fmgr_fwpol_ipv4

Metadata

Name: fmgr_fwpol_ipv4

Description: Allows the add/delete of Firewall Policies on Packages in FortiManager.

Author(s):

• Luke Weighall (github: @lweighall)
• Andrew Welsh (github: @Ghilli3)
• Jim Huber (github: @p4r4n0y1ng)

Ansible Version Added/Required: 2.8

Dev Status: COMPLETED/MERGED

Owning Developer: Luke Weighall

Module Github Link

Parameters

action

• Description: Policy action (allow/deny/ipsec).

  choice | deny | Blocks sessions that match the firewall policy.

  choice | accept | Allows session that match the firewall policy.

  choice | ipsec | Firewall policy becomes a policy-based IPsec VPN policy.

• Required: False

• choices: [‘deny’, ‘accept’, ‘ipsec’]

adom

• Description: The ADOM the configuration should belong to.
• Required: False
• default: root

app_category

• Description: Application category ID list.
• Required: False

app_group

• Description: Application group names.
• Required: False

application

• Description: Application ID list.
• Required: False

application_list

• Description: Name of an existing Application list.
• Required: False

auth_cert

• Description: HTTPS server certificate for policy authentication.
• Required: False

auth_path

• Description: Enable/disable authentication-based routing.

  choice | disable | Disable authentication-based routing.

  choice | enable | Enable authentication-based routing.

• Required: False

• choices: [‘disable’, ‘enable’]

auth_redirect_addr

• Description: HTTP-to-HTTPS redirect address for firewall authentication.
• Required: False

auto_asic_offload

• Description: Enable/disable offloading security profile processing to CP processors.

  choice | disable | Disable ASIC offloading.

  choice | enable | Enable auto ASIC offloading.

• Required: False

• choices: [‘disable’, ‘enable’]

av_profile

• Description: Name of an existing Antivirus profile.
• Required: False

block_notification

• Description: Enable/disable block notification.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

captive_portal_exempt

• Description: Enable to exempt some users from the captive portal.

  choice | disable | Disable exemption of captive portal.

  choice | enable | Enable exemption of captive portal.

• Required: False

• choices: [‘disable’, ‘enable’]

capture_packet

• Description: Enable/disable capture packets.

  choice | disable | Disable capture packets.

  choice | enable | Enable capture packets.

• Required: False

• choices: [‘disable’, ‘enable’]

comments

• Description: Comment.
• Required: False

custom_log_fields

• Description: Custom fields to append to log messages for this policy.
• Required: False

delay_tcp_npu_session

• Description: Enable TCP NPU session delay to guarantee packet order of 3-way handshake.

  choice | disable | Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

  choice | enable | Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

• Required: False

• choices: [‘disable’, ‘enable’]

devices

• Description: Names of devices or device groups that can be matched by the policy.
• Required: False

diffserv_forward

• Description: Enable to change packet’s DiffServ values to the specified diffservcode-forward value.

  choice | disable | Disable WAN optimization.

  choice | enable | Enable WAN optimization.

• Required: False

• choices: [‘disable’, ‘enable’]

diffserv_reverse

• Description: Enable to change packet’s reverse (reply) DiffServ values to the specified diffservcode-rev value.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

diffservcode_forward

• Description: Change packet’s DiffServ to this value.
• Required: False

diffservcode_rev

• Description: Change packet’s reverse (reply) DiffServ to this value.
• Required: False

disclaimer

• Description: Enable/disable user authentication disclaimer.

  choice | disable | Disable user authentication disclaimer.

  choice | enable | Enable user authentication disclaimer.

• Required: False

• choices: [‘disable’, ‘enable’]

dlp_sensor

• Description: Name of an existing DLP sensor.
• Required: False

dnsfilter_profile

• Description: Name of an existing DNS filter profile.
• Required: False

dscp_match

• Description: Enable DSCP check.

  choice | disable | Disable DSCP check.

  choice | enable | Enable DSCP check.

• Required: False

• choices: [‘disable’, ‘enable’]

dscp_negate

• Description: Enable negated DSCP match.

  choice | disable | Disable DSCP negate.

  choice | enable | Enable DSCP negate.

• Required: False

• choices: [‘disable’, ‘enable’]

dscp_value

• Description: DSCP value.
• Required: False

dsri

• Description: Enable DSRI to ignore HTTP server responses.

  choice | disable | Disable DSRI.

  choice | enable | Enable DSRI.

• Required: False

• choices: [‘disable’, ‘enable’]

dstaddr

• Description: Destination address and address group names.
• Required: False

dstaddr_negate

• Description: When enabled dstaddr specifies what the destination address must NOT be.

  choice | disable | Disable destination address negate.

  choice | enable | Enable destination address negate.

• Required: False

• choices: [‘disable’, ‘enable’]

dstintf

• Description: Outgoing (egress) interface.
• Required: False

firewall_session_dirty

• Description: How to handle sessions if the configuration of this firewall policy changes.

  choice | check-all | Flush all current sessions accepted by this policy.

  choice | check-new | Continue to allow sessions already accepted by this policy.

• Required: False

• choices: [‘check-all’, ‘check-new’]

fixedport

• Description: Enable to prevent source NAT from changing a session’s source port.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

fsso

• Description: Enable/disable Fortinet Single Sign-On.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

fsso_agent_for_ntlm

• Description: FSSO agent to use for NTLM authentication.
• Required: False

global_label

• Description: Label for the policy that appears when the GUI is in Global View mode.
• Required: False

groups

• Description: Names of user groups that can authenticate with this policy.
• Required: False

gtp_profile

• Description: GTP profile.
• Required: False

icap_profile

• Description: Name of an existing ICAP profile.
• Required: False

identity_based_route

• Description: Name of identity-based routing rule.
• Required: False

inbound

• Description: Policy-based IPsec VPN | only traffic from the remote network can initiate a VPN.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

internet_service

• Description: Enable/disable use of Internet Services for this policy. If enabled, dstaddr and service are not used.

  choice | disable | Disable use of Internet Services in policy.

  choice | enable | Enable use of Internet Services in policy.

• Required: False

• choices: [‘disable’, ‘enable’]

internet_service_custom

• Description: Custom Internet Service name.
• Required: False

internet_service_id

• Description: Internet Service ID.
• Required: False

internet_service_negate

• Description: When enabled internet-service specifies what the service must NOT be.

  choice | disable | Disable negated Internet Service match.

  choice | enable | Enable negated Internet Service match.

• Required: False

• choices: [‘disable’, ‘enable’]

internet_service_src

• Description: Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.

  choice | disable | Disable use of Internet Services source in policy.

  choice | enable | Enable use of Internet Services source in policy.

• Required: False

• choices: [‘disable’, ‘enable’]

internet_service_src_custom

• Description: Custom Internet Service source name.
• Required: False

internet_service_src_id

• Description: Internet Service source ID.
• Required: False

internet_service_src_negate

• Description: When enabled internet-service-src specifies what the service must NOT be.

  choice | disable | Disable negated Internet Service source match.

  choice | enable | Enable negated Internet Service source match.

• Required: False

• choices: [‘disable’, ‘enable’]

ippool

• Description: Enable to use IP Pools for source NAT.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

ips_sensor

• Description: Name of an existing IPS sensor.
• Required: False

label

• Description: Label for the policy that appears when the GUI is in Section View mode.
• Required: False

learning_mode

• Description: Enable to allow everything, but log all of the meaningful data for security information gathering.

  choice | disable | Disable learning mode in firewall policy.

  choice | enable | Enable learning mode in firewall policy.

• Required: False

• choices: [‘disable’, ‘enable’]

logtraffic

• Description: Enable or disable logging. Log all sessions or security profile sessions.

  choice | disable | Disable all logging for this policy.

  choice | all | Log all sessions accepted or denied by this policy.

  choice | utm | Log traffic that has a security profile applied to it.

• Required: False

• choices: [‘disable’, ‘all’, ‘utm’]

logtraffic_start

• Description: Record logs when a session starts and ends.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

match_vip

• Description: Enable to match packets that have had their destination addresses changed by a VIP.

  choice | disable | Do not match DNATed packet.

  choice | enable | Match DNATed packet.

• Required: False

• choices: [‘disable’, ‘enable’]

mms_profile

• Description: Name of an existing MMS profile.
• Required: False

mode

• Description: Sets one of three modes for managing the object.

  Allows use of soft-adds instead of overwriting existing values

• Required: False

• default: add

• choices: [‘add’, ‘set’, ‘delete’, ‘update’]

name

• Description: Policy name.
• Required: False

nat

• Description: Enable/disable source NAT.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

natinbound

• Description: Policy-based IPsec VPN | apply destination NAT to inbound traffic.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

natip

• Description: Policy-based IPsec VPN | source NAT IP address for outgoing traffic.
• Required: False

natoutbound

• Description: Policy-based IPsec VPN | apply source NAT to outbound traffic.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

np_acceleration

• Description: Enable/disable UTM Network Processor acceleration.

  choice | disable | Disable UTM Network Processor acceleration.

  choice | enable | Enable UTM Network Processor acceleration.

• Required: False

• choices: [‘disable’, ‘enable’]

ntlm

• Description: Enable/disable NTLM authentication.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

ntlm_enabled_browsers

• Description: HTTP-User-Agent value of supported browsers.
• Required: False

ntlm_guest

• Description: Enable/disable NTLM guest user access.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

outbound

• Description: Policy-based IPsec VPN | only traffic from the internal network can initiate a VPN.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

package_name

• Description: The policy package you want to modify
• Required: False
• default: default

per_ip_shaper

• Description: Per-IP traffic shaper.
• Required: False

permit_any_host

• Description: Accept UDP packets from any host.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

permit_stun_host

• Description: Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

policyid

• Description: Policy ID.
• Required: False

poolname

• Description: IP Pool names.
• Required: False

profile_group

• Description: Name of profile group.
• Required: False

profile_protocol_options

• Description: Name of an existing Protocol options profile.
• Required: False

profile_type

• Description: Determine whether the firewall policy allows security profile groups or single profiles only.

  choice | single | Do not allow security profile groups.

  choice | group | Allow security profile groups.

• Required: False

• choices: [‘single’, ‘group’]

radius_mac_auth_bypass

• Description: Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.

  choice | disable | Disable MAC authentication bypass.

  choice | enable | Enable MAC authentication bypass.

• Required: False

• choices: [‘disable’, ‘enable’]

redirect_url

• Description: URL users are directed to after seeing and accepting the disclaimer or authenticating.
• Required: False

replacemsg_override_group

• Description: Override the default replacement message group for this policy.
• Required: False

rsso

• Description: Enable/disable RADIUS single sign-on (RSSO).

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

rtp_addr

• Description: Address names if this is an RTP NAT policy.
• Required: False

rtp_nat

• Description: Enable Real Time Protocol (RTP) NAT.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

scan_botnet_connections

• Description: Block or monitor connections to Botnet servers or disable Botnet scanning.

  choice | disable | Do not scan connections to botnet servers.

  choice | block | Block connections to botnet servers.

  choice | monitor | Log connections to botnet servers.

• Required: False

• choices: [‘disable’, ‘block’, ‘monitor’]

schedule

• Description: Schedule name.
• Required: False

schedule_timeout

• Description: Enable to force current sessions to end when the schedule object times out.

  choice | disable | Disable schedule timeout.

  choice | enable | Enable schedule timeout.

• Required: False

• choices: [‘disable’, ‘enable’]

send_deny_packet

• Description: Enable to send a reply when a session is denied or blocked by a firewall policy.

  choice | disable | Disable deny-packet sending.

  choice | enable | Enable deny-packet sending.

• Required: False

• choices: [‘disable’, ‘enable’]

service

• Description: Service and service group names.
• Required: False

service_negate

• Description: When enabled service specifies what the service must NOT be.

  choice | disable | Disable negated service match.

  choice | enable | Enable negated service match.

• Required: False

• choices: [‘disable’, ‘enable’]

session_ttl

• Description: TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
• Required: False

spamfilter_profile

• Description: Name of an existing Spam filter profile.
• Required: False

srcaddr

• Description: Source address and address group names.
• Required: False

srcaddr_negate

• Description: When enabled srcaddr specifies what the source address must NOT be.

  choice | disable | Disable source address negate.

  choice | enable | Enable source address negate.

• Required: False

• choices: [‘disable’, ‘enable’]

srcintf

• Description: Incoming (ingress) interface.
• Required: False

ssh_filter_profile

• Description: Name of an existing SSH filter profile.
• Required: False

ssl_mirror

• Description: Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).

  choice | disable | Disable SSL mirror.

  choice | enable | Enable SSL mirror.

• Required: False

• choices: [‘disable’, ‘enable’]

ssl_mirror_intf

• Description: SSL mirror interface name.
• Required: False

ssl_ssh_profile

• Description: Name of an existing SSL SSH profile.
• Required: False

status

• Description: Enable or disable this policy.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

tcp_mss_receiver

• Description: Receiver TCP maximum segment size (MSS).
• Required: False

tcp_mss_sender

• Description: Sender TCP maximum segment size (MSS).
• Required: False

tcp_session_without_syn

• Description: Enable/disable creation of TCP session without SYN flag.

  choice | all | Enable TCP session without SYN.

  choice | data-only | Enable TCP session data only.

  choice | disable | Disable TCP session without SYN.

• Required: False

• choices: [‘all’, ‘data-only’, ‘disable’]

timeout_send_rst

• Description: Enable/disable sending RST packets when TCP sessions expire.

  choice | disable | Disable sending of RST packet upon TCP session expiration.

  choice | enable | Enable sending of RST packet upon TCP session expiration.

• Required: False

• choices: [‘disable’, ‘enable’]

traffic_shaper

• Description: Traffic shaper.
• Required: False

traffic_shaper_reverse

• Description: Reverse traffic shaper.
• Required: False

url_category

• Description: URL category ID list.
• Required: False

users

• Description: Names of individual users that can authenticate with this policy.
• Required: False

utm_status

• Description: Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

vlan_cos_fwd

• Description: VLAN forward direction user priority | 255 passthrough, 0 lowest, 7 highest.
• Required: False

vlan_cos_rev

• Description: VLAN reverse direction user priority | 255 passthrough, 0 lowest, 7 highest..
• Required: False

vlan_filter

• Description: Set VLAN filters.
• Required: False

voip_profile

• Description: Name of an existing VoIP profile.
• Required: False

vpn_dst_node

• Description: EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

  List of multiple child objects to be added. Expects a list of dictionaries.

  Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

  If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.

  We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

• Required: False

vpn_dst_node_host

• Description: VPN Destination Node Host.
• Required: False

vpn_dst_node_seq

• Description: VPN Destination Node Seq.
• Required: False

vpn_dst_node_subnet

• Description: VPN Destination Node Seq.
• Required: False

vpn_src_node

• Description: EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

  List of multiple child objects to be added. Expects a list of dictionaries.

  Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

  If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.

  We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

• Required: False

vpn_src_node_host

• Description: VPN Source Node Host.
• Required: False

vpn_src_node_seq

• Description: VPN Source Node Seq.
• Required: False

vpn_src_node_subnet

• Description: VPN Source Node.
• Required: False

vpntunnel

• Description: Policy-based IPsec VPN | name of the IPsec VPN Phase 1.
• Required: False

waf_profile

• Description: Name of an existing Web application firewall profile.
• Required: False

wanopt

• Description: Enable/disable WAN optimization.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

wanopt_detection

• Description: WAN optimization auto-detection mode.

  choice | active | Active WAN optimization peer auto-detection.

  choice | passive | Passive WAN optimization peer auto-detection.

  choice | off | Turn off WAN optimization peer auto-detection.

• Required: False

• choices: [‘active’, ‘passive’, ‘off’]

wanopt_passive_opt

• Description: WAN optimization passive mode options. This option decides what IP address will be used to connect server.

  choice | default | Allow client side WAN opt peer to decide.

  choice | transparent | Use address of client to connect to server.

  choice | non-transparent | Use local FortiGate address to connect to server.

• Required: False

• choices: [‘default’, ‘transparent’, ‘non-transparent’]

wanopt_peer

• Description: WAN optimization peer.
• Required: False

wanopt_profile

• Description: WAN optimization profile.
• Required: False

wccp

• Description: Enable/disable forwarding traffic matching this policy to a configured WCCP server.

  choice | disable | Disable WCCP setting.

  choice | enable | Enable WCCP setting.

• Required: False

• choices: [‘disable’, ‘enable’]

webcache

• Description: Enable/disable web cache.

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

webcache_https

• Description: Enable/disable web cache for HTTPS.

  choice | disable | Disable web cache for HTTPS.

  choice | enable | Enable web cache for HTTPS.

• Required: False

• choices: [‘disable’, ‘enable’]

webfilter_profile

• Description: Name of an existing Web filter profile.
• Required: False

wsso

• Description: Enable/disable WiFi Single Sign On (WSSO).

  choice | disable | Disable setting.

  choice | enable | Enable setting.

• Required: False

• choices: [‘disable’, ‘enable’]

Functions

• fmgr_firewall_policy_modify

def fmgr_firewall_policy_modify(fmgr, paramgram):
    """
    fmgr_firewall_policy -- Add/Set/Deletes Firewall Policy Objects defined in the "paramgram"

    :param fmgr: The fmgr object instance from fmgr_utils.py
    :type fmgr: class object
    :param paramgram: The formatted dictionary of options to process
    :type paramgram: dict

    :return: The response from the FortiManager
    :rtype: dict
    """

    mode = paramgram["mode"]
    adom = paramgram["adom"]
    # INIT A BASIC OBJECTS
    response = DEFAULT_RESULT_OBJ
    url = ""
    datagram = {}

    # EVAL THE MODE PARAMETER FOR SET OR ADD
    if mode in ['set', 'add', 'update']:
        url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy'.format(adom=adom, pkg=paramgram["package_name"])
        datagram = scrub_dict((prepare_dict(paramgram)))
        del datagram["package_name"]
        datagram = fmgr._tools.split_comma_strings_into_lists(datagram)

    # EVAL THE MODE PARAMETER FOR DELETE
    elif mode == "delete":
        url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \
              '/policy/{policyid}'.format(adom=paramgram["adom"],
                                          pkg=paramgram["package_name"],
                                          policyid=paramgram["policyid"])
        datagram = {
            "policyid": paramgram["policyid"]
        }

    response = fmgr.process_request(url, datagram, paramgram["mode"])
    return response


#############
# END METHODS
#############

• main

def main():
    argument_spec = dict(
        adom=dict(type="str", default="root"),
        mode=dict(choices=["add", "set", "delete", "update"], type="str", default="add"),
        package_name=dict(type="str", required=False, default="default"),

        wsso=dict(required=False, type="str", choices=["disable", "enable"]),
        webfilter_profile=dict(required=False, type="str"),
        webcache_https=dict(required=False, type="str", choices=["disable", "enable"]),
        webcache=dict(required=False, type="str", choices=["disable", "enable"]),
        wccp=dict(required=False, type="str", choices=["disable", "enable"]),
        wanopt_profile=dict(required=False, type="str"),
        wanopt_peer=dict(required=False, type="str"),
        wanopt_passive_opt=dict(required=False, type="str", choices=["default", "transparent", "non-transparent"]),
        wanopt_detection=dict(required=False, type="str", choices=["active", "passive", "off"]),
        wanopt=dict(required=False, type="str", choices=["disable", "enable"]),
        waf_profile=dict(required=False, type="str"),
        vpntunnel=dict(required=False, type="str"),
        voip_profile=dict(required=False, type="str"),
        vlan_filter=dict(required=False, type="str"),
        vlan_cos_rev=dict(required=False, type="int"),
        vlan_cos_fwd=dict(required=False, type="int"),
        utm_status=dict(required=False, type="str", choices=["disable", "enable"]),
        users=dict(required=False, type="str"),
        url_category=dict(required=False, type="str"),
        traffic_shaper_reverse=dict(required=False, type="str"),
        traffic_shaper=dict(required=False, type="str"),
        timeout_send_rst=dict(required=False, type="str", choices=["disable", "enable"]),
        tcp_session_without_syn=dict(required=False, type="str", choices=["all", "data-only", "disable"]),
        tcp_mss_sender=dict(required=False, type="int"),
        tcp_mss_receiver=dict(required=False, type="int"),
        status=dict(required=False, type="str", choices=["disable", "enable"]),
        ssl_ssh_profile=dict(required=False, type="str"),
        ssl_mirror_intf=dict(required=False, type="str"),
        ssl_mirror=dict(required=False, type="str", choices=["disable", "enable"]),
        ssh_filter_profile=dict(required=False, type="str"),
        srcintf=dict(required=False, type="str"),
        srcaddr_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        srcaddr=dict(required=False, type="str"),
        spamfilter_profile=dict(required=False, type="str"),
        session_ttl=dict(required=False, type="int"),
        service_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        service=dict(required=False, type="str"),
        send_deny_packet=dict(required=False, type="str", choices=["disable", "enable"]),
        schedule_timeout=dict(required=False, type="str", choices=["disable", "enable"]),
        schedule=dict(required=False, type="str"),
        scan_botnet_connections=dict(required=False, type="str", choices=["disable", "block", "monitor"]),
        rtp_nat=dict(required=False, type="str", choices=["disable", "enable"]),
        rtp_addr=dict(required=False, type="str"),
        rsso=dict(required=False, type="str", choices=["disable", "enable"]),
        replacemsg_override_group=dict(required=False, type="str"),
        redirect_url=dict(required=False, type="str"),
        radius_mac_auth_bypass=dict(required=False, type="str", choices=["disable", "enable"]),
        profile_type=dict(required=False, type="str", choices=["single", "group"]),
        profile_protocol_options=dict(required=False, type="str"),
        profile_group=dict(required=False, type="str"),
        poolname=dict(required=False, type="str"),
        policyid=dict(required=False, type="str"),
        permit_stun_host=dict(required=False, type="str", choices=["disable", "enable"]),
        permit_any_host=dict(required=False, type="str", choices=["disable", "enable"]),
        per_ip_shaper=dict(required=False, type="str"),
        outbound=dict(required=False, type="str", choices=["disable", "enable"]),
        ntlm_guest=dict(required=False, type="str", choices=["disable", "enable"]),
        ntlm_enabled_browsers=dict(required=False, type="str"),
        ntlm=dict(required=False, type="str", choices=["disable", "enable"]),
        np_acceleration=dict(required=False, type="str", choices=["disable", "enable"]),
        natoutbound=dict(required=False, type="str", choices=["disable", "enable"]),
        natip=dict(required=False, type="str"),
        natinbound=dict(required=False, type="str", choices=["disable", "enable"]),
        nat=dict(required=False, type="str", choices=["disable", "enable"]),
        name=dict(required=False, type="str"),
        mms_profile=dict(required=False, type="str"),
        match_vip=dict(required=False, type="str", choices=["disable", "enable"]),
        logtraffic_start=dict(required=False, type="str", choices=["disable", "enable"]),
        logtraffic=dict(required=False, type="str", choices=["disable", "all", "utm"]),
        learning_mode=dict(required=False, type="str", choices=["disable", "enable"]),
        label=dict(required=False, type="str"),
        ips_sensor=dict(required=False, type="str"),
        ippool=dict(required=False, type="str", choices=["disable", "enable"]),
        internet_service_src_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        internet_service_src_id=dict(required=False, type="str"),
        internet_service_src_custom=dict(required=False, type="str"),
        internet_service_src=dict(required=False, type="str", choices=["disable", "enable"]),
        internet_service_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        internet_service_id=dict(required=False, type="str"),
        internet_service_custom=dict(required=False, type="str"),
        internet_service=dict(required=False, type="str", choices=["disable", "enable"]),
        inbound=dict(required=False, type="str", choices=["disable", "enable"]),
        identity_based_route=dict(required=False, type="str"),
        icap_profile=dict(required=False, type="str"),
        gtp_profile=dict(required=False, type="str"),
        groups=dict(required=False, type="str"),
        global_label=dict(required=False, type="str"),
        fsso_agent_for_ntlm=dict(required=False, type="str"),
        fsso=dict(required=False, type="str", choices=["disable", "enable"]),
        fixedport=dict(required=False, type="str", choices=["disable", "enable"]),
        firewall_session_dirty=dict(required=False, type="str", choices=["check-all", "check-new"]),
        dstintf=dict(required=False, type="str"),
        dstaddr_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        dstaddr=dict(required=False, type="str"),
        dsri=dict(required=False, type="str", choices=["disable", "enable"]),
        dscp_value=dict(required=False, type="str"),
        dscp_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        dscp_match=dict(required=False, type="str", choices=["disable", "enable"]),
        dnsfilter_profile=dict(required=False, type="str"),
        dlp_sensor=dict(required=False, type="str"),
        disclaimer=dict(required=False, type="str", choices=["disable", "enable"]),
        diffservcode_rev=dict(required=False, type="str"),
        diffservcode_forward=dict(required=False, type="str"),
        diffserv_reverse=dict(required=False, type="str", choices=["disable", "enable"]),
        diffserv_forward=dict(required=False, type="str", choices=["disable", "enable"]),
        devices=dict(required=False, type="str"),
        delay_tcp_npu_session=dict(required=False, type="str", choices=["disable", "enable"]),
        custom_log_fields=dict(required=False, type="str"),
        comments=dict(required=False, type="str"),
        capture_packet=dict(required=False, type="str", choices=["disable", "enable"]),
        captive_portal_exempt=dict(required=False, type="str", choices=["disable", "enable"]),
        block_notification=dict(required=False, type="str", choices=["disable", "enable"]),
        av_profile=dict(required=False, type="str"),
        auto_asic_offload=dict(required=False, type="str", choices=["disable", "enable"]),
        auth_redirect_addr=dict(required=False, type="str"),
        auth_path=dict(required=False, type="str", choices=["disable", "enable"]),
        auth_cert=dict(required=False, type="str"),
        application_list=dict(required=False, type="str"),
        application=dict(required=False, type="str"),
        app_group=dict(required=False, type="str"),
        app_category=dict(required=False, type="str"),
        action=dict(required=False, type="str", choices=["deny", "accept", "ipsec"]),
        vpn_dst_node=dict(required=False, type="list"),
        vpn_dst_node_host=dict(required=False, type="str"),
        vpn_dst_node_seq=dict(required=False, type="str"),
        vpn_dst_node_subnet=dict(required=False, type="str"),
        vpn_src_node=dict(required=False, type="list"),
        vpn_src_node_host=dict(required=False, type="str"),
        vpn_src_node_seq=dict(required=False, type="str"),
        vpn_src_node_subnet=dict(required=False, type="str"),

    )

    module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False, )
    # MODULE PARAMGRAM
    paramgram = {
        "mode": module.params["mode"],
        "adom": module.params["adom"],
        "package_name": module.params["package_name"],
        "wsso": module.params["wsso"],
        "webfilter-profile": module.params["webfilter_profile"],
        "webcache-https": module.params["webcache_https"],
        "webcache": module.params["webcache"],
        "wccp": module.params["wccp"],
        "wanopt-profile": module.params["wanopt_profile"],
        "wanopt-peer": module.params["wanopt_peer"],
        "wanopt-passive-opt": module.params["wanopt_passive_opt"],
        "wanopt-detection": module.params["wanopt_detection"],
        "wanopt": module.params["wanopt"],
        "waf-profile": module.params["waf_profile"],
        "vpntunnel": module.params["vpntunnel"],
        "voip-profile": module.params["voip_profile"],
        "vlan-filter": module.params["vlan_filter"],
        "vlan-cos-rev": module.params["vlan_cos_rev"],
        "vlan-cos-fwd": module.params["vlan_cos_fwd"],
        "utm-status": module.params["utm_status"],
        "users": module.params["users"],
        "url-category": module.params["url_category"],
        "traffic-shaper-reverse": module.params["traffic_shaper_reverse"],
        "traffic-shaper": module.params["traffic_shaper"],
        "timeout-send-rst": module.params["timeout_send_rst"],
        "tcp-session-without-syn": module.params["tcp_session_without_syn"],
        "tcp-mss-sender": module.params["tcp_mss_sender"],
        "tcp-mss-receiver": module.params["tcp_mss_receiver"],
        "status": module.params["status"],
        "ssl-ssh-profile": module.params["ssl_ssh_profile"],
        "ssl-mirror-intf": module.params["ssl_mirror_intf"],
        "ssl-mirror": module.params["ssl_mirror"],
        "ssh-filter-profile": module.params["ssh_filter_profile"],
        "srcintf": module.params["srcintf"],
        "srcaddr-negate": module.params["srcaddr_negate"],
        "srcaddr": module.params["srcaddr"],
        "spamfilter-profile": module.params["spamfilter_profile"],
        "session-ttl": module.params["session_ttl"],
        "service-negate": module.params["service_negate"],
        "service": module.params["service"],
        "send-deny-packet": module.params["send_deny_packet"],
        "schedule-timeout": module.params["schedule_timeout"],
        "schedule": module.params["schedule"],
        "scan-botnet-connections": module.params["scan_botnet_connections"],
        "rtp-nat": module.params["rtp_nat"],
        "rtp-addr": module.params["rtp_addr"],
        "rsso": module.params["rsso"],
        "replacemsg-override-group": module.params["replacemsg_override_group"],
        "redirect-url": module.params["redirect_url"],
        "radius-mac-auth-bypass": module.params["radius_mac_auth_bypass"],
        "profile-type": module.params["profile_type"],
        "profile-protocol-options": module.params["profile_protocol_options"],
        "profile-group": module.params["profile_group"],
        "poolname": module.params["poolname"],
        "policyid": module.params["policyid"],
        "permit-stun-host": module.params["permit_stun_host"],
        "permit-any-host": module.params["permit_any_host"],
        "per-ip-shaper": module.params["per_ip_shaper"],
        "outbound": module.params["outbound"],
        "ntlm-guest": module.params["ntlm_guest"],
        "ntlm-enabled-browsers": module.params["ntlm_enabled_browsers"],
        "ntlm": module.params["ntlm"],
        "np-acceleration": module.params["np_acceleration"],
        "natoutbound": module.params["natoutbound"],
        "natip": module.params["natip"],
        "natinbound": module.params["natinbound"],
        "nat": module.params["nat"],
        "name": module.params["name"],
        "mms-profile": module.params["mms_profile"],
        "match-vip": module.params["match_vip"],
        "logtraffic-start": module.params["logtraffic_start"],
        "logtraffic": module.params["logtraffic"],
        "learning-mode": module.params["learning_mode"],
        "label": module.params["label"],
        "ips-sensor": module.params["ips_sensor"],
        "ippool": module.params["ippool"],
        "internet-service-src-negate": module.params["internet_service_src_negate"],
        "internet-service-src-id": module.params["internet_service_src_id"],
        "internet-service-src-custom": module.params["internet_service_src_custom"],
        "internet-service-src": module.params["internet_service_src"],
        "internet-service-negate": module.params["internet_service_negate"],
        "internet-service-id": module.params["internet_service_id"],
        "internet-service-custom": module.params["internet_service_custom"],
        "internet-service": module.params["internet_service"],
        "inbound": module.params["inbound"],
        "identity-based-route": module.params["identity_based_route"],
        "icap-profile": module.params["icap_profile"],
        "gtp-profile": module.params["gtp_profile"],
        "groups": module.params["groups"],
        "global-label": module.params["global_label"],
        "fsso-agent-for-ntlm": module.params["fsso_agent_for_ntlm"],
        "fsso": module.params["fsso"],
        "fixedport": module.params["fixedport"],
        "firewall-session-dirty": module.params["firewall_session_dirty"],
        "dstintf": module.params["dstintf"],
        "dstaddr-negate": module.params["dstaddr_negate"],
        "dstaddr": module.params["dstaddr"],
        "dsri": module.params["dsri"],
        "dscp-value": module.params["dscp_value"],
        "dscp-negate": module.params["dscp_negate"],
        "dscp-match": module.params["dscp_match"],
        "dnsfilter-profile": module.params["dnsfilter_profile"],
        "dlp-sensor": module.params["dlp_sensor"],
        "disclaimer": module.params["disclaimer"],
        "diffservcode-rev": module.params["diffservcode_rev"],
        "diffservcode-forward": module.params["diffservcode_forward"],
        "diffserv-reverse": module.params["diffserv_reverse"],
        "diffserv-forward": module.params["diffserv_forward"],
        "devices": module.params["devices"],
        "delay-tcp-npu-session": module.params["delay_tcp_npu_session"],
        "custom-log-fields": module.params["custom_log_fields"],
        "comments": module.params["comments"],
        "capture-packet": module.params["capture_packet"],
        "captive-portal-exempt": module.params["captive_portal_exempt"],
        "block-notification": module.params["block_notification"],
        "av-profile": module.params["av_profile"],
        "auto-asic-offload": module.params["auto_asic_offload"],
        "auth-redirect-addr": module.params["auth_redirect_addr"],
        "auth-path": module.params["auth_path"],
        "auth-cert": module.params["auth_cert"],
        "application-list": module.params["application_list"],
        "application": module.params["application"],
        "app-group": module.params["app_group"],
        "app-category": module.params["app_category"],
        "action": module.params["action"],
        "vpn_dst_node": {
            "host": module.params["vpn_dst_node_host"],
            "seq": module.params["vpn_dst_node_seq"],
            "subnet": module.params["vpn_dst_node_subnet"],
        },
        "vpn_src_node": {
            "host": module.params["vpn_src_node_host"],
            "seq": module.params["vpn_src_node_seq"],
            "subnet": module.params["vpn_src_node_subnet"],
        }
    }
    module.paramgram = paramgram
    fmgr = None
    if module._socket_path:
        connection = Connection(module._socket_path)
        fmgr = FortiManagerHandler(connection, module)
        fmgr.tools = FMGRCommon()
    else:
        module.fail_json(**FAIL_SOCKET_MSG)

    list_overrides = ['vpn_dst_node', 'vpn_src_node']
    paramgram = fmgr.tools.paramgram_child_list_override(list_overrides=list_overrides,
                                                         paramgram=paramgram, module=module)

    # BEGIN MODULE-SPECIFIC LOGIC -- THINGS NEED TO HAPPEN DEPENDING ON THE ENDPOINT AND OPERATION
    results = DEFAULT_RESULT_OBJ
    try:
        if paramgram["mode"] == "delete":
            # WE NEED TO GET THE POLICY ID FROM THE NAME OF THE POLICY TO DELETE IT
            url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \
                  '/policy/'.format(adom=paramgram["adom"],
                                    pkg=paramgram["package_name"])
            datagram = {
                "filter": ["name", "==", paramgram["name"]]
            }
            response = fmgr.process_request(url, datagram, FMGRMethods.GET)
            try:
                if response[1][0]["policyid"]:
                    policy_id = response[1][0]["policyid"]
                    paramgram["policyid"] = policy_id
            except BaseException:
                fmgr.return_response(module=module, results=response, good_codes=[0, ], stop_on_success=True,
                                     ansible_facts=fmgr.construct_ansible_facts(results, module.params, paramgram),
                                     msg="Couldn't find policy ID number for policy name specified.")
    except Exception as err:
        raise FMGBaseException(err)

    try:
        results = fmgr_firewall_policy_modify(fmgr, paramgram)
        fmgr.govern_response(module=module, results=results, good_codes=[0, -9998],
                             ansible_facts=fmgr.construct_ansible_facts(results, module.params, paramgram))
    except Exception as err:
        raise FMGBaseException(err)

    return module.exit_json(**results[1])

Module Source Code

#!/usr/bin/python
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
#

from __future__ import absolute_import, division, print_function

__metaclass__ = type

ANSIBLE_METADATA = {'status': ['preview'],
                    'supported_by': 'community',
                    'metadata_version': '1.1'}

DOCUMENTATION = '''
---
module: fmgr_fwpol_ipv4
version_added: "2.8"
notes:
    - Full Documentation at U(https://ftnt-ansible-docs.readthedocs.io/en/latest/).
author:
    - Luke Weighall (@lweighall)
    - Andrew Welsh (@Ghilli3)
    - Jim Huber (@p4r4n0y1ng)
short_description: Allows the add/delete of Firewall Policies on Packages in FortiManager.
description:
  -  Allows the add/delete of Firewall Policies on Packages in FortiManager.

options:
  adom:
    description:
      - The ADOM the configuration should belong to.
    required: false
    default: root

  mode:
    description:
      - Sets one of three modes for managing the object.
      - Allows use of soft-adds instead of overwriting existing values
    choices: ['add', 'set', 'delete', 'update']
    required: false
    default: add

  package_name:
    description:
      - The policy package you want to modify
    required: false
    default: "default"

  wsso:
    description:
      - Enable/disable WiFi Single Sign On (WSSO).
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  webfilter_profile:
    description:
      - Name of an existing Web filter profile.
    required: false

  webcache_https:
    description:
      - Enable/disable web cache for HTTPS.
      - choice | disable | Disable web cache for HTTPS.
      - choice | enable | Enable web cache for HTTPS.
    required: false
    choices: ["disable", "enable"]

  webcache:
    description:
      - Enable/disable web cache.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  wccp:
    description:
      - Enable/disable forwarding traffic matching this policy to a configured WCCP server.
      - choice | disable | Disable WCCP setting.
      - choice | enable | Enable WCCP setting.
    required: false
    choices: ["disable", "enable"]

  wanopt_profile:
    description:
      - WAN optimization profile.
    required: false

  wanopt_peer:
    description:
      - WAN optimization peer.
    required: false

  wanopt_passive_opt:
    description:
      - WAN optimization passive mode options. This option decides what IP address will be used to connect server.
      - choice | default | Allow client side WAN opt peer to decide.
      - choice | transparent | Use address of client to connect to server.
      - choice | non-transparent | Use local FortiGate address to connect to server.
    required: false
    choices: ["default", "transparent", "non-transparent"]

  wanopt_detection:
    description:
      - WAN optimization auto-detection mode.
      - choice | active | Active WAN optimization peer auto-detection.
      - choice | passive | Passive WAN optimization peer auto-detection.
      - choice | off | Turn off WAN optimization peer auto-detection.
    required: false
    choices: ["active", "passive", "off"]

  wanopt:
    description:
      - Enable/disable WAN optimization.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  waf_profile:
    description:
      - Name of an existing Web application firewall profile.
    required: false

  vpntunnel:
    description:
      - Policy-based IPsec VPN |  name of the IPsec VPN Phase 1.
    required: false

  voip_profile:
    description:
      - Name of an existing VoIP profile.
    required: false

  vlan_filter:
    description:
      - Set VLAN filters.
    required: false

  vlan_cos_rev:
    description:
      - VLAN reverse direction user priority | 255 passthrough, 0 lowest, 7 highest..
    required: false

  vlan_cos_fwd:
    description:
      - VLAN forward direction user priority | 255 passthrough, 0 lowest, 7 highest.
    required: false

  utm_status:
    description:
      - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  users:
    description:
      - Names of individual users that can authenticate with this policy.
    required: false

  url_category:
    description:
      - URL category ID list.
    required: false

  traffic_shaper_reverse:
    description:
      - Reverse traffic shaper.
    required: false

  traffic_shaper:
    description:
      - Traffic shaper.
    required: false

  timeout_send_rst:
    description:
      - Enable/disable sending RST packets when TCP sessions expire.
      - choice | disable | Disable sending of RST packet upon TCP session expiration.
      - choice | enable | Enable sending of RST packet upon TCP session expiration.
    required: false
    choices: ["disable", "enable"]

  tcp_session_without_syn:
    description:
      - Enable/disable creation of TCP session without SYN flag.
      - choice | all | Enable TCP session without SYN.
      - choice | data-only | Enable TCP session data only.
      - choice | disable | Disable TCP session without SYN.
    required: false
    choices: ["all", "data-only", "disable"]

  tcp_mss_sender:
    description:
      - Sender TCP maximum segment size (MSS).
    required: false

  tcp_mss_receiver:
    description:
      - Receiver TCP maximum segment size (MSS).
    required: false

  status:
    description:
      - Enable or disable this policy.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  ssl_ssh_profile:
    description:
      - Name of an existing SSL SSH profile.
    required: false

  ssl_mirror_intf:
    description:
      - SSL mirror interface name.
    required: false

  ssl_mirror:
    description:
      - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
      - choice | disable | Disable SSL mirror.
      - choice | enable | Enable SSL mirror.
    required: false
    choices: ["disable", "enable"]

  ssh_filter_profile:
    description:
      - Name of an existing SSH filter profile.
    required: false

  srcintf:
    description:
      - Incoming (ingress) interface.
    required: false

  srcaddr_negate:
    description:
      - When enabled srcaddr specifies what the source address must NOT be.
      - choice | disable | Disable source address negate.
      - choice | enable | Enable source address negate.
    required: false
    choices: ["disable", "enable"]

  srcaddr:
    description:
      - Source address and address group names.
    required: false

  spamfilter_profile:
    description:
      - Name of an existing Spam filter profile.
    required: false

  session_ttl:
    description:
      - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    required: false

  service_negate:
    description:
      - When enabled service specifies what the service must NOT be.
      - choice | disable | Disable negated service match.
      - choice | enable | Enable negated service match.
    required: false
    choices: ["disable", "enable"]

  service:
    description:
      - Service and service group names.
    required: false

  send_deny_packet:
    description:
      - Enable to send a reply when a session is denied or blocked by a firewall policy.
      - choice | disable | Disable deny-packet sending.
      - choice | enable | Enable deny-packet sending.
    required: false
    choices: ["disable", "enable"]

  schedule_timeout:
    description:
      - Enable to force current sessions to end when the schedule object times out.
      - choice | disable | Disable schedule timeout.
      - choice | enable | Enable schedule timeout.
    required: false
    choices: ["disable", "enable"]

  schedule:
    description:
      - Schedule name.
    required: false

  scan_botnet_connections:
    description:
      - Block or monitor connections to Botnet servers or disable Botnet scanning.
      - choice | disable | Do not scan connections to botnet servers.
      - choice | block | Block connections to botnet servers.
      - choice | monitor | Log connections to botnet servers.
    required: false
    choices: ["disable", "block", "monitor"]

  rtp_nat:
    description:
      - Enable Real Time Protocol (RTP) NAT.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  rtp_addr:
    description:
      - Address names if this is an RTP NAT policy.
    required: false

  rsso:
    description:
      - Enable/disable RADIUS single sign-on (RSSO).
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  replacemsg_override_group:
    description:
      - Override the default replacement message group for this policy.
    required: false

  redirect_url:
    description:
      - URL users are directed to after seeing and accepting the disclaimer or authenticating.
    required: false

  radius_mac_auth_bypass:
    description:
      - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
      - choice | disable | Disable MAC authentication bypass.
      - choice | enable | Enable MAC authentication bypass.
    required: false
    choices: ["disable", "enable"]

  profile_type:
    description:
      - Determine whether the firewall policy allows security profile groups or single profiles only.
      - choice | single | Do not allow security profile groups.
      - choice | group | Allow security profile groups.
    required: false
    choices: ["single", "group"]

  profile_protocol_options:
    description:
      - Name of an existing Protocol options profile.
    required: false

  profile_group:
    description:
      - Name of profile group.
    required: false

  poolname:
    description:
      - IP Pool names.
    required: false

  policyid:
    description:
      - Policy ID.
    required: false

  permit_stun_host:
    description:
      - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  permit_any_host:
    description:
      - Accept UDP packets from any host.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  per_ip_shaper:
    description:
      - Per-IP traffic shaper.
    required: false

  outbound:
    description:
      - Policy-based IPsec VPN |  only traffic from the internal network can initiate a VPN.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  ntlm_guest:
    description:
      - Enable/disable NTLM guest user access.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  ntlm_enabled_browsers:
    description:
      - HTTP-User-Agent value of supported browsers.
    required: false

  ntlm:
    description:
      - Enable/disable NTLM authentication.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  np_acceleration:
    description:
      - Enable/disable UTM Network Processor acceleration.
      - choice | disable | Disable UTM Network Processor acceleration.
      - choice | enable | Enable UTM Network Processor acceleration.
    required: false
    choices: ["disable", "enable"]

  natoutbound:
    description:
      - Policy-based IPsec VPN |  apply source NAT to outbound traffic.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  natip:
    description:
      - Policy-based IPsec VPN |  source NAT IP address for outgoing traffic.
    required: false

  natinbound:
    description:
      - Policy-based IPsec VPN |  apply destination NAT to inbound traffic.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  nat:
    description:
      - Enable/disable source NAT.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  name:
    description:
      - Policy name.
    required: false

  mms_profile:
    description:
      - Name of an existing MMS profile.
    required: false

  match_vip:
    description:
      - Enable to match packets that have had their destination addresses changed by a VIP.
      - choice | disable | Do not match DNATed packet.
      - choice | enable | Match DNATed packet.
    required: false
    choices: ["disable", "enable"]

  logtraffic_start:
    description:
      - Record logs when a session starts and ends.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  logtraffic:
    description:
      - Enable or disable logging. Log all sessions or security profile sessions.
      - choice | disable | Disable all logging for this policy.
      - choice | all | Log all sessions accepted or denied by this policy.
      - choice | utm | Log traffic that has a security profile applied to it.
    required: false
    choices: ["disable", "all", "utm"]

  learning_mode:
    description:
      - Enable to allow everything, but log all of the meaningful data for security information gathering.
      - choice | disable | Disable learning mode in firewall policy.
      - choice | enable | Enable learning mode in firewall policy.
    required: false
    choices: ["disable", "enable"]

  label:
    description:
      - Label for the policy that appears when the GUI is in Section View mode.
    required: false

  ips_sensor:
    description:
      - Name of an existing IPS sensor.
    required: false

  ippool:
    description:
      - Enable to use IP Pools for source NAT.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  internet_service_src_negate:
    description:
      - When enabled internet-service-src specifies what the service must NOT be.
      - choice | disable | Disable negated Internet Service source match.
      - choice | enable | Enable negated Internet Service source match.
    required: false
    choices: ["disable", "enable"]

  internet_service_src_id:
    description:
      - Internet Service source ID.
    required: false

  internet_service_src_custom:
    description:
      - Custom Internet Service source name.
    required: false

  internet_service_src:
    description:
      - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
      - choice | disable | Disable use of Internet Services source in policy.
      - choice | enable | Enable use of Internet Services source in policy.
    required: false
    choices: ["disable", "enable"]

  internet_service_negate:
    description:
      - When enabled internet-service specifies what the service must NOT be.
      - choice | disable | Disable negated Internet Service match.
      - choice | enable | Enable negated Internet Service match.
    required: false
    choices: ["disable", "enable"]

  internet_service_id:
    description:
      - Internet Service ID.
    required: false

  internet_service_custom:
    description:
      - Custom Internet Service name.
    required: false

  internet_service:
    description:
      - Enable/disable use of Internet Services for this policy. If enabled, dstaddr and service are not used.
      - choice | disable | Disable use of Internet Services in policy.
      - choice | enable | Enable use of Internet Services in policy.
    required: false
    choices: ["disable", "enable"]

  inbound:
    description:
      - Policy-based IPsec VPN |  only traffic from the remote network can initiate a VPN.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  identity_based_route:
    description:
      - Name of identity-based routing rule.
    required: false

  icap_profile:
    description:
      - Name of an existing ICAP profile.
    required: false

  gtp_profile:
    description:
      - GTP profile.
    required: false

  groups:
    description:
      - Names of user groups that can authenticate with this policy.
    required: false

  global_label:
    description:
      - Label for the policy that appears when the GUI is in Global View mode.
    required: false

  fsso_agent_for_ntlm:
    description:
      - FSSO agent to use for NTLM authentication.
    required: false

  fsso:
    description:
      - Enable/disable Fortinet Single Sign-On.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  fixedport:
    description:
      - Enable to prevent source NAT from changing a session's source port.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  firewall_session_dirty:
    description:
      - How to handle sessions if the configuration of this firewall policy changes.
      - choice | check-all | Flush all current sessions accepted by this policy.
      - choice | check-new | Continue to allow sessions already accepted by this policy.
    required: false
    choices: ["check-all", "check-new"]

  dstintf:
    description:
      - Outgoing (egress) interface.
    required: false

  dstaddr_negate:
    description:
      - When enabled dstaddr specifies what the destination address must NOT be.
      - choice | disable | Disable destination address negate.
      - choice | enable | Enable destination address negate.
    required: false
    choices: ["disable", "enable"]

  dstaddr:
    description:
      - Destination address and address group names.
    required: false

  dsri:
    description:
      - Enable DSRI to ignore HTTP server responses.
      - choice | disable | Disable DSRI.
      - choice | enable | Enable DSRI.
    required: false
    choices: ["disable", "enable"]

  dscp_value:
    description:
      - DSCP value.
    required: false

  dscp_negate:
    description:
      - Enable negated DSCP match.
      - choice | disable | Disable DSCP negate.
      - choice | enable | Enable DSCP negate.
    required: false
    choices: ["disable", "enable"]

  dscp_match:
    description:
      - Enable DSCP check.
      - choice | disable | Disable DSCP check.
      - choice | enable | Enable DSCP check.
    required: false
    choices: ["disable", "enable"]

  dnsfilter_profile:
    description:
      - Name of an existing DNS filter profile.
    required: false

  dlp_sensor:
    description:
      - Name of an existing DLP sensor.
    required: false

  disclaimer:
    description:
      - Enable/disable user authentication disclaimer.
      - choice | disable | Disable user authentication disclaimer.
      - choice | enable | Enable user authentication disclaimer.
    required: false
    choices: ["disable", "enable"]

  diffservcode_rev:
    description:
      - Change packet's reverse (reply) DiffServ to this value.
    required: false

  diffservcode_forward:
    description:
      - Change packet's DiffServ to this value.
    required: false

  diffserv_reverse:
    description:
      - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  diffserv_forward:
    description:
      - Enable to change packet's DiffServ values to the specified diffservcode-forward value.
      - choice | disable | Disable WAN optimization.
      - choice | enable | Enable WAN optimization.
    required: false
    choices: ["disable", "enable"]

  devices:
    description:
      - Names of devices or device groups that can be matched by the policy.
    required: false

  delay_tcp_npu_session:
    description:
      - Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
      - choice | disable | Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
      - choice | enable | Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
    required: false
    choices: ["disable", "enable"]

  custom_log_fields:
    description:
      - Custom fields to append to log messages for this policy.
    required: false

  comments:
    description:
      - Comment.
    required: false

  capture_packet:
    description:
      - Enable/disable capture packets.
      - choice | disable | Disable capture packets.
      - choice | enable | Enable capture packets.
    required: false
    choices: ["disable", "enable"]

  captive_portal_exempt:
    description:
      - Enable to exempt some users from the captive portal.
      - choice | disable | Disable exemption of captive portal.
      - choice | enable | Enable exemption of captive portal.
    required: false
    choices: ["disable", "enable"]

  block_notification:
    description:
      - Enable/disable block notification.
      - choice | disable | Disable setting.
      - choice | enable | Enable setting.
    required: false
    choices: ["disable", "enable"]

  av_profile:
    description:
      - Name of an existing Antivirus profile.
    required: false

  auto_asic_offload:
    description:
      - Enable/disable offloading security profile processing to CP processors.
      - choice | disable | Disable ASIC offloading.
      - choice | enable | Enable auto ASIC offloading.
    required: false
    choices: ["disable", "enable"]

  auth_redirect_addr:
    description:
      - HTTP-to-HTTPS redirect address for firewall authentication.
    required: false

  auth_path:
    description:
      - Enable/disable authentication-based routing.
      - choice | disable | Disable authentication-based routing.
      - choice | enable | Enable authentication-based routing.
    required: false
    choices: ["disable", "enable"]

  auth_cert:
    description:
      - HTTPS server certificate for policy authentication.
    required: false

  application_list:
    description:
      - Name of an existing Application list.
    required: false

  application:
    description:
      - Application ID list.
    required: false

  app_group:
    description:
      - Application group names.
    required: false

  app_category:
    description:
      - Application category ID list.
    required: false

  action:
    description:
      - Policy action (allow/deny/ipsec).
      - choice | deny | Blocks sessions that match the firewall policy.
      - choice | accept | Allows session that match the firewall policy.
      - choice | ipsec | Firewall policy becomes a policy-based IPsec VPN policy.
    required: false
    choices: ["deny", "accept", "ipsec"]

  vpn_dst_node:
    description:
      - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
      - List of multiple child objects to be added. Expects a list of dictionaries.
      - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
      - If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.
      - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    required: false

  vpn_dst_node_host:
    description:
      - VPN Destination Node Host.
    required: false

  vpn_dst_node_seq:
    description:
      - VPN Destination Node Seq.
    required: false

  vpn_dst_node_subnet:
    description:
      - VPN Destination Node Seq.
    required: false

  vpn_src_node:
    description:
      - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
      - List of multiple child objects to be added. Expects a list of dictionaries.
      - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
      - If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.
      - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    required: false

  vpn_src_node_host:
    description:
      - VPN Source Node Host.
    required: false

  vpn_src_node_seq:
    description:
      - VPN Source Node Seq.
    required: false

  vpn_src_node_subnet:
    description:
      - VPN Source Node.
    required: false


'''

EXAMPLES = '''
- name: ADD VERY BASIC IPV4 POLICY WITH NO NAT (WIDE OPEN)
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "all"
    srcaddr: "all"
    dstintf: "any"
    srcintf: "any"
    logtraffic: "utm"
    service: "ALL"
    schedule: "always"

- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy_2"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "google-play"
    srcaddr: "all"
    dstintf: "any"
    srcintf: "any"
    logtraffic: "utm"
    service: "HTTP, HTTPS"
    schedule: "always"
    nat: "enable"
    users: "karen, kevin"

- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES AND SEC PROFILES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy_3"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "google-play, autoupdate.opera.com"
    srcaddr: "corp_internal"
    dstintf: "zone_wan1, zone_wan2"
    srcintf: "zone_int1"
    logtraffic: "utm"
    service: "HTTP, HTTPS"
    schedule: "always"
    nat: "enable"
    users: "karen, kevin"
    av_profile: "sniffer-profile"
    ips_sensor: "default"

'''

RETURN = """
api_result:
  description: full API response, includes status code and message
  returned: always
  type: str
"""

from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.connection import Connection
from ansible.module_utils.network.fortimanager.fortimanager import FortiManagerHandler
from ansible.module_utils.network.fortimanager.common import FMGBaseException
from ansible.module_utils.network.fortimanager.common import FMGRCommon
from ansible.module_utils.network.fortimanager.common import FMGRMethods
from ansible.module_utils.network.fortimanager.common import DEFAULT_RESULT_OBJ
from ansible.module_utils.network.fortimanager.common import FAIL_SOCKET_MSG
from ansible.module_utils.network.fortimanager.common import prepare_dict
from ansible.module_utils.network.fortimanager.common import scrub_dict


def fmgr_firewall_policy_modify(fmgr, paramgram):
    """
    fmgr_firewall_policy -- Add/Set/Deletes Firewall Policy Objects defined in the "paramgram"

    :param fmgr: The fmgr object instance from fmgr_utils.py
    :type fmgr: class object
    :param paramgram: The formatted dictionary of options to process
    :type paramgram: dict

    :return: The response from the FortiManager
    :rtype: dict
    """

    mode = paramgram["mode"]
    adom = paramgram["adom"]
    # INIT A BASIC OBJECTS
    response = DEFAULT_RESULT_OBJ
    url = ""
    datagram = {}

    # EVAL THE MODE PARAMETER FOR SET OR ADD
    if mode in ['set', 'add', 'update']:
        url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy'.format(adom=adom, pkg=paramgram["package_name"])
        datagram = scrub_dict((prepare_dict(paramgram)))
        del datagram["package_name"]
        datagram = fmgr._tools.split_comma_strings_into_lists(datagram)

    # EVAL THE MODE PARAMETER FOR DELETE
    elif mode == "delete":
        url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \
              '/policy/{policyid}'.format(adom=paramgram["adom"],
                                          pkg=paramgram["package_name"],
                                          policyid=paramgram["policyid"])
        datagram = {
            "policyid": paramgram["policyid"]
        }

    response = fmgr.process_request(url, datagram, paramgram["mode"])
    return response


#############
# END METHODS
#############


def main():
    argument_spec = dict(
        adom=dict(type="str", default="root"),
        mode=dict(choices=["add", "set", "delete", "update"], type="str", default="add"),
        package_name=dict(type="str", required=False, default="default"),

        wsso=dict(required=False, type="str", choices=["disable", "enable"]),
        webfilter_profile=dict(required=False, type="str"),
        webcache_https=dict(required=False, type="str", choices=["disable", "enable"]),
        webcache=dict(required=False, type="str", choices=["disable", "enable"]),
        wccp=dict(required=False, type="str", choices=["disable", "enable"]),
        wanopt_profile=dict(required=False, type="str"),
        wanopt_peer=dict(required=False, type="str"),
        wanopt_passive_opt=dict(required=False, type="str", choices=["default", "transparent", "non-transparent"]),
        wanopt_detection=dict(required=False, type="str", choices=["active", "passive", "off"]),
        wanopt=dict(required=False, type="str", choices=["disable", "enable"]),
        waf_profile=dict(required=False, type="str"),
        vpntunnel=dict(required=False, type="str"),
        voip_profile=dict(required=False, type="str"),
        vlan_filter=dict(required=False, type="str"),
        vlan_cos_rev=dict(required=False, type="int"),
        vlan_cos_fwd=dict(required=False, type="int"),
        utm_status=dict(required=False, type="str", choices=["disable", "enable"]),
        users=dict(required=False, type="str"),
        url_category=dict(required=False, type="str"),
        traffic_shaper_reverse=dict(required=False, type="str"),
        traffic_shaper=dict(required=False, type="str"),
        timeout_send_rst=dict(required=False, type="str", choices=["disable", "enable"]),
        tcp_session_without_syn=dict(required=False, type="str", choices=["all", "data-only", "disable"]),
        tcp_mss_sender=dict(required=False, type="int"),
        tcp_mss_receiver=dict(required=False, type="int"),
        status=dict(required=False, type="str", choices=["disable", "enable"]),
        ssl_ssh_profile=dict(required=False, type="str"),
        ssl_mirror_intf=dict(required=False, type="str"),
        ssl_mirror=dict(required=False, type="str", choices=["disable", "enable"]),
        ssh_filter_profile=dict(required=False, type="str"),
        srcintf=dict(required=False, type="str"),
        srcaddr_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        srcaddr=dict(required=False, type="str"),
        spamfilter_profile=dict(required=False, type="str"),
        session_ttl=dict(required=False, type="int"),
        service_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        service=dict(required=False, type="str"),
        send_deny_packet=dict(required=False, type="str", choices=["disable", "enable"]),
        schedule_timeout=dict(required=False, type="str", choices=["disable", "enable"]),
        schedule=dict(required=False, type="str"),
        scan_botnet_connections=dict(required=False, type="str", choices=["disable", "block", "monitor"]),
        rtp_nat=dict(required=False, type="str", choices=["disable", "enable"]),
        rtp_addr=dict(required=False, type="str"),
        rsso=dict(required=False, type="str", choices=["disable", "enable"]),
        replacemsg_override_group=dict(required=False, type="str"),
        redirect_url=dict(required=False, type="str"),
        radius_mac_auth_bypass=dict(required=False, type="str", choices=["disable", "enable"]),
        profile_type=dict(required=False, type="str", choices=["single", "group"]),
        profile_protocol_options=dict(required=False, type="str"),
        profile_group=dict(required=False, type="str"),
        poolname=dict(required=False, type="str"),
        policyid=dict(required=False, type="str"),
        permit_stun_host=dict(required=False, type="str", choices=["disable", "enable"]),
        permit_any_host=dict(required=False, type="str", choices=["disable", "enable"]),
        per_ip_shaper=dict(required=False, type="str"),
        outbound=dict(required=False, type="str", choices=["disable", "enable"]),
        ntlm_guest=dict(required=False, type="str", choices=["disable", "enable"]),
        ntlm_enabled_browsers=dict(required=False, type="str"),
        ntlm=dict(required=False, type="str", choices=["disable", "enable"]),
        np_acceleration=dict(required=False, type="str", choices=["disable", "enable"]),
        natoutbound=dict(required=False, type="str", choices=["disable", "enable"]),
        natip=dict(required=False, type="str"),
        natinbound=dict(required=False, type="str", choices=["disable", "enable"]),
        nat=dict(required=False, type="str", choices=["disable", "enable"]),
        name=dict(required=False, type="str"),
        mms_profile=dict(required=False, type="str"),
        match_vip=dict(required=False, type="str", choices=["disable", "enable"]),
        logtraffic_start=dict(required=False, type="str", choices=["disable", "enable"]),
        logtraffic=dict(required=False, type="str", choices=["disable", "all", "utm"]),
        learning_mode=dict(required=False, type="str", choices=["disable", "enable"]),
        label=dict(required=False, type="str"),
        ips_sensor=dict(required=False, type="str"),
        ippool=dict(required=False, type="str", choices=["disable", "enable"]),
        internet_service_src_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        internet_service_src_id=dict(required=False, type="str"),
        internet_service_src_custom=dict(required=False, type="str"),
        internet_service_src=dict(required=False, type="str", choices=["disable", "enable"]),
        internet_service_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        internet_service_id=dict(required=False, type="str"),
        internet_service_custom=dict(required=False, type="str"),
        internet_service=dict(required=False, type="str", choices=["disable", "enable"]),
        inbound=dict(required=False, type="str", choices=["disable", "enable"]),
        identity_based_route=dict(required=False, type="str"),
        icap_profile=dict(required=False, type="str"),
        gtp_profile=dict(required=False, type="str"),
        groups=dict(required=False, type="str"),
        global_label=dict(required=False, type="str"),
        fsso_agent_for_ntlm=dict(required=False, type="str"),
        fsso=dict(required=False, type="str", choices=["disable", "enable"]),
        fixedport=dict(required=False, type="str", choices=["disable", "enable"]),
        firewall_session_dirty=dict(required=False, type="str", choices=["check-all", "check-new"]),
        dstintf=dict(required=False, type="str"),
        dstaddr_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        dstaddr=dict(required=False, type="str"),
        dsri=dict(required=False, type="str", choices=["disable", "enable"]),
        dscp_value=dict(required=False, type="str"),
        dscp_negate=dict(required=False, type="str", choices=["disable", "enable"]),
        dscp_match=dict(required=False, type="str", choices=["disable", "enable"]),
        dnsfilter_profile=dict(required=False, type="str"),
        dlp_sensor=dict(required=False, type="str"),
        disclaimer=dict(required=False, type="str", choices=["disable", "enable"]),
        diffservcode_rev=dict(required=False, type="str"),
        diffservcode_forward=dict(required=False, type="str"),
        diffserv_reverse=dict(required=False, type="str", choices=["disable", "enable"]),
        diffserv_forward=dict(required=False, type="str", choices=["disable", "enable"]),
        devices=dict(required=False, type="str"),
        delay_tcp_npu_session=dict(required=False, type="str", choices=["disable", "enable"]),
        custom_log_fields=dict(required=False, type="str"),
        comments=dict(required=False, type="str"),
        capture_packet=dict(required=False, type="str", choices=["disable", "enable"]),
        captive_portal_exempt=dict(required=False, type="str", choices=["disable", "enable"]),
        block_notification=dict(required=False, type="str", choices=["disable", "enable"]),
        av_profile=dict(required=False, type="str"),
        auto_asic_offload=dict(required=False, type="str", choices=["disable", "enable"]),
        auth_redirect_addr=dict(required=False, type="str"),
        auth_path=dict(required=False, type="str", choices=["disable", "enable"]),
        auth_cert=dict(required=False, type="str"),
        application_list=dict(required=False, type="str"),
        application=dict(required=False, type="str"),
        app_group=dict(required=False, type="str"),
        app_category=dict(required=False, type="str"),
        action=dict(required=False, type="str", choices=["deny", "accept", "ipsec"]),
        vpn_dst_node=dict(required=False, type="list"),
        vpn_dst_node_host=dict(required=False, type="str"),
        vpn_dst_node_seq=dict(required=False, type="str"),
        vpn_dst_node_subnet=dict(required=False, type="str"),
        vpn_src_node=dict(required=False, type="list"),
        vpn_src_node_host=dict(required=False, type="str"),
        vpn_src_node_seq=dict(required=False, type="str"),
        vpn_src_node_subnet=dict(required=False, type="str"),

    )

    module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False, )
    # MODULE PARAMGRAM
    paramgram = {
        "mode": module.params["mode"],
        "adom": module.params["adom"],
        "package_name": module.params["package_name"],
        "wsso": module.params["wsso"],
        "webfilter-profile": module.params["webfilter_profile"],
        "webcache-https": module.params["webcache_https"],
        "webcache": module.params["webcache"],
        "wccp": module.params["wccp"],
        "wanopt-profile": module.params["wanopt_profile"],
        "wanopt-peer": module.params["wanopt_peer"],
        "wanopt-passive-opt": module.params["wanopt_passive_opt"],
        "wanopt-detection": module.params["wanopt_detection"],
        "wanopt": module.params["wanopt"],
        "waf-profile": module.params["waf_profile"],
        "vpntunnel": module.params["vpntunnel"],
        "voip-profile": module.params["voip_profile"],
        "vlan-filter": module.params["vlan_filter"],
        "vlan-cos-rev": module.params["vlan_cos_rev"],
        "vlan-cos-fwd": module.params["vlan_cos_fwd"],
        "utm-status": module.params["utm_status"],
        "users": module.params["users"],
        "url-category": module.params["url_category"],
        "traffic-shaper-reverse": module.params["traffic_shaper_reverse"],
        "traffic-shaper": module.params["traffic_shaper"],
        "timeout-send-rst": module.params["timeout_send_rst"],
        "tcp-session-without-syn": module.params["tcp_session_without_syn"],
        "tcp-mss-sender": module.params["tcp_mss_sender"],
        "tcp-mss-receiver": module.params["tcp_mss_receiver"],
        "status": module.params["status"],
        "ssl-ssh-profile": module.params["ssl_ssh_profile"],
        "ssl-mirror-intf": module.params["ssl_mirror_intf"],
        "ssl-mirror": module.params["ssl_mirror"],
        "ssh-filter-profile": module.params["ssh_filter_profile"],
        "srcintf": module.params["srcintf"],
        "srcaddr-negate": module.params["srcaddr_negate"],
        "srcaddr": module.params["srcaddr"],
        "spamfilter-profile": module.params["spamfilter_profile"],
        "session-ttl": module.params["session_ttl"],
        "service-negate": module.params["service_negate"],
        "service": module.params["service"],
        "send-deny-packet": module.params["send_deny_packet"],
        "schedule-timeout": module.params["schedule_timeout"],
        "schedule": module.params["schedule"],
        "scan-botnet-connections": module.params["scan_botnet_connections"],
        "rtp-nat": module.params["rtp_nat"],
        "rtp-addr": module.params["rtp_addr"],
        "rsso": module.params["rsso"],
        "replacemsg-override-group": module.params["replacemsg_override_group"],
        "redirect-url": module.params["redirect_url"],
        "radius-mac-auth-bypass": module.params["radius_mac_auth_bypass"],
        "profile-type": module.params["profile_type"],
        "profile-protocol-options": module.params["profile_protocol_options"],
        "profile-group": module.params["profile_group"],
        "poolname": module.params["poolname"],
        "policyid": module.params["policyid"],
        "permit-stun-host": module.params["permit_stun_host"],
        "permit-any-host": module.params["permit_any_host"],
        "per-ip-shaper": module.params["per_ip_shaper"],
        "outbound": module.params["outbound"],
        "ntlm-guest": module.params["ntlm_guest"],
        "ntlm-enabled-browsers": module.params["ntlm_enabled_browsers"],
        "ntlm": module.params["ntlm"],
        "np-acceleration": module.params["np_acceleration"],
        "natoutbound": module.params["natoutbound"],
        "natip": module.params["natip"],
        "natinbound": module.params["natinbound"],
        "nat": module.params["nat"],
        "name": module.params["name"],
        "mms-profile": module.params["mms_profile"],
        "match-vip": module.params["match_vip"],
        "logtraffic-start": module.params["logtraffic_start"],
        "logtraffic": module.params["logtraffic"],
        "learning-mode": module.params["learning_mode"],
        "label": module.params["label"],
        "ips-sensor": module.params["ips_sensor"],
        "ippool": module.params["ippool"],
        "internet-service-src-negate": module.params["internet_service_src_negate"],
        "internet-service-src-id": module.params["internet_service_src_id"],
        "internet-service-src-custom": module.params["internet_service_src_custom"],
        "internet-service-src": module.params["internet_service_src"],
        "internet-service-negate": module.params["internet_service_negate"],
        "internet-service-id": module.params["internet_service_id"],
        "internet-service-custom": module.params["internet_service_custom"],
        "internet-service": module.params["internet_service"],
        "inbound": module.params["inbound"],
        "identity-based-route": module.params["identity_based_route"],
        "icap-profile": module.params["icap_profile"],
        "gtp-profile": module.params["gtp_profile"],
        "groups": module.params["groups"],
        "global-label": module.params["global_label"],
        "fsso-agent-for-ntlm": module.params["fsso_agent_for_ntlm"],
        "fsso": module.params["fsso"],
        "fixedport": module.params["fixedport"],
        "firewall-session-dirty": module.params["firewall_session_dirty"],
        "dstintf": module.params["dstintf"],
        "dstaddr-negate": module.params["dstaddr_negate"],
        "dstaddr": module.params["dstaddr"],
        "dsri": module.params["dsri"],
        "dscp-value": module.params["dscp_value"],
        "dscp-negate": module.params["dscp_negate"],
        "dscp-match": module.params["dscp_match"],
        "dnsfilter-profile": module.params["dnsfilter_profile"],
        "dlp-sensor": module.params["dlp_sensor"],
        "disclaimer": module.params["disclaimer"],
        "diffservcode-rev": module.params["diffservcode_rev"],
        "diffservcode-forward": module.params["diffservcode_forward"],
        "diffserv-reverse": module.params["diffserv_reverse"],
        "diffserv-forward": module.params["diffserv_forward"],
        "devices": module.params["devices"],
        "delay-tcp-npu-session": module.params["delay_tcp_npu_session"],
        "custom-log-fields": module.params["custom_log_fields"],
        "comments": module.params["comments"],
        "capture-packet": module.params["capture_packet"],
        "captive-portal-exempt": module.params["captive_portal_exempt"],
        "block-notification": module.params["block_notification"],
        "av-profile": module.params["av_profile"],
        "auto-asic-offload": module.params["auto_asic_offload"],
        "auth-redirect-addr": module.params["auth_redirect_addr"],
        "auth-path": module.params["auth_path"],
        "auth-cert": module.params["auth_cert"],
        "application-list": module.params["application_list"],
        "application": module.params["application"],
        "app-group": module.params["app_group"],
        "app-category": module.params["app_category"],
        "action": module.params["action"],
        "vpn_dst_node": {
            "host": module.params["vpn_dst_node_host"],
            "seq": module.params["vpn_dst_node_seq"],
            "subnet": module.params["vpn_dst_node_subnet"],
        },
        "vpn_src_node": {
            "host": module.params["vpn_src_node_host"],
            "seq": module.params["vpn_src_node_seq"],
            "subnet": module.params["vpn_src_node_subnet"],
        }
    }
    module.paramgram = paramgram
    fmgr = None
    if module._socket_path:
        connection = Connection(module._socket_path)
        fmgr = FortiManagerHandler(connection, module)
        fmgr.tools = FMGRCommon()
    else:
        module.fail_json(**FAIL_SOCKET_MSG)

    list_overrides = ['vpn_dst_node', 'vpn_src_node']
    paramgram = fmgr.tools.paramgram_child_list_override(list_overrides=list_overrides,
                                                         paramgram=paramgram, module=module)

    # BEGIN MODULE-SPECIFIC LOGIC -- THINGS NEED TO HAPPEN DEPENDING ON THE ENDPOINT AND OPERATION
    results = DEFAULT_RESULT_OBJ
    try:
        if paramgram["mode"] == "delete":
            # WE NEED TO GET THE POLICY ID FROM THE NAME OF THE POLICY TO DELETE IT
            url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \
                  '/policy/'.format(adom=paramgram["adom"],
                                    pkg=paramgram["package_name"])
            datagram = {
                "filter": ["name", "==", paramgram["name"]]
            }
            response = fmgr.process_request(url, datagram, FMGRMethods.GET)
            try:
                if response[1][0]["policyid"]:
                    policy_id = response[1][0]["policyid"]
                    paramgram["policyid"] = policy_id
            except BaseException:
                fmgr.return_response(module=module, results=response, good_codes=[0, ], stop_on_success=True,
                                     ansible_facts=fmgr.construct_ansible_facts(results, module.params, paramgram),
                                     msg="Couldn't find policy ID number for policy name specified.")
    except Exception as err:
        raise FMGBaseException(err)

    try:
        results = fmgr_firewall_policy_modify(fmgr, paramgram)
        fmgr.govern_response(module=module, results=results, good_codes=[0, -9998],
                             ansible_facts=fmgr.construct_ansible_facts(results, module.params, paramgram))
    except Exception as err:
        raise FMGBaseException(err)

    return module.exit_json(**results[1])


if __name__ == "__main__":
    main()