fmgd_application_list – Configure application control lists.

Added in version 1.1.0.

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values need to be adjusted to data sources before usage.

  • Tested with FortiManager v7.x.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible-core>=2.16.0

FortiManager Version Compatibility

Supported Version Ranges: v7.4.8 -> v7.4.10, v7.6.4 -> latest

Parameters

  • access_token -The token to access FortiManager without using username and password. type: str required: false
  • bypass_validation - Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. type: bool required: false default: False
  • enable_log - Enable/Disable logging for task. type: bool required: false default: False
  • forticloud_access_token - Access token of forticloud managed API users, this option is available with FortiManager later than 6.4.0. type: str required: false
  • proposed_method - The overridden method for the underlying Json RPC request. type: str required: false choices: set, update, add
  • rc_succeeded - The rc codes list with which the conditions to succeed will be overriden. type: list required: false
  • rc_failed - The rc codes list with which the conditions to fail will be overriden. type: list required: false
  • state - The directive to create, update or delete an object type: str required: true choices: present, absent
  • workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
  • workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock. type: integer required: false default: 300
  • device - The parameter in requested url type: str required: true
  • vdom - The parameter in requested url type: str required: true
  • application_list - Configure application control lists. type: dict
    • app_replacemsg (Alias name: app-replacemsg) Enable/disable replacement messages for blocked applications. type: str choices: [disable, enable] more...
    • comment Comments. type: str more...
    • control_default_network_services (Alias name: control-default-network-services) Enable/disable enforcement of protocols over selected ports. type: str choices: [disable, enable] more...
    • deep_app_inspection (Alias name: deep-app-inspection) Enable/disable deep application inspection. type: str choices: [disable, enable] more...
    • default_network_services (Alias name: default-network-services) Default network services. type: list more...
      • id Entry id. type: int more...
      • port Port number. type: int more...
      • services Network protocols. type: list choices: [http, ssh, telnet, ftp, dns, smtp, pop3, imap, snmp, nntp, https] more...
      • violation_action (Alias name: violation-action) Action for protocols not in the allowlist for selected port. type: str choices: [block, monitor, pass] more...
    • enforce_default_app_port (Alias name: enforce-default-app-port) Enable/disable default application port enforcement for allowed applications. type: str choices: [disable, enable] more...
    • entries Entries. type: list more...
      • action Pass or block traffic, or reset connection for traffic from this application. type: str choices: [pass, block, reset] more...
      • application Id of allowed applications. type: list more...
      • behavior Application behavior filter. type: list more...
      • category Category id list. type: list more...
      • exclusion Id of excluded applications. type: list more...
      • id Entry id. type: int more...
      • log Enable/disable logging for this application list. type: str choices: [disable, enable] more...
      • log_packet (Alias name: log-packet) Enable/disable packet logging. type: str choices: [disable, enable] more...
      • parameters Parameters. type: list more...
        • id Parameter tuple id. type: int more...
        • members Members. type: list more...
          • id Parameter. type: int more...
          • name Parameter name. type: str more...
          • value Parameter value. type: str more...
        • value Parameter value. type: str more...
      • popularity Application popularity filter (1 - 5, from least to most popular). type: list choices: [1, 2, 3, 4, 5] more...
      • protocols Application protocol filter. type: list more...
      • quarantine Quarantine method. type: str choices: [none, attacker] more...
      • quarantine_expiry (Alias name: quarantine-expiry) Duration of quarantine. type: str more...
      • quarantine_log (Alias name: quarantine-log) Enable/disable quarantine logging. type: str choices: [disable, enable] more...
      • rate_count (Alias name: rate-count) Count of the rate. type: int more...
      • rate_duration (Alias name: rate-duration) Duration (sec) of the rate. type: int more...
      • rate_mode (Alias name: rate-mode) Rate limit mode. type: str choices: [periodical, continuous] more...
      • rate_track (Alias name: rate-track) Track the packet protocol field. type: str choices: [none, src-ip, dest-ip, dhcp-client-mac, dns-domain] more...
      • risk Risk, or impact, of allowing traffic from this application to occur (1 - 5; low, elevated, medium, high, and critical). type: list more...
      • session_ttl (Alias name: session-ttl) Session ttl (0 = default). type: int more...
      • shaper Traffic shaper. type: list more...
      • technology Application technology filter. type: list more...
      • vendor Application vendor filter. type: list more...
      • shaper_reverse (Alias name: shaper-reverse) Reverse traffic shaper. type: list more...
      • per_ip_shaper (Alias name: per-ip-shaper) Per-ip traffic shaper. type: list more...
      • sub_category (Alias name: sub-category) Application sub-category id list. type: list more...
      • tags Tag filter. type: list more...
    • extended_log (Alias name: extended-log) Enable/disable extended logging. type: str choices: [disable, enable] more...
    • force_inclusion_ssl_di_sigs (Alias name: force-inclusion-ssl-di-sigs) Enable/disable forced inclusion of ssl deep inspection signatures. type: str choices: [disable, enable] more...
    • name List name. type: str more...
    • options Basic application protocol signatures allowed by default. type: list choices: [allow-dns, allow-icmp, allow-http, allow-ssl, allow-quic] more...
    • other_application_action (Alias name: other-application-action) Action for other applications. type: str choices: [pass, block] more...
    • other_application_log (Alias name: other-application-log) Enable/disable logging for other applications. type: str choices: [disable, enable] more...
    • p2p_block_list (Alias name: p2p-block-list) P2p applications to be block listed. type: list choices: [skype, edonkey, bittorrent] more...
    • replacemsg_group (Alias name: replacemsg-group) Replacement message group. type: list more...
    • unknown_application_action (Alias name: unknown-application-action) Pass or block traffic from unknown applications. type: str choices: [pass, block] more...
    • unknown_application_log (Alias name: unknown-application-log) Enable/disable logging for unknown applications. type: str choices: [disable, enable] more...
    • p2p_black_list (Alias name: p2p-black-list) P2p applications to be black listed. type: list choices: [skype, edonkey, bittorrent] more...

Notes

Note

  • Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.

  • To create or update an object, use state: present directive.

  • To delete an object, use state: absent directive

  • Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure application control lists.
      fortinet.fmgdevice.fmgd_application_list:
        # bypass_validation: false
        # workspace_locking_adom: <global or your adom name>
        # workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        state: present # <value in [present, absent]>
        application_list:
          name: "your value" # Required variable, string
          # app_replacemsg: <value in [disable, enable]>
          # comment: <string>
          # control_default_network_services: <value in [disable, enable]>
          # deep_app_inspection: <value in [disable, enable]>
          # default_network_services:
          #   - id: <integer>
          #     port: <integer>
          #     services:
          #       - "http"
          #       - "ssh"
          #       - "telnet"
          #       - "ftp"
          #       - "dns"
          #       - "smtp"
          #       - "pop3"
          #       - "imap"
          #       - "snmp"
          #       - "nntp"
          #       - "https"
          #     violation_action: <value in [block, monitor, pass]>
          # enforce_default_app_port: <value in [disable, enable]>
          # entries:
          #   - action: <value in [pass, block, reset]>
          #     application: <list or integer>
          #     behavior: <list or string>
          #     category: <list or string>
          #     exclusion: <list or integer>
          #     id: <integer>
          #     log: <value in [disable, enable]>
          #     log_packet: <value in [disable, enable]>
          #     parameters:
          #       - id: <integer>
          #         members:
          #           - id: <integer>
          #             name: <string>
          #             value: <string>
          #         value: <string>
          #     popularity:
          #       - "1"
          #       - "2"
          #       - "3"
          #       - "4"
          #       - "5"
          #     protocols: <list or string>
          #     quarantine: <value in [none, attacker]>
          #     quarantine_expiry: <string>
          #     quarantine_log: <value in [disable, enable]>
          #     rate_count: <integer>
          #     rate_duration: <integer>
          #     rate_mode: <value in [periodical, continuous]>
          #     rate_track: <value in [none, src-ip, dest-ip, ...]>
          #     risk: <list or integer>
          #     session_ttl: <integer>
          #     shaper: <list or string>
          #     technology: <list or string>
          #     vendor: <list or string>
          #     shaper_reverse: <list or string>
          #     per_ip_shaper: <list or string>
          #     sub_category: <list or integer>
          #     tags: <list or string>
          # extended_log: <value in [disable, enable]>
          # force_inclusion_ssl_di_sigs: <value in [disable, enable]>
          # options:
          #   - "allow-dns"
          #   - "allow-icmp"
          #   - "allow-http"
          #   - "allow-ssl"
          #   - "allow-quic"
          # other_application_action: <value in [pass, block]>
          # other_application_log: <value in [disable, enable]>
          # p2p_block_list:
          #   - "skype"
          #   - "edonkey"
          #   - "bittorrent"
          # replacemsg_group: <list or string>
          # unknown_application_action: <value in [pass, block]>
          # unknown_application_log: <value in [disable, enable]>
          # p2p_black_list:
          #   - "skype"
          #   - "edonkey"
          #   - "bittorrent"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • meta - The result of the request.returned: always type: dict
    • request_url - The full url requested. returned: always type: str sample: /sys/login/user
    • response_code - The status of api request. returned: always type: int sample: 0
    • response_data - The data body of the api response. returned: optional type: list or dict
    • response_message - The descriptive message of the api response. returned: always type: str sample: OK
    • system_information - The information of the target system. returned: always type: dict
  • rc - The status the request. returned: always type: int sample: 0
  • version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least one parameter not supported by the current FortiManager version type: list

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Xinwei Du (@dux-fortinet)

  • Xing Li (@lix-fortinet)

  • Jie Xue (@JieX19)

  • Link Zheng (@chillancezen)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)