fortinet.fortimanager.fmgr_firewall_sslsshprofile – Configure SSL/SSH protocol options.
Note
This plugin is part of the fortinet.fortimanager collection (version 2.1.3).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortimanager
.
To use it in a playbook, specify: fortinet.fortimanager.fmgr_firewall_sslsshprofile
.
New in version 2.10: of fortinet.fortimanager
Synopsis
- This module is able to configure a FortiManager device.
- Examples include all parameters and values which need to be adjusted to data sources before usage.
Parameters
Parameter | Choices/Defaults | Comments | ||
---|---|---|---|---|
adom string / required | the parameter (adom) in requested url | |||
bypass_validation boolean |
| only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters | ||
enable_log boolean |
| Enable/Disable logging for task | ||
firewall_sslsshprofile dictionary | the top level parameters set | |||
allowlist string |
| Enable/disable exempting servers by FortiGuard allowlist. | ||
block-blacklisted-certificates string |
| Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. | ||
block-blocklisted-certificates string |
| Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blocklist. | ||
caname string | CA certificate used by SSL Inspection. | |||
comment string | Optional comments. | |||
dot dictionary | no description | |||
cert-validation-failure string |
| Action based on certificate validation failure. | ||
cert-validation-timeout string |
| Action based on certificate validation timeout. | ||
client-certificate string |
| Action based on received client certificate. | ||
expired-server-cert string |
| Action based on server certificate is expired. | ||
proxy-after-tcp-handshake string |
| Proxy traffic after the TCP 3-way handshake has been established (not before). | ||
revoked-server-cert string |
| Action based on server certificate is revoked. | ||
sni-server-cert-check string |
| Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | ||
status string |
| Configure protocol inspection status. | ||
unsupported-ssl-cipher string |
| Action based on the SSL cipher used being unsupported. | ||
unsupported-ssl-negotiation string |
| Action based on the SSL negotiation used being unsupported. | ||
untrusted-server-cert string |
| Action based on server certificate is not issued by a trusted CA. | ||
ftps dictionary | no description | |||
cert-validation-failure string |
| Action based on certificate validation failure. | ||
cert-validation-timeout string |
| Action based on certificate validation timeout. | ||
client-certificate string |
| Action based on received client certificate. | ||
expired-server-cert string |
| Action based on server certificate is expired. | ||
ports integer | no description | |||
revoked-server-cert string |
| Action based on server certificate is revoked. | ||
sni-server-cert-check string |
| Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | ||
status string |
| Configure protocol inspection status. | ||
unsupported-ssl-cipher string |
| Action based on the SSL cipher used being unsupported. | ||
unsupported-ssl-negotiation string |
| Action based on the SSL negotiation used being unsupported. | ||
untrusted-server-cert string |
| Action based on server certificate is not issued by a trusted CA. | ||
https dictionary | no description | |||
cert-probe-failure string |
| Action based on certificate probe failure. | ||
cert-validation-failure string |
| Action based on certificate validation failure. | ||
cert-validation-timeout string |
| Action based on certificate validation timeout. | ||
client-certificate string |
| Action based on received client certificate. | ||
expired-server-cert string |
| Action based on server certificate is expired. | ||
ports integer | no description | |||
proxy-after-tcp-handshake string |
| Proxy traffic after the TCP 3-way handshake has been established (not before). | ||
revoked-server-cert string |
| Action based on server certificate is revoked. | ||
sni-server-cert-check string |
| Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | ||
status string |
| Configure protocol inspection status. | ||
unsupported-ssl-cipher string |
| Action based on the SSL cipher used being unsupported. | ||
unsupported-ssl-negotiation string |
| Action based on the SSL negotiation used being unsupported. | ||
untrusted-server-cert string |
| Action based on server certificate is not issued by a trusted CA. | ||
imaps dictionary | no description | |||
cert-validation-failure string |
| Action based on certificate validation failure. | ||
cert-validation-timeout string |
| Action based on certificate validation timeout. | ||
client-certificate string |
| Action based on received client certificate. | ||
expired-server-cert string |
| Action based on server certificate is expired. | ||
ports integer | no description | |||
proxy-after-tcp-handshake string |
| Proxy traffic after the TCP 3-way handshake has been established (not before). | ||
revoked-server-cert string |
| Action based on server certificate is revoked. | ||
sni-server-cert-check string |
| Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | ||
status string |
| Configure protocol inspection status. | ||
unsupported-ssl-cipher string |
| Action based on the SSL cipher used being unsupported. | ||
unsupported-ssl-negotiation string |
| Action based on the SSL negotiation used being unsupported. | ||
untrusted-server-cert string |
| Action based on server certificate is not issued by a trusted CA. | ||
mapi-over-https string |
| Enable/disable inspection of MAPI over HTTPS. | ||
name string | Name. | |||
pop3s dictionary | no description | |||
cert-validation-failure string |
| Action based on certificate validation failure. | ||
cert-validation-timeout string |
| Action based on certificate validation timeout. | ||
client-certificate string |
| Action based on received client certificate. | ||
expired-server-cert string |
| Action based on server certificate is expired. | ||
ports integer | no description | |||
proxy-after-tcp-handshake string |
| Proxy traffic after the TCP 3-way handshake has been established (not before). | ||
revoked-server-cert string |
| Action based on server certificate is revoked. | ||
sni-server-cert-check string |
| Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | ||
status string |
| Configure protocol inspection status. | ||
unsupported-ssl-cipher string |
| Action based on the SSL cipher used being unsupported. | ||
unsupported-ssl-negotiation string |
| Action based on the SSL negotiation used being unsupported. | ||
untrusted-server-cert string |
| Action based on server certificate is not issued by a trusted CA. | ||
rpc-over-https string |
| Enable/disable inspection of RPC over HTTPS. | ||
server-cert string | Certificate used by SSL Inspection to replace server certificate. | |||
server-cert-mode string |
| Re-sign or replace the servers certificate. | ||
smtps dictionary | no description | |||
cert-validation-failure string |
| Action based on certificate validation failure. | ||
cert-validation-timeout string |
| Action based on certificate validation timeout. | ||
client-certificate string |
| Action based on received client certificate. | ||
expired-server-cert string |
| Action based on server certificate is expired. | ||
ports integer | no description | |||
proxy-after-tcp-handshake string |
| Proxy traffic after the TCP 3-way handshake has been established (not before). | ||
revoked-server-cert string |
| Action based on server certificate is revoked. | ||
sni-server-cert-check string |
| Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | ||
status string |
| Configure protocol inspection status. | ||
unsupported-ssl-cipher string |
| Action based on the SSL cipher used being unsupported. | ||
unsupported-ssl-negotiation string |
| Action based on the SSL negotiation used being unsupported. | ||
untrusted-server-cert string |
| Action based on server certificate is not issued by a trusted CA. | ||
ssh dictionary | no description | |||
inspect-all string |
| Level of SSL inspection. | ||
ports integer | no description | |||
proxy-after-tcp-handshake string |
| Proxy traffic after the TCP 3-way handshake has been established (not before). | ||
ssh-algorithm string |
| Relative strength of encryption algorithms accepted during negotiation. | ||
ssh-tun-policy-check string |
| Enable/disable SSH tunnel policy check. | ||
status string |
| Configure protocol inspection status. | ||
unsupported-version string |
| Action based on SSH version being unsupported. | ||
ssl dictionary | no description | |||
cert-validation-failure string |
| Action based on certificate validation failure. | ||
cert-validation-timeout string |
| Action based on certificate validation timeout. | ||
client-certificate string |
| Action based on received client certificate. | ||
expired-server-cert string |
| Action based on server certificate is expired. | ||
inspect-all string |
| Level of SSL inspection. | ||
revoked-server-cert string |
| Action based on server certificate is revoked. | ||
sni-server-cert-check string |
| Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | ||
unsupported-ssl-cipher string |
| Action based on the SSL cipher used being unsupported. | ||
unsupported-ssl-negotiation string |
| Action based on the SSL negotiation used being unsupported. | ||
untrusted-server-cert string |
| Action based on server certificate is not issued by a trusted CA. | ||
ssl-anomalies-log string |
| Enable/disable logging SSL anomalies. | ||
ssl-exempt list / elements=string | no description | |||
address string | IPv4 address object. | |||
address6 string | IPv6 address object. | |||
fortiguard-category string | FortiGuard category ID. | |||
id integer | ID number. | |||
regex string | Exempt servers by regular expression. | |||
type string |
| Type of address object (IPv4 or IPv6) or FortiGuard category. | ||
wildcard-fqdn string | Exempt servers by wildcard FQDN. | |||
ssl-exemptions-log string |
| Enable/disable logging SSL exemptions. | ||
ssl-negotiation-log string |
| Enable/disable logging SSL negotiation. | ||
ssl-server list / elements=string | no description | |||
ftps-client-cert-request string |
| Action based on client certificate request during the FTPS handshake. | ||
ftps-client-certificate string |
| Action based on received client certificate during the FTPS handshake. | ||
https-client-cert-request string |
| Action based on client certificate request during the HTTPS handshake. | ||
https-client-certificate string |
| Action based on received client certificate during the HTTPS handshake. | ||
id integer | SSL server ID. | |||
imaps-client-cert-request string |
| Action based on client certificate request during the IMAPS handshake. | ||
imaps-client-certificate string |
| Action based on received client certificate during the IMAPS handshake. | ||
ip string | IPv4 address of the SSL server. | |||
pop3s-client-cert-request string |
| Action based on client certificate request during the POP3S handshake. | ||
pop3s-client-certificate string |
| Action based on received client certificate during the POP3S handshake. | ||
smtps-client-cert-request string |
| Action based on client certificate request during the SMTPS handshake. | ||
smtps-client-certificate string |
| Action based on received client certificate during the SMTPS handshake. | ||
ssl-other-client-cert-request string |
| Action based on client certificate request during an SSL protocol handshake. | ||
ssl-other-client-certificate string |
| Action based on received client certificate during an SSL protocol handshake. | ||
supported-alpn string |
| Configure ALPN option. | ||
untrusted-caname string | Untrusted CA certificate used by SSL Inspection. | |||
use-ssl-server string |
| Enable/disable the use of SSL server table for SSL offloading. | ||
whitelist string |
| Enable/disable exempting servers by FortiGuard whitelist. | ||
proposed_method string |
| The overridden method for the underlying Json RPC request | ||
rc_failed list / elements=string | the rc codes list with which the conditions to fail will be overriden | |||
rc_succeeded list / elements=string | the rc codes list with which the conditions to succeed will be overriden | |||
state string / required |
| the directive to create, update or delete an object | ||
workspace_locking_adom string | the adom to lock for FortiManager running in workspace mode, the value can be global and others including root | |||
workspace_locking_timeout integer | Default: 300 | the maximum time in seconds to wait for other user to release the workspace lock |
Notes
Note
- Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
- To create or update an object, use state present directive.
- To delete an object, use state absent directive.
- Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded
Examples
- hosts: fortimanager-inventory collections: - fortinet.fortimanager connection: httpapi vars: ansible_httpapi_use_ssl: True ansible_httpapi_validate_certs: False ansible_httpapi_port: 443 tasks: - name: Configure SSL/SSH protocol options. fmgr_firewall_sslsshprofile: bypass_validation: False workspace_locking_adom: <value in [global, custom adom including root]> workspace_locking_timeout: 300 rc_succeeded: [0, -2, -3, ...] rc_failed: [-2, -3, ...] adom: <your own value> state: <value in [present, absent]> firewall_sslsshprofile: caname: <value of string> comment: <value of string> mapi-over-https: <value in [disable, enable]> name: <value of string> rpc-over-https: <value in [disable, enable]> server-cert: <value of string> server-cert-mode: <value in [re-sign, replace]> ssl-anomalies-log: <value in [disable, enable]> ssl-exempt: - address: <value of string> address6: <value of string> fortiguard-category: <value of string> id: <value of integer> regex: <value of string> type: <value in [fortiguard-category, address, address6, ...]> wildcard-fqdn: <value of string> ssl-exemptions-log: <value in [disable, enable]> ssl-server: - ftps-client-cert-request: <value in [bypass, inspect, block]> https-client-cert-request: <value in [bypass, inspect, block]> id: <value of integer> imaps-client-cert-request: <value in [bypass, inspect, block]> ip: <value of string> pop3s-client-cert-request: <value in [bypass, inspect, block]> smtps-client-cert-request: <value in [bypass, inspect, block]> ssl-other-client-cert-request: <value in [bypass, inspect, block]> ftps-client-certificate: <value in [bypass, inspect, block]> https-client-certificate: <value in [bypass, inspect, block]> imaps-client-certificate: <value in [bypass, inspect, block]> pop3s-client-certificate: <value in [bypass, inspect, block]> smtps-client-certificate: <value in [bypass, inspect, block]> ssl-other-client-certificate: <value in [bypass, inspect, block]> untrusted-caname: <value of string> use-ssl-server: <value in [disable, enable]> whitelist: <value in [disable, enable]> block-blacklisted-certificates: <value in [disable, enable]> ssl-negotiation-log: <value in [disable, enable]> ftps: cert-validation-failure: <value in [allow, block, ignore]> cert-validation-timeout: <value in [allow, block, ignore]> client-certificate: <value in [bypass, inspect, block]> expired-server-cert: <value in [allow, block, ignore]> ports: <value of integer> revoked-server-cert: <value in [allow, block, ignore]> sni-server-cert-check: <value in [disable, enable, strict]> status: <value in [disable, deep-inspection]> unsupported-ssl-cipher: <value in [allow, block]> unsupported-ssl-negotiation: <value in [allow, block]> untrusted-server-cert: <value in [allow, block, ignore]> https: cert-validation-failure: <value in [allow, block, ignore]> cert-validation-timeout: <value in [allow, block, ignore]> client-certificate: <value in [bypass, inspect, block]> expired-server-cert: <value in [allow, block, ignore]> ports: <value of integer> proxy-after-tcp-handshake: <value in [disable, enable]> revoked-server-cert: <value in [allow, block, ignore]> sni-server-cert-check: <value in [disable, enable, strict]> status: <value in [disable, certificate-inspection, deep-inspection]> unsupported-ssl-cipher: <value in [allow, block]> unsupported-ssl-negotiation: <value in [allow, block]> untrusted-server-cert: <value in [allow, block, ignore]> cert-probe-failure: <value in [block, allow]> imaps: cert-validation-failure: <value in [allow, block, ignore]> cert-validation-timeout: <value in [allow, block, ignore]> client-certificate: <value in [bypass, inspect, block]> expired-server-cert: <value in [allow, block, ignore]> ports: <value of integer> proxy-after-tcp-handshake: <value in [disable, enable]> revoked-server-cert: <value in [allow, block, ignore]> sni-server-cert-check: <value in [disable, enable, strict]> status: <value in [disable, deep-inspection]> unsupported-ssl-cipher: <value in [allow, block]> unsupported-ssl-negotiation: <value in [allow, block]> untrusted-server-cert: <value in [allow, block, ignore]> pop3s: cert-validation-failure: <value in [allow, block, ignore]> cert-validation-timeout: <value in [allow, block, ignore]> client-certificate: <value in [bypass, inspect, block]> expired-server-cert: <value in [allow, block, ignore]> ports: <value of integer> proxy-after-tcp-handshake: <value in [disable, enable]> revoked-server-cert: <value in [allow, block, ignore]> sni-server-cert-check: <value in [disable, enable, strict]> status: <value in [disable, deep-inspection]> unsupported-ssl-cipher: <value in [allow, block]> unsupported-ssl-negotiation: <value in [allow, block]> untrusted-server-cert: <value in [allow, block, ignore]> smtps: cert-validation-failure: <value in [allow, block, ignore]> cert-validation-timeout: <value in [allow, block, ignore]> client-certificate: <value in [bypass, inspect, block]> expired-server-cert: <value in [allow, block, ignore]> ports: <value of integer> proxy-after-tcp-handshake: <value in [disable, enable]> revoked-server-cert: <value in [allow, block, ignore]> sni-server-cert-check: <value in [disable, enable, strict]> status: <value in [disable, deep-inspection]> unsupported-ssl-cipher: <value in [allow, block]> unsupported-ssl-negotiation: <value in [allow, block]> untrusted-server-cert: <value in [allow, block, ignore]> ssh: inspect-all: <value in [disable, deep-inspection]> ports: <value of integer> proxy-after-tcp-handshake: <value in [disable, enable]> ssh-algorithm: <value in [compatible, high-encryption]> ssh-tun-policy-check: <value in [disable, enable]> status: <value in [disable, deep-inspection]> unsupported-version: <value in [block, bypass]> ssl: cert-validation-failure: <value in [allow, block, ignore]> cert-validation-timeout: <value in [allow, block, ignore]> client-certificate: <value in [bypass, inspect, block]> expired-server-cert: <value in [allow, block, ignore]> inspect-all: <value in [disable, certificate-inspection, deep-inspection]> revoked-server-cert: <value in [allow, block, ignore]> sni-server-cert-check: <value in [disable, enable, strict]> unsupported-ssl-cipher: <value in [allow, block]> unsupported-ssl-negotiation: <value in [allow, block]> untrusted-server-cert: <value in [allow, block, ignore]> allowlist: <value in [disable, enable]> block-blocklisted-certificates: <value in [disable, enable]> dot: cert-validation-failure: <value in [allow, block, ignore]> cert-validation-timeout: <value in [allow, block, ignore]> client-certificate: <value in [bypass, inspect, block]> expired-server-cert: <value in [allow, block, ignore]> proxy-after-tcp-handshake: <value in [disable, enable]> revoked-server-cert: <value in [allow, block, ignore]> sni-server-cert-check: <value in [enable, strict, disable]> status: <value in [disable, deep-inspection]> unsupported-ssl-cipher: <value in [block, allow]> unsupported-ssl-negotiation: <value in [block, allow]> untrusted-server-cert: <value in [allow, block, ignore]> supported-alpn: <value in [none, http1-1, http2, ...]>
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
request_url string | always | The full url requested Sample: /sys/login/user |
response_code integer | always | The status of api request |
response_message string | always | The descriptive message of the api response Sample: OK. |
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Frank Shen (@fshen01)
- Hongbin Lu (@fgtdev-hblu)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortimanager/fmgr_firewall_sslsshprofile_module.html