1#!/usr/bin/python 2from __future__ import (absolute_import, division, print_function) 3# Copyright 2019 Fortinet, Inc. 4# 5# This program is free software: you can redistribute it and/or modify 6# it under the terms of the GNU General Public License as published by 7# the Free Software Foundation, either version 3 of the License, or 8# (at your option) any later version. 9# 10# This program is distributed in the hope that it will be useful, 11# but WITHOUT ANY WARRANTY; without even the implied warranty of 12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13# GNU General Public License for more details. 14# 15# You should have received a copy of the GNU General Public License 16# along with this program. If not, see <https://www.gnu.org/licenses/>. 17 18__metaclass__ = type 19 20ANSIBLE_METADATA = {'status': ['preview'], 21 'supported_by': 'community', 22 'metadata_version': '1.1'} 23 24DOCUMENTATION = ''' 25--- 26module: fortios_firewall_proxy_policy 27short_description: Configure proxy policies in Fortinet's FortiOS and FortiGate. 28description: 29 - This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the 30 user to set and modify firewall feature and proxy_policy category. 31 Examples include all parameters and values need to be adjusted to datasources before usage. 32 Tested with FOS v6.0.5 33version_added: "2.8" 34author: 35 - Miguel Angel Munoz (@mamunozgonzalez) 36 - Nicolas Thomas (@thomnico) 37notes: 38 - Requires fortiosapi library developed by Fortinet 39 - Run as a local_action in your playbook 40requirements: 41 - fortiosapi>=0.9.8 42options: 43 host: 44 description: 45 - FortiOS or FortiGate IP address. 46 type: str 47 required: false 48 username: 49 description: 50 - FortiOS or FortiGate username. 51 type: str 52 required: false 53 password: 54 description: 55 - FortiOS or FortiGate password. 56 type: str 57 default: "" 58 vdom: 59 description: 60 - Virtual domain, among those defined previously. A vdom is a 61 virtual instance of the FortiGate that can be configured and 62 used as a different unit. 63 type: str 64 default: root 65 https: 66 description: 67 - Indicates if the requests towards FortiGate must use HTTPS protocol. 68 type: bool 69 default: true 70 ssl_verify: 71 description: 72 - Ensures FortiGate certificate must be verified by a proper CA. 73 type: bool 74 default: true 75 version_added: 2.9 76 state: 77 description: 78 - Indicates whether to create or remove the object. 79 This attribute was present already in previous version in a deeper level. 80 It has been moved out to this outer level. 81 type: str 82 required: false 83 choices: 84 - present 85 - absent 86 version_added: 2.9 87 firewall_proxy_policy: 88 description: 89 - Configure proxy policies. 90 default: null 91 type: dict 92 suboptions: 93 state: 94 description: 95 - B(Deprecated) 96 - Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. 97 - HORIZONTALLINE 98 - Indicates whether to create or remove the object. 99 type: str 100 required: false 101 choices: 102 - present 103 - absent 104 action: 105 description: 106 - Accept or deny traffic matching the policy parameters. 107 type: str 108 choices: 109 - accept 110 - deny 111 - redirect 112 application_list: 113 description: 114 - Name of an existing Application list. Source application.list.name. 115 type: str 116 av_profile: 117 description: 118 - Name of an existing Antivirus profile. Source antivirus.profile.name. 119 type: str 120 comments: 121 description: 122 - Optional comments. 123 type: str 124 disclaimer: 125 description: 126 - "Web proxy disclaimer setting: by domain, policy, or user." 127 type: str 128 choices: 129 - disable 130 - domain 131 - policy 132 - user 133 dlp_sensor: 134 description: 135 - Name of an existing DLP sensor. Source dlp.sensor.name. 136 type: str 137 dstaddr: 138 description: 139 - Destination address objects. 140 type: list 141 suboptions: 142 name: 143 description: 144 - Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name 145 firewall.vip.name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name. 146 required: true 147 type: str 148 dstaddr_negate: 149 description: 150 - When enabled, destination addresses match against any address EXCEPT the specified destination addresses. 151 type: str 152 choices: 153 - enable 154 - disable 155 dstaddr6: 156 description: 157 - IPv6 destination address objects. 158 type: list 159 suboptions: 160 name: 161 description: 162 - Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name 163 firewall.vipgrp64.name system.external-resource.name. 164 required: true 165 type: str 166 dstintf: 167 description: 168 - Destination interface names. 169 type: list 170 suboptions: 171 name: 172 description: 173 - Interface name. Source system.interface.name system.zone.name. 174 required: true 175 type: str 176 global_label: 177 description: 178 - Global web-based manager visible label. 179 type: str 180 groups: 181 description: 182 - Names of group objects. 183 type: list 184 suboptions: 185 name: 186 description: 187 - Group name. Source user.group.name. 188 required: true 189 type: str 190 http_tunnel_auth: 191 description: 192 - Enable/disable HTTP tunnel authentication. 193 type: str 194 choices: 195 - enable 196 - disable 197 icap_profile: 198 description: 199 - Name of an existing ICAP profile. Source icap.profile.name. 200 type: str 201 internet_service: 202 description: 203 - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. 204 type: str 205 choices: 206 - enable 207 - disable 208 internet_service_custom: 209 description: 210 - Custom Internet Service name. 211 type: list 212 suboptions: 213 name: 214 description: 215 - Custom name. Source firewall.internet-service-custom.name. 216 required: true 217 type: str 218 internet_service_id: 219 description: 220 - Internet Service ID. 221 type: list 222 suboptions: 223 id: 224 description: 225 - Internet Service ID. Source firewall.internet-service.id. 226 required: true 227 type: int 228 internet_service_negate: 229 description: 230 - When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service. 231 type: str 232 choices: 233 - enable 234 - disable 235 ips_sensor: 236 description: 237 - Name of an existing IPS sensor. Source ips.sensor.name. 238 type: str 239 label: 240 description: 241 - VDOM-specific GUI visible label. 242 type: str 243 logtraffic: 244 description: 245 - Enable/disable logging traffic through the policy. 246 type: str 247 choices: 248 - all 249 - utm 250 - disable 251 logtraffic_start: 252 description: 253 - Enable/disable policy log traffic start. 254 type: str 255 choices: 256 - enable 257 - disable 258 policyid: 259 description: 260 - Policy ID. 261 required: true 262 type: int 263 poolname: 264 description: 265 - Name of IP pool object. 266 type: list 267 suboptions: 268 name: 269 description: 270 - IP pool name. Source firewall.ippool.name. 271 required: true 272 type: str 273 profile_group: 274 description: 275 - Name of profile group. Source firewall.profile-group.name. 276 type: str 277 profile_protocol_options: 278 description: 279 - Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name. 280 type: str 281 profile_type: 282 description: 283 - Determine whether the firewall policy allows security profile groups or single profiles only. 284 type: str 285 choices: 286 - single 287 - group 288 proxy: 289 description: 290 - Type of explicit proxy. 291 type: str 292 choices: 293 - explicit-web 294 - transparent-web 295 - ftp 296 - ssh 297 - ssh-tunnel 298 - wanopt 299 redirect_url: 300 description: 301 - Redirect URL for further explicit web proxy processing. 302 type: str 303 replacemsg_override_group: 304 description: 305 - Authentication replacement message override group. Source system.replacemsg-group.name. 306 type: str 307 scan_botnet_connections: 308 description: 309 - Enable/disable scanning of connections to Botnet servers. 310 type: str 311 choices: 312 - disable 313 - block 314 - monitor 315 schedule: 316 description: 317 - Name of schedule object. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name. 318 type: str 319 service: 320 description: 321 - Name of service objects. 322 type: list 323 suboptions: 324 name: 325 description: 326 - Service name. Source firewall.service.custom.name firewall.service.group.name. 327 required: true 328 type: str 329 service_negate: 330 description: 331 - When enabled, services match against any service EXCEPT the specified destination services. 332 type: str 333 choices: 334 - enable 335 - disable 336 session_ttl: 337 description: 338 - TTL in seconds for sessions accepted by this policy (0 means use the system ). 339 type: int 340 spamfilter_profile: 341 description: 342 - Name of an existing Spam filter profile. Source spamfilter.profile.name. 343 type: str 344 srcaddr: 345 description: 346 - Source address objects. 347 type: list 348 suboptions: 349 name: 350 description: 351 - Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system 352 .external-resource.name. 353 required: true 354 type: str 355 srcaddr_negate: 356 description: 357 - When enabled, source addresses match against any address EXCEPT the specified source addresses. 358 type: str 359 choices: 360 - enable 361 - disable 362 srcaddr6: 363 description: 364 - IPv6 source address objects. 365 type: list 366 suboptions: 367 name: 368 description: 369 - Address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name. 370 required: true 371 type: str 372 srcintf: 373 description: 374 - Source interface names. 375 type: list 376 suboptions: 377 name: 378 description: 379 - Interface name. Source system.interface.name system.zone.name. 380 required: true 381 type: str 382 ssh_filter_profile: 383 description: 384 - Name of an existing SSH filter profile. Source ssh-filter.profile.name. 385 type: str 386 ssl_ssh_profile: 387 description: 388 - Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name. 389 type: str 390 status: 391 description: 392 - Enable/disable the active status of the policy. 393 type: str 394 choices: 395 - enable 396 - disable 397 transparent: 398 description: 399 - Enable to use the IP address of the client to connect to the server. 400 type: str 401 choices: 402 - enable 403 - disable 404 users: 405 description: 406 - Names of user objects. 407 type: list 408 suboptions: 409 name: 410 description: 411 - Group name. Source user.local.name. 412 required: true 413 type: str 414 utm_status: 415 description: 416 - Enable the use of UTM profiles/sensors/lists. 417 type: str 418 choices: 419 - enable 420 - disable 421 uuid: 422 description: 423 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset). 424 type: str 425 waf_profile: 426 description: 427 - Name of an existing Web application firewall profile. Source waf.profile.name. 428 type: str 429 webcache: 430 description: 431 - Enable/disable web caching. 432 type: str 433 choices: 434 - enable 435 - disable 436 webcache_https: 437 description: 438 - Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile). 439 type: str 440 choices: 441 - disable 442 - enable 443 webfilter_profile: 444 description: 445 - Name of an existing Web filter profile. Source webfilter.profile.name. 446 type: str 447 webproxy_forward_server: 448 description: 449 - Name of web proxy forward server. Source web-proxy.forward-server.name web-proxy.forward-server-group.name. 450 type: str 451 webproxy_profile: 452 description: 453 - Name of web proxy profile. Source web-proxy.profile.name. 454 type: str 455''' 456 457EXAMPLES = ''' 458- hosts: localhost 459 vars: 460 host: "192.168.122.40" 461 username: "admin" 462 password: "" 463 vdom: "root" 464 ssl_verify: "False" 465 tasks: 466 - name: Configure proxy policies. 467 fortios_firewall_proxy_policy: 468 host: "{{ host }}" 469 username: "{{ username }}" 470 password: "{{ password }}" 471 vdom: "{{ vdom }}" 472 https: "False" 473 state: "present" 474 firewall_proxy_policy: 475 action: "accept" 476 application_list: "<your_own_value> (source application.list.name)" 477 av_profile: "<your_own_value> (source antivirus.profile.name)" 478 comments: "<your_own_value>" 479 disclaimer: "disable" 480 dlp_sensor: "<your_own_value> (source dlp.sensor.name)" 481 dstaddr: 482 - 483 name: "default_name_10 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip 484 .name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name)" 485 dstaddr_negate: "enable" 486 dstaddr6: 487 - 488 name: "default_name_13 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name firewall 489 .vipgrp64.name system.external-resource.name)" 490 dstintf: 491 - 492 name: "default_name_15 (source system.interface.name system.zone.name)" 493 global_label: "<your_own_value>" 494 groups: 495 - 496 name: "default_name_18 (source user.group.name)" 497 http_tunnel_auth: "enable" 498 icap_profile: "<your_own_value> (source icap.profile.name)" 499 internet_service: "enable" 500 internet_service_custom: 501 - 502 name: "default_name_23 (source firewall.internet-service-custom.name)" 503 internet_service_id: 504 - 505 id: "25 (source firewall.internet-service.id)" 506 internet_service_negate: "enable" 507 ips_sensor: "<your_own_value> (source ips.sensor.name)" 508 label: "<your_own_value>" 509 logtraffic: "all" 510 logtraffic_start: "enable" 511 policyid: "31" 512 poolname: 513 - 514 name: "default_name_33 (source firewall.ippool.name)" 515 profile_group: "<your_own_value> (source firewall.profile-group.name)" 516 profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)" 517 profile_type: "single" 518 proxy: "explicit-web" 519 redirect_url: "<your_own_value>" 520 replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)" 521 scan_botnet_connections: "disable" 522 schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)" 523 service: 524 - 525 name: "default_name_43 (source firewall.service.custom.name firewall.service.group.name)" 526 service_negate: "enable" 527 session_ttl: "45" 528 spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)" 529 srcaddr: 530 - 531 name: "default_name_48 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system 532 .external-resource.name)" 533 srcaddr_negate: "enable" 534 srcaddr6: 535 - 536 name: "default_name_51 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)" 537 srcintf: 538 - 539 name: "default_name_53 (source system.interface.name system.zone.name)" 540 ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)" 541 ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)" 542 status: "enable" 543 transparent: "enable" 544 users: 545 - 546 name: "default_name_59 (source user.local.name)" 547 utm_status: "enable" 548 uuid: "<your_own_value>" 549 waf_profile: "<your_own_value> (source waf.profile.name)" 550 webcache: "enable" 551 webcache_https: "disable" 552 webfilter_profile: "<your_own_value> (source webfilter.profile.name)" 553 webproxy_forward_server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)" 554 webproxy_profile: "<your_own_value> (source web-proxy.profile.name)" 555''' 556 557RETURN = ''' 558build: 559 description: Build number of the fortigate image 560 returned: always 561 type: str 562 sample: '1547' 563http_method: 564 description: Last method used to provision the content into FortiGate 565 returned: always 566 type: str 567 sample: 'PUT' 568http_status: 569 description: Last result given by FortiGate on last operation applied 570 returned: always 571 type: str 572 sample: "200" 573mkey: 574 description: Master key (id) used in the last call to FortiGate 575 returned: success 576 type: str 577 sample: "id" 578name: 579 description: Name of the table used to fulfill the request 580 returned: always 581 type: str 582 sample: "urlfilter" 583path: 584 description: Path of the table used to fulfill the request 585 returned: always 586 type: str 587 sample: "webfilter" 588revision: 589 description: Internal revision number 590 returned: always 591 type: str 592 sample: "17.0.2.10658" 593serial: 594 description: Serial number of the unit 595 returned: always 596 type: str 597 sample: "FGVMEVYYQT3AB5352" 598status: 599 description: Indication of the operation's result 600 returned: always 601 type: str 602 sample: "success" 603vdom: 604 description: Virtual domain used 605 returned: always 606 type: str 607 sample: "root" 608version: 609 description: Version of the FortiGate 610 returned: always 611 type: str 612 sample: "v5.6.3" 613 614''' 615 616from ansible.module_utils.basic import AnsibleModule 617from ansible.module_utils.connection import Connection 618from ansible.module_utils.network.fortios.fortios import FortiOSHandler 619from ansible.module_utils.network.fortimanager.common import FAIL_SOCKET_MSG 620 621 622def login(data, fos): 623 host = data['host'] 624 username = data['username'] 625 password = data['password'] 626 ssl_verify = data['ssl_verify'] 627 628 fos.debug('on') 629 if 'https' in data and not data['https']: 630 fos.https('off') 631 else: 632 fos.https('on') 633 634 fos.login(host, username, password, verify=ssl_verify) 635 636 637def filter_firewall_proxy_policy_data(json): 638 option_list = ['action', 'application_list', 'av_profile', 639 'comments', 'disclaimer', 'dlp_sensor', 640 'dstaddr', 'dstaddr_negate', 'dstaddr6', 641 'dstintf', 'global_label', 'groups', 642 'http_tunnel_auth', 'icap_profile', 'internet_service', 643 'internet_service_custom', 'internet_service_id', 'internet_service_negate', 644 'ips_sensor', 'label', 'logtraffic', 645 'logtraffic_start', 'policyid', 'poolname', 646 'profile_group', 'profile_protocol_options', 'profile_type', 647 'proxy', 'redirect_url', 'replacemsg_override_group', 648 'scan_botnet_connections', 'schedule', 'service', 649 'service_negate', 'session_ttl', 'spamfilter_profile', 650 'srcaddr', 'srcaddr_negate', 'srcaddr6', 651 'srcintf', 'ssh_filter_profile', 'ssl_ssh_profile', 652 'status', 'transparent', 'users', 653 'utm_status', 'uuid', 'waf_profile', 654 'webcache', 'webcache_https', 'webfilter_profile', 655 'webproxy_forward_server', 'webproxy_profile'] 656 dictionary = {} 657 658 for attribute in option_list: 659 if attribute in json and json[attribute] is not None: 660 dictionary[attribute] = json[attribute] 661 662 return dictionary 663 664 665def underscore_to_hyphen(data): 666 if isinstance(data, list): 667 for elem in data: 668 elem = underscore_to_hyphen(elem) 669 elif isinstance(data, dict): 670 new_data = {} 671 for k, v in data.items(): 672 new_data[k.replace('_', '-')] = underscore_to_hyphen(v) 673 data = new_data 674 675 return data 676 677 678def firewall_proxy_policy(data, fos): 679 vdom = data['vdom'] 680 if 'state' in data and data['state']: 681 state = data['state'] 682 elif 'state' in data['firewall_proxy_policy'] and data['firewall_proxy_policy']: 683 state = data['firewall_proxy_policy']['state'] 684 else: 685 state = True 686 firewall_proxy_policy_data = data['firewall_proxy_policy'] 687 filtered_data = underscore_to_hyphen(filter_firewall_proxy_policy_data(firewall_proxy_policy_data)) 688 689 if state == "present": 690 return fos.set('firewall', 691 'proxy-policy', 692 data=filtered_data, 693 vdom=vdom) 694 695 elif state == "absent": 696 return fos.delete('firewall', 697 'proxy-policy', 698 mkey=filtered_data['policyid'], 699 vdom=vdom) 700 701 702def is_successful_status(status): 703 return status['status'] == "success" or \ 704 status['http_method'] == "DELETE" and status['http_status'] == 404 705 706 707def fortios_firewall(data, fos): 708 709 if data['firewall_proxy_policy']: 710 resp = firewall_proxy_policy(data, fos) 711 712 return not is_successful_status(resp), \ 713 resp['status'] == "success", \ 714 resp 715 716 717def main(): 718 fields = { 719 "host": {"required": False, "type": "str"}, 720 "username": {"required": False, "type": "str"}, 721 "password": {"required": False, "type": "str", "default": "", "no_log": True}, 722 "vdom": {"required": False, "type": "str", "default": "root"}, 723 "https": {"required": False, "type": "bool", "default": True}, 724 "ssl_verify": {"required": False, "type": "bool", "default": True}, 725 "state": {"required": False, "type": "str", 726 "choices": ["present", "absent"]}, 727 "firewall_proxy_policy": { 728 "required": False, "type": "dict", "default": None, 729 "options": { 730 "state": {"required": False, "type": "str", 731 "choices": ["present", "absent"]}, 732 "action": {"required": False, "type": "str", 733 "choices": ["accept", "deny", "redirect"]}, 734 "application_list": {"required": False, "type": "str"}, 735 "av_profile": {"required": False, "type": "str"}, 736 "comments": {"required": False, "type": "str"}, 737 "disclaimer": {"required": False, "type": "str", 738 "choices": ["disable", "domain", "policy", 739 "user"]}, 740 "dlp_sensor": {"required": False, "type": "str"}, 741 "dstaddr": {"required": False, "type": "list", 742 "options": { 743 "name": {"required": True, "type": "str"} 744 }}, 745 "dstaddr_negate": {"required": False, "type": "str", 746 "choices": ["enable", "disable"]}, 747 "dstaddr6": {"required": False, "type": "list", 748 "options": { 749 "name": {"required": True, "type": "str"} 750 }}, 751 "dstintf": {"required": False, "type": "list", 752 "options": { 753 "name": {"required": True, "type": "str"} 754 }}, 755 "global_label": {"required": False, "type": "str"}, 756 "groups": {"required": False, "type": "list", 757 "options": { 758 "name": {"required": True, "type": "str"} 759 }}, 760 "http_tunnel_auth": {"required": False, "type": "str", 761 "choices": ["enable", "disable"]}, 762 "icap_profile": {"required": False, "type": "str"}, 763 "internet_service": {"required": False, "type": "str", 764 "choices": ["enable", "disable"]}, 765 "internet_service_custom": {"required": False, "type": "list", 766 "options": { 767 "name": {"required": True, "type": "str"} 768 }}, 769 "internet_service_id": {"required": False, "type": "list", 770 "options": { 771 "id": {"required": True, "type": "int"} 772 }}, 773 "internet_service_negate": {"required": False, "type": "str", 774 "choices": ["enable", "disable"]}, 775 "ips_sensor": {"required": False, "type": "str"}, 776 "label": {"required": False, "type": "str"}, 777 "logtraffic": {"required": False, "type": "str", 778 "choices": ["all", "utm", "disable"]}, 779 "logtraffic_start": {"required": False, "type": "str", 780 "choices": ["enable", "disable"]}, 781 "policyid": {"required": True, "type": "int"}, 782 "poolname": {"required": False, "type": "list", 783 "options": { 784 "name": {"required": True, "type": "str"} 785 }}, 786 "profile_group": {"required": False, "type": "str"}, 787 "profile_protocol_options": {"required": False, "type": "str"}, 788 "profile_type": {"required": False, "type": "str", 789 "choices": ["single", "group"]}, 790 "proxy": {"required": False, "type": "str", 791 "choices": ["explicit-web", "transparent-web", "ftp", 792 "ssh", "ssh-tunnel", "wanopt"]}, 793 "redirect_url": {"required": False, "type": "str"}, 794 "replacemsg_override_group": {"required": False, "type": "str"}, 795 "scan_botnet_connections": {"required": False, "type": "str", 796 "choices": ["disable", "block", "monitor"]}, 797 "schedule": {"required": False, "type": "str"}, 798 "service": {"required": False, "type": "list", 799 "options": { 800 "name": {"required": True, "type": "str"} 801 }}, 802 "service_negate": {"required": False, "type": "str", 803 "choices": ["enable", "disable"]}, 804 "session_ttl": {"required": False, "type": "int"}, 805 "spamfilter_profile": {"required": False, "type": "str"}, 806 "srcaddr": {"required": False, "type": "list", 807 "options": { 808 "name": {"required": True, "type": "str"} 809 }}, 810 "srcaddr_negate": {"required": False, "type": "str", 811 "choices": ["enable", "disable"]}, 812 "srcaddr6": {"required": False, "type": "list", 813 "options": { 814 "name": {"required": True, "type": "str"} 815 }}, 816 "srcintf": {"required": False, "type": "list", 817 "options": { 818 "name": {"required": True, "type": "str"} 819 }}, 820 "ssh_filter_profile": {"required": False, "type": "str"}, 821 "ssl_ssh_profile": {"required": False, "type": "str"}, 822 "status": {"required": False, "type": "str", 823 "choices": ["enable", "disable"]}, 824 "transparent": {"required": False, "type": "str", 825 "choices": ["enable", "disable"]}, 826 "users": {"required": False, "type": "list", 827 "options": { 828 "name": {"required": True, "type": "str"} 829 }}, 830 "utm_status": {"required": False, "type": "str", 831 "choices": ["enable", "disable"]}, 832 "uuid": {"required": False, "type": "str"}, 833 "waf_profile": {"required": False, "type": "str"}, 834 "webcache": {"required": False, "type": "str", 835 "choices": ["enable", "disable"]}, 836 "webcache_https": {"required": False, "type": "str", 837 "choices": ["disable", "enable"]}, 838 "webfilter_profile": {"required": False, "type": "str"}, 839 "webproxy_forward_server": {"required": False, "type": "str"}, 840 "webproxy_profile": {"required": False, "type": "str"} 841 842 } 843 } 844 } 845 846 module = AnsibleModule(argument_spec=fields, 847 supports_check_mode=False) 848 849 # legacy_mode refers to using fortiosapi instead of HTTPAPI 850 legacy_mode = 'host' in module.params and module.params['host'] is not None and \ 851 'username' in module.params and module.params['username'] is not None and \ 852 'password' in module.params and module.params['password'] is not None 853 854 if not legacy_mode: 855 if module._socket_path: 856 connection = Connection(module._socket_path) 857 fos = FortiOSHandler(connection) 858 859 is_error, has_changed, result = fortios_firewall(module.params, fos) 860 else: 861 module.fail_json(**FAIL_SOCKET_MSG) 862 else: 863 try: 864 from fortiosapi import FortiOSAPI 865 except ImportError: 866 module.fail_json(msg="fortiosapi module is required") 867 868 fos = FortiOSAPI() 869 870 login(module.params, fos) 871 is_error, has_changed, result = fortios_firewall(module.params, fos) 872 fos.logout() 873 874 if not is_error: 875 module.exit_json(changed=has_changed, meta=result) 876 else: 877 module.fail_json(msg="Error in repo", meta=result) 878 879 880if __name__ == '__main__': 881 main() 882