| Parameter | Choices/Defaults | Comments |
|---|---|---|
| application_list - |  | Specifies Application Control name. |
| av_profile - |  | Specifies Antivirus profile name. |
| backup boolean |  | This argument will cause the module to create a backup of the current running-config from the remote device before any changes are made. The backup file is written to the backup folder. |
| backup_filename string |  | Specifies the backup filename. If omitted, the filename will be formatted like HOST_config.YYYY-MM-DD@HH:MM:SS |
| backup_path path |  | Specifies where to store backup files. Required if backup=yes. |
| comment - |  | Free text to describe the policy. |
| config_file path (added in 2.4) |  | Path to configuration file. Required when file_mode is True. |
| dst_addr - |  | Specifies destination address (or group) object name(s). Required when state=present. |
| dst_addr_negate boolean |  | Negate destination address param. |
| dst_intf - | Default: "any" | Specifies destination interface name(s). |
| file_mode boolean (added in 2.4) |  | Don't connect to any device, only use config_file as input and output. |
| fixedport boolean |  | Use fixed port for NAT. |
| host string |  | Specifies the DNS hostname or IP address for connecting to the remote fortios device. Required when file_mode is False. |
| id - / required |  | Policy ID. Warning: the policy ID number is different from the policy sequence number. The policy ID is the number assigned at policy creation. The sequence number represents the order in which the Fortigate will evaluate the rule for policy enforcement, and also the order in which rules are listed in the GUI and CLI. These two numbers do not necessarily correlate: this module is based off policy ID. TIP: policy ID can be viewed in the GUI by adding 'ID' to the display columns. |
| ips_sensor - |  | Specifies IPS Sensor profile name. |
| logtraffic - (added in 2.4) | Choices: disable, utm ← (default), all | Logs sessions that matched policy. |
| logtraffic_start boolean (added in 2.4) |  | Logs beginning of session as well. |
| nat boolean |  | Enable or disable NAT. |
| password string |  | Specifies the password used to authenticate to the remote device. Required when file_mode is True. |
| policy_action - |  | Specifies accept or deny action policy. Required when state=present. aliases: action |
| poolname - |  | Specifies NAT pool name. |
| schedule - | Default: "always" | Defines policy schedule. |
| service - |  | Specifies policy service(s), could be a list (ex: ['MAIL','DNS']). Required when state=present. aliases: services |
| service_negate boolean |  | Negate policy service(s) defined in service value. |
| src_addr - |  | Specifies source address (or group) object name(s). Required when state=present. |
| src_addr_negate boolean |  | Negate source address param. |
| src_intf - | Default: "any" | Specifies source interface name(s). |
| state - | Choices: present ← (default), absent | Specifies whether the policy ID is to be added or deleted. |
| timeout integer | Default: 60 | Timeout in seconds for connecting to the remote device. |
| username string |  | Configures the username used to authenticate to the remote device. Required when file_mode is True. |
| vdom string |  | Specifies on which vdom to apply configuration. |
| webfilter_profile - |  | Specifies Webfilter profile name. |
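
A playbook that exercises these parameters, as an added example that is not from the original page. It assumes the table documents Ansible's `fortios_ipv4_policy` module; the host address, vault variable names, vdom, interface names, address object names and policy IDs are constructed placeholders.

```yaml
# Added example; assumes the module documented above is fortios_ipv4_policy.
# Host, vdom, interfaces, address objects, IDs and vault variable names are
# constructed placeholders; the objects must already exist on the device.
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Deny guest-to-server traffic and log every matched session
      fortios_ipv4_policy:
        host: 192.0.2.10
        # Credentials come from vaulted variables rather than the playbook.
        username: "{{ vault_fortios_user }}"
        password: "{{ vault_fortios_password }}"
        vdom: root
        # id is the policy ID assigned at creation, not the sequence number
        # that decides evaluation order.
        id: 42
        state: present
        policy_action: deny
        src_intf: port2
        src_addr: guest_net
        dst_intf: port1
        dst_addr: server_net
        service: ['HTTPS', 'DNS']
        schedule: always
        # The default choice (utm) is overridden so all matched sessions log.
        logtraffic: all
        logtraffic_start: true
        comment: "Block guest VLAN from server segment"
        # Keep a copy of the running-config taken before the change;
        # backup_path is required when backup=yes.
        backup: yes
        backup_path: ./fortios_backups/

    - name: Remove a retired policy, addressed by policy ID
      fortios_ipv4_policy:
        host: 192.0.2.10
        username: "{{ vault_fortios_user }}"
        password: "{{ vault_fortios_password }}"
        vdom: root
        id: 17
        state: absent
        backup: yes
        backup_path: ./fortios_backups/
```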