fmgr_secprof_appctrl – Manage application control security profiles

From Get docs
Ansible/docs/2.8/modules/fmgr secprof appctrl module


fmgr_secprof_appctrl – Manage application control security profiles

New in version 2.8.


Synopsis

  • Manage application control security profiles within FortiManager

Parameters

Parameter Choices/Defaults Comments

adom

-

Default:

"root"

The ADOM the configuration should belong to.

app_replacemsg

-

  • disable
  • enable

Enable/disable replacement messages for blocked applications.

choice | disable | Disable replacement messages for blocked applications.

choice | enable | Enable replacement messages for blocked applications.

comment

-

comments

deep_app_inspection

-

  • disable
  • enable

Enable/disable deep application inspection.

choice | disable | Disable deep application inspection.

choice | enable | Enable deep application inspection.

entries

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, OMIT THE USE OF THIS PARAMETER

AND USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

entries_action

-

  • pass
  • block
  • reset

Pass or block traffic, or reset connection for traffic from this application.

choice | pass | Pass or allow matching traffic.

choice | block | Block or drop matching traffic.

choice | reset | Reset sessions for matching traffic.

entries_application

-

ID of allowed applications.

entries_behavior

-

Application behavior filter.

entries_category

-

Category ID list.

entries_log

-

  • disable
  • enable

Enable/disable logging for this application list.

choice | disable | Disable logging.

choice | enable | Enable logging.

entries_log_packet

-

  • disable
  • enable

Enable/disable packet logging.

choice | disable | Disable packet logging.

choice | enable | Enable packet logging.

entries_parameters_value

-

Parameter value.

entries_per_ip_shaper

-

Per-IP traffic shaper.

entries_popularity

-

  • 1
  • 2
  • 3
  • 4
  • 5

Application popularity filter (1 - 5, from least to most popular).

FLAG Based Options. Specify multiple in list form.

flag | 1 | Popularity level 1.

flag | 2 | Popularity level 2.

flag | 3 | Popularity level 3.

flag | 4 | Popularity level 4.

flag | 5 | Popularity level 5.

entries_protocols

-

Application protocol filter.

entries_quarantine

-

  • none
  • attacker

Quarantine method.

choice | none | Quarantine is disabled.

choice | attacker | Block all traffic sent from attacker's IP address.

The attacker's IP address is also added to the banned user list. The target's address is not affected.

entries_quarantine_expiry

-

Duration of quarantine. (Format

Requires quarantine set to attacker.

entries_quarantine_log

-

  • disable
  • enable

Enable/disable quarantine logging.

choice | disable | Disable quarantine logging.

choice | enable | Enable quarantine logging.

entries_rate_count

-

Count of the rate.

entries_rate_duration

-

Duration (sec) of the rate.

entries_rate_mode

-

  • periodical
  • continuous

Rate limit mode.

choice | periodical | Allow configured number of packets every rate-duration.

choice | continuous | Block packets once the rate is reached.

entries_rate_track

-

  • none
  • src-ip
  • dest-ip
  • dhcp-client-mac
  • dns-domain

Track the packet protocol field.

choice | none |

choice | src-ip | Source IP.

choice | dest-ip | Destination IP.

choice | dhcp-client-mac | DHCP client.

choice | dns-domain | DNS domain.

entries_risk

-

Risk, or impact, of allowing traffic from this application to occur 1 - 5;

(Low, Elevated, Medium, High, and Critical).

entries_session_ttl

-

Session TTL (0 = default).

entries_shaper

-

Traffic shaper.

entries_shaper_reverse

-

Reverse traffic shaper.

entries_sub_category

-

Application Sub-category ID list.

entries_technology

-

Application technology filter.

entries_vendor

-

Application vendor filter.

extended_log

-

  • disable
  • enable

Enable/disable extended logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

mode

-

  • add

  • set
  • delete
  • update

Sets one of three modes for managing the object.

Allows use of soft-adds instead of overwriting existing values

name

-

List name.

options

-

  • allow-dns
  • allow-icmp
  • allow-http
  • allow-ssl
  • allow-quic

NO DESCRIPTION PARSED ENTER MANUALLY

FLAG Based Options. Specify multiple in list form.

flag | allow-dns | Allow DNS.

flag | allow-icmp | Allow ICMP.

flag | allow-http | Allow generic HTTP web browsing.

flag | allow-ssl | Allow generic SSL communication.

flag | allow-quic | Allow QUIC.

other_application_action

-

  • pass
  • block

Action for other applications.

choice | pass | Allow sessions matching an application in this application list.

choice | block | Block sessions matching an application in this application list.

other_application_log

-

  • disable
  • enable

Enable/disable logging for other applications.

choice | disable | Disable logging for other applications.

choice | enable | Enable logging for other applications.

p2p_black_list

-

  • skype
  • edonkey
  • bittorrent

NO DESCRIPTION PARSED ENTER MANUALLY

FLAG Based Options. Specify multiple in list form.

flag | skype | Skype.

flag | edonkey | Edonkey.

flag | bittorrent | Bit torrent.

replacemsg_group

-

Replacement message group.

unknown_application_action

-

  • pass
  • block

Pass or block traffic from unknown applications.

choice | pass | Pass or allow unknown applications.

choice | block | Drop or block unknown applications.

unknown_application_log

-

  • disable
  • enable

Enable/disable logging for unknown applications.

choice | disable | Disable logging for unknown applications.

choice | enable | Enable logging for unknown applications.



Notes

Examples

- name: DELETE Profile
  fmgr_secprof_appctrl:
    name: "Ansible_Application_Control_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "delete"

- name: CREATE Profile
  fmgr_secprof_appctrl:
    name: "Ansible_Application_Control_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "set"
    entries: [{
              action: "block",
              log: "enable",
              log-packet: "enable",
              protocols: ["1"],
              quarantine: "attacker",
              quarantine-log: "enable",
              },
              {action: "pass",
              category: ["2","3","4"]},
            ]

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description

api_result

string

always

full API response, includes status code and message





Status

Authors

  • Luke Weighall (@lweighall)
  • Andrew Welsh (@Ghilli3)
  • Jim Huber (@p4r4n0y1ng)

Hint

If you notice any issues in this documentation you can edit this document to improve it.


© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fmgr_secprof_appctrl_module.html