 
    New in version 2.8.
The below requirements are needed on the host that executes this module.
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
| firewall_sniffer 
                    -
                                         | Default: null | Configure sniffer. | ||
| anomaly 
                    -
                                         | Configuration method to edit Denial of Service (DoS) anomaly settings. | |||
| action 
                    -
                                         | 
 | Action taken when the threshold is reached. | ||
| log 
                    -
                                         | 
 | Enable/disable anomaly logging. | ||
| name 
                    -
                     / required                     | Anomaly name. | |||
| quarantine 
                    -
                                         | 
 | Quarantine method. | ||
| quarantine-expiry 
                    -
                                         | Duration of quarantine. (Format | |||
| quarantine-log 
                    -
                                         | 
 | Enable/disable quarantine logging. | ||
| status 
                    -
                                         | 
 | Enable/disable this anomaly. | ||
| threshold 
                    -
                                         | Anomaly threshold. Number of detected instances per minute that triggers the anomaly action. | |||
| threshold(default) 
                    -
                                         | Number of detected instances per minute which triggers action (1 - 2147483647, default = 1000). Note that each anomaly has a different threshold value assigned to it. | |||
| application-list 
                    -
                                         | Name of an existing application list. Source application.list.name. | |||
| application-list-status 
                    -
                                         | 
 | Enable/disable application control profile. | ||
| av-profile 
                    -
                                         | Name of an existing antivirus profile. Source antivirus.profile.name. | |||
| av-profile-status 
                    -
                                         | 
 | Enable/disable antivirus profile. | ||
| dlp-sensor 
                    -
                                         | Name of an existing DLP sensor. Source dlp.sensor.name. | |||
| dlp-sensor-status 
                    -
                                         | 
 | Enable/disable DLP sensor. | ||
| dsri 
                    -
                                         | 
 | Enable/disable DSRI. | ||
| host 
                    -
                                         | Hosts to filter for in sniffer traffic (Format examples: 1.1.1.1, 2.2.2.0/24, 3.3.3.3/255.255.255.0, 4.4.4.0-4.4.4.240). | |||
| id 
                    -
                     / required                     | Sniffer ID. | |||
| interface 
                    -
                                         | Interface name that traffic sniffing will take place on. Source system.interface.name. | |||
| ips-dos-status 
                    -
                                         | 
 | Enable/disable IPS DoS anomaly detection. | ||
| ips-sensor 
                    -
                                         | Name of an existing IPS sensor. Source ips.sensor.name. | |||
| ips-sensor-status 
                    -
                                         | 
 | Enable/disable IPS sensor. | ||
| ipv6 
                    -
                                         | 
 | Enable/disable sniffing IPv6 packets. | ||
| logtraffic 
                    -
                                         | 
 | Either log all sessions, only sessions that have a security profile applied, or disable all logging for this policy. | ||
| max-packet-count 
                    -
                                         | Maximum packet count (1 - 1000000, default = 10000). | |||
| non-ip 
                    -
                                         | 
 | Enable/disable sniffing non-IP packets. | ||
| port 
                    -
                                         | Ports to sniff (Format examples: 10, :20, 30:40, 50-, 100-200). | |||
| protocol 
                    -
                                         | Integer value for the protocol type as defined by IANA (0 - 255). | |||
| scan-botnet-connections 
                    -
                                         | 
 | Enable/disable scanning of connections to Botnet servers. | ||
| spamfilter-profile 
                    -
                                         | Name of an existing spam filter profile. Source spamfilter.profile.name. | |||
| spamfilter-profile-status 
                    -
                                         | 
 | Enable/disable spam filter. | ||
| state 
                    -
                                         | 
 | Indicates whether to create or remove the object | ||
| status 
                    -
                                         | 
 | Enable/disable the active status of the sniffer. | ||
| vlan 
                    -
                                         | List of VLANs to sniff. | |||
| webfilter-profile 
                    -
                                         | Name of an existing web filter profile. Source webfilter.profile.name. | |||
| webfilter-profile-status 
                    -
                                         | 
 | Enable/disable web filter profile. | ||
| host 
                    -
                     / required                     | FortiOS or FortiGate ip adress. | |||
| https 
                    boolean
                                         | 
 | Indicates if the requests towards FortiGate must use HTTPS protocol | ||
| password 
                    -
                                         | Default: "" | FortiOS or FortiGate password. | ||
| username 
                    -
                     / required                     | FortiOS or FortiGate username. | |||
| vdom 
                    -
                                         | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | ||
Note
- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure sniffer.
    fortios_firewall_sniffer:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      firewall_sniffer:
        state: "present"
        anomaly:
         -
            action: "pass"
            log: "enable"
            name: "default_name_6"
            quarantine: "none"
            quarantine-expiry: "<your_own_value>"
            quarantine-log: "disable"
            status: "disable"
            threshold: "11"
            threshold(default): "12"
        application-list: "<your_own_value> (source application.list.name)"
        application-list-status: "enable"
        av-profile: "<your_own_value> (source antivirus.profile.name)"
        av-profile-status: "enable"
        dlp-sensor: "<your_own_value> (source dlp.sensor.name)"
        dlp-sensor-status: "enable"
        dsri: "enable"
        host: "myhostname"
        id:  "21"
        interface: "<your_own_value> (source system.interface.name)"
        ips-dos-status: "enable"
        ips-sensor: "<your_own_value> (source ips.sensor.name)"
        ips-sensor-status: "enable"
        ipv6: "enable"
        logtraffic: "all"
        max-packet-count: "28"
        non-ip: "enable"
        port: "<your_own_value>"
        protocol: "<your_own_value>"
        scan-botnet-connections: "disable"
        spamfilter-profile: "<your_own_value> (source spamfilter.profile.name)"
        spamfilter-profile-status: "enable"
        status: "enable"
        vlan: "<your_own_value>"
        webfilter-profile: "<your_own_value> (source webfilter.profile.name)"
        webfilter-profile-status: "enable"
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description | 
|---|---|---|
| build string | always | Build number of the fortigate image Sample: 1547 | 
| http_method string | always | Last method used to provision the content into FortiGate Sample: PUT | 
| http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 | 
| mkey string | success | Master key (id) used in the last call to FortiGate Sample: id | 
| name string | always | Name of the table used to fulfill the request Sample: urlfilter | 
| path string | always | Path of the table used to fulfill the request Sample: webfilter | 
| revision string | always | Internal revision number Sample: 17.0.2.10658 | 
| serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 | 
| status string | always | Indication of the operation's result Sample: success | 
| vdom string | always | Virtual domain used Sample: root | 
| version string | always | Version of the FortiGate Sample: v5.6.3 | 
Hint
If you notice any issues in this documentation you can edit this document to improve it.