W3cubDocs

/Ansible 2.9

fortios_endpoint_control_profile – Configure FortiClient endpoint control profiles in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis
Requirements
Parameters
Notes
Examples
Return Values
Status

Synopsis

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify endpoint_control feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements

The below requirements are needed on the host that executes this module.

fortiosapi>=0.9.8

Parameters

Parameter				Choices/Defaults	Comments
endpoint_control_profile dictionary				Default: null	Configure FortiClient endpoint control profiles.
	description string				Description.
	device_groups list				Device groups.
		name string / required			Device group object from available options. Source user.device-group.name user.device-category.name.
	forticlient_android_settings dictionary				FortiClient settings for Android platform.
		disable_wf_when_protected string		Choices: enable disable	Enable/disable FortiClient web category filtering when protected by FortiGate.
		forticlient_advanced_vpn string		Choices: enable disable	Enable/disable advanced FortiClient VPN configuration.
		forticlient_advanced_vpn_buffer string			Advanced FortiClient VPN configuration.
		forticlient_vpn_provisioning string		Choices: enable disable	Enable/disable FortiClient VPN provisioning.
		forticlient_vpn_settings list			FortiClient VPN settings.
			auth_method string	Choices: psk certificate	Authentication method.
			name string / required		VPN name.
			preshared_key string		Pre-shared secret for PSK authentication.
			remote_gw string		IP address or FQDN of the remote VPN gateway.
			sslvpn_access_port integer		SSL VPN access port (1 - 65535).
			sslvpn_require_certificate string	Choices: enable disable	Enable/disable requiring SSL VPN client certificate.
			type string	Choices: ipsec ssl	VPN type (IPsec or SSL VPN).
		forticlient_wf string		Choices: enable disable	Enable/disable FortiClient web filtering.
		forticlient_wf_profile string			The FortiClient web filter profile to apply. Source webfilter.profile.name.
	forticlient_ios_settings dictionary				FortiClient settings for iOS platform.
		client_vpn_provisioning string		Choices: enable disable	FortiClient VPN provisioning.
		client_vpn_settings list			FortiClient VPN settings.
			auth_method string	Choices: psk certificate	Authentication method.
			name string / required		VPN name.
			preshared_key string		Pre-shared secret for PSK authentication.
			remote_gw string		IP address or FQDN of the remote VPN gateway.
			sslvpn_access_port integer		SSL VPN access port (1 - 65535).
			sslvpn_require_certificate string	Choices: enable disable	Enable/disable requiring SSL VPN client certificate.
			type string	Choices: ipsec ssl	VPN type (IPsec or SSL VPN).
			vpn_configuration_content string		Content of VPN configuration.
			vpn_configuration_name string		Name of VPN configuration.
		configuration_content string			Content of configuration profile.
		configuration_name string			Name of configuration profile.
		disable_wf_when_protected string		Choices: enable disable	Enable/disable FortiClient web category filtering when protected by FortiGate.
		distribute_configuration_profile string		Choices: enable disable	Enable/disable configuration profile (.mobileconfig file) distribution.
		forticlient_wf string		Choices: enable disable	Enable/disable FortiClient web filtering.
		forticlient_wf_profile string			The FortiClient web filter profile to apply. Source webfilter.profile.name.
	forticlient_winmac_settings dictionary				FortiClient settings for Windows/Mac platform.
		av_realtime_protection string		Choices: enable disable	Enable/disable FortiClient AntiVirus real-time protection.
		av_signature_up_to_date string		Choices: enable disable	Enable/disable FortiClient AV signature updates.
		forticlient_application_firewall string		Choices: enable disable	Enable/disable the FortiClient application firewall.
		forticlient_application_firewall_list string			FortiClient application firewall rule list. Source application.list.name.
		forticlient_av string		Choices: enable disable	Enable/disable FortiClient AntiVirus scanning.
		forticlient_ems_compliance string		Choices: enable disable	Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
		forticlient_ems_compliance_action string		Choices: block warning	FortiClient EMS compliance action.
		forticlient_ems_entries list			FortiClient EMS entries.
			name string / required		FortiClient EMS name. Source endpoint-control.forticlient-ems.name.
		forticlient_linux_ver string			Minimum FortiClient Linux version.
		forticlient_log_upload string		Choices: enable disable	Enable/disable uploading FortiClient logs.
		forticlient_log_upload_level string		Choices: traffic vulnerability event	Select the FortiClient logs to upload.
		forticlient_log_upload_server string			IP address or FQDN of the server to which to upload FortiClient logs.
		forticlient_mac_ver string			Minimum FortiClient Mac OS version.
		forticlient_minimum_software_version string		Choices: enable disable	Enable/disable requiring clients to run FortiClient with a minimum software version number.
		forticlient_operating_system list			FortiClient operating system.
			id integer / required		Operating system entry ID.
			os_name string		Customize operating system name or Mac OS format:x.x.x
			os_type string	Choices: custom mac-os win-7 win-80 win-81 win-10 win-2000 win-home-svr win-svr-10 win-svr-2003 win-svr-2003-r2 win-svr-2008 win-svr-2008-r2 win-svr-2012 win-svr-2012-r2 win-sto-svr-2003 win-vista win-xp ubuntu-linux centos-linux redhat-linux fedora-linux	Operating system type.
		forticlient_own_file list			Checking the path and filename of the FortiClient application.
			file string		File path and name.
			id integer / required		File ID.
		forticlient_registration_compliance_action string		Choices: block warning	FortiClient registration compliance action.
		forticlient_registry_entry list			FortiClient registry entry.
			id integer / required		Registry entry ID.
			registry_entry string		Registry entry.
		forticlient_running_app list			Use FortiClient to verify if the listed applications are running on the client.
			app_name string		Application name.
			app_sha256_signature string		App's SHA256 signature.
			app_sha256_signature2 string		App's SHA256 Signature.
			app_sha256_signature3 string		App's SHA256 Signature.
			app_sha256_signature4 string		App's SHA256 Signature.
			application_check_rule string	Choices: present absent	Application check rule.
			id integer / required		Application ID.
			process_name string		Process name.
			process_name2 string		Process name.
			process_name3 string		Process name.
			process_name4 string		Process name.
		forticlient_security_posture string		Choices: enable disable	Enable/disable FortiClient security posture check options.
		forticlient_security_posture_compliance_action string		Choices: block warning	FortiClient security posture compliance action.
		forticlient_system_compliance string		Choices: enable disable	Enable/disable enforcement of FortiClient system compliance.
		forticlient_system_compliance_action string		Choices: block warning	Block or warn clients not compliant with FortiClient requirements.
		forticlient_vuln_scan string		Choices: enable disable	Enable/disable FortiClient vulnerability scanning.
		forticlient_vuln_scan_compliance_action string		Choices: block warning	FortiClient vulnerability compliance action.
		forticlient_vuln_scan_enforce string		Choices: critical high medium low info	Configure the level of the vulnerability found that causes a FortiClient vulnerability compliance action.
		forticlient_vuln_scan_enforce_grace integer			FortiClient vulnerability scan enforcement grace period (0 - 30 days).
		forticlient_vuln_scan_exempt string		Choices: enable disable	Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.
		forticlient_wf string		Choices: enable disable	Enable/disable FortiClient web filtering.
		forticlient_wf_profile string			The FortiClient web filter profile to apply. Source webfilter.profile.name.
		forticlient_win_ver string			Minimum FortiClient Windows version.
		os_av_software_installed string		Choices: enable disable	Enable/disable checking for OS recognized AntiVirus software.
		sandbox_address string			FortiSandbox address.
		sandbox_analysis string		Choices: enable disable	Enable/disable sending files to FortiSandbox for analysis.
	on_net_addr list				Addresses for on-net detection.
		name string / required			Address object from available options. Source firewall.address.name firewall.addrgrp.name.
	profile_name string				Profile name.
	replacemsg_override_group string				Select an endpoint control replacement message override group from available options. Source system.replacemsg-group.name.
	src_addr list				Source addresses.
		name string / required			Address object from available options. Source firewall.address.name firewall.addrgrp.name.
	state string			Choices: present absent	Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object.
	user_groups list				User groups.
		name string / required			User group name. Source user.group.name.
	users list				Users.
		name string / required			User name. Source user.local.name.
host string					FortiOS or FortiGate IP address.
https boolean				Choices: no yes ←	Indicates if the requests towards FortiGate must use HTTPS protocol.
password string				Default: ""	FortiOS or FortiGate password.
ssl_verify boolean added in 2.9				Choices: no yes ←	Ensures FortiGate certificate must be verified by a proper CA.
state string added in 2.9				Choices: present absent	Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
username string					FortiOS or FortiGate username.
vdom string				Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Configure FortiClient endpoint control profiles.
    fortios_endpoint_control_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      state: "present"
      endpoint_control_profile:
        description: "<your_own_value>"
        device_groups:
         -
            name: "default_name_5 (source user.device-group.name user.device-category.name)"
        forticlient_android_settings:
            disable_wf_when_protected: "enable"
            forticlient_advanced_vpn: "enable"
            forticlient_advanced_vpn_buffer: "<your_own_value>"
            forticlient_vpn_provisioning: "enable"
            forticlient_vpn_settings:
             -
                auth_method: "psk"
                name: "default_name_13"
                preshared_key: "<your_own_value>"
                remote_gw: "<your_own_value>"
                sslvpn_access_port: "16"
                sslvpn_require_certificate: "enable"
                type: "ipsec"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
        forticlient_ios_settings:
            client_vpn_provisioning: "enable"
            client_vpn_settings:
             -
                auth_method: "psk"
                name: "default_name_25"
                preshared_key: "<your_own_value>"
                remote_gw: "<your_own_value>"
                sslvpn_access_port: "28"
                sslvpn_require_certificate: "enable"
                type: "ipsec"
                vpn_configuration_content: "<your_own_value>"
                vpn_configuration_name: "<your_own_value>"
            configuration_content: "<your_own_value>"
            configuration_name: "<your_own_value>"
            disable_wf_when_protected: "enable"
            distribute_configuration_profile: "enable"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
        forticlient_winmac_settings:
            av_realtime_protection: "enable"
            av_signature_up_to_date: "enable"
            forticlient_application_firewall: "enable"
            forticlient_application_firewall_list: "<your_own_value> (source application.list.name)"
            forticlient_av: "enable"
            forticlient_ems_compliance: "enable"
            forticlient_ems_compliance_action: "block"
            forticlient_ems_entries:
             -
                name: "default_name_48 (source endpoint-control.forticlient-ems.name)"
            forticlient_linux_ver: "<your_own_value>"
            forticlient_log_upload: "enable"
            forticlient_log_upload_level: "traffic"
            forticlient_log_upload_server: "<your_own_value>"
            forticlient_mac_ver: "<your_own_value>"
            forticlient_minimum_software_version: "enable"
            forticlient_operating_system:
             -
                id:  "56"
                os_name: "<your_own_value>"
                os_type: "custom"
            forticlient_own_file:
             -
                file: "<your_own_value>"
                id:  "61"
            forticlient_registration_compliance_action: "block"
            forticlient_registry_entry:
             -
                id:  "64"
                registry_entry: "<your_own_value>"
            forticlient_running_app:
             -
                app_name: "<your_own_value>"
                app_sha256_signature: "<your_own_value>"
                app_sha256_signature2: "<your_own_value>"
                app_sha256_signature3: "<your_own_value>"
                app_sha256_signature4: "<your_own_value>"
                application_check_rule: "present"
                id:  "73"
                process_name: "<your_own_value>"
                process_name2: "<your_own_value>"
                process_name3: "<your_own_value>"
                process_name4: "<your_own_value>"
            forticlient_security_posture: "enable"
            forticlient_security_posture_compliance_action: "block"
            forticlient_system_compliance: "enable"
            forticlient_system_compliance_action: "block"
            forticlient_vuln_scan: "enable"
            forticlient_vuln_scan_compliance_action: "block"
            forticlient_vuln_scan_enforce: "critical"
            forticlient_vuln_scan_enforce_grace: "85"
            forticlient_vuln_scan_exempt: "enable"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
            forticlient_win_ver: "<your_own_value>"
            os_av_software_installed: "enable"
            sandbox_address: "<your_own_value>"
            sandbox_analysis: "enable"
        on_net_addr:
         -
            name: "default_name_94 (source firewall.address.name firewall.addrgrp.name)"
        profile_name: "<your_own_value>"
        replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
        src_addr:
         -
            name: "default_name_98 (source firewall.address.name firewall.addrgrp.name)"
        user_groups:
         -
            name: "default_name_100 (source user.group.name)"
        users:
         -
            name: "default_name_102 (source user.local.name)"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Status

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]

Authors

Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_endpoint_control_profile_module.html