1#!/usr/bin/python 2from __future__ import (absolute_import, division, print_function) 3# Copyright 2019 Fortinet, Inc. 4# 5# This program is free software: you can redistribute it and/or modify 6# it under the terms of the GNU General Public License as published by 7# the Free Software Foundation, either version 3 of the License, or 8# (at your option) any later version. 9# 10# This program is distributed in the hope that it will be useful, 11# but WITHOUT ANY WARRANTY; without even the implied warranty of 12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13# GNU General Public License for more details. 14# 15# You should have received a copy of the GNU General Public License 16# along with this program. If not, see <https://www.gnu.org/licenses/>. 17 18__metaclass__ = type 19 20ANSIBLE_METADATA = {'status': ['preview'], 21 'supported_by': 'community', 22 'metadata_version': '1.1'} 23 24DOCUMENTATION = ''' 25--- 26module: fortios_system_settings 27short_description: Configure VDOM settings in Fortinet's FortiOS and FortiGate. 28description: 29 - This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the 30 user to set and modify system feature and settings category. 31 Examples include all parameters and values need to be adjusted to datasources before usage. 32 Tested with FOS v6.0.5 33version_added: "2.8" 34author: 35 - Miguel Angel Munoz (@mamunozgonzalez) 36 - Nicolas Thomas (@thomnico) 37notes: 38 - Requires fortiosapi library developed by Fortinet 39 - Run as a local_action in your playbook 40requirements: 41 - fortiosapi>=0.9.8 42options: 43 host: 44 description: 45 - FortiOS or FortiGate IP address. 46 type: str 47 required: false 48 username: 49 description: 50 - FortiOS or FortiGate username. 51 type: str 52 required: false 53 password: 54 description: 55 - FortiOS or FortiGate password. 56 type: str 57 default: "" 58 vdom: 59 description: 60 - Virtual domain, among those defined previously. 
A vdom is a 61 virtual instance of the FortiGate that can be configured and 62 used as a different unit. 63 type: str 64 default: root 65 https: 66 description: 67 - Indicates if the requests towards FortiGate must use HTTPS protocol. 68 type: bool 69 default: true 70 ssl_verify: 71 description: 72 - Ensures FortiGate certificate must be verified by a proper CA. 73 type: bool 74 default: true 75 version_added: 2.9 76 system_settings: 77 description: 78 - Configure VDOM settings. 79 default: null 80 type: dict 81 suboptions: 82 allow_linkdown_path: 83 description: 84 - Enable/disable link down path. 85 type: str 86 choices: 87 - enable 88 - disable 89 allow_subnet_overlap: 90 description: 91 - Enable/disable allowing interface subnets to use overlapping IP addresses. 92 type: str 93 choices: 94 - enable 95 - disable 96 asymroute: 97 description: 98 - Enable/disable IPv4 asymmetric routing. 99 type: str 100 choices: 101 - enable 102 - disable 103 asymroute_icmp: 104 description: 105 - Enable/disable ICMP asymmetric routing. 106 type: str 107 choices: 108 - enable 109 - disable 110 asymroute6: 111 description: 112 - Enable/disable asymmetric IPv6 routing. 113 type: str 114 choices: 115 - enable 116 - disable 117 asymroute6_icmp: 118 description: 119 - Enable/disable asymmetric ICMPv6 routing. 120 type: str 121 choices: 122 - enable 123 - disable 124 bfd: 125 description: 126 - Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. 127 type: str 128 choices: 129 - enable 130 - disable 131 bfd_desired_min_tx: 132 description: 133 - BFD desired minimal transmit interval (1 - 100000 ms). 134 type: int 135 bfd_detect_mult: 136 description: 137 - BFD detection multiplier (1 - 50). 138 type: int 139 bfd_dont_enforce_src_port: 140 description: 141 - Enable to not enforce verifying the source port of BFD Packets. 
142 type: str 143 choices: 144 - enable 145 - disable 146 bfd_required_min_rx: 147 description: 148 - BFD required minimal receive interval (1 - 100000 ms). 149 type: int 150 block_land_attack: 151 description: 152 - Enable/disable blocking of land attacks. 153 type: str 154 choices: 155 - disable 156 - enable 157 central_nat: 158 description: 159 - Enable/disable central NAT. 160 type: str 161 choices: 162 - enable 163 - disable 164 comments: 165 description: 166 - VDOM comments. 167 type: str 168 compliance_check: 169 description: 170 - Enable/disable PCI DSS compliance checking. 171 type: str 172 choices: 173 - enable 174 - disable 175 default_voip_alg_mode: 176 description: 177 - Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile. 178 type: str 179 choices: 180 - proxy-based 181 - kernel-helper-based 182 deny_tcp_with_icmp: 183 description: 184 - Enable/disable denying TCP by sending an ICMP communication prohibited packet. 185 type: str 186 choices: 187 - enable 188 - disable 189 device: 190 description: 191 - Interface to use for management access for NAT mode. Source system.interface.name. 192 type: str 193 dhcp_proxy: 194 description: 195 - Enable/disable the DHCP Proxy. 196 type: str 197 choices: 198 - enable 199 - disable 200 dhcp_server_ip: 201 description: 202 - DHCP Server IPv4 address. 203 type: str 204 dhcp6_server_ip: 205 description: 206 - DHCPv6 server IPv6 address. 207 type: str 208 discovered_device_timeout: 209 description: 210 - Timeout for discovered devices (1 - 365 days). 211 type: int 212 ecmp_max_paths: 213 description: 214 - Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 100). 215 type: int 216 email_portal_check_dns: 217 description: 218 - Enable/disable using DNS to validate email addresses collected by a captive portal. 
                type: str
                choices:
                    - disable
                    - enable
            firewall_session_dirty:
                description:
                    - Select how to manage sessions affected by firewall policy configuration changes.
                type: str
                choices:
                    - check-all
                    - check-new
                    - check-policy-option
            fw_session_hairpin:
                description:
                    - Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
                type: str
                choices:
                    - enable
                    - disable
            gateway:
                description:
                    - Transparent mode IPv4 default gateway IP address.
                type: str
            gateway6:
                description:
                    - Transparent mode IPv6 default gateway IP address.
                type: str
            gui_advanced_policy:
                description:
                    - Enable/disable advanced policy configuration on the GUI.
                type: str
                choices:
                    - enable
                    - disable
            gui_allow_unnamed_policy:
                description:
                    - Enable/disable the requirement for policy naming on the GUI.
                type: str
                choices:
                    - enable
                    - disable
            gui_antivirus:
                description:
                    - Enable/disable AntiVirus on the GUI.
                type: str
                choices:
                    - enable
                    - disable
            gui_ap_profile:
                description:
                    - Enable/disable FortiAP profiles on the GUI.
                type: str
                choices:
                    - enable
                    - disable
            gui_application_control:
                description:
                    - Enable/disable application control on the GUI.
                type: str
                choices:
                    - enable
                    - disable
            gui_default_policy_columns:
                description:
                    - Default columns to display for policy lists on GUI.
                type: list
                suboptions:
                    name:
                        description:
                            - Select column name.
                        required: true
                        type: str
            gui_dhcp_advanced:
                description:
                    - Enable/disable advanced DHCP options on the GUI.
                type: str
                choices:
                    - enable
                    - disable
            gui_dlp:
                description:
                    - Enable/disable DLP on the GUI.
301 type: str 302 choices: 303 - enable 304 - disable 305 gui_dns_database: 306 description: 307 - Enable/disable DNS database settings on the GUI. 308 type: str 309 choices: 310 - enable 311 - disable 312 gui_dnsfilter: 313 description: 314 - Enable/disable DNS Filtering on the GUI. 315 type: str 316 choices: 317 - enable 318 - disable 319 gui_domain_ip_reputation: 320 description: 321 - Enable/disable Domain and IP Reputation on the GUI. 322 type: str 323 choices: 324 - enable 325 - disable 326 gui_dos_policy: 327 description: 328 - Enable/disable DoS policies on the GUI. 329 type: str 330 choices: 331 - enable 332 - disable 333 gui_dynamic_profile_display: 334 description: 335 - Enable/disable RADIUS Single Sign On (RSSO) on the GUI. 336 type: str 337 choices: 338 - enable 339 - disable 340 gui_dynamic_routing: 341 description: 342 - Enable/disable dynamic routing on the GUI. 343 type: str 344 choices: 345 - enable 346 - disable 347 gui_email_collection: 348 description: 349 - Enable/disable email collection on the GUI. 350 type: str 351 choices: 352 - enable 353 - disable 354 gui_endpoint_control: 355 description: 356 - Enable/disable endpoint control on the GUI. 357 type: str 358 choices: 359 - enable 360 - disable 361 gui_endpoint_control_advanced: 362 description: 363 - Enable/disable advanced endpoint control options on the GUI. 364 type: str 365 choices: 366 - enable 367 - disable 368 gui_explicit_proxy: 369 description: 370 - Enable/disable the explicit proxy on the GUI. 371 type: str 372 choices: 373 - enable 374 - disable 375 gui_fortiap_split_tunneling: 376 description: 377 - Enable/disable FortiAP split tunneling on the GUI. 378 type: str 379 choices: 380 - enable 381 - disable 382 gui_fortiextender_controller: 383 description: 384 - Enable/disable FortiExtender on the GUI. 385 type: str 386 choices: 387 - enable 388 - disable 389 gui_icap: 390 description: 391 - Enable/disable ICAP on the GUI. 
392 type: str 393 choices: 394 - enable 395 - disable 396 gui_implicit_policy: 397 description: 398 - Enable/disable implicit firewall policies on the GUI. 399 type: str 400 choices: 401 - enable 402 - disable 403 gui_ips: 404 description: 405 - Enable/disable IPS on the GUI. 406 type: str 407 choices: 408 - enable 409 - disable 410 gui_load_balance: 411 description: 412 - Enable/disable server load balancing on the GUI. 413 type: str 414 choices: 415 - enable 416 - disable 417 gui_local_in_policy: 418 description: 419 - Enable/disable Local-In policies on the GUI. 420 type: str 421 choices: 422 - enable 423 - disable 424 gui_local_reports: 425 description: 426 - Enable/disable local reports on the GUI. 427 type: str 428 choices: 429 - enable 430 - disable 431 gui_multicast_policy: 432 description: 433 - Enable/disable multicast firewall policies on the GUI. 434 type: str 435 choices: 436 - enable 437 - disable 438 gui_multiple_interface_policy: 439 description: 440 - Enable/disable adding multiple interfaces to a policy on the GUI. 441 type: str 442 choices: 443 - enable 444 - disable 445 gui_multiple_utm_profiles: 446 description: 447 - Enable/disable multiple UTM profiles on the GUI. 448 type: str 449 choices: 450 - enable 451 - disable 452 gui_nat46_64: 453 description: 454 - Enable/disable NAT46 and NAT64 settings on the GUI. 455 type: str 456 choices: 457 - enable 458 - disable 459 gui_object_colors: 460 description: 461 - Enable/disable object colors on the GUI. 462 type: str 463 choices: 464 - enable 465 - disable 466 gui_policy_based_ipsec: 467 description: 468 - Enable/disable policy-based IPsec VPN on the GUI. 469 type: str 470 choices: 471 - enable 472 - disable 473 gui_policy_learning: 474 description: 475 - Enable/disable firewall policy learning mode on the GUI. 476 type: str 477 choices: 478 - enable 479 - disable 480 gui_replacement_message_groups: 481 description: 482 - Enable/disable replacement message groups on the GUI. 
483 type: str 484 choices: 485 - enable 486 - disable 487 gui_spamfilter: 488 description: 489 - Enable/disable Antispam on the GUI. 490 type: str 491 choices: 492 - enable 493 - disable 494 gui_sslvpn_personal_bookmarks: 495 description: 496 - Enable/disable SSL-VPN personal bookmark management on the GUI. 497 type: str 498 choices: 499 - enable 500 - disable 501 gui_sslvpn_realms: 502 description: 503 - Enable/disable SSL-VPN realms on the GUI. 504 type: str 505 choices: 506 - enable 507 - disable 508 gui_switch_controller: 509 description: 510 - Enable/disable the switch controller on the GUI. 511 type: str 512 choices: 513 - enable 514 - disable 515 gui_threat_weight: 516 description: 517 - Enable/disable threat weight on the GUI. 518 type: str 519 choices: 520 - enable 521 - disable 522 gui_traffic_shaping: 523 description: 524 - Enable/disable traffic shaping on the GUI. 525 type: str 526 choices: 527 - enable 528 - disable 529 gui_voip_profile: 530 description: 531 - Enable/disable VoIP profiles on the GUI. 532 type: str 533 choices: 534 - enable 535 - disable 536 gui_vpn: 537 description: 538 - Enable/disable VPN tunnels on the GUI. 539 type: str 540 choices: 541 - enable 542 - disable 543 gui_waf_profile: 544 description: 545 - Enable/disable Web Application Firewall on the GUI. 546 type: str 547 choices: 548 - enable 549 - disable 550 gui_wan_load_balancing: 551 description: 552 - Enable/disable SD-WAN on the GUI. 553 type: str 554 choices: 555 - enable 556 - disable 557 gui_wanopt_cache: 558 description: 559 - Enable/disable WAN Optimization and Web Caching on the GUI. 560 type: str 561 choices: 562 - enable 563 - disable 564 gui_webfilter: 565 description: 566 - Enable/disable Web filtering on the GUI. 567 type: str 568 choices: 569 - enable 570 - disable 571 gui_webfilter_advanced: 572 description: 573 - Enable/disable advanced web filtering on the GUI. 
574 type: str 575 choices: 576 - enable 577 - disable 578 gui_wireless_controller: 579 description: 580 - Enable/disable the wireless controller on the GUI. 581 type: str 582 choices: 583 - enable 584 - disable 585 http_external_dest: 586 description: 587 - Offload HTTP traffic to FortiWeb or FortiCache. 588 type: str 589 choices: 590 - fortiweb 591 - forticache 592 ike_dn_format: 593 description: 594 - Configure IKE ASN.1 Distinguished Name format conventions. 595 type: str 596 choices: 597 - with-space 598 - no-space 599 ike_quick_crash_detect: 600 description: 601 - Enable/disable IKE quick crash detection (RFC 6290). 602 type: str 603 choices: 604 - enable 605 - disable 606 ike_session_resume: 607 description: 608 - Enable/disable IKEv2 session resumption (RFC 5723). 609 type: str 610 choices: 611 - enable 612 - disable 613 implicit_allow_dns: 614 description: 615 - Enable/disable implicitly allowing DNS traffic. 616 type: str 617 choices: 618 - enable 619 - disable 620 inspection_mode: 621 description: 622 - Inspection mode (proxy-based or flow-based). 623 type: str 624 choices: 625 - proxy 626 - flow 627 ip: 628 description: 629 - IP address and netmask. 630 type: str 631 ip6: 632 description: 633 - IPv6 address prefix for NAT mode. 634 type: str 635 link_down_access: 636 description: 637 - Enable/disable link down access traffic. 638 type: str 639 choices: 640 - enable 641 - disable 642 lldp_transmission: 643 description: 644 - Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM. 645 type: str 646 choices: 647 - enable 648 - disable 649 - global 650 mac_ttl: 651 description: 652 - Duration of MAC addresses in Transparent mode (300 - 8640000 sec). 653 type: int 654 manageip: 655 description: 656 - Transparent mode IPv4 management IP address and netmask. 657 type: str 658 manageip6: 659 description: 660 - Transparent mode IPv6 management IP address and netmask. 
661 type: str 662 multicast_forward: 663 description: 664 - Enable/disable multicast forwarding. 665 type: str 666 choices: 667 - enable 668 - disable 669 multicast_skip_policy: 670 description: 671 - Enable/disable allowing multicast traffic through the FortiGate without a policy check. 672 type: str 673 choices: 674 - enable 675 - disable 676 multicast_ttl_notchange: 677 description: 678 - Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. 679 type: str 680 choices: 681 - enable 682 - disable 683 ngfw_mode: 684 description: 685 - Next Generation Firewall (NGFW) mode. 686 type: str 687 choices: 688 - profile-based 689 - policy-based 690 opmode: 691 description: 692 - Firewall operation mode (NAT or Transparent). 693 type: str 694 choices: 695 - nat 696 - transparent 697 prp_trailer_action: 698 description: 699 - Enable/disable action to take on PRP trailer. 700 type: str 701 choices: 702 - enable 703 - disable 704 sccp_port: 705 description: 706 - TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535). 707 type: int 708 ses_denied_traffic: 709 description: 710 - Enable/disable including denied session in the session table. 711 type: str 712 choices: 713 - enable 714 - disable 715 sip_helper: 716 description: 717 - Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway 718 (ALG). 719 type: str 720 choices: 721 - enable 722 - disable 723 sip_nat_trace: 724 description: 725 - Enable/disable recording the original SIP source IP address when NAT is used. 726 type: str 727 choices: 728 - enable 729 - disable 730 sip_ssl_port: 731 description: 732 - TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535). 733 type: int 734 sip_tcp_port: 735 description: 736 - TCP port the SIP proxy monitors for SIP traffic (0 - 65535). 737 type: int 738 sip_udp_port: 739 description: 740 - UDP port the SIP proxy monitors for SIP traffic (0 - 65535). 
741 type: int 742 snat_hairpin_traffic: 743 description: 744 - Enable/disable source NAT (SNAT) for hairpin traffic. 745 type: str 746 choices: 747 - enable 748 - disable 749 ssl_ssh_profile: 750 description: 751 - Profile for SSL/SSH inspection. Source firewall.ssl-ssh-profile.name. 752 type: str 753 status: 754 description: 755 - Enable/disable this VDOM. 756 type: str 757 choices: 758 - enable 759 - disable 760 strict_src_check: 761 description: 762 - Enable/disable strict source verification. 763 type: str 764 choices: 765 - enable 766 - disable 767 tcp_session_without_syn: 768 description: 769 - Enable/disable allowing TCP session without SYN flags. 770 type: str 771 choices: 772 - enable 773 - disable 774 utf8_spam_tagging: 775 description: 776 - Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. 777 type: str 778 choices: 779 - enable 780 - disable 781 v4_ecmp_mode: 782 description: 783 - IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. 784 type: str 785 choices: 786 - source-ip-based 787 - weight-based 788 - usage-based 789 - source-dest-ip-based 790 vpn_stats_log: 791 description: 792 - Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. 793 type: str 794 choices: 795 - ipsec 796 - pptp 797 - l2tp 798 - ssl 799 vpn_stats_period: 800 description: 801 - Period to send VPN log statistics (60 - 86400 sec). 802 type: int 803 wccp_cache_engine: 804 description: 805 - Enable/disable WCCP cache engine. 806 type: str 807 choices: 808 - enable 809 - disable 810''' 811 812EXAMPLES = ''' 813- hosts: localhost 814 vars: 815 host: "192.168.122.40" 816 username: "admin" 817 password: "" 818 vdom: "root" 819 ssl_verify: "False" 820 tasks: 821 - name: Configure VDOM settings. 
822 fortios_system_settings: 823 host: "{{ host }}" 824 username: "{{ username }}" 825 password: "{{ password }}" 826 vdom: "{{ vdom }}" 827 https: "False" 828 system_settings: 829 allow_linkdown_path: "enable" 830 allow_subnet_overlap: "enable" 831 asymroute: "enable" 832 asymroute_icmp: "enable" 833 asymroute6: "enable" 834 asymroute6_icmp: "enable" 835 bfd: "enable" 836 bfd_desired_min_tx: "10" 837 bfd_detect_mult: "11" 838 bfd_dont_enforce_src_port: "enable" 839 bfd_required_min_rx: "13" 840 block_land_attack: "disable" 841 central_nat: "enable" 842 comments: "<your_own_value>" 843 compliance_check: "enable" 844 default_voip_alg_mode: "proxy-based" 845 deny_tcp_with_icmp: "enable" 846 device: "<your_own_value> (source system.interface.name)" 847 dhcp_proxy: "enable" 848 dhcp_server_ip: "<your_own_value>" 849 dhcp6_server_ip: "<your_own_value>" 850 discovered_device_timeout: "24" 851 ecmp_max_paths: "25" 852 email_portal_check_dns: "disable" 853 firewall_session_dirty: "check-all" 854 fw_session_hairpin: "enable" 855 gateway: "<your_own_value>" 856 gateway6: "<your_own_value>" 857 gui_advanced_policy: "enable" 858 gui_allow_unnamed_policy: "enable" 859 gui_antivirus: "enable" 860 gui_ap_profile: "enable" 861 gui_application_control: "enable" 862 gui_default_policy_columns: 863 - 864 name: "default_name_37" 865 gui_dhcp_advanced: "enable" 866 gui_dlp: "enable" 867 gui_dns_database: "enable" 868 gui_dnsfilter: "enable" 869 gui_domain_ip_reputation: "enable" 870 gui_dos_policy: "enable" 871 gui_dynamic_profile_display: "enable" 872 gui_dynamic_routing: "enable" 873 gui_email_collection: "enable" 874 gui_endpoint_control: "enable" 875 gui_endpoint_control_advanced: "enable" 876 gui_explicit_proxy: "enable" 877 gui_fortiap_split_tunneling: "enable" 878 gui_fortiextender_controller: "enable" 879 gui_icap: "enable" 880 gui_implicit_policy: "enable" 881 gui_ips: "enable" 882 gui_load_balance: "enable" 883 gui_local_in_policy: "enable" 884 gui_local_reports: "enable" 885 
gui_multicast_policy: "enable" 886 gui_multiple_interface_policy: "enable" 887 gui_multiple_utm_profiles: "enable" 888 gui_nat46_64: "enable" 889 gui_object_colors: "enable" 890 gui_policy_based_ipsec: "enable" 891 gui_policy_learning: "enable" 892 gui_replacement_message_groups: "enable" 893 gui_spamfilter: "enable" 894 gui_sslvpn_personal_bookmarks: "enable" 895 gui_sslvpn_realms: "enable" 896 gui_switch_controller: "enable" 897 gui_threat_weight: "enable" 898 gui_traffic_shaping: "enable" 899 gui_voip_profile: "enable" 900 gui_vpn: "enable" 901 gui_waf_profile: "enable" 902 gui_wan_load_balancing: "enable" 903 gui_wanopt_cache: "enable" 904 gui_webfilter: "enable" 905 gui_webfilter_advanced: "enable" 906 gui_wireless_controller: "enable" 907 http_external_dest: "fortiweb" 908 ike_dn_format: "with-space" 909 ike_quick_crash_detect: "enable" 910 ike_session_resume: "enable" 911 implicit_allow_dns: "enable" 912 inspection_mode: "proxy" 913 ip: "<your_own_value>" 914 ip6: "<your_own_value>" 915 link_down_access: "enable" 916 lldp_transmission: "enable" 917 mac_ttl: "90" 918 manageip: "<your_own_value>" 919 manageip6: "<your_own_value>" 920 multicast_forward: "enable" 921 multicast_skip_policy: "enable" 922 multicast_ttl_notchange: "enable" 923 ngfw_mode: "profile-based" 924 opmode: "nat" 925 prp_trailer_action: "enable" 926 sccp_port: "99" 927 ses_denied_traffic: "enable" 928 sip_helper: "enable" 929 sip_nat_trace: "enable" 930 sip_ssl_port: "103" 931 sip_tcp_port: "104" 932 sip_udp_port: "105" 933 snat_hairpin_traffic: "enable" 934 ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)" 935 status: "enable" 936 strict_src_check: "enable" 937 tcp_session_without_syn: "enable" 938 utf8_spam_tagging: "enable" 939 v4_ecmp_mode: "source-ip-based" 940 vpn_stats_log: "ipsec" 941 vpn_stats_period: "114" 942 wccp_cache_engine: "enable" 943''' 944 945RETURN = ''' 946build: 947 description: Build number of the fortigate image 948 returned: always 949 type: 
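str
  sample: '1547'
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  type: str
  sample: 'PUT'
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  type: str
  sample: "200"
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  type: str
  sample: "id"
name:
  description: Name of the table used to fulfill the request
  returned: always
  type: str
  sample: "urlfilter"
path:
  description: Path of the table used to fulfill the request
  returned: always
  type: str
  sample: "webfilter"
revision:
  description: Internal revision number
  returned: always
  type: str
  sample: "17.0.2.10658"
serial:
  description: Serial number of the unit
  returned: always
  type: str
  sample: "FGVMEVYYQT3AB5352"
status:
  description: Indication of the operation's result
  returned: always
  type: str
  sample: "success"
vdom:
  description: Virtual domain used
  returned: always
  type: str
  sample: "root"
version:
  description: Version of the FortiGate
  returned: always
  type: str
  sample: "v5.6.3"

'''

from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.connection import Connection
from ansible.module_utils.network.fortios.fortios import FortiOSHandler
from ansible.module_utils.network.fortimanager.common import FAIL_SOCKET_MSG


def login(data, fos):
    """Open the fortiosapi session that the later ``fos.set`` call relies on.

    Args:
        data: module parameters; ``host``, ``username``, ``password`` and
            ``ssl_verify`` are read unconditionally, ``https`` only if present.
        fos: the fortiosapi handle to configure and log in.
    """
    host = data['host']
    username = data['username']
    password = data['password']
    ssl_verify = data['ssl_verify']

    fos.debug('on')
    # Plain HTTP is selected only when the caller explicitly passed https=False;
    # a missing key behaves like the documented default (True).
    if 'https' in data and not data['https']:
        fos.https('off')
    else:
        fos.https('on')

    # verify=False skips checking the FortiGate certificate against a CA
    # (see the ssl_verify option); the module default keeps it on.
    fos.login(host, username, password, verify=ssl_verify)


def filter_system_settings_data(json):
    """Return the subset of ``json`` limited to known system.settings keys.

    Keys outside ``option_list`` and keys whose value is None are dropped, so
    unset module parameters are never sent to the device.

    Args:
        json: dict of the ``system_settings`` module parameter.

    Returns:
        A new dict containing only the recognised, non-None entries.
    """
    option_list = ['allow_linkdown_path', 'allow_subnet_overlap', 'asymroute',
                   'asymroute_icmp', 'asymroute6', 'asymroute6_icmp',
                   'bfd', 'bfd_desired_min_tx', 'bfd_detect_mult',
                   'bfd_dont_enforce_src_port', 'bfd_required_min_rx', 'block_land_attack',
                   'central_nat', 'comments', 'compliance_check',
                   'default_voip_alg_mode', 'deny_tcp_with_icmp', 'device',
                   'dhcp_proxy', 'dhcp_server_ip', 'dhcp6_server_ip',
                   'discovered_device_timeout', 'ecmp_max_paths', 'email_portal_check_dns',
                   'firewall_session_dirty', 'fw_session_hairpin', 'gateway',
                   'gateway6', 'gui_advanced_policy', 'gui_allow_unnamed_policy',
                   'gui_antivirus', 'gui_ap_profile', 'gui_application_control',
                   'gui_default_policy_columns', 'gui_dhcp_advanced', 'gui_dlp',
                   'gui_dns_database', 'gui_dnsfilter', 'gui_domain_ip_reputation',
                   'gui_dos_policy', 'gui_dynamic_profile_display', 'gui_dynamic_routing',
                   'gui_email_collection', 'gui_endpoint_control', 'gui_endpoint_control_advanced',
                   'gui_explicit_proxy', 'gui_fortiap_split_tunneling', 'gui_fortiextender_controller',
                   'gui_icap', 'gui_implicit_policy', 'gui_ips',
                   'gui_load_balance', 'gui_local_in_policy', 'gui_local_reports',
                   'gui_multicast_policy', 'gui_multiple_interface_policy', 'gui_multiple_utm_profiles',
                   'gui_nat46_64', 'gui_object_colors', 'gui_policy_based_ipsec',
                   'gui_policy_learning', 'gui_replacement_message_groups', 'gui_spamfilter',
                   'gui_sslvpn_personal_bookmarks', 'gui_sslvpn_realms', 'gui_switch_controller',
                   'gui_threat_weight', 'gui_traffic_shaping', 'gui_voip_profile',
                   'gui_vpn', 'gui_waf_profile', 'gui_wan_load_balancing',
                   'gui_wanopt_cache', 'gui_webfilter', 'gui_webfilter_advanced',
                   'gui_wireless_controller', 'http_external_dest', 'ike_dn_format',
                   'ike_quick_crash_detect', 'ike_session_resume', 'implicit_allow_dns',
                   'inspection_mode', 'ip', 'ip6',
                   'link_down_access', 'lldp_transmission', 'mac_ttl',
                   'manageip', 'manageip6', 'multicast_forward',
                   'multicast_skip_policy', 'multicast_ttl_notchange', 'ngfw_mode',
                   'opmode', 'prp_trailer_action', 'sccp_port',
                   'ses_denied_traffic', 'sip_helper', 'sip_nat_trace',
                   'sip_ssl_port', 'sip_tcp_port', 'sip_udp_port',
                   'snat_hairpin_traffic', 'ssl_ssh_profile', 'status',
                   'strict_src_check', 'tcp_session_without_syn', 'utf8_spam_tagging',
                   'v4_ecmp_mode', 'vpn_stats_log', 'vpn_stats_period',
                   'wccp_cache_engine']

    return dict((attribute, json[attribute])
                for attribute in option_list
                if attribute in json and json[attribute] is not None)


def underscore_to_hyphen(data):
    """Recursively rewrite dict keys from ``snake_case`` to the hyphenated form used by the API.

    Lists are converted element by element so that dicts nested in a list
    (for example the entries of ``gui_default_policy_columns``) are rewritten
    too. The previous version rebound the loop variable instead of storing the
    converted element, which left list contents untouched.

    Args:
        data: a list, a dict or a scalar.

    Returns:
        A converted copy for lists and dicts; scalars are returned unchanged.
    """
    if isinstance(data, list):
        return [underscore_to_hyphen(elem) for elem in data]
    if isinstance(data, dict):
        return dict((key.replace('_', '-'), underscore_to_hyphen(value))
                    for key, value in data.items())
    return data


def system_settings(data, fos):
    """Push the ``system_settings`` parameter to ``system/settings`` of the given vdom.

    Args:
        data: module parameters holding ``vdom`` and ``system_settings``.
        fos: logged-in fortiosapi handle.

    Returns:
        Whatever ``fos.set`` returns for the request.
    """
    vdom = data['vdom']
    system_settings_data = data['system_settings']
    # Drop unset keys first, then rename the remaining keys for the API.
    filtered_data = underscore_to_hyphen(filter_system_settings_data(system_settings_data))

    return fos.set('system',
                   'settings',
                   data=filtered_data,
                   vdom=vdom)


def is_successful_status(status):
    """Return True when the device reported success.

    A DELETE answered with HTTP 404 also counts as success (the object was
    already absent). Parentheses make the intended ``or``/``and`` grouping
    explicit; the evaluation is unchanged.
    """
    return (status['status'] == "success" or
            (status['http_method'] == "DELETE" and status['http_status'] == 404))


def fortios_system(data, fos):
    """Dispatch the ``system`` category: apply ``system_settings`` if it was supplied.

    Args:
        data: module parameters.
        fos: logged-in fortiosapi handle.

    Returns:
        ``(is_error, changed, resp)``. When ``system_settings`` is empty or
        None nothing is sent and ``(False, False, {})`` is returned; the
        previous version fell through to the return statement with ``resp``
        unbound and raised UnboundLocalError.
    """
    if not data['system_settings']:
        return False, False, {}

    resp = system_settings(data, fos)

    return (not is_successful_status(resp),
            resp['status'] == "success",
            resp)


def main():
    """Ansible module entry point; declares the argument spec first."""
    fields = {
        "host": {"required": False, "type": "str"},
        "username": {"required": False, "type": "str"},
        "password": {"required": False, "type": "str", "default": "", "no_log": True},
        "vdom": {"required": False, "type": "str", "default": "root"},
        "https": 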
{"required": False, "type": "bool", "default": True}, 1119 "ssl_verify": {"required": False, "type": "bool", "default": True}, 1120 "system_settings": { 1121 "required": False, "type": "dict", "default": None, 1122 "options": { 1123 "allow_linkdown_path": {"required": False, "type": "str", 1124 "choices": ["enable", "disable"]}, 1125 "allow_subnet_overlap": {"required": False, "type": "str", 1126 "choices": ["enable", "disable"]}, 1127 "asymroute": {"required": False, "type": "str", 1128 "choices": ["enable", "disable"]}, 1129 "asymroute_icmp": {"required": False, "type": "str", 1130 "choices": ["enable", "disable"]}, 1131 "asymroute6": {"required": False, "type": "str", 1132 "choices": ["enable", "disable"]}, 1133 "asymroute6_icmp": {"required": False, "type": "str", 1134 "choices": ["enable", "disable"]}, 1135 "bfd": {"required": False, "type": "str", 1136 "choices": ["enable", "disable"]}, 1137 "bfd_desired_min_tx": {"required": False, "type": "int"}, 1138 "bfd_detect_mult": {"required": False, "type": "int"}, 1139 "bfd_dont_enforce_src_port": {"required": False, "type": "str", 1140 "choices": ["enable", "disable"]}, 1141 "bfd_required_min_rx": {"required": False, "type": "int"}, 1142 "block_land_attack": {"required": False, "type": "str", 1143 "choices": ["disable", "enable"]}, 1144 "central_nat": {"required": False, "type": "str", 1145 "choices": ["enable", "disable"]}, 1146 "comments": {"required": False, "type": "str"}, 1147 "compliance_check": {"required": False, "type": "str", 1148 "choices": ["enable", "disable"]}, 1149 "default_voip_alg_mode": {"required": False, "type": "str", 1150 "choices": ["proxy-based", "kernel-helper-based"]}, 1151 "deny_tcp_with_icmp": {"required": False, "type": "str", 1152 "choices": ["enable", "disable"]}, 1153 "device": {"required": False, "type": "str"}, 1154 "dhcp_proxy": {"required": False, "type": "str", 1155 "choices": ["enable", "disable"]}, 1156 "dhcp_server_ip": {"required": False, "type": "str"}, 1157 
"dhcp6_server_ip": {"required": False, "type": "str"}, 1158 "discovered_device_timeout": {"required": False, "type": "int"}, 1159 "ecmp_max_paths": {"required": False, "type": "int"}, 1160 "email_portal_check_dns": {"required": False, "type": "str", 1161 "choices": ["disable", "enable"]}, 1162 "firewall_session_dirty": {"required": False, "type": "str", 1163 "choices": ["check-all", "check-new", "check-policy-option"]}, 1164 "fw_session_hairpin": {"required": False, "type": "str", 1165 "choices": ["enable", "disable"]}, 1166 "gateway": {"required": False, "type": "str"}, 1167 "gateway6": {"required": False, "type": "str"}, 1168 "gui_advanced_policy": {"required": False, "type": "str", 1169 "choices": ["enable", "disable"]}, 1170 "gui_allow_unnamed_policy": {"required": False, "type": "str", 1171 "choices": ["enable", "disable"]}, 1172 "gui_antivirus": {"required": False, "type": "str", 1173 "choices": ["enable", "disable"]}, 1174 "gui_ap_profile": {"required": False, "type": "str", 1175 "choices": ["enable", "disable"]}, 1176 "gui_application_control": {"required": False, "type": "str", 1177 "choices": ["enable", "disable"]}, 1178 "gui_default_policy_columns": {"required": False, "type": "list", 1179 "options": { 1180 "name": {"required": True, "type": "str"} 1181 }}, 1182 "gui_dhcp_advanced": {"required": False, "type": "str", 1183 "choices": ["enable", "disable"]}, 1184 "gui_dlp": {"required": False, "type": "str", 1185 "choices": ["enable", "disable"]}, 1186 "gui_dns_database": {"required": False, "type": "str", 1187 "choices": ["enable", "disable"]}, 1188 "gui_dnsfilter": {"required": False, "type": "str", 1189 "choices": ["enable", "disable"]}, 1190 "gui_domain_ip_reputation": {"required": False, "type": "str", 1191 "choices": ["enable", "disable"]}, 1192 "gui_dos_policy": {"required": False, "type": "str", 1193 "choices": ["enable", "disable"]}, 1194 "gui_dynamic_profile_display": {"required": False, "type": "str", 1195 "choices": ["enable", "disable"]}, 1196 
"gui_dynamic_routing": {"required": False, "type": "str", 1197 "choices": ["enable", "disable"]}, 1198 "gui_email_collection": {"required": False, "type": "str", 1199 "choices": ["enable", "disable"]}, 1200 "gui_endpoint_control": {"required": False, "type": "str", 1201 "choices": ["enable", "disable"]}, 1202 "gui_endpoint_control_advanced": {"required": False, "type": "str", 1203 "choices": ["enable", "disable"]}, 1204 "gui_explicit_proxy": {"required": False, "type": "str", 1205 "choices": ["enable", "disable"]}, 1206 "gui_fortiap_split_tunneling": {"required": False, "type": "str", 1207 "choices": ["enable", "disable"]}, 1208 "gui_fortiextender_controller": {"required": False, "type": "str", 1209 "choices": ["enable", "disable"]}, 1210 "gui_icap": {"required": False, "type": "str", 1211 "choices": ["enable", "disable"]}, 1212 "gui_implicit_policy": {"required": False, "type": "str", 1213 "choices": ["enable", "disable"]}, 1214 "gui_ips": {"required": False, "type": "str", 1215 "choices": ["enable", "disable"]}, 1216 "gui_load_balance": {"required": False, "type": "str", 1217 "choices": ["enable", "disable"]}, 1218 "gui_local_in_policy": {"required": False, "type": "str", 1219 "choices": ["enable", "disable"]}, 1220 "gui_local_reports": {"required": False, "type": "str", 1221 "choices": ["enable", "disable"]}, 1222 "gui_multicast_policy": {"required": False, "type": "str", 1223 "choices": ["enable", "disable"]}, 1224 "gui_multiple_interface_policy": {"required": False, "type": "str", 1225 "choices": ["enable", "disable"]}, 1226 "gui_multiple_utm_profiles": {"required": False, "type": "str", 1227 "choices": ["enable", "disable"]}, 1228 "gui_nat46_64": {"required": False, "type": "str", 1229 "choices": ["enable", "disable"]}, 1230 "gui_object_colors": {"required": False, "type": "str", 1231 "choices": ["enable", "disable"]}, 1232 "gui_policy_based_ipsec": {"required": False, "type": "str", 1233 "choices": ["enable", "disable"]}, 1234 "gui_policy_learning": 
{"required": False, "type": "str", 1235 "choices": ["enable", "disable"]}, 1236 "gui_replacement_message_groups": {"required": False, "type": "str", 1237 "choices": ["enable", "disable"]}, 1238 "gui_spamfilter": {"required": False, "type": "str", 1239 "choices": ["enable", "disable"]}, 1240 "gui_sslvpn_personal_bookmarks": {"required": False, "type": "str", 1241 "choices": ["enable", "disable"]}, 1242 "gui_sslvpn_realms": {"required": False, "type": "str", 1243 "choices": ["enable", "disable"]}, 1244 "gui_switch_controller": {"required": False, "type": "str", 1245 "choices": ["enable", "disable"]}, 1246 "gui_threat_weight": {"required": False, "type": "str", 1247 "choices": ["enable", "disable"]}, 1248 "gui_traffic_shaping": {"required": False, "type": "str", 1249 "choices": ["enable", "disable"]}, 1250 "gui_voip_profile": {"required": False, "type": "str", 1251 "choices": ["enable", "disable"]}, 1252 "gui_vpn": {"required": False, "type": "str", 1253 "choices": ["enable", "disable"]}, 1254 "gui_waf_profile": {"required": False, "type": "str", 1255 "choices": ["enable", "disable"]}, 1256 "gui_wan_load_balancing": {"required": False, "type": "str", 1257 "choices": ["enable", "disable"]}, 1258 "gui_wanopt_cache": {"required": False, "type": "str", 1259 "choices": ["enable", "disable"]}, 1260 "gui_webfilter": {"required": False, "type": "str", 1261 "choices": ["enable", "disable"]}, 1262 "gui_webfilter_advanced": {"required": False, "type": "str", 1263 "choices": ["enable", "disable"]}, 1264 "gui_wireless_controller": {"required": False, "type": "str", 1265 "choices": ["enable", "disable"]}, 1266 "http_external_dest": {"required": False, "type": "str", 1267 "choices": ["fortiweb", "forticache"]}, 1268 "ike_dn_format": {"required": False, "type": "str", 1269 "choices": ["with-space", "no-space"]}, 1270 "ike_quick_crash_detect": {"required": False, "type": "str", 1271 "choices": ["enable", "disable"]}, 1272 "ike_session_resume": {"required": False, "type": "str", 1273 
"choices": ["enable", "disable"]}, 1274 "implicit_allow_dns": {"required": False, "type": "str", 1275 "choices": ["enable", "disable"]}, 1276 "inspection_mode": {"required": False, "type": "str", 1277 "choices": ["proxy", "flow"]}, 1278 "ip": {"required": False, "type": "str"}, 1279 "ip6": {"required": False, "type": "str"}, 1280 "link_down_access": {"required": False, "type": "str", 1281 "choices": ["enable", "disable"]}, 1282 "lldp_transmission": {"required": False, "type": "str", 1283 "choices": ["enable", "disable", "global"]}, 1284 "mac_ttl": {"required": False, "type": "int"}, 1285 "manageip": {"required": False, "type": "str"}, 1286 "manageip6": {"required": False, "type": "str"}, 1287 "multicast_forward": {"required": False, "type": "str", 1288 "choices": ["enable", "disable"]}, 1289 "multicast_skip_policy": {"required": False, "type": "str", 1290 "choices": ["enable", "disable"]}, 1291 "multicast_ttl_notchange": {"required": False, "type": "str", 1292 "choices": ["enable", "disable"]}, 1293 "ngfw_mode": {"required": False, "type": "str", 1294 "choices": ["profile-based", "policy-based"]}, 1295 "opmode": {"required": False, "type": "str", 1296 "choices": ["nat", "transparent"]}, 1297 "prp_trailer_action": {"required": False, "type": "str", 1298 "choices": ["enable", "disable"]}, 1299 "sccp_port": {"required": False, "type": "int"}, 1300 "ses_denied_traffic": {"required": False, "type": "str", 1301 "choices": ["enable", "disable"]}, 1302 "sip_helper": {"required": False, "type": "str", 1303 "choices": ["enable", "disable"]}, 1304 "sip_nat_trace": {"required": False, "type": "str", 1305 "choices": ["enable", "disable"]}, 1306 "sip_ssl_port": {"required": False, "type": "int"}, 1307 "sip_tcp_port": {"required": False, "type": "int"}, 1308 "sip_udp_port": {"required": False, "type": "int"}, 1309 "snat_hairpin_traffic": {"required": False, "type": "str", 1310 "choices": ["enable", "disable"]}, 1311 "ssl_ssh_profile": {"required": False, "type": "str"}, 1312 
"status": {"required": False, "type": "str", 1313 "choices": ["enable", "disable"]}, 1314 "strict_src_check": {"required": False, "type": "str", 1315 "choices": ["enable", "disable"]}, 1316 "tcp_session_without_syn": {"required": False, "type": "str", 1317 "choices": ["enable", "disable"]}, 1318 "utf8_spam_tagging": {"required": False, "type": "str", 1319 "choices": ["enable", "disable"]}, 1320 "v4_ecmp_mode": {"required": False, "type": "str", 1321 "choices": ["source-ip-based", "weight-based", "usage-based", 1322 "source-dest-ip-based"]}, 1323 "vpn_stats_log": {"required": False, "type": "str", 1324 "choices": ["ipsec", "pptp", "l2tp", 1325 "ssl"]}, 1326 "vpn_stats_period": {"required": False, "type": "int"}, 1327 "wccp_cache_engine": {"required": False, "type": "str", 1328 "choices": ["enable", "disable"]} 1329 1330 } 1331 } 1332 } 1333 1334 module = AnsibleModule(argument_spec=fields, 1335 supports_check_mode=False) 1336 1337 # legacy_mode refers to using fortiosapi instead of HTTPAPI 1338 legacy_mode = 'host' in module.params and module.params['host'] is not None and \ 1339 'username' in module.params and module.params['username'] is not None and \ 1340 'password' in module.params and module.params['password'] is not None 1341 1342 if not legacy_mode: 1343 if module._socket_path: 1344 connection = Connection(module._socket_path) 1345 fos = FortiOSHandler(connection) 1346 1347 is_error, has_changed, result = fortios_system(module.params, fos) 1348 else: 1349 module.fail_json(**FAIL_SOCKET_MSG) 1350 else: 1351 try: 1352 from fortiosapi import FortiOSAPI 1353 except ImportError: 1354 module.fail_json(msg="fortiosapi module is required") 1355 1356 fos = FortiOSAPI() 1357 1358 login(module.params, fos) 1359 is_error, has_changed, result = fortios_system(module.params, fos) 1360 fos.logout() 1361 1362 if not is_error: 1363 module.exit_json(changed=has_changed, meta=result) 1364 else: 1365 module.fail_json(msg="Error in repo", meta=result) 1366 1367 1368if __name__ 
== '__main__': 1369 main() 1370