- source
fmgr_pm_config_pblock_firewall_securitypolicy.py
- orphan
2.1.0
Warning
Starting in version 3.0.0, all input arguments will be named using the underscore naming convention (snake_case).
- Argument name before 3.0.0:
var-name
,var name
,var.name
- New argument name starting in 3.0.0:
var_name
FortiManager Ansible v2.4+ supports both previous argument name and new underscore name. You will receive deprecation warnings if you keep using the previous argument name. You can ignore the warning by setting deprecation_warnings=False in ansible.cfg.
- This module is able to configure a FortiManager device.
- Examples include all parameters and values need to be adjusted to data sources before usage.
- Tested with FortiManager v6.x and v7.x.
The below requirements are needed on the host that executes this module.
- ansible>=2.15.0
Supported Version Ranges: v7.0.3 -> latest
- access_token -The token to access FortiManager without using username and password. type: str required: false
- bypass_validation - Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. type: bool required: false default: False
- enable_log - Enable/Disable logging for task. type: bool required: false default: False
- forticloud_access_token - Access token of forticloud managed API users, this option is available with FortiManager later than 6.4.0. type: str required: false
- proposed_method - The overridden method for the underlying Json RPC request. type: str required: false choices: set, update, add
- rc_succeeded - The rc codes list with which the conditions to succeed will be overriden. type: list required: false
- rc_failed - The rc codes list with which the conditions to fail will be overriden. type: list required: false
- state - The directive to create, update or delete an object type: str required: true choices: present, absent
- workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
- workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock. type: integer required: false default: 300
- adom - The parameter in requested url type: str required: true
- pblock - The parameter in requested url type: str required: true
- pm_config_pblock_firewall_securitypolicy - Configure NGFW IPv4/IPv6 application policies. type: dict
- _policy_block Assigned policy block. type: int
more...
Supported Version Ranges:
v7.0.3 -> latest
- action Policy action (accept/deny). type: str choices: [deny, accept]
more...
Supported Version Ranges:
v7.0.3 -> latest
- app_category (Alias name: app-category) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- app_group (Alias name: app-group) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- application type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- application_list (Alias name: application-list) Name of an existing application list. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- av_profile (Alias name: av-profile) Name of an existing antivirus profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- cifs_profile (Alias name: cifs-profile) Name of an existing cifs profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- comments Comment. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- dlp_profile (Alias name: dlp-profile) Name of an existing dlp profile. type: str
more...
Supported Version Ranges:
v7.2.0 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- dnsfilter_profile (Alias name: dnsfilter-profile) Name of an existing dns filter profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- dstaddr type: list
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- dstaddr_negate (Alias name: dstaddr-negate) When enabled dstaddr/dstaddr6 specifies what the destination address must not be. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- dstaddr6 type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- dstintf type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- emailfilter_profile (Alias name: emailfilter-profile) Name of an existing email filter profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- enforce_default_app_port (Alias name: enforce-default-app-port) Enable/disable default application port enforcement for allowed applications. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> latest
- file_filter_profile (Alias name: file-filter-profile) Name of an existing file-filter profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- fsso_groups (Alias name: fsso-groups) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- global_label (Alias name: global-label) Label for the policy that appears when the gui is in global view mode. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- groups type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- icap_profile (Alias name: icap-profile) Name of an existing icap profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service (Alias name: internet-service) Enable/disable use of internet services for this policy. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service_custom (Alias name: internet-service-custom) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service_custom_group (Alias name: internet-service-custom-group) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service_group (Alias name: internet-service-group) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service_name (Alias name: internet-service-name) type: list
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service_negate (Alias name: internet-service-negate) When enabled internet-service specifies what the service must not be. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service_src (Alias name: internet-service-src) Enable/disable use of internet services in source for this policy. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service_src_custom (Alias name: internet-service-src-custom) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service_src_custom_group (Alias name: internet-service-src-custom-group) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service_src_group (Alias name: internet-service-src-group) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service_src_name (Alias name: internet-service-src-name) type: list
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service_src_negate (Alias name: internet-service-src-negate) When enabled internet-service-src specifies what the service must not be. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> latest
- ips_sensor (Alias name: ips-sensor) Name of an existing ips sensor. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- learning_mode (Alias name: learning-mode) Enable to allow everything, but log all of the meaningful data for security information gathering. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- logtraffic Enable or disable logging. type: str choices: [disable, all, utm]
more...
Supported Version Ranges:
v7.0.3 -> latest
- name Policy name. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- nat46 Enable/disable nat46. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- nat64 Enable/disable nat64. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- policyid Policy id. type: int
more...
Supported Version Ranges:
v7.0.3 -> latest
- profile_group (Alias name: profile-group) Name of profile group. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- profile_protocol_options (Alias name: profile-protocol-options) Name of an existing protocol options profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- profile_type (Alias name: profile-type) Determine whether the firewall policy allows security profile groups or single profiles only. type: str choices: [single, group]
more...
Supported Version Ranges:
v7.0.3 -> latest
- schedule Schedule name. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- sctp_filter_profile (Alias name: sctp-filter-profile) Name of an existing sctp filter profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- send_deny_packet (Alias name: send-deny-packet) Enable to send a reply when a session is denied or blocked by a firewall policy. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> latest
- service type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- service_negate (Alias name: service-negate) When enabled service specifies what the service must not be. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> latest
- srcaddr type: list
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- srcaddr_negate (Alias name: srcaddr-negate) When enabled srcaddr/srcaddr6 specifies what the source address must not be. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- srcaddr6 type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- srcintf type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- ssh_filter_profile (Alias name: ssh-filter-profile) Name of an existing ssh filter profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- ssl_ssh_profile (Alias name: ssl-ssh-profile) Name of an existing ssl ssh profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- status Enable or disable this policy. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> latest
- url_category (Alias name: url-category) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- users type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- utm_status (Alias name: utm-status) Enable security profiles. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> latest
- uuid Universally unique identifier (uuid; automatically assigned but can be manually reset). type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- videofilter_profile (Alias name: videofilter-profile) Name of an existing videofilter profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> v7.2.2
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- voip_profile (Alias name: voip-profile) Name of an existing voip profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- webfilter_profile (Alias name: webfilter-profile) Name of an existing web filter profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- dlp_sensor (Alias name: dlp-sensor) Name of an existing dlp sensor. type: str
more...
Supported Version Ranges:
v7.0.3 -> latest
- mms_profile (Alias name: mms-profile) Name of an existing mms profile. type: str
more...
Supported Version Ranges:
v7.0.3 -> v7.2.0
- internet_service_id (Alias name: internet-service-id) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- logtraffic_start (Alias name: logtraffic-start) Record logs when a session starts. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.0.3 -> latest
- srcaddr4 type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- dstaddr4 type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service_src_id (Alias name: internet-service-src-id) type: list
more...
Supported Version Ranges:
v7.0.3 -> latest
- internet_service6 (Alias name: internet-service6) Enable/disable use of ipv6 internet services for this policy. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_custom (Alias name: internet-service6-custom) type: list
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_custom_group (Alias name: internet-service6-custom-group) type: list
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_group (Alias name: internet-service6-group) type: list
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_name (Alias name: internet-service6-name) type: list
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_negate (Alias name: internet-service6-negate) When enabled internet-service6 specifies what the service must not be. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_src (Alias name: internet-service6-src) Enable/disable use of ipv6 internet services in source for this policy. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_src_custom (Alias name: internet-service6-src-custom) type: list
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_src_custom_group (Alias name: internet-service6-src-custom-group) type: list
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_src_group (Alias name: internet-service6-src-group) type: list
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_src_name (Alias name: internet-service6-src-name) type: list
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- internet_service6_src_negate (Alias name: internet-service6-src-negate) When enabled internet-service6-src specifies what the service must not be. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.2.1 -> v7.2.1
,v7.2.4 -> v7.2.4
,v7.4.2 -> latest
- casb_profile (Alias name: casb-profile) Name of an existing casb profile. type: str
more...
Supported Version Ranges:
v7.4.2 -> latest
- diameter_filter_profile (Alias name: diameter-filter-profile) Name of an existing diameter filter profile. type: str
more...
Supported Version Ranges:
v7.4.2 -> latest
- dstaddr6_negate (Alias name: dstaddr6-negate) When enabled dstaddr6 specifies what the destination address must not be. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.4.2 -> latest
- ips_voip_filter (Alias name: ips-voip-filter) Name of an existing voip (ips) profile. type: str
more...
Supported Version Ranges:
v7.4.2 -> latest
- srcaddr6_negate (Alias name: srcaddr6-negate) When enabled srcaddr6 specifies what the source address must not be. type: str choices: [disable, enable]
more...
Supported Version Ranges:
v7.4.2 -> latest
- virtual_patch_profile (Alias name: virtual-patch-profile) Name of an existing virtual-patch profile. type: str
more...
Supported Version Ranges:
v7.4.2 -> latest
Note
- Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work. - To create or update an object, use state: present directive. - To delete an object, use state: absent directive - Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded
- name: Example playbook (generated based on argument schema)
hosts: fortimanagers
connection: httpapi
vars:
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
ansible_httpapi_port: 443
tasks:
- name: Configure NGFW IPv4/IPv6 application policies.
fortinet.fortimanager.fmgr_pm_config_pblock_firewall_securitypolicy:
# bypass_validation: false
workspace_locking_adom: <value in [global, custom adom including root]>
workspace_locking_timeout: 300
# rc_succeeded: [0, -2, -3, ...]
# rc_failed: [-2, -3, ...]
adom: <your own value>
pblock: <your own value>
state: present # <value in [present, absent]>
pm_config_pblock_firewall_securitypolicy:
_policy_block: <integer>
action: <value in [deny, accept]>
app_category: <list or string>
app_group: <list or string>
application: <list or integer>
application_list: <string>
av_profile: <string>
cifs_profile: <string>
comments: <string>
dlp_profile: <string>
dnsfilter_profile: <string>
dstaddr: <list or string>
dstaddr_negate: <value in [disable, enable]>
dstaddr6: <list or string>
dstintf: <list or string>
emailfilter_profile: <string>
enforce_default_app_port: <value in [disable, enable]>
file_filter_profile: <string>
fsso_groups: <list or string>
global_label: <string>
groups: <list or string>
icap_profile: <string>
internet_service: <value in [disable, enable]>
internet_service_custom: <list or string>
internet_service_custom_group: <list or string>
internet_service_group: <list or string>
internet_service_name: <list or string>
internet_service_negate: <value in [disable, enable]>
internet_service_src: <value in [disable, enable]>
internet_service_src_custom: <list or string>
internet_service_src_custom_group: <list or string>
internet_service_src_group: <list or string>
internet_service_src_name: <list or string>
internet_service_src_negate: <value in [disable, enable]>
ips_sensor: <string>
learning_mode: <value in [disable, enable]>
logtraffic: <value in [disable, all, utm]>
name: <string>
nat46: <value in [disable, enable]>
nat64: <value in [disable, enable]>
policyid: <integer>
profile_group: <string>
profile_protocol_options: <string>
profile_type: <value in [single, group]>
schedule: <string>
sctp_filter_profile: <string>
send_deny_packet: <value in [disable, enable]>
service: <list or string>
service_negate: <value in [disable, enable]>
srcaddr: <list or string>
srcaddr_negate: <value in [disable, enable]>
srcaddr6: <list or string>
srcintf: <list or string>
ssh_filter_profile: <string>
ssl_ssh_profile: <string>
status: <value in [disable, enable]>
url_category: <list or string>
users: <list or string>
utm_status: <value in [disable, enable]>
uuid: <string>
videofilter_profile: <string>
voip_profile: <string>
webfilter_profile: <string>
dlp_sensor: <string>
mms_profile: <string>
internet_service_id: <list or string>
logtraffic_start: <value in [disable, enable]>
srcaddr4: <list or string>
dstaddr4: <list or string>
internet_service_src_id: <list or string>
internet_service6: <value in [disable, enable]>
internet_service6_custom: <list or string>
internet_service6_custom_group: <list or string>
internet_service6_group: <list or string>
internet_service6_name: <list or string>
internet_service6_negate: <value in [disable, enable]>
internet_service6_src: <value in [disable, enable]>
internet_service6_src_custom: <list or string>
internet_service6_src_custom_group: <list or string>
internet_service6_src_group: <list or string>
internet_service6_src_name: <list or string>
internet_service6_src_negate: <value in [disable, enable]>
casb_profile: <string>
diameter_filter_profile: <string>
dstaddr6_negate: <value in [disable, enable]>
ips_voip_filter: <string>
srcaddr6_negate: <value in [disable, enable]>
virtual_patch_profile: <string>
Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:
- meta - The result of the request.returned: always type: dict
- request_url - The full url requested. returned: always type: str sample: /sys/login/user
- response_code - The status of api request. returned: always type: int sample: 0
- response_data - The data body of the api response. returned: optional type: list or dict
- response_message - The descriptive message of the api response. returned: always type: str sample: OK
- system_information - The information of the target system. returned: always type: dict
- rc - The status the request. returned: always type: int sample: 0
- version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least one parameter not supported by the current FortiManager version type: list
- This module is not guaranteed to have a backwards compatible interface.
- Xinwei Du (@dux-fortinet)
- Xing Li (@lix-fortinet)
- Jie Xue (@JieX19)
- Link Zheng (@chillancezen)
- Frank Shen (@fshen01)
- Hongbin Lu (@fgtdev-hblu)