New in version 2.8.
The below requirements are needed on the host that executes this module.
Parameter | Type | Choices/Defaults | Comments
---|---|---|---
firewall_policy6 | - | Default: null | Configure IPv6 policies.
firewall_policy6 / action | - | | Policy action (allow/deny/ipsec).
firewall_policy6 / app-category | - | | Application category ID list.
firewall_policy6 / app-category / id (required) | - | | Category IDs.
firewall_policy6 / app-group | - | | Application group names.
firewall_policy6 / app-group / name (required) | - | | Application group names. Source application.group.name.
firewall_policy6 / application | - | | Application ID list.
firewall_policy6 / application / id (required) | - | | Application IDs.
firewall_policy6 / application-list | - | | Name of an existing Application list. Source application.list.name.
firewall_policy6 / av-profile | - | | Name of an existing Antivirus profile. Source antivirus.profile.name.
firewall_policy6 / comments | - | | Comment.
firewall_policy6 / custom-log-fields | - | | Log field index numbers to append custom log fields to log messages for this policy.
firewall_policy6 / custom-log-fields / field-id (required) | - | | Custom log field. Source log.custom-field.id.
firewall_policy6 / devices | - | | Names of devices or device groups that can be matched by the policy.
firewall_policy6 / devices / name (required) | - | | Device or group name. Source user.device.alias user.device-group.name user.device-category.name.
firewall_policy6 / diffserv-forward | - | | Enable to change packet's DiffServ values to the specified diffservcode-forward value.
firewall_policy6 / diffserv-reverse | - | | Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
firewall_policy6 / diffservcode-forward | - | | Change packet's DiffServ to this value.
firewall_policy6 / diffservcode-rev | - | | Change packet's reverse (reply) DiffServ to this value.
firewall_policy6 / dlp-sensor | - | | Name of an existing DLP sensor. Source dlp.sensor.name.
firewall_policy6 / dscp-match | - | | Enable DSCP check.
firewall_policy6 / dscp-negate | - | | Enable negated DSCP match.
firewall_policy6 / dscp-value | - | | DSCP value.
firewall_policy6 / dsri | - | | Enable DSRI to ignore HTTP server responses.
firewall_policy6 / dstaddr | - | | Destination address and address group names.
firewall_policy6 / dstaddr / name (required) | - | | Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name.
firewall_policy6 / dstaddr-negate | - | | When enabled, dstaddr specifies what the destination address must NOT be.
firewall_policy6 / dstintf | - | | Outgoing (egress) interface.
firewall_policy6 / dstintf / name (required) | - | | Interface name. Source system.interface.name system.zone.name.
firewall_policy6 / firewall-session-dirty | - | | How to handle sessions if the configuration of this firewall policy changes.
firewall_policy6 / fixedport | - | | Enable to prevent source NAT from changing a session's source port.
firewall_policy6 / global-label | - | | Label for the policy that appears when the GUI is in Global View mode.
firewall_policy6 / groups | - | | Names of user groups that can authenticate with this policy.
firewall_policy6 / groups / name (required) | - | | Group name. Source user.group.name.
firewall_policy6 / icap-profile | - | | Name of an existing ICAP profile. Source icap.profile.name.
firewall_policy6 / inbound | - | | Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
firewall_policy6 / ippool | - | | Enable to use IP Pools for source NAT.
firewall_policy6 / ips-sensor | - | | Name of an existing IPS sensor. Source ips.sensor.name.
firewall_policy6 / label | - | | Label for the policy that appears when the GUI is in Section View mode.
firewall_policy6 / logtraffic | - | | Enable or disable logging. Log all sessions or security profile sessions.
firewall_policy6 / logtraffic-start | - | | Record logs when a session starts and ends.
firewall_policy6 / name | - | | Policy name.
firewall_policy6 / nat | - | | Enable/disable source NAT.
firewall_policy6 / natinbound | - | | Policy-based IPsec VPN: apply destination NAT to inbound traffic.
firewall_policy6 / natoutbound | - | | Policy-based IPsec VPN: apply source NAT to outbound traffic.
firewall_policy6 / outbound | - | | Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
firewall_policy6 / per-ip-shaper | - | | Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name.
firewall_policy6 / policyid (required) | - | | Policy ID.
firewall_policy6 / poolname | - | | IP Pool names.
firewall_policy6 / poolname / name (required) | - | | IP pool name. Source firewall.ippool6.name.
firewall_policy6 / profile-group | - | | Name of profile group. Source firewall.profile-group.name.
firewall_policy6 / profile-protocol-options | - | | Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
firewall_policy6 / profile-type | - | | Determine whether the firewall policy allows security profile groups or single profiles only.
firewall_policy6 / replacemsg-override-group | - | | Override the default replacement message group for this policy. Source system.replacemsg-group.name.
firewall_policy6 / rsso | - | | Enable/disable RADIUS single sign-on (RSSO).
firewall_policy6 / schedule | - | | Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name.
firewall_policy6 / send-deny-packet | - | | Enable/disable return of deny-packet.
firewall_policy6 / service | - | | Service and service group names.
firewall_policy6 / service / name (required) | - | | Address name. Source firewall.service.custom.name firewall.service.group.name.
firewall_policy6 / service-negate | - | | When enabled, service specifies what the service must NOT be.
firewall_policy6 / session-ttl | - | | Session TTL in seconds for sessions accepted by this policy. 0 means use the system default session TTL.
firewall_policy6 / spamfilter-profile | - | | Name of an existing Spam filter profile. Source spamfilter.profile.name.
firewall_policy6 / srcaddr | - | | Source address and address group names.
firewall_policy6 / srcaddr / name (required) | - | | Address name. Source firewall.address6.name firewall.addrgrp6.name.
firewall_policy6 / srcaddr-negate | - | | When enabled, srcaddr specifies what the source address must NOT be.
firewall_policy6 / srcintf | - | | Incoming (ingress) interface.
firewall_policy6 / srcintf / name (required) | - | | Interface name. Source system.zone.name system.interface.name.
firewall_policy6 / ssh-filter-profile | - | | Name of an existing SSH filter profile. Source ssh-filter.profile.name.
firewall_policy6 / ssl-mirror | - | | Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
firewall_policy6 / ssl-mirror-intf | - | | SSL mirror interface name.
firewall_policy6 / ssl-mirror-intf / name (required) | - | | Interface name. Source system.zone.name system.interface.name.
firewall_policy6 / ssl-ssh-profile | - | | Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
firewall_policy6 / state | - | | Indicates whether to create or remove the object.
firewall_policy6 / status | - | | Enable or disable this policy.
firewall_policy6 / tcp-mss-receiver | - | | Receiver TCP maximum segment size (MSS).
firewall_policy6 / tcp-mss-sender | - | | Sender TCP maximum segment size (MSS).
firewall_policy6 / tcp-session-without-syn | - | | Enable/disable creation of TCP session without SYN flag.
firewall_policy6 / timeout-send-rst | - | | Enable/disable sending RST packets when TCP sessions expire.
firewall_policy6 / traffic-shaper | - | | Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
firewall_policy6 / traffic-shaper-reverse | - | | Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
firewall_policy6 / url-category | - | | URL category ID list.
firewall_policy6 / url-category / id (required) | - | | URL category ID.
firewall_policy6 / users | - | | Names of individual users that can authenticate with this policy.
firewall_policy6 / users / name (required) | - | | Names of individual users that can authenticate with this policy. Source user.local.name.
firewall_policy6 / utm-status | - | | Enable AV/web/ips protection profile.
firewall_policy6 / uuid | - | | Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
firewall_policy6 / vlan-cos-fwd | - | | VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
firewall_policy6 / vlan-cos-rev | - | | VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
firewall_policy6 / vlan-filter | - | | Set VLAN filters.
firewall_policy6 / voip-profile | - | | Name of an existing VoIP profile. Source voip.profile.name.
firewall_policy6 / vpntunnel | - | | Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name.
firewall_policy6 / webfilter-profile | - | | Name of an existing Web filter profile. Source webfilter.profile.name.
host (required) | - | | FortiOS or FortiGate IP address.
https | boolean | | Indicates if the requests towards FortiGate must use the HTTPS protocol.
password | - | Default: "" | FortiOS or FortiGate password.
username (required) | - | | FortiOS or FortiGate username.
vdom | - | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
Example playbook:

```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
  - name: Configure IPv6 policies.
    fortios_firewall_policy6:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      firewall_policy6:
        state: "present"
        action: "accept"
        app-category:
          - id: "5"
        app-group:
          - name: "default_name_7 (source application.group.name)"
        application:
          - id: "9"
        application-list: "<your_own_value> (source application.list.name)"
        av-profile: "<your_own_value> (source antivirus.profile.name)"
        comments: "<your_own_value>"
        custom-log-fields:
          - field-id: "<your_own_value> (source log.custom-field.id)"
        devices:
          - name: "default_name_16 (source user.device.alias user.device-group.name user.device-category.name)"
        diffserv-forward: "enable"
        diffserv-reverse: "enable"
        diffservcode-forward: "<your_own_value>"
        diffservcode-rev: "<your_own_value>"
        dlp-sensor: "<your_own_value> (source dlp.sensor.name)"
        dscp-match: "enable"
        dscp-negate: "enable"
        dscp-value: "<your_own_value>"
        dsri: "enable"
        dstaddr:
          - name: "default_name_27 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name)"
        dstaddr-negate: "enable"
        dstintf:
          - name: "default_name_30 (source system.interface.name system.zone.name)"
        firewall-session-dirty: "check-all"
        fixedport: "enable"
        global-label: "<your_own_value>"
        groups:
          - name: "default_name_35 (source user.group.name)"
        icap-profile: "<your_own_value> (source icap.profile.name)"
        inbound: "enable"
        ippool: "enable"
        ips-sensor: "<your_own_value> (source ips.sensor.name)"
        label: "<your_own_value>"
        logtraffic: "all"
        logtraffic-start: "enable"
        name: "default_name_43"
        nat: "enable"
        natinbound: "enable"
        natoutbound: "enable"
        outbound: "enable"
        per-ip-shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
        policyid: "49"
        poolname:
          - name: "default_name_51 (source firewall.ippool6.name)"
        profile-group: "<your_own_value> (source firewall.profile-group.name)"
        profile-protocol-options: "<your_own_value> (source firewall.profile-protocol-options.name)"
        profile-type: "single"
        replacemsg-override-group: "<your_own_value> (source system.replacemsg-group.name)"
        rsso: "enable"
        schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
        send-deny-packet: "enable"
        service:
          - name: "default_name_60 (source firewall.service.custom.name firewall.service.group.name)"
        service-negate: "enable"
        session-ttl: "62"
        spamfilter-profile: "<your_own_value> (source spamfilter.profile.name)"
        srcaddr:
          - name: "default_name_65 (source firewall.address6.name firewall.addrgrp6.name)"
        srcaddr-negate: "enable"
        srcintf:
          - name: "default_name_68 (source system.zone.name system.interface.name)"
        ssh-filter-profile: "<your_own_value> (source ssh-filter.profile.name)"
        ssl-mirror: "enable"
        ssl-mirror-intf:
          - name: "default_name_72 (source system.zone.name system.interface.name)"
        ssl-ssh-profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
        status: "enable"
        tcp-mss-receiver: "75"
        tcp-mss-sender: "76"
        tcp-session-without-syn: "all"
        timeout-send-rst: "enable"
        traffic-shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
        traffic-shaper-reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
        url-category:
          - id: "82"
        users:
          - name: "default_name_84 (source user.local.name)"
        utm-status: "enable"
        uuid: "<your_own_value>"
        vlan-cos-fwd: "87"
        vlan-cos-rev: "88"
        vlan-filter: "<your_own_value>"
        voip-profile: "<your_own_value> (source voip.profile.name)"
        vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
        webfilter-profile: "<your_own_value> (source webfilter.profile.name)"
```
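The playbook above exercises every parameter with placeholder values. The following playbook is an added example, not part of the module's own documentation, showing a more typical defensive use of the same module: one narrowly scoped IPv6 allow policy with IPS and full logging, followed by a logged catch-all deny for the same interface pair. The interface names (port1, port2), the address objects (lan6_clients, dmz6_web, all), the service objects (HTTPS, ALL), the schedule (always), the IPS sensor (default) and the policy IDs are assumed to exist or are constructed for this example; `module_defaults` is used so the connection parameters are not repeated per task.

```yaml
- hosts: localhost
  module_defaults:
    fortios_firewall_policy6:
      host: "192.168.122.40"                 # constructed management address
      username: "admin"
      password: "{{ fortigate_password }}"   # supply from Ansible Vault, not inline
      vdom: "root"
  tasks:
  - name: Allow only HTTPS from the internal segment to the DMZ web servers, with IPS and logging
    fortios_firewall_policy6:
      firewall_policy6:
        state: "present"
        policyid: "100"                      # constructed policy ID
        name: "lan6-to-dmz6-https"
        status: "enable"
        action: "accept"
        srcintf:
          - name: "port1"                    # assumed ingress interface
        dstintf:
          - name: "port2"                    # assumed egress interface
        srcaddr:
          - name: "lan6_clients"             # assumed firewall.address6 object
        dstaddr:
          - name: "dmz6_web"                 # assumed firewall.addrgrp6 object
        service:
          - name: "HTTPS"                    # assumed firewall.service.custom object
        schedule: "always"                   # assumed schedule object
        logtraffic: "all"                    # log every session, not only UTM events
        utm-status: "enable"
        ips-sensor: "default"                # assumed ips.sensor object
  - name: Catch-all deny for the same interface pair, logged so that dropped traffic is visible
    fortios_firewall_policy6:
      firewall_policy6:
        state: "present"
        policyid: "101"                      # constructed policy ID
        name: "lan6-to-dmz6-deny-all"
        status: "enable"
        action: "deny"
        srcintf:
          - name: "port1"
        dstintf:
          - name: "port2"
        srcaddr:
          - name: "all"                      # assumed built-in address object
        dstaddr:
          - name: "all"
        service:
          - name: "ALL"                      # assumed built-in service object
        schedule: "always"
        logtraffic: "all"
```

FortiGate evaluates policies in table order, and a newly created policy is appended below existing ones, so after the run confirm on the unit that the deny policy sits below the allow policy rather than relying on the policy IDs alone.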
Common return values are documented in the Ansible return values reference; the following fields are unique to this module:

Key | Type | Returned | Description | Sample
---|---|---|---|---
build | string | always | Build number of the FortiGate image | 1547
http_method | string | always | Last method used to provision the content into FortiGate | PUT
http_status | string | always | Last result given by FortiGate on the last operation applied | 200
mkey | string | success | Master key (id) used in the last call to FortiGate | key1
name | string | always | Name of the table used to fulfill the request | urlfilter
path | string | always | Path of the table used to fulfill the request | webfilter
revision | string | always | Internal revision number | 17.0.2.10658
serial | string | always | Serial number of the unit | FGVMEVYYQT3AB5352
status | string | always | Indication of the operation's result | success
vdom | string | always | Virtual domain used | root
version | string | always | Version of the FortiGate | v5.6.3