fmgr_secprof_ssl_ssh – Manage SSL and SSH security profiles in FortiManager

New in version 2.8.


Synopsis

  • Manage SSL and SSH security profiles in FortiManager via the FMG API

Parameters

Parameter Choices/Defaults Comments

adom

-

Default: "root"

The ADOM the configuration should belong to.

caname

-

CA certificate used by SSL inspection to re-sign the certificates of inspected servers (server_cert_mode re-sign). Clients behind the FortiGate must trust this CA, otherwise every inspected site produces a certificate warning.

comment

-

Optional comments.

ftps

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

ftps_allow_invalid_server_cert

-

  • disable
  • enable

When enabled, allows SSL sessions whose server certificate validation failed.

choice | disable | Disable setting.

choice | enable | Enable setting.

ftps_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

ftps_ports

-

Ports to use for scanning (1 - 65535, default = 990).

ftps_status

-

  • disable
  • deep-inspection

Configure protocol inspection status.

choice | disable | Disable.

choice | deep-inspection | Full SSL inspection.

ftps_unsupported_ssl

-

  • bypass
  • inspect
  • block

Action based on the SSL encryption used being unsupported.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

ftps_untrusted_cert

-

  • allow
  • block
  • ignore

Allow, ignore, or block the untrusted SSL session server certificate.

choice | allow | Allow the untrusted server certificate.

choice | block | Block the connection when an untrusted server certificate is detected.

choice | ignore | Always take the server certificate as trusted.

https

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

https_allow_invalid_server_cert

-

  • disable
  • enable

When enabled, allows SSL sessions whose server certificate validation failed.

choice | disable | Disable setting.

choice | enable | Enable setting.

https_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

https_ports

-

Ports to use for scanning (1 - 65535, default = 443).

https_status

-

  • disable
  • certificate-inspection
  • deep-inspection

Configure protocol inspection status.

choice | disable | Disable.

choice | certificate-inspection | Inspect SSL handshake only.

choice | deep-inspection | Full SSL inspection.

https_unsupported_ssl

-

  • bypass
  • inspect
  • block

Action based on the SSL encryption used being unsupported.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

https_untrusted_cert

-

  • allow
  • block
  • ignore

Allow, ignore, or block the untrusted SSL session server certificate.

choice | allow | Allow the untrusted server certificate.

choice | block | Block the connection when an untrusted server certificate is detected.

choice | ignore | Always take the server certificate as trusted.

imaps

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

imaps_allow_invalid_server_cert

-

  • disable
  • enable

When enabled, allows SSL sessions whose server certificate validation failed.

choice | disable | Disable setting.

choice | enable | Enable setting.

imaps_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

imaps_ports

-

Ports to use for scanning (1 - 65535, default = 993).

imaps_status

-

  • disable
  • deep-inspection

Configure protocol inspection status.

choice | disable | Disable.

choice | deep-inspection | Full SSL inspection.

imaps_unsupported_ssl

-

  • bypass
  • inspect
  • block

Action based on the SSL encryption used being unsupported.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

imaps_untrusted_cert

-

  • allow
  • block
  • ignore

Allow, ignore, or block the untrusted SSL session server certificate.

choice | allow | Allow the untrusted server certificate.

choice | block | Block the connection when an untrusted server certificate is detected.

choice | ignore | Always take the server certificate as trusted.

mapi_over_https

-

  • disable
  • enable

Enable/disable inspection of MAPI over HTTPS.

choice | disable | Disable inspection of MAPI over HTTPS.

choice | enable | Enable inspection of MAPI over HTTPS.

mode

-

  • add
  • set
  • delete
  • update

Sets one of four modes for managing the object, each mapped onto the FortiManager JSON API method of the same name.

add creates the profile and fails if one of that name already exists (a soft-add, so an existing profile is never overwritten by accident); set creates the profile or overwrites an existing one with the values given; update changes only the fields supplied and leaves the rest of an existing profile untouched; delete removes the profile.

name

-

Name.

pop3s

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

pop3s_allow_invalid_server_cert

-

  • disable
  • enable

When enabled, allows SSL sessions whose server certificate validation failed.

choice | disable | Disable setting.

choice | enable | Enable setting.

pop3s_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

pop3s_ports

-

Ports to use for scanning (1 - 65535, default = 995).

pop3s_status

-

  • disable
  • deep-inspection

Configure protocol inspection status.

choice | disable | Disable.

choice | deep-inspection | Full SSL inspection.

pop3s_unsupported_ssl

-

  • bypass
  • inspect
  • block

Action based on the SSL encryption used being unsupported.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

pop3s_untrusted_cert

-

  • allow
  • block
  • ignore

Allow, ignore, or block the untrusted SSL session server certificate.

choice | allow | Allow the untrusted server certificate.

choice | block | Block the connection when an untrusted server certificate is detected.

choice | ignore | Always take the server certificate as trusted.

rpc_over_https

-

  • disable
  • enable

Enable/disable inspection of RPC over HTTPS.

choice | disable | Disable inspection of RPC over HTTPS.

choice | enable | Enable inspection of RPC over HTTPS.

server_cert

-

Certificate used by SSL Inspection to replace server certificate.

server_cert_mode

-

  • re-sign
  • replace

Re-sign or replace the server's certificate.

choice | re-sign | Multiple clients connecting to multiple servers. The FortiGate generates a certificate for each inspected server on the fly and signs it with the CA in caname (or untrusted_caname when the real certificate failed validation). This is the mode for outbound inspection; clients must trust that CA.

choice | replace | Protect an SSL server. The FortiGate presents the fixed certificate in server_cert to clients. This is the mode for inbound inspection of a server you operate, where the certificate and key are yours to hand out.

smtps

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

smtps_allow_invalid_server_cert

-

  • disable
  • enable

When enabled, allows SSL sessions whose server certificate validation failed.

choice | disable | Disable setting.

choice | enable | Enable setting.

smtps_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

smtps_ports

-

Ports to use for scanning (1 - 65535, default = 465).

smtps_status

-

  • disable
  • deep-inspection

Configure protocol inspection status.

choice | disable | Disable.

choice | deep-inspection | Full SSL inspection.

smtps_unsupported_ssl

-

  • bypass
  • inspect
  • block

Action based on the SSL encryption used being unsupported.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

smtps_untrusted_cert

-

  • allow
  • block
  • ignore

Allow, ignore, or block the untrusted SSL session server certificate.

choice | allow | Allow the untrusted server certificate.

choice | block | Block the connection when an untrusted server certificate is detected.

choice | ignore | Always take the server certificate as trusted.

ssh

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

ssh_inspect_all

-

  • disable
  • deep-inspection

Level of SSH inspection.

choice | disable | Disable.

choice | deep-inspection | Full SSH inspection.

ssh_ports

-

Ports to use for scanning (1 - 65535, default = 22).

ssh_ssh_algorithm

-

  • compatible
  • high-encryption

Relative strength of encryption algorithms accepted during negotiation.

choice | compatible | Allow a broader set of encryption algorithms for best compatibility.

choice | high-encryption | Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

ssh_ssh_policy_check

-

  • disable
  • enable

Enable/disable SSH policy check.

choice | disable | Disable SSH policy check.

choice | enable | Enable SSH policy check.

ssh_ssh_tun_policy_check

-

  • disable
  • enable

Enable/disable SSH tunnel policy check.

choice | disable | Disable SSH tunnel policy check.

choice | enable | Enable SSH tunnel policy check.

ssh_status

-

  • disable
  • deep-inspection

Configure protocol inspection status.

choice | disable | Disable.

choice | deep-inspection | Full SSH inspection.

ssh_unsupported_version

-

  • block
  • bypass

Action based on SSH version being unsupported.

choice | block | Block.

choice | bypass | Bypass.

ssl

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

ssl_allow_invalid_server_cert

-

  • disable
  • enable

When enabled, allows SSL sessions whose server certificate validation failed.

choice | disable | Disable setting.

choice | enable | Enable setting.

ssl_anomalies_log

-

  • disable
  • enable

Enable/disable logging SSL anomalies.

choice | disable | Disable logging SSL anomalies.

choice | enable | Enable logging SSL anomalies.

ssl_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

ssl_exempt

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

ssl_exempt_address

-

IPv4 address object.

ssl_exempt_address6

-

IPv6 address object.

ssl_exempt_fortiguard_category

-

FortiGuard category ID.

ssl_exempt_regex

-

Exempt servers by regular expression.

ssl_exempt_type

-

  • fortiguard-category
  • address
  • address6
  • wildcard-fqdn
  • regex

Match type of this exemption entry: a FortiGuard category, an IPv4 or IPv6 firewall address object, a wildcard FQDN, or a regular expression. Set the ssl_exempt_* value that corresponds to the chosen type.

choice | fortiguard-category | FortiGuard category.

choice | address | Firewall IPv4 address.

choice | address6 | Firewall IPv6 address.

choice | wildcard-fqdn | Fully Qualified Domain Name with wildcard characters.

choice | regex | Regular expression FQDN.

ssl_exempt_wildcard_fqdn

-

Exempt servers by wildcard FQDN.
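The two ways of filling the ssl_exempt table described above, as an added example that is not part of the Ansible documentation or of the module's own tests. It assumes a profile named Deep_Inspection_Strict already exists in the root ADOM, that the address objects internal-servers and internal-servers-v6 exist there, that the inventory group fortimanagers is already set up for the fortimanager httpapi connection plugin, and that the FortiManager API child keys are the Ansible names with the ssl_exempt_ prefix removed and underscores replaced by hyphens (verify that against the JSON API guide for your FortiManager version before relying on it):

```yaml
# Added example: populating ssl-exempt with flat sub-options versus the raw API list.
# Assumptions (not from the page): inventory group "fortimanagers" configured for the
# fortimanager httpapi plugin; profile "Deep_Inspection_Strict" and address objects
# "internal-servers" / "internal-servers-v6" already exist; API keys as noted above.
- hosts: fortimanagers
  connection: httpapi
  gather_facts: no
  tasks:
    # Flat sub-options describe exactly one exemption entry, so this is the
    # "one object per task" form the parameter notes recommend.
    - name: EXEMPT one wildcard FQDN via the ssl_exempt_* sub-options
      fmgr_secprof_ssl_ssh:
        adom: root
        name: Deep_Inspection_Strict
        mode: update                     # touch only the fields given
        ssl_exempt_type: wildcard-fqdn
        ssl_exempt_wildcard_fqdn: "*.update.microsoft.com"

    # The raw list takes several entries in one task. When ssl_exempt is present every
    # ssl_exempt_* sub-option is ignored, so never mix the two forms in one task.
    - name: EXEMPT several servers via the raw ssl_exempt API list
      fmgr_secprof_ssl_ssh:
        adom: root
        name: Deep_Inspection_Strict
        mode: update
        ssl_exempt:
          - type: wildcard-fqdn
            wildcard-fqdn: "*.update.microsoft.com"
          - type: regex
            regex: "^.*\\.banking-example\\.test$"   # escape the dots; this is a regex, not a glob
          - type: address
            address: internal-servers                 # existing IPv4 address object
          - type: address6
            address6: internal-servers-v6             # existing IPv6 address object
          - type: fortiguard-category
            fortiguard-category: 0                    # placeholder ID; look the category up on your FortiManager
```

Every exemption is traffic the FortiGate will not inspect, so after either task read the profile back (the module's api_result carries the FortiManager response) and confirm the ssl-exempt table contains exactly the entries you intended; whether a later flat-sub-option update appends to or replaces an existing table is something to verify on your FortiManager version rather than assume.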

ssl_exemptions_log

-

  • disable
  • enable

Enable/disable logging SSL exemptions.

choice | disable | Disable logging SSL exemptions.

choice | enable | Enable logging SSL exemptions.

ssl_inspect_all

-

  • disable
  • certificate-inspection
  • deep-inspection

Level of SSL inspection.

choice | disable | Disable.

choice | certificate-inspection | Inspect SSL handshake only.

choice | deep-inspection | Full SSL inspection.

ssl_server

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

ssl_server_ftps_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure during the FTPS handshake.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

ssl_server_https_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure during the HTTPS handshake.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

ssl_server_imaps_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure during the IMAPS handshake.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

ssl_server_ip

-

IPv4 address of the SSL server.

ssl_server_pop3s_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure during the POP3S handshake.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

ssl_server_smtps_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure during the SMTPS handshake.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

ssl_server_ssl_other_client_cert_request

-

  • bypass
  • inspect
  • block

Action based on client certificate request failure during an SSL protocol handshake.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

ssl_unsupported_ssl

-

  • bypass
  • inspect
  • block

Action based on the SSL encryption used being unsupported.

choice | bypass | Bypass.

choice | inspect | Inspect.

choice | block | Block.

ssl_untrusted_cert

-

  • allow
  • block
  • ignore

Allow, ignore, or block the untrusted SSL session server certificate.

choice | allow | Allow the untrusted server certificate.

choice | block | Block the connection when an untrusted server certificate is detected.

choice | ignore | Always take the server certificate as trusted.

untrusted_caname

-

Untrusted CA certificate used by SSL inspection to re-sign the certificates of servers whose own certificate failed validation when the corresponding *_untrusted_cert option is allow. Because clients do not trust this CA, they still see a certificate warning for those servers, whereas ignore re-signs them with caname and hides the validation failure from the client entirely.

use_ssl_server

-

  • disable
  • enable

Enable/disable the use of SSL server table for SSL offloading.

choice | disable | Don't use SSL server configuration.

choice | enable | Use SSL server configuration.

whitelist

-

  • disable
  • enable

Enable/disable exempting servers by FortiGuard whitelist.

choice | disable | Disable setting.

choice | enable | Enable setting.



Examples

- name: DELETE Profile
  fmgr_secprof_ssl_ssh:
    name: Ansible_SSL_SSH_Profile
    mode: delete

- name: CREATE Profile
  fmgr_secprof_ssl_ssh:
    name: Ansible_SSL_SSH_Profile
    comment: "Created by Ansible Module TEST"
    mode: set
    mapi_over_https: enable
    rpc_over_https: enable
    server_cert_mode: replace
    ssl_anomalies_log: enable
    ssl_exemptions_log: enable
    use_ssl_server: enable
    whitelist: enable
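The page's CREATE example sets only the profile-level switches. The following is an added example, not part of the Ansible documentation or of the module's own tests, of a complete outbound deep-inspection profile that fails closed on certificate problems, followed by a single-field change using update. It assumes the inventory group fortimanagers is already set up for the fortimanager httpapi connection plugin and that Fortinet_CA_SSL and Fortinet_CA_Untrusted are the CA certificate names on the managed FortiGates (the factory defaults; substitute your enterprise CA):

```yaml
# Added example, not from the Ansible docs. Assumptions: inventory group
# "fortimanagers" configured for the fortimanager httpapi plugin (ansible_network_os,
# credentials); CA names Fortinet_CA_SSL / Fortinet_CA_Untrusted exist on the FortiGates.
- hosts: fortimanagers
  connection: httpapi
  gather_facts: no
  tasks:
    - name: CREATE a fail-closed deep-inspection profile (set = create or overwrite)
      fmgr_secprof_ssl_ssh:
        adom: root
        name: Deep_Inspection_Strict
        comment: "Outbound deep inspection; certificate errors fail closed"
        mode: set
        # certificate handling
        caname: Fortinet_CA_SSL                  # re-signs valid server certs; clients must trust it
        untrusted_caname: Fortinet_CA_Untrusted  # would re-sign failed certs if *_untrusted_cert were allow
        server_cert_mode: re-sign                # many clients to many servers
        ssl_inspect_all: disable                 # inspect only the protocols and ports listed below
        ssl_anomalies_log: enable
        ssl_exemptions_log: enable
        whitelist: enable                        # keep FortiGuard-whitelisted servers out of inspection
        # HTTPS: block (not allow/ignore) on a bad certificate, block (not bypass)
        # when the TLS version or cipher cannot be inspected
        https_status: deep-inspection
        https_ports: 443
        https_allow_invalid_server_cert: disable
        https_untrusted_cert: block
        https_unsupported_ssl: block
        https_client_cert_request: bypass        # mutual TLS cannot be proxied; pass it uninspected
        # mail and FTP over TLS, same posture
        smtps_status: deep-inspection
        smtps_ports: 465
        smtps_allow_invalid_server_cert: disable
        smtps_untrusted_cert: block
        smtps_unsupported_ssl: block
        imaps_status: deep-inspection
        imaps_ports: 993
        imaps_allow_invalid_server_cert: disable
        imaps_untrusted_cert: block
        imaps_unsupported_ssl: block
        pop3s_status: deep-inspection
        pop3s_ports: 995
        pop3s_allow_invalid_server_cert: disable
        pop3s_untrusted_cert: block
        pop3s_unsupported_ssl: block
        ftps_status: deep-inspection
        ftps_ports: 990
        ftps_allow_invalid_server_cert: disable
        ftps_untrusted_cert: block
        ftps_unsupported_ssl: block
        # SSH: strong ciphers only, refuse versions the proxy cannot inspect
        ssh_status: deep-inspection
        ssh_ports: 22
        ssh_ssh_algorithm: high-encryption
        ssh_unsupported_version: block
        ssh_ssh_policy_check: enable
        ssh_ssh_tun_policy_check: enable

    - name: UPDATE one field later without resending the whole profile
      fmgr_secprof_ssl_ssh:
        adom: root
        name: Deep_Inspection_Strict
        mode: update                             # changes only the fields given; fails if the profile is missing
        https_client_cert_request: block         # once no application still needs client certificates
```

Use set for the initial definition so a re-run converges on the same profile, and update for later single-field changes so an incomplete task cannot silently reset the other protocols to their defaults; a run with mode: add against an existing profile fails instead of overwriting it, which is the behaviour you want in a playbook that is only supposed to create.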

Return Values

Common return values are documented in the Ansible return values reference; the field unique to this module is:

Key Returned Description

api_result

string

always

Full FortiManager API response, including the status code and message.





Authors

  • Luke Weighall (@lweighall)
  • Andrew Welsh (@Ghilli3)
  • Jim Huber (@p4r4n0y1ng)



© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fmgr_secprof_ssl_ssh_module.html