fortios_vpn_ssl_settings – Configure SSL VPN in Fortinet’s FortiOS and FortiGate
New in version 2.8.
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5
Requirements
The below requirements are needed on the host that executes this module.
- fortiosapi>=0.9.8
Parameters
| Parameter | Choices/Defaults | Comments | |||
|---|---|---|---|---|---|
| host string | FortiOS or FortiGate IP address. | ||||
| https boolean |
| Indicates if the requests towards FortiGate must use HTTPS protocol. | |||
| password string | Default: "" | FortiOS or FortiGate password. | |||
| ssl_verify boolean added in 2.9 |
| Ensures FortiGate certificate must be verified by a proper CA. | |||
| username string | FortiOS or FortiGate username. | ||||
| vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | |||
| vpn_ssl_settings dictionary | Default: null | Configure SSL VPN. | |||
| auth_timeout integer | SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). | ||||
| authentication_rule list | Authentication rule for SSL VPN. | ||||
| auth string |
| SSL VPN authentication method restriction. | |||
| cipher string |
| SSL VPN cipher strength. | |||
| client_cert string |
| Enable/disable SSL VPN client certificate restrictive. | |||
| groups list | User groups. | ||||
| name string / required | Group name. Source user.group.name. | ||||
| id integer / required | ID (0 - 4294967295). | ||||
| portal string | SSL VPN portal. Source vpn.ssl.web.portal.name. | ||||
| realm string | SSL VPN realm. Source vpn.ssl.web.realm.url-path. | ||||
| source_address list | Source address of incoming traffic. | ||||
| name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | ||||
| source_address6 list | IPv6 source address of incoming traffic. | ||||
| name string / required | IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. | ||||
| source_address6_negate string |
| Enable/disable negated source IPv6 address match. | |||
| source_address_negate string |
| Enable/disable negated source address match. | |||
| source_interface list | SSL VPN source interface of incoming traffic. | ||||
| name string / required | Interface name. Source system.interface.name system.zone.name. | ||||
| users list | User name. | ||||
| name string / required | User name. Source user.local.name. | ||||
| auto_tunnel_static_route string |
| Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. | |||
| banned_cipher string |
| Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. | |||
| check_referer string |
| Enable/disable verification of referer field in HTTP request header. | |||
| default_portal string | Default SSL VPN portal. Source vpn.ssl.web.portal.name. | ||||
| deflate_compression_level integer | Compression level (0~9). | ||||
| deflate_min_data_size integer | Minimum amount of data that triggers compression (200 - 65535 bytes). | ||||
| dns_server1 string | DNS server 1. | ||||
| dns_server2 string | DNS server 2. | ||||
| dns_suffix string | DNS suffix used for SSL-VPN clients. | ||||
| dtls_hello_timeout integer | SSLVPN maximum DTLS hello timeout (10 - 60 sec). | ||||
| dtls_tunnel string |
| Enable DTLS to prevent eavesdropping, tampering, or message forgery. | |||
| force_two_factor_auth string |
| Enable to force two-factor authentication for all SSL-VPNs. | |||
| header_x_forwarded_for string |
| Forward the same, add, or remove HTTP header. | |||
| http_compression string |
| Enable to allow HTTP compression over SSL-VPN tunnels. | |||
| http_only_cookie string |
| Enable/disable SSL-VPN support for HttpOnly cookies. | |||
| http_request_body_timeout integer | SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec). | ||||
| http_request_header_timeout integer | SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec). | ||||
| https_redirect string |
| Enable/disable redirect of port 80 to SSL-VPN port. | |||
| idle_timeout integer | SSL VPN disconnects if idle for specified time in seconds. | ||||
| ipv6_dns_server1 string | IPv6 DNS server 1. | ||||
| ipv6_dns_server2 string | IPv6 DNS server 2. | ||||
| ipv6_wins_server1 string | IPv6 WINS server 1. | ||||
| ipv6_wins_server2 string | IPv6 WINS server 2. | ||||
| login_attempt_limit integer | SSL VPN maximum login attempt times before block (0 - 10). | ||||
| login_block_time integer | Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec). | ||||
| login_timeout integer | SSLVPN maximum login timeout (10 - 180 sec). | ||||
| port integer | SSL-VPN access port (1 - 65535). | ||||
| port_precedence string |
| Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface. | |||
| reqclientcert string |
| Enable to require client certificates for all SSL-VPN users. | |||
| route_source_interface string |
| Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. | |||
| servercert string | Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name. | ||||
| source_address list | Source address of incoming traffic. | ||||
| name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | ||||
| source_address6 list | IPv6 source address of incoming traffic. | ||||
| name string / required | IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. | ||||
| source_address6_negate string |
| Enable/disable negated source IPv6 address match. | |||
| source_address_negate string |
| Enable/disable negated source address match. | |||
| source_interface list | SSL VPN source interface of incoming traffic. | ||||
| name string / required | Interface name. Source system.interface.name system.zone.name. | ||||
| ssl_client_renegotiation string |
| Enable to allow client renegotiation by the server if the tunnel goes down. | |||
| ssl_insert_empty_fragment string |
| Enable/disable insertion of empty fragment. | |||
| tlsv1_0 string |
| Enable/disable TLSv1.0. | |||
| tlsv1_1 string |
| Enable/disable TLSv1.1. | |||
| tlsv1_2 string |
| Enable/disable TLSv1.2. | |||
| tunnel_ip_pools list | Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. | ||||
| name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | ||||
| tunnel_ipv6_pools list | Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. | ||||
| name string / required | Address name. Source firewall.address6.name firewall.addrgrp6.name. | ||||
| unsafe_legacy_renegotiation string |
| Enable/disable unsafe legacy re-negotiation. | |||
| url_obscuration string |
| Enable to obscure the host name of the URL of the web browser display. | |||
| wins_server1 string | WINS server 1. | ||||
| wins_server2 string | WINS server 2. | ||||
| x_content_type_options string |
| Add HTTP X-Content-Type-Options header. | |||
Notes
Note
- Requires fortiosapi library developed by Fortinet
- Run as a local_action in your playbook
Examples
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
ssl_verify: "False"
tasks:
- name: Configure SSL VPN.
fortios_vpn_ssl_settings:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
vpn_ssl_settings:
auth_timeout: "3"
authentication_rule:
-
auth: "any"
cipher: "any"
client_cert: "enable"
groups:
-
name: "default_name_9 (source user.group.name)"
id: "10"
portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
source_address:
-
name: "default_name_14 (source firewall.address.name firewall.addrgrp.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_17 (source firewall.address6.name firewall.addrgrp6.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_20 (source system.interface.name system.zone.name)"
users:
-
name: "default_name_22 (source user.local.name)"
auto_tunnel_static_route: "enable"
banned_cipher: "RSA"
check_referer: "enable"
default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
deflate_compression_level: "27"
deflate_min_data_size: "28"
dns_server1: "<your_own_value>"
dns_server2: "<your_own_value>"
dns_suffix: "<your_own_value>"
dtls_hello_timeout: "32"
dtls_tunnel: "enable"
force_two_factor_auth: "enable"
header_x_forwarded_for: "pass"
http_compression: "enable"
http_only_cookie: "enable"
http_request_body_timeout: "38"
http_request_header_timeout: "39"
https_redirect: "enable"
idle_timeout: "41"
ipv6_dns_server1: "<your_own_value>"
ipv6_dns_server2: "<your_own_value>"
ipv6_wins_server1: "<your_own_value>"
ipv6_wins_server2: "<your_own_value>"
login_attempt_limit: "46"
login_block_time: "47"
login_timeout: "48"
port: "49"
port_precedence: "enable"
reqclientcert: "enable"
route_source_interface: "enable"
servercert: "<your_own_value> (source vpn.certificate.local.name)"
source_address:
-
name: "default_name_55 (source firewall.address.name firewall.addrgrp.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_58 (source firewall.address6.name firewall.addrgrp6.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_61 (source system.interface.name system.zone.name)"
ssl_client_renegotiation: "disable"
ssl_insert_empty_fragment: "enable"
tlsv1_0: "enable"
tlsv1_1: "enable"
tlsv1_2: "enable"
tunnel_ip_pools:
-
name: "default_name_68 (source firewall.address.name firewall.addrgrp.name)"
tunnel_ipv6_pools:
-
name: "default_name_70 (source firewall.address6.name firewall.addrgrp6.name)"
unsafe_legacy_renegotiation: "enable"
url_obscuration: "enable"
wins_server1: "<your_own_value>"
wins_server2: "<your_own_value>"
x_content_type_options: "enable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build string | always | Build number of the fortigate image Sample: 1547 |
| http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
| http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
| mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
| name string | always | Name of the table used to fulfill the request Sample: urlfilter |
| path string | always | Path of the table used to fulfill the request Sample: webfilter |
| revision string | always | Internal revision number Sample: 17.0.2.10658 |
| serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
| status string | always | Indication of the operation's result Sample: success |
| vdom string | always | Virtual domain used Sample: root |
| version string | always | Version of the FortiGate Sample: v5.6.3 |
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
Hint
If you notice any issues in this documentation, you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_vpn_ssl_settings_module.html