fortios_vpn_ssl_web_portal – Portal in Fortinet’s FortiOS and FortiGate




New in version 2.8.


Synopsis

  • This module is able to configure a FortiGate or FortiOS device by allowing the user to set and modify the vpn_ssl_web feature and portal category. The examples include all parameters; values need to be adjusted to your datasources before use. Tested with FOS v6.0.2.

Requirements

The requirements below are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments

host

- / required

FortiOS or FortiGate ip address.

https

boolean

  • no
  • yes

Indicates whether the requests towards the FortiGate must use the HTTPS protocol.

password

-

Default:

""

FortiOS or FortiGate password.

username

- / required

FortiOS or FortiGate username.

vdom

-

Default:

"root"

Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

vpn_ssl_web_portal

-

Default:

null

Portal.

allow-user-access

-

  • web
  • ftp
  • smb
  • telnet
  • ssh
  • vnc
  • rdp
  • ping
  • citrix
  • portforward

Allow user access to SSL-VPN applications.

auto-connect

-

  • enable
  • disable

Enable/disable automatic connect by client when system is up.

bookmark-group

-

Portal bookmark group.

bookmarks

-

Bookmark table.

additional-params

-

Additional parameters.

apptype

-

  • citrix
  • ftp
  • portforward
  • rdp
  • smb
  • ssh
  • telnet
  • vnc
  • web

Application type.

description

-

Description.

folder

-

Network shared file folder parameter.

form-data

-

Form data.

name

- / required

Name.

value

-

Value.

host

-

Host name/IP parameter.

listening-port

-

Listening port (0 - 65535).

load-balancing-info

-

The load balancing information or cookie which should be provided to the connection broker.

logon-password

-

Logon password.

logon-user

-

Logon user.

name

- / required

Bookmark name.

port

-

Remote port.

preconnection-blob

-

An arbitrary string which identifies the RDP source.

preconnection-id

-

The numeric ID of the RDP source (0-2147483648).

remote-port

-

Remote port (0 - 65535).

security

-

  • rdp
  • nla
  • tls
  • any

Security mode for RDP connection.

server-layout

-

  • de-de-qwertz
  • en-gb-qwerty
  • en-us-qwerty
  • es-es-qwerty
  • fr-fr-azerty
  • fr-ch-qwertz
  • it-it-qwerty
  • ja-jp-qwerty
  • pt-br-qwerty
  • sv-se-qwerty
  • tr-tr-qwerty
  • failsafe

Server side keyboard layout.

show-status-window

-

  • enable
  • disable

Enable/disable showing of status window.

sso

-

  • disable
  • static
  • auto

Single Sign-On.

sso-credential

-

  • sslvpn-login
  • alternative

Single sign-on credentials.

sso-credential-sent-once

-

  • enable
  • disable

Single sign-on credentials are only sent once to remote server.

sso-password

-

SSO password.

sso-username

-

SSO user name.

url

-

URL parameter.

name

- / required

Bookmark group name.

custom-lang

-

Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files. Source system.custom-language.name.

customize-forticlient-download-url

-

  • enable
  • disable

Enable support of customized download URL for FortiClient.

display-bookmark

-

  • enable
  • disable

Enable to display the web portal bookmark widget.

display-connection-tools

-

  • enable
  • disable

Enable to display the web portal connection tools widget.

display-history

-

  • enable
  • disable

Enable to display the web portal user login history widget.

display-status

-

  • enable
  • disable

Enable to display the web portal status widget.

dns-server1

-

IPv4 DNS server 1.

dns-server2

-

IPv4 DNS server 2.

dns-suffix

-

DNS suffix.

exclusive-routing

-

  • enable
  • disable

Enable/disable forcing all traffic through the tunnel only.

forticlient-download

-

  • enable
  • disable

Enable/disable download option for FortiClient.

forticlient-download-method

-

  • direct
  • ssl-vpn

FortiClient download method.

heading

-

Web portal heading message.

hide-sso-credential

-

  • enable
  • disable

Enable to prevent SSO credential being sent to client.

host-check

-

  • none
  • av
  • fw
  • av-fw
  • custom

Type of host checking performed on endpoints.

host-check-interval

-

Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects.

host-check-policy

-

One or more policies to require the endpoint to have specific security software.

name

- / required

Host check software list name. Source vpn.ssl.web.host-check-software.name.

ip-mode

-

  • range
  • user-group

Method by which users of this SSL-VPN tunnel obtain IP addresses.

ip-pools

-

IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.

name

- / required

Address name. Source firewall.address.name firewall.addrgrp.name.

ipv6-dns-server1

-

IPv6 DNS server 1.

ipv6-dns-server2

-

IPv6 DNS server 2.

ipv6-exclusive-routing

-

  • enable
  • disable

Enable/disable forcing all IPv6 traffic through the tunnel only.

ipv6-pools

-

IPv6 firewall source address objects reserved for SSL-VPN tunnel mode clients.

name

- / required

Address name. Source firewall.address6.name firewall.addrgrp6.name.

ipv6-service-restriction

-

  • enable
  • disable

Enable/disable IPv6 tunnel service restriction.

ipv6-split-tunneling

-

  • enable
  • disable

Enable/disable IPv6 split tunneling.

ipv6-split-tunneling-routing-address

-

IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

name

- / required

Address name. Source firewall.address6.name firewall.addrgrp6.name.

ipv6-tunnel-mode

-

  • enable
  • disable

Enable/disable IPv6 SSL-VPN tunnel mode.

ipv6-wins-server1

-

IPv6 WINS server 1.

ipv6-wins-server2

-

IPv6 WINS server 2.

keep-alive

-

  • enable
  • disable

Enable/disable automatic reconnect for FortiClient connections.

limit-user-logins

-

  • enable
  • disable

Enable to limit each user to one SSL-VPN session at a time.

mac-addr-action

-

  • allow
  • deny

Client MAC address action.

mac-addr-check

-

  • enable
  • disable

Enable/disable MAC address host checking.

mac-addr-check-rule

-

Client MAC address check rule.

mac-addr-list

-

Client MAC address list.

addr

- / required

Client MAC address.

mac-addr-mask

-

Client MAC address mask.

name

- / required

Client MAC address check rule name.

macos-forticlient-download-url

-

Download URL for Mac FortiClient.

name

- / required

Portal name.

os-check

-

  • enable
  • disable

Enable to let the FortiGate decide action based on client OS.

os-check-list

-

SSL VPN OS checks.

action

-

  • deny
  • allow
  • check-up-to-date

OS check options.

latest-patch-level

-

Latest OS patch level.

name

- / required

Name.

tolerance

-

OS patch level tolerance.

redir-url

-

Client login redirect URL.

save-password

-

  • enable
  • disable

Enable/disable FortiClient saving the user's password.

service-restriction

-

  • enable
  • disable

Enable/disable tunnel service restriction.

skip-check-for-unsupported-browser

-

  • enable
  • disable

Enable to skip host check if browser does not support it.

skip-check-for-unsupported-os

-

  • enable
  • disable

Enable to skip host check if client OS does not support it.

smb-ntlmv1-auth

-

  • enable
  • disable

Enable support of NTLMv1 for Samba authentication.

smbv1

-

  • enable
  • disable

Enable/disable support of SMBv1 for Samba.

split-dns

-

Split DNS for SSL VPN.

dns-server1

-

DNS server 1.

dns-server2

-

DNS server 2.

domains

-

Split DNS domains used for SSL-VPN clients separated by comma(,).

id

- / required

ID.

ipv6-dns-server1

-

IPv6 DNS server 1.

ipv6-dns-server2

-

IPv6 DNS server 2.

split-tunneling

-

  • enable
  • disable

Enable/disable IPv4 split tunneling.

split-tunneling-routing-address

-

IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

name

- / required

Address name. Source firewall.address.name firewall.addrgrp.name.

state

-

  • present
  • absent

Indicates whether to create or remove the object.

theme

-

  • blue
  • green
  • red
  • melongene
  • mariner

Web portal color scheme.

tunnel-mode

-

  • enable
  • disable

Enable/disable IPv4 SSL-VPN tunnel mode.

user-bookmark

-

  • enable
  • disable

Enable to allow web portal users to create their own bookmarks.

user-group-bookmark

-

  • enable
  • disable

Enable to allow web portal users to create bookmarks for all users in the same user group.

web-mode

-

  • enable
  • disable

Enable/disable SSL VPN web mode.

windows-forticlient-download-url

-

Download URL for Windows FortiClient.

wins-server1

-

IPv4 WINS server 1.

wins-server2

-

IPv4 WINS server 2.



Notes

Note

  • Requires the fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook


Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Portal.
    fortios_vpn_ssl_web_portal:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      vpn_ssl_web_portal:
        state: "present"
        allow-user-access: "web"
        auto-connect: "enable"
        bookmark-group:
         -
            bookmarks:
             -
                additional-params: "<your_own_value>"
                apptype: "citrix"
                description: "<your_own_value>"
                folder: "<your_own_value>"
                form-data:
                 -
                    name: "default_name_12"
                    value: "<your_own_value>"
                host: "<your_own_value>"
                listening-port: "15"
                load-balancing-info: "<your_own_value>"
                logon-password: "<your_own_value>"
                logon-user: "<your_own_value>"
                name: "default_name_19"
                port: "20"
                preconnection-blob: "<your_own_value>"
                preconnection-id: "22"
                remote-port: "23"
                security: "rdp"
                server-layout: "de-de-qwertz"
                show-status-window: "enable"
                sso: "disable"
                sso-credential: "sslvpn-login"
                sso-credential-sent-once: "enable"
                sso-password: "<your_own_value>"
                sso-username: "<your_own_value>"
                url: "myurl.com"
            name: "default_name_33"
        custom-lang: "<your_own_value> (source system.custom-language.name)"
        customize-forticlient-download-url: "enable"
        display-bookmark: "enable"
        display-connection-tools: "enable"
        display-history: "enable"
        display-status: "enable"
        dns-server1: "<your_own_value>"
        dns-server2: "<your_own_value>"
        dns-suffix: "<your_own_value>"
        exclusive-routing: "enable"
        forticlient-download: "enable"
        forticlient-download-method: "direct"
        heading: "<your_own_value>"
        hide-sso-credential: "enable"
        host-check: "none"
        host-check-interval: "49"
        host-check-policy:
         -
            name: "default_name_51 (source vpn.ssl.web.host-check-software.name)"
        ip-mode: "range"
        ip-pools:
         -
            name: "default_name_54 (source firewall.address.name firewall.addrgrp.name)"
        ipv6-dns-server1: "<your_own_value>"
        ipv6-dns-server2: "<your_own_value>"
        ipv6-exclusive-routing: "enable"
        ipv6-pools:
         -
            name: "default_name_59 (source firewall.address6.name firewall.addrgrp6.name)"
        ipv6-service-restriction: "enable"
        ipv6-split-tunneling: "enable"
        ipv6-split-tunneling-routing-address:
         -
            name: "default_name_63 (source firewall.address6.name firewall.addrgrp6.name)"
        ipv6-tunnel-mode: "enable"
        ipv6-wins-server1: "<your_own_value>"
        ipv6-wins-server2: "<your_own_value>"
        keep-alive: "enable"
        limit-user-logins: "enable"
        mac-addr-action: "allow"
        mac-addr-check: "enable"
        mac-addr-check-rule:
         -
            mac-addr-list:
             -
                addr: "<your_own_value>"
            mac-addr-mask: "74"
            name: "default_name_75"
        macos-forticlient-download-url: "<your_own_value>"
        name: "default_name_77"
        os-check: "enable"
        os-check-list:
         -
            action: "deny"
            latest-patch-level: "<your_own_value>"
            name: "default_name_82"
            tolerance: "83"
        redir-url: "<your_own_value>"
        save-password: "enable"
        service-restriction: "enable"
        skip-check-for-unsupported-browser: "enable"
        skip-check-for-unsupported-os: "enable"
        smb-ntlmv1-auth: "enable"
        smbv1: "enable"
        split-dns:
         -
            dns-server1: "<your_own_value>"
            dns-server2: "<your_own_value>"
            domains: "<your_own_value>"
            id:  "95"
            ipv6-dns-server1: "<your_own_value>"
            ipv6-dns-server2: "<your_own_value>"
        split-tunneling: "enable"
        split-tunneling-routing-address:
         -
            name: "default_name_100 (source firewall.address.name firewall.addrgrp.name)"
        theme: "blue"
        tunnel-mode: "enable"
        user-bookmark: "enable"
        user-group-bookmark: "enable"
        web-mode: "enable"
        windows-forticlient-download-url: "<your_own_value>"
        wins-server1: "<your_own_value>"
        wins-server2: "<your_own_value>"
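The example playbook above enables several settings a reviewer would question on a production portal (smbv1, smb-ntlmv1-auth, save-password, a bookmark that carries a stored logon password, and host-check set to "none" alongside tunnel mode). The following is an added example, not part of the Ansible module, Fortinet's code or this page: a Python pre-flight check that walks the vpn_ssl_web_portal mapping a playbook would hand to the module, reports weak settings, validates the numeric ranges the parameter table documents, and can flip the weak enable/disable values to their safer choice. The rule set, severities, the recommendation text and the SAMPLE_PORTAL dictionary are constructed here; only the parameter names and ranges come from the module documentation.

```python
"""Pre-flight hardening check for a fortios_vpn_ssl_web_portal parameter mapping.

Added example: not part of the Ansible module, Fortinet's code, or the page.
The rule set, severities and the sample portal are constructed here; the
parameter names and documented ranges come from the module's parameter table.
"""
from typing import Any, Dict, List, Optional, Tuple

# A finding is (severity, parameter path, message).
Finding = Tuple[str, str, str]

# enable/disable parameters where the listed value weakens the portal. The
# reasoning text is this example's own recommendation, not a statement on the page.
WEAK_VALUES: Dict[str, Tuple[str, str]] = {
    "smbv1": ("enable", "SMBv1 enabled for Samba bookmarks; prefer SMBv2 or later"),
    "smb-ntlmv1-auth": ("enable", "NTLMv1 enabled for Samba authentication; NTLMv1 is cryptographically weak"),
    "save-password": ("enable", "FortiClient may store the user's password on the endpoint"),
    "limit-user-logins": ("disable", "one user may hold several concurrent SSL-VPN sessions"),
    "user-group-bookmark": ("enable", "users can publish bookmarks, including stored logon data, to their whole group"),
}

# Numeric bookmark fields with the ranges documented in the parameter table.
BOOKMARK_RANGES: Dict[str, Tuple[int, int]] = {
    "listening-port": (0, 65535),
    "remote-port": (0, 65535),
    "preconnection-id": (0, 2147483648),
}


def _as_int(value: Any) -> Optional[int]:
    """Playbook values often arrive as strings ("15"); parse or return None."""
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return None


def _is(portal: Dict[str, Any], key: str, value: str) -> bool:
    """Case-insensitive comparison of one portal parameter against a choice value."""
    return str(portal.get(key, "")).strip().lower() == value


def check_portal(portal: Dict[str, Any]) -> List[Finding]:
    """Return findings for one vpn_ssl_web_portal mapping; an empty list means clean."""
    findings: List[Finding] = []

    for key, (bad, why) in WEAK_VALUES.items():
        if _is(portal, key, bad):
            findings.append(("warn", key, why))

    # host-check "none" admits any endpoint; that matters most when tunnel mode is on.
    if _is(portal, "host-check", "none") and _is(portal, "tunnel-mode", "enable"):
        findings.append(("warn", "host-check", "tunnel mode enabled without any endpoint host check"))

    # A MAC check with no rules is an inconsistent configuration worth a second look.
    if _is(portal, "mac-addr-check", "enable") and not portal.get("mac-addr-check-rule"):
        findings.append(("error", "mac-addr-check", "enabled but no mac-addr-check-rule entries supplied"))

    interval = _as_int(portal.get("host-check-interval", 0))
    if interval is None or interval < 0:
        findings.append(("error", "host-check-interval", "must be a non-negative integer (0 disables periodic checks)"))

    # Walk bookmark-group[].bookmarks[] for range errors and stored credentials.
    for gi, group in enumerate(portal.get("bookmark-group") or []):
        for bi, bm in enumerate(group.get("bookmarks") or []):
            path = f"bookmark-group[{gi}].bookmarks[{bi}]"
            for fld, (lo, hi) in BOOKMARK_RANGES.items():
                if fld in bm:
                    n = _as_int(bm[fld])
                    if n is None or not lo <= n <= hi:
                        findings.append(("error", f"{path}.{fld}", f"{bm[fld]!r} is outside {lo}-{hi}"))
            # A password stored in a bookmark is handed to every user who can see it.
            if bm.get("logon-password") or bm.get("sso-password"):
                findings.append(("warn", path, "bookmark carries a stored logon/SSO password"))

    return findings


def harden(portal: Dict[str, Any]) -> Dict[str, Any]:
    """Shallow copy of the mapping with every WEAK_VALUES setting flipped to its safer choice."""
    fixed = dict(portal)
    for key, (bad, _) in WEAK_VALUES.items():
        if _is(fixed, key, bad):
            fixed[key] = "disable" if bad == "enable" else "enable"
    return fixed


# Constructed sample, modelled on the example playbook's vpn_ssl_web_portal block.
SAMPLE_PORTAL: Dict[str, Any] = {
    "name": "portal-example",
    "tunnel-mode": "enable",
    "host-check": "none",
    "host-check-interval": "49",
    "smbv1": "enable",
    "smb-ntlmv1-auth": "enable",
    "save-password": "enable",
    "limit-user-logins": "enable",
    "user-group-bookmark": "enable",
    "mac-addr-check": "enable",
    "mac-addr-check-rule": [{"name": "corp-laptops", "mac-addr-mask": "48",
                             "mac-addr-list": [{"addr": "00:11:22:33:44:55"}]}],
    "bookmark-group": [{"name": "default-group", "bookmarks": [{
        "name": "rdp-jump", "apptype": "rdp", "host": "10.0.0.5",
        "listening-port": "15", "remote-port": "70000", "preconnection-id": "22",
        "logon-user": "svc-rdp", "logon-password": "placeholder-secret",
    }]}],
}

if __name__ == "__main__":
    for sev, where, msg in check_portal(SAMPLE_PORTAL):
        print(f"[{sev}] {where}: {msg}")
```

Run on the constructed sample, the check reports seven findings: four weak enable/disable values, the missing host check, the out-of-range remote-port, and the stored bookmark password. harden() clears the first four; the remaining three need a human decision (a host-check policy, a valid port, and whether the bookmark should carry credentials at all), which is why they are reported rather than rewritten.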

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key Returned Description

build

string

always

Build number of the FortiGate image


Sample:

1547

http_method

string

always

Last method used to provision the content into FortiGate


Sample:

PUT

http_status

string

always

Last result given by FortiGate on last operation applied


Sample:

200

mkey

string

success

Master key (id) used in the last call to FortiGate


Sample:

id

name

string

always

Name of the table used to fulfill the request


Sample:

urlfilter

path

string

always

Path of the table used to fulfill the request


Sample:

webfilter

revision

string

always

Internal revision number


Sample:

17.0.2.10658

serial

string

always

Serial number of the unit


Sample:

FGVMEVYYQT3AB5352

status

string

always

Indication of the operation's result


Sample:

success

vdom

string

always

Virtual domain used


Sample:

root

version

string

always

Version of the FortiGate


Sample:

v5.6.3




Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)



© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fortios_vpn_ssl_web_portal_module.html