fortios_ipv4_policy - Manage IPv4 policy objects on Fortinet FortiOS firewall devices

New in version 2.3.

Synopsis

Parameters

Parameter Choices/Defaults Comments
application_list
Specifies Application Control name.
av_profile
Specifies Antivirus profile name.
backup
bool
    Choices:
  • no ←
  • yes
This argument will cause the module to create a backup of the current running-config from the remote device before any changes are made. The backup file is written to the i(backup) folder.
backup_filename
Specifies the backup filename. If omitted filename will be formatted like [email protected]:MM:SS
backup_path
Specifies where to store backup files. Required if backup=yes.
comment
free text to describe policy.
config_file
(added in 2.4)
Path to configuration file. Required when file_mode is True.
dst_addr
Specifies destination address (or group) object name(s). Required when state=present.
dst_addr_negate
bool
    Choices:
  • no ←
  • yes
Negate destination address param.
dst_intf Default:
any
Specifies destination interface name(s).
file_mode
bool

(added in 2.4)
    Choices:
  • no ←
  • yes
Don't connect to any device, only use config_file as input and Output.
fixedport
bool
    Choices:
  • no ←
  • yes
Use fixed port for nat.
host
Specifies the DNS hostname or IP address for connecting to the remote fortios device. Required when file_mode is False.
id
required
Policy ID. Warning: policy ID number is different than Policy sequence number. The policy ID is the number assigned at policy creation. The sequence number represents the order in which the Fortigate will evaluate the rule for policy enforcement, and also the order in which rules are listed in the GUI and CLI. These two numbers do not necessarily correlate: this module is based off policy ID. TIP: policy ID can be viewed in the GUI by adding 'ID' to the display columns
ips_sensor
Specifies IPS Sensor profile name.
logtraffic
(added in 2.4)
    Choices:
  • disable
  • utm ←
  • all
Logs sessions that matched policy.
logtraffic_start
bool

(added in 2.4)
    Choices:
  • no ←
  • yes
Logs beginning of session as well.
nat
bool
    Choices:
  • no ←
  • yes
Enable or disable Nat.
password
Specifies the password used to authenticate to the remote device. Required when file_mode is True.
policy_action
    Choices:
  • accept
  • deny
Specifies accept or deny action policy. Required when state=present.

aliases: action
poolname
Specifies NAT pool name.
schedule Default:
always
defines policy schedule.
service
Specifies policy service(s), could be a list (ex: ['MAIL','DNS']). Required when state=present.

aliases: services
service_negate
bool
    Choices:
  • no ←
  • yes
Negate policy service(s) defined in service value.
src_addr
Specifies source address (or group) object name(s). Required when state=present.
src_addr_negate
bool
    Choices:
  • no ←
  • yes
Negate source address param.
src_intf Default:
any
Specifies source interface name(s).
state
    Choices:
  • present ←
  • absent
Specifies if policy id need to be added or deleted.
timeout Default:
60
Timeout in seconds for connecting to the remote device.
username
Configures the username used to authenticate to the remote device. Required when file_mode is True.
vdom
Specifies on which vdom to apply configuration
webfilter_profile
Specifies Webfilter profile name.

Notes

Note

  • This module requires pyFG library.

Examples

- name: Allow external DNS call
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    src_addr: internal_network
    dst_addr: all
    service: dns
    nat: True
    state: present
    policy_action: accept
    logtraffic: disable

- name: Public Web
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    src_addr: all
    dst_addr: webservers
    services:
      - http
      - https
    state: present
    policy_action: accept

- name: Some Policy
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    comment: "no comment (created by ansible)"
    src_intf: vl1000
    src_addr:
      - some_serverA
      - some_serverB
    dst_intf:
      - vl2000
      - vl3000
    dst_addr: all
    services:
      - HTTP
      - HTTPS
    nat: True
    state: present
    policy_action: accept
    logtraffic: disable
  tags:
    - policy

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
change_string
string
only if config changed
The commands executed by the module

firewall_address_config
string
always
full firewall addresses config string

msg_error_list
string
only when error
List of errors returned by CLI (use -vvv for better readability).



Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Maintenance

This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.

For a list of other modules that are also maintained by the Ansible Community, see here.

Author

  • Benjamin Jolivot (@bjolivot)

Hint

If you notice any issues in this documentation you can edit this document to improve it.