 
New in version 2.8.
The below requirements are needed on the host that executes this module.
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| firewall_vip6 - | Default: null | Configure virtual IP for IPv6. |
| ↳ arp-reply - | | Enable to respond to ARP requests for this virtual IP address. Enabled by default. |
| ↳ color - | | Color of icon on the GUI. |
| ↳ comment - | | Comment. |
| ↳ extip - | | IP address or address range on the external interface that you want to map to an address or address range on the destination network. |
| ↳ extport - | | Incoming port number range that you want to map to a port number range on the destination network. |
| ↳ http-cookie-age - | | Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. |
| ↳ http-cookie-domain - | | Domain that HTTP cookie persistence should apply to. |
| ↳ http-cookie-domain-from-host - | | Enable/disable use of HTTP cookie domain from host field in HTTP. |
| ↳ http-cookie-generation - | | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. |
| ↳ http-cookie-path - | | Limit HTTP cookie persistence to the specified path. |
| ↳ http-cookie-share - | | Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. |
| ↳ http-ip-header - | | For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header. |
| ↳ http-ip-header-name - | | For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. |
| ↳ http-multiplex - | | Enable/disable HTTP multiplexing. |
| ↳ https-cookie-secure - | | Enable/disable verification that inserted HTTPS cookies are secure. |
| ↳ id - | | Custom defined ID. |
| ↳ ldb-method - | | Method used to distribute sessions to real servers. |
| ↳ mappedip - | | Mapped IP address range in the format startIP-endIP. |
| ↳ mappedport - | | Port number range on the destination network to which the external port number range is mapped. |
| ↳ max-embryonic-connections - | | Maximum number of incomplete connections. |
| ↳ monitor - | | Name of the health check monitor to use when polling to determine a virtual server's connectivity status. |
| ↳↳ name - / required | | Health monitor name. Source firewall.ldb-monitor.name. |
| ↳ name - / required | | Virtual ip6 name. |
| ↳ outlook-web-access - | | Enable to add the Front-End-Https header for Microsoft Outlook Web Access. |
| ↳ persistence - | | Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. |
| ↳ portforward - | | Enable port forwarding. |
| ↳ protocol - | | Protocol to use when forwarding packets. |
| ↳ realservers - | | Select the real servers that this server load balancing VIP will distribute traffic to. |
| ↳↳ client-ip - | | Only clients in this IP range can connect to this real server. |
| ↳↳ healthcheck - | | Enable to check the responsiveness of the real server before forwarding traffic. |
| ↳↳ holddown-interval - | | Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. |
| ↳↳ http-host - | | HTTP server domain name in HTTP header. |
| ↳↳ id - / required | | Real server ID. |
| ↳↳ ip - | | IPv6 address of the real server. |
| ↳↳ max-connections - | | Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers. |
| ↳↳ monitor - | | Name of the health check monitor to use when polling to determine a virtual server's connectivity status. Source firewall.ldb-monitor.name. |
| ↳↳ port - | | Port for communicating with the real server. Required if port forwarding is enabled. |
| ↳↳ status - | | Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. |
| ↳↳ weight - | | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. |
| ↳ server-type - | | Protocol to be load balanced by the virtual server (also called the server load balance virtual IP). |
| ↳ src-filter - | | Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces. |
| ↳↳ range - / required | | Source-filter range. |
| ↳ ssl-algorithm - | | Permitted encryption algorithms for SSL sessions according to encryption strength. |
| ↳ ssl-certificate - | | The name of the SSL certificate to use for SSL acceleration. Source vpn.certificate.local.name. |
| ↳ ssl-cipher-suites - | | SSL/TLS cipher suites acceptable from a client, ordered by priority. |
| ↳↳ cipher - | | Cipher suite name. |
| ↳↳ priority - / required | | SSL/TLS cipher suites priority. |
| ↳↳ versions - | | SSL/TLS versions that the cipher suite can be used with. |
| ↳ ssl-client-fallback - | | Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). |
| ↳ ssl-client-renegotiation - | | Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. |
| ↳ ssl-client-session-state-max - | | Maximum number of client to FortiGate SSL session states to keep. |
| ↳ ssl-client-session-state-timeout - | | Number of minutes to keep client to FortiGate SSL session state. |
| ↳ ssl-client-session-state-type - | | How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. |
| ↳ ssl-dh-bits - | | Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. |
| ↳ ssl-hpkp - | | Enable/disable including HPKP header in response. |
| ↳ ssl-hpkp-age - | | Number of minutes the web browser should keep HPKP. |
| ↳ ssl-hpkp-backup - | | Certificate to generate backup HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. |
| ↳ ssl-hpkp-include-subdomains - | | Indicate that HPKP header applies to all subdomains. |
| ↳ ssl-hpkp-primary - | | Certificate to generate primary HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. |
| ↳ ssl-hpkp-report-uri - | | URL to report HPKP violations to. |
| ↳ ssl-hsts - | | Enable/disable including HSTS header in response. |
| ↳ ssl-hsts-age - | | Number of seconds the client should honour the HSTS setting. |
| ↳ ssl-hsts-include-subdomains - | | Indicate that HSTS header applies to all subdomains. |
| ↳ ssl-http-location-conversion - | | Enable to replace HTTP with HTTPS in the reply's Location HTTP header field. |
| ↳ ssl-http-match-host - | | Enable/disable HTTP host matching for location conversion. |
| ↳ ssl-max-version - | | Highest SSL/TLS version acceptable from a client. |
| ↳ ssl-min-version - | | Lowest SSL/TLS version acceptable from a client. |
| ↳ ssl-mode - | | Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). |
| ↳ ssl-pfs - | | Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. |
| ↳ ssl-send-empty-frags - | | Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems. |
| ↳ ssl-server-algorithm - | | Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. |
| ↳ ssl-server-cipher-suites - | | SSL/TLS cipher suites to offer to a server, ordered by priority. |
| ↳↳ cipher - | | Cipher suite name. |
| ↳↳ priority - / required | | SSL/TLS cipher suites priority. |
| ↳↳ versions - | | SSL/TLS versions that the cipher suite can be used with. |
| ↳ ssl-server-max-version - | | Highest SSL/TLS version acceptable from a server. Use the client setting by default. |
| ↳ ssl-server-min-version - | | Lowest SSL/TLS version acceptable from a server. Use the client setting by default. |
| ↳ ssl-server-session-state-max - | | Maximum number of FortiGate to Server SSL session states to keep. |
| ↳ ssl-server-session-state-timeout - | | Number of minutes to keep FortiGate to Server SSL session state. |
| ↳ ssl-server-session-state-type - | | How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. |
| ↳ state - | | Indicates whether to create or remove the object. |
| ↳ type - | | Configure a static NAT or server load balance VIP. |
| ↳ uuid - | | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). |
| ↳ weblogic-server - | | Enable to add an HTTP header to indicate SSL offloading for a WebLogic server. |
| ↳ websphere-server - | | Enable to add an HTTP header to indicate SSL offloading for a WebSphere server. |
| host - / required | | FortiOS or FortiGate IP address. |
| https boolean | | Indicates if the requests towards FortiGate must use HTTPS protocol. |
| password - | Default: "" | FortiOS or FortiGate password. |
| username - / required | | FortiOS or FortiGate username. |
| vdom - | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |
Note
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
  - name: Configure virtual IP for IPv6.
    fortios_firewall_vip6:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      firewall_vip6:
        state: "present"
        arp-reply: "disable"
        color: "4"
        comment: "Comment."
        extip: "<your_own_value>"
        extport: "<your_own_value>"
        http-cookie-age: "8"
        http-cookie-domain: "<your_own_value>"
        http-cookie-domain-from-host: "disable"
        http-cookie-generation: "11"
        http-cookie-path: "<your_own_value>"
        http-cookie-share: "disable"
        http-ip-header: "enable"
        http-ip-header-name: "<your_own_value>"
        http-multiplex: "enable"
        https-cookie-secure: "disable"
        id: "18"
        ldb-method: "static"
        mappedip: "<your_own_value>"
        mappedport: "<your_own_value>"
        max-embryonic-connections: "22"
        monitor:
          - name: "default_name_24 (source firewall.ldb-monitor.name)"
        name: "default_name_25"
        outlook-web-access: "disable"
        persistence: "none"
        portforward: "disable"
        protocol: "tcp"
        realservers:
          - client-ip: "<your_own_value>"
            healthcheck: "disable"
            holddown-interval: "33"
            http-host: "myhostname"
            id: "35"
            ip: "<your_own_value>"
            max-connections: "37"
            monitor: "<your_own_value> (source firewall.ldb-monitor.name)"
            port: "39"
            status: "active"
            weight: "41"
        server-type: "http"
        src-filter:
          - range: "<your_own_value>"
        ssl-algorithm: "high"
        ssl-certificate: "<your_own_value> (source vpn.certificate.local.name)"
        ssl-cipher-suites:
          - cipher: "TLS-RSA-WITH-3DES-EDE-CBC-SHA"
            priority: "49"
            versions: "ssl-3.0"
        ssl-client-fallback: "disable"
        ssl-client-renegotiation: "allow"
        ssl-client-session-state-max: "53"
        ssl-client-session-state-timeout: "54"
        ssl-client-session-state-type: "disable"
        ssl-dh-bits: "768"
        ssl-hpkp: "disable"
        ssl-hpkp-age: "58"
        ssl-hpkp-backup: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
        ssl-hpkp-include-subdomains: "disable"
        ssl-hpkp-primary: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
        ssl-hpkp-report-uri: "<your_own_value>"
        ssl-hsts: "disable"
        ssl-hsts-age: "64"
        ssl-hsts-include-subdomains: "disable"
        ssl-http-location-conversion: "enable"
        ssl-http-match-host: "enable"
        ssl-max-version: "ssl-3.0"
        ssl-min-version: "ssl-3.0"
        ssl-mode: "half"
        ssl-pfs: "require"
        ssl-send-empty-frags: "enable"
        ssl-server-algorithm: "high"
        ssl-server-cipher-suites:
          - cipher: "TLS-RSA-WITH-3DES-EDE-CBC-SHA"
            priority: "76"
            versions: "ssl-3.0"
        ssl-server-max-version: "ssl-3.0"
        ssl-server-min-version: "ssl-3.0"
        ssl-server-session-state-max: "80"
        ssl-server-session-state-timeout: "81"
        ssl-server-session-state-type: "disable"
        type: "static-nat"
        uuid: "<your_own_value>"
        weblogic-server: "disable"
        websphere-server: "disable"
```
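
Several values in the sample task (`ssl-3.0` as both minimum and maximum version, `ssl-dh-bits: "768"`, a 3DES cipher suite, an empty `password`, no `https` argument) are weak choices for a deployed VIP. The Python check below is an added example, not part of the module or its documentation; it flags those values in a task's arguments. The `tls-1.x`, `2048`, `secure` and `enable` values, the `from-vault` placeholder and the 2048-bit threshold are assumptions, since this page does not list the permitted choices.

```python
WEAK_VERSIONS = {"ssl-3.0", "tls-1.0", "tls-1.1"}  # tls-1.x names are assumed choices
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL")
VERSION_KEYS = ("ssl-min-version", "ssl-max-version",
                "ssl-server-min-version", "ssl-server-max-version")
# parameter -> (value that weakens the VIP, why it matters)
WEAK_SWITCHES = {
    "ssl-client-renegotiation": ("allow", "secure renegotiation (RFC 5746) not required"),
    "ssl-client-fallback": ("disable", "downgrade protection (RFC 7507) is off"),
    "ssl-hsts": ("disable", "HSTS header is not sent"),
    "https-cookie-secure": ("disable", "inserted HTTPS cookies are not verified as secure"),
}

def audit_vip6(task):
    """Return sorted (parameter, reason) findings for one module task dict."""
    findings = []
    vip = task.get("firewall_vip6") or {}
    if task.get("https") is not True:
        findings.append(("https", "requests to the FortiGate are not required to use HTTPS"))
    if not task.get("password"):
        findings.append(("password", "empty password"))
    for key in VERSION_KEYS:
        if vip.get(key) in WEAK_VERSIONS:
            findings.append((key, "deprecated protocol version " + vip[key]))
    bits = vip.get("ssl-dh-bits")
    if bits is not None and int(bits) < 2048:  # threshold is this example's assumption
        findings.append(("ssl-dh-bits", "%s-bit Diffie-Hellman parameters" % bits))
    for key in ("ssl-cipher-suites", "ssl-server-cipher-suites"):
        for suite in vip.get(key) or []:
            cipher = suite.get("cipher", "")
            if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
                findings.append((key, "weak cipher " + cipher))
            if suite.get("versions") in WEAK_VERSIONS:
                findings.append((key, "suite enabled for " + suite["versions"]))
    for key, (bad, reason) in WEAK_SWITCHES.items():
        if vip.get(key) == bad:
            findings.append((key, reason))
    return sorted(findings)

# Subset of this page's example task, values exactly as shown there.
PAGE_EXAMPLE = {
    "host": "192.168.122.40", "username": "admin", "password": "", "vdom": "root",
    "firewall_vip6": {
        "ssl-min-version": "ssl-3.0", "ssl-max-version": "ssl-3.0", "ssl-dh-bits": "768",
        "ssl-client-renegotiation": "allow", "ssl-client-fallback": "disable",
        "ssl-hsts": "disable", "https-cookie-secure": "disable",
        "ssl-cipher-suites": [{"cipher": "TLS-RSA-WITH-3DES-EDE-CBC-SHA",
                               "priority": "49", "versions": "ssl-3.0"}],
    },
}
# Constructed counter-example; the password placeholder and option values are assumptions.
HARDENED = {
    "username": "admin", "password": "from-vault", "https": True,
    "firewall_vip6": {
        "ssl-min-version": "tls-1.2", "ssl-dh-bits": "2048", "ssl-hsts": "enable",
        "ssl-client-renegotiation": "secure", "ssl-client-fallback": "enable",
    },
}
for param, reason in audit_vip6(PAGE_EXAMPLE):
    print("%-26s %s" % (param, reason))
```
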
Common return values are documented here; the following fields are unique to this module:

| Key | Returned | Description |
|---|---|---|
| build string | always | Build number of the FortiGate image. Sample: 1547 |
| http_method string | always | Last method used to provision the content into FortiGate. Sample: PUT |
| http_status string | always | Last result given by FortiGate on last operation applied. Sample: 200 |
| mkey string | success | Master key (id) used in the last call to FortiGate. Sample: key1 |
| name string | always | Name of the table used to fulfill the request. Sample: urlfilter |
| path string | always | Path of the table used to fulfill the request. Sample: webfilter |
| revision string | always | Internal revision number. Sample: 17.0.2.10658 |
| serial string | always | Serial number of the unit. Sample: FGVMEVYYQT3AB5352 |
| status string | always | Indication of the operation's result. Sample: success |
| vdom string | always | Virtual domain used. Sample: root |
| version string | always | Version of the FortiGate. Sample: v5.6.3 |