fmgd_webproxy_global – Configure Web proxy global settings.

Added in version 1.0.0.

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values need to be adjusted to data sources before usage.

  • Tested with FortiManager v7.x.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible-core>=2.16.0

FortiManager Version Compatibility

Supported Version Ranges: v7.2.6 -> v7.2.12, v7.4.3 -> latest

Parameters

  • access_token -The token to access FortiManager without using username and password. type: str required: false
  • bypass_validation - Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. type: bool required: false default: False
  • enable_log - Enable/Disable logging for task. type: bool required: false default: False
  • forticloud_access_token - Access token of forticloud managed API users, this option is available with FortiManager later than 6.4.0. type: str required: false
  • proposed_method - The overridden method for the underlying Json RPC request. type: str required: false choices: set, update, add
  • rc_succeeded - The rc codes list with which the conditions to succeed will be overriden. type: list required: false
  • rc_failed - The rc codes list with which the conditions to fail will be overriden. type: list required: false
  • workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
  • workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock. type: integer required: false default: 300
  • device - The parameter in requested url type: str required: true
  • vdom - The parameter in requested url type: str required: true
  • webproxy_global - Configure Web proxy global settings. type: dict
    • always_learn_client_ip (Alias name: always-learn-client-ip) Enable/disable learning the clients ip address from headers for every request. type: str choices: [disable, enable] more...
    • fast_policy_match (Alias name: fast-policy-match) Enable/disable fast matching algorithm for explicit and transparent proxy policy. type: str choices: [disable, enable] more...
    • forward_proxy_auth (Alias name: forward-proxy-auth) Enable/disable forwarding proxy authentication headers. type: str choices: [disable, enable] more...
    • forward_server_affinity_timeout (Alias name: forward-server-affinity-timeout) Period of time before the source ips traffic is no longer assigned to the forwarding server (6 - 60 min, default = 30). type: int more...
    • ldap_user_cache (Alias name: ldap-user-cache) Enable/disable ldap user cache for explicit and transparent proxy user. type: str choices: [disable, enable] more...
    • learn_client_ip (Alias name: learn-client-ip) Enable/disable learning the clients ip address from headers. type: str choices: [disable, enable, traffic-process, log-only] more...
    • learn_client_ip_from_header (Alias name: learn-client-ip-from-header) Learn client ip address from the specified headers. type: list choices: [true-client-ip, x-real-ip, x-forwarded-for] more...
    • learn_client_ip_srcaddr (Alias name: learn-client-ip-srcaddr) Source address name (srcaddr or srcaddr6 must be set). type: list more...
    • learn_client_ip_srcaddr6 (Alias name: learn-client-ip-srcaddr6) Ipv6 source address name (srcaddr or srcaddr6 must be set). type: list more...
    • log_app_id (Alias name: log-app-id) Enable/disable always log application type in traffic log. type: str choices: [disable, enable] more...
    • log_forward_server (Alias name: log-forward-server) Enable/disable forward server name logging in forward traffic log. type: str choices: [disable, enable] more...
    • log_policy_pending (Alias name: log-policy-pending) Enable/disable logging sessions that are pending on policy matching. type: str choices: [disable, enable] more...
    • max_message_length (Alias name: max-message-length) Maximum length of http message, not including body (16 - 256 kbytes, default = 32). type: int more...
    • max_request_length (Alias name: max-request-length) Maximum length of http request line (2 - 64 kbytes, default = 8). type: int more...
    • max_waf_body_cache_length (Alias name: max-waf-body-cache-length) Maximum length of http messages processed by web application firewall (waf) (10 - 1024 kbytes, default = 32). type: int more...
    • policy_category_deep_inspect (Alias name: policy-category-deep-inspect) Enable/disable deep inspection for application level category policy matching. type: str choices: [disable, enable] more...
    • proxy_fqdn (Alias name: proxy-fqdn) Fully qualified domain name (fqdn) that clients connect to (default = default. type: str more...
    • proxy_transparent_cert_inspection (Alias name: proxy-transparent-cert-inspection) Enable/disable transparent proxy certificate inspection. type: str choices: [disable, enable] more...
    • src_affinity_exempt_addr (Alias name: src-affinity-exempt-addr) Ipv4 source addresses to exempt proxy affinity. type: list more...
    • src_affinity_exempt_addr6 (Alias name: src-affinity-exempt-addr6) Ipv6 source addresses to exempt proxy affinity. type: list more...
    • ssl_ca_cert (Alias name: ssl-ca-cert) Ssl ca certificate for ssl interception. type: list more...
    • ssl_cert (Alias name: ssl-cert) Ssl certificate for ssl interception. type: list more...
    • strict_web_check (Alias name: strict-web-check) Enable/disable strict web checking to block web sites that send incorrect headers that dont conform to http 1. type: str choices: [disable, enable] more...
    • webproxy_profile (Alias name: webproxy-profile) Name of the web proxy profile to apply when explicit proxy traffic is allowed by default and traffic is accepted that does not match an explicit proxy policy. type: list more...
    • tunnel_non_http (Alias name: tunnel-non-http) Enable/disable allowing non-http traffic. type: str choices: [disable, enable] more...
    • unknown_http_version (Alias name: unknown-http-version) Action to take when an unknown version of http is encountered: reject, allow (tunnel), or proceed with best-effort. type: str choices: [best-effort, reject, tunnel] more...
    • request_obs_fold (Alias name: request-obs-fold) Action when http/1. type: str choices: [block, replace-with-sp, keep] more...
    • http2_client_window_size (Alias name: http2-client-window-size) Http/2 client initial window size in bytes (65535 - 2147483647, default = 1048576 (1mb)). type: int more...
    • http2_server_window_size (Alias name: http2-server-window-size) Http/2 server initial window size in bytes (65535 - 2147483647, default = 1048576 (1mb)). type: int more...
    • explicit_outgoing_ip (Alias name: explicit-outgoing-ip) Outgoing http requests by explicit webproxy will have this ip address as their source address. type: list more...
    • explicit_outgoing_ip6 (Alias name: explicit-outgoing-ip6) Outgoing http requests by explicit webproxy will leave this ip. type: list more...
    • extended_log (Alias name: extended-log) Extended log. type: str choices: [disable, enable] more...
    • https_replacement_message (Alias name: https-replacement-message) Default action to enable or disable return replacement message for https requests. type: str choices: [disable, enable] more...
    • log_http_transaction (Alias name: log-http-transaction) Log http transaction. type: str choices: [disable, enable, all, utm] more...
    • message_upon_server_error (Alias name: message-upon-server-error) Enable/disable return of replacement message upon server error detection. type: str choices: [disable, enable] more...
    • realm Authentication realm. type: str more...
    • strict_guest (Alias name: strict-guest) Enable/disable strict guest user checking by the explicit web proxy. type: str choices: [disable, enable] more...
    • trace_auth_no_rsp (Alias name: trace-auth-no-rsp) Enable/disable logging timed-out authentication requests. type: str choices: [disable, enable] more...
    • use_dynamic_pkey (Alias name: use-dynamic-pkey) Use dynamic pkey. type: str choices: [disable, enable] more...
    • address_ip_rating (Alias name: address-ip-rating) Address ip rating. type: str choices: [disable, enable] more...
    • policy_partial_match (Alias name: policy-partial-match) Policy partial match. type: str choices: [disable, enable] more...
    • auth_sign_timeout (Alias name: auth-sign-timeout) Proxy auth query sign timeout in seconds (30 - 3600, default = 120). type: int more...

Notes

Note

  • Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.

  • To create or update an object, use state: present directive.

  • To delete an object, use state: absent directive

  • Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure Web proxy global settings.
      fortinet.fmgdevice.fmgd_webproxy_global:
        # bypass_validation: false
        # workspace_locking_adom: <global or your adom name>
        # workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        webproxy_global:
          # always_learn_client_ip: <value in [disable, enable]>
          # fast_policy_match: <value in [disable, enable]>
          # forward_proxy_auth: <value in [disable, enable]>
          # forward_server_affinity_timeout: <integer>
          # ldap_user_cache: <value in [disable, enable]>
          # learn_client_ip: <value in [disable, enable, traffic-process, ...]>
          # learn_client_ip_from_header:
          #   - "true-client-ip"
          #   - "x-real-ip"
          #   - "x-forwarded-for"
          # learn_client_ip_srcaddr: <list or string>
          # learn_client_ip_srcaddr6: <list or string>
          # log_app_id: <value in [disable, enable]>
          # log_forward_server: <value in [disable, enable]>
          # log_policy_pending: <value in [disable, enable]>
          # max_message_length: <integer>
          # max_request_length: <integer>
          # max_waf_body_cache_length: <integer>
          # policy_category_deep_inspect: <value in [disable, enable]>
          # proxy_fqdn: <string>
          # proxy_transparent_cert_inspection: <value in [disable, enable]>
          # src_affinity_exempt_addr: <list or string>
          # src_affinity_exempt_addr6: <list or string>
          # ssl_ca_cert: <list or string>
          # ssl_cert: <list or string>
          # strict_web_check: <value in [disable, enable]>
          # webproxy_profile: <list or string>
          # tunnel_non_http: <value in [disable, enable]>
          # unknown_http_version: <value in [best-effort, reject, tunnel]>
          # request_obs_fold: <value in [block, replace-with-sp, keep]>
          # http2_client_window_size: <integer>
          # http2_server_window_size: <integer>
          # explicit_outgoing_ip: <list or string>
          # explicit_outgoing_ip6: <list or string>
          # extended_log: <value in [disable, enable]>
          # https_replacement_message: <value in [disable, enable]>
          # log_http_transaction: <value in [disable, enable, all, ...]>
          # message_upon_server_error: <value in [disable, enable]>
          # realm: <string>
          # strict_guest: <value in [disable, enable]>
          # trace_auth_no_rsp: <value in [disable, enable]>
          # use_dynamic_pkey: <value in [disable, enable]>
          # address_ip_rating: <value in [disable, enable]>
          # policy_partial_match: <value in [disable, enable]>
          # auth_sign_timeout: <integer>

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • meta - The result of the request.returned: always type: dict
    • request_url - The full url requested. returned: always type: str sample: /sys/login/user
    • response_code - The status of api request. returned: always type: int sample: 0
    • response_data - The data body of the api response. returned: optional type: list or dict
    • response_message - The descriptive message of the api response. returned: always type: str sample: OK
    • system_information - The information of the target system. returned: always type: dict
  • rc - The status the request. returned: always type: int sample: 0
  • version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least one parameter not supported by the current FortiManager version type: list

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Xinwei Du (@dux-fortinet)

  • Xing Li (@lix-fortinet)

  • Jie Xue (@JieX19)

  • Link Zheng (@chillancezen)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)