fortios_system_admin – Configure admin users in Fortinet’s FortiOS and FortiGate


New in version 2.8.


Synopsis

  • This module configures a FortiGate or FortiOS device by letting the user set and modify the admin category of the system feature. The examples include every parameter; the values need to be adjusted to match your own data sources before use. Tested with FOS v6.0.2.

Requirements

The requirements below must be installed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter (choices / default): Comments

host (required): FortiOS or FortiGate IP address.
https (boolean; choices: no, yes): Indicates whether the requests towards the FortiGate must use the HTTPS protocol.
password (default: ""): FortiOS or FortiGate password.
system_admin (default: null): Configure admin users. Sub-parameters:
    accprofile: Access profile for this administrator. Access profiles control administrator access to FortiGate features. Source system.accprofile.name.
    accprofile-override (choices: enable, disable): Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.
    allow-remove-admin-session (choices: enable, disable): Enable/disable allowing this admin's session to be removed by privileged admin users.
    comments: Comment.
    email-to: This administrator's email address.
    force-password-change (choices: enable, disable): Enable/disable a forced password change on next login.
    fortitoken: This administrator's FortiToken serial number.
    guest-auth (choices: disable, enable): Enable/disable guest authentication.
    guest-lang: Guest management portal language. Source system.custom-language.name.
    guest-usergroups: Select guest user groups.
        name (required): Select guest user groups.
    gui-dashboard: GUI dashboards.
        columns: Number of columns.
        id (required): Dashboard ID.
        layout-type (choices: responsive, fixed): Layout type.
        name: Dashboard name.
        scope (choices: global, vdom): Dashboard scope.
        widget: Dashboard widgets.
            fabric-device: Fabric device to monitor.
            filters: FortiView filters.
                id (required): FortiView filter ID.
                key: Filter key.
                value: Filter value.
            height: Height.
            id (required): Widget ID.
            industry (choices: default, custom): Security Audit Rating industry.
            interface: Interface to monitor. Source system.interface.name.
            region (choices: default, custom): Security Audit Rating region.
            report-by (choices: source, destination, country, intfpair, srcintf, dstintf, policy, wificlient, shaper, endpoint-vulnerability, endpoint-device, application, cloud-app, cloud-user, web-domain, web-category, web-search-phrase, threat, system, unauth, admin, vpn): Field to aggregate the data by.
            sort-by: Field to sort the data by.
            timeframe (choices: realtime, 5min, hour, day, week): Timeframe period of reported data.
            title: Widget title.
            type (choices: sysinfo, licinfo, vminfo, forticloud, cpu-usage, memory-usage, disk-usage, log-rate, sessions, session-rate, tr-history, analytics, usb-modem, admins, security-fabric, security-fabric-ranking, ha-status, vulnerability-summary, host-scan-summary, fortiview, botnet-activity, fortimail): Widget type.
            visualization (choices: table, bubble, country, chord): Visualization to use.
            width: Width.
            x-pos: X position.
            y-pos: Y position.
    gui-global-menu-favorites: Favorite GUI menu IDs for the global VDOM.
        id (required): Select menu ID.
    gui-vdom-menu-favorites: Favorite GUI menu IDs for VDOMs.
        id (required): Select menu ID.
    hidden: Admin user hidden attribute.
    history0: history0
    history1: history1
    ip6-trusthost1, ip6-trusthost2, ip6-trusthost3, ip6-trusthost4, ip6-trusthost5, ip6-trusthost6, ip6-trusthost7, ip6-trusthost8, ip6-trusthost9, ip6-trusthost10: Any IPv6 address from which the administrator can connect to the FortiGate unit. The default allows access from any IPv6 address.
    login-time: Record user login time.
        last-failed-login: Last failed login time.
        last-login: Last successful login time.
        usr-name (required): User name.
    name (required): User name.
    password: Admin user password.
    password-expire: Password expiry time.
    peer-auth (choices: enable, disable): Set to enable peer certificate authentication (for HTTPS admin access).
    peer-group: Name of a peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).
    radius-vdom-override (choices: enable, disable): Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.
    remote-auth (choices: enable, disable): Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.
    remote-group: User group name used for remote authentication.
    schedule: Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.
    sms-custom-server: Custom SMS server to send SMS messages to. Source system.sms-server.name.
    sms-phone: Phone number on which the administrator receives SMS messages.
    sms-server (choices: fortiguard, custom): Send SMS messages using the FortiGuard SMS server or a custom server.
    ssh-certificate: Select the certificate to be used by the FortiGate for authentication with an SSH client. Source certificate.local.name.
    ssh-public-key1, ssh-public-key2, ssh-public-key3: Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
    state (choices: present, absent): Indicates whether to create or remove the object.
    trusthost1, trusthost2, trusthost3, trusthost4, trusthost5, trusthost6, trusthost7, trusthost8, trusthost9, trusthost10: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. The default allows access from any IPv4 address.
    two-factor (choices: disable, fortitoken, email, sms): Enable/disable two-factor authentication.
    vdom: Virtual domain(s) that the administrator can access.
        name (required): Virtual domain name. Source system.vdom.name.
    wildcard (choices: enable, disable): Enable/disable wildcard RADIUS authentication.
username (required): FortiOS or FortiGate username.
vdom (default: "root"): Virtual domain, among those defined previously. A VDOM is a virtual instance of the FortiGate that can be configured and used as a separate unit.



Notes

  • Requires the fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook


Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure admin users.
    fortios_system_admin:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      system_admin:
        state: "present"
        accprofile: "<your_own_value> (source system.accprofile.name)"
        accprofile-override: "enable"
        allow-remove-admin-session: "enable"
        comments: "<your_own_value>"
        email-to: "<your_own_value>"
        force-password-change: "enable"
        fortitoken: "<your_own_value>"
        guest-auth: "disable"
        guest-lang: "<your_own_value> (source system.custom-language.name)"
        guest-usergroups:
         -
            name: "default_name_13"
        gui-dashboard:
         -
            columns: "15"
            id:  "16"
            layout-type: "responsive"
            name: "default_name_18"
            scope: "global"
            widget:
             -
                fabric-device: "<your_own_value>"
                filters:
                 -
                    id:  "23"
                    key: "<your_own_value>"
                    value: "<your_own_value>"
                height: "26"
                id:  "27"
                industry: "default"
                interface: "<your_own_value> (source system.interface.name)"
                region: "default"
                report-by: "source"
                sort-by: "<your_own_value>"
                timeframe: "realtime"
                title: "<your_own_value>"
                type: "sysinfo"
                visualization: "table"
                width: "37"
                x-pos: "38"
                y-pos: "39"
        gui-global-menu-favorites:
         -
            id:  "41"
        gui-vdom-menu-favorites:
         -
            id:  "43"
        hidden: "44"
        history0: "<your_own_value>"
        history1: "<your_own_value>"
        ip6-trusthost1: "<your_own_value>"
        ip6-trusthost10: "<your_own_value>"
        ip6-trusthost2: "<your_own_value>"
        ip6-trusthost3: "<your_own_value>"
        ip6-trusthost4: "<your_own_value>"
        ip6-trusthost5: "<your_own_value>"
        ip6-trusthost6: "<your_own_value>"
        ip6-trusthost7: "<your_own_value>"
        ip6-trusthost8: "<your_own_value>"
        ip6-trusthost9: "<your_own_value>"
        login-time:
         -
            last-failed-login: "<your_own_value>"
            last-login: "<your_own_value>"
            usr-name: "<your_own_value>"
        name: "default_name_61"
        password: "<your_own_value>"
        password-expire: "<your_own_value>"
        peer-auth: "enable"
        peer-group: "<your_own_value>"
        radius-vdom-override: "enable"
        remote-auth: "enable"
        remote-group: "<your_own_value>"
        schedule: "<your_own_value>"
        sms-custom-server: "<your_own_value> (source system.sms-server.name)"
        sms-phone: "<your_own_value>"
        sms-server: "fortiguard"
        ssh-certificate: "<your_own_value> (source certificate.local.name)"
        ssh-public-key1: "<your_own_value>"
        ssh-public-key2: "<your_own_value>"
        ssh-public-key3: "<your_own_value>"
        trusthost1: "<your_own_value>"
        trusthost10: "<your_own_value>"
        trusthost2: "<your_own_value>"
        trusthost3: "<your_own_value>"
        trusthost4: "<your_own_value>"
        trusthost5: "<your_own_value>"
        trusthost6: "<your_own_value>"
        trusthost7: "<your_own_value>"
        trusthost8: "<your_own_value>"
        trusthost9: "<your_own_value>"
        two-factor: "disable"
        vdom:
         -
            name: "default_name_89 (source system.vdom.name)"
        wildcard: "enable"
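A hardened variant of the example above, added here and not part of the original module documentation: it creates a read-only SOC administrator who can only log in over HTTPS from one management subnet, with two-factor authentication and a forced password change on first login, and then removes a stale account with state absent. The access profile, subnet, schedule, token serial, account names and Vault variables are assumptions.

```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: "{{ vault_fortigate_password }}"   # assumed: supplied from an Ansible Vault file, not stored in clear text
    vdom: "root"
  tasks:
  - name: Create a read-only SOC auditor restricted to the management subnet
    fortios_system_admin:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      https: true                               # never send admin credentials over plain HTTP
      system_admin:
        state: "present"
        name: "soc-auditor"                     # assumed account name
        password: "{{ vault_soc_auditor_initial_password }}"   # assumed Vault variable
        force-password-change: "enable"         # the initial secret is replaced on first login
        accprofile: "audit_readonly"            # assumed profile defined under system.accprofile
        trusthost1: "10.20.30.0 255.255.255.0"  # assumed management subnet; all other IPv4 sources are refused
        two-factor: "fortitoken"
        fortitoken: "FTK_SERIAL_PLACEHOLDER"    # placeholder for the token serial assigned to this user
        allow-remove-admin-session: "disable"
        schedule: "business_hours"              # assumed firewall schedule object limiting login hours
        vdom:
          - name: "root"
        comments: "SOC read-only account, managed by Ansible"

  - name: Remove a departed contractor's admin account
    fortios_system_admin:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      https: true
      system_admin:
        state: "absent"
        name: "contractor-old"                  # assumed name of the account to remove
```

The ip6-trusthost entries are left at their default here, which per the parameter table still allows access from any IPv6 address; if IPv6 administrative access is enabled on the management interface, restrict them the same way.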

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key (type, returned): Description. Sample value.

build (string, always): Build number of the FortiGate image. Sample: 1547
http_method (string, always): Last method used to provision the content into the FortiGate. Sample: PUT
http_status (string, always): Last result given by the FortiGate on the last operation applied. Sample: 200
mkey (string, success): Master key (id) used in the last call to the FortiGate. Sample: id
name (string, always): Name of the table used to fulfil the request. Sample: urlfilter
path (string, always): Path of the table used to fulfil the request. Sample: webfilter
revision (string, always): Internal revision number. Sample: 17.0.2.10658
serial (string, always): Serial number of the unit. Sample: FGVMEVYYQT3AB5352
status (string, always): Indication of the operation's result. Sample: success
vdom (string, always): Virtual domain used. Sample: root
version (string, always): Version of the FortiGate. Sample: v5.6.3




Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)


© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fortios_system_admin_module.html