New in version 2.8.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
endpoint_control_profile | Default: null | Configure FortiClient endpoint control profiles.
↳ description | | Description.
↳ device-groups | | Device groups.
↳ ↳ name / required | | Device group object from available options. Source user.device-group.name user.device-category.name.
↳ forticlient-android-settings | | FortiClient settings for Android platform.
↳ ↳ disable-wf-when-protected | | Enable/disable FortiClient web category filtering when protected by FortiGate.
↳ ↳ forticlient-advanced-vpn | | Enable/disable advanced FortiClient VPN configuration.
↳ ↳ forticlient-advanced-vpn-buffer | | Advanced FortiClient VPN configuration.
↳ ↳ forticlient-vpn-provisioning | | Enable/disable FortiClient VPN provisioning.
↳ ↳ forticlient-vpn-settings | | FortiClient VPN settings.
↳ ↳ ↳ auth-method | | Authentication method.
↳ ↳ ↳ name / required | | VPN name.
↳ ↳ ↳ preshared-key | | Pre-shared secret for PSK authentication.
↳ ↳ ↳ remote-gw | | IP address or FQDN of the remote VPN gateway.
↳ ↳ ↳ sslvpn-access-port | | SSL VPN access port (1 - 65535).
↳ ↳ ↳ sslvpn-require-certificate | | Enable/disable requiring SSL VPN client certificate.
↳ ↳ ↳ type | | VPN type (IPsec or SSL VPN).
↳ ↳ forticlient-wf | | Enable/disable FortiClient web filtering.
↳ ↳ forticlient-wf-profile | | The FortiClient web filter profile to apply. Source webfilter.profile.name.
↳ forticlient-ios-settings | | FortiClient settings for iOS platform.
↳ ↳ client-vpn-provisioning | | FortiClient VPN provisioning.
↳ ↳ client-vpn-settings | | FortiClient VPN settings.
↳ ↳ ↳ auth-method | | Authentication method.
↳ ↳ ↳ name / required | | VPN name.
↳ ↳ ↳ preshared-key | | Pre-shared secret for PSK authentication.
↳ ↳ ↳ remote-gw | | IP address or FQDN of the remote VPN gateway.
↳ ↳ ↳ sslvpn-access-port | | SSL VPN access port (1 - 65535).
↳ ↳ ↳ sslvpn-require-certificate | | Enable/disable requiring SSL VPN client certificate.
↳ ↳ ↳ type | | VPN type (IPsec or SSL VPN).
↳ ↳ ↳ vpn-configuration-content | | Content of VPN configuration.
↳ ↳ ↳ vpn-configuration-name | | Name of VPN configuration.
↳ ↳ configuration-content | | Content of configuration profile.
↳ ↳ configuration-name | | Name of configuration profile.
↳ ↳ disable-wf-when-protected | | Enable/disable FortiClient web category filtering when protected by FortiGate.
↳ ↳ distribute-configuration-profile | | Enable/disable configuration profile (.mobileconfig file) distribution.
↳ ↳ forticlient-wf | | Enable/disable FortiClient web filtering.
↳ ↳ forticlient-wf-profile | | The FortiClient web filter profile to apply. Source webfilter.profile.name.
↳ forticlient-winmac-settings | | FortiClient settings for Windows/Mac platform.
↳ ↳ av-realtime-protection | | Enable/disable FortiClient AntiVirus real-time protection.
↳ ↳ av-signature-up-to-date | | Enable/disable FortiClient AV signature updates.
↳ ↳ forticlient-application-firewall | | Enable/disable the FortiClient application firewall.
↳ ↳ forticlient-application-firewall-list | | FortiClient application firewall rule list. Source application.list.name.
↳ ↳ forticlient-av | | Enable/disable FortiClient AntiVirus scanning.
↳ ↳ forticlient-ems-compliance | | Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
↳ ↳ forticlient-ems-compliance-action | | FortiClient EMS compliance action.
↳ ↳ forticlient-ems-entries | | FortiClient EMS entries.
↳ ↳ ↳ name / required | | FortiClient EMS name. Source endpoint-control.forticlient-ems.name.
↳ ↳ forticlient-linux-ver | | Minimum FortiClient Linux version.
↳ ↳ forticlient-log-upload | | Enable/disable uploading FortiClient logs.
↳ ↳ forticlient-log-upload-level | | Select the FortiClient logs to upload.
↳ ↳ forticlient-log-upload-server | | IP address or FQDN of the server to which to upload FortiClient logs.
↳ ↳ forticlient-mac-ver | | Minimum FortiClient Mac OS version.
↳ ↳ forticlient-minimum-software-version | | Enable/disable requiring clients to run FortiClient with a minimum software version number.
↳ ↳ forticlient-operating-system | | FortiClient operating system.
↳ ↳ ↳ id / required | | Operating system entry ID.
↳ ↳ ↳ os-name | | Customize operating system name or Mac OS format: x.x.x
↳ ↳ ↳ os-type | | Operating system type.
↳ ↳ forticlient-own-file | | Checking the path and filename of the FortiClient application.
↳ ↳ ↳ file | | File path and name.
↳ ↳ ↳ id / required | | File ID.
↳ ↳ forticlient-registration-compliance-action | | FortiClient registration compliance action.
↳ ↳ forticlient-registry-entry | | FortiClient registry entry.
↳ ↳ ↳ id / required | | Registry entry ID.
↳ ↳ ↳ registry-entry | | Registry entry.
↳ ↳ forticlient-running-app | | Use FortiClient to verify if the listed applications are running on the client.
↳ ↳ ↳ app-name | | Application name.
↳ ↳ ↳ app-sha256-signature | | App's SHA256 signature.
↳ ↳ ↳ app-sha256-signature2 | | App's SHA256 signature.
↳ ↳ ↳ app-sha256-signature3 | | App's SHA256 signature.
↳ ↳ ↳ app-sha256-signature4 | | App's SHA256 signature.
↳ ↳ ↳ application-check-rule | | Application check rule.
↳ ↳ ↳ id / required | | Application ID.
↳ ↳ ↳ process-name | | Process name.
↳ ↳ ↳ process-name2 | | Process name.
↳ ↳ ↳ process-name3 | | Process name.
↳ ↳ ↳ process-name4 | | Process name.
↳ ↳ forticlient-security-posture | | Enable/disable FortiClient security posture check options.
↳ ↳ forticlient-security-posture-compliance-action | | FortiClient security posture compliance action.
↳ ↳ forticlient-system-compliance | | Enable/disable enforcement of FortiClient system compliance.
↳ ↳ forticlient-system-compliance-action | | Block or warn clients not compliant with FortiClient requirements.
↳ ↳ forticlient-vuln-scan | | Enable/disable FortiClient vulnerability scanning.
↳ ↳ forticlient-vuln-scan-compliance-action | | FortiClient vulnerability compliance action.
↳ ↳ forticlient-vuln-scan-enforce | | Configure the level of the vulnerability found that causes a FortiClient vulnerability compliance action.
↳ ↳ forticlient-vuln-scan-enforce-grace | | FortiClient vulnerability scan enforcement grace period (0 - 30 days, default = 1).
↳ ↳ forticlient-vuln-scan-exempt | | Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.
↳ ↳ forticlient-wf | | Enable/disable FortiClient web filtering.
↳ ↳ forticlient-wf-profile | | The FortiClient web filter profile to apply. Source webfilter.profile.name.
↳ ↳ forticlient-win-ver | | Minimum FortiClient Windows version.
↳ ↳ os-av-software-installed | | Enable/disable checking for OS recognized AntiVirus software.
↳ ↳ sandbox-address | | FortiSandbox address.
↳ ↳ sandbox-analysis | | Enable/disable sending files to FortiSandbox for analysis.
↳ on-net-addr | | Addresses for on-net detection.
↳ ↳ name / required | | Address object from available options. Source firewall.address.name firewall.addrgrp.name.
↳ profile-name / required | | Profile name.
↳ replacemsg-override-group | | Select an endpoint control replacement message override group from available options. Source system.replacemsg-group.name.
↳ src-addr | | Source addresses.
↳ ↳ name / required | | Address object from available options. Source firewall.address.name firewall.addrgrp.name.
↳ state | | Indicates whether to create or remove the object.
↳ user-groups | | User groups.
↳ ↳ name / required | | User group name. Source user.group.name.
↳ users | | Users.
↳ ↳ name / required | | User name. Source user.local.name.
host / required | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates if the requests towards FortiGate must use HTTPS protocol.
password | Default: "" | FortiOS or FortiGate password.
username / required | | FortiOS or FortiGate username.
vdom | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
Note
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
    - name: Configure FortiClient endpoint control profiles.
      fortios_endpoint_control_profile:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        endpoint_control_profile:
          state: "present"
          description: "<your_own_value>"
          device-groups:
            - name: "default_name_5 (source user.device-group.name user.device-category.name)"
          # Settings pushed to FortiClient on Android
          forticlient-android-settings:
            disable-wf-when-protected: "enable"
            forticlient-advanced-vpn: "enable"
            forticlient-advanced-vpn-buffer: "<your_own_value>"
            forticlient-vpn-provisioning: "enable"
            forticlient-vpn-settings:
              - auth-method: "psk"
                name: "default_name_13"
                preshared-key: "<your_own_value>"
                remote-gw: "<your_own_value>"
                sslvpn-access-port: "16"
                sslvpn-require-certificate: "enable"
                type: "ipsec"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
          # Settings pushed to FortiClient on iOS
          forticlient-ios-settings:
            client-vpn-provisioning: "enable"
            client-vpn-settings:
              - auth-method: "psk"
                name: "default_name_25"
                preshared-key: "<your_own_value>"
                remote-gw: "<your_own_value>"
                sslvpn-access-port: "28"
                sslvpn-require-certificate: "enable"
                type: "ipsec"
                vpn-configuration-content: "<your_own_value>"
                vpn-configuration-name: "<your_own_value>"
            configuration-content: "<your_own_value>"
            configuration-name: "<your_own_value>"
            disable-wf-when-protected: "enable"
            distribute-configuration-profile: "enable"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
          # Settings and compliance checks for FortiClient on Windows/Mac
          forticlient-winmac-settings:
            av-realtime-protection: "enable"
            av-signature-up-to-date: "enable"
            forticlient-application-firewall: "enable"
            forticlient-application-firewall-list: "<your_own_value> (source application.list.name)"
            forticlient-av: "enable"
            forticlient-ems-compliance: "enable"
            forticlient-ems-compliance-action: "block"
            forticlient-ems-entries:
              - name: "default_name_48 (source endpoint-control.forticlient-ems.name)"
            forticlient-linux-ver: "<your_own_value>"
            forticlient-log-upload: "enable"
            forticlient-log-upload-level: "traffic"
            forticlient-log-upload-server: "<your_own_value>"
            forticlient-mac-ver: "<your_own_value>"
            forticlient-minimum-software-version: "enable"
            forticlient-operating-system:
              - id: "56"
                os-name: "<your_own_value>"
                os-type: "custom"
            forticlient-own-file:
              - file: "<your_own_value>"
                id: "61"
            forticlient-registration-compliance-action: "block"
            forticlient-registry-entry:
              - id: "64"
                registry-entry: "<your_own_value>"
            forticlient-running-app:
              - app-name: "<your_own_value>"
                app-sha256-signature: "<your_own_value>"
                app-sha256-signature2: "<your_own_value>"
                app-sha256-signature3: "<your_own_value>"
                app-sha256-signature4: "<your_own_value>"
                application-check-rule: "present"
                id: "73"
                process-name: "<your_own_value>"
                process-name2: "<your_own_value>"
                process-name3: "<your_own_value>"
                process-name4: "<your_own_value>"
            forticlient-security-posture: "enable"
            forticlient-security-posture-compliance-action: "block"
            forticlient-system-compliance: "enable"
            forticlient-system-compliance-action: "block"
            forticlient-vuln-scan: "enable"
            forticlient-vuln-scan-compliance-action: "block"
            forticlient-vuln-scan-enforce: "critical"
            forticlient-vuln-scan-enforce-grace: "85"
            forticlient-vuln-scan-exempt: "enable"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
            forticlient-win-ver: "<your_own_value>"
            os-av-software-installed: "enable"
            sandbox-address: "<your_own_value>"
            sandbox-analysis: "enable"
          on-net-addr:
            - name: "default_name_94 (source firewall.address.name firewall.addrgrp.name)"
          profile-name: "<your_own_value>"
          replacemsg-override-group: "<your_own_value> (source system.replacemsg-group.name)"
          src-addr:
            - name: "default_name_98 (source firewall.address.name firewall.addrgrp.name)"
          user-groups:
            - name: "default_name_100 (source user.group.name)"
          users:
            - name: "default_name_102 (source user.local.name)"
```
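A variant of the playbook above that keeps the administrator password and the VPN pre-shared key out of the playbook and out of task output, given as an added example that is not part of the original module documentation. The vault file `vars/fortigate_vault.yml`, the `vault_*` variable names, and the profile, VPN and gateway names are assumptions chosen for illustration.

```yaml
# Added example, not from the module documentation.
# Hypothetical names: vars/fortigate_vault.yml and the vault_* variables.
# The vault file is expected to be encrypted with ansible-vault.
- hosts: localhost
  gather_facts: false
  vars_files:
    - vars/fortigate_vault.yml          # holds the vault_* secrets below
  vars:
    host: "192.168.122.40"
    vdom: "root"
  tasks:
    - name: Configure FortiClient endpoint control profile without plaintext secrets
      fortios_endpoint_control_profile:
        host: "{{ host }}"
        username: "{{ vault_fortigate_username }}"
        password: "{{ vault_fortigate_password }}"
        vdom: "{{ vdom }}"
        https: true                     # send API requests to the FortiGate over HTTPS
        endpoint_control_profile:
          state: "present"
          profile-name: "example-profile"          # constructed name
          forticlient-android-settings:
            forticlient-vpn-provisioning: "enable"
            forticlient-vpn-settings:
              - name: "example-vpn"                # constructed name
                type: "ipsec"
                auth-method: "psk"
                preshared-key: "{{ vault_vpn_psk }}"
                remote-gw: "vpn.example.com"       # constructed gateway
          forticlient-winmac-settings:
            # Block, rather than only configure, endpoints that fail the checks
            forticlient-system-compliance: "enable"
            forticlient-system-compliance-action: "block"
            forticlient-vuln-scan: "enable"
            forticlient-vuln-scan-compliance-action: "block"
            forticlient-vuln-scan-enforce: "critical"
            forticlient-vuln-scan-enforce-grace: 1  # within the documented 0 - 30 day range
      no_log: true   # keep the password and pre-shared key out of task output and logs
```

Run it with `--ask-vault-pass` or a vault password file so the encrypted variables can be decrypted at run time.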
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description
---|---|---
build (string) | always | Build number of the FortiGate image. Sample: 1547
http_method (string) | always | Last method used to provision the content into FortiGate. Sample: PUT
http_status (string) | always | Last result given by FortiGate on last operation applied. Sample: 200
mkey (string) | success | Master key (id) used in the last call to FortiGate. Sample: id
name (string) | always | Name of the table used to fulfill the request. Sample: urlfilter
path (string) | always | Path of the table used to fulfill the request. Sample: webfilter
revision (string) | always | Internal revision number. Sample: 17.0.2.10658
serial (string) | always | Serial number of the unit. Sample: FGVMEVYYQT3AB5352
status (string) | always | Indication of the operation's result. Sample: success
vdom (string) | always | Virtual domain used. Sample: root
version (string) | always | Version of the FortiGate. Sample: v5.6.3