From a1e2d290fca707822f7a254a780797d9fedcc636 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miguel=20Angel=20Mu=C3=B1oz=20Gonz=C3=A1lez?= Date: Wed, 13 Feb 2019 12:31:04 +0100 Subject: [PATCH] Fortinet's FortiOS system settings (#52112) --- .../fortios/fortios_system_settings.py | 1203 +++++++++++++++++ 1 file changed, 1203 insertions(+) create mode 100644 lib/ansible/modules/network/fortios/fortios_system_settings.py diff --git a/lib/ansible/modules/network/fortios/fortios_system_settings.py b/lib/ansible/modules/network/fortios/fortios_system_settings.py new file mode 100644 index 0000000000..cdb7524301 --- /dev/null +++ b/lib/ansible/modules/network/fortios/fortios_system_settings.py @@ -0,0 +1,1203 @@ +#!/usr/bin/python +from __future__ import (absolute_import, division, print_function) +# Copyright 2019 Fortinet, Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# the lib use python logging can get it if the following is set in your +# Ansible config. + +__metaclass__ = type + +ANSIBLE_METADATA = {'status': ['preview'], + 'supported_by': 'community', + 'metadata_version': '1.1'} + +DOCUMENTATION = ''' +--- +module: fortios_system_settings +short_description: Configure VDOM settings in Fortinet's FortiOS and FortiGate. +description: + - This module is able to configure a FortiGate or FortiOS by + allowing the user to configure system feature and settings category. + Examples includes all options and need to be adjusted to datasources before usage. + Tested with FOS v6.0.2 +version_added: "2.8" +author: + - Miguel Angel Munoz (@mamunozgonzalez) + - Nicolas Thomas (@thomnico) +notes: + - Requires fortiosapi library developed by Fortinet + - Run as a local_action in your playbook +requirements: + - fortiosapi>=0.9.8 +options: + host: + description: + - FortiOS or FortiGate ip adress. + required: true + username: + description: + - FortiOS or FortiGate username. + required: true + password: + description: + - FortiOS or FortiGate password. + default: "" + vdom: + description: + - Virtual domain, among those defined previously. A vdom is a + virtual instance of the FortiGate that can be configured and + used as a different unit. + default: root + https: + description: + - Indicates if the requests towards FortiGate must use HTTPS + protocol + type: bool + default: true + system_settings: + description: + - Configure VDOM settings. + default: null + suboptions: + allow-subnet-overlap: + description: + - Enable/disable allowing interface subnets to use overlapping IP addresses. + choices: + - enable + - disable + asymroute: + description: + - Enable/disable IPv4 asymmetric routing. + choices: + - enable + - disable + asymroute-icmp: + description: + - Enable/disable ICMP asymmetric routing. + choices: + - enable + - disable + asymroute6: + description: + - Enable/disable asymmetric IPv6 routing. + choices: + - enable + - disable + asymroute6-icmp: + description: + - Enable/disable asymmetric ICMPv6 routing. + choices: + - enable + - disable + bfd: + description: + - Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. + choices: + - enable + - disable + bfd-desired-min-tx: + description: + - BFD desired minimal transmit interval (1 - 100000 ms, default = 50). + bfd-detect-mult: + description: + - BFD detection multiplier (1 - 50, default = 3). + bfd-dont-enforce-src-port: + description: + - Enable to not enforce verifying the source port of BFD Packets. + choices: + - enable + - disable + bfd-required-min-rx: + description: + - BFD required minimal receive interval (1 - 100000 ms, default = 50). + block-land-attack: + description: + - Enable/disable blocking of land attacks. + choices: + - disable + - enable + central-nat: + description: + - Enable/disable central NAT. + choices: + - enable + - disable + comments: + description: + - VDOM comments. + compliance-check: + description: + - Enable/disable PCI DSS compliance checking. + choices: + - enable + - disable + default-voip-alg-mode: + description: + - Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile. + choices: + - proxy-based + - kernel-helper-based + deny-tcp-with-icmp: + description: + - Enable/disable denying TCP by sending an ICMP communication prohibited packet. + choices: + - enable + - disable + device: + description: + - Interface to use for management access for NAT mode. Source system.interface.name. + dhcp-proxy: + description: + - Enable/disable the DHCP Proxy. + choices: + - enable + - disable + dhcp-server-ip: + description: + - DHCP Server IPv4 address. + dhcp6-server-ip: + description: + - DHCPv6 server IPv6 address. + discovered-device-timeout: + description: + - Timeout for discovered devices (1 - 365 days, default = 28). + ecmp-max-paths: + description: + - Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 100, default = 10). + email-portal-check-dns: + description: + - Enable/disable using DNS to validate email addresses collected by a captive portal. + choices: + - disable + - enable + firewall-session-dirty: + description: + - Select how to manage sessions affected by firewall policy configuration changes. + choices: + - check-all + - check-new + - check-policy-option + fw-session-hairpin: + description: + - Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate. + choices: + - enable + - disable + gateway: + description: + - Transparent mode IPv4 default gateway IP address. + gateway6: + description: + - Transparent mode IPv4 default gateway IP address. + gui-advanced-policy: + description: + - Enable/disable advanced policy configuration on the GUI. + choices: + - enable + - disable + gui-allow-unnamed-policy: + description: + - Enable/disable the requirement for policy naming on the GUI. + choices: + - enable + - disable + gui-antivirus: + description: + - Enable/disable AntiVirus on the GUI. + choices: + - enable + - disable + gui-ap-profile: + description: + - Enable/disable FortiAP profiles on the GUI. + choices: + - enable + - disable + gui-application-control: + description: + - Enable/disable application control on the GUI. + choices: + - enable + - disable + gui-default-policy-columns: + description: + - Default columns to display for policy lists on GUI. + suboptions: + name: + description: + - Select column name. + required: true + gui-dhcp-advanced: + description: + - Enable/disable advanced DHCP options on the GUI. + choices: + - enable + - disable + gui-dlp: + description: + - Enable/disable DLP on the GUI. + choices: + - enable + - disable + gui-dns-database: + description: + - Enable/disable DNS database settings on the GUI. + choices: + - enable + - disable + gui-dnsfilter: + description: + - Enable/disable DNS Filtering on the GUI. + choices: + - enable + - disable + gui-domain-ip-reputation: + description: + - Enable/disable Domain and IP Reputation on the GUI. + choices: + - enable + - disable + gui-dos-policy: + description: + - Enable/disable DoS policies on the GUI. + choices: + - enable + - disable + gui-dynamic-profile-display: + description: + - Enable/disable RADIUS Single Sign On (RSSO) on the GUI. + choices: + - enable + - disable + gui-dynamic-routing: + description: + - Enable/disable dynamic routing on the GUI. + choices: + - enable + - disable + gui-email-collection: + description: + - Enable/disable email collection on the GUI. + choices: + - enable + - disable + gui-endpoint-control: + description: + - Enable/disable endpoint control on the GUI. + choices: + - enable + - disable + gui-endpoint-control-advanced: + description: + - Enable/disable advanced endpoint control options on the GUI. + choices: + - enable + - disable + gui-explicit-proxy: + description: + - Enable/disable the explicit proxy on the GUI. + choices: + - enable + - disable + gui-fortiap-split-tunneling: + description: + - Enable/disable FortiAP split tunneling on the GUI. + choices: + - enable + - disable + gui-fortiextender-controller: + description: + - Enable/disable FortiExtender on the GUI. + choices: + - enable + - disable + gui-icap: + description: + - Enable/disable ICAP on the GUI. + choices: + - enable + - disable + gui-implicit-policy: + description: + - Enable/disable implicit firewall policies on the GUI. + choices: + - enable + - disable + gui-ips: + description: + - Enable/disable IPS on the GUI. + choices: + - enable + - disable + gui-load-balance: + description: + - Enable/disable server load balancing on the GUI. + choices: + - enable + - disable + gui-local-in-policy: + description: + - Enable/disable Local-In policies on the GUI. + choices: + - enable + - disable + gui-local-reports: + description: + - Enable/disable local reports on the GUI. + choices: + - enable + - disable + gui-multicast-policy: + description: + - Enable/disable multicast firewall policies on the GUI. + choices: + - enable + - disable + gui-multiple-interface-policy: + description: + - Enable/disable adding multiple interfaces to a policy on the GUI. + choices: + - enable + - disable + gui-multiple-utm-profiles: + description: + - Enable/disable multiple UTM profiles on the GUI. + choices: + - enable + - disable + gui-nat46-64: + description: + - Enable/disable NAT46 and NAT64 settings on the GUI. + choices: + - enable + - disable + gui-object-colors: + description: + - Enable/disable object colors on the GUI. + choices: + - enable + - disable + gui-policy-based-ipsec: + description: + - Enable/disable policy-based IPsec VPN on the GUI. + choices: + - enable + - disable + gui-policy-learning: + description: + - Enable/disable firewall policy learning mode on the GUI. + choices: + - enable + - disable + gui-replacement-message-groups: + description: + - Enable/disable replacement message groups on the GUI. + choices: + - enable + - disable + gui-spamfilter: + description: + - Enable/disable Antispam on the GUI. + choices: + - enable + - disable + gui-sslvpn-personal-bookmarks: + description: + - Enable/disable SSL-VPN personal bookmark management on the GUI. + choices: + - enable + - disable + gui-sslvpn-realms: + description: + - Enable/disable SSL-VPN realms on the GUI. + choices: + - enable + - disable + gui-switch-controller: + description: + - Enable/disable the switch controller on the GUI. + choices: + - enable + - disable + gui-threat-weight: + description: + - Enable/disable threat weight on the GUI. + choices: + - enable + - disable + gui-traffic-shaping: + description: + - Enable/disable traffic shaping on the GUI. + choices: + - enable + - disable + gui-voip-profile: + description: + - Enable/disable VoIP profiles on the GUI. + choices: + - enable + - disable + gui-vpn: + description: + - Enable/disable VPN tunnels on the GUI. + choices: + - enable + - disable + gui-waf-profile: + description: + - Enable/disable Web Application Firewall on the GUI. + choices: + - enable + - disable + gui-wan-load-balancing: + description: + - Enable/disable SD-WAN on the GUI. + choices: + - enable + - disable + gui-wanopt-cache: + description: + - Enable/disable WAN Optimization and Web Caching on the GUI. + choices: + - enable + - disable + gui-webfilter: + description: + - Enable/disable Web filtering on the GUI. + choices: + - enable + - disable + gui-webfilter-advanced: + description: + - Enable/disable advanced web filtering on the GUI. + choices: + - enable + - disable + gui-wireless-controller: + description: + - Enable/disable the wireless controller on the GUI. + choices: + - enable + - disable + http-external-dest: + description: + - Offload HTTP traffic to FortiWeb or FortiCache. + choices: + - fortiweb + - forticache + ike-dn-format: + description: + - Configure IKE ASN.1 Distinguished Name format conventions. + choices: + - with-space + - no-space + ike-quick-crash-detect: + description: + - Enable/disable IKE quick crash detection (RFC 6290). + choices: + - enable + - disable + ike-session-resume: + description: + - Enable/disable IKEv2 session resumption (RFC 5723). + choices: + - enable + - disable + implicit-allow-dns: + description: + - Enable/disable implicitly allowing DNS traffic. + choices: + - enable + - disable + inspection-mode: + description: + - Inspection mode (proxy-based or flow-based). + choices: + - proxy + - flow + ip: + description: + - IP address and netmask. + ip6: + description: + - IPv6 address prefix for NAT mode. + link-down-access: + description: + - Enable/disable link down access traffic. + choices: + - enable + - disable + lldp-transmission: + description: + - Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM. + choices: + - enable + - disable + - global + mac-ttl: + description: + - Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300). + manageip: + description: + - Transparent mode IPv4 management IP address and netmask. + manageip6: + description: + - Transparent mode IPv6 management IP address and netmask. + multicast-forward: + description: + - Enable/disable multicast forwarding. + choices: + - enable + - disable + multicast-skip-policy: + description: + - Enable/disable allowing multicast traffic through the FortiGate without a policy check. + choices: + - enable + - disable + multicast-ttl-notchange: + description: + - Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. + choices: + - enable + - disable + ngfw-mode: + description: + - Next Generation Firewall (NGFW) mode. + choices: + - profile-based + - policy-based + opmode: + description: + - Firewall operation mode (NAT or Transparent). + choices: + - nat + - transparent + prp-trailer-action: + description: + - Enable/disable action to take on PRP trailer. + choices: + - enable + - disable + sccp-port: + description: + - TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000). + ses-denied-traffic: + description: + - Enable/disable including denied session in the session table. + choices: + - enable + - disable + sip-helper: + description: + - Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway + (ALG). + choices: + - enable + - disable + sip-nat-trace: + description: + - Enable/disable recording the original SIP source IP address when NAT is used. + choices: + - enable + - disable + sip-ssl-port: + description: + - TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061). + sip-tcp-port: + description: + - TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). + sip-udp-port: + description: + - UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). + snat-hairpin-traffic: + description: + - Enable/disable source NAT (SNAT) for hairpin traffic. + choices: + - enable + - disable + ssl-ssh-profile: + description: + - Profile for SSL/SSH inspection. Source firewall.ssl-ssh-profile.name. + status: + description: + - Enable/disable this VDOM. + choices: + - enable + - disable + strict-src-check: + description: + - Enable/disable strict source verification. + choices: + - enable + - disable + tcp-session-without-syn: + description: + - Enable/disable allowing TCP session without SYN flags. + choices: + - enable + - disable + utf8-spam-tagging: + description: + - Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. + choices: + - enable + - disable + v4-ecmp-mode: + description: + - IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. + choices: + - source-ip-based + - weight-based + - usage-based + - source-dest-ip-based + vpn-stats-log: + description: + - Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. + choices: + - ipsec + - pptp + - l2tp + - ssl + vpn-stats-period: + description: + - Period to send VPN log statistics (60 - 86400 sec). + wccp-cache-engine: + description: + - Enable/disable WCCP cache engine. + choices: + - enable + - disable +''' + +EXAMPLES = ''' +- hosts: localhost + vars: + host: "192.168.122.40" + username: "admin" + password: "" + vdom: "root" + tasks: + - name: Configure VDOM settings. + fortios_system_settings: + host: "{{ host }}" + username: "{{ username }}" + password: "{{ password }}" + vdom: "{{ vdom }}" + https: "False" + system_settings: + allow-subnet-overlap: "enable" + asymroute: "enable" + asymroute-icmp: "enable" + asymroute6: "enable" + asymroute6-icmp: "enable" + bfd: "enable" + bfd-desired-min-tx: "9" + bfd-detect-mult: "10" + bfd-dont-enforce-src-port: "enable" + bfd-required-min-rx: "12" + block-land-attack: "disable" + central-nat: "enable" + comments: "" + compliance-check: "enable" + default-voip-alg-mode: "proxy-based" + deny-tcp-with-icmp: "enable" + device: " (source system.interface.name)" + dhcp-proxy: "enable" + dhcp-server-ip: "" + dhcp6-server-ip: "" + discovered-device-timeout: "23" + ecmp-max-paths: "24" + email-portal-check-dns: "disable" + firewall-session-dirty: "check-all" + fw-session-hairpin: "enable" + gateway: "" + gateway6: "" + gui-advanced-policy: "enable" + gui-allow-unnamed-policy: "enable" + gui-antivirus: "enable" + gui-ap-profile: "enable" + gui-application-control: "enable" + gui-default-policy-columns: + - + name: "default_name_36" + gui-dhcp-advanced: "enable" + gui-dlp: "enable" + gui-dns-database: "enable" + gui-dnsfilter: "enable" + gui-domain-ip-reputation: "enable" + gui-dos-policy: "enable" + gui-dynamic-profile-display: "enable" + gui-dynamic-routing: "enable" + gui-email-collection: "enable" + gui-endpoint-control: "enable" + gui-endpoint-control-advanced: "enable" + gui-explicit-proxy: "enable" + gui-fortiap-split-tunneling: "enable" + gui-fortiextender-controller: "enable" + gui-icap: "enable" + gui-implicit-policy: "enable" + gui-ips: "enable" + gui-load-balance: "enable" + gui-local-in-policy: "enable" + gui-local-reports: "enable" + gui-multicast-policy: "enable" + gui-multiple-interface-policy: "enable" + gui-multiple-utm-profiles: "enable" + gui-nat46-64: "enable" + gui-object-colors: "enable" + gui-policy-based-ipsec: "enable" + gui-policy-learning: "enable" + gui-replacement-message-groups: "enable" + gui-spamfilter: "enable" + gui-sslvpn-personal-bookmarks: "enable" + gui-sslvpn-realms: "enable" + gui-switch-controller: "enable" + gui-threat-weight: "enable" + gui-traffic-shaping: "enable" + gui-voip-profile: "enable" + gui-vpn: "enable" + gui-waf-profile: "enable" + gui-wan-load-balancing: "enable" + gui-wanopt-cache: "enable" + gui-webfilter: "enable" + gui-webfilter-advanced: "enable" + gui-wireless-controller: "enable" + http-external-dest: "fortiweb" + ike-dn-format: "with-space" + ike-quick-crash-detect: "enable" + ike-session-resume: "enable" + implicit-allow-dns: "enable" + inspection-mode: "proxy" + ip: "" + ip6: "" + link-down-access: "enable" + lldp-transmission: "enable" + mac-ttl: "89" + manageip: "" + manageip6: "" + multicast-forward: "enable" + multicast-skip-policy: "enable" + multicast-ttl-notchange: "enable" + ngfw-mode: "profile-based" + opmode: "nat" + prp-trailer-action: "enable" + sccp-port: "98" + ses-denied-traffic: "enable" + sip-helper: "enable" + sip-nat-trace: "enable" + sip-ssl-port: "102" + sip-tcp-port: "103" + sip-udp-port: "104" + snat-hairpin-traffic: "enable" + ssl-ssh-profile: " (source firewall.ssl-ssh-profile.name)" + status: "enable" + strict-src-check: "enable" + tcp-session-without-syn: "enable" + utf8-spam-tagging: "enable" + v4-ecmp-mode: "source-ip-based" + vpn-stats-log: "ipsec" + vpn-stats-period: "113" + wccp-cache-engine: "enable" +''' + +RETURN = ''' +build: + description: Build number of the fortigate image + returned: always + type: str + sample: '1547' +http_method: + description: Last method used to provision the content into FortiGate + returned: always + type: str + sample: 'PUT' +http_status: + description: Last result given by FortiGate on last operation applied + returned: always + type: str + sample: "200" +mkey: + description: Master key (id) used in the last call to FortiGate + returned: success + type: str + sample: "id" +name: + description: Name of the table used to fulfill the request + returned: always + type: str + sample: "urlfilter" +path: + description: Path of the table used to fulfill the request + returned: always + type: str + sample: "webfilter" +revision: + description: Internal revision number + returned: always + type: str + sample: "17.0.2.10658" +serial: + description: Serial number of the unit + returned: always + type: str + sample: "FGVMEVYYQT3AB5352" +status: + description: Indication of the operation's result + returned: always + type: str + sample: "success" +vdom: + description: Virtual domain used + returned: always + type: str + sample: "root" +version: + description: Version of the FortiGate + returned: always + type: str + sample: "v5.6.3" + +''' + +from ansible.module_utils.basic import AnsibleModule + +fos = None + + +def login(data): + host = data['host'] + username = data['username'] + password = data['password'] + + fos.debug('on') + if 'https' in data and not data['https']: + fos.https('off') + else: + fos.https('on') + + fos.login(host, username, password) + + +def filter_system_settings_data(json): + option_list = ['allow-subnet-overlap', 'asymroute', 'asymroute-icmp', + 'asymroute6', 'asymroute6-icmp', 'bfd', + 'bfd-desired-min-tx', 'bfd-detect-mult', 'bfd-dont-enforce-src-port', + 'bfd-required-min-rx', 'block-land-attack', 'central-nat', + 'comments', 'compliance-check', 'default-voip-alg-mode', + 'deny-tcp-with-icmp', 'device', 'dhcp-proxy', + 'dhcp-server-ip', 'dhcp6-server-ip', 'discovered-device-timeout', + 'ecmp-max-paths', 'email-portal-check-dns', 'firewall-session-dirty', + 'fw-session-hairpin', 'gateway', 'gateway6', + 'gui-advanced-policy', 'gui-allow-unnamed-policy', 'gui-antivirus', + 'gui-ap-profile', 'gui-application-control', 'gui-default-policy-columns', + 'gui-dhcp-advanced', 'gui-dlp', 'gui-dns-database', + 'gui-dnsfilter', 'gui-domain-ip-reputation', 'gui-dos-policy', + 'gui-dynamic-profile-display', 'gui-dynamic-routing', 'gui-email-collection', + 'gui-endpoint-control', 'gui-endpoint-control-advanced', 'gui-explicit-proxy', + 'gui-fortiap-split-tunneling', 'gui-fortiextender-controller', 'gui-icap', + 'gui-implicit-policy', 'gui-ips', 'gui-load-balance', + 'gui-local-in-policy', 'gui-local-reports', 'gui-multicast-policy', + 'gui-multiple-interface-policy', 'gui-multiple-utm-profiles', 'gui-nat46-64', + 'gui-object-colors', 'gui-policy-based-ipsec', 'gui-policy-learning', + 'gui-replacement-message-groups', 'gui-spamfilter', 'gui-sslvpn-personal-bookmarks', + 'gui-sslvpn-realms', 'gui-switch-controller', 'gui-threat-weight', + 'gui-traffic-shaping', 'gui-voip-profile', 'gui-vpn', + 'gui-waf-profile', 'gui-wan-load-balancing', 'gui-wanopt-cache', + 'gui-webfilter', 'gui-webfilter-advanced', 'gui-wireless-controller', + 'http-external-dest', 'ike-dn-format', 'ike-quick-crash-detect', + 'ike-session-resume', 'implicit-allow-dns', 'inspection-mode', + 'ip', 'ip6', 'link-down-access', + 'lldp-transmission', 'mac-ttl', 'manageip', + 'manageip6', 'multicast-forward', 'multicast-skip-policy', + 'multicast-ttl-notchange', 'ngfw-mode', 'opmode', + 'prp-trailer-action', 'sccp-port', 'ses-denied-traffic', + 'sip-helper', 'sip-nat-trace', 'sip-ssl-port', + 'sip-tcp-port', 'sip-udp-port', 'snat-hairpin-traffic', + 'ssl-ssh-profile', 'status', 'strict-src-check', + 'tcp-session-without-syn', 'utf8-spam-tagging', 'v4-ecmp-mode', + 'vpn-stats-log', 'vpn-stats-period', 'wccp-cache-engine'] + dictionary = {} + + for attribute in option_list: + if attribute in json and json[attribute] is not None: + dictionary[attribute] = json[attribute] + + return dictionary + + +def system_settings(data, fos): + vdom = data['vdom'] + system_settings_data = data['system_settings'] + filtered_data = filter_system_settings_data(system_settings_data) + return fos.set('system', + 'settings', + data=filtered_data, + vdom=vdom) + + +def fortios_system(data, fos): + login(data) + + methodlist = ['system_settings'] + for method in methodlist: + if data[method]: + resp = eval(method)(data, fos) + break + + fos.logout() + return not resp['status'] == "success", resp['status'] == "success", resp + + +def main(): + fields = { + "host": {"required": True, "type": "str"}, + "username": {"required": True, "type": "str"}, + "password": {"required": False, "type": "str", "no_log": True}, + "vdom": {"required": False, "type": "str", "default": "root"}, + "https": {"required": False, "type": "bool", "default": True}, + "system_settings": { + "required": False, "type": "dict", + "options": { + "allow-subnet-overlap": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "asymroute": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "asymroute-icmp": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "asymroute6": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "asymroute6-icmp": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "bfd": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "bfd-desired-min-tx": {"required": False, "type": "int"}, + "bfd-detect-mult": {"required": False, "type": "int"}, + "bfd-dont-enforce-src-port": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "bfd-required-min-rx": {"required": False, "type": "int"}, + "block-land-attack": {"required": False, "type": "str", + "choices": ["disable", "enable"]}, + "central-nat": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "comments": {"required": False, "type": "str"}, + "compliance-check": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "default-voip-alg-mode": {"required": False, "type": "str", + "choices": ["proxy-based", "kernel-helper-based"]}, + "deny-tcp-with-icmp": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "device": {"required": False, "type": "str"}, + "dhcp-proxy": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "dhcp-server-ip": {"required": False, "type": "str"}, + "dhcp6-server-ip": {"required": False, "type": "str"}, + "discovered-device-timeout": {"required": False, "type": "int"}, + "ecmp-max-paths": {"required": False, "type": "int"}, + "email-portal-check-dns": {"required": False, "type": "str", + "choices": ["disable", "enable"]}, + "firewall-session-dirty": {"required": False, "type": "str", + "choices": ["check-all", "check-new", "check-policy-option"]}, + "fw-session-hairpin": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gateway": {"required": False, "type": "str"}, + "gateway6": {"required": False, "type": "str"}, + "gui-advanced-policy": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-allow-unnamed-policy": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-antivirus": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-ap-profile": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-application-control": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-default-policy-columns": {"required": False, "type": "list", + "options": { + "name": {"required": True, "type": "str"} + }}, + "gui-dhcp-advanced": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-dlp": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-dns-database": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-dnsfilter": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-domain-ip-reputation": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-dos-policy": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-dynamic-profile-display": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-dynamic-routing": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-email-collection": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-endpoint-control": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-endpoint-control-advanced": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-explicit-proxy": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-fortiap-split-tunneling": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-fortiextender-controller": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-icap": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-implicit-policy": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-ips": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-load-balance": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-local-in-policy": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-local-reports": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-multicast-policy": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-multiple-interface-policy": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-multiple-utm-profiles": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-nat46-64": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-object-colors": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-policy-based-ipsec": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-policy-learning": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-replacement-message-groups": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-spamfilter": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-sslvpn-personal-bookmarks": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-sslvpn-realms": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-switch-controller": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-threat-weight": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-traffic-shaping": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-voip-profile": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-vpn": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-waf-profile": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-wan-load-balancing": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-wanopt-cache": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-webfilter": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-webfilter-advanced": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "gui-wireless-controller": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "http-external-dest": {"required": False, "type": "str", + "choices": ["fortiweb", "forticache"]}, + "ike-dn-format": {"required": False, "type": "str", + "choices": ["with-space", "no-space"]}, + "ike-quick-crash-detect": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "ike-session-resume": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "implicit-allow-dns": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "inspection-mode": {"required": False, "type": "str", + "choices": ["proxy", "flow"]}, + "ip": {"required": False, "type": "str"}, + "ip6": {"required": False, "type": "str"}, + "link-down-access": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "lldp-transmission": {"required": False, "type": "str", + "choices": ["enable", "disable", "global"]}, + "mac-ttl": {"required": False, "type": "int"}, + "manageip": {"required": False, "type": "str"}, + "manageip6": {"required": False, "type": "str"}, + "multicast-forward": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "multicast-skip-policy": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "multicast-ttl-notchange": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "ngfw-mode": {"required": False, "type": "str", + "choices": ["profile-based", "policy-based"]}, + "opmode": {"required": False, "type": "str", + "choices": ["nat", "transparent"]}, + "prp-trailer-action": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "sccp-port": {"required": False, "type": "int"}, + "ses-denied-traffic": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "sip-helper": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "sip-nat-trace": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "sip-ssl-port": {"required": False, "type": "int"}, + "sip-tcp-port": {"required": False, "type": "int"}, + "sip-udp-port": {"required": False, "type": "int"}, + "snat-hairpin-traffic": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "ssl-ssh-profile": {"required": False, "type": "str"}, + "status": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "strict-src-check": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "tcp-session-without-syn": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "utf8-spam-tagging": {"required": False, "type": "str", + "choices": ["enable", "disable"]}, + "v4-ecmp-mode": {"required": False, "type": "str", + "choices": ["source-ip-based", "weight-based", "usage-based", + "source-dest-ip-based"]}, + "vpn-stats-log": {"required": False, "type": "str", + "choices": ["ipsec", "pptp", "l2tp", + "ssl"]}, + "vpn-stats-period": {"required": False, "type": "int"}, + "wccp-cache-engine": {"required": False, "type": "str", + "choices": ["enable", "disable"]} + + } + } + } + + module = AnsibleModule(argument_spec=fields, + supports_check_mode=False) + try: + from fortiosapi import FortiOSAPI + except ImportError: + module.fail_json(msg="fortiosapi module is required") + + global fos + fos = FortiOSAPI() + + is_error, has_changed, result = fortios_system(module.params, fos) + + if not is_error: + module.exit_json(changed=has_changed, meta=result) + else: + module.fail_json(msg="Error in repo", meta=result) + + +if __name__ == '__main__': + main()