fortinet.fortios.fortios_system_settings – Configure VDOM settings in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 1.1.8).
To install it use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_system_settings.
New in version 2.8 of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the system feature and settings category. The examples include all parameters and values; they need to be adjusted to your datasources before use. Tested with FOS v6.0.0.
 
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
 
Parameters
| Parameter | Type | Choices/Defaults | Comments |
|---|---|---|---|
| access_token | string | | Token-based authentication. Generated from the GUI of the FortiGate. |
| system_settings | dictionary | | Configure VDOM settings. Its sub-options are listed in the next table. |
| vdom | string | Default: "root" | Virtual domain, among those defined previously. A VDOM is a virtual instance of the FortiGate that can be configured and used as a different unit. |

Sub-options of system_settings:

| Parameter | Type | Choices/Defaults | Comments |
|---|---|---|---|
| allow_subnet_overlap | string | | Enable/disable allowing interface subnets to use overlapping IP addresses. |
| asymroute | string | | Enable/disable IPv4 asymmetric routing. |
| asymroute6 | string | | Enable/disable asymmetric IPv6 routing. |
| asymroute6_icmp | string | | Enable/disable asymmetric ICMPv6 routing. |
| asymroute_icmp | string | | Enable/disable ICMP asymmetric routing. |
| bfd | string | | Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. |
| bfd_desired_min_tx | integer | | BFD desired minimal transmit interval (1 - 100000 ms). |
| bfd_detect_mult | integer | | BFD detection multiplier (1 - 50). |
| bfd_dont_enforce_src_port | string | | Enable to not enforce verifying the source port of BFD packets. |
| bfd_required_min_rx | integer | | BFD required minimal receive interval (1 - 100000 ms). |
| block_land_attack | string | | Enable/disable blocking of land attacks. |
| central_nat | string | | Enable/disable central NAT. |
| comments | string | | VDOM comments. |
| compliance_check | string | | Enable/disable PCI DSS compliance checking. |
| default_voip_alg_mode | string | | Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile. |
| deny_tcp_with_icmp | string | | Enable/disable denying TCP by sending an ICMP communication prohibited packet. |
| device | string | | Interface to use for management access for NAT mode. Source system.interface.name. |
| dhcp6_server_ip | string | | DHCPv6 server IPv6 address. |
| dhcp_proxy | string | | Enable/disable the DHCP Proxy. |
| dhcp_server_ip | string | | DHCP Server IPv4 address. |
| discovered_device_timeout | integer | | Timeout for discovered devices (1 - 365 days). |
| ecmp_max_paths | integer | | Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 100). |
| email_portal_check_dns | string | | Enable/disable using DNS to validate email addresses collected by a captive portal. |
| firewall_session_dirty | string | | Select how to manage sessions affected by firewall policy configuration changes. |
| fw_session_hairpin | string | | Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate. |
| gateway | string | | Transparent mode IPv4 default gateway IP address. |
| gateway6 | string | | Transparent mode IPv6 default gateway IP address. |
| gui_advanced_policy | string | | Enable/disable advanced policy configuration on the GUI. |
| gui_allow_unnamed_policy | string | | Enable/disable the requirement for policy naming on the GUI. |
| gui_antivirus | string | | Enable/disable AntiVirus on the GUI. |
| gui_ap_profile | string | | Enable/disable FortiAP profiles on the GUI. |
| gui_application_control | string | | Enable/disable application control on the GUI. |
| gui_default_policy_columns | list / elements=string | | Default columns to display for policy lists on the GUI. |
| name | string (required) | | Select column name. Sub-option of gui_default_policy_columns. |
| gui_dhcp_advanced | string | | Enable/disable advanced DHCP options on the GUI. |
| gui_dlp | string | | Enable/disable DLP on the GUI. |
| gui_dns_database | string | | Enable/disable DNS database settings on the GUI. |
| gui_dnsfilter | string | | Enable/disable DNS Filtering on the GUI. |
| gui_domain_ip_reputation | string | | Enable/disable Domain and IP Reputation on the GUI. |
| gui_dos_policy | string | | Enable/disable DoS policies on the GUI. |
| gui_dynamic_profile_display | string | | Enable/disable RADIUS Single Sign On (RSSO) on the GUI. |
| gui_dynamic_routing | string | | Enable/disable dynamic routing on the GUI. |
| gui_email_collection | string | | Enable/disable email collection on the GUI. |
| gui_endpoint_control | string | | Enable/disable endpoint control on the GUI. |
| gui_endpoint_control_advanced | string | | Enable/disable advanced endpoint control options on the GUI. |
| gui_explicit_proxy | string | | Enable/disable the explicit proxy on the GUI. |
| gui_fortiap_split_tunneling | string | | Enable/disable FortiAP split tunneling on the GUI. |
| gui_fortiextender_controller | string | | Enable/disable FortiExtender on the GUI. |
| gui_icap | string | | Enable/disable ICAP on the GUI. |
| gui_implicit_policy | string | | Enable/disable implicit firewall policies on the GUI. |
| gui_ips | string | | Enable/disable IPS on the GUI. |
| gui_load_balance | string | | Enable/disable server load balancing on the GUI. |
| gui_local_in_policy | string | | Enable/disable Local-In policies on the GUI. |
| gui_local_reports | string | | Enable/disable local reports on the GUI. |
| gui_multicast_policy | string | | Enable/disable multicast firewall policies on the GUI. |
| gui_multiple_interface_policy | string | | Enable/disable adding multiple interfaces to a policy on the GUI. |
| gui_multiple_utm_profiles | string | | Enable/disable multiple UTM profiles on the GUI. |
| gui_nat46_64 | string | | Enable/disable NAT46 and NAT64 settings on the GUI. |
| gui_object_colors | string | | Enable/disable object colors on the GUI. |
| gui_policy_based_ipsec | string | | Enable/disable policy-based IPsec VPN on the GUI. |
| gui_policy_learning | string | | Enable/disable firewall policy learning mode on the GUI. |
| gui_replacement_message_groups | string | | Enable/disable replacement message groups on the GUI. |
| gui_spamfilter | string | | Enable/disable Antispam on the GUI. |
| gui_sslvpn_personal_bookmarks | string | | Enable/disable SSL-VPN personal bookmark management on the GUI. |
| gui_sslvpn_realms | string | | Enable/disable SSL-VPN realms on the GUI. |
| gui_switch_controller | string | | Enable/disable the switch controller on the GUI. |
| gui_threat_weight | string | | Enable/disable threat weight on the GUI. |
| gui_traffic_shaping | string | | Enable/disable traffic shaping on the GUI. |
| gui_voip_profile | string | | Enable/disable VoIP profiles on the GUI. |
| gui_vpn | string | | Enable/disable VPN tunnels on the GUI. |
| gui_waf_profile | string | | Enable/disable Web Application Firewall on the GUI. |
| gui_wan_load_balancing | string | | Enable/disable SD-WAN on the GUI. |
| gui_wanopt_cache | string | | Enable/disable WAN Optimization and Web Caching on the GUI. |
| gui_webfilter | string | | Enable/disable Web filtering on the GUI. |
| gui_webfilter_advanced | string | | Enable/disable advanced web filtering on the GUI. |
| gui_wireless_controller | string | | Enable/disable the wireless controller on the GUI. |
| http_external_dest | string | | Offload HTTP traffic to FortiWeb or FortiCache. |
| ike_dn_format | string | | Configure IKE ASN.1 Distinguished Name format conventions. |
| ike_quick_crash_detect | string | | Enable/disable IKE quick crash detection (RFC 6290). |
| ike_session_resume | string | | Enable/disable IKEv2 session resumption (RFC 5723). |
| implicit_allow_dns | string | | Enable/disable implicitly allowing DNS traffic. |
| inspection_mode | string | | Inspection mode (proxy-based or flow-based). |
| ip | string | | IP address and netmask. |
| ip6 | string | | IPv6 address prefix for NAT mode. |
| link_down_access | string | | Enable/disable link down access traffic. |
| lldp_transmission | string | | Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM. |
| mac_ttl | integer | | Duration of MAC addresses in Transparent mode (300 - 8640000 sec). |
| manageip | string | | Transparent mode IPv4 management IP address and netmask. |
| manageip6 | string | | Transparent mode IPv6 management IP address and netmask. |
| multicast_forward | string | | Enable/disable multicast forwarding. |
| multicast_skip_policy | string | | Enable/disable allowing multicast traffic through the FortiGate without a policy check. |
| multicast_ttl_notchange | string | | Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. |
| ngfw_mode | string | | Next Generation Firewall (NGFW) mode. |
| opmode | string | | Firewall operation mode (NAT or Transparent). |
| sccp_port | integer | | TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535). |
| ses_denied_traffic | string | | Enable/disable including denied sessions in the session table. |
| sip_helper | string | | Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG). |
| sip_nat_trace | string | | Enable/disable recording the original SIP source IP address when NAT is used. |
| sip_ssl_port | integer | | TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535). |
| sip_tcp_port | integer | | TCP port the SIP proxy monitors for SIP traffic (0 - 65535). |
| sip_udp_port | integer | | UDP port the SIP proxy monitors for SIP traffic (0 - 65535). |
| snat_hairpin_traffic | string | | Enable/disable source NAT (SNAT) for hairpin traffic. |
| ssl_ssh_profile | string | | Profile for SSL/SSH inspection. Source firewall.ssl-ssh-profile.name. |
| status | string | | Enable/disable this VDOM. |
| strict_src_check | string | | Enable/disable strict source verification. |
| tcp_session_without_syn | string | | Enable/disable allowing TCP sessions without SYN flags. |
| utf8_spam_tagging | string | | Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. |
| v4_ecmp_mode | string | | IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. |
| vpn_stats_log | string | | Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. |
| vpn_stats_period | integer | | Period to send VPN log statistics (60 - 86400 sec). |
| wccp_cache_engine | string | | Enable/disable WCCP cache engine. |
Notes
- The legacy fortiosapi has been deprecated; httpapi is the preferred way to run playbooks.
 
Examples
```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
  - name: Configure VDOM settings.
    fortios_system_settings:
      vdom:  "{{ vdom }}"
      system_settings:
        allow_subnet_overlap: "enable"
        asymroute: "enable"
        asymroute_icmp: "enable"
        asymroute6: "enable"
        asymroute6_icmp: "enable"
        bfd: "enable"
        bfd_desired_min_tx: "9"
        bfd_detect_mult: "10"
        bfd_dont_enforce_src_port: "enable"
        bfd_required_min_rx: "12"
        block_land_attack: "disable"
        central_nat: "enable"
        comments: "<your_own_value>"
        compliance_check: "enable"
        default_voip_alg_mode: "proxy-based"
        deny_tcp_with_icmp: "enable"
        device: "<your_own_value> (source system.interface.name)"
        dhcp_proxy: "enable"
        dhcp_server_ip: "<your_own_value>"
        dhcp6_server_ip: "<your_own_value>"
        discovered_device_timeout: "23"
        ecmp_max_paths: "24"
        email_portal_check_dns: "disable"
        firewall_session_dirty: "check-all"
        fw_session_hairpin: "enable"
        gateway: "<your_own_value>"
        gateway6: "<your_own_value>"
        gui_advanced_policy: "enable"
        gui_allow_unnamed_policy: "enable"
        gui_antivirus: "enable"
        gui_ap_profile: "enable"
        gui_application_control: "enable"
        gui_default_policy_columns:
          - name: "default_name_36"
        gui_dhcp_advanced: "enable"
        gui_dlp: "enable"
        gui_dns_database: "enable"
        gui_dnsfilter: "enable"
        gui_domain_ip_reputation: "enable"
        gui_dos_policy: "enable"
        gui_dynamic_profile_display: "enable"
        gui_dynamic_routing: "enable"
        gui_email_collection: "enable"
        gui_endpoint_control: "enable"
        gui_endpoint_control_advanced: "enable"
        gui_explicit_proxy: "enable"
        gui_fortiap_split_tunneling: "enable"
        gui_fortiextender_controller: "enable"
        gui_icap: "enable"
        gui_implicit_policy: "enable"
        gui_ips: "enable"
        gui_load_balance: "enable"
        gui_local_in_policy: "enable"
        gui_local_reports: "enable"
        gui_multicast_policy: "enable"
        gui_multiple_interface_policy: "enable"
        gui_multiple_utm_profiles: "enable"
        gui_nat46_64: "enable"
        gui_object_colors: "enable"
        gui_policy_based_ipsec: "enable"
        gui_policy_learning: "enable"
        gui_replacement_message_groups: "enable"
        gui_spamfilter: "enable"
        gui_sslvpn_personal_bookmarks: "enable"
        gui_sslvpn_realms: "enable"
        gui_switch_controller: "enable"
        gui_threat_weight: "enable"
        gui_traffic_shaping: "enable"
        gui_voip_profile: "enable"
        gui_vpn: "enable"
        gui_waf_profile: "enable"
        gui_wan_load_balancing: "enable"
        gui_wanopt_cache: "enable"
        gui_webfilter: "enable"
        gui_webfilter_advanced: "enable"
        gui_wireless_controller: "enable"
        http_external_dest: "fortiweb"
        ike_dn_format: "with-space"
        ike_quick_crash_detect: "enable"
        ike_session_resume: "enable"
        implicit_allow_dns: "enable"
        inspection_mode: "proxy"
        ip: "<your_own_value>"
        ip6: "<your_own_value>"
        link_down_access: "enable"
        lldp_transmission: "enable"
        mac_ttl: "89"
        manageip: "<your_own_value>"
        manageip6: "<your_own_value>"
        multicast_forward: "enable"
        multicast_skip_policy: "enable"
        multicast_ttl_notchange: "enable"
        ngfw_mode: "profile-based"
        opmode: "nat"
        sccp_port: "97"
        ses_denied_traffic: "enable"
        sip_helper: "enable"
        sip_nat_trace: "enable"
        sip_ssl_port: "101"
        sip_tcp_port: "102"
        sip_udp_port: "103"
        snat_hairpin_traffic: "enable"
        ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
        status: "enable"
        strict_src_check: "enable"
        tcp_session_without_syn: "enable"
        utf8_spam_tagging: "enable"
        v4_ecmp_mode: "source-ip-based"
        vpn_stats_log: "ipsec"
        vpn_stats_period: "112"
        wccp_cache_engine: "enable"
```
Return Values
Common return values are documented here; the following are the fields unique to this module:
| Key | Type | Returned | Description | Sample |
|---|---|---|---|---|
| build | string | always | Build number of the FortiGate image | 1547 |
| http_method | string | always | Last method used to provision the content into the FortiGate | PUT |
| http_status | string | always | Last result given by the FortiGate on the last operation applied | 200 |
| mkey | string | success | Master key (id) used in the last call to the FortiGate | id |
| name | string | always | Name of the table used to fulfill the request | urlfilter |
| path | string | always | Path of the table used to fulfill the request | webfilter |
| revision | string | always | Internal revision number | 17.0.2.10658 |
| serial | string | always | Serial number of the unit | FGVMEVYYQT3AB5352 |
| status | string | always | Indication of the operation's result | success |
| vdom | string | always | Virtual domain used | root |
| version | string | always | Version of the FortiGate | v5.6.3 |
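The generated example above sets every parameter the module knows, which is rarely what an operator wants. The playbook below is an added example written for this page (it is not part of the Fortinet collection's documentation): it sets only the session-handling and anti-spoofing sub-options of system_settings to their more restrictive value, keeps certificate validation on for the management connection, and then checks the return values documented in the table above so the play fails when the FortiGate rejects the change. The inventory group fortigates, the vaulted variable fortigate_api_token and the VDOM name root are assumptions.

```yaml
# Added example for this page, not code from the fortinet.fortios collection.
# Assumptions: inventory group "fortigates", a vaulted variable
# "fortigate_api_token" holding a FortiGate API token, and a VDOM named "root".
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  gather_facts: false
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: true
    # Verify the unit's TLS certificate rather than switching validation off.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Apply restrictive session and routing settings to the VDOM
      fortios_system_settings:
        vdom: "{{ vdom }}"
        access_token: "{{ fortigate_api_token }}"
        system_settings:
          # Strict source verification and land-attack blocking (see parameter table).
          strict_src_check: "enable"
          block_land_attack: "enable"
          # Do not allow TCP sessions to be created without a SYN.
          tcp_session_without_syn: "disable"
          # Keep routing symmetric so return traffic is inspected on the same path.
          asymroute: "disable"
          asymroute6: "disable"
          # Do not let interface subnets overlap.
          allow_subnet_overlap: "disable"
          # Multicast still goes through the policy check.
          multicast_skip_policy: "disable"
          # Record denied sessions in the session table for later investigation.
          ses_denied_traffic: "enable"
          # Re-evaluate all existing sessions when a policy changes.
          firewall_session_dirty: "check-all"
      register: vdom_result

    - name: Fail the play if the FortiGate did not accept the change
      assert:
        that:
          - vdom_result.status == "success"
          - (vdom_result.http_status | string) == "200"
        fail_msg: >-
          FortiGate {{ vdom_result.serial | default('unknown') }}
          returned http_status {{ vdom_result.http_status | default('n/a') }}
          for vdom {{ vdom_result.vdom | default(vdom) }}
```

The assert task reads the status, http_status, serial and vdom keys from the return-value table; http_status is cast to a string before comparison so the check works whether the module returns it as a number or as the string shown in the Sample column.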
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
 
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/fortinet/fortios/fortios_system_settings_module.html