fortios_endpoint_control_profile – Configure FortiClient endpoint control profiles in Fortinet’s FortiOS and FortiGate

From Get docs
Ansible/docs/2.8/modules/fortios endpoint control profile module


fortios_endpoint_control_profile – Configure FortiClient endpoint control profiles in Fortinet’s FortiOS and FortiGate

New in version 2.8.


Synopsis

  • This module is able to configure a FortiGate or FortiOS by allowing the user to configure endpoint_control feature and profile category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments

endpoint_control_profile

-

Default:

null

Configure FortiClient endpoint control profiles.

description

-

Description.

device-groups

-

Device groups.

name

- / required

Device group object from available options. Source user.device-group.name user.device-category.name.

forticlient-android-settings

-

FortiClient settings for Android platform.

disable-wf-when-protected

-

  • enable
  • disable

Enable/disable FortiClient web category filtering when protected by FortiGate.

forticlient-advanced-vpn

-

  • enable
  • disable

Enable/disable advanced FortiClient VPN configuration.

forticlient-advanced-vpn-buffer

-

Advanced FortiClient VPN configuration.

forticlient-vpn-provisioning

-

  • enable
  • disable

Enable/disable FortiClient VPN provisioning.

forticlient-vpn-settings

-

FortiClient VPN settings.

auth-method

-

  • psk
  • certificate

Authentication method.

name

- / required

VPN name.

preshared-key

-

Pre-shared secret for PSK authentication.

remote-gw

-

IP address or FQDN of the remote VPN gateway.

sslvpn-access-port

-

SSL VPN access port (1 - 65535).

sslvpn-require-certificate

-

  • enable
  • disable

Enable/disable requiring SSL VPN client certificate.

type

-

  • ipsec
  • ssl

VPN type (IPsec or SSL VPN).

forticlient-wf

-

  • enable
  • disable

Enable/disable FortiClient web filtering.

forticlient-wf-profile

-

The FortiClient web filter profile to apply. Source webfilter.profile.name.

forticlient-ios-settings

-

FortiClient settings for iOS platform.

client-vpn-provisioning

-

  • enable
  • disable

FortiClient VPN provisioning.

client-vpn-settings

-

FortiClient VPN settings.

auth-method

-

  • psk
  • certificate

Authentication method.

name

- / required

VPN name.

preshared-key

-

Pre-shared secret for PSK authentication.

remote-gw

-

IP address or FQDN of the remote VPN gateway.

sslvpn-access-port

-

SSL VPN access port (1 - 65535).

sslvpn-require-certificate

-

  • enable
  • disable

Enable/disable requiring SSL VPN client certificate.

type

-

  • ipsec
  • ssl

VPN type (IPsec or SSL VPN).

vpn-configuration-content

-

Content of VPN configuration.

vpn-configuration-name

-

Name of VPN configuration.

configuration-content

-

Content of configuration profile.

configuration-name

-

Name of configuration profile.

disable-wf-when-protected

-

  • enable
  • disable

Enable/disable FortiClient web category filtering when protected by FortiGate.

distribute-configuration-profile

-

  • enable
  • disable

Enable/disable configuration profile (.mobileconfig file) distribution.

forticlient-wf

-

  • enable
  • disable

Enable/disable FortiClient web filtering.

forticlient-wf-profile

-

The FortiClient web filter profile to apply. Source webfilter.profile.name.

forticlient-winmac-settings

-

FortiClient settings for Windows/Mac platform.

av-realtime-protection

-

  • enable
  • disable

Enable/disable FortiClient AntiVirus real-time protection.

av-signature-up-to-date

-

  • enable
  • disable

Enable/disable FortiClient AV signature updates.

forticlient-application-firewall

-

  • enable
  • disable

Enable/disable the FortiClient application firewall.

forticlient-application-firewall-list

-

FortiClient application firewall rule list. Source application.list.name.

forticlient-av

-

  • enable
  • disable

Enable/disable FortiClient AntiVirus scanning.

forticlient-ems-compliance

-

  • enable
  • disable

Enable/disable FortiClient Enterprise Management Server (EMS) compliance.

forticlient-ems-compliance-action

-

  • block
  • warning

FortiClient EMS compliance action.

forticlient-ems-entries

-

FortiClient EMS entries.

name

- / required

FortiClient EMS name. Source endpoint-control.forticlient-ems.name.

forticlient-linux-ver

-

Minimum FortiClient Linux version.

forticlient-log-upload

-

  • enable
  • disable

Enable/disable uploading FortiClient logs.

forticlient-log-upload-level

-

  • traffic
  • vulnerability
  • event

Select the FortiClient logs to upload.

forticlient-log-upload-server

-

IP address or FQDN of the server to which to upload FortiClient logs.

forticlient-mac-ver

-

Minimum FortiClient Mac OS version.

forticlient-minimum-software-version

-

  • enable
  • disable

Enable/disable requiring clients to run FortiClient with a minimum software version number.

forticlient-operating-system

-

FortiClient operating system.

id

- / required

Operating system entry ID.

os-name

-

Customize operating system name or Mac OS format:x.x.x

os-type

-

  • custom
  • mac-os
  • win-7
  • win-80
  • win-81
  • win-10
  • win-2000
  • win-home-svr
  • win-svr-10
  • win-svr-2003
  • win-svr-2003-r2
  • win-svr-2008
  • win-svr-2008-r2
  • win-svr-2012
  • win-svr-2012-r2
  • win-sto-svr-2003
  • win-vista
  • win-xp
  • ubuntu-linux
  • centos-linux
  • redhat-linux
  • fedora-linux

Operating system type.

forticlient-own-file

-

Checking the path and filename of the FortiClient application.

file

-

File path and name.

id

- / required

File ID.

forticlient-registration-compliance-action

-

  • block
  • warning

FortiClient registration compliance action.

forticlient-registry-entry

-

FortiClient registry entry.

id

- / required

Registry entry ID.

registry-entry

-

Registry entry.

forticlient-running-app

-

Use FortiClient to verify if the listed applications are running on the client.

app-name

-

Application name.

app-sha256-signature

-

App's SHA256 signature.

app-sha256-signature2

-

App's SHA256 Signature.

app-sha256-signature3

-

App's SHA256 Signature.

app-sha256-signature4

-

App's SHA256 Signature.

application-check-rule

-

  • present
  • absent

Application check rule.

id

- / required

Application ID.

process-name

-

Process name.

process-name2

-

Process name.

process-name3

-

Process name.

process-name4

-

Process name.

forticlient-security-posture

-

  • enable
  • disable

Enable/disable FortiClient security posture check options.

forticlient-security-posture-compliance-action

-

  • block
  • warning

FortiClient security posture compliance action.

forticlient-system-compliance

-

  • enable
  • disable

Enable/disable enforcement of FortiClient system compliance.

forticlient-system-compliance-action

-

  • block
  • warning

Block or warn clients not compliant with FortiClient requirements.

forticlient-vuln-scan

-

  • enable
  • disable

Enable/disable FortiClient vulnerability scanning.

forticlient-vuln-scan-compliance-action

-

  • block
  • warning

FortiClient vulnerability compliance action.

forticlient-vuln-scan-enforce

-

  • critical
  • high
  • medium
  • low
  • info

Configure the level of the vulnerability found that causes a FortiClient vulnerability compliance action.

forticlient-vuln-scan-enforce-grace

-

FortiClient vulnerability scan enforcement grace period (0 - 30 days, default = 1).

forticlient-vuln-scan-exempt

-

  • enable
  • disable

Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.

forticlient-wf

-

  • enable
  • disable

Enable/disable FortiClient web filtering.

forticlient-wf-profile

-

The FortiClient web filter profile to apply. Source webfilter.profile.name.

forticlient-win-ver

-

Minimum FortiClient Windows version.

os-av-software-installed

-

  • enable
  • disable

Enable/disable checking for OS recognized AntiVirus software.

sandbox-address

-

FortiSandbox address.

sandbox-analysis

-

  • enable
  • disable

Enable/disable sending files to FortiSandbox for analysis.

on-net-addr

-

Addresses for on-net detection.

name

- / required

Address object from available options. Source firewall.address.name firewall.addrgrp.name.

profile-name

- / required

Profile name.

replacemsg-override-group

-

Select an endpoint control replacement message override group from available options. Source system.replacemsg-group.name.

src-addr

-

Source addresses.

name

- / required

Address object from available options. Source firewall.address.name firewall.addrgrp.name.

state

-

  • present
  • absent

Indicates whether to create or remove the object

user-groups

-

User groups.

name

- / required

User group name. Source user.group.name.

users

-

Users.

name

- / required

User name. Source user.local.name.

host

- / required

FortiOS or FortiGate ip address.

https

boolean

  • no

  • yes

Indicates if the requests towards FortiGate must use HTTPS protocol

password

-

Default:

""

FortiOS or FortiGate password.

username

- / required

FortiOS or FortiGate username.

vdom

-

Default:

"root"

Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.



Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook


Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure FortiClient endpoint control profiles.
    fortios_endpoint_control_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      endpoint_control_profile:
        state: "present"
        description: "<your_own_value>"
        device-groups:
         -
            name: "default_name_5 (source user.device-group.name user.device-category.name)"
        forticlient-android-settings:
            disable-wf-when-protected: "enable"
            forticlient-advanced-vpn: "enable"
            forticlient-advanced-vpn-buffer: "<your_own_value>"
            forticlient-vpn-provisioning: "enable"
            forticlient-vpn-settings:
             -
                auth-method: "psk"
                name: "default_name_13"
                preshared-key: "<your_own_value>"
                remote-gw: "<your_own_value>"
                sslvpn-access-port: "16"
                sslvpn-require-certificate: "enable"
                type: "ipsec"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
        forticlient-ios-settings:
            client-vpn-provisioning: "enable"
            client-vpn-settings:
             -
                auth-method: "psk"
                name: "default_name_25"
                preshared-key: "<your_own_value>"
                remote-gw: "<your_own_value>"
                sslvpn-access-port: "28"
                sslvpn-require-certificate: "enable"
                type: "ipsec"
                vpn-configuration-content: "<your_own_value>"
                vpn-configuration-name: "<your_own_value>"
            configuration-content: "<your_own_value>"
            configuration-name: "<your_own_value>"
            disable-wf-when-protected: "enable"
            distribute-configuration-profile: "enable"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
        forticlient-winmac-settings:
            av-realtime-protection: "enable"
            av-signature-up-to-date: "enable"
            forticlient-application-firewall: "enable"
            forticlient-application-firewall-list: "<your_own_value> (source application.list.name)"
            forticlient-av: "enable"
            forticlient-ems-compliance: "enable"
            forticlient-ems-compliance-action: "block"
            forticlient-ems-entries:
             -
                name: "default_name_48 (source endpoint-control.forticlient-ems.name)"
            forticlient-linux-ver: "<your_own_value>"
            forticlient-log-upload: "enable"
            forticlient-log-upload-level: "traffic"
            forticlient-log-upload-server: "<your_own_value>"
            forticlient-mac-ver: "<your_own_value>"
            forticlient-minimum-software-version: "enable"
            forticlient-operating-system:
             -
                id:  "56"
                os-name: "<your_own_value>"
                os-type: "custom"
            forticlient-own-file:
             -
                file: "<your_own_value>"
                id:  "61"
            forticlient-registration-compliance-action: "block"
            forticlient-registry-entry:
             -
                id:  "64"
                registry-entry: "<your_own_value>"
            forticlient-running-app:
             -
                app-name: "<your_own_value>"
                app-sha256-signature: "<your_own_value>"
                app-sha256-signature2: "<your_own_value>"
                app-sha256-signature3: "<your_own_value>"
                app-sha256-signature4: "<your_own_value>"
                application-check-rule: "present"
                id:  "73"
                process-name: "<your_own_value>"
                process-name2: "<your_own_value>"
                process-name3: "<your_own_value>"
                process-name4: "<your_own_value>"
            forticlient-security-posture: "enable"
            forticlient-security-posture-compliance-action: "block"
            forticlient-system-compliance: "enable"
            forticlient-system-compliance-action: "block"
            forticlient-vuln-scan: "enable"
            forticlient-vuln-scan-compliance-action: "block"
            forticlient-vuln-scan-enforce: "critical"
            forticlient-vuln-scan-enforce-grace: "85"
            forticlient-vuln-scan-exempt: "enable"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
            forticlient-win-ver: "<your_own_value>"
            os-av-software-installed: "enable"
            sandbox-address: "<your_own_value>"
            sandbox-analysis: "enable"
        on-net-addr:
         -
            name: "default_name_94 (source firewall.address.name firewall.addrgrp.name)"
        profile-name: "<your_own_value>"
        replacemsg-override-group: "<your_own_value> (source system.replacemsg-group.name)"
        src-addr:
         -
            name: "default_name_98 (source firewall.address.name firewall.addrgrp.name)"
        user-groups:
         -
            name: "default_name_100 (source user.group.name)"
        users:
         -
            name: "default_name_102 (source user.local.name)"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description

build

string

always

Build number of the fortigate image


Sample:

1547

http_method

string

always

Last method used to provision the content into FortiGate


Sample:

PUT

http_status

string

always

Last result given by FortiGate on last operation applied


Sample:

200

mkey

string

success

Master key (id) used in the last call to FortiGate


Sample:

id

name

string

always

Name of the table used to fulfill the request


Sample:

urlfilter

path

string

always

Path of the table used to fulfill the request


Sample:

webfilter

revision

string

always

Internal revision number


Sample:

17.0.2.10658

serial

string

always

Serial number of the unit


Sample:

FGVMEVYYQT3AB5352

status

string

always

Indication of the operation's result


Sample:

success

vdom

string

always

Virtual domain used


Sample:

root

version

string

always

Version of the FortiGate


Sample:

v5.6.3




Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.


© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fortios_endpoint_control_profile_module.html