| Parameter | Choices/Defaults | Comments | 
                
                                                            | firewall_vip6 
                    dictionary
                                                                 | Default: 
 null | Configure virtual IP for IPv6. | 
                                                        
                                                |  | arp_reply 
                    string
                                                                 |  | Enable to respond to ARP requests for this virtual IP address. Enabled by default. | 
                            
                                                |  | color 
                    integer
                                                                 |  | Color of icon on the GUI. | 
                            
                                                |  | comment 
                    string
                                                                 |  | Comment. | 
                            
                                                |  | extip 
                    string
                                                                 |  | IP address or address range on the external interface that you want to map to an address or address range on the destination network. | 
                            
                                                |  | extport 
                    string
                                                                 |  | Incoming port number range that you want to map to a port number range on the destination network. | 
                            
                                                |  | http_cookie_age 
                    integer
                                                                 |  | Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. | 
                            
                                                |  | http_cookie_domain 
                    string
                                                                 |  | Domain that HTTP cookie persistence should apply to. | 
                            
                                                |  | http_cookie_domain_from_host 
                    string
                                                                 |  | Enable/disable use of HTTP cookie domain from host field in HTTP. | 
                            
                                                |  | http_cookie_generation 
                    integer
                                                                 |  | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. | 
                            
                                                |  | http_cookie_path 
                    string
                                                                 |  | Limit HTTP cookie persistence to the specified path. | 
                            
                                                |  | http_cookie_share 
                    string
                                                                 |  | Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. | 
                            
                                                |  | http_ip_header 
                    string
                                                                 |  | For HTTP multiplexing, enable to add the original client IP address in the XForwarded-For HTTP header. | 
                            
                                                |  | http_ip_header_name 
                    string
                                                                 |  | For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. | 
                            
                                                |  | http_multiplex 
                    string
                                                                 |  | Enable/disable HTTP multiplexing. | 
                            
                                                |  | https_cookie_secure 
                    string
                                                                 |  | Enable/disable verification that inserted HTTPS cookies are secure. | 
                            
                                                |  | id 
                    integer
                                                                 |  | Custom defined ID. | 
                            
                                                |  | ldb_method 
                    string
                                                                 | Choices:
                                                                                                                                                            staticround-robinweightedleast-sessionleast-rttfirst-alivehttp-host | Method used to distribute sessions to real servers. | 
                            
                                                |  | mappedip 
                    string
                                                                 |  | Mapped IP address range in the format startIP-endIP. | 
                            
                                                |  | mappedport 
                    string
                                                                 |  | Port number range on the destination network to which the external port number range is mapped. | 
                            
                                                |  | max_embryonic_connections 
                    integer
                                                                 |  | Maximum number of incomplete connections. | 
                            
                                                |  | monitor 
                    list
                                                                 |  | Name of the health check monitor to use when polling to determine a virtual server's connectivity status. | 
                                                        
                                                |  |  | name 
                    string
                                             / required                     |  | Health monitor name. Source firewall.ldb-monitor.name. | 
                                            
                                                |  | name 
                    string
                                             / required                     |  | Virtual ip6 name. | 
                            
                                                |  | outlook_web_access 
                    string
                                                                 |  | Enable to add the Front-End-Https header for Microsoft Outlook Web Access. | 
                            
                                                |  | persistence 
                    string
                                                                 | Choices:
                                                                                                                                                            nonehttp-cookiessl-session-id | Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. | 
                            
                                                |  | portforward 
                    string
                                                                 |  | Enable port forwarding. | 
                            
                                                |  | protocol 
                    string
                                                                 |  | Protocol to use when forwarding packets. | 
                            
                                                |  | realservers 
                    list
                                                                 |  | Select the real servers that this server load balancing VIP will distribute traffic to. | 
                                                        
                                                |  |  | client_ip 
                    string
                                                                 |  | Only clients in this IP range can connect to this real server. | 
                            
                                                |  |  | healthcheck 
                    string
                                                                 | Choices:
                                                                                                                                                            disableenablevip | Enable to check the responsiveness of the real server before forwarding traffic. | 
                            
                                                |  |  | holddown_interval 
                    integer
                                                                 |  | Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. | 
                            
                                                |  |  | http_host 
                    string
                                                                 |  | HTTP server domain name in HTTP header. | 
                            
                                                |  |  | id 
                    integer
                                             / required                     |  | Real server ID. | 
                            
                                                |  |  | ip 
                    string
                                                                 |  | IPv6 address of the real server. | 
                            
                                                |  |  | max_connections 
                    integer
                                                                 |  | Max number of active connections that can directed to the real server. When reached, sessions are sent to other real servers. | 
                            
                                                |  |  | monitor 
                    string
                                                                 |  | Name of the health check monitor to use when polling to determine a virtual server's connectivity status. Source firewall .ldb-monitor.name. | 
                            
                                                |  |  | port 
                    integer
                                                                 |  | Port for communicating with the real server. Required if port forwarding is enabled. | 
                            
                                                |  |  | status 
                    string
                                                                 | Choices:
                                                                                                                                                            activestandbydisable | Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. | 
                            
                                                |  |  | weight 
                    integer
                                                                 |  | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | 
                                            
                                                |  | server_type 
                    string
                                                                 | Choices:
                                                                                                                                                            httphttpsimapspop3ssmtpsssltcpudpip | Protocol to be load balanced by the virtual server (also called the server load balance virtual IP). | 
                            
                                                |  | src_filter 
                    list
                                                                 |  | Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces. | 
                                                        
                                                |  |  | range 
                    string
                                             / required                     |  | Source-filter range. | 
                                            
                                                |  | ssl_algorithm 
                    string
                                                                 | Choices:
                                                                                                                                                            highmediumlowcustom | Permitted encryption algorithms for SSL sessions according to encryption strength. | 
                            
                                                |  | ssl_certificate 
                    string
                                                                 |  | The name of the SSL certificate to use for SSL acceleration. Source vpn.certificate.local.name. | 
                            
                                                |  | ssl_cipher_suites 
                    list
                                                                 |  | SSL/TLS cipher suites acceptable from a client, ordered by priority. | 
                                                        
                                                |  |  | cipher 
                    string
                                                                 | Choices:
                                                                                                                                                            TLS-RSA-WITH-3DES-EDE-CBC-SHATLS-DHE-RSA-WITH-DES-CBC-SHATLS-DHE-DSS-WITH-DES-CBC-SHA | Cipher suite name. | 
                            
                                                |  |  | priority 
                    integer
                                             / required                     |  | SSL/TLS cipher suites priority. | 
                            
                                                |  |  | versions 
                    string
                                                                 | Choices:
                                                                                                                                                            ssl-3.0tls-1.0tls-1.1tls-1.2 | SSL/TLS versions that the cipher suite can be used with. | 
                                            
                                                |  | ssl_client_fallback 
                    string
                                                                 |  | Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). | 
                            
                                                |  | ssl_client_renegotiation 
                    string
                                                                 | Choices:
                                                                                                                                                            allowdenysecure | Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. | 
                            
                                                |  | ssl_client_session_state_max 
                    integer
                                                                 |  | Maximum number of client to FortiGate SSL session states to keep. | 
                            
                                                |  | ssl_client_session_state_timeout 
                    integer
                                                                 |  | Number of minutes to keep client to FortiGate SSL session state. | 
                            
                                                |  | ssl_client_session_state_type 
                    string
                                                                 | Choices:
                                                                                                                                                            disabletimecountboth | How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. | 
                            
                                                |  | ssl_dh_bits 
                    string
                                                                 | Choices:
                                                                                                                                                            76810241536204830724096 | Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. | 
                            
                                                |  | ssl_hpkp 
                    string
                                                                 | Choices:
                                                                                                                                                            disableenablereport-only | Enable/disable including HPKP header in response. | 
                            
                                                |  | ssl_hpkp_age 
                    integer
                                                                 |  | Number of minutes the web browser should keep HPKP. | 
                            
                                                |  | ssl_hpkp_backup 
                    string
                                                                 |  | Certificate to generate backup HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. | 
                            
                                                |  | ssl_hpkp_include_subdomains 
                    string
                                                                 |  | Indicate that HPKP header applies to all subdomains. | 
                            
                                                |  | ssl_hpkp_primary 
                    string
                                                                 |  | Certificate to generate primary HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. | 
                            
                                                |  | ssl_hpkp_report_uri 
                    string
                                                                 |  | URL to report HPKP violations to. | 
                            
                                                |  | ssl_hsts 
                    string
                                                                 |  | Enable/disable including HSTS header in response. | 
                            
                                                |  | ssl_hsts_age 
                    integer
                                                                 |  | Number of seconds the client should honour the HSTS setting. | 
                            
                                                |  | ssl_hsts_include_subdomains 
                    string
                                                                 |  | Indicate that HSTS header applies to all subdomains. | 
                            
                                                |  | ssl_http_location_conversion 
                    string
                                                                 |  | Enable to replace HTTP with HTTPS in the reply's Location HTTP header field. | 
                            
                                                |  | ssl_http_match_host 
                    string
                                                                 |  | Enable/disable HTTP host matching for location conversion. | 
                            
                                                |  | ssl_max_version 
                    string
                                                                 | Choices:
                                                                                                                                                            ssl-3.0tls-1.0tls-1.1tls-1.2 | Highest SSL/TLS version acceptable from a client. | 
                            
                                                |  | ssl_min_version 
                    string
                                                                 | Choices:
                                                                                                                                                            ssl-3.0tls-1.0tls-1.1tls-1.2 | Lowest SSL/TLS version acceptable from a client. | 
                            
                                                |  | ssl_mode 
                    string
                                                                 |  | Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). | 
                            
                                                |  | ssl_pfs 
                    string
                                                                 | Choices:
                                                                                                                                                            requiredenyallow | Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. | 
                            
                                                |  | ssl_send_empty_frags 
                    string
                                                                 |  | Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems. | 
                            
                                                |  | ssl_server_algorithm 
                    string
                                                                 | Choices:
                                                                                                                                                            highmediumlowcustomclient | Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. | 
                            
                                                |  | ssl_server_cipher_suites 
                    list
                                                                 |  | SSL/TLS cipher suites to offer to a server, ordered by priority. | 
                                                        
                                                |  |  | cipher 
                    string
                                                                 | Choices:
                                                                                                                                                            TLS-RSA-WITH-3DES-EDE-CBC-SHATLS-DHE-RSA-WITH-DES-CBC-SHATLS-DHE-DSS-WITH-DES-CBC-SHA | Cipher suite name. | 
                            
                                                |  |  | priority 
                    integer
                                             / required                     |  | SSL/TLS cipher suites priority. | 
                            
                                                |  |  | versions 
                    string
                                                                 | Choices:
                                                                                                                                                            ssl-3.0tls-1.0tls-1.1tls-1.2 | SSL/TLS versions that the cipher suite can be used with. | 
                                            
                                                |  | ssl_server_max_version 
                    string
                                                                 | Choices:
                                                                                                                                                            ssl-3.0tls-1.0tls-1.1tls-1.2client | Highest SSL/TLS version acceptable from a server. Use the client setting by default. | 
                            
                                                |  | ssl_server_min_version 
                    string
                                                                 | Choices:
                                                                                                                                                            ssl-3.0tls-1.0tls-1.1tls-1.2client | Lowest SSL/TLS version acceptable from a server. Use the client setting by default. | 
                            
                                                |  | ssl_server_session_state_max 
                    integer
                                                                 |  | Maximum number of FortiGate to Server SSL session states to keep. | 
                            
                                                |  | ssl_server_session_state_timeout 
                    integer
                                                                 |  | Number of minutes to keep FortiGate to Server SSL session state. | 
                            
                                                |  | ssl_server_session_state_type 
                    string
                                                                 | Choices:
                                                                                                                                                            disabletimecountboth | How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. | 
                            
                                                |  | state 
                    string
                                                                 |  | Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. 
 Indicates whether to create or remove the object. | 
                            
                                                |  | type 
                    string
                                                                 | Choices:
                                                                                                                                                            static-natserver-load-balance | Configure a static NAT or server load balance VIP. | 
                            
                                                |  | uuid 
                    string
                                                                 |  | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | 
                            
                                                |  | weblogic_server 
                    string
                                                                 |  | Enable to add an HTTP header to indicate SSL offloading for a WebLogic server. | 
                            
                                                |  | websphere_server 
                    string
                                                                 |  | Enable to add an HTTP header to indicate SSL offloading for a WebSphere server. | 
                                            
                                                            | host 
                    string
                                                                 |  | FortiOS or FortiGate IP address. | 
                            
                                                            | https 
                    boolean
                                                                 |  | Indicates if the requests towards FortiGate must use HTTPS protocol. | 
                            
                                                            | password 
                    string
                                                                 | Default: 
 "" | FortiOS or FortiGate password. | 
                            
                                                            | ssl_verify 
                    boolean
                                                                 added in 2.9 |  | Ensures FortiGate certificate must be verified by a proper CA. | 
                            
                                                            | state 
                    string
                                                                 added in 2.9 |  | Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level. | 
                            
                                                            | username 
                    string
                                                                 |  | FortiOS or FortiGate username. | 
                            
                                                            | vdom 
                    string
                                                                 | Default: 
 "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |