fortinet.fortimanager.fmgr_vpn_ssl_settings module – Configure SSL VPN.

Note

This module is part of the fortinet.fortimanager collection (version 2.7.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_vpn_ssl_settings.

New in fortinet.fortimanager 2.1.0

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter

Comments

access_token

string

The token to access FortiManager without using username and password.

bypass_validation

boolean

Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters.

Choices:

  • false ← (default)

  • true

device

string / required

The parameter (device) in requested url.

enable_log

boolean

Enable/Disable logging for task.

Choices:

  • false ← (default)

  • true

forticloud_access_token

string

Authenticate Ansible client with forticloud API access token.

proposed_method

string

The overridden method for the underlying Json RPC request.

Choices:

  • "update"

  • "set"

  • "add"

rc_failed

list / elements=integer

The rc codes list with which the conditions to fail will be overriden.

rc_succeeded

list / elements=integer

The rc codes list with which the conditions to succeed will be overriden.

vdom

string / required

The parameter (vdom) in requested url.

vpn_ssl_settings

dictionary

The top level parameters set.

algorithm

string

Force the SSL VPN security level.

Choices:

  • "default"

  • "high"

  • "low"

  • "medium"

auth-session-check-source-ip

string

Deprecated, please rename it to auth_session_check_source_ip. Enable/disable checking of source IP for authentication session.

Choices:

  • "disable"

  • "enable"

auth-timeout

integer

Deprecated, please rename it to auth_timeout. SSL VPN authentication timeout

authentication-rule

list / elements=dictionary

Deprecated, please rename it to authentication_rule. Authentication rule.

auth

string

SSL VPN authentication method restriction.

Choices:

  • "any"

  • "local"

  • "radius"

  • "ldap"

  • "tacacs+"

  • "peer"

cipher

string

SSL VPN cipher strength.

Choices:

  • "any"

  • "high"

  • "medium"

client-cert

string

Deprecated, please rename it to client_cert. Enable/disable SSL VPN client certificate restrictive.

Choices:

  • "disable"

  • "enable"

groups

any

(list or str) User groups.

id

integer

ID

portal

string

SSL VPN portal.

realm

string

SSL VPN realm.

source-address

any

(list or str) Deprecated, please rename it to source_address. Source address of incoming traffic.

source-address-negate

string

Deprecated, please rename it to source_address_negate. Enable/disable negated source address match.

Choices:

  • "disable"

  • "enable"

source-address6

any

(list or str) Deprecated, please rename it to source_address6. IPv6 source address of incoming traffic.

source-address6-negate

string

Deprecated, please rename it to source_address6_negate. Enable/disable negated source IPv6 address match.

Choices:

  • "disable"

  • "enable"

source-interface

any

(list or str) Deprecated, please rename it to source_interface. SSL VPN source interface of incoming traffic.

user-peer

string

Deprecated, please rename it to user_peer. Name of user peer.

users

any

(list or str) User name.

auto-tunnel-static-route

string

Deprecated, please rename it to auto_tunnel_static_route. Enable/disable to auto-create static routes for the SSL VPN tunn…

Choices:

  • "disable"

  • "enable"

banned-cipher

list / elements=string

Deprecated, please rename it to banned_cipher. Select one or more cipher technologies that cannot be used in SSL VPN negot…

Choices:

  • "RSA"

  • "DH"

  • "DHE"

  • "ECDH"

  • "ECDHE"

  • "DSS"

  • "ECDSA"

  • "AES"

  • "AESGCM"

  • "CAMELLIA"

  • "3DES"

  • "SHA1"

  • "SHA256"

  • "SHA384"

  • "STATIC"

  • "CHACHA20"

  • "ARIA"

  • "AESCCM"

browser-language-detection

string

Deprecated, please rename it to browser_language_detection. Enable/disable overriding the configured system language based…

Choices:

  • "disable"

  • "enable"

check-referer

string

Deprecated, please rename it to check_referer. Enable/disable verification of referer field in HTTP request header.

Choices:

  • "disable"

  • "enable"

ciphersuite

list / elements=string

Select one or more TLS 1.

Choices:

  • "TLS-AES-128-GCM-SHA256"

  • "TLS-AES-256-GCM-SHA384"

  • "TLS-CHACHA20-POLY1305-SHA256"

  • "TLS-AES-128-CCM-SHA256"

  • "TLS-AES-128-CCM-8-SHA256"

client-sigalgs

string

Deprecated, please rename it to client_sigalgs. Set signature algorithms related to client authentication.

Choices:

  • "no-rsa-pss"

  • "all"

default-portal

string

Deprecated, please rename it to default_portal. Default SSL VPN portal.

deflate-compression-level

integer

Deprecated, please rename it to deflate_compression_level. Compression level

deflate-min-data-size

integer

Deprecated, please rename it to deflate_min_data_size. Minimum amount of data that triggers compression

dns-server1

string

Deprecated, please rename it to dns_server1. DNS server 1.

dns-server2

string

Deprecated, please rename it to dns_server2. DNS server 2.

dns-suffix

string

Deprecated, please rename it to dns_suffix. DNS suffix used for SSL VPN clients.

dtls-heartbeat-fail-count

integer

Deprecated, please rename it to dtls_heartbeat_fail_count. Number of missing heartbeats before the connection is considere…

dtls-heartbeat-idle-timeout

integer

Deprecated, please rename it to dtls_heartbeat_idle_timeout. Idle timeout before DTLS heartbeat is sent.

dtls-heartbeat-interval

integer

Deprecated, please rename it to dtls_heartbeat_interval. Interval between DTLS heartbeat.

dtls-hello-timeout

integer

Deprecated, please rename it to dtls_hello_timeout. SSLVPN maximum DTLS hello timeout

dtls-max-proto-ver

string

Deprecated, please rename it to dtls_max_proto_ver. DTLS maximum protocol version.

Choices:

  • "dtls1-0"

  • "dtls1-2"

dtls-min-proto-ver

string

Deprecated, please rename it to dtls_min_proto_ver. DTLS minimum protocol version.

Choices:

  • "dtls1-0"

  • "dtls1-2"

dtls-tunnel

string

Deprecated, please rename it to dtls_tunnel. Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.

Choices:

  • "disable"

  • "enable"

dual-stack-mode

string

Deprecated, please rename it to dual_stack_mode. Tunnel mode

Choices:

  • "disable"

  • "enable"

encode-2f-sequence

string

Deprecated, please rename it to encode_2f_sequence. Encode 2F sequence to forward slash in URLs.

Choices:

  • "disable"

  • "enable"

encrypt-and-store-password

string

Deprecated, please rename it to encrypt_and_store_password. Encrypt and store user passwords for SSL VPN web sessions.

Choices:

  • "disable"

  • "enable"

force-two-factor-auth

string

Deprecated, please rename it to force_two_factor_auth. Enable/disable only PKI users with two-factor authentication for SS…

Choices:

  • "disable"

  • "enable"

header-x-forwarded-for

string

Deprecated, please rename it to header_x_forwarded_for. Forward the same, add, or remove HTTP header.

Choices:

  • "pass"

  • "add"

  • "remove"

hsts-include-subdomains

string

Deprecated, please rename it to hsts_include_subdomains. Add HSTS includeSubDomains response header.

Choices:

  • "disable"

  • "enable"

http-compression

string

Deprecated, please rename it to http_compression. Enable/disable to allow HTTP compression over SSL VPN tunnels.

Choices:

  • "disable"

  • "enable"

string

Deprecated, please rename it to http_only_cookie. Enable/disable SSL VPN support for HttpOnly cookies.

Choices:

  • "disable"

  • "enable"

http-request-body-timeout

integer

Deprecated, please rename it to http_request_body_timeout. SSL VPN session is disconnected if an HTTP request body is not …

http-request-header-timeout

integer

Deprecated, please rename it to http_request_header_timeout. SSL VPN session is disconnected if an HTTP request header is …

https-redirect

string

Deprecated, please rename it to https_redirect. Enable/disable redirect of port 80 to SSL VPN port.

Choices:

  • "disable"

  • "enable"

idle-timeout

integer

Deprecated, please rename it to idle_timeout. SSL VPN disconnects if idle for specified time in seconds.

ipv6-dns-server1

string

Deprecated, please rename it to ipv6_dns_server1. IPv6 DNS server 1.

ipv6-dns-server2

string

Deprecated, please rename it to ipv6_dns_server2. IPv6 DNS server 2.

ipv6-wins-server1

string

Deprecated, please rename it to ipv6_wins_server1. IPv6 WINS server 1.

ipv6-wins-server2

string

Deprecated, please rename it to ipv6_wins_server2. IPv6 WINS server 2.

login-attempt-limit

integer

Deprecated, please rename it to login_attempt_limit. SSL VPN maximum login attempt times before block

login-block-time

integer

Deprecated, please rename it to login_block_time. Time for which a user is blocked from logging in after too many failed l…

login-timeout

integer

Deprecated, please rename it to login_timeout. SSLVPN maximum login timeout

port

integer

SSL VPN access port

port-precedence

string

Deprecated, please rename it to port_precedence. Enable/disable, Enable means that if SSL VPN connections are allowed on a…

Choices:

  • "disable"

  • "enable"

reqclientcert

string

Enable/disable to require client certificates for all SSL VPN users.

Choices:

  • "disable"

  • "enable"

route-source-interface

string

Deprecated, please rename it to route_source_interface. Enable/disable to allow SSL VPN sessions to bypass routing and bin…

Choices:

  • "disable"

  • "enable"

saml-redirect-port

integer

Deprecated, please rename it to saml_redirect_port. SAML local redirect port in the machine running FortiClient

server-hostname

string

Deprecated, please rename it to server_hostname. Server hostname for HTTPS.

servercert

string

Name of the server certificate to be used for SSL VPNs.

source-address

any

(list or str) Deprecated, please rename it to source_address. Source address of incoming traffic.

source-address-negate

string

Deprecated, please rename it to source_address_negate. Enable/disable negated source address match.

Choices:

  • "disable"

  • "enable"

source-address6

any

(list or str) Deprecated, please rename it to source_address6. IPv6 source address of incoming traffic.

source-address6-negate

string

Deprecated, please rename it to source_address6_negate. Enable/disable negated source IPv6 address match.

Choices:

  • "disable"

  • "enable"

source-interface

any

(list or str) Deprecated, please rename it to source_interface. SSL VPN source interface of incoming traffic.

ssl-big-buffer

string

Deprecated, please rename it to ssl_big_buffer. Disable using the big SSLv3 buffer feature to save memory and force higher…

Choices:

  • "disable"

  • "enable"

ssl-client-renegotiation

string

Deprecated, please rename it to ssl_client_renegotiation. Enable/disable to allow client renegotiation by the server if th…

Choices:

  • "disable"

  • "enable"

ssl-insert-empty-fragment

string

Deprecated, please rename it to ssl_insert_empty_fragment. Enable/disable insertion of empty fragment.

Choices:

  • "disable"

  • "enable"

ssl-max-proto-ver

string

Deprecated, please rename it to ssl_max_proto_ver. SSL maximum protocol version.

Choices:

  • "tls1-0"

  • "tls1-1"

  • "tls1-2"

  • "tls1-3"

ssl-min-proto-ver

string

Deprecated, please rename it to ssl_min_proto_ver. SSL minimum protocol version.

Choices:

  • "tls1-0"

  • "tls1-1"

  • "tls1-2"

  • "tls1-3"

sslv3

string

Sslv3.

Choices:

  • "disable"

  • "enable"

status

string

Enable/disable SSL-VPN.

Choices:

  • "disable"

  • "enable"

tlsv1-0

string

Deprecated, please rename it to tlsv1_0. Enable/disable TLSv1.

Choices:

  • "disable"

  • "enable"

tlsv1-1

string

Deprecated, please rename it to tlsv1_1. Enable/disable TLSv1.

Choices:

  • "disable"

  • "enable"

tlsv1-2

string

Deprecated, please rename it to tlsv1_2. Enable/disable TLSv1.

Choices:

  • "disable"

  • "enable"

tlsv1-3

string

Deprecated, please rename it to tlsv1_3. Tlsv1 3.

Choices:

  • "disable"

  • "enable"

transform-backward-slashes

string

Deprecated, please rename it to transform_backward_slashes. Transform backward slashes to forward slashes in URLs.

Choices:

  • "disable"

  • "enable"

tunnel-addr-assigned-method

string

Deprecated, please rename it to tunnel_addr_assigned_method. Method used for assigning address for tunnel.

Choices:

  • "first-available"

  • "round-robin"

tunnel-connect-without-reauth

string

Deprecated, please rename it to tunnel_connect_without_reauth. Enable/disable tunnel connection without re-authorization i…

Choices:

  • "disable"

  • "enable"

tunnel-ip-pools

any

(list or str) Deprecated, please rename it to tunnel_ip_pools. Names of the IPv4 IP Pool firewall objects that define the …

tunnel-ipv6-pools

any

(list or str) Deprecated, please rename it to tunnel_ipv6_pools. Names of the IPv6 IP Pool firewall objects that define th…

tunnel-user-session-timeout

integer

Deprecated, please rename it to tunnel_user_session_timeout. Time out value to clean up user session after tunnel connecti…

unsafe-legacy-renegotiation

string

Deprecated, please rename it to unsafe_legacy_renegotiation. Enable/disable unsafe legacy re-negotiation.

Choices:

  • "disable"

  • "enable"

url-obscuration

string

Deprecated, please rename it to url_obscuration. Enable/disable to obscure the host name of the URL of the web browser dis…

Choices:

  • "disable"

  • "enable"

user-peer

string

Deprecated, please rename it to user_peer. Name of user peer.

web-mode-snat

string

Deprecated, please rename it to web_mode_snat. Enable/disable use of IP pools defined in firewall policy while using web-mode.

Choices:

  • "disable"

  • "enable"

wins-server1

string

Deprecated, please rename it to wins_server1. WINS server 1.

wins-server2

string

Deprecated, please rename it to wins_server2. WINS server 2.

x-content-type-options

string

Deprecated, please rename it to x_content_type_options. Add HTTP X-Content-Type-Options header.

Choices:

  • "disable"

  • "enable"

ztna-trusted-client

string

Deprecated, please rename it to ztna_trusted_client. Enable/disable verification of device certificate for SSLVPN ZTNA ses…

Choices:

  • "disable"

  • "enable"

workspace_locking_adom

string

The adom to lock for FortiManager running in workspace mode, the value can be global and others including root.

workspace_locking_timeout

integer

The maximum time in seconds to wait for other user to release the workspace lock.

Default: 300

Notes

Note

  • Starting in version 2.4.0, all input arguments are named using the underscore naming convention (snake_case). Please change the arguments such as “var-name” to “var_name”. Old argument names are still available yet you will receive deprecation warnings. You can ignore this warning by setting deprecation_warnings=False in ansible.cfg.

  • Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.

  • Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL VPN.
      fortinet.fortimanager.fmgr_vpn_ssl_settings:
        # bypass_validation: false
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        vpn_ssl_settings:
          algorithm: <value in [default, high, low, ...]>
          auth_session_check_source_ip: <value in [disable, enable]>
          auth_timeout: <integer>
          authentication_rule:
            -
              auth: <value in [any, local, radius, ...]>
              cipher: <value in [any, high, medium]>
              client_cert: <value in [disable, enable]>
              groups: <list or string>
              id: <integer>
              portal: <string>
              realm: <string>
              source_address: <list or string>
              source_address_negate: <value in [disable, enable]>
              source_address6: <list or string>
              source_address6_negate: <value in [disable, enable]>
              source_interface: <list or string>
              user_peer: <string>
              users: <list or string>
          auto_tunnel_static_route: <value in [disable, enable]>
          banned_cipher:
            - RSA
            - DH
            - DHE
            - ECDH
            - ECDHE
            - DSS
            - ECDSA
            - AES
            - AESGCM
            - CAMELLIA
            - 3DES
            - SHA1
            - SHA256
            - SHA384
            - STATIC
            - CHACHA20
            - ARIA
            - AESCCM
          check_referer: <value in [disable, enable]>
          default_portal: <string>
          deflate_compression_level: <integer>
          deflate_min_data_size: <integer>
          dns_server1: <string>
          dns_server2: <string>
          dns_suffix: <string>
          dtls_hello_timeout: <integer>
          dtls_max_proto_ver: <value in [dtls1-0, dtls1-2]>
          dtls_min_proto_ver: <value in [dtls1-0, dtls1-2]>
          dtls_tunnel: <value in [disable, enable]>
          encode_2f_sequence: <value in [disable, enable]>
          encrypt_and_store_password: <value in [disable, enable]>
          force_two_factor_auth: <value in [disable, enable]>
          header_x_forwarded_for: <value in [pass, add, remove]>
          hsts_include_subdomains: <value in [disable, enable]>
          http_compression: <value in [disable, enable]>
          http_only_cookie: <value in [disable, enable]>
          http_request_body_timeout: <integer>
          http_request_header_timeout: <integer>
          https_redirect: <value in [disable, enable]>
          idle_timeout: <integer>
          ipv6_dns_server1: <string>
          ipv6_dns_server2: <string>
          ipv6_wins_server1: <string>
          ipv6_wins_server2: <string>
          login_attempt_limit: <integer>
          login_block_time: <integer>
          login_timeout: <integer>
          port: <integer>
          port_precedence: <value in [disable, enable]>
          reqclientcert: <value in [disable, enable]>
          route_source_interface: <value in [disable, enable]>
          servercert: <string>
          source_address: <list or string>
          source_address_negate: <value in [disable, enable]>
          source_address6: <list or string>
          source_address6_negate: <value in [disable, enable]>
          source_interface: <list or string>
          ssl_client_renegotiation: <value in [disable, enable]>
          ssl_insert_empty_fragment: <value in [disable, enable]>
          ssl_max_proto_ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          ssl_min_proto_ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          tlsv1_0: <value in [disable, enable]>
          tlsv1_1: <value in [disable, enable]>
          tlsv1_2: <value in [disable, enable]>
          tlsv1_3: <value in [disable, enable]>
          transform_backward_slashes: <value in [disable, enable]>
          tunnel_connect_without_reauth: <value in [disable, enable]>
          tunnel_ip_pools: <list or string>
          tunnel_ipv6_pools: <list or string>
          tunnel_user_session_timeout: <integer>
          unsafe_legacy_renegotiation: <value in [disable, enable]>
          url_obscuration: <value in [disable, enable]>
          user_peer: <string>
          wins_server1: <string>
          wins_server2: <string>
          x_content_type_options: <value in [disable, enable]>
          sslv3: <value in [disable, enable]>
          ssl_big_buffer: <value in [disable, enable]>
          client_sigalgs: <value in [no-rsa-pss, all]>
          ciphersuite:
            - TLS-AES-128-GCM-SHA256
            - TLS-AES-256-GCM-SHA384
            - TLS-CHACHA20-POLY1305-SHA256
            - TLS-AES-128-CCM-SHA256
            - TLS-AES-128-CCM-8-SHA256
          dual_stack_mode: <value in [disable, enable]>
          tunnel_addr_assigned_method: <value in [first-available, round-robin]>
          browser_language_detection: <value in [disable, enable]>
          saml_redirect_port: <integer>
          status: <value in [disable, enable]>
          web_mode_snat: <value in [disable, enable]>
          ztna_trusted_client: <value in [disable, enable]>
          dtls_heartbeat_fail_count: <integer>
          dtls_heartbeat_idle_timeout: <integer>
          dtls_heartbeat_interval: <integer>
          server_hostname: <string>

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

meta

dictionary

The result of the request.

Returned: always

request_url

string

The full url requested.

Returned: always

Sample: "/sys/login/user"

response_code

integer

The status of api request.

Returned: always

Sample: 0

response_data

list / elements=string

The api response.

Returned: always

response_message

string

The descriptive message of the api response.

Returned: always

Sample: "OK."

system_information

dictionary

The information of the target system.

Returned: always

rc

integer

The status the request.

Returned: always

Sample: 0

version_check_warning

list / elements=string

Warning if the parameters used in the playbook are not supported by the current FortiManager version.

Returned: complex

Authors

  • Xinwei Du (@dux-fortinet)

  • Xing Li (@lix-fortinet)

  • Jie Xue (@JieX19)

  • Link Zheng (@chillancezen)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)