fmgr_fwpol_ipv4 – Allows the add/delete of Firewall Policies on Packages in FortiManager

New in version 2.8.


Synopsis

  • Allows the add/delete of Firewall Policies on Packages in FortiManager.

Parameters

Parameter | Choices/Defaults | Comments

Each entry below gives the parameter name, then its type (a lone "-" means no type was recorded), then its choices or default, then its description.

action

-

  • deny
  • accept
  • ipsec

Policy action (allow/deny/ipsec).

choice | deny | Blocks sessions that match the firewall policy.

choice | accept | Allows session that match the firewall policy.

choice | ipsec | Firewall policy becomes a policy-based IPsec VPN policy.

adom

-

Default:

"root"

The ADOM the configuration should belong to.

app_category

-

Application category ID list.

app_group

-

Application group names.

application

-

Application ID list.

application_list

-

Name of an existing Application list.

auth_cert

-

HTTPS server certificate for policy authentication.

auth_path

-

  • disable
  • enable

Enable/disable authentication-based routing.

choice | disable | Disable authentication-based routing.

choice | enable | Enable authentication-based routing.

auth_redirect_addr

-

HTTP-to-HTTPS redirect address for firewall authentication.

auto_asic_offload

-

  • disable
  • enable

Enable/disable offloading security profile processing to CP processors.

choice | disable | Disable ASIC offloading.

choice | enable | Enable auto ASIC offloading.

av_profile

-

Name of an existing Antivirus profile.

block_notification

-

  • disable
  • enable

Enable/disable block notification.

choice | disable | Disable setting.

choice | enable | Enable setting.

captive_portal_exempt

-

  • disable
  • enable

Enable to exempt some users from the captive portal.

choice | disable | Disable exemption of captive portal.

choice | enable | Enable exemption of captive portal.

capture_packet

-

  • disable
  • enable

Enable/disable capture packets.

choice | disable | Disable capture packets.

choice | enable | Enable capture packets.

comments

-

Comment.

custom_log_fields

-

Custom fields to append to log messages for this policy.

delay_tcp_npu_session

-

  • disable
  • enable

Enable TCP NPU session delay to guarantee packet order of 3-way handshake.

choice | disable | Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

choice | enable | Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

devices

-

Names of devices or device groups that can be matched by the policy.

diffserv_forward

-

  • disable
  • enable

Enable to change packet's DiffServ values to the specified diffservcode-forward value.

choice | disable | Disable WAN optimization.

choice | enable | Enable WAN optimization.

diffserv_reverse

-

  • disable
  • enable

Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.

choice | disable | Disable setting.

choice | enable | Enable setting.

diffservcode_forward

-

Change packet's DiffServ to this value.

diffservcode_rev

-

Change packet's reverse (reply) DiffServ to this value.

disclaimer

-

  • disable
  • enable

Enable/disable user authentication disclaimer.

choice | disable | Disable user authentication disclaimer.

choice | enable | Enable user authentication disclaimer.

dlp_sensor

-

Name of an existing DLP sensor.

dnsfilter_profile

-

Name of an existing DNS filter profile.

dscp_match

-

  • disable
  • enable

Enable DSCP check.

choice | disable | Disable DSCP check.

choice | enable | Enable DSCP check.

dscp_negate

-

  • disable
  • enable

Enable negated DSCP match.

choice | disable | Disable DSCP negate.

choice | enable | Enable DSCP negate.

dscp_value

-

DSCP value.

dsri

-

  • disable
  • enable

Enable DSRI to ignore HTTP server responses.

choice | disable | Disable DSRI.

choice | enable | Enable DSRI.

dstaddr

-

Destination address and address group names.

dstaddr_negate

-

  • disable
  • enable

When enabled dstaddr specifies what the destination address must NOT be.

choice | disable | Disable destination address negate.

choice | enable | Enable destination address negate.

dstintf

-

Outgoing (egress) interface.

firewall_session_dirty

-

  • check-all
  • check-new

How to handle sessions if the configuration of this firewall policy changes.

choice | check-all | Flush all current sessions accepted by this policy.

choice | check-new | Continue to allow sessions already accepted by this policy.

fixedport

-

  • disable
  • enable

Enable to prevent source NAT from changing a session's source port.

choice | disable | Disable setting.

choice | enable | Enable setting.

fsso

-

  • disable
  • enable

Enable/disable Fortinet Single Sign-On.

choice | disable | Disable setting.

choice | enable | Enable setting.

fsso_agent_for_ntlm

-

FSSO agent to use for NTLM authentication.

global_label

-

Label for the policy that appears when the GUI is in Global View mode.

groups

-

Names of user groups that can authenticate with this policy.

gtp_profile

-

GTP profile.

icap_profile

-

Name of an existing ICAP profile.

identity_based_route

-

Name of identity-based routing rule.

inbound

-

  • disable
  • enable

Policy-based IPsec VPN | only traffic from the remote network can initiate a VPN.

choice | disable | Disable setting.

choice | enable | Enable setting.

internet_service

-

  • disable
  • enable

Enable/disable use of Internet Services for this policy. If enabled, dstaddr and service are not used.

choice | disable | Disable use of Internet Services in policy.

choice | enable | Enable use of Internet Services in policy.

internet_service_custom

-

Custom Internet Service name.

internet_service_id

-

Internet Service ID.

internet_service_negate

-

  • disable
  • enable

When enabled internet-service specifies what the service must NOT be.

choice | disable | Disable negated Internet Service match.

choice | enable | Enable negated Internet Service match.

internet_service_src

-

  • disable
  • enable

Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.

choice | disable | Disable use of Internet Services source in policy.

choice | enable | Enable use of Internet Services source in policy.

internet_service_src_custom

-

Custom Internet Service source name.

internet_service_src_id

-

Internet Service source ID.

internet_service_src_negate

-

  • disable
  • enable

When enabled internet-service-src specifies what the service must NOT be.

choice | disable | Disable negated Internet Service source match.

choice | enable | Enable negated Internet Service source match.

ippool

-

  • disable
  • enable

Enable to use IP Pools for source NAT.

choice | disable | Disable setting.

choice | enable | Enable setting.

ips_sensor

-

Name of an existing IPS sensor.

label

-

Label for the policy that appears when the GUI is in Section View mode.

learning_mode

-

  • disable
  • enable

Enable to allow everything, but log all of the meaningful data for security information gathering.

choice | disable | Disable learning mode in firewall policy.

choice | enable | Enable learning mode in firewall policy.

logtraffic

-

  • disable
  • all
  • utm

Enable or disable logging. Log all sessions or security profile sessions.

choice | disable | Disable all logging for this policy.

choice | all | Log all sessions accepted or denied by this policy.

choice | utm | Log traffic that has a security profile applied to it.

logtraffic_start

-

  • disable
  • enable

Record logs when a session starts and ends.

choice | disable | Disable setting.

choice | enable | Enable setting.

match_vip

-

  • disable
  • enable

Enable to match packets that have had their destination addresses changed by a VIP.

choice | disable | Do not match DNATed packet.

choice | enable | Match DNATed packet.

mms_profile

-

Name of an existing MMS profile.

mode

-

  • add
  • set
  • delete
  • update

Sets one of three modes for managing the object.

Allows use of soft-adds instead of overwriting existing values.

name

-

Policy name.

nat

-

  • disable
  • enable

Enable/disable source NAT.

choice | disable | Disable setting.

choice | enable | Enable setting.

natinbound

-

  • disable
  • enable

Policy-based IPsec VPN | apply destination NAT to inbound traffic.

choice | disable | Disable setting.

choice | enable | Enable setting.

natip

-

Policy-based IPsec VPN | source NAT IP address for outgoing traffic.

natoutbound

-

  • disable
  • enable

Policy-based IPsec VPN | apply source NAT to outbound traffic.

choice | disable | Disable setting.

choice | enable | Enable setting.

np_acceleration

-

  • disable
  • enable

Enable/disable UTM Network Processor acceleration.

choice | disable | Disable UTM Network Processor acceleration.

choice | enable | Enable UTM Network Processor acceleration.

ntlm

-

  • disable
  • enable

Enable/disable NTLM authentication.

choice | disable | Disable setting.

choice | enable | Enable setting.

ntlm_enabled_browsers

-

HTTP-User-Agent value of supported browsers.

ntlm_guest

-

  • disable
  • enable

Enable/disable NTLM guest user access.

choice | disable | Disable setting.

choice | enable | Enable setting.

outbound

-

  • disable
  • enable

Policy-based IPsec VPN | only traffic from the internal network can initiate a VPN.

choice | disable | Disable setting.

choice | enable | Enable setting.

package_name

-

Default:

"default"

The policy package you want to modify.

per_ip_shaper

-

Per-IP traffic shaper.

permit_any_host

-

  • disable
  • enable

Accept UDP packets from any host.

choice | disable | Disable setting.

choice | enable | Enable setting.

permit_stun_host

-

  • disable
  • enable

Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.

choice | disable | Disable setting.

choice | enable | Enable setting.

policyid

-

Policy ID.

poolname

-

IP Pool names.

profile_group

-

Name of profile group.

profile_protocol_options

-

Name of an existing Protocol options profile.

profile_type

-

  • single
  • group

Determine whether the firewall policy allows security profile groups or single profiles only.

choice | single | Do not allow security profile groups.

choice | group | Allow security profile groups.

radius_mac_auth_bypass

-

  • disable
  • enable

Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.

choice | disable | Disable MAC authentication bypass.

choice | enable | Enable MAC authentication bypass.

redirect_url

-

URL users are directed to after seeing and accepting the disclaimer or authenticating.

replacemsg_override_group

-

Override the default replacement message group for this policy.

rsso

-

  • disable
  • enable

Enable/disable RADIUS single sign-on (RSSO).

choice | disable | Disable setting.

choice | enable | Enable setting.

rtp_addr

-

Address names if this is an RTP NAT policy.

rtp_nat

-

  • disable
  • enable

Enable Real Time Protocol (RTP) NAT.

choice | disable | Disable setting.

choice | enable | Enable setting.

scan_botnet_connections

-

  • disable
  • block
  • monitor

Block or monitor connections to Botnet servers or disable Botnet scanning.

choice | disable | Do not scan connections to botnet servers.

choice | block | Block connections to botnet servers.

choice | monitor | Log connections to botnet servers.

schedule

-

Schedule name.

schedule_timeout

-

  • disable
  • enable

Enable to force current sessions to end when the schedule object times out.

choice | disable | Disable schedule timeout.

choice | enable | Enable schedule timeout.

send_deny_packet

-

  • disable
  • enable

Enable to send a reply when a session is denied or blocked by a firewall policy.

choice | disable | Disable deny-packet sending.

choice | enable | Enable deny-packet sending.

service

-

Service and service group names.

service_negate

-

  • disable
  • enable

When enabled service specifies what the service must NOT be.

choice | disable | Disable negated service match.

choice | enable | Enable negated service match.

session_ttl

-

TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).

spamfilter_profile

-

Name of an existing Spam filter profile.

srcaddr

-

Source address and address group names.

srcaddr_negate

-

  • disable
  • enable

When enabled srcaddr specifies what the source address must NOT be.

choice | disable | Disable source address negate.

choice | enable | Enable source address negate.

srcintf

-

Incoming (ingress) interface.

ssh_filter_profile

-

Name of an existing SSH filter profile.

ssl_mirror

-

  • disable
  • enable

Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).

choice | disable | Disable SSL mirror.

choice | enable | Enable SSL mirror.

ssl_mirror_intf

-

SSL mirror interface name.

ssl_ssh_profile

-

Name of an existing SSL SSH profile.

status

-

  • disable
  • enable

Enable or disable this policy.

choice | disable | Disable setting.

choice | enable | Enable setting.

tcp_mss_receiver

-

Receiver TCP maximum segment size (MSS).

tcp_mss_sender

-

Sender TCP maximum segment size (MSS).

tcp_session_without_syn

-

  • all
  • data-only
  • disable

Enable/disable creation of TCP session without SYN flag.

choice | all | Enable TCP session without SYN.

choice | data-only | Enable TCP session data only.

choice | disable | Disable TCP session without SYN.

timeout_send_rst

-

  • disable
  • enable

Enable/disable sending RST packets when TCP sessions expire.

choice | disable | Disable sending of RST packet upon TCP session expiration.

choice | enable | Enable sending of RST packet upon TCP session expiration.

traffic_shaper

-

Traffic shaper.

traffic_shaper_reverse

-

Reverse traffic shaper.

url_category

-

URL category ID list.

users

-

Names of individual users that can authenticate with this policy.

utm_status

-

  • disable
  • enable

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

choice | disable | Disable setting.

choice | enable | Enable setting.

vlan_cos_fwd

-

VLAN forward direction user priority | 255 passthrough, 0 lowest, 7 highest.

vlan_cos_rev

-

VLAN reverse direction user priority | 255 passthrough, 0 lowest, 7 highest.

vlan_filter

-

Set VLAN filters.

voip_profile

-

Name of an existing VoIP profile.

vpn_dst_node

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

vpn_dst_node_host

-

VPN Destination Node Host.

vpn_dst_node_seq

-

VPN Destination Node Seq.

vpn_dst_node_subnet

-

VPN Destination Node Seq.

vpn_src_node

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

vpn_src_node_host

-

VPN Source Node Host.

vpn_src_node_seq

-

VPN Source Node Seq.

vpn_src_node_subnet

-

VPN Source Node.

vpntunnel

-

Policy-based IPsec VPN | name of the IPsec VPN Phase 1.

waf_profile

-

Name of an existing Web application firewall profile.

wanopt

-

  • disable
  • enable

Enable/disable WAN optimization.

choice | disable | Disable setting.

choice | enable | Enable setting.

wanopt_detection

-

  • active
  • passive
  • off

WAN optimization auto-detection mode.

choice | active | Active WAN optimization peer auto-detection.

choice | passive | Passive WAN optimization peer auto-detection.

choice | off | Turn off WAN optimization peer auto-detection.

wanopt_passive_opt

-

  • default
  • transparent
  • non-transparent

WAN optimization passive mode options. This option decides what IP address will be used to connect server.

choice | default | Allow client side WAN opt peer to decide.

choice | transparent | Use address of client to connect to server.

choice | non-transparent | Use local FortiGate address to connect to server.

wanopt_peer

-

WAN optimization peer.

wanopt_profile

-

WAN optimization profile.

wccp

-

  • disable
  • enable

Enable/disable forwarding traffic matching this policy to a configured WCCP server.

choice | disable | Disable WCCP setting.

choice | enable | Enable WCCP setting.

webcache

-

  • disable
  • enable

Enable/disable web cache.

choice | disable | Disable setting.

choice | enable | Enable setting.

webcache_https

-

  • disable
  • enable

Enable/disable web cache for HTTPS.

choice | disable | Disable web cache for HTTPS.

choice | enable | Enable web cache for HTTPS.

webfilter_profile

-

Name of an existing Web filter profile.

wsso

-

  • disable
  • enable

Enable/disable WiFi Single Sign On (WSSO).

choice | disable | Disable setting.

choice | enable | Enable setting.

Examples

- name: ADD VERY BASIC IPV4 POLICY WITH NO NAT (WIDE OPEN)
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "all"
    srcaddr: "all"
    dstintf: "any"
    srcintf: "any"
    logtraffic: "utm"
    service: "ALL"
    schedule: "always"

- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy_2"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "google-play"
    srcaddr: "all"
    dstintf: "any"
    srcintf: "any"
    logtraffic: "utm"
    service: "HTTP, HTTPS"
    schedule: "always"
    nat: "enable"
    users: "karen, kevin"

- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES AND SEC PROFILES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy_3"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "google-play, autoupdate.opera.com"
    srcaddr: "corp_internal"
    dstintf: "zone_wan1, zone_wan2"
    srcintf: "zone_int1"
    logtraffic: "utm"
    service: "HTTP, HTTPS"
    schedule: "always"
    nat: "enable"
    users: "karen, kevin"
    av_profile: "sniffer-profile"
    ips_sensor: "default"
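The first example above creates a wide-open policy. As an added example (not from the Ansible docs or the module's own examples), the play below builds a least-privilege counterpart with full logging and security profiles, adds an explicit deny-and-log rule beneath it, and removes a policy with mode "delete". The ADOM "ansible", the address, zone and profile names, and the policy ID used for the delete are assumed placeholders that must exist in your FortiManager.

```yaml
# Added example, not part of the original module documentation.
# Assumed placeholders: adom "ansible", corp_internal, zone_int1, zone_wan1,
# the profile names, and the policy ID in the delete task.
- name: ADD RESTRICTED IPV4 POLICY WITH FULL LOGGING AND SECURITY PROFILES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Restricted_Web_Egress"
    comments: "Created by Ansible - least-privilege egress"
    action: "accept"
    srcintf: "zone_int1"            # explicit ingress/egress instead of any/any
    dstintf: "zone_wan1"
    srcaddr: "corp_internal"        # named source instead of all
    dstaddr: "all"
    service: "HTTP, HTTPS"          # only the services this policy is for
    schedule: "always"
    nat: "enable"
    logtraffic: "all"               # log every session, not only UTM hits
    logtraffic_start: "enable"      # record session start as well as end
    utm_status: "enable"            # required for the profiles below to apply
    profile_type: "single"
    av_profile: "default"
    ips_sensor: "default"
    webfilter_profile: "default"
    ssl_ssh_profile: "certificate-inspection"
    firewall_session_dirty: "check-all"   # re-check existing sessions on change
  register: pol_add

- name: SHOW FULL API RESPONSE (STATUS CODE AND MESSAGE)
  debug:
    var: pol_add.api_result

- name: ADD EXPLICIT DENY-AND-LOG POLICY FOR EVERYTHING ELSE
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Deny_Log_Everything_Else"
    comments: "Created by Ansible - visibility into blocked traffic"
    action: "deny"
    srcintf: "zone_int1"
    dstintf: "zone_wan1"
    srcaddr: "all"
    dstaddr: "all"
    service: "ALL"
    schedule: "always"
    logtraffic: "all"               # denied sessions are logged too
    send_deny_packet: "enable"      # reply to the client instead of a silent drop

- name: DELETE A POLICY FROM THE PACKAGE
  fmgr_fwpol_ipv4:
    mode: "delete"
    adom: "ansible"
    package_name: "default"
    name: "Restricted_Web_Egress"
    policyid: 0                     # placeholder: ID of the policy to remove
```

Place the deny rule after the accept rule in the package so that only traffic not matched by the restricted policy reaches it.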

Return Values

Common return values are documented in the Ansible return-values reference; the following are the fields unique to this module:

Key | Returned | Description

api_result (string) | always | Full API response, including status code and message.

Authors

  • Luke Weighall (@lweighall)
  • Andrew Welsh (@Ghilli3)
  • Jim Huber (@p4r4n0y1ng)


© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fmgr_fwpol_ipv4_module.html