fortios_ipv4_policy – Manage IPv4 policy objects on Fortinet FortiOS firewall devices




New in version 2.3.


Synopsis

  • This module provides management of firewall IPv4 policies on FortiOS devices.

Parameters

Parameter Choices/Defaults Comments

application_list

-

Specifies Application Control name.

av_profile

-

Specifies Antivirus profile name.

backup

boolean

  • no

  • yes

This argument causes the module to create a backup of the current running-config from the remote device before any changes are made. The backup file is written to the folder given by backup_path.

backup_filename

-

Specifies the backup filename. If omitted, the filename is formatted like HOST_config.YYYY-MM-DD@HH:MM:SS.

backup_path

-

Specifies where to store backup files. Required if backup=yes.

comment

-

Free text describing the policy.

config_file

-

added in 2.4

Path to configuration file. Required when file_mode is True.

dst_addr

-

Specifies destination address (or group) object name(s). Required when state=present.

dst_addr_negate

boolean

  • no

  • yes

Negate destination address param.

dst_intf

-

Default:

"any"

Specifies destination interface name(s).

file_mode

boolean

added in 2.4

  • no

  • yes

Do not connect to any device; use config_file as both input and output.

fixedport

boolean

  • no

  • yes

Use a fixed port for NAT.

host

-

Specifies the DNS hostname or IP address for connecting to the remote fortios device. Required when file_mode is False.

id

- / required

Policy ID. Warning: the policy ID number is different from the policy sequence number. The policy ID is the number assigned at policy creation. The sequence number represents the order in which the FortiGate evaluates the rule for policy enforcement, and also the order in which rules are listed in the GUI and CLI. These two numbers do not necessarily correlate: this module is keyed on the policy ID. Tip: the policy ID can be shown in the GUI by adding 'ID' to the display columns.

ips_sensor

-

Specifies IPS Sensor profile name.

logtraffic

-

added in 2.4

  • disable

  • utm

  • all

Logs sessions that matched the policy.

logtraffic_start

boolean

added in 2.4

  • no

  • yes

Also logs the start of each session.

nat

boolean

  • no

  • yes

Enable or disable NAT.

password

-

Specifies the password used to authenticate to the remote device. Required when file_mode is True.

policy_action

-

  • accept

  • deny

Specifies the policy action, accept or deny. Required when state=present.


aliases: action

poolname

-

Specifies NAT pool name.

schedule

-

Default:

"always"

Defines the policy schedule.

service

-

Specifies the policy service(s); can be a list (e.g. ['MAIL','DNS']). Required when state=present.


aliases: services

service_negate

boolean

  • no

  • yes

Negate the policy service(s) given in the service value.

src_addr

-

Specifies source address (or group) object name(s). Required when state=present.

src_addr_negate

boolean

  • no

  • yes

Negate source address param.

src_intf

-

Default:

"any"

Specifies source interface name(s).

state

-

  • present

  • absent

Specifies whether the policy ID should be added or deleted.

timeout

-

Default:

60

Timeout in seconds for connecting to the remote device.

username

-

Configures the username used to authenticate to the remote device. Required when file_mode is True.

vdom

-

Specifies the VDOM on which to apply the configuration.

webfilter_profile

-

Specifies Webfilter profile name.



Notes

Note

  • This module requires the pyFG library.


Examples

- name: Allow external DNS call
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    src_addr: internal_network
    dst_addr: all
    service: dns
    nat: True
    state: present
    policy_action: accept
    logtraffic: disable

- name: Public Web
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    src_addr: all
    dst_addr: webservers
    services:
      - http
      - https
    state: present
    policy_action: accept

- name: Some Policy
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    comment: "no comment (created by ansible)"
    src_intf: vl1000
    src_addr:
      - some_serverA
      - some_serverB
    dst_intf:
      - vl2000
      - vl3000
    dst_addr: all
    services:
      - HTTP
      - HTTPS
    nat: True
    state: present
    policy_action: accept
    logtraffic: disable
  tags:
    - policy
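The following tasks are an added example, not part of the module's own documentation. They show an inspected egress policy with the UTM profile parameters and full session logging, a backup taken before the change, the change_string return value being surfaced, and removal of a policy by its policy ID. The vdom, interface, address and profile names and the fortios_password variable are assumed placeholders.

```yaml
# Added example: hardened egress policy plus cleanup of a stale policy.
# Host, VDOM, interface, address and profile names are placeholders.
- name: Inspected web egress with UTM profiles and full logging
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: "{{ fortios_password }}"   # assumed vault-backed variable
    vdom: root
    backup: yes                          # snapshot running-config first
    backup_path: /var/backups/fortios    # required when backup=yes
    id: 100                              # policy ID, not sequence number
    comment: "managed by ansible: web egress"
    src_intf: internal
    dst_intf: wan1
    src_addr: internal_network
    dst_addr: all
    service:
      - HTTP
      - HTTPS
    policy_action: accept
    nat: yes
    av_profile: default                  # antivirus profile name
    ips_sensor: default                  # IPS sensor name
    webfilter_profile: default           # web filter profile name
    logtraffic: all                      # log every matched session
    logtraffic_start: yes                # also log session start
    state: present
  register: web_egress

- name: Show the CLI commands the module pushed (only when config changed)
  debug:
    var: web_egress.change_string
  when: web_egress.changed

- name: Remove a stale policy by its policy ID
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: "{{ fortios_password }}"
    vdom: root
    id: 7
    state: absent
```

Because this module is keyed on the policy ID, confirm the ID in the GUI (add the 'ID' column) before using state: absent, since the sequence number shown by default is a different value.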

Return Values

Common return values are documented in the Ansible return values reference; the following fields are unique to this module:

Key Returned Description

change_string

string

only if config changed

The commands executed by the module.


firewall_address_config

string

always

Full firewall address configuration string.


msg_error_list

string

only when error

List of errors returned by CLI (use -vvv for better readability).





Status

Authors

  • Benjamin Jolivot (@bjolivot)



© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.7/modules/fortios_ipv4_policy_module.html