fortios_firewall_policy – Configure IPv4 policies in Fortinet’s FortiOS and FortiGate
fortios_firewall_policy – Configure IPv4 policies in Fortinet’s FortiOS and FortiGate
New in version 2.8.
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and policy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5
Requirements
The below requirements are needed on the host that executes this module.
- fortiosapi>=0.9.8
Parameters
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
|
firewall_policy dictionary |
Default: null |
Configure IPv4 policies. | ||
|
action string |
|
Policy action (allow/deny/ipsec). | ||
|
app_category list |
Application category ID list. | |||
|
id integer / required |
Category IDs. | |||
|
app_group list |
Application group names. | |||
|
name string / required |
Application group names. Source application.group.name. | |||
|
application list |
Application ID list. | |||
|
id integer / required |
Application IDs. | |||
|
application_list string |
Name of an existing Application list. Source application.list.name. | |||
|
auth_cert string |
HTTPS server certificate for policy authentication. Source vpn.certificate.local.name. | |||
|
auth_path string |
|
Enable/disable authentication-based routing. | ||
|
auth_redirect_addr string |
HTTP-to-HTTPS redirect address for firewall authentication. | |||
|
av_profile string |
Name of an existing Antivirus profile. Source antivirus.profile.name. | |||
|
block_notification string |
|
Enable/disable block notification. | ||
|
captive_portal_exempt string |
|
Enable to exempt some users from the captive portal. | ||
|
capture_packet string |
|
Enable/disable capture packets. | ||
|
comments string |
Comment. | |||
|
custom_log_fields list |
Custom fields to append to log messages for this policy. | |||
|
field_id string |
Custom log field. Source log.custom-field.id. | |||
|
delay_tcp_npu_session string |
|
Enable TCP NPU session delay to guarantee packet order of 3-way handshake. | ||
|
devices list |
Names of devices or device groups that can be matched by the policy. | |||
|
name string / required |
Device or group name. Source user.device.alias user.device-group.name user.device-category.name. | |||
|
diffserv_forward string |
|
Enable to change packet's DiffServ values to the specified diffservcode-forward value. | ||
|
diffserv_reverse string |
|
Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. | ||
|
diffservcode_forward string |
Change packet's DiffServ to this value. | |||
|
diffservcode_rev string |
Change packet's reverse (reply) DiffServ to this value. | |||
|
disclaimer string |
|
Enable/disable user authentication disclaimer. | ||
|
dlp_sensor string |
Name of an existing DLP sensor. Source dlp.sensor.name. | |||
|
dnsfilter_profile string |
Name of an existing DNS filter profile. Source dnsfilter.profile.name. | |||
|
dscp_match string |
|
Enable DSCP check. | ||
|
dscp_negate string |
|
Enable negated DSCP match. | ||
|
dscp_value string |
DSCP value. | |||
|
dsri string |
|
Enable DSRI to ignore HTTP server responses. | ||
|
dstaddr list |
Destination address and address group names. | |||
|
name string / required |
Address name. Source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name. | |||
|
dstaddr_negate string |
|
When enabled dstaddr specifies what the destination address must NOT be. | ||
|
dstintf list |
Outgoing (egress) interface. | |||
|
name string / required |
Interface name. Source system.interface.name system.zone.name. | |||
|
firewall_session_dirty string |
|
How to handle sessions if the configuration of this firewall policy changes. | ||
|
fixedport string |
|
Enable to prevent source NAT from changing a session's source port. | ||
|
fsso string |
|
Enable/disable Fortinet Single Sign-On. | ||
|
fsso_agent_for_ntlm string |
FSSO agent to use for NTLM authentication. Source user.fsso.name. | |||
|
global_label string |
Label for the policy that appears when the GUI is in Global View mode. | |||
|
groups list |
Names of user groups that can authenticate with this policy. | |||
|
name string / required |
Group name. Source user.group.name. | |||
|
icap_profile string |
Name of an existing ICAP profile. Source icap.profile.name. | |||
|
identity_based_route string |
Name of identity-based routing rule. Source firewall.identity-based-route.name. | |||
|
inbound string |
|
Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. | ||
|
internet_service string |
|
Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. | ||
|
internet_service_custom list |
Custom Internet Service name. | |||
|
name string / required |
Custom Internet Service name. Source firewall.internet-service-custom.name. | |||
|
internet_service_id list |
Internet Service ID. | |||
|
id integer / required |
Internet Service ID. Source firewall.internet-service.id. | |||
|
internet_service_negate string |
|
When enabled internet-service specifies what the service must NOT be. | ||
|
internet_service_src string |
|
Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. | ||
|
internet_service_src_custom list |
Custom Internet Service source name. | |||
|
name string / required |
Custom Internet Service name. Source firewall.internet-service-custom.name. | |||
|
internet_service_src_id list |
Internet Service source ID. | |||
|
id integer / required |
Internet Service ID. Source firewall.internet-service.id. | |||
|
internet_service_src_negate string |
|
When enabled internet-service-src specifies what the service must NOT be. | ||
|
ippool string |
|
Enable to use IP Pools for source NAT. | ||
|
ips_sensor string |
Name of an existing IPS sensor. Source ips.sensor.name. | |||
|
label string |
Label for the policy that appears when the GUI is in Section View mode. | |||
|
learning_mode string |
|
Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. | ||
|
logtraffic string |
|
Enable or disable logging. Log all sessions or security profile sessions. | ||
|
logtraffic_start string |
|
Record logs when a session starts and ends. | ||
|
match_vip string |
|
Enable to match packets that have had their destination addresses changed by a VIP. | ||
|
name string |
Policy name. | |||
|
nat string |
|
Enable/disable source NAT. | ||
|
natinbound string |
|
Policy-based IPsec VPN: apply destination NAT to inbound traffic. | ||
|
natip string |
Policy-based IPsec VPN: source NAT IP address for outgoing traffic. | |||
|
natoutbound string |
|
Policy-based IPsec VPN: apply source NAT to outbound traffic. | ||
|
ntlm string |
|
Enable/disable NTLM authentication. | ||
|
ntlm_enabled_browsers list |
HTTP-User-Agent value of supported browsers. | |||
|
user_agent_string string |
User agent string. | |||
|
ntlm_guest string |
|
Enable/disable NTLM guest user access. | ||
|
outbound string |
|
Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. | ||
|
per_ip_shaper string |
Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name. | |||
|
permit_any_host string |
|
Accept UDP packets from any host. | ||
|
permit_stun_host string |
|
Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. | ||
|
policyid integer / required |
Policy ID. | |||
|
poolname list |
IP Pool names. | |||
|
name string / required |
IP pool name. Source firewall.ippool.name. | |||
|
profile_group string |
Name of profile group. Source firewall.profile-group.name. | |||
|
profile_protocol_options string |
Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name. | |||
|
profile_type string |
|
Determine whether the firewall policy allows security profile groups or single profiles only. | ||
|
radius_mac_auth_bypass string |
|
Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. | ||
|
redirect_url string |
URL users are directed to after seeing and accepting the disclaimer or authenticating. | |||
|
replacemsg_override_group string |
Override the default replacement message group for this policy. Source system.replacemsg-group.name. | |||
|
rsso string |
|
Enable/disable RADIUS single sign-on (RSSO). | ||
|
rtp_addr list |
Address names if this is an RTP NAT policy. | |||
|
name string / required |
Address name. Source firewall.address.name firewall.addrgrp.name. | |||
|
rtp_nat string |
|
Enable Real Time Protocol (RTP) NAT. | ||
|
scan_botnet_connections string |
|
Block or monitor connections to Botnet servers or disable Botnet scanning. | ||
|
schedule string |
Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name. | |||
|
schedule_timeout string |
|
Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. | ||
|
send_deny_packet string |
|
Enable to send a reply when a session is denied or blocked by a firewall policy. | ||
|
service list |
Service and service group names. | |||
|
name string / required |
Service and service group names. Source firewall.service.custom.name firewall.service.group.name. | |||
|
service_negate string |
|
When enabled service specifies what the service must NOT be. | ||
|
session_ttl integer |
TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). | |||
|
spamfilter_profile string |
Name of an existing Spam filter profile. Source spamfilter.profile.name. | |||
|
srcaddr list |
Source address and address group names. | |||
|
name string / required |
Address name. Source firewall.address.name firewall.addrgrp.name. | |||
|
srcaddr_negate string |
|
When enabled srcaddr specifies what the source address must NOT be. | ||
|
srcintf list |
Incoming (ingress) interface. | |||
|
name string / required |
Interface name. Source system.interface.name system.zone.name. | |||
|
ssh_filter_profile string |
Name of an existing SSH filter profile. Source ssh-filter.profile.name. | |||
|
ssl_mirror string |
|
Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). | ||
|
ssl_mirror_intf list |
SSL mirror interface name. | |||
|
name string / required |
Mirror Interface name. Source system.interface.name system.zone.name. | |||
|
ssl_ssh_profile string |
Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name. | |||
|
state string |
|
Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object. | ||
|
status string |
|
Enable or disable this policy. | ||
|
tcp_mss_receiver integer |
Receiver TCP maximum segment size (MSS). | |||
|
tcp_mss_sender integer |
Sender TCP maximum segment size (MSS). | |||
|
tcp_session_without_syn string |
|
Enable/disable creation of TCP session without SYN flag. | ||
|
timeout_send_rst string |
|
Enable/disable sending RST packets when TCP sessions expire. | ||
|
traffic_shaper string |
Traffic shaper. Source firewall.shaper.traffic-shaper.name. | |||
|
traffic_shaper_reverse string |
Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name. | |||
|
url_category list |
URL category ID list. | |||
|
id integer / required |
URL category ID. | |||
|
users list |
Names of individual users that can authenticate with this policy. | |||
|
name string / required |
Names of individual users that can authenticate with this policy. Source user.local.name. | |||
|
utm_status string |
|
Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. | ||
|
uuid string |
Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | |||
|
vlan_cos_fwd integer |
VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. | |||
|
vlan_cos_rev integer |
VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.. | |||
|
vlan_filter string |
Set VLAN filters. | |||
|
voip_profile string |
Name of an existing VoIP profile. Source voip.profile.name. | |||
|
vpntunnel string |
Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name. | |||
|
waf_profile string |
Name of an existing Web application firewall profile. Source waf.profile.name. | |||
|
wanopt string |
|
Enable/disable WAN optimization. | ||
|
wanopt_detection string |
|
WAN optimization auto-detection mode. | ||
|
wanopt_passive_opt string |
|
WAN optimization passive mode options. This option decides what IP address will be used to connect server. | ||
|
wanopt_peer string |
WAN optimization peer. Source wanopt.peer.peer-host-id. | |||
|
wanopt_profile string |
WAN optimization profile. Source wanopt.profile.name. | |||
|
wccp string |
|
Enable/disable forwarding traffic matching this policy to a configured WCCP server. | ||
|
webcache string |
|
Enable/disable web cache. | ||
|
webcache_https string |
|
Enable/disable web cache for HTTPS. | ||
|
webfilter_profile string |
Name of an existing Web filter profile. Source webfilter.profile.name. | |||
|
wsso string |
|
Enable/disable WiFi Single Sign On (WSSO). | ||
|
host string |
FortiOS or FortiGate IP address. | |||
|
https boolean |
|
Indicates if the requests towards FortiGate must use HTTPS protocol. | ||
|
password string |
Default: "" |
FortiOS or FortiGate password. | ||
|
ssl_verify boolean added in 2.9 |
|
Ensures FortiGate certificate must be verified by a proper CA. | ||
|
state string added in 2.9 |
|
Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level. | ||
|
username string |
FortiOS or FortiGate username. | |||
|
vdom string |
Default: "root" |
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |
Notes
Note
- Requires fortiosapi library developed by Fortinet
- Run as a local_action in your playbook
Examples
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
ssl_verify: "False"
tasks:
- name: Configure IPv4 policies.
fortios_firewall_policy:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
state: "present"
firewall_policy:
action: "accept"
app_category:
-
id: "5"
app_group:
-
name: "default_name_7 (source application.group.name)"
application:
-
id: "9"
application_list: "<your_own_value> (source application.list.name)"
auth_cert: "<your_own_value> (source vpn.certificate.local.name)"
auth_path: "enable"
auth_redirect_addr: "<your_own_value>"
av_profile: "<your_own_value> (source antivirus.profile.name)"
block_notification: "enable"
captive_portal_exempt: "enable"
capture_packet: "enable"
comments: "<your_own_value>"
custom_log_fields:
-
field_id: "<your_own_value> (source log.custom-field.id)"
delay_tcp_npu_session: "enable"
devices:
-
name: "default_name_23 (source user.device.alias user.device-group.name user.device-category.name)"
diffserv_forward: "enable"
diffserv_reverse: "enable"
diffservcode_forward: "<your_own_value>"
diffservcode_rev: "<your_own_value>"
disclaimer: "enable"
dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
dnsfilter_profile: "<your_own_value> (source dnsfilter.profile.name)"
dscp_match: "enable"
dscp_negate: "enable"
dscp_value: "<your_own_value>"
dsri: "enable"
dstaddr:
-
name: "default_name_36 (source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name)"
dstaddr_negate: "enable"
dstintf:
-
name: "default_name_39 (source system.interface.name system.zone.name)"
firewall_session_dirty: "check-all"
fixedport: "enable"
fsso: "enable"
fsso_agent_for_ntlm: "<your_own_value> (source user.fsso.name)"
global_label: "<your_own_value>"
groups:
-
name: "default_name_46 (source user.group.name)"
icap_profile: "<your_own_value> (source icap.profile.name)"
identity_based_route: "<your_own_value> (source firewall.identity-based-route.name)"
inbound: "enable"
internet_service: "enable"
internet_service_custom:
-
name: "default_name_52 (source firewall.internet-service-custom.name)"
internet_service_id:
-
id: "54 (source firewall.internet-service.id)"
internet_service_negate: "enable"
internet_service_src: "enable"
internet_service_src_custom:
-
name: "default_name_58 (source firewall.internet-service-custom.name)"
internet_service_src_id:
-
id: "60 (source firewall.internet-service.id)"
internet_service_src_negate: "enable"
ippool: "enable"
ips_sensor: "<your_own_value> (source ips.sensor.name)"
label: "<your_own_value>"
learning_mode: "enable"
logtraffic: "all"
logtraffic_start: "enable"
match_vip: "enable"
name: "default_name_69"
nat: "enable"
natinbound: "enable"
natip: "<your_own_value>"
natoutbound: "enable"
ntlm: "enable"
ntlm_enabled_browsers:
-
user_agent_string: "<your_own_value>"
ntlm_guest: "enable"
outbound: "enable"
per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
permit_any_host: "enable"
permit_stun_host: "enable"
policyid: "82"
poolname:
-
name: "default_name_84 (source firewall.ippool.name)"
profile_group: "<your_own_value> (source firewall.profile-group.name)"
profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
profile_type: "single"
radius_mac_auth_bypass: "enable"
redirect_url: "<your_own_value>"
replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
rsso: "enable"
rtp_addr:
-
name: "default_name_93 (source firewall.address.name firewall.addrgrp.name)"
rtp_nat: "disable"
scan_botnet_connections: "disable"
schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
schedule_timeout: "enable"
send_deny_packet: "disable"
service:
-
name: "default_name_100 (source firewall.service.custom.name firewall.service.group.name)"
service_negate: "enable"
session_ttl: "102"
spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
srcaddr:
-
name: "default_name_105 (source firewall.address.name firewall.addrgrp.name)"
srcaddr_negate: "enable"
srcintf:
-
name: "default_name_108 (source system.interface.name system.zone.name)"
ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
ssl_mirror: "enable"
ssl_mirror_intf:
-
name: "default_name_112 (source system.interface.name system.zone.name)"
ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
status: "enable"
tcp_mss_receiver: "115"
tcp_mss_sender: "116"
tcp_session_without_syn: "all"
timeout_send_rst: "enable"
traffic_shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
traffic_shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
url_category:
-
id: "122"
users:
-
name: "default_name_124 (source user.local.name)"
utm_status: "enable"
uuid: "<your_own_value>"
vlan_cos_fwd: "127"
vlan_cos_rev: "128"
vlan_filter: "<your_own_value>"
voip_profile: "<your_own_value> (source voip.profile.name)"
vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
waf_profile: "<your_own_value> (source waf.profile.name)"
wanopt: "enable"
wanopt_detection: "active"
wanopt_passive_opt: "default"
wanopt_peer: "<your_own_value> (source wanopt.peer.peer-host-id)"
wanopt_profile: "<your_own_value> (source wanopt.profile.name)"
wccp: "enable"
webcache: "enable"
webcache_https: "disable"
webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
wsso: "enable"Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
build string |
always |
Build number of the fortigate image
Sample: 1547 |
|
http_method string |
always |
Last method used to provision the content into FortiGate
Sample: PUT |
|
http_status string |
always |
Last result given by FortiGate on last operation applied
Sample: 200 |
|
mkey string |
success |
Master key (id) used in the last call to FortiGate
Sample: id |
|
name string |
always |
Name of the table used to fulfill the request
Sample: urlfilter |
|
path string |
always |
Path of the table used to fulfill the request
Sample: webfilter |
|
revision string |
always |
Internal revision number
Sample: 17.0.2.10658 |
|
serial string |
always |
Serial number of the unit
Sample: FGVMEVYYQT3AB5352 |
|
status string |
always |
Indication of the operation's result
Sample: success |
|
vdom string |
always |
Virtual domain used
Sample: root |
|
version string |
always |
Version of the FortiGate
Sample: v5.6.3 |
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_firewall_policy_module.html
