fortinet.fortios.fortios_endpoint_control_profile – Configure FortiClient endpoint control profiles in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_endpoint_control_profile.
New in version 2.10 of fortinet.fortios
Synopsis
- This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the endpoint_control feature and profile category. The examples include all parameters; their values need to be adjusted to your data sources before use. Tested with FOS v6.0.0.
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
access_token string | | Token-based authentication. Generated from GUI of Fortigate. |
enable_log boolean | | Enable/Disable logging for task. |
endpoint_control_profile dictionary | | Configure FortiClient endpoint control profiles. |
description string | | Description. |
device_groups list / elements=string | | Device groups. |
name string / required | | Device group object from available options. Source user.device-group.name user.device-category.name. |
forticlient_android_settings dictionary | | FortiClient settings for Android platform. |
disable_wf_when_protected string | | Enable/disable FortiClient web category filtering when protected by FortiGate. |
forticlient_advanced_vpn string | | Enable/disable advanced FortiClient VPN configuration. |
forticlient_advanced_vpn_buffer string | | Advanced FortiClient VPN configuration. |
forticlient_vpn_provisioning string | | Enable/disable FortiClient VPN provisioning. |
forticlient_vpn_settings list / elements=string | | FortiClient VPN settings. |
auth_method string | | Authentication method. |
name string / required | | VPN name. |
preshared_key string | | Pre-shared secret for PSK authentication. |
remote_gw string | | IP address or FQDN of the remote VPN gateway. |
sslvpn_access_port integer | | SSL VPN access port (1 - 65535). |
sslvpn_require_certificate string | | Enable/disable requiring SSL VPN client certificate. |
type string | | VPN type (IPsec or SSL VPN). |
forticlient_wf string | | Enable/disable FortiClient web filtering. |
forticlient_wf_profile string | | The FortiClient web filter profile to apply. Source webfilter.profile.name. |
forticlient_ios_settings dictionary | | FortiClient settings for iOS platform. |
client_vpn_provisioning string | | FortiClient VPN provisioning. |
client_vpn_settings list / elements=string | | FortiClient VPN settings. |
auth_method string | | Authentication method. |
name string / required | | VPN name. |
preshared_key string | | Pre-shared secret for PSK authentication. |
remote_gw string | | IP address or FQDN of the remote VPN gateway. |
sslvpn_access_port integer | | SSL VPN access port (1 - 65535). |
sslvpn_require_certificate string | | Enable/disable requiring SSL VPN client certificate. |
type string | | VPN type (IPsec or SSL VPN). |
vpn_configuration_content string | | Content of VPN configuration. |
vpn_configuration_name string | | Name of VPN configuration. |
configuration_content string | | Content of configuration profile. |
configuration_name string | | Name of configuration profile. |
disable_wf_when_protected string | | Enable/disable FortiClient web category filtering when protected by FortiGate. |
distribute_configuration_profile string | | Enable/disable configuration profile (.mobileconfig file) distribution. |
forticlient_wf string | | Enable/disable FortiClient web filtering. |
forticlient_wf_profile string | | The FortiClient web filter profile to apply. Source webfilter.profile.name. |
forticlient_winmac_settings dictionary | | FortiClient settings for Windows/Mac platform. |
av_realtime_protection string | | Enable/disable FortiClient AntiVirus real-time protection. |
av_signature_up_to_date string | | Enable/disable FortiClient AV signature updates. |
forticlient_application_firewall string | | Enable/disable the FortiClient application firewall. |
forticlient_application_firewall_list string | | FortiClient application firewall rule list. Source application.list.name. |
forticlient_av string | | Enable/disable FortiClient AntiVirus scanning. |
forticlient_ems_compliance string | | Enable/disable FortiClient Enterprise Management Server (EMS) compliance. |
forticlient_ems_compliance_action string | | FortiClient EMS compliance action. |
forticlient_ems_entries list / elements=string | | FortiClient EMS entries. |
name string / required | | FortiClient EMS name. Source endpoint-control.forticlient-ems.name. |
forticlient_linux_ver string | | Minimum FortiClient Linux version. |
forticlient_log_upload string | | Enable/disable uploading FortiClient logs. |
forticlient_log_upload_level string | | Select the FortiClient logs to upload. |
forticlient_log_upload_server string | | IP address or FQDN of the server to which to upload FortiClient logs. |
forticlient_mac_ver string | | Minimum FortiClient Mac OS version. |
forticlient_minimum_software_version string | | Enable/disable requiring clients to run FortiClient with a minimum software version number. |
forticlient_operating_system list / elements=string | | FortiClient operating system. |
id integer / required | | Operating system entry ID. |
os_name string | | Customize operating system name or Mac OS format:x.x.x |
os_type string | | Operating system type. |
forticlient_own_file list / elements=string | | Checking the path and filename of the FortiClient application. |
file string | | File path and name. |
id integer / required | | File ID. |
forticlient_registration_compliance_action string | | FortiClient registration compliance action. |
forticlient_registry_entry list / elements=string | | FortiClient registry entry. |
id integer / required | | Registry entry ID. |
registry_entry string | | Registry entry. |
forticlient_running_app list / elements=string | | Use FortiClient to verify if the listed applications are running on the client. |
app_name string | | Application name. |
app_sha256_signature string | | App's SHA256 signature. |
app_sha256_signature2 string | | App's SHA256 Signature. |
app_sha256_signature3 string | | App's SHA256 Signature. |
app_sha256_signature4 string | | App's SHA256 Signature. |
application_check_rule string | | Application check rule. |
id integer / required | | Application ID. |
process_name string | | Process name. |
process_name2 string | | Process name. |
process_name3 string | | Process name. |
process_name4 string | | Process name. |
forticlient_security_posture string | | Enable/disable FortiClient security posture check options. |
forticlient_security_posture_compliance_action string | | FortiClient security posture compliance action. |
forticlient_system_compliance string | | Enable/disable enforcement of FortiClient system compliance. |
forticlient_system_compliance_action string | | Block or warn clients not compliant with FortiClient requirements. |
forticlient_vuln_scan string | | Enable/disable FortiClient vulnerability scanning. |
forticlient_vuln_scan_compliance_action string | | FortiClient vulnerability compliance action. |
forticlient_vuln_scan_enforce string | | Configure the level of the vulnerability found that causes a FortiClient vulnerability compliance action. |
forticlient_vuln_scan_enforce_grace integer | | FortiClient vulnerability scan enforcement grace period (0 - 30 days). |
forticlient_vuln_scan_exempt string | | Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically. |
forticlient_wf string | | Enable/disable FortiClient web filtering. |
forticlient_wf_profile string | | The FortiClient web filter profile to apply. Source webfilter.profile.name. |
forticlient_win_ver string | | Minimum FortiClient Windows version. |
os_av_software_installed string | | Enable/disable checking for OS recognized AntiVirus software. |
sandbox_address string | | FortiSandbox address. |
sandbox_analysis string | | Enable/disable sending files to FortiSandbox for analysis. |
on_net_addr list / elements=string | | Addresses for on-net detection. |
name string / required | | Address object from available options. Source firewall.address.name firewall.addrgrp.name. |
profile_name string | | Profile name. |
replacemsg_override_group string | | Select an endpoint control replacement message override group from available options. Source system.replacemsg-group.name. |
src_addr list / elements=string | | Source addresses. |
name string / required | | Address object from available options. Source firewall.address.name firewall.addrgrp.name. |
user_groups list / elements=string | | User groups. |
name string / required | | User group name. Source user.group.name. |
users list / elements=string | | Users. |
name string / required | | User name. Source user.local.name. |
state string / required | | Indicates whether to create or remove the object. |
vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |
Notes
Note
- Legacy fortiosapi has been deprecated; httpapi is the preferred way to run playbooks.
Examples
```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # "no" turns off TLS certificate verification for the FortiGate API connection.
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure FortiClient endpoint control profiles.
      fortios_endpoint_control_profile:
        vdom: "{{ vdom }}"
        state: "present"
        # API token generated from the FortiGate GUI.
        access_token: "<your_own_value>"
        endpoint_control_profile:
          description: "<your_own_value>"
          device_groups:
            - name: "default_name_5 (source user.device-group.name user.device-category.name)"
          forticlient_android_settings:
            disable_wf_when_protected: "enable"
            forticlient_advanced_vpn: "enable"
            forticlient_advanced_vpn_buffer: "<your_own_value>"
            forticlient_vpn_provisioning: "enable"
            forticlient_vpn_settings:
              - auth_method: "psk"
                name: "default_name_13"
                preshared_key: "<your_own_value>"
                remote_gw: "<your_own_value>"
                sslvpn_access_port: "16"
                sslvpn_require_certificate: "enable"
                type: "ipsec"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
          forticlient_ios_settings:
            client_vpn_provisioning: "enable"
            client_vpn_settings:
              - auth_method: "psk"
                name: "default_name_25"
                preshared_key: "<your_own_value>"
                remote_gw: "<your_own_value>"
                sslvpn_access_port: "28"
                sslvpn_require_certificate: "enable"
                type: "ipsec"
                vpn_configuration_content: "<your_own_value>"
                vpn_configuration_name: "<your_own_value>"
            configuration_content: "<your_own_value>"
            configuration_name: "<your_own_value>"
            disable_wf_when_protected: "enable"
            distribute_configuration_profile: "enable"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
          forticlient_winmac_settings:
            av_realtime_protection: "enable"
            av_signature_up_to_date: "enable"
            forticlient_application_firewall: "enable"
            forticlient_application_firewall_list: "<your_own_value> (source application.list.name)"
            forticlient_av: "enable"
            forticlient_ems_compliance: "enable"
            forticlient_ems_compliance_action: "block"
            forticlient_ems_entries:
              - name: "default_name_48 (source endpoint-control.forticlient-ems.name)"
            forticlient_linux_ver: "<your_own_value>"
            forticlient_log_upload: "enable"
            forticlient_log_upload_level: "traffic"
            forticlient_log_upload_server: "<your_own_value>"
            forticlient_mac_ver: "<your_own_value>"
            forticlient_minimum_software_version: "enable"
            forticlient_operating_system:
              - id: "56"
                os_name: "<your_own_value>"
                os_type: "custom"
            forticlient_own_file:
              - file: "<your_own_value>"
                id: "61"
            forticlient_registration_compliance_action: "block"
            forticlient_registry_entry:
              - id: "64"
                registry_entry: "<your_own_value>"
            forticlient_running_app:
              - app_name: "<your_own_value>"
                app_sha256_signature: "<your_own_value>"
                app_sha256_signature2: "<your_own_value>"
                app_sha256_signature3: "<your_own_value>"
                app_sha256_signature4: "<your_own_value>"
                application_check_rule: "present"
                id: "73"
                process_name: "<your_own_value>"
                process_name2: "<your_own_value>"
                process_name3: "<your_own_value>"
                process_name4: "<your_own_value>"
            forticlient_security_posture: "enable"
            forticlient_security_posture_compliance_action: "block"
            forticlient_system_compliance: "enable"
            forticlient_system_compliance_action: "block"
            forticlient_vuln_scan: "enable"
            forticlient_vuln_scan_compliance_action: "block"
            forticlient_vuln_scan_enforce: "critical"
            forticlient_vuln_scan_enforce_grace: "85"
            forticlient_vuln_scan_exempt: "enable"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
            forticlient_win_ver: "<your_own_value>"
            os_av_software_installed: "enable"
            sandbox_address: "<your_own_value>"
            sandbox_analysis: "enable"
          on_net_addr:
            - name: "default_name_94 (source firewall.address.name firewall.addrgrp.name)"
          profile_name: "<your_own_value>"
          replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
          src_addr:
            - name: "default_name_98 (source firewall.address.name firewall.addrgrp.name)"
          user_groups:
            - name: "default_name_100 (source user.group.name)"
          users:
            - name: "default_name_102 (source user.local.name)"
```
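A narrower variant of the sample playbook, added here as an example and not taken from the module documentation: it keeps certificate validation on, reads the API token from a vaulted variable, and sets only Windows/Mac compliance options, with a grace period inside the documented 0 - 30 day range. The names vault_fortigate_token, corp-workstations and corp-users are assumptions.

```yaml
# Added example, not from the module documentation.
# Assumed (hypothetical) names: vault_fortigate_token, "corp-workstations", "corp-users".
- hosts: fortigates
  connection: httpapi
  collections:
    - fortinet.fortios
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: yes   # verify the FortiGate's TLS certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Enforce endpoint compliance for Windows/Mac clients
      fortinet.fortios.fortios_endpoint_control_profile:
        vdom: "{{ vdom }}"
        state: "present"
        # Token is defined in an Ansible Vault encrypted vars file, not in the playbook.
        access_token: "{{ vault_fortigate_token }}"
        endpoint_control_profile:
          profile_name: "corp-workstations"
          description: "Block non-compliant Windows/Mac endpoints"
          user_groups:
            - name: "corp-users"          # must already exist (source user.group.name)
          forticlient_winmac_settings:
            forticlient_av: "enable"
            av_realtime_protection: "enable"
            av_signature_up_to_date: "enable"
            forticlient_system_compliance: "enable"
            forticlient_system_compliance_action: "block"
            forticlient_vuln_scan: "enable"
            forticlient_vuln_scan_enforce: "critical"
            forticlient_vuln_scan_compliance_action: "block"
            forticlient_vuln_scan_enforce_grace: 7   # days; documented range is 0 - 30
      no_log: true   # keep task arguments (including the token) out of task output
```

Objects referenced by name, such as the user group, must exist on the FortiGate before the task runs.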
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
build string | always | Build number of the fortigate image Sample: 1547 |
http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
name string | always | Name of the table used to fulfill the request Sample: urlfilter |
path string | always | Path of the table used to fulfill the request Sample: webfilter |
revision string | always | Internal revision number Sample: 17.0.2.10658 |
serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
status string | always | Indication of the operation's result Sample: success |
vdom string | always | Virtual domain used Sample: root |
version string | always | Version of the FortiGate Sample: v5.6.3 |
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_endpoint_control_profile_module.html