fortios_application_list – Configure application control lists

New in version 2.8.

Synopsis
Requirements
Parameters
Notes
Examples
Return Values
Status

Synopsis

This module is able to configure a FortiGate or FortiOS by allowing the user to configure application feature and list category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

fortiosapi>=0.9.8

Parameters

Parameter				Choices/Defaults	Comments
application_list -				Default: null	Configure application control lists.
	app-replacemsg -			Choices: disable enable	Enable/disable replacement messages for blocked applications.
	comment -				comments
	deep-app-inspection -			Choices: disable enable	Enable/disable deep application inspection.
	entries -				Application list entries.
		action -		Choices: pass block reset	Pass or block traffic, or reset connection for traffic from this application.
		application -			ID of allowed applications.
			id - / required		Application IDs.
		behavior -			Application behavior filter.
		category -			Category ID list.
			id - / required		Application category ID.
		id - / required			Entry ID.
		log -		Choices: disable enable	Enable/disable logging for this application list.
		log-packet -		Choices: disable enable	Enable/disable packet logging.
		parameters -			Application parameters.
			id - / required		Parameter ID.
			value -		Parameter value.
		per-ip-shaper -			Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name.
		popularity -		Choices: 1 2 3 4 5	Application popularity filter (1 - 5, from least to most popular).
		protocols -			Application protocol filter.
		quarantine -		Choices: none attacker	Quarantine method.
		quarantine-expiry -			Duration of quarantine. (Format
		quarantine-log -		Choices: disable enable	Enable/disable quarantine logging.
		rate-count -			Count of the rate.
		rate-duration -			Duration (sec) of the rate.
		rate-mode -		Choices: periodical continuous	Rate limit mode.
		rate-track -		Choices: none src-ip dest-ip dhcp-client-mac dns-domain	Track the packet protocol field.
		risk -			Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
			level - / required		Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
		session-ttl -			Session TTL (0 = default).
		shaper -			Traffic shaper. Source firewall.shaper.traffic-shaper.name.
		shaper-reverse -			Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
		sub-category -			Application Sub-category ID list.
			id - / required		Application sub-category ID.
		technology -			Application technology filter.
		vendor -			Application vendor filter.
	extended-log -			Choices: enable disable	Enable/disable extended logging.
	name - / required				List name.
	options -			Choices: allow-dns allow-icmp allow-http allow-ssl allow-quic	Basic application protocol signatures allowed by default.
	other-application-action -			Choices: pass block	Action for other applications.
	other-application-log -			Choices: disable enable	Enable/disable logging for other applications.
	p2p-black-list -			Choices: skype edonkey bittorrent	P2P applications to be black listed.
	replacemsg-group -				Replacement message group. Source system.replacemsg-group.name.
	state -			Choices: present absent	Indicates whether to create or remove the object
	unknown-application-action -			Choices: pass block	Pass or block traffic from unknown applications.
	unknown-application-log -			Choices: disable enable	Enable/disable logging for unknown applications.
host - / required					FortiOS or FortiGate ip address.
https boolean				Choices: no ← yes	Indicates if the requests towards FortiGate must use HTTPS protocol
password -				Default: ""	FortiOS or FortiGate password.
username - / required					FortiOS or FortiGate username.
vdom -				Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure application control lists.
    fortios_application_list:
      host:  "{{  host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{  vdom }}"
      application_list:
        state: "present"
        app-replacemsg: "disable"
        comment: "comments"
        deep-app-inspection: "disable"
        entries:
         -
            action: "pass"
            application:
             -
                id:  "9"
            behavior: "<your_own_value>"
            category:
             -
                id:  "12"
            id:  "13"
            log: "disable"
            log-packet: "disable"
            parameters:
             -
                id:  "17"
                value: "<your_own_value>"
            per-ip-shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
            popularity: "1"
            protocols: "<your_own_value>"
            quarantine: "none"
            quarantine-expiry: "<your_own_value>"
            quarantine-log: "disable"
            rate-count: "25"
            rate-duration: "26"
            rate-mode: "periodical"
            rate-track: "none"
            risk:
             -
                level: "30"
            session-ttl: "31"
            shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
            shaper-reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
            sub-category:
             -
                id:  "35"
            technology: "<your_own_value>"
            vendor: "<your_own_value>"
        extended-log: "enable"
        name: "default_name_39"
        options: "allow-dns"
        other-application-action: "pass"
        other-application-log: "disable"
        p2p-black-list: "skype"
        replacemsg-group: "<your_own_value> (source system.replacemsg-group.name)"
        unknown-application-action: "pass"
        unknown-application-log: "disable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: key1
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Status

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]

Authors

Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fortios_application_list_module.html