fortios_ipv4_policy - Manage IPv4 policy objects on Fortinet FortiOS firewall devices¶

New in version 2.3.

Synopsis
Parameters
Notes
Examples
Return Values
Status
Maintenance
- Author

Synopsis ¶

This module provides management of firewall IPv4 policies on FortiOS devices.

Parameters ¶

Parameter	Choices/Defaults	Comments
application_list		Specifies Application Control name.
av_profile		Specifies Antivirus profile name.
backup bool	Choices: no ← yes	This argument will cause the module to create a backup of the current `running-config` from the remote device before any changes are made. The backup file is written to the i(backup) folder.
backup_filename		Specifies the backup filename. If omitted filename will be formatted like [email protected]:MM:SS
backup_path		Specifies where to store backup files. Required if backup=yes.
comment		free text to describe policy.
config_file (added in 2.4)		Path to configuration file. Required when file_mode is True.
dst_addr		Specifies destination address (or group) object name(s). Required when state=present.
dst_addr_negate bool	Choices: no ← yes	Negate destination address param.
dst_intf	Default: any	Specifies destination interface name(s).
file_mode bool (added in 2.4)	Choices: no ← yes	Don't connect to any device, only use config_file as input and Output.
fixedport bool	Choices: no ← yes	Use fixed port for nat.
host		Specifies the DNS hostname or IP address for connecting to the remote fortios device. Required when file_mode is False.
id required		Policy ID. Warning: policy ID number is different than Policy sequence number. The policy ID is the number assigned at policy creation. The sequence number represents the order in which the Fortigate will evaluate the rule for policy enforcement, and also the order in which rules are listed in the GUI and CLI. These two numbers do not necessarily correlate: this module is based off policy ID. TIP: policy ID can be viewed in the GUI by adding 'ID' to the display columns
ips_sensor		Specifies IPS Sensor profile name.
logtraffic (added in 2.4)	Choices: disable utm ← all	Logs sessions that matched policy.
logtraffic_start bool (added in 2.4)	Choices: no ← yes	Logs beginning of session as well.
nat bool	Choices: no ← yes	Enable or disable Nat.
password		Specifies the password used to authenticate to the remote device. Required when file_mode is True.
policy_action	Choices: accept deny	Specifies accept or deny action policy. Required when state=present. aliases: action
poolname		Specifies NAT pool name.
schedule	Default: always	defines policy schedule.
service		Specifies policy service(s), could be a list (ex: ['MAIL','DNS']). Required when state=present. aliases: services
service_negate bool	Choices: no ← yes	Negate policy service(s) defined in service value.
src_addr		Specifies source address (or group) object name(s). Required when state=present.
src_addr_negate bool	Choices: no ← yes	Negate source address param.
src_intf	Default: any	Specifies source interface name(s).
state	Choices: present ← absent	Specifies if policy id need to be added or deleted.
timeout	Default: 60	Timeout in seconds for connecting to the remote device.
username		Configures the username used to authenticate to the remote device. Required when file_mode is True.
vdom		Specifies on which vdom to apply configuration
webfilter_profile		Specifies Webfilter profile name.

Notes ¶

Note

This module requires pyFG library.

Examples ¶

- name: Allow external DNS call
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    src_addr: internal_network
    dst_addr: all
    service: dns
    nat: True
    state: present
    policy_action: accept
    logtraffic: disable

- name: Public Web
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    src_addr: all
    dst_addr: webservers
    services:
      - http
      - https
    state: present
    policy_action: accept

- name: Some Policy
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    comment: "no comment (created by ansible)"
    src_intf: vl1000
    src_addr:
      - some_serverA
      - some_serverB
    dst_intf:
      - vl2000
      - vl3000
    dst_addr: all
    services:
      - HTTP
      - HTTPS
    nat: True
    state: present
    policy_action: accept
    logtraffic: disable
  tags:
    - policy

Return Values ¶

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
change_string string	only if config changed	The commands executed by the module
firewall_address_config string	always	full firewall addresses config string
msg_error_list string	only when error	List of errors returned by CLI (use -vvv for better readability).

Status ¶

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Maintenance ¶

This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.

For a list of other modules that are also maintained by the Ansible Community, see here.

Author ¶

Benjamin Jolivot (@bjolivot)

Hint

If you notice any issues in this documentation you can edit this document to improve it.