#!/usr/bin/python # # This file is part of Ansible # # Ansible is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Ansible is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . # from __future__ import absolute_import, division, print_function __metaclass__ = type ANSIBLE_METADATA = {'status': ['preview'], 'supported_by': 'community', 'metadata_version': '1.1'} DOCUMENTATION = ''' --- module: fmgr_fwpol_ipv4 notes: - Full Documentation at U(https://ftnt-ansible-docs.readthedocs.io/en/latest/). author: - Luke Weighall (@lweighall) - Andrew Welsh (@Ghilli3) - Jim Huber (@p4r4n0y1ng) short_description: Allows the add/delete of Firewall Policies on Packages in FortiManager. description: - Allows the add/delete of Firewall Policies on Packages in FortiManager. options: adom: description: - The ADOM the configuration should belong to. required: false default: root mode: description: - Sets one of three modes for managing the object. - Allows use of soft-adds instead of overwriting existing values choices: ['add', 'set', 'delete', 'update'] required: false default: add package_name: description: - The policy package you want to modify required: false default: "default" fail_on_missing_dependency: description: - Normal behavior is to "skip" tasks that fail dependency checks, so other tasks can run. - If set to "enabled" if a failed dependency check happeens, Ansible will exit as with failure instead of skip. 
required: false default: "disable" choices: ["enable", "disable"] wsso: description: - Enable/disable WiFi Single Sign On (WSSO). - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] webfilter_profile: description: - Name of an existing Web filter profile. required: false webcache_https: description: - Enable/disable web cache for HTTPS. - choice | disable | Disable web cache for HTTPS. - choice | enable | Enable web cache for HTTPS. required: false choices: ["disable", "enable"] webcache: description: - Enable/disable web cache. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] wccp: description: - Enable/disable forwarding traffic matching this policy to a configured WCCP server. - choice | disable | Disable WCCP setting. - choice | enable | Enable WCCP setting. required: false choices: ["disable", "enable"] wanopt_profile: description: - WAN optimization profile. required: false wanopt_peer: description: - WAN optimization peer. required: false wanopt_passive_opt: description: - WAN optimization passive mode options. This option decides what IP address will be used to connect server. - choice | default | Allow client side WAN opt peer to decide. - choice | transparent | Use address of client to connect to server. - choice | non-transparent | Use local FortiGate address to connect to server. required: false choices: ["default", "transparent", "non-transparent"] wanopt_detection: description: - WAN optimization auto-detection mode. - choice | active | Active WAN optimization peer auto-detection. - choice | passive | Passive WAN optimization peer auto-detection. - choice | off | Turn off WAN optimization peer auto-detection. required: false choices: ["active", "passive", "off"] wanopt: description: - Enable/disable WAN optimization. - choice | disable | Disable setting. - choice | enable | Enable setting. 
required: false choices: ["disable", "enable"] waf_profile: description: - Name of an existing Web application firewall profile. required: false vpntunnel: description: - Policy-based IPsec VPN | name of the IPsec VPN Phase 1. required: false voip_profile: description: - Name of an existing VoIP profile. required: false vlan_filter: description: - Set VLAN filters. required: false vlan_cos_rev: description: - VLAN reverse direction user priority | 255 passthrough, 0 lowest, 7 highest.. required: false vlan_cos_fwd: description: - VLAN forward direction user priority | 255 passthrough, 0 lowest, 7 highest. required: false utm_status: description: - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] users: description: - Names of individual users that can authenticate with this policy. required: false url_category: description: - URL category ID list. required: false traffic_shaper_reverse: description: - Reverse traffic shaper. required: false traffic_shaper: description: - Traffic shaper. required: false timeout_send_rst: description: - Enable/disable sending RST packets when TCP sessions expire. - choice | disable | Disable sending of RST packet upon TCP session expiration. - choice | enable | Enable sending of RST packet upon TCP session expiration. required: false choices: ["disable", "enable"] tcp_session_without_syn: description: - Enable/disable creation of TCP session without SYN flag. - choice | all | Enable TCP session without SYN. - choice | data-only | Enable TCP session data only. - choice | disable | Disable TCP session without SYN. required: false choices: ["all", "data-only", "disable"] tcp_mss_sender: description: - Sender TCP maximum segment size (MSS). required: false tcp_mss_receiver: description: - Receiver TCP maximum segment size (MSS). 
required: false status: description: - Enable or disable this policy. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] ssl_ssh_profile: description: - Name of an existing SSL SSH profile. required: false ssl_mirror_intf: description: - SSL mirror interface name. required: false ssl_mirror: description: - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). - choice | disable | Disable SSL mirror. - choice | enable | Enable SSL mirror. required: false choices: ["disable", "enable"] ssh_filter_profile: description: - Name of an existing SSH filter profile. required: false srcintf: description: - Incoming (ingress) interface. required: false srcaddr_negate: description: - When enabled srcaddr specifies what the source address must NOT be. - choice | disable | Disable source address negate. - choice | enable | Enable source address negate. required: false choices: ["disable", "enable"] srcaddr: description: - Source address and address group names. required: false spamfilter_profile: description: - Name of an existing Spam filter profile. required: false session_ttl: description: - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). required: false service_negate: description: - When enabled service specifies what the service must NOT be. - choice | disable | Disable negated service match. - choice | enable | Enable negated service match. required: false choices: ["disable", "enable"] service: description: - Service and service group names. required: false send_deny_packet: description: - Enable to send a reply when a session is denied or blocked by a firewall policy. - choice | disable | Disable deny-packet sending. - choice | enable | Enable deny-packet sending. required: false choices: ["disable", "enable"] schedule_timeout: description: - Enable to force current sessions to end when the schedule object times out. 
- choice | disable | Disable schedule timeout. - choice | enable | Enable schedule timeout. required: false choices: ["disable", "enable"] schedule: description: - Schedule name. required: false scan_botnet_connections: description: - Block or monitor connections to Botnet servers or disable Botnet scanning. - choice | disable | Do not scan connections to botnet servers. - choice | block | Block connections to botnet servers. - choice | monitor | Log connections to botnet servers. required: false choices: ["disable", "block", "monitor"] rtp_nat: description: - Enable Real Time Protocol (RTP) NAT. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] rtp_addr: description: - Address names if this is an RTP NAT policy. required: false rsso: description: - Enable/disable RADIUS single sign-on (RSSO). - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] replacemsg_override_group: description: - Override the default replacement message group for this policy. required: false redirect_url: description: - URL users are directed to after seeing and accepting the disclaimer or authenticating. required: false radius_mac_auth_bypass: description: - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. - choice | disable | Disable MAC authentication bypass. - choice | enable | Enable MAC authentication bypass. required: false choices: ["disable", "enable"] profile_type: description: - Determine whether the firewall policy allows security profile groups or single profiles only. - choice | single | Do not allow security profile groups. - choice | group | Allow security profile groups. required: false choices: ["single", "group"] profile_protocol_options: description: - Name of an existing Protocol options profile. required: false profile_group: description: - Name of profile group. 
required: false poolname: description: - IP Pool names. required: false policyid: description: - Policy ID. required: false permit_stun_host: description: - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] permit_any_host: description: - Accept UDP packets from any host. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] per_ip_shaper: description: - Per-IP traffic shaper. required: false outbound: description: - Policy-based IPsec VPN | only traffic from the internal network can initiate a VPN. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] ntlm_guest: description: - Enable/disable NTLM guest user access. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] ntlm_enabled_browsers: description: - HTTP-User-Agent value of supported browsers. required: false ntlm: description: - Enable/disable NTLM authentication. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] np_acceleration: description: - Enable/disable UTM Network Processor acceleration. - choice | disable | Disable UTM Network Processor acceleration. - choice | enable | Enable UTM Network Processor acceleration. required: false choices: ["disable", "enable"] natoutbound: description: - Policy-based IPsec VPN | apply source NAT to outbound traffic. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] natip: description: - Policy-based IPsec VPN | source NAT IP address for outgoing traffic. required: false natinbound: description: - Policy-based IPsec VPN | apply destination NAT to inbound traffic. 
- choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] nat: description: - Enable/disable source NAT. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] name: description: - Policy name. required: false mms_profile: description: - Name of an existing MMS profile. required: false match_vip: description: - Enable to match packets that have had their destination addresses changed by a VIP. - choice | disable | Do not match DNATed packet. - choice | enable | Match DNATed packet. required: false choices: ["disable", "enable"] logtraffic_start: description: - Record logs when a session starts and ends. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] logtraffic: description: - Enable or disable logging. Log all sessions or security profile sessions. - choice | disable | Disable all logging for this policy. - choice | all | Log all sessions accepted or denied by this policy. - choice | utm | Log traffic that has a security profile applied to it. required: false choices: ["disable", "all", "utm"] learning_mode: description: - Enable to allow everything, but log all of the meaningful data for security information gathering. - choice | disable | Disable learning mode in firewall policy. - choice | enable | Enable learning mode in firewall policy. required: false choices: ["disable", "enable"] label: description: - Label for the policy that appears when the GUI is in Section View mode. required: false ips_sensor: description: - Name of an existing IPS sensor. required: false ippool: description: - Enable to use IP Pools for source NAT. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] internet_service_src_negate: description: - When enabled internet-service-src specifies what the service must NOT be. 
- choice | disable | Disable negated Internet Service source match. - choice | enable | Enable negated Internet Service source match. required: false choices: ["disable", "enable"] internet_service_src_id: description: - Internet Service source ID. required: false internet_service_src_custom: description: - Custom Internet Service source name. required: false internet_service_src: description: - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. - choice | disable | Disable use of Internet Services source in policy. - choice | enable | Enable use of Internet Services source in policy. required: false choices: ["disable", "enable"] internet_service_negate: description: - When enabled internet-service specifies what the service must NOT be. - choice | disable | Disable negated Internet Service match. - choice | enable | Enable negated Internet Service match. required: false choices: ["disable", "enable"] internet_service_id: description: - Internet Service ID. required: false internet_service_custom: description: - Custom Internet Service name. required: false internet_service: description: - Enable/disable use of Internet Services for this policy. If enabled, dstaddr and service are not used. - choice | disable | Disable use of Internet Services in policy. - choice | enable | Enable use of Internet Services in policy. required: false choices: ["disable", "enable"] inbound: description: - Policy-based IPsec VPN | only traffic from the remote network can initiate a VPN. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] identity_based_route: description: - Name of identity-based routing rule. required: false icap_profile: description: - Name of an existing ICAP profile. required: false gtp_profile: description: - GTP profile. required: false groups: description: - Names of user groups that can authenticate with this policy. 
required: false global_label: description: - Label for the policy that appears when the GUI is in Global View mode. required: false fsso_agent_for_ntlm: description: - FSSO agent to use for NTLM authentication. required: false fsso: description: - Enable/disable Fortinet Single Sign-On. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] fixedport: description: - Enable to prevent source NAT from changing a session's source port. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] firewall_session_dirty: description: - How to handle sessions if the configuration of this firewall policy changes. - choice | check-all | Flush all current sessions accepted by this policy. - choice | check-new | Continue to allow sessions already accepted by this policy. required: false choices: ["check-all", "check-new"] dstintf: description: - Outgoing (egress) interface. required: false dstaddr_negate: description: - When enabled dstaddr specifies what the destination address must NOT be. - choice | disable | Disable destination address negate. - choice | enable | Enable destination address negate. required: false choices: ["disable", "enable"] dstaddr: description: - Destination address and address group names. required: false dsri: description: - Enable DSRI to ignore HTTP server responses. - choice | disable | Disable DSRI. - choice | enable | Enable DSRI. required: false choices: ["disable", "enable"] dscp_value: description: - DSCP value. required: false dscp_negate: description: - Enable negated DSCP match. - choice | disable | Disable DSCP negate. - choice | enable | Enable DSCP negate. required: false choices: ["disable", "enable"] dscp_match: description: - Enable DSCP check. - choice | disable | Disable DSCP check. - choice | enable | Enable DSCP check. 
required: false
    choices: ["disable", "enable"]

  dnsfilter_profile:
    description:
      - Name of an existing DNS filter profile.
    required: false

  dlp_sensor:
    description:
      - Name of an existing DLP sensor.
    required: false

  disclaimer:
    description:
      - Enable/disable user authentication disclaimer.
      - choice | disable | Disable user authentication disclaimer.
      - choice | enable | Enable user authentication disclaimer.
    required: false
    choices: ["disable", "enable"]

  diffservcode_rev:
    description:
      - Change packet's reverse (reply) DiffServ to this value.
    required: false

  diffservcode_forward:
    description:
      - Change packet's DiffServ to this value.
    required: false

  diffserv_reverse:
    description:
      - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  diffserv_forward:
    description:
      - Enable to change packet's DiffServ values to the specified diffservcode-forward value.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  devices:
    description:
      - Names of devices or device groups that can be matched by the policy.
    required: false

  delay_tcp_npu_session:
    description:
      - Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
      - choice | disable | Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
      - choice | enable | Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
    required: false
    choices: ["disable", "enable"]

  custom_log_fields:
    description:
      - Custom fields to append to log messages for this policy.
    required: false

  comments:
    description:
      - Comment.
    required: false

  capture_packet:
    description:
      - Enable/disable capture packets.
      - choice | disable | Disable capture packets.
      - choice | enable | Enable capture packets.
required: false choices: ["disable", "enable"] captive_portal_exempt: description: - Enable to exempt some users from the captive portal. - choice | disable | Disable exemption of captive portal. - choice | enable | Enable exemption of captive portal. required: false choices: ["disable", "enable"] block_notification: description: - Enable/disable block notification. - choice | disable | Disable setting. - choice | enable | Enable setting. required: false choices: ["disable", "enable"] av_profile: description: - Name of an existing Antivirus profile. required: false auto_asic_offload: description: - Enable/disable offloading security profile processing to CP processors. - choice | disable | Disable ASIC offloading. - choice | enable | Enable auto ASIC offloading. required: false choices: ["disable", "enable"] auth_redirect_addr: description: - HTTP-to-HTTPS redirect address for firewall authentication. required: false auth_path: description: - Enable/disable authentication-based routing. - choice | disable | Disable authentication-based routing. - choice | enable | Enable authentication-based routing. required: false choices: ["disable", "enable"] auth_cert: description: - HTTPS server certificate for policy authentication. required: false application_list: description: - Name of an existing Application list. required: false application: description: - Application ID list. required: false app_group: description: - Application group names. required: false app_category: description: - Application category ID list. required: false action: description: - Policy action (allow/deny/ipsec). - choice | deny | Blocks sessions that match the firewall policy. - choice | accept | Allows session that match the firewall policy. - choice | ipsec | Firewall policy becomes a policy-based IPsec VPN policy. required: false choices: ["deny", "accept", "ipsec"] vpn_dst_node: description: - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! 
- List of multiple child objects to be added. Expects a list of dictionaries.
      - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
      - If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.
      - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    required: false

  vpn_dst_node_host:
    description:
      - VPN Destination Node Host.
    required: false

  vpn_dst_node_seq:
    description:
      - VPN Destination Node Seq.
    required: false

  vpn_dst_node_subnet:
    description:
      - VPN Destination Node Subnet.
    required: false

  vpn_src_node:
    description:
      - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
      - List of multiple child objects to be added. Expects a list of dictionaries.
      - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
      - If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.
      - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    required: false

  vpn_src_node_host:
    description:
      - VPN Source Node Host.
    required: false

  vpn_src_node_seq:
    description:
      - VPN Source Node Seq.
    required: false

  vpn_src_node_subnet:
    description:
      - VPN Source Node Subnet.
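required: false
'''

EXAMPLES = '''
- name: ADD VERY BASIC IPV4 POLICY WITH NO NAT (WIDE OPEN)
  # NOTE: srcaddr/dstaddr "all" on srcintf/dstintf "any" with service "ALL" and
  # action "accept" permits every flow through this package.  This is a
  # demonstration policy, not a template.  Also, logtraffic "utm" only records
  # sessions that hit a security profile and this policy attaches none, so as
  # written nothing is logged; use logtraffic "all" if you want visibility.
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "all"
    srcaddr: "all"
    dstintf: "any"
    srcintf: "any"
    logtraffic: "utm"
    service: "ALL"
    schedule: "always"

- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy_2"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "google-play"
    srcaddr: "all"
    dstintf: "any"
    srcintf: "any"
    logtraffic: "utm"
    service: "HTTP, HTTPS"
    schedule: "always"
    nat: "enable"
    users: "karen, kevin"

- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES AND SEC PROFILES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy_3"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "google-play, autoupdate.opera.com"
    srcaddr: "corp_internal"
    dstintf: "zone_wan1, zone_wan2"
    srcintf: "zone_int1"
    logtraffic: "utm"
    service: "HTTP, HTTPS"
    schedule: "always"
    nat: "enable"
    users: "karen, kevin"
    av_profile: "sniffer-profile"
    ips_sensor: "default"
'''

RETURN = """
api_result:
  description: full API response, includes status code and message
  returned: always
  type: str
"""

from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.connection import Connection
from ansible_collections.fortinet.fortios.plugins.module_utils.fortimanager.fortimanager import FortiManagerHandler
from ansible_collections.fortinet.fortios.plugins.module_utils.fortimanager.common import FMGBaseException
from ansible_collections.fortinet.fortios.plugins.module_utils.fortimanager.common import FMGRCommon
from ansible_collections.fortinet.fortios.plugins.module_utils.fortimanager.common import FMGRMethods
from ansible_collections.fortinet.fortios.plugins.module_utils.fortimanager.common import DEFAULT_RESULT_OBJ
from \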
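ansible_collections.fortinet.fortios.plugins.module_utils.fortimanager.common import FAIL_SOCKET_MSG
from ansible_collections.fortinet.fortios.plugins.module_utils.fortimanager.common import prepare_dict
from ansible_collections.fortinet.fortios.plugins.module_utils.fortimanager.common import scrub_dict


def fmgr_firewall_policy_modify(fmgr, paramgram):
    """
    Add/set/update or delete an IPv4 firewall policy on a FortiManager policy package.

    The JSON-RPC URL is assembled by plain string formatting from ``paramgram["adom"]``,
    ``paramgram["package_name"]`` and, for ``mode == "delete"``, ``paramgram["policyid"]``.
    Nothing here validates those values: they are interpolated verbatim, so a value
    containing "/" (or "../") addresses a different object path than the option name
    suggests.  They originate from the playbook author, who is trusted, but they must
    not be fed from untrusted data without checking first.

    ``mode`` is restricted to add/set/delete/update by the argument_spec in main();
    the branches below assume that and send nothing useful for any other value.

    :param fmgr: The FortiManagerHandler instance used for the request.
    :type fmgr: FortiManagerHandler
    :param paramgram: Formatted option dictionary.  Keys read here: ``mode``, ``adom``,
        ``package_name`` and (delete only) ``policyid``.  For add/set/update the whole
        dictionary, after ``prepare_dict``/``scrub_dict``, becomes the request body.
    :type paramgram: dict
    :return: The response from the FortiManager, as returned by ``fmgr.process_request``.
    :rtype: dict
    :raises FMGBaseException: in delete mode when ``policyid`` is absent or empty.
        Previously the request was sent against ``.../policy/None`` instead.
    """
    mode = paramgram["mode"]
    adom = paramgram["adom"]
    package_name = paramgram["package_name"]

    # INIT A BASIC OBJECTS
    response = DEFAULT_RESULT_OBJ
    url = ""
    datagram = {}

    # EVAL THE MODE PARAMETER FOR SET OR ADD
    if mode in ['set', 'add', 'update']:
        url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy'.format(adom=adom, pkg=package_name)
        # prepare_dict/scrub_dict presumably strip unset options and normalise the
        # body (defined in module_utils, not visible here).  package_name is part of
        # the URL, not a policy attribute, so it must not go into the body.
        datagram = scrub_dict(prepare_dict(paramgram))
        del datagram["package_name"]
        # "a, b" style option strings (see srcaddr/service/users in EXAMPLES) are
        # turned into lists before being sent.
        datagram = fmgr._tools.split_comma_strings_into_lists(datagram)

    # EVAL THE MODE PARAMETER FOR DELETE
    elif mode == "delete":
        # A delete is addressed by policy ID only.  Refuse to build the URL without
        # one rather than emitting ".../policy/None" and letting FortiManager decide.
        policyid = paramgram.get("policyid")
        if policyid is None or str(policyid).strip() == "":
            raise FMGBaseException("mode=delete requires 'policyid' (the policy ID on the package)")
        url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \
              '/policy/{policyid}'.format(adom=adom, pkg=package_name, policyid=policyid)
        datagram = {
            "policyid": policyid
        }

    response = fmgr.process_request(url, datagram, mode)
    return response


#############
# END METHODS
#############


def main():
    argument_spec = dict(
        adom=dict(type="str", default="root"),
        mode=dict(choices=["add", "set", "delete", "update"], type="str", default="add"),
        package_name=dict(type="str", required=False, default="default"),
        fail_on_missing_dependency=dict(type="str", required=False, default="disable", choices=["enable", "disable"]),
        wsso=dict(required=False, type="str", choices=["disable", "enable"]),
        webfilter_profile=dict(required=False, type="str"),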
webcache_https=dict(required=False, type="str", choices=["disable", "enable"]), webcache=dict(required=False, type="str", choices=["disable", "enable"]), wccp=dict(required=False, type="str", choices=["disable", "enable"]), wanopt_profile=dict(required=False, type="str"), wanopt_peer=dict(required=False, type="str"), wanopt_passive_opt=dict(required=False, type="str", choices=["default", "transparent", "non-transparent"]), wanopt_detection=dict(required=False, type="str", choices=["active", "passive", "off"]), wanopt=dict(required=False, type="str", choices=["disable", "enable"]), waf_profile=dict(required=False, type="str"), vpntunnel=dict(required=False, type="str"), voip_profile=dict(required=False, type="str"), vlan_filter=dict(required=False, type="str"), vlan_cos_rev=dict(required=False, type="int"), vlan_cos_fwd=dict(required=False, type="int"), utm_status=dict(required=False, type="str", choices=["disable", "enable"]), users=dict(required=False, type="str"), url_category=dict(required=False, type="str"), traffic_shaper_reverse=dict(required=False, type="str"), traffic_shaper=dict(required=False, type="str"), timeout_send_rst=dict(required=False, type="str", choices=["disable", "enable"]), tcp_session_without_syn=dict(required=False, type="str", choices=["all", "data-only", "disable"]), tcp_mss_sender=dict(required=False, type="int"), tcp_mss_receiver=dict(required=False, type="int"), status=dict(required=False, type="str", choices=["disable", "enable"]), ssl_ssh_profile=dict(required=False, type="str"), ssl_mirror_intf=dict(required=False, type="str"), ssl_mirror=dict(required=False, type="str", choices=["disable", "enable"]), ssh_filter_profile=dict(required=False, type="str"), srcintf=dict(required=False, type="str"), srcaddr_negate=dict(required=False, type="str", choices=["disable", "enable"]), srcaddr=dict(required=False, type="str"), spamfilter_profile=dict(required=False, type="str"), session_ttl=dict(required=False, type="int"), 
service_negate=dict(required=False, type="str", choices=["disable", "enable"]), service=dict(required=False, type="str"), send_deny_packet=dict(required=False, type="str", choices=["disable", "enable"]), schedule_timeout=dict(required=False, type="str", choices=["disable", "enable"]), schedule=dict(required=False, type="str"), scan_botnet_connections=dict(required=False, type="str", choices=["disable", "block", "monitor"]), rtp_nat=dict(required=False, type="str", choices=["disable", "enable"]), rtp_addr=dict(required=False, type="str"), rsso=dict(required=False, type="str", choices=["disable", "enable"]), replacemsg_override_group=dict(required=False, type="str"), redirect_url=dict(required=False, type="str"), radius_mac_auth_bypass=dict(required=False, type="str", choices=["disable", "enable"]), profile_type=dict(required=False, type="str", choices=["single", "group"]), profile_protocol_options=dict(required=False, type="str"), profile_group=dict(required=False, type="str"), poolname=dict(required=False, type="str"), policyid=dict(required=False, type="str"), permit_stun_host=dict(required=False, type="str", choices=["disable", "enable"]), permit_any_host=dict(required=False, type="str", choices=["disable", "enable"]), per_ip_shaper=dict(required=False, type="str"), outbound=dict(required=False, type="str", choices=["disable", "enable"]), ntlm_guest=dict(required=False, type="str", choices=["disable", "enable"]), ntlm_enabled_browsers=dict(required=False, type="str"), ntlm=dict(required=False, type="str", choices=["disable", "enable"]), np_acceleration=dict(required=False, type="str", choices=["disable", "enable"]), natoutbound=dict(required=False, type="str", choices=["disable", "enable"]), natip=dict(required=False, type="str"), natinbound=dict(required=False, type="str", choices=["disable", "enable"]), nat=dict(required=False, type="str", choices=["disable", "enable"]), name=dict(required=False, type="str"), mms_profile=dict(required=False, type="str"), 
match_vip=dict(required=False, type="str", choices=["disable", "enable"]), logtraffic_start=dict(required=False, type="str", choices=["disable", "enable"]), logtraffic=dict(required=False, type="str", choices=["disable", "all", "utm"]), learning_mode=dict(required=False, type="str", choices=["disable", "enable"]), label=dict(required=False, type="str"), ips_sensor=dict(required=False, type="str"), ippool=dict(required=False, type="str", choices=["disable", "enable"]), internet_service_src_negate=dict(required=False, type="str", choices=["disable", "enable"]), internet_service_src_id=dict(required=False, type="str"), internet_service_src_custom=dict(required=False, type="str"), internet_service_src=dict(required=False, type="str", choices=["disable", "enable"]), internet_service_negate=dict(required=False, type="str", choices=["disable", "enable"]), internet_service_id=dict(required=False, type="str"), internet_service_custom=dict(required=False, type="str"), internet_service=dict(required=False, type="str", choices=["disable", "enable"]), inbound=dict(required=False, type="str", choices=["disable", "enable"]), identity_based_route=dict(required=False, type="str"), icap_profile=dict(required=False, type="str"), gtp_profile=dict(required=False, type="str"), groups=dict(required=False, type="str"), global_label=dict(required=False, type="str"), fsso_agent_for_ntlm=dict(required=False, type="str"), fsso=dict(required=False, type="str", choices=["disable", "enable"]), fixedport=dict(required=False, type="str", choices=["disable", "enable"]), firewall_session_dirty=dict(required=False, type="str", choices=["check-all", "check-new"]), dstintf=dict(required=False, type="str"), dstaddr_negate=dict(required=False, type="str", choices=["disable", "enable"]), dstaddr=dict(required=False, type="str"), dsri=dict(required=False, type="str", choices=["disable", "enable"]), dscp_value=dict(required=False, type="str"), dscp_negate=dict(required=False, type="str", choices=["disable", 
"enable"]), dscp_match=dict(required=False, type="str", choices=["disable", "enable"]), dnsfilter_profile=dict(required=False, type="str"), dlp_sensor=dict(required=False, type="str"), disclaimer=dict(required=False, type="str", choices=["disable", "enable"]), diffservcode_rev=dict(required=False, type="str"), diffservcode_forward=dict(required=False, type="str"), diffserv_reverse=dict(required=False, type="str", choices=["disable", "enable"]), diffserv_forward=dict(required=False, type="str", choices=["disable", "enable"]), devices=dict(required=False, type="str"), delay_tcp_npu_session=dict(required=False, type="str", choices=["disable", "enable"]), custom_log_fields=dict(required=False, type="str"), comments=dict(required=False, type="str"), capture_packet=dict(required=False, type="str", choices=["disable", "enable"]), captive_portal_exempt=dict(required=False, type="str", choices=["disable", "enable"]), block_notification=dict(required=False, type="str", choices=["disable", "enable"]), av_profile=dict(required=False, type="str"), auto_asic_offload=dict(required=False, type="str", choices=["disable", "enable"]), auth_redirect_addr=dict(required=False, type="str"), auth_path=dict(required=False, type="str", choices=["disable", "enable"]), auth_cert=dict(required=False, type="str"), application_list=dict(required=False, type="str"), application=dict(required=False, type="str"), app_group=dict(required=False, type="str"), app_category=dict(required=False, type="str"), action=dict(required=False, type="str", choices=["deny", "accept", "ipsec"]), vpn_dst_node=dict(required=False, type="list"), vpn_dst_node_host=dict(required=False, type="str"), vpn_dst_node_seq=dict(required=False, type="str"), vpn_dst_node_subnet=dict(required=False, type="str"), vpn_src_node=dict(required=False, type="list"), vpn_src_node_host=dict(required=False, type="str"), vpn_src_node_seq=dict(required=False, type="str"), vpn_src_node_subnet=dict(required=False, type="str"), ) module = 
AnsibleModule(argument_spec=argument_spec, supports_check_mode=False, ) # MODULE PARAMGRAM paramgram = { "mode": module.params["mode"], "adom": module.params["adom"], "package_name": module.params["package_name"], "wsso": module.params["wsso"], "webfilter-profile": module.params["webfilter_profile"], "webcache-https": module.params["webcache_https"], "webcache": module.params["webcache"], "wccp": module.params["wccp"], "wanopt-profile": module.params["wanopt_profile"], "wanopt-peer": module.params["wanopt_peer"], "wanopt-passive-opt": module.params["wanopt_passive_opt"], "wanopt-detection": module.params["wanopt_detection"], "wanopt": module.params["wanopt"], "waf-profile": module.params["waf_profile"], "vpntunnel": module.params["vpntunnel"], "voip-profile": module.params["voip_profile"], "vlan-filter": module.params["vlan_filter"], "vlan-cos-rev": module.params["vlan_cos_rev"], "vlan-cos-fwd": module.params["vlan_cos_fwd"], "utm-status": module.params["utm_status"], "users": module.params["users"], "url-category": module.params["url_category"], "traffic-shaper-reverse": module.params["traffic_shaper_reverse"], "traffic-shaper": module.params["traffic_shaper"], "timeout-send-rst": module.params["timeout_send_rst"], "tcp-session-without-syn": module.params["tcp_session_without_syn"], "tcp-mss-sender": module.params["tcp_mss_sender"], "tcp-mss-receiver": module.params["tcp_mss_receiver"], "status": module.params["status"], "ssl-ssh-profile": module.params["ssl_ssh_profile"], "ssl-mirror-intf": module.params["ssl_mirror_intf"], "ssl-mirror": module.params["ssl_mirror"], "ssh-filter-profile": module.params["ssh_filter_profile"], "srcintf": module.params["srcintf"], "srcaddr-negate": module.params["srcaddr_negate"], "srcaddr": module.params["srcaddr"], "spamfilter-profile": module.params["spamfilter_profile"], "session-ttl": module.params["session_ttl"], "service-negate": module.params["service_negate"], "service": module.params["service"], "send-deny-packet": 
module.params["send_deny_packet"], "schedule-timeout": module.params["schedule_timeout"], "schedule": module.params["schedule"], "scan-botnet-connections": module.params["scan_botnet_connections"], "rtp-nat": module.params["rtp_nat"], "rtp-addr": module.params["rtp_addr"], "rsso": module.params["rsso"], "replacemsg-override-group": module.params["replacemsg_override_group"], "redirect-url": module.params["redirect_url"], "radius-mac-auth-bypass": module.params["radius_mac_auth_bypass"], "profile-type": module.params["profile_type"], "profile-protocol-options": module.params["profile_protocol_options"], "profile-group": module.params["profile_group"], "poolname": module.params["poolname"], "policyid": module.params["policyid"], "permit-stun-host": module.params["permit_stun_host"], "permit-any-host": module.params["permit_any_host"], "per-ip-shaper": module.params["per_ip_shaper"], "outbound": module.params["outbound"], "ntlm-guest": module.params["ntlm_guest"], "ntlm-enabled-browsers": module.params["ntlm_enabled_browsers"], "ntlm": module.params["ntlm"], "np-acceleration": module.params["np_acceleration"], "natoutbound": module.params["natoutbound"], "natip": module.params["natip"], "natinbound": module.params["natinbound"], "nat": module.params["nat"], "name": module.params["name"], "mms-profile": module.params["mms_profile"], "match-vip": module.params["match_vip"], "logtraffic-start": module.params["logtraffic_start"], "logtraffic": module.params["logtraffic"], "learning-mode": module.params["learning_mode"], "label": module.params["label"], "ips-sensor": module.params["ips_sensor"], "ippool": module.params["ippool"], "internet-service-src-negate": module.params["internet_service_src_negate"], "internet-service-src-id": module.params["internet_service_src_id"], "internet-service-src-custom": module.params["internet_service_src_custom"], "internet-service-src": module.params["internet_service_src"], "internet-service-negate": 
module.params["internet_service_negate"], "internet-service-id": module.params["internet_service_id"], "internet-service-custom": module.params["internet_service_custom"], "internet-service": module.params["internet_service"], "inbound": module.params["inbound"], "identity-based-route": module.params["identity_based_route"], "icap-profile": module.params["icap_profile"], "gtp-profile": module.params["gtp_profile"], "groups": module.params["groups"], "global-label": module.params["global_label"], "fsso-agent-for-ntlm": module.params["fsso_agent_for_ntlm"], "fsso": module.params["fsso"], "fixedport": module.params["fixedport"], "firewall-session-dirty": module.params["firewall_session_dirty"], "dstintf": module.params["dstintf"], "dstaddr-negate": module.params["dstaddr_negate"], "dstaddr": module.params["dstaddr"], "dsri": module.params["dsri"], "dscp-value": module.params["dscp_value"], "dscp-negate": module.params["dscp_negate"], "dscp-match": module.params["dscp_match"], "dnsfilter-profile": module.params["dnsfilter_profile"], "dlp-sensor": module.params["dlp_sensor"], "disclaimer": module.params["disclaimer"], "diffservcode-rev": module.params["diffservcode_rev"], "diffservcode-forward": module.params["diffservcode_forward"], "diffserv-reverse": module.params["diffserv_reverse"], "diffserv-forward": module.params["diffserv_forward"], "devices": module.params["devices"], "delay-tcp-npu-session": module.params["delay_tcp_npu_session"], "custom-log-fields": module.params["custom_log_fields"], "comments": module.params["comments"], "capture-packet": module.params["capture_packet"], "captive-portal-exempt": module.params["captive_portal_exempt"], "block-notification": module.params["block_notification"], "av-profile": module.params["av_profile"], "auto-asic-offload": module.params["auto_asic_offload"], "auth-redirect-addr": module.params["auth_redirect_addr"], "auth-path": module.params["auth_path"], "auth-cert": module.params["auth_cert"], "application-list": 
module.params["application_list"], "application": module.params["application"], "app-group": module.params["app_group"], "app-category": module.params["app_category"], "action": module.params["action"], "vpn_dst_node": { "host": module.params["vpn_dst_node_host"], "seq": module.params["vpn_dst_node_seq"], "subnet": module.params["vpn_dst_node_subnet"], }, "vpn_src_node": { "host": module.params["vpn_src_node_host"], "seq": module.params["vpn_src_node_seq"], "subnet": module.params["vpn_src_node_subnet"], } } module.paramgram = paramgram fmgr = None if module._socket_path: connection = Connection(module._socket_path) fmgr = FortiManagerHandler(connection, module) fmgr.tools = FMGRCommon() else: module.fail_json(**FAIL_SOCKET_MSG) list_overrides = ['vpn_dst_node', 'vpn_src_node'] paramgram = fmgr.tools.paramgram_child_list_override(list_overrides=list_overrides, paramgram=paramgram, module=module) # BEGIN MODULE-SPECIFIC LOGIC -- THINGS NEED TO HAPPEN DEPENDING ON THE ENDPOINT AND OPERATION results = DEFAULT_RESULT_OBJ try: if paramgram["mode"] == "delete": # WE NEED TO GET THE POLICY ID FROM THE NAME OF THE POLICY TO DELETE IT url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \ '/policy/'.format(adom=paramgram["adom"], pkg=paramgram["package_name"]) datagram = { "filter": ["name", "==", paramgram["name"]] } response = fmgr.process_request(url, datagram, FMGRMethods.GET) try: if response[1][0]["policyid"]: policy_id = response[1][0]["policyid"] paramgram["policyid"] = policy_id except BaseException: fmgr.return_response(module=module, results=response, good_codes=[0, ], stop_on_success=True, ansible_facts=fmgr.construct_ansible_facts(results, module.params, paramgram), msg="Couldn't find policy ID number for policy name specified.") except Exception as err: raise FMGBaseException(err) try: results = fmgr_firewall_policy_modify(fmgr, paramgram) if module.params["fail_on_missing_dependency"] == "disable": fmgr.govern_response(module=module, results=results, 
good_codes=[0, -9998], ansible_facts=fmgr.construct_ansible_facts(results, module.params, paramgram)) if module.params["fail_on_missing_dependency"] == "enable" and results[0] == -10131: fmgr.govern_response(module=module, results=results, good_codes=[0, ], failed=True, skipped=False, ansible_facts=fmgr.construct_ansible_facts(results, module.params, paramgram)) except Exception as err: raise FMGBaseException(err) return module.exit_json(**results[1]) if __name__ == "__main__": main()