New in version 2.8.
The below requirements are needed on the host that executes this module.
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
| firewall_policy6 dictionary | Default: null | Configure IPv6 policies. | ||
| action string |
| Policy action (allow/deny/ipsec). | ||
| app_category list | Application category ID list. | |||
| id integer / required | Category IDs. | |||
| app_group list | Application group names. | |||
| name string / required | Application group names. Source application.group.name. | |||
| application list | Application ID list. | |||
| id integer / required | Application IDs. | |||
| application_list string | Name of an existing Application list. Source application.list.name. | |||
| av_profile string | Name of an existing Antivirus profile. Source antivirus.profile.name. | |||
| comments string | Comment. | |||
| custom_log_fields list | Log field index numbers to append custom log fields to log messages for this policy. | |||
| field_id string | Custom log field. Source log.custom-field.id. | |||
| devices list | Names of devices or device groups that can be matched by the policy. | |||
| name string / required | Device or group name. Source user.device.alias user.device-group.name user.device-category.name. | |||
| diffserv_forward string |
| Enable to change packet's DiffServ values to the specified diffservcode-forward value. | ||
| diffserv_reverse string |
| Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. | ||
| diffservcode_forward string | Change packet's DiffServ to this value. | |||
| diffservcode_rev string | Change packet's reverse (reply) DiffServ to this value. | |||
| dlp_sensor string | Name of an existing DLP sensor. Source dlp.sensor.name. | |||
| dscp_match string |
| Enable DSCP check. | ||
| dscp_negate string |
| Enable negated DSCP match. | ||
| dscp_value string | DSCP value. | |||
| dsri string |
| Enable DSRI to ignore HTTP server responses. | ||
| dstaddr list | Destination address and address group names. | |||
| name string / required | Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name. | |||
| dstaddr_negate string |
| When enabled dstaddr specifies what the destination address must NOT be. | ||
| dstintf list | Outgoing (egress) interface. | |||
| name string / required | Interface name. Source system.interface.name system.zone.name. | |||
| firewall_session_dirty string |
| How to handle sessions if the configuration of this firewall policy changes. | ||
| fixedport string |
| Enable to prevent source NAT from changing a session's source port. | ||
| global_label string | Label for the policy that appears when the GUI is in Global View mode. | |||
| groups list | Names of user groups that can authenticate with this policy. | |||
| name string / required | Group name. Source user.group.name. | |||
| icap_profile string | Name of an existing ICAP profile. Source icap.profile.name. | |||
| inbound string |
| Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. | ||
| ippool string |
| Enable to use IP Pools for source NAT. | ||
| ips_sensor string | Name of an existing IPS sensor. Source ips.sensor.name. | |||
| label string | Label for the policy that appears when the GUI is in Section View mode. | |||
| logtraffic string |
| Enable or disable logging. Log all sessions or security profile sessions. | ||
| logtraffic_start string |
| Record logs when a session starts and ends. | ||
| name string | Policy name. | |||
| nat string |
| Enable/disable source NAT. | ||
| natinbound string |
| Policy-based IPsec VPN: apply destination NAT to inbound traffic. | ||
| natoutbound string |
| Policy-based IPsec VPN: apply source NAT to outbound traffic. | ||
| outbound string |
| Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. | ||
| per_ip_shaper string | Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name. | |||
| policyid integer / required | Policy ID. | |||
| poolname list | IP Pool names. | |||
| name string / required | IP pool name. Source firewall.ippool6.name. | |||
| profile_group string | Name of profile group. Source firewall.profile-group.name. | |||
| profile_protocol_options string | Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name. | |||
| profile_type string |
| Determine whether the firewall policy allows security profile groups or single profiles only. | ||
| replacemsg_override_group string | Override the default replacement message group for this policy. Source system.replacemsg-group.name. | |||
| rsso string |
| Enable/disable RADIUS single sign-on (RSSO). | ||
| schedule string | Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name. | |||
| send_deny_packet string |
| Enable/disable return of deny-packet. | ||
| service list | Service and service group names. | |||
| name string / required | Address name. Source firewall.service.custom.name firewall.service.group.name. | |||
| service_negate string |
| When enabled service specifies what the service must NOT be. | ||
| session_ttl integer | Session TTL in seconds for sessions accepted by this policy. 0 means use the system default session TTL. | |||
| spamfilter_profile string | Name of an existing Spam filter profile. Source spamfilter.profile.name. | |||
| srcaddr list | Source address and address group names. | |||
| name string / required | Address name. Source firewall.address6.name firewall.addrgrp6.name. | |||
| srcaddr_negate string |
| When enabled srcaddr specifies what the source address must NOT be. | ||
| srcintf list | Incoming (ingress) interface. | |||
| name string / required | Interface name. Source system.zone.name system.interface.name. | |||
| ssh_filter_profile string | Name of an existing SSH filter profile. Source ssh-filter.profile.name. | |||
| ssl_mirror string |
| Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). | ||
| ssl_mirror_intf list | SSL mirror interface name. | |||
| name string / required | Interface name. Source system.zone.name system.interface.name. | |||
| ssl_ssh_profile string | Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name. | |||
| state string |
| Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object. | ||
| status string |
| Enable or disable this policy. | ||
| tcp_mss_receiver integer | Receiver TCP maximum segment size (MSS). | |||
| tcp_mss_sender integer | Sender TCP maximum segment size (MSS). | |||
| tcp_session_without_syn string |
| Enable/disable creation of TCP session without SYN flag. | ||
| timeout_send_rst string |
| Enable/disable sending RST packets when TCP sessions expire. | ||
| traffic_shaper string | Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name. | |||
| traffic_shaper_reverse string | Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name. | |||
| url_category list | URL category ID list. | |||
| id integer / required | URL category ID. | |||
| users list | Names of individual users that can authenticate with this policy. | |||
| name string / required | Names of individual users that can authenticate with this policy. Source user.local.name. | |||
| utm_status string |
| Enable AV/web/ips protection profile. | ||
| uuid string | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | |||
| vlan_cos_fwd integer | VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest | |||
| vlan_cos_rev integer | VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest | |||
| vlan_filter string | Set VLAN filters. | |||
| voip_profile string | Name of an existing VoIP profile. Source voip.profile.name. | |||
| vpntunnel string | Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name. | |||
| webfilter_profile string | Name of an existing Web filter profile. Source webfilter.profile.name. | |||
| host string | FortiOS or FortiGate IP address. | |||
| https boolean |
| Indicates if the requests towards FortiGate must use HTTPS protocol. | ||
| password string | Default: "" | FortiOS or FortiGate password. | ||
| ssl_verify boolean added in 2.9 |
| Ensures FortiGate certificate must be verified by a proper CA. | ||
| state string added in 2.9 |
| Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level. | ||
| username string | FortiOS or FortiGate username. | |||
| vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | ||
Note
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
ssl_verify: "False"
tasks:
- name: Configure IPv6 policies.
fortios_firewall_policy6:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
state: "present"
firewall_policy6:
action: "accept"
app_category:
-
id: "5"
app_group:
-
name: "default_name_7 (source application.group.name)"
application:
-
id: "9"
application_list: "<your_own_value> (source application.list.name)"
av_profile: "<your_own_value> (source antivirus.profile.name)"
comments: "<your_own_value>"
custom_log_fields:
-
field_id: "<your_own_value> (source log.custom-field.id)"
devices:
-
name: "default_name_16 (source user.device.alias user.device-group.name user.device-category.name)"
diffserv_forward: "enable"
diffserv_reverse: "enable"
diffservcode_forward: "<your_own_value>"
diffservcode_rev: "<your_own_value>"
dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
dscp_match: "enable"
dscp_negate: "enable"
dscp_value: "<your_own_value>"
dsri: "enable"
dstaddr:
-
name: "default_name_27 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name)"
dstaddr_negate: "enable"
dstintf:
-
name: "default_name_30 (source system.interface.name system.zone.name)"
firewall_session_dirty: "check-all"
fixedport: "enable"
global_label: "<your_own_value>"
groups:
-
name: "default_name_35 (source user.group.name)"
icap_profile: "<your_own_value> (source icap.profile.name)"
inbound: "enable"
ippool: "enable"
ips_sensor: "<your_own_value> (source ips.sensor.name)"
label: "<your_own_value>"
logtraffic: "all"
logtraffic_start: "enable"
name: "default_name_43"
nat: "enable"
natinbound: "enable"
natoutbound: "enable"
outbound: "enable"
per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
policyid: "49"
poolname:
-
name: "default_name_51 (source firewall.ippool6.name)"
profile_group: "<your_own_value> (source firewall.profile-group.name)"
profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
profile_type: "single"
replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
rsso: "enable"
schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
send_deny_packet: "enable"
service:
-
name: "default_name_60 (source firewall.service.custom.name firewall.service.group.name)"
service_negate: "enable"
session_ttl: "62"
spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
srcaddr:
-
name: "default_name_65 (source firewall.address6.name firewall.addrgrp6.name)"
srcaddr_negate: "enable"
srcintf:
-
name: "default_name_68 (source system.zone.name system.interface.name)"
ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
ssl_mirror: "enable"
ssl_mirror_intf:
-
name: "default_name_72 (source system.zone.name system.interface.name)"
ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
status: "enable"
tcp_mss_receiver: "75"
tcp_mss_sender: "76"
tcp_session_without_syn: "all"
timeout_send_rst: "enable"
traffic_shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
traffic_shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
url_category:
-
id: "82"
users:
-
name: "default_name_84 (source user.local.name)"
utm_status: "enable"
uuid: "<your_own_value>"
vlan_cos_fwd: "87"
vlan_cos_rev: "88"
vlan_filter: "<your_own_value>"
voip_profile: "<your_own_value> (source voip.profile.name)"
vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build string | always | Build number of the fortigate image Sample: 1547 |
| http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
| http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
| mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
| name string | always | Name of the table used to fulfill the request Sample: urlfilter |
| path string | always | Path of the table used to fulfill the request Sample: webfilter |
| revision string | always | Internal revision number Sample: 17.0.2.10658 |
| serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
| status string | always | Indication of the operation's result Sample: success |
| vdom string | always | Virtual domain used Sample: root |
| version string | always | Version of the FortiGate Sample: v5.6.3 |
Hint
If you notice any issues in this documentation, you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_firewall_policy6_module.html