New in version 2.8.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
firewall_vip (dictionary) | Default: null | Configure virtual IP for IPv4.
↳ arp_reply (string) | | Enable to respond to ARP requests for this virtual IP address. Enabled by default.
↳ color (integer) | | Color of icon on the GUI.
↳ comment (string) | | Comment.
↳ dns_mapping_ttl (integer) | | DNS mapping TTL (set to zero to use the TTL in the DNS response).
↳ extaddr (list) | | External FQDN address name.
↳↳ name (string, required) | | Address name. Source: firewall.address.name, firewall.addrgrp.name.
↳ extintf (string) | | Interface connected to the source network that receives the packets that will be forwarded to the destination network. Source: system.interface.name.
↳ extip (string) | | IP address or address range on the external interface that you want to map to an address or address range on the destination network.
↳ extport (string) | | Incoming port number range that you want to map to a port number range on the destination network.
↳ gratuitous_arp_interval (integer) | | Enable to have the VIP send gratuitous ARPs. 0 = disabled. Set from 5 up to 8640000 seconds to enable.
↳ http_cookie_age (integer) | | Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit.
↳ http_cookie_domain (string) | | Domain that HTTP cookie persistence should apply to.
↳ http_cookie_domain_from_host (string) | | Enable/disable use of the HTTP cookie domain from the Host field in HTTP.
↳ http_cookie_generation (integer) | | Generation of HTTP cookie to be accepted. Changing it invalidates all existing cookies.
↳ http_cookie_path (string) | | Limit HTTP cookie persistence to the specified path.
↳ http_cookie_share (string) | | Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another; disable stops cookie sharing.
↳ http_ip_header (string) | | For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.
↳ http_ip_header_name (string) | | For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.
↳ http_multiplex (string) | | Enable/disable HTTP multiplexing.
↳ https_cookie_secure (string) | | Enable/disable verification that inserted HTTPS cookies are secure.
↳ id (integer) | | Custom defined ID.
↳ ldb_method (string) | | Method used to distribute sessions to real servers.
↳ mapped_addr (string) | | Mapped FQDN address name. Source: firewall.address.name.
↳ mappedip (list) | | IP address or address range on the destination network to which the external IP address is mapped.
↳↳ range (string, required) | | Mapped IP range.
↳ mappedport (string) | | Port number range on the destination network to which the external port number range is mapped.
↳ max_embryonic_connections (integer) | | Maximum number of incomplete connections.
↳ monitor (list) | | Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
↳↳ name (string, required) | | Health monitor name. Source: firewall.ldb-monitor.name.
↳ name (string, required) | | Virtual IP name.
↳ nat_source_vip (string) | | Enable/disable forcing the source NAT mapped IP to the external IP for all traffic.
↳ outlook_web_access (string) | | Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
↳ persistence (string) | | Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
↳ portforward (string) | | Enable/disable port forwarding.
↳ portmapping_type (string) | | Port mapping type.
↳ protocol (string) | | Protocol to use when forwarding packets.
↳ realservers (list) | | Select the real servers that this server load balancing VIP will distribute traffic to.
↳↳ client_ip (string) | | Only clients in this IP range can connect to this real server.
↳↳ healthcheck (string) | | Enable to check the responsiveness of the real server before forwarding traffic.
↳↳ holddown_interval (integer) | | Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active.
↳↳ http_host (string) | | HTTP server domain name in the HTTP header.
↳↳ id (integer, required) | | Real server ID.
↳↳ ip (string) | | IP address of the real server.
↳↳ max_connections (integer) | | Maximum number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers.
↳↳ monitor (string) | | Name of the health check monitor to use when polling to determine a virtual server's connectivity status. Source: firewall.ldb-monitor.name.
↳↳ port (integer) | | Port for communicating with the real server. Required if port forwarding is enabled.
↳↳ status (string) | | Set the status of the real server to active so that it can accept traffic, or to standby or disabled so that no traffic is sent.
↳↳ weight (integer) | | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
↳ server_type (string) | | Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
↳ service (list) | | Service name.
↳↳ name (string, required) | | Service name. Source: firewall.service.custom.name, firewall.service.group.name.
↳ src_filter (list) | | Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces.
↳↳ range (string, required) | | Source-filter range.
↳ srcintf_filter (list) | | Interfaces to which the VIP applies. Separate the names with spaces.
↳↳ interface_name (string) | | Interface name. Source: system.interface.name.
↳ ssl_algorithm (string) | | Permitted encryption algorithms for SSL sessions according to encryption strength.
↳ ssl_certificate (string) | | The name of the SSL certificate to use for SSL acceleration. Source: vpn.certificate.local.name.
↳ ssl_cipher_suites (list) | | SSL/TLS cipher suites acceptable from a client, ordered by priority.
↳↳ cipher (string) | | Cipher suite name.
↳↳ priority (integer, required) | | SSL/TLS cipher suite priority.
↳↳ versions (string) | | SSL/TLS versions that the cipher suite can be used with.
↳ ssl_client_fallback (string) | | Enable/disable support for preventing downgrade attacks on client connections (RFC 7507).
↳ ssl_client_renegotiation (string) | | Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
↳ ssl_client_session_state_max (integer) | | Maximum number of client-to-FortiGate SSL session states to keep.
↳ ssl_client_session_state_timeout (integer) | | Number of minutes to keep client-to-FortiGate SSL session state.
↳ ssl_client_session_state_type (string) | | How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
↳ ssl_dh_bits (string) | | Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
↳ ssl_hpkp (string) | | Enable/disable including the HPKP header in the response.
↳ ssl_hpkp_age (integer) | | Number of seconds the client should honour the HPKP setting.
↳ ssl_hpkp_backup (string) | | Certificate to generate the backup HPKP pin from. Source: vpn.certificate.local.name, vpn.certificate.ca.name.
↳ ssl_hpkp_include_subdomains (string) | | Indicate that the HPKP header applies to all subdomains.
↳ ssl_hpkp_primary (string) | | Certificate to generate the primary HPKP pin from. Source: vpn.certificate.local.name, vpn.certificate.ca.name.
↳ ssl_hpkp_report_uri (string) | | URL to report HPKP violations to.
↳ ssl_hsts (string) | | Enable/disable including the HSTS header in the response.
↳ ssl_hsts_age (integer) | | Number of seconds the client should honour the HSTS setting.
↳ ssl_hsts_include_subdomains (string) | | Indicate that the HSTS header applies to all subdomains.
↳ ssl_http_location_conversion (string) | | Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
↳ ssl_http_match_host (string) | | Enable/disable HTTP host matching for location conversion.
↳ ssl_max_version (string) | | Highest SSL/TLS version acceptable from a client.
↳ ssl_min_version (string) | | Lowest SSL/TLS version acceptable from a client.
↳ ssl_mode (string) | | Apply SSL offloading between the client and the FortiGate (half), or from the client to the FortiGate and from the FortiGate to the server (full).
↳ ssl_pfs (string) | | Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
↳ ssl_send_empty_frags (string) | | Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 and TLS 1.0 only). May need to be disabled for compatibility with older systems.
↳ ssl_server_algorithm (string) | | Permitted encryption algorithms for the server side of SSL full-mode sessions according to encryption strength.
↳ ssl_server_cipher_suites (list) | | SSL/TLS cipher suites to offer to a server, ordered by priority.
↳↳ cipher (string) | | Cipher suite name.
↳↳ priority (integer, required) | | SSL/TLS cipher suite priority.
↳↳ versions (string) | | SSL/TLS versions that the cipher suite can be used with.
↳ ssl_server_max_version (string) | | Highest SSL/TLS version acceptable from a server. Uses the client setting by default.
↳ ssl_server_min_version (string) | | Lowest SSL/TLS version acceptable from a server. Uses the client setting by default.
↳ ssl_server_session_state_max (integer) | | Maximum number of FortiGate-to-server SSL session states to keep.
↳ ssl_server_session_state_timeout (integer) | | Number of minutes to keep FortiGate-to-server SSL session state.
↳ ssl_server_session_state_type (string) | | How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
↳ state (string) | | Deprecated. Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object.
↳ type (string) | | Configure a static NAT, load balance, server load balance, DNS translation, or FQDN VIP.
↳ uuid (string) | | Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
↳ weblogic_server (string) | | Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
↳ websphere_server (string) | | Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
host (string) | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates whether the requests towards the FortiGate must use the HTTPS protocol.
password (string) | Default: "" | FortiOS or FortiGate password.
ssl_verify (boolean), added in 2.9 | | Ensures that the FortiGate certificate is verified by a proper CA.
state (string), added in 2.9 | | Indicates whether to create or remove the object. This attribute was already present in previous versions at a deeper level; it has been moved out to this outer level.
username (string) | | FortiOS or FortiGate username.
vdom (string) | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a separate unit.
Note
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
    ssl_verify: "False"
  tasks:
  - name: Configure virtual IP for IPv4.
    fortios_firewall_vip:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      https: "False"
      state: "present"
      firewall_vip:
        arp_reply: "disable"
        color: "4"
        comment: "Comment."
        dns_mapping_ttl: "6"
        extaddr:
        - name: "default_name_8 (source firewall.address.name firewall.addrgrp.name)"
        extintf: "<your_own_value> (source system.interface.name)"
        extip: "<your_own_value>"
        extport: "<your_own_value>"
        gratuitous_arp_interval: "12"
        http_cookie_age: "13"
        http_cookie_domain: "<your_own_value>"
        http_cookie_domain_from_host: "disable"
        http_cookie_generation: "16"
        http_cookie_path: "<your_own_value>"
        http_cookie_share: "disable"
        http_ip_header: "enable"
        http_ip_header_name: "<your_own_value>"
        http_multiplex: "enable"
        https_cookie_secure: "disable"
        id: "23"
        ldb_method: "static"
        mapped_addr: "<your_own_value> (source firewall.address.name)"
        mappedip:
        - range: "<your_own_value>"
        mappedport: "<your_own_value>"
        max_embryonic_connections: "29"
        monitor:
        - name: "default_name_31 (source firewall.ldb-monitor.name)"
        name: "default_name_32"
        nat_source_vip: "disable"
        outlook_web_access: "disable"
        persistence: "none"
        portforward: "disable"
        portmapping_type: "1-to-1"
        protocol: "tcp"
        realservers:
        - client_ip: "<your_own_value>"
          healthcheck: "disable"
          holddown_interval: "42"
          http_host: "myhostname"
          id: "44"
          ip: "<your_own_value>"
          max_connections: "46"
          monitor: "<your_own_value> (source firewall.ldb-monitor.name)"
          port: "48"
          status: "active"
          weight: "50"
        server_type: "http"
        service:
        - name: "default_name_53 (source firewall.service.custom.name firewall.service.group.name)"
        src_filter:
        - range: "<your_own_value>"
        srcintf_filter:
        - interface_name: "<your_own_value> (source system.interface.name)"
        ssl_algorithm: "high"
        ssl_certificate: "<your_own_value> (source vpn.certificate.local.name)"
        ssl_cipher_suites:
        - cipher: "TLS-RSA-WITH-3DES-EDE-CBC-SHA"
          priority: "62"
          versions: "ssl-3.0"
        ssl_client_fallback: "disable"
        ssl_client_renegotiation: "allow"
        ssl_client_session_state_max: "66"
        ssl_client_session_state_timeout: "67"
        ssl_client_session_state_type: "disable"
        ssl_dh_bits: "768"
        ssl_hpkp: "disable"
        ssl_hpkp_age: "71"
        ssl_hpkp_backup: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
        ssl_hpkp_include_subdomains: "disable"
        ssl_hpkp_primary: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
        ssl_hpkp_report_uri: "<your_own_value>"
        ssl_hsts: "disable"
        ssl_hsts_age: "77"
        ssl_hsts_include_subdomains: "disable"
        ssl_http_location_conversion: "enable"
        ssl_http_match_host: "enable"
        ssl_max_version: "ssl-3.0"
        ssl_min_version: "ssl-3.0"
        ssl_mode: "half"
        ssl_pfs: "require"
        ssl_send_empty_frags: "enable"
        ssl_server_algorithm: "high"
        ssl_server_cipher_suites:
        - cipher: "TLS-RSA-WITH-3DES-EDE-CBC-SHA"
          priority: "89"
          versions: "ssl-3.0"
        ssl_server_max_version: "ssl-3.0"
        ssl_server_min_version: "ssl-3.0"
        ssl_server_session_state_max: "93"
        ssl_server_session_state_timeout: "94"
        ssl_server_session_state_type: "disable"
        type: "static-nat"
        uuid: "<your_own_value>"
        weblogic_server: "disable"
        websphere_server: "disable"
```
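The documentation sample above exercises every parameter with placeholder values, including SSL 3.0, a 768-bit DH group, unverified management TLS and HSTS switched off. The playbook below is an added example, not from the Ansible or Fortinet documentation, showing a server-load-balance HTTPS VIP with those settings tightened. The addresses, interface, certificate and monitor names are placeholders, and the enumerated values follow FortiOS naming conventions rather than choices shown on this page, so check them against what your firmware accepts.

```yaml
# Added example: hardened TLS-offloading VIP (placeholders throughout;
# enumerated values assumed from FortiOS conventions, verify on your firmware).
- hosts: localhost
  vars:
    host: "192.168.122.40"                 # FortiGate management address (placeholder)
    username: "admin"
    password: "{{ vault_fortigate_password }}"   # assumed vault variable, not a literal
    vdom: "root"
  tasks:
  - name: Configure a hardened HTTPS server-load-balance VIP
    fortios_firewall_vip:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      https: "True"                        # manage the FortiGate over HTTPS
      ssl_verify: "True"                   # verify its certificate (parameter added in 2.9)
      state: "present"
      firewall_vip:
        name: "vip-web-https"              # placeholder VIP name
        type: "server-load-balance"
        extintf: "port1"                   # placeholder external interface
        extip: "203.0.113.10"              # placeholder external address
        server_type: "https"
        ldb_method: "round-robin"
        persistence: "http-cookie"
        https_cookie_secure: "enable"      # inserted cookies carry the Secure flag
        ssl_mode: "full"                   # re-encrypt between FortiGate and real servers
        ssl_certificate: "web-cert"        # placeholder vpn.certificate.local name
        ssl_min_version: "tls-1.2"         # no SSL 3.0 / TLS 1.0 / TLS 1.1 from clients
        ssl_server_min_version: "tls-1.2"  # same floor toward the real servers
        ssl_dh_bits: "2048"                # instead of the 768-bit sample value
        ssl_pfs: "require"
        ssl_client_fallback: "enable"      # honour TLS_FALLBACK_SCSV (RFC 7507)
        ssl_client_renegotiation: "secure" # only RFC 5746 renegotiation
        ssl_hsts: "enable"
        ssl_hsts_age: "31536000"           # one year, in seconds
        ssl_hsts_include_subdomains: "enable"
        ssl_http_location_conversion: "enable"  # rewrite http:// Location headers to https://
        realservers:
        - id: "1"
          ip: "10.0.0.11"                  # placeholder backend address
          port: "443"
          status: "active"
          healthcheck: "enable"
          monitor: "https-monitor"         # placeholder firewall.ldb-monitor name
```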
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description | Sample
---|---|---|---
build (string) | always | Build number of the FortiGate image | 1547
http_method (string) | always | Last method used to provision the content into FortiGate | PUT
http_status (string) | always | Last result given by FortiGate on the last operation applied | 200
mkey (string) | success | Master key (id) used in the last call to FortiGate | id
name (string) | always | Name of the table used to fulfill the request | urlfilter
path (string) | always | Path of the table used to fulfill the request | webfilter
revision (string) | always | Internal revision number | 17.0.2.10658
serial (string) | always | Serial number of the unit | FGVMEVYYQT3AB5352
status (string) | always | Indication of the operation's result | success
vdom (string) | always | Virtual domain used | root
version (string) | always | Version of the FortiGate | v5.6.3
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_firewall_vip_module.html