W3cubDocs

/Ansible 2.9

fortios_system_admin – Configure admin users in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and admin category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
string
FortiOS or FortiGate IP address.
https
boolean
    Choices:
  • no
  • yes
Indicates if the requests towards FortiGate must use HTTPS protocol.
password
string
Default:
""
FortiOS or FortiGate password.
ssl_verify
boolean
added in 2.9
    Choices:
  • no
  • yes
Ensures FortiGate certificate must be verified by a proper CA.
state
string
added in 2.9
    Choices:
  • present
  • absent
Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
system_admin
dictionary
Default:
null
Configure admin users.
accprofile
string
Access profile for this administrator. Access profiles control administrator access to FortiGate features. Source system.accprofile.name.
accprofile_override
string
    Choices:
  • enable
  • disable
Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.
allow_remove_admin_session
string
    Choices:
  • enable
  • disable
Enable/disable allow admin session to be removed by privileged admin users.
comments
string
Comment.
email_to
string
This administrator's email address.
force_password_change
string
    Choices:
  • enable
  • disable
Enable/disable force password change on next login.
fortitoken
string
This administrator's FortiToken serial number.
guest_auth
string
    Choices:
  • disable
  • enable
Enable/disable guest authentication.
guest_lang
string
Guest management portal language. Source system.custom-language.name.
guest_usergroups
list
Select guest user groups.
name
string / required
Select guest user groups.
gui_dashboard
list
GUI dashboards.
columns
integer
Number of columns.
id
integer / required
Dashboard ID.
layout_type
string
    Choices:
  • responsive
  • fixed
Layout type.
name
string
Dashboard name.
scope
string
    Choices:
  • global
  • vdom
Dashboard scope.
widget
list
Dashboard widgets.
fabric_device
string
Fabric device to monitor.
fortiview_filters
list
FortiView filters.
id
integer / required
FortiView Filter ID.
key
string
Filter key.
value
string
Filter value.
fortiview_sort_by
string
FortiView sort by.
fortiview_timeframe
string
FortiView timeframe.
fortiview_type
string
FortiView type.
fortiview_visualization
string
FortiView visualization.
height
integer
Height.
id
integer / required
Widget ID.
industry
string
    Choices:
  • default
  • custom
Security Audit Rating industry.
interface
string
Interface to monitor. Source system.interface.name.
region
string
    Choices:
  • default
  • custom
Security Audit Rating region.
title
string
Widget title.
type
string
    Choices:
  • sysinfo
  • licinfo
  • vminfo
  • forticloud
  • cpu-usage
  • memory-usage
  • disk-usage
  • log-rate
  • sessions
  • session-rate
  • tr-history
  • analytics
  • usb-modem
  • admins
  • security-fabric
  • security-fabric-ranking
  • ha-status
  • vulnerability-summary
  • host-scan-summary
  • fortiview
  • botnet-activity
  • fortimail
Widget type.
width
integer
Width.
x_pos
integer
X position.
y_pos
integer
Y position.
gui_global_menu_favorites
list
Favorite GUI menu IDs for the global VDOM.
id
string / required
Select menu ID.
gui_vdom_menu_favorites
list
Favorite GUI menu IDs for VDOMs.
id
string / required
Select menu ID.
hidden
integer
Admin user hidden attribute.
history0
string
history0
history1
string
history1
ip6_trusthost1
string
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
ip6_trusthost10
string
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
ip6_trusthost2
string
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
ip6_trusthost3
string
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
ip6_trusthost4
string
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
ip6_trusthost5
string
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
ip6_trusthost6
string
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
ip6_trusthost7
string
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
ip6_trusthost8
string
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
ip6_trusthost9
string
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
login_time
list
Record user login time.
last_failed_login
string
Last failed login time.
last_login
string
Last successful login time.
usr_name
string
User name.
name
string / required
User name.
password
string
Admin user password.
password_expire
string
Password expire time.
peer_auth
string
    Choices:
  • enable
  • disable
Set to enable peer certificate authentication (for HTTPS admin access).
peer_group
string
Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).
radius_vdom_override
string
    Choices:
  • enable
  • disable
Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.
remote_auth
string
    Choices:
  • enable
  • disable
Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.
remote_group
string
User group name used for remote auth.
schedule
string
Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.
sms_custom_server
string
Custom SMS server to send SMS messages to. Source system.sms-server.name.
sms_phone
string
Phone number on which the administrator receives SMS messages.
sms_server
string
    Choices:
  • fortiguard
  • custom
Send SMS messages using the FortiGuard SMS server or a custom server.
ssh_certificate
string
Select the certificate to be used by the FortiGate for authentication with an SSH client. Source certificate.local.name.
ssh_public_key1
string
Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
ssh_public_key2
string
Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
ssh_public_key3
string
Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
state
string
    Choices:
  • present
  • absent
Deprecated
Starting with Ansible 2.9 we recommend using the top-level 'state' parameter.
Indicates whether to create or remove the object.
trusthost1
string
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
trusthost10
string
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
trusthost2
string
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
trusthost3
string
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
trusthost4
string
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
trusthost5
string
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
trusthost6
string
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
trusthost7
string
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
trusthost8
string
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
trusthost9
string
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
two_factor
string
    Choices:
  • disable
  • fortitoken
  • email
  • sms
Enable/disable two-factor authentication.
vdom
list
Virtual domain(s) that the administrator can access.
name
string / required
Virtual domain name. Source system.vdom.name.
wildcard
string
    Choices:
  • enable
  • disable
Enable/disable wildcard RADIUS authentication.
username
string
FortiOS or FortiGate username.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Configure admin users.
    fortios_system_admin:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      state: "present"
      system_admin:
        accprofile: "<your_own_value> (source system.accprofile.name)"
        accprofile_override: "enable"
        allow_remove_admin_session: "enable"
        comments: "<your_own_value>"
        email_to: "<your_own_value>"
        force_password_change: "enable"
        fortitoken: "<your_own_value>"
        guest_auth: "disable"
        guest_lang: "<your_own_value> (source system.custom-language.name)"
        guest_usergroups:
         -
            name: "default_name_13"
        gui_dashboard:
         -
            columns: "15"
            id:  "16"
            layout_type: "responsive"
            name: "default_name_18"
            scope: "global"
            widget:
             -
                fabric_device: "<your_own_value>"
                fortiview_filters:
                 -
                    id:  "23"
                    key: "<your_own_value>"
                    value: "<your_own_value>"
                fortiview_sort_by: "<your_own_value>"
                fortiview_timeframe: "<your_own_value>"
                fortiview_type: "<your_own_value>"
                fortiview_visualization: "<your_own_value>"
                height: "30"
                id:  "31"
                industry: "default"
                interface: "<your_own_value> (source system.interface.name)"
                region: "default"
                title: "<your_own_value>"
                type: "sysinfo"
                width: "37"
                x_pos: "38"
                y_pos: "39"
        gui_global_menu_favorites:
         -
            id:  "41"
        gui_vdom_menu_favorites:
         -
            id:  "43"
        hidden: "44"
        history0: "<your_own_value>"
        history1: "<your_own_value>"
        ip6_trusthost1: "<your_own_value>"
        ip6_trusthost10: "<your_own_value>"
        ip6_trusthost2: "<your_own_value>"
        ip6_trusthost3: "<your_own_value>"
        ip6_trusthost4: "<your_own_value>"
        ip6_trusthost5: "<your_own_value>"
        ip6_trusthost6: "<your_own_value>"
        ip6_trusthost7: "<your_own_value>"
        ip6_trusthost8: "<your_own_value>"
        ip6_trusthost9: "<your_own_value>"
        login_time:
         -
            last_failed_login: "<your_own_value>"
            last_login: "<your_own_value>"
            usr_name: "<your_own_value>"
        name: "default_name_61"
        password: "<your_own_value>"
        password_expire: "<your_own_value>"
        peer_auth: "enable"
        peer_group: "<your_own_value>"
        radius_vdom_override: "enable"
        remote_auth: "enable"
        remote_group: "<your_own_value>"
        schedule: "<your_own_value>"
        sms_custom_server: "<your_own_value> (source system.sms-server.name)"
        sms_phone: "<your_own_value>"
        sms_server: "fortiguard"
        ssh_certificate: "<your_own_value> (source certificate.local.name)"
        ssh_public_key1: "<your_own_value>"
        ssh_public_key2: "<your_own_value>"
        ssh_public_key3: "<your_own_value>"
        trusthost1: "<your_own_value>"
        trusthost10: "<your_own_value>"
        trusthost2: "<your_own_value>"
        trusthost3: "<your_own_value>"
        trusthost4: "<your_own_value>"
        trusthost5: "<your_own_value>"
        trusthost6: "<your_own_value>"
        trusthost7: "<your_own_value>"
        trusthost8: "<your_own_value>"
        trusthost9: "<your_own_value>"
        two_factor: "disable"
        vdom:
         -
            name: "default_name_89 (source system.vdom.name)"
        wildcard: "enable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_system_admin_module.html