fortinet.fortios.fortios_vpn_certificate_setting – VPN certificate setting in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_certificate_setting
.
New in version 2.10: of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_certificate feature and setting category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
Parameter | Choices/Defaults | Comments | |
---|---|---|---|
access_token string | Token-based authentication. Generated from GUI of Fortigate. | ||
enable_log boolean |
| Enable/Disable logging for task. | |
vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | |
vpn_certificate_setting dictionary | VPN certificate setting. | ||
certname_dsa1024 string | 1024 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
certname_dsa2048 string | 2048 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
certname_ecdsa256 string | 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
certname_ecdsa384 string | 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
certname_ecdsa521 string | 521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
certname_ed25519 string | 253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
certname_ed448 string | 456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
certname_rsa1024 string | 1024 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
certname_rsa2048 string | 2048 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
certname_rsa4096 string | 4096 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. | ||
check_ca_cert string |
| Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted . | |
check_ca_chain string |
| Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted . | |
cmp_key_usage_checking string |
| Enable/disable server certificate key usage checking in CMP mode . | |
cmp_save_extra_certs string |
| Enable/disable saving extra certificates in CMP mode. | |
cn_match string |
| When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name. | |
interface string | Specify outgoing interface to reach server. Source system.interface.name. | ||
interface_select_method string |
| Specify how to select outgoing interface to reach server. | |
ocsp_default_server string | Default OCSP server. Source vpn.certificate.ocsp-server.name. | ||
ocsp_option string |
| Specify whether the OCSP URL is from certificate or configured OCSP server. | |
ocsp_status string |
| Enable/disable receiving certificates using the OCSP. | |
ssl_min_proto_version string |
| Minimum supported protocol version for SSL/TLS connections . | |
ssl_ocsp_option string |
| Specify whether the OCSP URL is from the certificate or the default OCSP server. | |
ssl_ocsp_source_ip string | Source IP address to use to communicate with the OCSP server. | ||
ssl_ocsp_status string |
| Enable/disable SSL OCSP. | |
strict_crl_check string |
| Enable/disable strict mode CRL checking. | |
strict_ocsp_check string |
| Enable/disable strict mode OCSP checking. | |
subject_match string |
| When searching for a matching certificate, control how to find matches in the certificate subject name. |
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates collections: - fortinet.fortios connection: httpapi vars: vdom: "root" ansible_httpapi_use_ssl: yes ansible_httpapi_validate_certs: no ansible_httpapi_port: 443 tasks: - name: VPN certificate setting. fortios_vpn_certificate_setting: vdom: "{{ vdom }}" vpn_certificate_setting: certname_dsa1024: "<your_own_value> (source vpn.certificate.local.name)" certname_dsa2048: "<your_own_value> (source vpn.certificate.local.name)" certname_ecdsa256: "<your_own_value> (source vpn.certificate.local.name)" certname_ecdsa384: "<your_own_value> (source vpn.certificate.local.name)" certname_ecdsa521: "<your_own_value> (source vpn.certificate.local.name)" certname_ed25519: "<your_own_value> (source vpn.certificate.local.name)" certname_ed448: "<your_own_value> (source vpn.certificate.local.name)" certname_rsa1024: "<your_own_value> (source vpn.certificate.local.name)" certname_rsa2048: "<your_own_value> (source vpn.certificate.local.name)" certname_rsa4096: "<your_own_value> (source vpn.certificate.local.name)" check_ca_cert: "enable" check_ca_chain: "enable" cmp_key_usage_checking: "enable" cmp_save_extra_certs: "enable" cn_match: "substring" interface: "<your_own_value> (source system.interface.name)" interface_select_method: "auto" ocsp_default_server: "<your_own_value> (source vpn.certificate.ocsp-server.name)" ocsp_option: "certificate" ocsp_status: "enable" ssl_min_proto_version: "default" ssl_ocsp_option: "certificate" ssl_ocsp_source_ip: "<your_own_value>" ssl_ocsp_status: "enable" strict_crl_check: "enable" strict_ocsp_check: "enable" subject_match: "substring"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
build string | always | Build number of the fortigate image Sample: 1547 |
http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
name string | always | Name of the table used to fulfill the request Sample: urlfilter |
path string | always | Path of the table used to fulfill the request Sample: webfilter |
revision string | always | Internal revision number Sample: 17.0.2.10658 |
serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
status string | always | Indication of the operation's result Sample: success |
vdom string | always | Virtual domain used Sample: root |
version string | always | Version of the FortiGate Sample: v5.6.3 |
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_vpn_certificate_setting_module.html