New in version 2.8.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
firewall_vip6 | Default: null | Configure virtual IP for IPv6.
firewall_vip6 / arp-reply | | Enable to respond to ARP requests for this virtual IP address. Enabled by default.
firewall_vip6 / color | | Color of icon on the GUI.
firewall_vip6 / comment | | Comment.
firewall_vip6 / extip | | IP address or address range on the external interface that you want to map to an address or address range on the destination network.
firewall_vip6 / extport | | Incoming port number range that you want to map to a port number range on the destination network.
firewall_vip6 / http-cookie-age | | Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit.
firewall_vip6 / http-cookie-domain | | Domain that HTTP cookie persistence should apply to.
firewall_vip6 / http-cookie-domain-from-host | | Enable/disable use of HTTP cookie domain from host field in HTTP.
firewall_vip6 / http-cookie-generation | | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.
firewall_vip6 / http-cookie-path | | Limit HTTP cookie persistence to the specified path.
firewall_vip6 / http-cookie-share | | Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
firewall_vip6 / http-ip-header | | For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.
firewall_vip6 / http-ip-header-name | | For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.
firewall_vip6 / http-multiplex | | Enable/disable HTTP multiplexing.
firewall_vip6 / https-cookie-secure | | Enable/disable verification that inserted HTTPS cookies are secure.
firewall_vip6 / id | | Custom defined ID.
firewall_vip6 / ldb-method | | Method used to distribute sessions to real servers.
firewall_vip6 / mappedip | | Mapped IP address range in the format startIP-endIP.
firewall_vip6 / mappedport | | Port number range on the destination network to which the external port number range is mapped.
firewall_vip6 / max-embryonic-connections | | Maximum number of incomplete connections.
firewall_vip6 / monitor | | Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
firewall_vip6 / monitor / name | required | Health monitor name. Source firewall.ldb-monitor.name.
firewall_vip6 / name | required | Virtual IPv6 name.
firewall_vip6 / outlook-web-access | | Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
firewall_vip6 / persistence | | Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
firewall_vip6 / portforward | | Enable port forwarding.
firewall_vip6 / protocol | | Protocol to use when forwarding packets.
firewall_vip6 / realservers | | Select the real servers that this server load balancing VIP will distribute traffic to.
firewall_vip6 / realservers / client-ip | | Only clients in this IP range can connect to this real server.
firewall_vip6 / realservers / healthcheck | | Enable to check the responsiveness of the real server before forwarding traffic.
firewall_vip6 / realservers / holddown-interval | | Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active.
firewall_vip6 / realservers / http-host | | HTTP server domain name in HTTP header.
firewall_vip6 / realservers / id | required | Real server ID.
firewall_vip6 / realservers / ip | | IPv6 address of the real server.
firewall_vip6 / realservers / max-connections | | Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers.
firewall_vip6 / realservers / monitor | | Name of the health check monitor to use when polling to determine a virtual server's connectivity status. Source firewall.ldb-monitor.name.
firewall_vip6 / realservers / port | | Port for communicating with the real server. Required if port forwarding is enabled.
firewall_vip6 / realservers / status | | Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
firewall_vip6 / realservers / weight | | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
firewall_vip6 / server-type | | Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
firewall_vip6 / src-filter | | Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces.
firewall_vip6 / src-filter / range | required | Source-filter range.
firewall_vip6 / ssl-algorithm | | Permitted encryption algorithms for SSL sessions according to encryption strength.
firewall_vip6 / ssl-certificate | | The name of the SSL certificate to use for SSL acceleration. Source vpn.certificate.local.name.
firewall_vip6 / ssl-cipher-suites | | SSL/TLS cipher suites acceptable from a client, ordered by priority.
firewall_vip6 / ssl-cipher-suites / cipher | | Cipher suite name.
firewall_vip6 / ssl-cipher-suites / priority | required | SSL/TLS cipher suites priority.
firewall_vip6 / ssl-cipher-suites / versions | | SSL/TLS versions that the cipher suite can be used with.
firewall_vip6 / ssl-client-fallback | | Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
firewall_vip6 / ssl-client-renegotiation | | Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
firewall_vip6 / ssl-client-session-state-max | | Maximum number of client to FortiGate SSL session states to keep.
firewall_vip6 / ssl-client-session-state-timeout | | Number of minutes to keep client to FortiGate SSL session state.
firewall_vip6 / ssl-client-session-state-type | | How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
firewall_vip6 / ssl-dh-bits | | Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
firewall_vip6 / ssl-hpkp | | Enable/disable including HPKP header in response.
firewall_vip6 / ssl-hpkp-age | | Number of minutes the web browser should keep HPKP.
firewall_vip6 / ssl-hpkp-backup | | Certificate to generate backup HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name.
firewall_vip6 / ssl-hpkp-include-subdomains | | Indicate that HPKP header applies to all subdomains.
firewall_vip6 / ssl-hpkp-primary | | Certificate to generate primary HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name.
firewall_vip6 / ssl-hpkp-report-uri | | URL to report HPKP violations to.
firewall_vip6 / ssl-hsts | | Enable/disable including HSTS header in response.
firewall_vip6 / ssl-hsts-age | | Number of seconds the client should honour the HSTS setting.
firewall_vip6 / ssl-hsts-include-subdomains | | Indicate that HSTS header applies to all subdomains.
firewall_vip6 / ssl-http-location-conversion | | Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
firewall_vip6 / ssl-http-match-host | | Enable/disable HTTP host matching for location conversion.
firewall_vip6 / ssl-max-version | | Highest SSL/TLS version acceptable from a client.
firewall_vip6 / ssl-min-version | | Lowest SSL/TLS version acceptable from a client.
firewall_vip6 / ssl-mode | | Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
firewall_vip6 / ssl-pfs | | Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
firewall_vip6 / ssl-send-empty-frags | | Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
firewall_vip6 / ssl-server-algorithm | | Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
firewall_vip6 / ssl-server-cipher-suites | | SSL/TLS cipher suites to offer to a server, ordered by priority.
firewall_vip6 / ssl-server-cipher-suites / cipher | | Cipher suite name.
firewall_vip6 / ssl-server-cipher-suites / priority | required | SSL/TLS cipher suites priority.
firewall_vip6 / ssl-server-cipher-suites / versions | | SSL/TLS versions that the cipher suite can be used with.
firewall_vip6 / ssl-server-max-version | | Highest SSL/TLS version acceptable from a server. Use the client setting by default.
firewall_vip6 / ssl-server-min-version | | Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
firewall_vip6 / ssl-server-session-state-max | | Maximum number of FortiGate to Server SSL session states to keep.
firewall_vip6 / ssl-server-session-state-timeout | | Number of minutes to keep FortiGate to Server SSL session state.
firewall_vip6 / ssl-server-session-state-type | | How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
firewall_vip6 / state | | Indicates whether to create or remove the object.
firewall_vip6 / type | | Configure a static NAT or server load balance VIP.
firewall_vip6 / uuid | | Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
firewall_vip6 / weblogic-server | | Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
firewall_vip6 / websphere-server | | Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
host | required | FortiOS or FortiGate IP address.
https | boolean | Indicates if the requests towards FortiGate must use the HTTPS protocol.
password | Default: "" | FortiOS or FortiGate password.
username | required | FortiOS or FortiGate username.
vdom | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
    - name: Configure virtual IP for IPv6.
      fortios_firewall_vip6:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        firewall_vip6:
          state: "present"
          arp-reply: "disable"
          color: "4"
          comment: "Comment."
          extip: "<your_own_value>"
          extport: "<your_own_value>"
          http-cookie-age: "8"
          http-cookie-domain: "<your_own_value>"
          http-cookie-domain-from-host: "disable"
          http-cookie-generation: "11"
          http-cookie-path: "<your_own_value>"
          http-cookie-share: "disable"
          http-ip-header: "enable"
          http-ip-header-name: "<your_own_value>"
          http-multiplex: "enable"
          https-cookie-secure: "disable"
          id: "18"
          ldb-method: "static"
          mappedip: "<your_own_value>"
          mappedport: "<your_own_value>"
          max-embryonic-connections: "22"
          monitor:
            - name: "default_name_24 (source firewall.ldb-monitor.name)"
          name: "default_name_25"
          outlook-web-access: "disable"
          persistence: "none"
          portforward: "disable"
          protocol: "tcp"
          realservers:
            - client-ip: "<your_own_value>"
              healthcheck: "disable"
              holddown-interval: "33"
              http-host: "myhostname"
              id: "35"
              ip: "<your_own_value>"
              max-connections: "37"
              monitor: "<your_own_value> (source firewall.ldb-monitor.name)"
              port: "39"
              status: "active"
              weight: "41"
          server-type: "http"
          src-filter:
            - range: "<your_own_value>"
          ssl-algorithm: "high"
          ssl-certificate: "<your_own_value> (source vpn.certificate.local.name)"
          ssl-cipher-suites:
            - cipher: "TLS-RSA-WITH-3DES-EDE-CBC-SHA"
              priority: "49"
              versions: "ssl-3.0"
          ssl-client-fallback: "disable"
          ssl-client-renegotiation: "allow"
          ssl-client-session-state-max: "53"
          ssl-client-session-state-timeout: "54"
          ssl-client-session-state-type: "disable"
          ssl-dh-bits: "768"
          ssl-hpkp: "disable"
          ssl-hpkp-age: "58"
          ssl-hpkp-backup: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
          ssl-hpkp-include-subdomains: "disable"
          ssl-hpkp-primary: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
          ssl-hpkp-report-uri: "<your_own_value>"
          ssl-hsts: "disable"
          ssl-hsts-age: "64"
          ssl-hsts-include-subdomains: "disable"
          ssl-http-location-conversion: "enable"
          ssl-http-match-host: "enable"
          ssl-max-version: "ssl-3.0"
          ssl-min-version: "ssl-3.0"
          ssl-mode: "half"
          ssl-pfs: "require"
          ssl-send-empty-frags: "enable"
          ssl-server-algorithm: "high"
          ssl-server-cipher-suites:
            - cipher: "TLS-RSA-WITH-3DES-EDE-CBC-SHA"
              priority: "76"
              versions: "ssl-3.0"
          ssl-server-max-version: "ssl-3.0"
          ssl-server-min-version: "ssl-3.0"
          ssl-server-session-state-max: "80"
          ssl-server-session-state-timeout: "81"
          ssl-server-session-state-type: "disable"
          type: "static-nat"
          uuid: "<your_own_value>"
          weblogic-server: "disable"
          websphere-server: "disable"
```
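The example task above carries placeholder values (SSL 3.0, 768-bit DH, a 3DES suite, renegotiation allowed) that a playbook review should catch before they reach a FortiGate. The following lint is an added example, not part of the Ansible module or of FortiOS: it takes the `firewall_vip6` mapping as a Python dict and reports the SSL offloading keys documented in the parameter table that fall below a baseline; that baseline, the ordering of version names and the `secure` renegotiation value used in the hardened sample are assumptions of this example.

```python
"""Lint a fortios_firewall_vip6 'firewall_vip6' mapping for weak SSL offloading settings.
Added example, not part of the Ansible module or FortiOS; the baseline (TLS 1.2+, 2048-bit
DH, PFS required, no 3DES/RC4/NULL/export suites, RFC 5746-only renegotiation) is assumed."""
from typing import Dict, List

# FortiOS version names, oldest first; the ordering is an assumption of this example.
TLS_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]
MIN_VERSION = "tls-1.2"
WEAK_SUITE_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "DES-CBC-")  # substrings of suite names


def too_old(version: str) -> bool:
    """True when a version name is below MIN_VERSION or is not a name this lint recognises."""
    return version not in TLS_ORDER or TLS_ORDER.index(version) < TLS_ORDER.index(MIN_VERSION)


def lint_vip6(vip: Dict) -> List[str]:
    """Return one finding per weak setting; an empty list means the baseline is met."""
    findings: List[str] = []
    for key in ("ssl-min-version", "ssl-server-min-version"):
        if key in vip and too_old(str(vip[key])):
            findings.append(f"{key}={vip[key]}: below {MIN_VERSION}")
    if "ssl-dh-bits" in vip and int(vip["ssl-dh-bits"]) < 2048:
        findings.append(f"ssl-dh-bits={vip['ssl-dh-bits']}: below 2048")
    for key in ("ssl-cipher-suites", "ssl-server-cipher-suites"):
        for suite in vip.get(key, []):  # list of {cipher, priority, versions} entries
            name = str(suite.get("cipher", ""))
            if any(m in name.upper() for m in WEAK_SUITE_MARKERS):
                findings.append(f"{key}: weak suite {name}")
            for ver in str(suite.get("versions", MIN_VERSION)).split():  # space-separated
                if too_old(ver):
                    findings.append(f"{key}: {name} enabled for {ver}")
    if "ssl-pfs" in vip and vip["ssl-pfs"] != "require":
        findings.append(f"ssl-pfs={vip['ssl-pfs']}: forward secrecy not required")
    if vip.get("ssl-client-renegotiation") == "allow":
        findings.append("ssl-client-renegotiation=allow: renegotiation not limited to RFC 5746")
    if vip.get("https-cookie-secure") == "disable":
        findings.append("https-cookie-secure=disable: inserted cookies not verified as Secure")
    return findings


# Constructed sample: the SSL-related values from the page's example task, as a mapping.
WEAK_VIP = {"ssl-min-version": "ssl-3.0", "ssl-server-min-version": "ssl-3.0", "ssl-dh-bits": "768",
            "ssl-cipher-suites": [{"cipher": "TLS-RSA-WITH-3DES-EDE-CBC-SHA", "priority": "49",
                                   "versions": "ssl-3.0"}], "ssl-pfs": "require",
            "ssl-client-renegotiation": "allow", "https-cookie-secure": "disable"}
# Constructed hardened counterpart; the suite name and the "secure" value are assumptions.
HARDENED_VIP = {"ssl-min-version": "tls-1.2", "ssl-server-min-version": "tls-1.2", "ssl-dh-bits": "2048",
                "ssl-cipher-suites": [{"cipher": "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "priority": "1",
                                       "versions": "tls-1.2"}], "ssl-pfs": "require",
                "ssl-client-renegotiation": "secure", "https-cookie-secure": "enable"}
```

Run `lint_vip6` over each `firewall_vip6` mapping in a playbook before applying it; any non-empty result is a setting to revisit.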
Common return values are documented here; the following are the fields unique to this module:

Key | Type | Returned | Description | Sample
---|---|---|---|---
build | string | always | Build number of the FortiGate image | 1547
http_method | string | always | Last method used to provision the content into FortiGate | PUT
http_status | string | always | Last result given by FortiGate on last operation applied | 200
mkey | string | success | Master key (id) used in the last call to FortiGate | key1
name | string | always | Name of the table used to fulfill the request | urlfilter
path | string | always | Path of the table used to fulfill the request | webfilter
revision | string | always | Internal revision number | 17.0.2.10658
serial | string | always | Serial number of the unit | FGVMEVYYQT3AB5352
status | string | always | Indication of the operation's result | success
vdom | string | always | Virtual domain used | root
version | string | always | Version of the FortiGate | v5.6.3