fmgd_vpn_certificate_setting – VPN certificate setting.
Added in version 1.0.0.
Synopsis
This module is able to configure a FortiManager device.
Examples include all parameters and values need to be adjusted to data sources before usage.
Tested with FortiManager v7.x.
Requirements
The below requirements are needed on the host that executes this module.
ansible-core>=2.16.0
FortiManager Version Compatibility
Supported Version Ranges: v7.2.6 -> v7.2.12, v7.4.3 -> latest
Parameters
- access_token -The token to access FortiManager without using username and password. type: str required: false
- bypass_validation - Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. type: bool required: false default: False
- enable_log - Enable/Disable logging for task. type: bool required: false default: False
- forticloud_access_token - Access token of forticloud managed API users, this option is available with FortiManager later than 6.4.0. type: str required: false
- proposed_method - The overridden method for the underlying Json RPC request. type: str required: false choices: set, update, add
- rc_succeeded - The rc codes list with which the conditions to succeed will be overriden. type: list required: false
- rc_failed - The rc codes list with which the conditions to fail will be overriden. type: list required: false
- workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
- workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock. type: integer required: false default: 300
- device - The parameter in requested url type: str required: true
- vdom - The parameter in requested url type: str required: true
- vpn_certificate_setting - VPN certificate setting. type: dict
- cert_expire_warning (Alias name: cert-expire-warning) Number of days before a certificate expires to send a warning. type: int more...
- certname_dsa1024 (Alias name: certname-dsa1024) 1024 bit dsa key certificate for re-signing server certificates for ssl inspection. type: list more...
- certname_dsa2048 (Alias name: certname-dsa2048) 2048 bit dsa key certificate for re-signing server certificates for ssl inspection. type: list more...
- certname_ecdsa256 (Alias name: certname-ecdsa256) 256 bit ecdsa key certificate for re-signing server certificates for ssl inspection. type: list more...
- certname_ecdsa384 (Alias name: certname-ecdsa384) 384 bit ecdsa key certificate for re-signing server certificates for ssl inspection. type: list more...
- certname_ecdsa521 (Alias name: certname-ecdsa521) 521 bit ecdsa key certificate for re-signing server certificates for ssl inspection. type: list more...
- certname_ed25519 (Alias name: certname-ed25519) 253 bit eddsa key certificate for re-signing server certificates for ssl inspection. type: list more...
- certname_ed448 (Alias name: certname-ed448) 456 bit eddsa key certificate for re-signing server certificates for ssl inspection. type: list more...
- certname_rsa1024 (Alias name: certname-rsa1024) 1024 bit rsa key certificate for re-signing server certificates for ssl inspection. type: list more...
- certname_rsa2048 (Alias name: certname-rsa2048) 2048 bit rsa key certificate for re-signing server certificates for ssl inspection. type: list more...
- certname_rsa4096 (Alias name: certname-rsa4096) 4096 bit rsa key certificate for re-signing server certificates for ssl inspection. type: list more...
- check_ca_cert (Alias name: check-ca-cert) Enable/disable verification of the user certificate and pass authentication if any ca in the chain is trusted (default = enable). type: str choices: [disable, enable] more...
- check_ca_chain (Alias name: check-ca-chain) Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the cas in the chain are trusted (default = disable). type: str choices: [disable, enable] more...
- cmp_key_usage_checking (Alias name: cmp-key-usage-checking) Enable/disable server certificate key usage checking in cmp mode (default = enable). type: str choices: [disable, enable] more...
- cmp_save_extra_certs (Alias name: cmp-save-extra-certs) Enable/disable saving extra certificates in cmp mode (default = disable). type: str choices: [disable, enable] more...
- cn_allow_multi (Alias name: cn-allow-multi) When searching for a matching certificate, allow multiple cn fields in certificate subject name (default = enable). type: str choices: [disable, enable] more...
- cn_match (Alias name: cn-match) When searching for a matching certificate, control how to do cn value matching with certificate subject name (default = substring). type: str choices: [substring, value] more...
- crl_verification (Alias name: crl-verification) Crl verification. type: dict
more...
- chain_crl_absence (Alias name: chain-crl-absence) Crl verification option when crl of any certificate in chain is absent (default = ignore). type: str choices: [ignore, revoke] more...
- expiry Crl verification option when crl is expired (default = ignore). type: str choices: [ignore, revoke] more...
- leaf_crl_absence (Alias name: leaf-crl-absence) Crl verification option when leaf crl is absent (default = ignore). type: str choices: [ignore, revoke] more...
- interface Specify outgoing interface to reach server. type: list more...
- interface_select_method (Alias name: interface-select-method) Specify how to select outgoing interface to reach server. type: str choices: [auto, sdwan, specify] more...
- ocsp_default_server (Alias name: ocsp-default-server) Default ocsp server. type: list more...
- ocsp_option (Alias name: ocsp-option) Specify whether the ocsp url is from certificate or configured ocsp server. type: str choices: [certificate, server] more...
- ocsp_status (Alias name: ocsp-status) Enable/disable receiving certificates using the ocsp. type: str choices: [disable, enable, mandatory] more...
- proxy Proxy server fqdn or ip for ocsp/ca queries during certificate verification. type: str more...
- proxy_password (Alias name: proxy-password) Proxy server password. type: list more...
- proxy_port (Alias name: proxy-port) Proxy server port (1 - 65535, default = 8080). type: int more...
- proxy_username (Alias name: proxy-username) Proxy server user name. type: str more...
- source_ip (Alias name: source-ip) Source ip address for dynamic aia and ocsp queries. type: str more...
- ssl_min_proto_version (Alias name: ssl-min-proto-version) Minimum supported protocol version for ssl/tls connections (default is to follow system global setting). type: str choices: [default, TLSv1, TLSv1-1, TLSv1-2, SSLv3, TLSv1-3] more...
- strict_ocsp_check (Alias name: strict-ocsp-check) Enable/disable strict mode ocsp checking. type: str choices: [disable, enable] more...
- subject_match (Alias name: subject-match) When searching for a matching certificate, control how to do rdn value matching with certificate subject name (default = substring). type: str choices: [substring, value] more...
- subject_set (Alias name: subject-set) When searching for a matching certificate, control how to do rdn set matching with certificate subject name (default = subset). type: str choices: [subset, superset] more...
- ssl_ocsp_source_ip (Alias name: ssl-ocsp-source-ip) Source ip address to use to communicate with the ocsp server. type: str more...
- strict_crl_check (Alias name: strict-crl-check) Enable/disable strict mode crl checking. type: str choices: [disable, enable] more...
- vrf_select (Alias name: vrf-select) Vrf id used for connection to server. type: int more...
Notes
Note
Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
To create or update an object, use state: present directive.
To delete an object, use state: absent directive
Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded
Examples
- name: Example playbook (generated based on argument schema)
hosts: fortimanagers
connection: httpapi
gather_facts: false
vars:
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
ansible_httpapi_port: 443
tasks:
- name: VPN certificate setting.
fortinet.fmgdevice.fmgd_vpn_certificate_setting:
# bypass_validation: false
# workspace_locking_adom: <global or your adom name>
# workspace_locking_timeout: 300
# rc_succeeded: [0, -2, -3, ...]
# rc_failed: [-2, -3, ...]
device: <your own value>
vdom: <your own value>
vpn_certificate_setting:
# cert_expire_warning: <integer>
# certname_dsa1024: <list or string>
# certname_dsa2048: <list or string>
# certname_ecdsa256: <list or string>
# certname_ecdsa384: <list or string>
# certname_ecdsa521: <list or string>
# certname_ed25519: <list or string>
# certname_ed448: <list or string>
# certname_rsa1024: <list or string>
# certname_rsa2048: <list or string>
# certname_rsa4096: <list or string>
# check_ca_cert: <value in [disable, enable]>
# check_ca_chain: <value in [disable, enable]>
# cmp_key_usage_checking: <value in [disable, enable]>
# cmp_save_extra_certs: <value in [disable, enable]>
# cn_allow_multi: <value in [disable, enable]>
# cn_match: <value in [substring, value]>
# crl_verification:
# chain_crl_absence: <value in [ignore, revoke]>
# expiry: <value in [ignore, revoke]>
# leaf_crl_absence: <value in [ignore, revoke]>
# interface: <list or string>
# interface_select_method: <value in [auto, sdwan, specify]>
# ocsp_default_server: <list or string>
# ocsp_option: <value in [certificate, server]>
# ocsp_status: <value in [disable, enable, mandatory]>
# proxy: <string>
# proxy_password: <list or string>
# proxy_port: <integer>
# proxy_username: <string>
# source_ip: <string>
# ssl_min_proto_version: <value in [default, TLSv1, TLSv1-1, ...]>
# strict_ocsp_check: <value in [disable, enable]>
# subject_match: <value in [substring, value]>
# subject_set: <value in [subset, superset]>
# ssl_ocsp_source_ip: <string>
# strict_crl_check: <value in [disable, enable]>
# vrf_select: <integer>
Return Values
Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:
- meta - The result of the request.returned: always type: dict
- request_url - The full url requested. returned: always type: str sample: /sys/login/user
- response_code - The status of api request. returned: always type: int sample: 0
- response_data - The data body of the api response. returned: optional type: list or dict
- response_message - The descriptive message of the api response. returned: always type: str sample: OK
- system_information - The information of the target system. returned: always type: dict
- rc - The status the request. returned: always type: int sample: 0
- version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least one parameter not supported by the current FortiManager version type: list
Status
This module is not guaranteed to have a backwards compatible interface.