fortinet.fortios.fortios_application_list – Configure application control lists in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_application_list.
New in version 2.10: of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify application feature and list category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
| Parameter | Choices/Defaults | Comments | ||||
|---|---|---|---|---|---|---|
| access_token string | Token-based authentication. Generated from GUI of Fortigate. | |||||
| application_list dictionary | Configure application control lists. | |||||
| app_replacemsg string |
| Enable/disable replacement messages for blocked applications. | ||||
| comment string | comments | |||||
| control_default_network_services string |
| Enable/disable enforcement of protocols over selected ports. | ||||
| deep_app_inspection string |
| Enable/disable deep application inspection. | ||||
| default_network_services list / elements=string | Default network service entries. | |||||
| id integer / required | Entry ID. | |||||
| port integer | Port number. | |||||
| services string |
| Network protocols. | ||||
| violation_action string |
| Action for protocols not white listed under selected port. | ||||
| enforce_default_app_port string |
| Enable/disable default application port enforcement for allowed applications. | ||||
| entries list / elements=string | Application list entries. | |||||
| action string |
| Pass or block traffic, or reset connection for traffic from this application. | ||||
| application list / elements=string | ID of allowed applications. | |||||
| id integer / required | Application IDs. | |||||
| behavior string | Application behavior filter. | |||||
| category list / elements=string | Category ID list. | |||||
| id integer / required | Application category ID. | |||||
| exclusion list / elements=string | ID of excluded applications. | |||||
| id integer / required | Excluded application IDs. | |||||
| id integer / required | Entry ID. | |||||
| log string |
| Enable/disable logging for this application list. | ||||
| log_packet string |
| Enable/disable packet logging. | ||||
| parameters list / elements=string | Application parameters. | |||||
| id integer / required | Parameter ID. | |||||
| members list / elements=string | Parameter tuple members. | |||||
| id integer / required | Parameter. | |||||
| name string | Parameter name. | |||||
| value string | Parameter value. | |||||
| value string | Parameter value. | |||||
| per_ip_shaper string | Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name. | |||||
| popularity list / elements=string |
| Application popularity filter (1 - 5, from least to most popular). | ||||
| protocols string | Application protocol filter. | |||||
| quarantine string |
| Quarantine method. | ||||
| quarantine_expiry string | Duration of quarantine. (Format | |||||
| quarantine_log string |
| Enable/disable quarantine logging. | ||||
| rate_count integer | Count of the rate. | |||||
| rate_duration integer | Duration (sec) of the rate. | |||||
| rate_mode string |
| Rate limit mode. | ||||
| rate_track string |
| Track the packet protocol field. | ||||
| risk list / elements=string | Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical). | |||||
| level integer / required | Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical). | |||||
| session_ttl integer | Session TTL (0 = default). | |||||
| shaper string | Traffic shaper. Source firewall.shaper.traffic-shaper.name. | |||||
| shaper_reverse string | Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name. | |||||
| sub_category list / elements=string | Application Sub-category ID list. | |||||
| id integer / required | Application sub-category ID. | |||||
| technology string | Application technology filter. | |||||
| vendor string | Application vendor filter. | |||||
| extended_log string |
| Enable/disable extended logging. | ||||
| force_inclusion_ssl_di_sigs string |
| Enable/disable forced inclusion of SSL deep inspection signatures. | ||||
| name string / required | List name. | |||||
| options list / elements=string |
| Basic application protocol signatures allowed by default. | ||||
| other_application_action string |
| Action for other applications. | ||||
| other_application_log string |
| Enable/disable logging for other applications. | ||||
| p2p_black_list list / elements=string |
| P2P applications to be black listed. | ||||
| p2p_block_list list / elements=string |
| P2P applications to be blocklisted. | ||||
| replacemsg_group string | Replacement message group. Source system.replacemsg-group.name. | |||||
| unknown_application_action string |
| Pass or block traffic from unknown applications. | ||||
| unknown_application_log string |
| Enable/disable logging for unknown applications. | ||||
| enable_log boolean |
| Enable/Disable logging for task. | ||||
| state string / required |
| Indicates whether to create or remove the object. | ||||
| vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | ||||
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure application control lists.
fortios_application_list:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
application_list:
app_replacemsg: "disable"
comment: "comments"
control_default_network_services: "disable"
deep_app_inspection: "disable"
default_network_services:
-
id: "8"
port: "9"
services: "http"
violation_action: "pass"
enforce_default_app_port: "disable"
entries:
-
action: "pass"
application:
-
id: "16"
behavior: "<your_own_value>"
category:
-
id: "19"
exclusion:
-
id: "21"
id: "22"
log: "disable"
log_packet: "disable"
parameters:
-
id: "26"
members:
-
id: "28"
name: "default_name_29"
value: "<your_own_value>"
value: "<your_own_value>"
per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
popularity: "1"
protocols: "<your_own_value>"
quarantine: "none"
quarantine_expiry: "<your_own_value>"
quarantine_log: "disable"
rate_count: "38"
rate_duration: "39"
rate_mode: "periodical"
rate_track: "none"
risk:
-
level: "43"
session_ttl: "44"
shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
sub_category:
-
id: "48"
technology: "<your_own_value>"
vendor: "<your_own_value>"
extended_log: "enable"
force_inclusion_ssl_di_sigs: "disable"
name: "default_name_53"
options: "allow-dns"
other_application_action: "pass"
other_application_log: "disable"
p2p_black_list: "skype"
p2p_block_list: "skype"
replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
unknown_application_action: "pass"
unknown_application_log: "disable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build string | always | Build number of the fortigate image Sample: 1547 |
| http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
| http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
| mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
| name string | always | Name of the table used to fulfill the request Sample: urlfilter |
| path string | always | Path of the table used to fulfill the request Sample: webfilter |
| revision string | always | Internal revision number Sample: 17.0.2.10658 |
| serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
| status string | always | Indication of the operation's result Sample: success |
| vdom string | always | Virtual domain used Sample: root |
| version string | always | Version of the FortiGate Sample: v5.6.3 |
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_application_list_module.html