fmgd_webproxy_explicit – Configure explicit Web proxy settings.
Added in version 1.0.0.
Synopsis
This module is able to configure a FortiManager device.
Examples include all parameters, and values need to be adjusted to data sources before usage.
Tested with FortiManager v7.x.
Requirements
The below requirements are needed on the host that executes this module.
ansible-core>=2.16.0
FortiManager Version Compatibility
Supported Version Ranges: v7.2.6 -> v7.2.12, v7.4.3 -> latest
Parameters
- access_token - The token to access FortiManager without using username and password. type: str required: false
- bypass_validation - Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters. type: bool required: false default: False
- enable_log - Enable/Disable logging for task. type: bool required: false default: False
- forticloud_access_token - Access token of FortiCloud managed API users; this option is available with FortiManager later than 6.4.0. type: str required: false
- proposed_method - The overridden method for the underlying JSON RPC request. type: str required: false choices: set, update, add
- rc_succeeded - The list of rc codes with which the conditions to succeed will be overridden. type: list required: false
- rc_failed - The list of rc codes with which the conditions to fail will be overridden. type: list required: false
- state - The directive to create, update or delete an object. type: str required: true choices: present, absent
- workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
- workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock. type: integer required: false default: 300
- device - The parameter in requested url. type: str required: true
- vdom - The parameter in requested url. type: str required: true
- webproxy_explicit - Configure explicit Web proxy settings. type: dict
  - client_cert (Alias name: client-cert) Enable/disable to request client certificate. type: str choices: [disable, enable]
  - empty_cert_action (Alias name: empty-cert-action) Action of an empty client certificate. type: str choices: [block, accept, accept-unmanageable]
  - ftp_incoming_port (Alias name: ftp-incoming-port) Accept incoming ftp-over-http requests on one or more ports (0 - 65535, default = 0; use the same as http). type: list
  - ftp_over_http (Alias name: ftp-over-http) Enable to proxy ftp-over-http sessions sent from a web browser. type: str choices: [disable, enable]
  - http_connection_mode (Alias name: http-connection-mode) Http connection mode (default = static). type: str choices: [static, multiplex, serverpool]
  - http_incoming_port (Alias name: http-incoming-port) Accept incoming http requests on one or more ports (0 - 65535, default = 8080). type: list
  - https_incoming_port (Alias name: https-incoming-port) Accept incoming https requests on one or more ports (0 - 65535, default = 0, use the same as http). type: list
  - https_replacement_message (Alias name: https-replacement-message) Enable/disable sending the client a replacement message for https requests. type: str choices: [disable, enable]
  - incoming_ip (Alias name: incoming-ip) Restrict the explicit http proxy to only accept sessions from this ip address. type: str
  - incoming_ip6 (Alias name: incoming-ip6) Restrict the explicit web proxy to only accept sessions from this ipv6 address. type: str
  - ipv6_status (Alias name: ipv6-status) Enable/disable allowing an ipv6 web proxy destination in policies and all ipv6 related entries in this command. type: str choices: [disable, enable]
  - message_upon_server_error (Alias name: message-upon-server-error) Enable/disable displaying a replacement message when a server error is detected. type: str choices: [disable, enable]
  - outgoing_ip (Alias name: outgoing-ip) Outgoing http requests will have this ip address as their source address. type: list
  - outgoing_ip6 (Alias name: outgoing-ip6) Outgoing http requests will leave this ipv6. type: list
  - pac_file_data (Alias name: pac-file-data) Pac file contents enclosed in quotes (maximum of 256k bytes). type: str
  - pac_file_name (Alias name: pac-file-name) Pac file name. type: str
  - pac_file_server_port (Alias name: pac-file-server-port) Port number that pac traffic from client web browsers uses to connect to the explicit web proxy (0 - 65535, default = 0; use the same as http). type: list
  - pac_file_server_status (Alias name: pac-file-server-status) Enable/disable proxy auto-configuration (pac) for users of this explicit proxy profile. type: str choices: [disable, enable]
  - pac_file_through_https (Alias name: pac-file-through-https) Enable/disable to get proxy auto-configuration (pac) through https. type: str choices: [disable, enable]
  - pac_file_url (Alias name: pac-file-url) Pac file url. type: str
  - pac_policy (Alias name: pac-policy) Pac policy. type: list
    - comments Optional comments. type: str
    - dstaddr Destination address objects. type: list
    - pac_file_data (Alias name: pac-file-data) Pac file contents enclosed in quotes (maximum of 256k bytes). type: str
    - pac_file_name (Alias name: pac-file-name) Pac file name. type: str
    - policyid Policy id. type: int
    - srcaddr Source address objects. type: list
    - srcaddr6 Source address6 objects. type: list
    - status Enable/disable policy. type: str choices: [disable, enable]
  - pref_dns_result (Alias name: pref-dns-result) Prefer resolving addresses using the configured ipv4 or ipv6 dns server (default = ipv4). type: str choices: [ipv4, ipv6, ipv4-strict, ipv6-strict]
  - realm Authentication realm used to identify the explicit web proxy (maximum of 63 characters). type: str
  - sec_default_action (Alias name: sec-default-action) Accept or deny explicit web proxy sessions when no web proxy firewall policy exists. type: str choices: [deny, accept]
  - secure_web_proxy (Alias name: secure-web-proxy) Enable/disable/require the secure web proxy for http and https session. type: str choices: [disable, enable, secure]
  - secure_web_proxy_cert (Alias name: secure-web-proxy-cert) Name of certificates for secure web proxy. type: list
  - socks Enable/disable the socks proxy. type: str choices: [disable, enable]
  - socks_incoming_port (Alias name: socks-incoming-port) Accept incoming socks proxy requests on one or more ports (0 - 65535, default = 0; use the same as http). type: list
  - ssl_algorithm (Alias name: ssl-algorithm) Relative strength of encryption algorithms accepted in https deep scan: high, medium, or low. type: str choices: [high, medium, low]
  - ssl_dh_bits (Alias name: ssl-dh-bits) Bit-size of diffie-hellman (dh) prime used in dhe-rsa negotiation (default = 2048). type: str choices: [768, 1024, 1536, 2048]
  - status Enable/disable the explicit web proxy for http and https session. type: str choices: [disable, enable]
  - strict_guest (Alias name: strict-guest) Enable/disable strict guest user checking by the explicit web proxy. type: str choices: [disable, enable]
  - trace_auth_no_rsp (Alias name: trace-auth-no-rsp) Enable/disable logging timed-out authentication requests. type: str choices: [disable, enable]
  - unknown_http_version (Alias name: unknown-http-version) How to handle http sessions that do not comply with http 0. type: str choices: [best-effort, reject, tunnel]
  - user_agent_detect (Alias name: user-agent-detect) Enable/disable to detect device type by http user-agent if no client certificate provided. type: str choices: [disable, enable]
  - interface Specify outgoing interface to reach server. type: list
  - interface_select_method (Alias name: interface-select-method) Specify how to select outgoing interface to reach server. type: str choices: [sdwan, specify]
  - vrf_select (Alias name: vrf-select) Vrf id used for connection to server. type: int
  - name Object name type: str
  - return_to_sender (Alias name: return-to-sender) Enable/disable return-to-sender. type: str choices: [disable, enable]
Notes
Running in workspace locking mode is supported in this FortiManager module; the top-level parameters workspace_locking_adom and workspace_locking_timeout do the work.
To create or update an object, use the state: present directive.
To delete an object, use the state: absent directive.
Normally, running one module can fail when a non-zero rc is returned. You can also override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.
Examples
- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    # validate_certs: false skips TLS certificate verification of the FortiManager host
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure explicit Web proxy settings.
      fortinet.fmgdevice.fmgd_webproxy_explicit:
        # bypass_validation: false
        # workspace_locking_adom: <global or your adom name>
        # workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        state: present # <value in [present, absent]>
        webproxy_explicit:
          name: "your value" # Required variable, string
          # client_cert: <value in [disable, enable]>
          # empty_cert_action: <value in [block, accept, accept-unmanageable]>
          # ftp_incoming_port: <list or string>
          # ftp_over_http: <value in [disable, enable]>
          # http_connection_mode: <value in [static, multiplex, serverpool]>
          # http_incoming_port: <list or string>
          # https_incoming_port: <list or string>
          # https_replacement_message: <value in [disable, enable]>
          # incoming_ip: <string>
          # incoming_ip6: <string>
          # ipv6_status: <value in [disable, enable]>
          # message_upon_server_error: <value in [disable, enable]>
          # outgoing_ip: <list or string>
          # outgoing_ip6: <list or string>
          # pac_file_data: <string>
          # pac_file_name: <string>
          # pac_file_server_port: <list or string>
          # pac_file_server_status: <value in [disable, enable]>
          # pac_file_through_https: <value in [disable, enable]>
          # pac_file_url: <string>
          # pac_policy:
          #   - comments: <string>
          #     dstaddr: <list or string>
          #     pac_file_data: <string>
          #     pac_file_name: <string>
          #     policyid: <integer>
          #     srcaddr: <list or string>
          #     srcaddr6: <list or string>
          #     status: <value in [disable, enable]>
          # pref_dns_result: <value in [ipv4, ipv6, ipv4-strict, ...]>
          # realm: <string>
          # sec_default_action: <value in [deny, accept]>
          # secure_web_proxy: <value in [disable, enable, secure]>
          # secure_web_proxy_cert: <list or string>
          # socks: <value in [disable, enable]>
          # socks_incoming_port: <list or string>
          # ssl_algorithm: <value in [high, medium, low]>
          # ssl_dh_bits: <value in [768, 1024, 1536, ...]>
          # status: <value in [disable, enable]>
          # strict_guest: <value in [disable, enable]>
          # trace_auth_no_rsp: <value in [disable, enable]>
          # unknown_http_version: <value in [best-effort, reject, tunnel]>
          # user_agent_detect: <value in [disable, enable]>
          # interface: <list or string>
          # interface_select_method: <value in [sdwan, specify]>
          # vrf_select: <integer>
          # return_to_sender: <value in [disable, enable]>
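A stricter variant of the generated playbook, as an added example that is not part of the module's own documentation: it keeps certificate validation on for the FortiManager connection, picks the more restrictive choice for several parameters listed above, and checks the version_check_warning return value so that an unsupported parameter does not go unnoticed. The device, VDOM, object name, IP address and the fmg_access_token variable are placeholder assumptions.

```yaml
- name: Explicit web proxy with restrictive options (added example)
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify the FortiManager certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Configure explicit Web proxy settings with stricter values
      fortinet.fmgdevice.fmgd_webproxy_explicit:
        # hypothetical variable, expected to come from Ansible Vault
        access_token: "{{ fmg_access_token }}"
        device: example-fgt-01          # placeholder device name
        vdom: root                      # placeholder VDOM
        state: present
        webproxy_explicit:
          name: explicit-proxy          # placeholder object name
          status: enable
          incoming_ip: 192.0.2.10       # constructed address (documentation range)
          sec_default_action: deny      # no matching proxy policy means no session
          unknown_http_version: reject  # do not tunnel non-compliant HTTP
          socks: disable
          ftp_over_http: disable
          ssl_algorithm: high
          ssl_dh_bits: "2048"           # largest choice the module offers
          trace_auth_no_rsp: enable     # log timed-out authentication requests
      register: proxy_result

    - name: Stop if any parameter was not supported by this FortiManager version
      ansible.builtin.assert:
        that:
          - proxy_result.version_check_warning is not defined
        fail_msg: "Unsupported parameters: {{ proxy_result.version_check_warning | default([]) }}"
```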
Return Values
Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values. The following fields are unique to this module:
- meta - The result of the request. returned: always type: dict
  - request_url - The full url requested. returned: always type: str sample: /sys/login/user
  - response_code - The status of api request. returned: always type: int sample: 0
  - response_data - The data body of the api response. returned: optional type: list or dict
  - response_message - The descriptive message of the api response. returned: always type: str sample: OK
  - system_information - The information of the target system. returned: always type: dict
- rc - The status of the request. returned: always type: int sample: 0
- version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least one parameter not supported by the current FortiManager version type: list
Status
This module is not guaranteed to have a backwards compatible interface.