Parameter |
Choices/Defaults |
Comments |
firewall_vip
dictionary
|
Default:
null
|
Configure virtual IP for IPv4.
|
|
arp_reply
string
|
|
Enable to respond to ARP requests for this virtual IP address. Enabled by default.
|
|
color
integer
|
|
Color of icon on the GUI.
|
|
comment
string
|
|
Comment.
|
|
dns_mapping_ttl
integer
|
|
DNS mapping TTL (Set to zero to use TTL in DNS response).
|
|
extaddr
list
|
|
External FQDN address name.
|
|
|
name
string
/ required
|
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
|
extintf
string
|
|
Interface connected to the source network that receives the packets that will be forwarded to the destination network. Source system.interface.name.
|
|
extip
string
|
|
IP address or address range on the external interface that you want to map to an address or address range on the destination network.
|
|
extport
string
|
|
Incoming port number range that you want to map to a port number range on the destination network.
|
|
gratuitous_arp_interval
integer
|
|
Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable.
|
|
http_cookie_age
integer
|
|
Time in minutes that client web browsers should keep a cookie. Default is 60. 0 = no time limit.
|
|
http_cookie_domain
string
|
|
Domain that HTTP cookie persistence should apply to.
|
|
http_cookie_domain_from_host
string
|
|
Enable/disable use of HTTP cookie domain from host field in HTTP.
|
|
http_cookie_generation
integer
|
|
Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.
|
|
http_cookie_path
string
|
|
Limit HTTP cookie persistence to the specified path.
|
|
http_cookie_share
string
|
|
Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
|
|
http_ip_header
string
|
|
For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.
|
|
http_ip_header_name
string
|
|
For HTTP multiplexing, enter a custom HTTP header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.
|
|
http_multiplex
string
|
|
Enable/disable HTTP multiplexing.
|
|
https_cookie_secure
string
|
|
Enable/disable verification that inserted HTTPS cookies are secure.
|
|
id
integer
|
|
Custom defined ID.
|
|
ldb_method
string
|
Choices:
- static
- round-robin
- weighted
- least-session
- least-rtt
- first-alive
- http-host
|
Method used to distribute sessions to real servers.
|
|
mapped_addr
string
|
|
Mapped FQDN address name. Source firewall.address.name.
|
|
mappedip
list
|
|
IP address or address range on the destination network to which the external IP address is mapped.
|
|
|
range
string
/ required
|
|
Mapped IP range.
|
|
mappedport
string
|
|
Port number range on the destination network to which the external port number range is mapped.
|
|
max_embryonic_connections
integer
|
|
Maximum number of incomplete connections.
|
|
monitor
list
|
|
Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
|
|
|
name
string
/ required
|
|
Health monitor name. Source firewall.ldb-monitor.name.
|
|
name
string
/ required
|
|
Virtual IP name.
|
|
nat_source_vip
string
|
|
Enable/disable forcing the source NAT mapped IP to the external IP for all traffic.
|
|
outlook_web_access
string
|
|
Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
|
|
persistence
string
|
Choices:
- none
- http-cookie
- ssl-session-id
|
Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
|
|
portforward
string
|
|
Enable/disable port forwarding.
|
|
portmapping_type
string
|
|
Port mapping type.
|
|
protocol
string
|
Choices:
- tcp
- udp
- sctp
- icmp
|
Protocol to use when forwarding packets.
|
|
realservers
list
|
|
Select the real servers that this server load balancing VIP will distribute traffic to.
|
|
|
client_ip
string
|
|
Only clients in this IP range can connect to this real server.
|
|
|
healthcheck
string
|
Choices:
- disable
- enable
- vip
|
Enable to check the responsiveness of the real server before forwarding traffic.
|
|
|
holddown_interval
integer
|
|
Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active.
|
|
|
http_host
string
|
|
HTTP server domain name in HTTP header.
|
|
|
id
integer
/ required
|
|
Real server ID.
|
|
|
ip
string
|
|
IP address of the real server.
|
|
|
max_connections
integer
|
|
Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers.
|
|
|
monitor
string
|
|
Name of the health check monitor to use when polling to determine a virtual server's connectivity status. Source firewall.ldb-monitor.name.
|
|
|
port
integer
|
|
Port for communicating with the real server. Required if port forwarding is enabled.
|
|
|
status
string
|
Choices:
- active
- standby
- disable
|
Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
|
|
|
weight
integer
|
|
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
|
|
server_type
string
|
Choices:
- http
- https
- imaps
- pop3s
- smtps
- ssl
- tcp
- udp
- ip
|
Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
|
|
service
list
|
|
Service name.
|
|
|
name
string
/ required
|
|
Service name. Source firewall.service.custom.name firewall.service.group.name.
|
|
src_filter
list
|
|
Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces.
|
|
|
range
string
/ required
|
|
Source-filter range.
|
|
srcintf_filter
list
|
|
Interfaces to which the VIP applies. Separate the names with spaces.
|
|
|
interface_name
string
|
|
Interface name. Source system.interface.name.
|
|
ssl_algorithm
string
|
Choices:
- high
- medium
- low
- custom
|
Permitted encryption algorithms for SSL sessions according to encryption strength.
|
|
ssl_certificate
string
|
|
The name of the SSL certificate to use for SSL acceleration. Source vpn.certificate.local.name.
|
|
ssl_cipher_suites
list
|
|
SSL/TLS cipher suites acceptable from a client, ordered by priority.
|
|
|
cipher
string
|
Choices:
- TLS-RSA-WITH-3DES-EDE-CBC-SHA
- TLS-DHE-RSA-WITH-DES-CBC-SHA
- TLS-DHE-DSS-WITH-DES-CBC-SHA
|
Cipher suite name.
|
|
|
priority
integer
/ required
|
|
SSL/TLS cipher suites priority.
|
|
|
versions
string
|
Choices:
- ssl-3.0
- tls-1.0
- tls-1.1
- tls-1.2
|
SSL/TLS versions that the cipher suite can be used with.
|
|
ssl_client_fallback
string
|
|
Enable/disable support for preventing downgrade attacks on client connections (TLS_FALLBACK_SCSV, RFC 7507).
|
|
ssl_client_renegotiation
string
|
Choices:
- allow
- deny
- secure
|
Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
|
|
ssl_client_session_state_max
integer
|
|
Maximum number of client to FortiGate SSL session states to keep.
|
|
ssl_client_session_state_timeout
integer
|
|
Number of minutes to keep client to FortiGate SSL session state.
|
|
ssl_client_session_state_type
string
|
Choices:
- disable
- time
- count
- both
|
How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
|
|
ssl_dh_bits
string
|
Choices:
- 768
- 1024
- 1536
- 2048
- 3072
- 4096
|
Number of bits in the Diffie-Hellman group used for the key exchange of SSL sessions (DHE cipher suites). 768 and 1024 are considered weak; use 2048 or higher.
|
|
ssl_hpkp
string
|
Choices:
- disable
- enable
- report-only
|
Enable/disable including the HPKP (Public-Key-Pins) header in the response. Current mainstream browsers no longer enforce HPKP; if you enable it at all, start with report-only, since a wrong pin locks out any client that still honours it.
|
|
ssl_hpkp_age
integer
|
|
Number of seconds the client should honour the HPKP setting.
|
|
ssl_hpkp_backup
string
|
|
Certificate to generate backup HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name.
|
|
ssl_hpkp_include_subdomains
string
|
|
Indicate that HPKP header applies to all subdomains.
|
|
ssl_hpkp_primary
string
|
|
Certificate to generate primary HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name.
|
|
ssl_hpkp_report_uri
string
|
|
URL to report HPKP violations to.
|
|
ssl_hsts
string
|
|
Enable/disable including HSTS header in response.
|
|
ssl_hsts_age
integer
|
|
Number of seconds the client should honour the HSTS setting.
|
|
ssl_hsts_include_subdomains
string
|
|
Indicate that HSTS header applies to all subdomains.
|
|
ssl_http_location_conversion
string
|
|
Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
|
|
ssl_http_match_host
string
|
|
Enable/disable HTTP host matching for location conversion.
|
|
ssl_max_version
string
|
Choices:
- ssl-3.0
- tls-1.0
- tls-1.1
- tls-1.2
|
Highest SSL/TLS version acceptable from a client.
|
|
ssl_min_version
string
|
Choices:
- ssl-3.0
- tls-1.0
- tls-1.1
- tls-1.2
|
Lowest SSL/TLS version acceptable from a client.
|
|
ssl_mode
string
|
|
Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
|
|
ssl_pfs
string
|
Choices:
- require
- deny
- allow
|
Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
|
|
ssl_send_empty_frags
string
|
|
Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
|
|
ssl_server_algorithm
string
|
Choices:
- high
- medium
- low
- custom
- client
|
Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
|
|
ssl_server_cipher_suites
list
|
|
SSL/TLS cipher suites to offer to a server, ordered by priority.
|
|
|
cipher
string
|
Choices:
- TLS-RSA-WITH-3DES-EDE-CBC-SHA
- TLS-DHE-RSA-WITH-DES-CBC-SHA
- TLS-DHE-DSS-WITH-DES-CBC-SHA
|
Cipher suite name.
|
|
|
priority
integer
/ required
|
|
SSL/TLS cipher suites priority.
|
|
|
versions
string
|
Choices:
- ssl-3.0
- tls-1.0
- tls-1.1
- tls-1.2
|
SSL/TLS versions that the cipher suite can be used with.
|
|
ssl_server_max_version
string
|
Choices:
- ssl-3.0
- tls-1.0
- tls-1.1
- tls-1.2
- client
|
Highest SSL/TLS version acceptable from a server. client (the default) mirrors the client-side setting (ssl_max_version).
|
|
ssl_server_min_version
string
|
Choices:
- ssl-3.0
- tls-1.0
- tls-1.1
- tls-1.2
- client
|
Lowest SSL/TLS version acceptable from a server. client (the default) mirrors the client-side setting (ssl_min_version).
|
|
ssl_server_session_state_max
integer
|
|
Maximum number of FortiGate to Server SSL session states to keep.
|
|
ssl_server_session_state_timeout
integer
|
|
Number of minutes to keep FortiGate to Server SSL session state.
|
|
ssl_server_session_state_type
string
|
Choices:
- disable
- time
- count
- both
|
How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
|
|
state
string
|
|
Deprecated
Starting with Ansible 2.9 we recommend using the top-level 'state' parameter.
Indicates whether to create or remove the object.
|
|
type
string
|
Choices:
- static-nat
- load-balance
- server-load-balance
- dns-translation
- fqdn
|
Configure a static NAT, load balance, server load balance, DNS translation, or FQDN VIP.
|
|
uuid
string
|
|
Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
|
|
weblogic_server
string
|
|
Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
|
|
websphere_server
string
|
|
Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
|
host
string
|
|
FortiOS or FortiGate IP address.
|
https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol.
|
password
string
|
Default:
""
|
FortiOS or FortiGate password.
|
ssl_verify
boolean
added in 2.9 |
|
Verify the FortiGate's TLS certificate against a trusted CA. Disabling this allows a man-in-the-middle on the management path to capture the administrator credentials; leave it enabled outside of lab use.
|
state
string
added in 2.9 |
|
Indicates whether to create or remove the object. In earlier versions this attribute lived one level deeper, inside firewall_vip; it has been moved to this outer level.
|
username
string
|
|
FortiOS or FortiGate username.
|
vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
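As an added example (not part of the module's own documentation or the Ansible project's code), the playbook below uses the parameters above for two common cases: a static-NAT port forward limited to one source range, and a server-load-balance VIP with a hardened TLS offload profile. The management address, credentials, interface names, IP addresses, the certificate name `web-frontend-2024` and the health monitor name `https-check` are placeholders that must already exist on the FortiGate; `no_log` is a standard Ansible task keyword used here to keep the password out of the task output.

```yaml
# Added example: fortios_firewall_vip tasks. All host, address, certificate
# and monitor names are placeholders, not values from the documentation.
- hosts: localhost
  gather_facts: false
  vars:
    host: "192.0.2.10"                            # assumed FortiGate management IP
    username: "ansible"
    password: "{{ vault_fortigate_password }}"    # keep the secret in Ansible Vault
    vdom: "root"
  tasks:
    - name: Static-NAT port forward, reachable only from the operations network
      no_log: true
      fortios_firewall_vip:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: true
        ssl_verify: true            # verify the FortiGate certificate; do not disable outside a lab
        state: present
        firewall_vip:
          name: "vip-ssh-bastion"
          comment: "SSH to bastion, operations range only"
          type: "static-nat"
          extintf: "wan1"
          extip: "203.0.113.5"
          mappedip:
            - range: "10.0.0.22"
          portforward: "enable"
          protocol: "tcp"
          extport: "2222"
          mappedport: "22"
          src_filter:                 # sources outside this range never reach the mapped host
            - range: "198.51.100.0/24"
          arp_reply: "enable"
          nat_source_vip: "disable"

    - name: Server load balance VIP with hardened TLS offload (full mode)
      no_log: true
      fortios_firewall_vip:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: true
        ssl_verify: true
        state: present
        firewall_vip:
          name: "vip-web-slb"
          type: "server-load-balance"
          server_type: "https"
          extintf: "wan1"
          extip: "203.0.113.6"
          extport: "443"
          mappedport: "8443"
          portforward: "enable"
          ldb_method: "least-session"
          persistence: "http-cookie"
          https_cookie_secure: "enable"       # persistence cookie carries the Secure flag
          http_multiplex: "enable"
          http_ip_header: "enable"            # backends see the client IP in X-Forwarded-For
          ssl_mode: "full"                    # re-encrypt FortiGate -> real server
          ssl_certificate: "web-frontend-2024"
          ssl_min_version: "tls-1.2"          # no SSL 3.0 / TLS 1.0 / TLS 1.1 from clients
          ssl_max_version: "tls-1.2"
          ssl_server_min_version: "tls-1.2"
          ssl_server_max_version: "client"
          ssl_algorithm: "high"
          ssl_pfs: "require"                  # only forward-secret cipher suites
          ssl_dh_bits: "2048"                 # 768/1024-bit DH groups are weak
          ssl_client_renegotiation: "secure"  # RFC 5746 only
          ssl_client_fallback: "enable"       # TLS_FALLBACK_SCSV, RFC 7507
          ssl_send_empty_frags: "enable"
          ssl_hsts: "enable"
          ssl_hsts_age: 31536000
          ssl_hsts_include_subdomains: "enable"
          ssl_http_location_conversion: "enable"   # rewrite http:// Location headers to https://
          monitor:
            - name: "https-check"
          realservers:
            - id: 1
              ip: "10.0.1.11"
              port: 8443
              status: "active"
              healthcheck: "enable"
              monitor: "https-check"
              weight: 1
            - id: 2
              ip: "10.0.1.12"
              port: 8443
              status: "active"
              healthcheck: "enable"
              monitor: "https-check"
              weight: 1
```

The module only creates the VIP object; a firewall policy that references `vip-ssh-bastion` or `vip-web-slb` as its destination is still required before any traffic is forwarded. Run with `--check` first and review the returned `meta` for the effective TLS settings, since a FortiOS release that lacks one of the SSL parameters rejects the whole object rather than ignoring the key.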