fortinet.fortios.fortios_ztna_traffic_forward_proxy module – Configure ZTNA traffic forward proxy in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.3.8).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_ztna_traffic_forward_proxy.
New in fortinet.fortios 2.0.0
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify ztna feature and traffic_forward_proxy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.15
Parameters
Parameter |
Comments |
|---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: |
|
Configure ZTNA traffic forward proxy. |
|
Enable/disable authentication portal. Choices:
|
|
Enable/disable to request client certificate. Choices:
|
|
Comment. |
|
Action of an empty client certificate. Choices:
|
|
Enable/disable HTTP3/QUIC support . Choices:
|
|
interface name Source system.interface.name. |
|
Enable/disable logging of blocked traffic. Choices:
|
|
Traffic forward proxy name |
|
Accept incoming traffic on one or more ports (0 - 65535). |
|
QUIC setting. |
|
ACK delay exponent (1 - 20). |
|
Active connection ID limit (1 - 8). |
|
Enable/disable active migration . Choices:
|
|
Enable/disable grease QUIC bit . Choices:
|
|
Maximum ACK delay in milliseconds (1 - 16383). |
|
Maximum datagram frame size in bytes (1 - 1500). |
|
Maximum idle timeout milliseconds (1 - 60000). |
|
Maximum UDP payload size in bytes (1200 - 1500). |
|
Enable/disable FFDHE cipher suite for SSL key exchange. Choices:
|
|
Permitted encryption algorithms for SSL sessions according to encryption strength. Choices:
|
|
Name of the certificate to use for SSL handshake. |
|
Certificate list. Source vpn.certificate.local.name. |
|
SSL/TLS cipher suites acceptable from a client, ordered by priority. |
|
Cipher suite name. Choices:
|
|
SSL/TLS cipher suites priority. see <a href=’#notes’>Notes</a>. |
|
SSL/TLS versions that the cipher suite can be used with. Choices:
|
|
Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). Choices:
|
|
Maximum length of data in MB before triggering a client rekey (0 = disable). |
|
Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. Choices:
|
|
Maximum number of client to FortiProxy SSL session states to keep. |
|
Number of minutes to keep client to FortiProxy SSL session state. |
|
How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. Choices:
|
|
Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation . Choices:
|
|
Enable/disable including HPKP header in response. Choices:
|
|
Number of seconds the client should honor the HPKP setting. |
|
Certificate to generate backup HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. |
|
Indicate that HPKP header applies to all subdomains. Choices:
|
|
Certificate to generate primary HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. |
|
URL to report HPKP violations to. |
|
Enable/disable including HSTS header in response. Choices:
|
|
Number of seconds the client should honor the HSTS setting. |
|
Indicate that HSTS header applies to all subdomains. Choices:
|
|
Enable to replace HTTP with HTTPS in the reply”s Location HTTP header field. Choices:
|
|
Enable/disable HTTP host matching for location conversion. Choices:
|
|
Highest SSL/TLS version acceptable from a client. Choices:
|
|
Lowest SSL/TLS version acceptable from a client. Choices:
|
|
Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). Choices:
|
|
Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. Choices:
|
|
Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems. Choices:
|
|
Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. Choices:
|
|
SSL/TLS cipher suites to offer to a server, ordered by priority. |
|
Cipher suite name. Choices:
|
|
SSL/TLS cipher suites priority. see <a href=’#notes’>Notes</a>. |
|
SSL/TLS versions that the cipher suite can be used with. Choices:
|
|
Highest SSL/TLS version acceptable from a server. Use the client setting by default. Choices:
|
|
Lowest SSL/TLS version acceptable from a server. Use the client setting by default. Choices:
|
|
Enable/disable secure renegotiation to comply with RFC 5746. Choices:
|
|
Maximum number of FortiGate to Server SSL session states to keep. |
|
Number of minutes to keep FortiGate to Server SSL session state. |
|
How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. Choices:
|
|
Enable/disable the traffic forward proxy for ZTNA traffic. Choices:
|
|
Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway. Choices:
|
|
Maximum number of concurrent requests that servers in server pool could handle . |
|
Maximum number of requests that servers in server pool handle before disconnecting . |
|
Time-to-live in the server pool for idle connections to servers. |
|
Enable/disable to detect device type by HTTP user-agent if no client certificate provided. Choices:
|
Notes
Note
Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- name: Configure ZTNA traffic forward proxy.
fortinet.fortios.fortios_ztna_traffic_forward_proxy:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
ztna_traffic_forward_proxy:
auth_portal: "disable"
client_cert: "disable"
comment: "Comment."
empty_cert_action: "accept"
h3_support: "enable"
interface: "<your_own_value> (source system.interface.name)"
log_blocked_traffic: "enable"
name: "default_name_10"
port: "<your_own_value>"
quic:
ack_delay_exponent: "3"
active_connection_id_limit: "2"
active_migration: "enable"
grease_quic_bit: "enable"
max_ack_delay: "25"
max_datagram_frame_size: "1500"
max_idle_timeout: "30000"
max_udp_payload_size: "1500"
ssl_accept_ffdhe_groups: "enable"
ssl_algorithm: "high"
ssl_certificate:
-
name: "default_name_24 (source vpn.certificate.local.name)"
ssl_cipher_suites:
-
cipher: "TLS-AES-128-GCM-SHA256"
priority: "<you_own_value>"
versions: "ssl-3.0"
ssl_client_fallback: "disable"
ssl_client_rekey_count: "0"
ssl_client_renegotiation: "allow"
ssl_client_session_state_max: "1000"
ssl_client_session_state_timeout: "30"
ssl_client_session_state_type: "disable"
ssl_dh_bits: "768"
ssl_hpkp: "disable"
ssl_hpkp_age: "5184000"
ssl_hpkp_backup: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
ssl_hpkp_include_subdomains: "disable"
ssl_hpkp_primary: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
ssl_hpkp_report_uri: "<your_own_value>"
ssl_hsts: "disable"
ssl_hsts_age: "5184000"
ssl_hsts_include_subdomains: "disable"
ssl_http_location_conversion: "enable"
ssl_http_match_host: "enable"
ssl_max_version: "ssl-3.0"
ssl_min_version: "ssl-3.0"
ssl_mode: "half"
ssl_pfs: "require"
ssl_send_empty_frags: "enable"
ssl_server_algorithm: "high"
ssl_server_cipher_suites:
-
cipher: "TLS-AES-128-GCM-SHA256"
priority: "<you_own_value>"
versions: "ssl-3.0"
ssl_server_max_version: "ssl-3.0"
ssl_server_min_version: "ssl-3.0"
ssl_server_renegotiation: "enable"
ssl_server_session_state_max: "100"
ssl_server_session_state_timeout: "60"
ssl_server_session_state_type: "disable"
status: "enable"
svr_pool_multiplex: "enable"
svr_pool_server_max_concurrent_request: "0"
svr_pool_server_max_request: "0"
svr_pool_ttl: "15"
user_agent_detect: "disable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Build number of the fortigate image Returned: always Sample: |
|
Last method used to provision the content into FortiGate Returned: always Sample: |
|
Last result given by FortiGate on last operation applied Returned: always Sample: |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: |
|
Name of the table used to fulfill the request Returned: always Sample: |
|
Path of the table used to fulfill the request Returned: always Sample: |
|
Internal revision number Returned: always Sample: |
|
Serial number of the unit Returned: always Sample: |
|
Indication of the operation’s result Returned: always Sample: |
|
Virtual domain used Returned: always Sample: |
|
Version of the FortiGate Returned: always Sample: |