fmgd_vpn_ipsec_phase1 – Configure VPN remote gateway.
Added in version 1.0.0.
Synopsis
This module is able to configure a FortiManager device.
Examples include all parameters; values need to be adjusted to your data sources before use.
Tested with FortiManager v7.x.
Requirements
The below requirements are needed on the host that executes this module.
ansible-core>=2.16.0
FortiManager Version Compatibility
Supported Version Ranges: v7.2.6 -> v7.2.12, v7.4.3 -> latest
Parameters
- access_token - The token to access FortiManager without using username and password. type: str required: false
- bypass_validation - Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters. type: bool required: false default: False
- enable_log - Enable/Disable logging for task. type: bool required: false default: False
- forticloud_access_token - Access token of FortiCloud managed API users; this option is available with FortiManager later than 6.4.0. type: str required: false
- proposed_method - The overridden method for the underlying JSON RPC request. type: str required: false choices: set, update, add
- rc_succeeded - The list of rc codes with which the conditions to succeed will be overridden. type: list required: false
- rc_failed - The list of rc codes with which the conditions to fail will be overridden. type: list required: false
- state - The directive to create, update or delete an object. type: str required: true choices: present, absent
- workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
- workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock. type: integer required: false default: 300
- device - The parameter in the requested URL. type: str required: true
- vdom - The parameter in the requested URL. type: str required: true
- vpn_ipsec_phase1 - Configure VPN remote gateway. type: dict
- acct_verify (Alias name: acct-verify) Enable/disable verification of radius accounting record. type: str choices: [disable, enable]
- add_gw_route (Alias name: add-gw-route) Enable/disable automatically add a route to the remote gateway. type: str choices: [disable, enable]
- add_route (Alias name: add-route) Enable/disable control addition of a route to peer destination selector. type: str choices: [disable, enable]
- assign_ip (Alias name: assign-ip) Enable/disable assignment of ip to ipsec interface via configuration method. type: str choices: [disable, enable]
- assign_ip_from (Alias name: assign-ip-from) Method by which the ip address will be assigned. type: str choices: [range, usrgrp, dhcp, name]
- authmethod Authentication method. type: str choices: [psk, rsa-signature, signature]
- authmethod_remote (Alias name: authmethod-remote) Authentication method (remote side). type: str choices: [psk, signature]
- authpasswd Xauth password (max 35 characters). type: list
- authusr Xauth user name. type: str
- authusrgrp Authentication user group. type: list
- auto_negotiate (Alias name: auto-negotiate) Enable/disable automatic initiation of ike sa negotiation. type: str choices: [disable, enable]
- azure_ad_autoconnect (Alias name: azure-ad-autoconnect) Enable/disable azure ad auto-connect for forticlient. type: str choices: [disable, enable]
- backup_gateway (Alias name: backup-gateway) Instruct unity clients about the backup gateway address(es). type: list
- banner Message that unity client should display after connecting. type: str
- cert_id_validation (Alias name: cert-id-validation) Enable/disable cross validation of peer id and the identity in the peers certificate as specified in rfc 4945. type: str choices: [disable, enable]
- cert_peer_username_strip (Alias name: cert-peer-username-strip) Enable/disable domain stripping on certificate identity. type: str choices: [disable, enable]
- cert_peer_username_validation (Alias name: cert-peer-username-validation) Enable/disable cross validation of peer username and the identity in the peers certificate. type: str choices: [othername, rfc822name, cn, none]
- cert_trust_store (Alias name: cert-trust-store) Ca certificate trust store. type: str choices: [local, ems]
- certificate Names of up to 4 signed personal certificates. type: list
- childless_ike (Alias name: childless-ike) Enable/disable childless ikev2 initiation (rfc 6023). type: str choices: [disable, enable]
- client_auto_negotiate (Alias name: client-auto-negotiate) Enable/disable allowing the vpn client to bring up the tunnel when there is no traffic. type: str choices: [disable, enable]
- client_keep_alive (Alias name: client-keep-alive) Enable/disable allowing the vpn client to keep the tunnel up when there is no traffic. type: str choices: [disable, enable]
- client_resume (Alias name: client-resume) Enable/disable resumption of offline forticlient sessions. type: str choices: [disable, enable]
- client_resume_interval (Alias name: client-resume-interval) Maximum time in seconds during which a vpn client may resume using a tunnel after a client pc has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800). type: int
- comments Comment. type: str
- dev_id (Alias name: dev-id) Device id carried by the device id notification. type: str
- dev_id_notification (Alias name: dev-id-notification) Enable/disable device id notification. type: str choices: [disable, enable]
- dhcp_ra_giaddr (Alias name: dhcp-ra-giaddr) Relay agent gateway ip address to use in the giaddr field of dhcp requests. type: str
- dhcp6_ra_linkaddr (Alias name: dhcp6-ra-linkaddr) Relay agent ipv6 link address to use in dhcp6 requests. type: str
- dhgrp Dh group. type: list choices: [1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32]
- digital_signature_auth (Alias name: digital-signature-auth) Enable/disable ikev2 digital signature authentication (rfc 7427). type: str choices: [disable, enable]
- distance Distance for routes added by ike (1 - 255). type: int
- dns_mode (Alias name: dns-mode) Dns server mode. type: str choices: [auto, manual]
- domain Instruct unity clients about the single default dns domain. type: str
- dpd Dead peer detection mode. type: str choices: [disable, enable, on-idle, on-demand]
- dpd_retrycount (Alias name: dpd-retrycount) Number of dpd retry attempts. type: int
- dpd_retryinterval (Alias name: dpd-retryinterval) Dpd retry interval. type: list
- eap Enable/disable ikev2 eap authentication. type: str choices: [disable, enable]
- eap_cert_auth (Alias name: eap-cert-auth) Enable/disable peer certificate authentication in addition to eap if peer is a forticlient endpoint. type: str choices: [disable, enable]
- eap_exclude_peergrp (Alias name: eap-exclude-peergrp) Peer group excluded from eap authentication. type: list
- eap_identity (Alias name: eap-identity) Ikev2 eap peer identity type. type: str choices: [use-id-payload, send-request]
- ems_sn_check (Alias name: ems-sn-check) Enable/disable verification of ems serial number. type: str choices: [disable, enable]
- enforce_unique_id (Alias name: enforce-unique-id) Enable/disable peer id uniqueness check. type: str choices: [disable, keep-new, keep-old]
- esn Extended sequence number (esn) negotiation. type: str choices: [disable, require, allow]
- exchange_fgt_device_id (Alias name: exchange-fgt-device-id) Enable/disable device identifier exchange with peer fortigate units for use of vpn monitor data by fortimanager. type: str choices: [disable, enable]
- fallback_tcp_threshold (Alias name: fallback-tcp-threshold) Timeout in seconds before falling back ike/ipsec traffic to tcp. type: int
- fec_base (Alias name: fec-base) Number of base forward error correction packets (1 - 20). type: int
- fec_codec (Alias name: fec-codec) Forward error correction encoding/decoding algorithm. type: str choices: [rs, xor]
- fec_egress (Alias name: fec-egress) Enable/disable forward error correction for egress ipsec traffic. type: str choices: [disable, enable]
- fec_health_check (Alias name: fec-health-check) Sd-wan health check. type: list
- fec_ingress (Alias name: fec-ingress) Enable/disable forward error correction for ingress ipsec traffic. type: str choices: [disable, enable]
- fec_mapping_profile (Alias name: fec-mapping-profile) Forward error correction (fec) mapping profile. type: list
- fec_receive_timeout (Alias name: fec-receive-timeout) Timeout in milliseconds before dropping forward error correction packets (1 - 1000). type: int
- fec_redundant (Alias name: fec-redundant) Number of redundant forward error correction packets (1 - 5 for reed-solomon, 1 for xor). type: int
- fec_send_timeout (Alias name: fec-send-timeout) Timeout in milliseconds before sending forward error correction packets (1 - 1000). type: int
- fgsp_sync (Alias name: fgsp-sync) Enable/disable ipsec syncing of tunnels for fgsp ipsec. type: str choices: [disable, enable]
- fortinet_esp (Alias name: fortinet-esp) Enable/disable fortinet esp encapsulation. type: str choices: [disable, enable]
- fragmentation Enable/disable fragment ike message on re-transmission. type: str choices: [disable, enable]
- fragmentation_mtu (Alias name: fragmentation-mtu) Ike fragmentation mtu (500 - 16000). type: int
- group_authentication (Alias name: group-authentication) Enable/disable ikev2 idi group authentication. type: str choices: [disable, enable]
- group_authentication_secret (Alias name: group-authentication-secret) Password for ikev2 id group authentication. type: list
- ha_sync_esp_seqno (Alias name: ha-sync-esp-seqno) Enable/disable sequence number jump ahead for ipsec ha. type: str choices: [disable, enable]
- idle_timeout (Alias name: idle-timeout) Enable/disable ipsec tunnel idle timeout. type: str choices: [disable, enable]
- idle_timeoutinterval (Alias name: idle-timeoutinterval) Ipsec tunnel idle timeout in minutes (5 - 43200). type: int
- ike_version (Alias name: ike-version) Ike protocol version. type: str choices: [1, 2]
- inbound_dscp_copy (Alias name: inbound-dscp-copy) Enable/disable copy the dscp in the esp header to the inner ip header. type: str choices: [disable, enable]
- include_local_lan (Alias name: include-local-lan) Enable/disable allow local lan access on unity clients. type: str choices: [disable, enable]
- interface Local physical, aggregate, or vlan outgoing interface. type: list
- internal_domain_list (Alias name: internal-domain-list) One or more internal domain names in quotes separated by spaces. type: list
- ip_delay_interval (Alias name: ip-delay-interval) Ip address reuse delay interval in seconds (0 - 28800). type: int
- ipv4_dns_server1 (Alias name: ipv4-dns-server1) Ipv4 dns server 1. type: str
- ipv4_dns_server2 (Alias name: ipv4-dns-server2) Ipv4 dns server 2. type: str
- ipv4_dns_server3 (Alias name: ipv4-dns-server3) Ipv4 dns server 3. type: str
- ipv4_end_ip (Alias name: ipv4-end-ip) End of ipv4 range. type: str
- ipv4_exclude_range (Alias name: ipv4-exclude-range) Ipv4 exclude range. type: list
- ipv4_name (Alias name: ipv4-name) Ipv4 address name. type: list
- ipv4_netmask (Alias name: ipv4-netmask) Ipv4 netmask. type: str
- ipv4_split_exclude (Alias name: ipv4-split-exclude) Ipv4 subnets that should not be sent over the ipsec tunnel. type: list
- ipv4_split_include (Alias name: ipv4-split-include) Ipv4 split-include subnets. type: list
- ipv4_start_ip (Alias name: ipv4-start-ip) Start of ipv4 range. type: str
- ipv4_wins_server1 (Alias name: ipv4-wins-server1) Wins server 1. type: str
- ipv4_wins_server2 (Alias name: ipv4-wins-server2) Wins server 2. type: str
- ipv6_dns_server1 (Alias name: ipv6-dns-server1) Ipv6 dns server 1. type: str
- ipv6_dns_server2 (Alias name: ipv6-dns-server2) Ipv6 dns server 2. type: str
- ipv6_dns_server3 (Alias name: ipv6-dns-server3) Ipv6 dns server 3. type: str
- ipv6_end_ip (Alias name: ipv6-end-ip) End of ipv6 range. type: str
- ipv6_exclude_range (Alias name: ipv6-exclude-range) Ipv6 exclude range. type: list
- ipv6_name (Alias name: ipv6-name) Ipv6 address name. type: list
- ipv6_prefix (Alias name: ipv6-prefix) Ipv6 prefix. type: int
- ipv6_split_exclude (Alias name: ipv6-split-exclude) Ipv6 subnets that should not be sent over the ipsec tunnel. type: list
- ipv6_split_include (Alias name: ipv6-split-include) Ipv6 split-include subnets. type: list
- ipv6_start_ip (Alias name: ipv6-start-ip) Start of ipv6 range. type: str
- keepalive Nat-t keep alive interval. type: int
- keylife Time to wait in seconds before phase 1 encryption key expires. type: int
- kms Key management services server. type: list
- link_cost (Alias name: link-cost) Vpn tunnel underlay link cost. type: int
- local_gw (Alias name: local-gw) Local vpn gateway. type: str
- localid Local id. type: str
- localid_type (Alias name: localid-type) Local id type. type: str choices: [auto, fqdn, user-fqdn, keyid, address, asn1dn]
- loopback_asymroute (Alias name: loopback-asymroute) Enable/disable asymmetric routing for ike traffic on loopback interface. type: str choices: [disable, enable]
- mesh_selector_type (Alias name: mesh-selector-type) Add selectors containing subsets of the configuration depending on traffic. type: str choices: [disable, subnet, host]
- mode Id protection mode used to establish a secure channel. type: str choices: [main, aggressive]
- mode_cfg (Alias name: mode-cfg) Enable/disable configuration method. type: str choices: [disable, enable]
- mode_cfg_allow_client_selector (Alias name: mode-cfg-allow-client-selector) Enable/disable mode-cfg client to use custom phase2 selectors. type: str choices: [disable, enable]
- name Ipsec remote gateway name. type: str
- nattraversal Enable/disable nat traversal. type: str choices: [disable, enable, forced]
- negotiate_timeout (Alias name: negotiate-timeout) Ike sa negotiation timeout in seconds (1 - 300). type: int
- network_id (Alias name: network-id) Vpn gateway network id. type: int
- network_overlay (Alias name: network-overlay) Enable/disable network overlays. type: str choices: [disable, enable]
- npu_offload (Alias name: npu-offload) Enable/disable offloading npu. type: str choices: [disable, enable]
- peer Accept this peer certificate. type: list
- peergrp Accept this peer certificate group. type: list
- peerid Accept this peer identity. type: str
- peertype Accept this peer type. type: str choices: [any, one, dialup, peer, peergrp]
- ppk Enable/disable ikev2 postquantum preshared key (ppk). type: str choices: [disable, allow, require]
- ppk_identity (Alias name: ppk-identity) Ikev2 postquantum preshared key identity. type: str
- ppk_secret (Alias name: ppk-secret) Ikev2 postquantum preshared key (ascii string or hexadecimal encoded with a leading 0x). type: list
- priority Priority for routes added by ike (1 - 65535). type: int
- proposal Phase1 proposal. type: str choices: [des-md5, des-sha1, 3des-md5, 3des-sha1, aes128-md5, aes128-sha1, aes192-md5, aes192-sha1, aes256-md5, aes256-sha1, des-sha256, 3des-sha256, aes128-sha256, aes192-sha256, aes256-sha256, des-sha384, des-sha512, 3des-sha384, 3des-sha512, aes128-sha384, aes128-sha512, aes192-sha384, aes192-sha512, aes256-sha384, aes256-sha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512]
- psksecret Pre-shared secret for psk authentication (ascii string or hexadecimal encoded with a leading 0x). type: list
- psksecret_remote (Alias name: psksecret-remote) Pre-shared secret for remote side psk authentication (ascii string or hexadecimal encoded with a leading 0x). type: list
- qkd Enable/disable use of quantum key distribution (qkd) server. type: str choices: [disable, allow, require]
- qkd_profile (Alias name: qkd-profile) Quantum key distribution (qkd) server profile. type: list
- reauth Enable/disable re-authentication upon ike sa lifetime expiration. type: str choices: [disable, enable]
- rekey Enable/disable phase1 rekey. type: str choices: [disable, enable]
- remote_gw (Alias name: remote-gw) Remote vpn gateway. type: str
- remote_gw_country (Alias name: remote-gw-country) Ipv4 addresses associated to a specific country. type: str
- remote_gw_end_ip (Alias name: remote-gw-end-ip) Last ipv4 address in the range. type: str
- remote_gw_match (Alias name: remote-gw-match) Set type of ipv4 remote gateway address matching. type: str choices: [any, ipmask, iprange, geography, ztna]
- remote_gw_start_ip (Alias name: remote-gw-start-ip) First ipv4 address in the range. type: str
- remote_gw_subnet (Alias name: remote-gw-subnet) Ipv4 address and subnet mask. type: list
- remote_gw6_country (Alias name: remote-gw6-country) Ipv6 addresses associated to a specific country. type: str
- remote_gw6_end_ip (Alias name: remote-gw6-end-ip) Last ipv6 address in the range. type: str
- remote_gw6_match (Alias name: remote-gw6-match) Set type of ipv6 remote gateway address matching. type: str choices: [any, iprange, geography, ipprefix]
- remote_gw6_start_ip (Alias name: remote-gw6-start-ip) First ipv6 address in the range. type: str
- remote_gw6_subnet (Alias name: remote-gw6-subnet) Ipv6 address and prefix. type: str
- remotegw_ddns (Alias name: remotegw-ddns) Domain name of remote gateway. type: str
- rsa_signature_format (Alias name: rsa-signature-format) Digital signature authentication rsa signature format. type: str choices: [pkcs1, pss]
- rsa_signature_hash_override (Alias name: rsa-signature-hash-override) Enable/disable ikev2 rsa signature hash algorithm override. type: str choices: [disable, enable]
- save_password (Alias name: save-password) Enable/disable saving xauth username and password on vpn clients. type: str choices: [disable, enable]
- send_cert_chain (Alias name: send-cert-chain) Enable/disable sending certificate chain. type: str choices: [disable, enable]
- signature_hash_alg (Alias name: signature-hash-alg) Digital signature authentication hash algorithms. type: list choices: [sha1, sha2-256, sha2-384, sha2-512]
- split_include_service (Alias name: split-include-service) Split-include services. type: list
- suite_b (Alias name: suite-b) Use suite-b. type: str choices: [disable, suite-b-gcm-128, suite-b-gcm-256]
- transit_gateway (Alias name: transit-gateway) Ipsec tunnel created by autoscaling to be used as a transit gateway. type: str choices: [disable, enable]
- transport Set ike transport protocol. type: str choices: [udp, tcp, udp-fallback-tcp, auto]
- type Remote gateway type. type: str choices: [static, dynamic, ddns]
- unity_support (Alias name: unity-support) Enable/disable support for cisco unity configuration method extensions. type: str choices: [disable, enable]
- usrgrp User group name for dialup peers. type: list
- wizard_type (Alias name: wizard-type) Gui vpn wizard type. type: str choices: [custom, dialup-forticlient, dialup-ios, dialup-android, dialup-cisco, static-fortigate, static-cisco, dialup-windows, dialup-fortigate, dialup-cisco-fw, simplified-static-fortigate, hub-fortigate-auto-discovery, spoke-fortigate-auto-discovery, fabric-overlay-orchestrator]
- xauthtype Xauth type. type: str choices: [disable, client, pap, chap, auto]
- forticlient_enforcement (Alias name: forticlient-enforcement) Enable/disable forticlient enforcement. type: str choices: [disable, enable]
- addke1 Addke1 group. type: list choices: [0, 1080, 1081, 1082, 1083, 1084, 1085, 1089, 1090, 1091, 1092, 1093, 1094, 35, 36, 37]
- addke2 Addke2 group. type: list choices: [0, 1080, 1081, 1082, 1083, 1084, 1085, 1089, 1090, 1091, 1092, 1093, 1094, 35, 36, 37]
- addke3 Addke3 group. type: list choices: [0, 1080, 1081, 1082, 1083, 1084, 1085, 1089, 1090, 1091, 1092, 1093, 1094, 35, 36, 37]
- addke4 Addke4 group. type: list choices: [0, 1080, 1081, 1082, 1083, 1084, 1085, 1089, 1090, 1091, 1092, 1093, 1094, 35, 36, 37]
- addke5 Addke5 group. type: list choices: [0, 1080, 1081, 1082, 1083, 1084, 1085, 1089, 1090, 1091, 1092, 1093, 1094, 35, 36, 37]
- addke6 Addke6 group. type: list choices: [0, 1080, 1081, 1082, 1083, 1084, 1085, 1089, 1090, 1091, 1092, 1093, 1094, 35, 36, 37]
- addke7 Addke7 group. type: list choices: [0, 1080, 1081, 1082, 1083, 1084, 1085, 1089, 1090, 1091, 1092, 1093, 1094, 35, 36, 37]
- auto_transport_threshold (Alias name: auto-transport-threshold) Timeout in seconds before falling back to next transport protocol. type: int
- ipv6_auto_linklocal (Alias name: ipv6-auto-linklocal) Enable/disable auto generation of ipv6 link-local address using last 8 bytes of mode-cfg assigned ipv6 address. type: str choices: [disable, enable]
- remote_gw_ztna_tags (Alias name: remote-gw-ztna-tags) Ipv4 ztna posture tags. type: list
- shared_idle_timeout (Alias name: shared-idle-timeout) Enable/disable ipsec tunnel shared idle timeout. type: str choices: [disable, enable]
- qkd_hybrid (Alias name: qkd-hybrid) Enable/disable use of quantum key distribution (qkd) hybrid keys. type: str choices: [disable, require, allow]
- dns_suffix_search (Alias name: dns-suffix-search) One or more dns domain name suffixes in quotes separated by spaces. type: list
Notes
- Running in workspace locking mode is supported in this FortiManager module; the top-level parameters workspace_locking_adom and workspace_locking_timeout are used for this.
- To create or update an object, use the state: present directive.
- To delete an object, use the state: absent directive.
- Normally, running a module can fail when a non-zero rc is returned. You can also override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.
Examples
- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    # false skips TLS certificate verification of the FortiManager API endpoint;
    # set to true once the FortiManager certificate is trusted by the control node.
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure VPN remote gateway.
      fortinet.fmgdevice.fmgd_vpn_ipsec_phase1:
        # bypass_validation: false
        # workspace_locking_adom: <global or your adom name>
        # workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        state: present # <value in [present, absent]>
        vpn_ipsec_phase1:
          name: "your value" # Required variable, string
          # acct_verify: <value in [disable, enable]>
          # add_gw_route: <value in [disable, enable]>
          # add_route: <value in [disable, enable]>
          # assign_ip: <value in [disable, enable]>
          # assign_ip_from: <value in [range, usrgrp, dhcp, ...]>
          # authmethod: <value in [psk, rsa-signature, signature]>
          # authmethod_remote: <value in [psk, signature]>
          # authpasswd: <list or string>
          # authusr: <string>
          # authusrgrp: <list or string>
          # auto_negotiate: <value in [disable, enable]>
          # azure_ad_autoconnect: <value in [disable, enable]>
          # backup_gateway: <list or string>
          # banner: <string>
          # cert_id_validation: <value in [disable, enable]>
          # cert_peer_username_strip: <value in [disable, enable]>
          # cert_peer_username_validation: <value in [othername, rfc822name, cn, ...]>
          # cert_trust_store: <value in [local, ems]>
          # certificate: <list or string>
          # childless_ike: <value in [disable, enable]>
          # client_auto_negotiate: <value in [disable, enable]>
          # client_keep_alive: <value in [disable, enable]>
          # client_resume: <value in [disable, enable]>
          # client_resume_interval: <integer>
          # comments: <string>
          # dev_id: <string>
          # dev_id_notification: <value in [disable, enable]>
          # dhcp_ra_giaddr: <string>
          # dhcp6_ra_linkaddr: <string>
          # dhgrp:
          #   - "1"
          #   - "2"
          #   - "5"
          #   - "14"
          #   - "15"
          #   - "16"
          #   - "17"
          #   - "18"
          #   - "19"
          #   - "20"
          #   - "21"
          #   - "27"
          #   - "28"
          #   - "29"
          #   - "30"
          #   - "31"
          #   - "32"
          # digital_signature_auth: <value in [disable, enable]>
          # distance: <integer>
          # dns_mode: <value in [auto, manual]>
          # domain: <string>
          # dpd: <value in [disable, enable, on-idle, ...]>
          # dpd_retrycount: <integer>
          # dpd_retryinterval: <list or integer>
          # eap: <value in [disable, enable]>
          # eap_cert_auth: <value in [disable, enable]>
          # eap_exclude_peergrp: <list or string>
          # eap_identity: <value in [use-id-payload, send-request]>
          # ems_sn_check: <value in [disable, enable]>
          # enforce_unique_id: <value in [disable, keep-new, keep-old]>
          # esn: <value in [disable, require, allow]>
          # exchange_fgt_device_id: <value in [disable, enable]>
          # fallback_tcp_threshold: <integer>
          # fec_base: <integer>
          # fec_codec: <value in [rs, xor]>
          # fec_egress: <value in [disable, enable]>
          # fec_health_check: <list or string>
          # fec_ingress: <value in [disable, enable]>
          # fec_mapping_profile: <list or string>
          # fec_receive_timeout: <integer>
          # fec_redundant: <integer>
          # fec_send_timeout: <integer>
          # fgsp_sync: <value in [disable, enable]>
          # fortinet_esp: <value in [disable, enable]>
          # fragmentation: <value in [disable, enable]>
          # fragmentation_mtu: <integer>
          # group_authentication: <value in [disable, enable]>
          # group_authentication_secret: <list or string>
          # ha_sync_esp_seqno: <value in [disable, enable]>
          # idle_timeout: <value in [disable, enable]>
          # idle_timeoutinterval: <integer>
          # ike_version: <value in [1, 2]>
          # inbound_dscp_copy: <value in [disable, enable]>
          # include_local_lan: <value in [disable, enable]>
          # interface: <list or string>
          # internal_domain_list: <list or string>
          # ip_delay_interval: <integer>
          # ipv4_dns_server1: <string>
          # ipv4_dns_server2: <string>
          # ipv4_dns_server3: <string>
          # ipv4_end_ip: <string>
          # ipv4_exclude_range:
          #   - end_ip: <string>
          #     id: <integer>
          #     start_ip: <string>
          # ipv4_name: <list or string>
          # ipv4_netmask: <string>
          # ipv4_split_exclude: <list or string>
          # ipv4_split_include: <list or string>
          # ipv4_start_ip: <string>
          # ipv4_wins_server1: <string>
          # ipv4_wins_server2: <string>
          # ipv6_dns_server1: <string>
          # ipv6_dns_server2: <string>
          # ipv6_dns_server3: <string>
          # ipv6_end_ip: <string>
          # ipv6_exclude_range:
          #   - end_ip: <string>
          #     id: <integer>
          #     start_ip: <string>
          # ipv6_name: <list or string>
          # ipv6_prefix: <integer>
          # ipv6_split_exclude: <list or string>
          # ipv6_split_include: <list or string>
          # ipv6_start_ip: <string>
          # keepalive: <integer>
          # keylife: <integer>
          # kms: <list or string>
          # link_cost: <integer>
          # local_gw: <string>
          # localid: <string>
          # localid_type: <value in [auto, fqdn, user-fqdn, ...]>
          # loopback_asymroute: <value in [disable, enable]>
          # mesh_selector_type: <value in [disable, subnet, host]>
          # mode: <value in [main, aggressive]>
          # mode_cfg: <value in [disable, enable]>
          # mode_cfg_allow_client_selector: <value in [disable, enable]>
          # nattraversal: <value in [disable, enable, forced]>
          # negotiate_timeout: <integer>
          # network_id: <integer>
          # network_overlay: <value in [disable, enable]>
          # npu_offload: <value in [disable, enable]>
          # peer: <list or string>
          # peergrp: <list or string>
          # peerid: <string>
          # peertype: <value in [any, one, dialup, ...]>
          # ppk: <value in [disable, allow, require]>
          # ppk_identity: <string>
          # ppk_secret: <list or string>
          # priority: <integer>
          # proposal: <value in [des-md5, des-sha1, 3des-md5, ...]>
          # psksecret: <list or string>
          # psksecret_remote: <list or string>
          # qkd: <value in [disable, allow, require]>
          # qkd_profile: <list or string>
          # reauth: <value in [disable, enable]>
          # rekey: <value in [disable, enable]>
          # remote_gw: <string>
          # remote_gw_country: <string>
          # remote_gw_end_ip: <string>
          # remote_gw_match: <value in [any, ipmask, iprange, ...]>
          # remote_gw_start_ip: <string>
          # remote_gw_subnet: <list or string>
          # remote_gw6_country: <string>
          # remote_gw6_end_ip: <string>
          # remote_gw6_match: <value in [any, iprange, geography, ...]>
          # remote_gw6_start_ip: <string>
          # remote_gw6_subnet: <string>
          # remotegw_ddns: <string>
          # rsa_signature_format: <value in [pkcs1, pss]>
          # rsa_signature_hash_override: <value in [disable, enable]>
          # save_password: <value in [disable, enable]>
          # send_cert_chain: <value in [disable, enable]>
          # signature_hash_alg:
          #   - "sha1"
          #   - "sha2-256"
          #   - "sha2-384"
          #   - "sha2-512"
          # split_include_service: <list or string>
          # suite_b: <value in [disable, suite-b-gcm-128, suite-b-gcm-256]>
          # transit_gateway: <value in [disable, enable]>
          # transport: <value in [udp, tcp, udp-fallback-tcp, ...]>
          # type: <value in [static, dynamic, ddns]>
          # unity_support: <value in [disable, enable]>
          # usrgrp: <list or string>
          # wizard_type: <value in [custom, dialup-forticlient, dialup-ios, ...]>
          # xauthtype: <value in [disable, client, pap, ...]>
          # forticlient_enforcement: <value in [disable, enable]>
          # addke1:
          #   - "0"
          #   - "1080"
          #   - "1081"
          #   - "1082"
          #   - "1083"
          #   - "1084"
          #   - "1085"
          #   - "1089"
          #   - "1090"
          #   - "1091"
          #   - "1092"
          #   - "1093"
          #   - "1094"
          #   - "35"
          #   - "36"
          #   - "37"
          # addke2:
          #   - "0"
          #   - "1080"
          #   - "1081"
          #   - "1082"
          #   - "1083"
          #   - "1084"
          #   - "1085"
          #   - "1089"
          #   - "1090"
          #   - "1091"
          #   - "1092"
          #   - "1093"
          #   - "1094"
          #   - "35"
          #   - "36"
          #   - "37"
          # addke3:
          #   - "0"
          #   - "1080"
          #   - "1081"
          #   - "1082"
          #   - "1083"
          #   - "1084"
          #   - "1085"
          #   - "1089"
          #   - "1090"
          #   - "1091"
          #   - "1092"
          #   - "1093"
          #   - "1094"
          #   - "35"
          #   - "36"
          #   - "37"
          # addke4:
          #   - "0"
          #   - "1080"
          #   - "1081"
          #   - "1082"
          #   - "1083"
          #   - "1084"
          #   - "1085"
          #   - "1089"
          #   - "1090"
          #   - "1091"
          #   - "1092"
          #   - "1093"
          #   - "1094"
          #   - "35"
          #   - "36"
          #   - "37"
          # addke5:
          #   - "0"
          #   - "1080"
          #   - "1081"
          #   - "1082"
          #   - "1083"
          #   - "1084"
          #   - "1085"
          #   - "1089"
          #   - "1090"
          #   - "1091"
          #   - "1092"
          #   - "1093"
          #   - "1094"
          #   - "35"
          #   - "36"
          #   - "37"
          # addke6:
          #   - "0"
          #   - "1080"
          #   - "1081"
          #   - "1082"
          #   - "1083"
          #   - "1084"
          #   - "1085"
          #   - "1089"
          #   - "1090"
          #   - "1091"
          #   - "1092"
          #   - "1093"
          #   - "1094"
          #   - "35"
          #   - "36"
          #   - "37"
          # addke7:
          #   - "0"
          #   - "1080"
          #   - "1081"
          #   - "1082"
          #   - "1083"
          #   - "1084"
          #   - "1085"
          #   - "1089"
          #   - "1090"
          #   - "1091"
          #   - "1092"
          #   - "1093"
          #   - "1094"
          #   - "35"
          #   - "36"
          #   - "37"
          # auto_transport_threshold: <integer>
          # ipv6_auto_linklocal: <value in [disable, enable]>
          # remote_gw_ztna_tags: <list or string>
          # shared_idle_timeout: <value in [disable, enable]>
          # qkd_hybrid: <value in [disable, require, allow]>
          # dns_suffix_search: <list or string>
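A filled-in variant of the generated skeleton, added here as an example and not part of the module's own documentation: it verifies the FortiManager certificate, takes the API token from a vaulted variable, and asserts a site crypto policy on the phase1 values before the module is called. The object names, addresses, the `fmg_device` and `vault_fmg_access_token` variables and the policy lists are assumptions; every module parameter and choice value used is taken from the parameter list on this page.

```yaml
- name: Hardened IKEv2 phase1 with a pre-flight policy check (added example)
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify the FortiManager certificate
    ansible_httpapi_port: 443

    # Constructed sample values; replace with your own.
    fmg_device: "branch1-fgt"              # hypothetical managed device name
    phase1:
      name: "hq-to-branch1"
      type: "static"
      interface: ["wan1"]
      remote_gw: "203.0.113.10"            # documentation address range
      ike_version: "2"
      authmethod: "signature"
      certificate: ["branch1-gw-cert"]     # must already exist on the device
      peertype: "peer"
      peer: ["hq-peer"]                    # must already exist on the device
      cert_id_validation: "enable"
      proposal: "aes256gcm-prfsha384"
      dhgrp: ["20", "21"]
      signature_hash_alg: ["sha2-384", "sha2-512"]
      dpd: "on-idle"
      nattraversal: "enable"
      rekey: "enable"
      reauth: "enable"

    # Site policy (assumption): choice values this site refuses to push.
    weak_dhgrp: ["1", "2", "5"]
    # Matches any proposal with a des, 3des, md5, sha1 or prfsha1 component,
    # e.g. des-sha256, aes128-md5, aes256-sha1, aes128gcm-prfsha1.
    weak_proposal_regex: "(^|-)(des|3des|md5|sha1|prfsha1)(-|$)"

  tasks:
    - name: Refuse weak phase1 settings before anything reaches FortiManager
      ansible.builtin.assert:
        that:
          - phase1.ike_version == "2"
          - phase1.mode | default("main") != "aggressive"
          - phase1.proposal is not search(weak_proposal_regex)
          - phase1.dhgrp | intersect(weak_dhgrp) | length == 0
          - "'sha1' not in (phase1.signature_hash_alg | default([]))"
          - phase1.peertype is defined and phase1.peertype != "any"
        fail_msg: "phase1 '{{ phase1.name }}' violates the site crypto policy"
        success_msg: "phase1 '{{ phase1.name }}' passed the site crypto policy"

    - name: Configure VPN remote gateway from the vetted values
      fortinet.fmgdevice.fmgd_vpn_ipsec_phase1:
        # Token comes from an Ansible Vault encrypted variable (hypothetical name).
        access_token: "{{ vault_fmg_access_token }}"
        device: "{{ fmg_device }}"
        vdom: "root"
        state: present
        vpn_ipsec_phase1: "{{ phase1 }}"
      no_log: true                         # keep the token out of task output
```

If a PSK tunnel is unavoidable, supply psksecret from a vaulted variable in the same way and keep no_log: true on the task.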
Return Values
Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following fields are unique to this module:
- meta - The result of the request. returned: always type: dict
- request_url - The full url requested. returned: always type: str sample: /sys/login/user
- response_code - The status of api request. returned: always type: int sample: 0
- response_data - The data body of the api response. returned: optional type: list or dict
- response_message - The descriptive message of the api response. returned: always type: str sample: OK
- system_information - The information of the target system. returned: always type: dict
- rc - The status of the request. returned: always type: int sample: 0
- version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least one parameter is not supported by the current FortiManager version type: list
Status
This module is not guaranteed to have a backwards compatible interface.