@pulumiverse/fortios
A Pulumi package for creating and managing Fortios resources. Based on terraform-provider-fortios: version v1.16.0
import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* Configure virtual IP for IPv4.
*
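* ## Example Usage
*
* The values below illustrate the argument shape rather than a hardened configuration: the example binds the VIP to `extintf: "any"`, sets `sslMinVersion: "tls-1.1"` (TLS 1.0 and 1.1 are deprecated by RFC 8996), and leaves `sslHsts` and `httpsCookieSecure` disabled. Review these against your own exposure and TLS policy before reusing them.
*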
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as fortios from "@pulumiverse/fortios";
*
* const trname = new fortios.firewall.Vip("trname", {
* arpReply: "enable",
* color: 0,
* dnsMappingTtl: 0,
* extintf: "any",
* extip: "1.0.0.1-1.0.0.2",
* extport: "0-65535",
* fosid: 0,
* httpCookieAge: 60,
* httpCookieDomainFromHost: "disable",
* httpCookieGeneration: 0,
* httpCookieShare: "same-ip",
* httpIpHeader: "disable",
* httpMultiplex: "disable",
* httpsCookieSecure: "disable",
* ldbMethod: "static",
* mappedips: [{
* range: "3.0.0.0-3.0.0.1",
* }],
* mappedport: "0-65535",
* maxEmbryonicConnections: 1000,
* natSourceVip: "disable",
* outlookWebAccess: "disable",
* persistence: "none",
* portforward: "disable",
* portmappingType: "1-to-1",
* protocol: "tcp",
* sslAlgorithm: "high",
* sslClientFallback: "enable",
* sslClientRenegotiation: "secure",
* sslClientSessionStateMax: 1000,
* sslClientSessionStateTimeout: 30,
* sslClientSessionStateType: "both",
* sslDhBits: "2048",
* sslHpkp: "disable",
* sslHpkpAge: 5184000,
* sslHpkpIncludeSubdomains: "disable",
* sslHsts: "disable",
* sslHstsAge: 5184000,
* sslHstsIncludeSubdomains: "disable",
* sslHttpLocationConversion: "disable",
* sslHttpMatchHost: "enable",
* sslMaxVersion: "tls-1.2",
* sslMinVersion: "tls-1.1",
* sslMode: "half",
* sslPfs: "require",
* sslSendEmptyFrags: "enable",
* sslServerAlgorithm: "client",
* sslServerMaxVersion: "client",
* sslServerMinVersion: "client",
* sslServerSessionStateMax: 100,
* sslServerSessionStateTimeout: 60,
* sslServerSessionStateType: "both",
* type: "static-nat",
* weblogicServer: "disable",
* websphereServer: "disable",
* });
* ```
*
* ## Import
*
* Firewall Vip can be imported using any of these accepted formats:
*
* ```sh
* $ pulumi import fortios:firewall/vip:Vip labelname {{name}}
* ```
*
* If you do not want to import the arguments of blocks, set `FORTIOS_IMPORT_TABLE` to `false` for the import and unset it afterwards:
*
* ```sh
* $ export "FORTIOS_IMPORT_TABLE"="false"
* $ pulumi import fortios:firewall/vip:Vip labelname {{name}}
* $ unset "FORTIOS_IMPORT_TABLE"
* ```
*/
export declare class Vip extends pulumi.CustomResource {
/**
* Get an existing Vip resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
* @returns The Vip resource that matches the lookup.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: VipState, opts?: pulumi.CustomResourceOptions): Vip;
/**
* Returns true if the given object is an instance of Vip. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*
* @param obj The value to test; the declaration accepts any value.
*/
static isInstance(obj: any): obj is Vip;
/**
* Enable/disable adding NAT46 route. Valid values: `disable`, `enable`.
*/
readonly addNat46Route: pulumi.Output<string>;
/**
* Enable to respond to ARP requests for this virtual IP address. Enabled by default. Valid values: `disable`, `enable`.
*/
readonly arpReply: pulumi.Output<string>;
/**
* Color of icon on the GUI.
*/
readonly color: pulumi.Output<number>;
/**
* Comment.
*/
readonly comment: pulumi.Output<string | undefined>;
/**
* DNS mapping TTL (Set to zero to use TTL in DNS response, default = 0).
*/
readonly dnsMappingTtl: pulumi.Output<number>;
/**
* Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
*/
readonly dynamicSortSubtable: pulumi.Output<string | undefined>;
/**
* External FQDN address name. The structure of `extaddr` block is documented below.
*/
readonly extaddrs: pulumi.Output<outputs.firewall.VipExtaddr[] | undefined>;
/**
* Interface connected to the source network that receives the packets that will be forwarded to the destination network.
*
* NOTE(review): the class-level example uses `any`; presumably that matches every interface — confirm, and name the intended external interface where possible.
*/
readonly extintf: pulumi.Output<string>;
/**
* IP address or address range on the external interface that you want to map to an address or address range on the destination network.
*/
readonly extip: pulumi.Output<string>;
/**
* Incoming port number range that you want to map to a port number range on the destination network.
*/
readonly extport: pulumi.Output<string>;
/**
* Custom defined ID.
*/
readonly fosid: pulumi.Output<number>;
/**
* Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
*/
readonly getAllTables: pulumi.Output<string | undefined>;
/**
* Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable.
*/
readonly gratuitousArpInterval: pulumi.Output<number>;
/**
* Domain to use when integrating with FortiGSLB.
*/
readonly gslbDomainName: pulumi.Output<string>;
/**
* Hostname to use within the configured FortiGSLB domain.
*/
readonly gslbHostname: pulumi.Output<string>;
/**
* Publicly accessible IP addresses for the FortiGSLB service. The structure of `gslbPublicIps` block is documented below.
*/
readonly gslbPublicIps: pulumi.Output<outputs.firewall.VipGslbPublicIp[] | undefined>;
/**
* Enable/disable HTTP2 support (default = enable). Valid values: `enable`, `disable`.
*/
readonly h2Support: pulumi.Output<string>;
/**
* Enable/disable HTTP3/QUIC support (default = disable). Valid values: `enable`, `disable`.
*/
readonly h3Support: pulumi.Output<string>;
/**
* Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit.
*
* NOTE(review): the unit is given as minutes but the default as seconds; confirm the unit against the FortiOS reference before relying on it.
*/
readonly httpCookieAge: pulumi.Output<number>;
/**
* Domain that HTTP cookie persistence should apply to.
*/
readonly httpCookieDomain: pulumi.Output<string>;
/**
* Enable/disable use of HTTP cookie domain from host field in HTTP. Valid values: `disable`, `enable`.
*/
readonly httpCookieDomainFromHost: pulumi.Output<string>;
/**
* Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.
*/
readonly httpCookieGeneration: pulumi.Output<number>;
/**
* Limit HTTP cookie persistence to the specified path.
*/
readonly httpCookiePath: pulumi.Output<string>;
/**
* Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. Valid values: `disable`, `same-ip`.
*/
readonly httpCookieShare: pulumi.Output<string>;
/**
* For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header. Valid values: `enable`, `disable`.
*
* Real servers should trust this header only on connections that arrive from the FortiGate, because a client can send its own copy.
* NOTE(review): whether a client-supplied value is overwritten or appended to is not stated here — confirm.
*/
readonly httpIpHeader: pulumi.Output<string>;
/**
* For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.
*/
readonly httpIpHeaderName: pulumi.Output<string>;
/**
* Enable/disable HTTP multiplexing. Valid values: `enable`, `disable`.
*/
readonly httpMultiplex: pulumi.Output<string>;
/**
* Maximum number of concurrent requests that a multiplex server can handle (default = unlimited).
*/
readonly httpMultiplexMaxConcurrentRequest: pulumi.Output<number>;
/**
* Maximum number of requests that a multiplex server can handle before disconnecting sessions (default = unlimited).
*/
readonly httpMultiplexMaxRequest: pulumi.Output<number>;
/**
* Time-to-live for idle connections to servers.
*/
readonly httpMultiplexTtl: pulumi.Output<number>;
/**
* Enable/disable redirection of HTTP to HTTPS. Valid values: `enable`, `disable`.
*/
readonly httpRedirect: pulumi.Output<string>;
/**
* Maximum supported HTTP version (default = HTTP2). Valid values: `http1`, `http2`.
*/
readonly httpSupportedMaxVersion: pulumi.Output<string>;
/**
* Enable/disable verification that inserted HTTPS cookies are secure. Valid values: `disable`, `enable`.
*
* NOTE(review): presumably this governs the `Secure` attribute of cookies the FortiGate inserts for persistence — confirm.
*/
readonly httpsCookieSecure: pulumi.Output<string>;
/**
* Start-mapped-IPv6-address [-end mapped-IPv6-address].
*/
readonly ipv6Mappedip: pulumi.Output<string>;
/**
* IPv6 port number range on the destination network to which the external port number range is mapped.
*/
readonly ipv6Mappedport: pulumi.Output<string>;
/**
* Method used to distribute sessions to real servers. Valid values: `static`, `round-robin`, `weighted`, `least-session`, `least-rtt`, `first-alive`, `http-host`.
*/
readonly ldbMethod: pulumi.Output<string>;
/**
* Mapped FQDN address name.
*/
readonly mappedAddr: pulumi.Output<string>;
/**
* IP address or address range on the destination network to which the external IP address is mapped. The structure of `mappedip` block is documented below.
*/
readonly mappedips: pulumi.Output<outputs.firewall.VipMappedip[] | undefined>;
/**
* Port number range on the destination network to which the external port number range is mapped.
*/
readonly mappedport: pulumi.Output<string>;
/**
* Maximum number of incomplete connections.
*/
readonly maxEmbryonicConnections: pulumi.Output<number>;
/**
* Name of the health check monitor to use when polling to determine a virtual server's connectivity status. The structure of `monitor` block is documented below.
*/
readonly monitors: pulumi.Output<outputs.firewall.VipMonitor[] | undefined>;
/**
* Virtual IP name.
*/
readonly name: pulumi.Output<string>;
/**
* Enable/disable NAT44. Valid values: `disable`, `enable`.
*/
readonly nat44: pulumi.Output<string>;
/**
* Enable/disable NAT46. Valid values: `disable`, `enable`.
*/
readonly nat46: pulumi.Output<string>;
/**
* Enable/disable forcing the source NAT mapped IP to the external IP for all traffic. Valid values: `disable`, `enable`.
*/
readonly natSourceVip: pulumi.Output<string>;
/**
* Enable/disable one click GSLB server integration with FortiGSLB. Valid values: `disable`, `enable`.
*/
readonly oneClickGslbServer: pulumi.Output<string>;
/**
* Enable to add the Front-End-Https header for Microsoft Outlook Web Access. Valid values: `disable`, `enable`.
*/
readonly outlookWebAccess: pulumi.Output<string>;
/**
* Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. Valid values: `none`, `http-cookie`, `ssl-session-id`.
*/
readonly persistence: pulumi.Output<string>;
/**
* Enable/disable port forwarding. Valid values: `disable`, `enable`.
*/
readonly portforward: pulumi.Output<string>;
/**
* Port mapping type. Valid values: `1-to-1`, `m-to-n`.
*/
readonly portmappingType: pulumi.Output<string>;
/**
* Protocol to use when forwarding packets. Valid values: `tcp`, `udp`, `sctp`, `icmp`.
*/
readonly protocol: pulumi.Output<string>;
/**
* QUIC setting. The structure of `quic` block is documented below.
*/
readonly quic: pulumi.Output<outputs.firewall.VipQuic>;
/**
* Select the real servers that this server load balancing VIP will distribute traffic to. The structure of `realservers` block is documented below.
*/
readonly realservers: pulumi.Output<outputs.firewall.VipRealserver[] | undefined>;
/**
* Protocol to be load balanced by the virtual server (also called the server load balance virtual IP). Valid values: `http`, `https`, `imaps`, `pop3s`, `smtps`, `ssl`, `tcp`, `udp`, `ip`.
*/
readonly serverType: pulumi.Output<string>;
/**
* Service name. The structure of `service` block is documented below.
*/
readonly services: pulumi.Output<outputs.firewall.VipService[] | undefined>;
/**
* Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces. The structure of `srcFilter` block is documented below.
*/
readonly srcFilters: pulumi.Output<outputs.firewall.VipSrcFilter[] | undefined>;
/**
* Enable/disable use of 'src-filter' to match destinations for the reverse SNAT rule. Valid values: `disable`, `enable`.
*/
readonly srcVipFilter: pulumi.Output<string>;
/**
* Interfaces to which the VIP applies. Separate the names with spaces. The structure of `srcintfFilter` block is documented below.
*/
readonly srcintfFilters: pulumi.Output<outputs.firewall.VipSrcintfFilter[] | undefined>;
/**
* Enable/disable FFDHE cipher suite for SSL key exchange. Valid values: `enable`, `disable`.
*/
readonly sslAcceptFfdheGroups: pulumi.Output<string>;
/**
* Permitted encryption algorithms for SSL sessions according to encryption strength. Valid values: `high`, `medium`, `low`, `custom`.
*
* NOTE(review): the cipher suites behind each strength level are not listed here; check the FortiOS reference for the target firmware. `medium` and `low` presumably admit weaker suites.
*/
readonly sslAlgorithm: pulumi.Output<string>;
/**
* The name of the SSL certificate to use for SSL acceleration.
*/
readonly sslCertificate: pulumi.Output<string>;
/**
* SSL/TLS cipher suites acceptable from a client, ordered by priority. The structure of `sslCipherSuites` block is documented below.
*/
readonly sslCipherSuites: pulumi.Output<outputs.firewall.VipSslCipherSuite[] | undefined>;
/**
* Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). Valid values: `disable`, `enable`.
*/
readonly sslClientFallback: pulumi.Output<string>;
/**
* Maximum length of data in MB before triggering a client rekey (0 = disable).
*/
readonly sslClientRekeyCount: pulumi.Output<number>;
/**
* Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. Valid values: `allow`, `deny`, `secure`.
*/
readonly sslClientRenegotiation: pulumi.Output<string>;
/**
* Maximum number of client to FortiGate SSL session states to keep.
*/
readonly sslClientSessionStateMax: pulumi.Output<number>;
/**
* Number of minutes to keep client to FortiGate SSL session state.
*/
readonly sslClientSessionStateTimeout: pulumi.Output<number>;
/**
* How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. Valid values: `disable`, `time`, `count`, `both`.
*/
readonly sslClientSessionStateType: pulumi.Output<string>;
/**
* Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. Valid values: `768`, `1024`, `1536`, `2048`, `3072`, `4096`.
*
* Groups of 1024 bits and below are considered weak (see the 2015 Logjam research); prefer `2048` or larger unless legacy clients require otherwise.
*/
readonly sslDhBits: pulumi.Output<string>;
/**
* Enable/disable including HPKP header in response. Valid values: `disable`, `enable`, `report-only`.
*
* HTTP Public Key Pinning (RFC 7469) has been dropped by current major browsers, so this header mainly affects legacy clients.
*/
readonly sslHpkp: pulumi.Output<string>;
/**
* Number of seconds the client should honour the HPKP setting.
*/
readonly sslHpkpAge: pulumi.Output<number>;
/**
* Certificate to generate backup HPKP pin from.
*/
readonly sslHpkpBackup: pulumi.Output<string>;
/**
* Indicate that HPKP header applies to all subdomains. Valid values: `disable`, `enable`.
*/
readonly sslHpkpIncludeSubdomains: pulumi.Output<string>;
/**
* Certificate to generate primary HPKP pin from.
*/
readonly sslHpkpPrimary: pulumi.Output<string>;
/**
* URL to report HPKP violations to.
*/
readonly sslHpkpReportUri: pulumi.Output<string | undefined>;
/**
* Enable/disable including HSTS (HTTP Strict Transport Security, RFC 6797) header in response. Valid values: `disable`, `enable`.
*/
readonly sslHsts: pulumi.Output<string>;
/**
* Number of seconds the client should honour the HSTS setting.
*/
readonly sslHstsAge: pulumi.Output<number>;
/**
* Indicate that HSTS header applies to all subdomains. Valid values: `disable`, `enable`.
*/
readonly sslHstsIncludeSubdomains: pulumi.Output<string>;
/**
* Enable to replace HTTP with HTTPS in the reply's Location HTTP header field. Valid values: `enable`, `disable`.
*/
readonly sslHttpLocationConversion: pulumi.Output<string>;
/**
* Enable/disable HTTP host matching for location conversion. Valid values: `enable`, `disable`.
*/
readonly sslHttpMatchHost: pulumi.Output<string>;
/**
* Highest SSL/TLS version acceptable from a client.
*
* NOTE(review): accepted values are not listed here; the class-level example uses `tls-1.2`. Confirm the values the target FortiOS version supports.
*/
readonly sslMaxVersion: pulumi.Output<string>;
/**
* Lowest SSL/TLS version acceptable from a client.
*
* NOTE(review): accepted values are not listed here; the class-level example uses `tls-1.1`. TLS 1.0 and 1.1 are deprecated by RFC 8996, so set the floor to TLS 1.2 or later where clients allow.
*/
readonly sslMinVersion: pulumi.Output<string>;
/**
* Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). Valid values: `half`, `full`.
*
* NOTE(review): with `half`, the FortiGate-to-server segment is presumably not protected by SSL — confirm, and make sure that segment is trusted.
*/
readonly sslMode: pulumi.Output<string>;
/**
* Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. Valid values: `require`, `deny`, `allow`.
*/
readonly sslPfs: pulumi.Output<string>;
/**
* Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems. Valid values: `enable`, `disable`.
*/
readonly sslSendEmptyFrags: pulumi.Output<string>;
/**
* Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. Valid values: `high`, `medium`, `low`, `custom`, `client`.
*/
readonly sslServerAlgorithm: pulumi.Output<string>;
/**
* SSL/TLS cipher suites to offer to a server, ordered by priority. The structure of `sslServerCipherSuites` block is documented below.
*/
readonly sslServerCipherSuites: pulumi.Output<outputs.firewall.VipSslServerCipherSuite[] | undefined>;
/**
* Highest SSL/TLS version acceptable from a server. Use the client setting by default.
*/
readonly sslServerMaxVersion: pulumi.Output<string>;
/**
* Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
*
* Because the client setting is used by default, a permissive `sslMinVersion` also lowers the floor on the server side unless this is set explicitly.
*/
readonly sslServerMinVersion: pulumi.Output<string>;
/**
* Enable/disable secure renegotiation to comply with RFC 5746. Valid values: `enable`, `disable`.
*/
readonly sslServerRenegotiation: pulumi.Output<string>;
/**
* Maximum number of FortiGate to Server SSL session states to keep.
*/
readonly sslServerSessionStateMax: pulumi.Output<number>;
/**
* Number of minutes to keep FortiGate to Server SSL session state.
*/
readonly sslServerSessionStateTimeout: pulumi.Output<number>;
/**
* How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. Valid values: `disable`, `time`, `count`, `both`.
*/
readonly sslServerSessionStateType: pulumi.Output<string>;
/**
* Enable/disable VIP. Valid values: `disable`, `enable`.
*/
readonly status: pulumi.Output<string>;
/**
* Configure a static NAT, load balance, server load balance, DNS translation, or FQDN VIP.
*/
readonly type: pulumi.Output<string>;
/**
* Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
*/
readonly uuid: pulumi.Output<string>;
/**
* Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
*/
readonly vdomparam: pulumi.Output<string>;
/**
* Enable to add an HTTP header to indicate SSL offloading for a WebLogic server. Valid values: `disable`, `enable`.
*/
readonly weblogicServer: pulumi.Output<string>;
/**
* Enable to add an HTTP header to indicate SSL offloading for a WebSphere server. Valid values: `disable`, `enable`.
*/
readonly websphereServer: pulumi.Output<string>;
/**
* Create a Vip resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args?: VipArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering Vip resources.
*/
export interface VipState {
/**
* Enable/disable adding NAT46 route. Valid values: `disable`, `enable`.
*/
addNat46Route?: pulumi.Input<string>;
/**
* Enable to respond to ARP requests for this virtual IP address. Enabled by default. Valid values: `disable`, `enable`.
*/
arpReply?: pulumi.Input<string>;
/**
* Color of icon on the GUI.
*/
color?: pulumi.Input<number>;
/**
* Comment.
*/
comment?: pulumi.Input<string>;
/**
* DNS mapping TTL (Set to zero to use TTL in DNS response, default = 0).
*/
dnsMappingTtl?: pulumi.Input<number>;
/**
* Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
*/
dynamicSortSubtable?: pulumi.Input<string>;
/**
* External FQDN address name. The structure of `extaddr` block is documented below.
*/
extaddrs?: pulumi.Input<pulumi.Input<inputs.firewall.VipExtaddr>[]>;
/**
* Interface connected to the source network that receives the packets that will be forwarded to the destination network.
*/
extintf?: pulumi.Input<string>;
/**
* IP address or address range on the external interface that you want to map to an address or address range on the destination network.
*/
extip?: pulumi.Input<string>;
/**
* Incoming port number range that you want to map to a port number range on the destination network.
*/
extport?: pulumi.Input<string>;
/**
* Custom defined ID.
*/
fosid?: pulumi.Input<number>;
/**
* Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
*/
getAllTables?: pulumi.Input<string>;
/**
* Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable.
*/
gratuitousArpInterval?: pulumi.Input<number>;
/**
* Domain to use when integrating with FortiGSLB.
*/
gslbDomainName?: pulumi.Input<string>;
/**
* Hostname to use within the configured FortiGSLB domain.
*/
gslbHostname?: pulumi.Input<string>;
/**
* Publicly accessible IP addresses for the FortiGSLB service. The structure of `gslbPublicIps` block is documented below.
*/
gslbPublicIps?: pulumi.Input<pulumi.Input<inputs.firewall.VipGslbPublicIp>[]>;
/**
* Enable/disable HTTP2 support (default = enable). Valid values: `enable`, `disable`.
*/
h2Support?: pulumi.Input<string>;
/**
* Enable/disable HTTP3/QUIC support (default = disable). Valid values: `enable`, `disable`.
*/
h3Support?: pulumi.Input<string>;
/**
* Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit.
*
* NOTE(review): the unit is given as minutes but the default as seconds; confirm the unit against the FortiOS reference before relying on it.
*/
httpCookieAge?: pulumi.Input<number>;
/**
* Domain that HTTP cookie persistence should apply to.
*/
httpCookieDomain?: pulumi.Input<string>;
/**
* Enable/disable use of HTTP cookie domain from host field in HTTP. Valid values: `disable`, `enable`.
*/
httpCookieDomainFromHost?: pulumi.Input<string>;
/**
* Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.
*/
httpCookieGeneration?: pulumi.Input<number>;
/**
* Limit HTTP cookie persistence to the specified path.
*/
httpCookiePath?: pulumi.Input<string>;
/**
* Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. Valid values: `disable`, `same-ip`.
*/
httpCookieShare?: pulumi.Input<string>;
/**
* For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header. Valid values: `enable`, `disable`.
*
* Real servers should trust this header only on connections that arrive from the FortiGate, because a client can send its own copy.
* NOTE(review): whether a client-supplied value is overwritten or appended to is not stated here — confirm.
*/
httpIpHeader?: pulumi.Input<string>;
/**
* For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.
*/
httpIpHeaderName?: pulumi.Input<string>;
/**
* Enable/disable HTTP multiplexing. Valid values: `enable`, `disable`.
*/
httpMultiplex?: pulumi.Input<string>;
/**
* Maximum number of concurrent requests that a multiplex server can handle (default = unlimited).
*/
httpMultiplexMaxConcurrentRequest?: pulumi.Input<number>;
/**
* Maximum number of requests that a multiplex server can handle before disconnecting sessions (default = unlimited).
*/
httpMultiplexMaxRequest?: pulumi.Input<number>;
/**
* Time-to-live for idle connections to servers.
*/
httpMultiplexTtl?: pulumi.Input<number>;
/**
* Enable/disable redirection of HTTP to HTTPS. Valid values: `enable`, `disable`.
*/
httpRedirect?: pulumi.Input<string>;
/**
* Maximum supported HTTP version (default = HTTP2). Valid values: `http1`, `http2`.
*/
httpSupportedMaxVersion?: pulumi.Input<string>;
/**
* Enable/disable verification that inserted HTTPS cookies are secure. Valid values: `disable`, `enable`.
*
* NOTE(review): presumably this governs the `Secure` attribute of cookies the FortiGate inserts for persistence — confirm.
*/
httpsCookieSecure?: pulumi.Input<string>;
/**
* Start-mapped-IPv6-address [-end mapped-IPv6-address].
*/
ipv6Mappedip?: pulumi.Input<string>;
/**
* IPv6 port number range on the destination network to which the external port number range is mapped.
*/
ipv6Mappedport?: pulumi.Input<string>;
/**
* Method used to distribute sessions to real servers. Valid values: `static`, `round-robin`, `weighted`, `least-session`, `least-rtt`, `first-alive`, `http-host`.
*/
ldbMethod?: pulumi.Input<string>;
/**
* Mapped FQDN address name.
*/
mappedAddr?: pulumi.Input<string>;
/**
* IP address or address range on the destination network to which the external IP address is mapped. The structure of `mappedip` block is documented below.
*/
mappedips?: pulumi.Input<pulumi.Input<inputs.firewall.VipMappedip>[]>;
/**
* Port number range on the destination network to which the external port number range is mapped.
*/
mappedport?: pulumi.Input<string>;
/**
* Maximum number of incomplete connections.
*/
maxEmbryonicConnections?: pulumi.Input<number>;
/**
* Name of the health check monitor to use when polling to determine a virtual server's connectivity status. The structure of `monitor` block is documented below.
*/
monitors?: pulumi.Input<pulumi.Input<inputs.firewall.VipMonitor>[]>;
/**
* Virtual IP name.
*/
name?: pulumi.Input<string>;
/**
* Enable/disable NAT44. Valid values: `disable`, `enable`.
*/
nat44?: pulumi.Input<string>;
/**
* Enable/disable NAT46. Valid values: `disable`, `enable`.
*/
nat46?: pulumi.Input<string>;
/**
* Enable/disable forcing the source NAT mapped IP to the external IP for all traffic. Valid values: `disable`, `enable`.
*/
natSourceVip?: pulumi.Input<string>;
/**
* Enable/disable one click GSLB server integration with FortiGSLB. Valid values: `disable`, `enable`.
*/
oneClickGslbServer?: pulumi.Input<string>;
/**
* Enable to add the Front-End-Https header for Microsoft Outlook Web Access. Valid values: `disable`, `enable`.
*/
outlookWebAccess?: pulumi.Input<string>;
/**
* Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. Valid values: `none`, `http-cookie`, `ssl-session-id`.
*/
persistence?: pulumi.Input<string>;
/**
* Enable/disable port forwarding. Valid values: `disable`, `enable`.
*/
portforward?: pulumi.Input<string>;
/**
* Port mapping type. Valid values: `1-to-1`, `m-to-n`.
*/
portmappingType?: pulumi.Input<string>;
/**
* Protocol to use when forwarding packets. Valid values: `tcp`, `udp`, `sctp`, `icmp`.
*/
protocol?: pulumi.Input<string>;
/**
* QUIC setting. The structure of `quic` block is documented below.
*/
quic?: pulumi.Input<inputs.firewall.VipQuic>;
/**
* Select the real servers that this server load balancing VIP will distribute traffic to. The structure of `realservers` block is documented below.
*/
realservers?: pulumi.Input<pulumi.Input<inputs.firewall.VipRealserver>[]>;
/**
* Protocol to be load balanced by the virtual server (also called the server load balance virtual IP). Valid values: `http`, `https`, `imaps`, `pop3s`, `smtps`, `ssl`, `tcp`, `udp`, `ip`.
*/
serverType?: pulumi.Input<string>;
/**
* Service name. The structure of `service` block is documented below.
*/
services?: pulumi.Input<pulumi.Input<inputs.firewall.VipService>[]>;
/**
* Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces. The structure of `srcFilter` block is documented below.
*/
srcFilters?: pulumi.Input<pulumi.Input<inputs.firewall.VipSrcFilter>[]>;
/**
* Enable/disable use of 'src-filter' to match destinations for the reverse SNAT rule. Valid values: `disable`, `enable`.
*/
srcVipFilter?: pulumi.Input<string>;
/**
* Interfaces to which the VIP applies. Separate the names with spaces. The structure of `srcintfFilter` block is documented below.
*/
srcintfFilters?: pulumi.Input<pulumi.Input<inputs.firewall.VipSrcintfFilter>[]>;
/**
* Enable/disable FFDHE cipher suite for SSL key exchange. Valid values: `enable`, `disable`.
*/
sslAcceptFfdheGroups?: pulumi.Input<string>;
/**
* Permitted encryption algorithms for SSL sessions according to encryption strength. Valid values: `high`, `medium`, `low`, `custom`.
*
* NOTE(review): the cipher suites behind each strength level are not listed here; check the FortiOS reference for the target firmware. `medium` and `low` presumably admit weaker suites.
*/
sslAlgorithm?: pulumi.Input<string>;
/**
* The name of the SSL certificate to use for SSL acceleration.
*/
sslCertificate?: pulumi.Input<string>;
/**
* SSL/TLS cipher suites acceptable from a client, ordered by priority. The structure of `sslCipherSuites` block is documented below.
*/
sslCipherSuites?: pulumi.Input<pulumi.Input<inputs.firewall.VipSslCipherSuite>[]>;
/**
* Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). Valid values: `disable`, `enable`.
*/
sslClientFallback?: pulumi.Input<string>;
/**
* Maximum length of data in MB before triggering a client rekey (0 = disable).
*/
sslClientRekeyCount?: pulumi.Input<number>;
/**
* Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. Valid values: `allow`, `deny`, `secure`.
*/
sslClientRenegotiation?: pulumi.Input<string>;
/**
* Maximum number of client to FortiGate SSL session states to keep.
*/
sslClientSessionStateMax?: pulumi.Input<number>;
/**
* Number of minutes to keep client to FortiGate SSL session state.
*/
sslClientSessionStateTimeout?: pulumi.Input<number>;
/**
* How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. Valid values: `disable`, `time`, `count`, `both`.
*/
sslClientSessionStateType?: pulumi.Input<string>;
/**
* Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. Valid values: `768`, `1024`, `1536`, `2048`, `3072`, `4096`.
*
* Groups of 1024 bits and below are considered weak (see the 2015 Logjam research); prefer `2048` or larger unless legacy clients require otherwise.
*/
sslDhBits?: pulumi.Input<string>;
/**
* Enable/disable including HPKP header in response. Valid values: `disable`, `enable`, `report-only`.
*
* HTTP Public Key Pinning (RFC 7469) has been dropped by current major browsers, so this header mainly affects legacy clients.
*/
sslHpkp?: pulumi.Input<string>;
/**
* Number of seconds the client should honour the HPKP setting.
*/
sslHpkpAge?: pulumi.Input<number>;
/**
* Certificate to generate backup HPKP pin from.
*/
sslHpkpBackup?: pulumi.Input<string>;
/**
* Indicate that HPKP header applies to all subdomains. Valid values: `disable`, `enable`.
*/
sslHpkpIncludeSubdomains?: pulumi.Input<string>;
/**
* Certificate to generate primary HPKP pin from.
*/
sslHpkpPrimary?: pulumi.Input<string>;
/**
* URL to report HPKP violations to.
*/
sslHpkpReportUri?: pulumi.Input<string>;
/**
* Enable/disable including HSTS (HTTP Strict Transport Security, RFC 6797) header in response. Valid values: `disable`, `enable`.
*/
sslHsts?: pulumi.Input<string>;
/**
* Number of seconds the client should honour the HSTS setting.
*/
sslHstsAge?: pulumi.Input<number>;
/**
* Indicate that HSTS header applies to all subdomains. Valid values: `disable`, `enable`.
*/
sslHstsIncludeSubdomains?: pulumi.Input<string>;
/**
* Enable to replace HTTP with HTTPS in the reply's Location HTTP header field. Valid values: `enable`, `disable`.
*/
sslHttpLocationConversion?: pulumi.Input<string>;
/**
* Enable/disable HTTP host matching for location conversion. Valid values: `enable`, `disable`.
*/
sslHttpMatchHost?: pulumi.Input<string>;
/**
* Highest SSL/TLS version acceptable from a client.
*
* NOTE(review): accepted values are not listed here; confirm the values the target FortiOS version supports.
*/
sslMaxVersion?: pulumi.Input<string>;
/**
* Lowest SSL/TLS version acceptable from a client.
*
* NOTE(review): accepted values are not listed here. TLS 1.0 and 1.1 are deprecated by RFC 8996, so set the floor to TLS 1.2 or later where clients allow.
*/
sslMinVersion?: pulumi.Input<string>;
/**
* Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). Valid values: `half`, `full`.
*
* NOTE(review): with `half`, the FortiGate-to-server segment is presumably not protected by SSL — confirm, and make sure that segment is trusted.
*/
sslMode?: pulumi.Input<string>;
/**
* Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. Valid values: `require`, `deny`, `allow`.
*/
sslPfs?: pulumi.Input<string>;
/**
* Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems. Valid values: `enable`, `disable`.
*/
sslSendEmptyFrags?: pulumi.Input<string>;
/**
* Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. Valid values: `high`, `medium`, `low`, `custom`, `client`.
*/
sslServerAlgorithm?: pulumi.Input<string>;
/**
* SSL/TLS cipher suites to offer to a server, ordered by priority. The structure of `sslServerCipherSuites` block is documented below.
*/
sslServerCipherSuites?: pulumi.Input<pulumi.Input<inputs.firewall.VipSslServerCipherSuite>[]>;
/**
* Highest SSL/TLS version acceptable from a server. Use the client setting by default.
*/
sslServerMaxVersion?: pulumi.Input<string>;
/**
* Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
*
* Because the client setting is used by default, a permissive `sslMinVersion` also lowers the floor on the server side unless this is set explicitly.
*/
sslServerMinVersion?: pulumi.Input<string>;
/**
* Enable/disable secure renegotiation to comply with RFC 5746. Valid values: `enable`, `disable`.
*/
sslServerRenegotiation?: pulumi.Input<string>;
/**
* Maximum number of FortiGate to Server SSL session states to keep.
*/
sslServerSessionStateMax?: pulumi.Input<number>;
/**
* Number of minutes to keep FortiGate to Server SSL session state.
*/
sslServerSessionStateTimeout?: pulumi.Input<number>;
/**
* How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. Valid values: `disable`, `time`, `count`, `both`.
*/
sslServerSessionStateType?: pulumi.Input<string>;
/**
* Enable/disable VIP. Valid values: `disable`, `enable`.
*/
status?: pulumi.Input<string>;
/**
* Configure a static NAT, load balance, server load balance, DNS translation, or FQDN VIP.
*/
type?: pulumi.Input<string>;
/**
* Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
*/
uuid?: pulumi.Input<string>;
/**
* Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
*/
vdomparam?: pulumi.Input<string>;
/**
* Enable to add an HTTP header to indicate SSL offloading for a WebLogic server. Valid values: `disable`, `enable`.
*/
weblogicServer?: pulumi.Input<string>;
/**
* Enable to add an HTTP header to indicate SSL offloading for a WebSphere server. Valid values: `disable`, `enable`.
*/
websphereServer?: pulumi.Input<string>;
}
/**
* The set of arguments for constructing a Vip resource.
*/
export interface VipArgs {
/**
* Enable/disable adding NAT46 route. Valid values: `disable`, `enable`.
*/
addNat46Route?: pulumi.Input<string>;
/**
* Enable to respond to ARP requests for this virtual IP address. Enabled by default. Valid values: `disable`, `enable`.
*/
arpReply?: pulumi.Input<string>;
/**
* Color of icon on the GUI.
*/
color?: pulumi.Input<number>;
/**
* Comment.
*/
comment?: pulumi.Input<string>;
/**
* DNS mapping TTL (Set to zero to use TTL in DNS response, default = 0).
*/
dnsMappingTtl?: pulumi.Input<number>;
/**
* Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
*/
dynamicSortSubtable?: pulumi.Input<string>;
/**
* External FQDN address name. The structure of `extaddr` block is documented below.
*/
extaddrs?: pulumi.Input<pulumi.Input<inputs.firewall.VipExtaddr>[]>;
/**
* Interface connected to the source network that receives the packets that will be forwarded to the destination network.
*/
extintf?: pulumi.Input<string>;
/**
* IP address or address range on the external interface that you want to map to an address or address range on the destination network.
*/
extip?: pulumi.Input<string>;
/**
* Incoming port number range that you want to map to a port number range on the destination network.
*/
extport?: pulumi.Input<string>;
/**
* Custom defined ID.
*/
fosid?: pulumi.Input<number>;
/**
* Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
*/
getAllTables?: pulumi.Input<string>;
/**
* Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable.
*/
gratuitousArpInterval?: pulumi.Input<number>;
/**
* Domain to use when integrating with FortiGSLB.
*/
gslbDomainName?: pulumi.Input<string>;
/**
* Hostname to use within the configured FortiGSLB domain.
*/
gslbHostname?: pulumi.Input<string>;
/**
* Publicly accessible IP addresses for the FortiGSLB service. The structure of `gslbPublicIps` block is documented below.
*/
gslbPublicIps?: pulumi.Input<pulumi.Input<inputs.firewall.VipGslbPublicIp>[]>;
/**
* Enable/disable HTTP2 support (default = enable). Valid values: `enable`, `disable`.
*/
h2Support?: pulumi.Input<string>;
/**
* Enable/disable HTTP3/QUIC support (default = disable). Valid values: `enable`, `disable`.
*/
h3Support?: pulumi.Input<string>;
/**
* Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.
*/
httpCookieAge?: pulumi.Input<number>;
/**
* Domain that HTTP cookie persistence should apply to.
*/
httpCookieDomain?: pulumi.Input<string>;
/**
* Enable/disable use of HTTP cookie domain from host field in HTTP. Valid values: `disable`, `enable`.
*/
httpCookieDomainFromHost?: pulumi.Input<string>;
/**
* Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.
*/
httpCookieGeneration?: pulumi.Input<number>;
/**
* Limit HTTP cookie persistence to the specified path.
*/
httpCookiePath?: pulumi.Input<string>;
/**
* Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. Valid values: `disable`, `same-ip`.
*/
httpCookieShare?: pulumi.Input<string>;
/**
* For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header. Valid values: `enable`, `disable`.
*
* Real servers should rely on this header for logging or access decisions only for requests
* that reached them through the FortiGate; on any other path the header value is supplied by
* the client.
*/
httpIpHeader?: pulumi.Input<string>;
/**
* For HTTP multiplexing, enter a custom HTTP header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.
*/
httpIpHeaderName?: pulumi.Input<string>;
/**
* Enable/disable HTTP multiplexing. Valid values: `enable`, `disable`.
*/
httpMultiplex?: pulumi.Input<string>;
/**
* Maximum number of concurrent requests that a multiplex server can handle (default = unlimited).
*/
httpMultiplexMaxConcurrentRequest?: pulumi.Input<number>;
/**
* Maximum number of requests that a multiplex server can handle before disconnecting sessions (default = unlimited).
*/
httpMultiplexMaxRequest?: pulumi.Input<number>;
/**
* Time-to-live for idle connections to servers.
*/
httpMultiplexTtl?: pulumi.Input<number>;
/**
* Enable/disable redirection of HTTP to HTTPS. Valid values: `enable`, `disable`.
*/
httpRedirect?: pulumi.Input<string>;
/**
* Maximum supported HTTP version (default = HTTP2). Valid values: `http1`, `http2`.
*/
httpSupportedMaxVersion?: pulumi.Input<string>;
/**
* Enable/disable verification that inserted HTTPS cookies are secure. Valid values: `disable`, `enable`.
*/
httpsCookieSecure?: pulumi.Input<string>;
/**
* Start-mapped-IPv6-address [-end mapped-IPv6-address].
*/
ipv6Mappedip?: pulumi.Input<string>;
/**
* IPv6 port number range on the destination network to which the external port number range is mapped.
*/
ipv6Mappedport?: pulumi.Input<string>;
/**
* Method used to distribute sessions to real servers. Valid values: `static`, `round-robin`, `weighted`, `least-session`, `least-rtt`, `first-alive`, `http-host`.
*/
ldbMethod?: pulumi.Input<string>;
/**
* Mapped FQDN address name.
*/
mappedAddr?: pulumi.Input<string>;
/**
* IP address or address range on the destination network to which the external IP address is mapped. The structure of `mappedip` block is documented below.
*/
mappedips?: pulumi.Input<pulumi.Input<inputs.firewall.VipMappedip>[]>;
/**
* Port number range on the destination network to which the external port number range is mapped.
*/
mappedport?: pulumi.Input<string>;
/**
* Maximum number of incomplete connections.
*
* Incomplete (embryonic, half-open) connections are those whose handshake has not finished;
* this limit bounds how much connection state a flood of unfinished handshakes can hold.
*/
maxEmbryonicConnections?: pulumi.Input<number>;
/**
* Name of the health check monitor to use when polling to determine a virtual server's connectivity status. The structure of `monitor` block is documented below.
*/
monitors?: pulumi.Input<pulumi.Input<inputs.firewall.VipMonitor>[]>;
/**
* Virtual IP name.
*/
name?: pulumi.Input<string>;
/**
* Enable/disable NAT44. Valid values: `disable`, `enable`.
*/
nat44?: pulumi.Input<string>;
/**
* Enable/disable NAT46. Valid values: `disable`, `enable`.
*/
nat46?: pulumi.Input<string>;
/**
* Enable/disable forcing the source NAT mapped IP to the external IP for all traffic. Valid values: `disable`, `enable`.
*/
natSourceVip?: pulumi.Input<string>;
/**
* Enable/disable one click GSLB server integration with FortiGSLB. Valid values: `disable`, `enable`.
*/
oneClickGslbServer?: pulumi.Input<string>;
/**
* Enable to add the Front-End-Https header for Microsoft Outlook Web Access. Valid values: `disable`, `enable`.
*/
outlookWebAccess?: pulumi.Input<string>;
/**
* Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. Valid values: `none`, `http-cookie`, `ssl-session-id`.
*/
persistence?: pulumi.Input<string>;
/**
* Enable/disable port forwarding. Valid values: `disable`, `enable`.
*/
portforward?: pulumi.Input<string>;
/**
* Port mapping type. Valid values: `1-to-1`, `m-to-n`.
*/
portmappingType?: pulumi.Input<string>;
/**
* Protocol to use when forwarding packets. Valid values: `tcp`, `udp`, `sctp`, `icmp`.
*/
protocol?: pulumi.Input<string>;
/**
* QUIC setting. The structure of `quic` block is documented below.
*/
quic?: pulumi.Input<inputs.firewall.VipQuic>;
/**
* Select the real servers that this server load balancing VIP will distribute traffic to. The structure of `realservers` block is documented below.
*/
realservers?: pulumi.Input<pulumi.Input<inputs.firewall.VipRealserver>[]>;
/**
* Protocol to be load balanced by the virtual server (also called the server load balance virtual IP). Valid values: `http`, `https`, `imaps`, `pop3s`, `smtps`, `ssl`, `tcp`, `udp`, `ip`.
*/
serverType?: pulumi.Input<string>;
/**
* Service name. The structure of `service` block is documented below.
*/
services?: pulumi.Input<pulumi.Input<inputs.firewall.VipService>[]>;
/**
* Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces. The structure of `srcFilter` block is documented below.
*/
srcFilters?: pulumi.Input<pulumi.Input<inputs.firewall.VipSrcFilter>[]>;
/**
* Enable/disable use of 'src-filter' to match destinations for the reverse SNAT rule. Valid values: `disable`, `enable`.
*/
srcVipFilter?: pulumi.Input<string>;
/**
* Interfaces to which the VIP applies. Separate the names with spaces. The structure of `srcintfFilter` block is documented below.
*/
srcintfFilters?: pulumi.Input<pulumi.Input<inputs.firewall.VipSrcintfFilter>[]>;
/**
* Enable/disable FFDHE cipher suite for SSL key exchange. Valid values: `enable`, `disable`.
*/
sslAcceptFfdheGroups?: pulumi.Input<string>;
/**
* Permitted encryption algorithms for SSL sessions according to encryption strength. Valid values: `high`, `medium`, `low`, `custom`.
*
* `medium` and `low` additionally admit legacy ciphers (the FortiOS reference lists 3DES and
* RC4 for `medium`, plus DES for `low`). Use `high`, or `custom` together with a reviewed
* `sslCipherSuites` list, unless a legacy client requires otherwise.
*/
sslAlgorithm?: pulumi.Input<string>;
/**
* The name of the SSL certificate to use for SSL acceleration.
*/
sslCertificate?: pulumi.Input<string>;
/**
* SSL/TLS cipher suites acceptable from a client, ordered by priority. The structure of `sslCipherSuites` block is documented below.
*/
sslCipherSuites?: pulumi.Input<pulumi.Input<inputs.firewall.VipSslCipherSuite>[]>;
/**
* Enable/disable support for preventing downgrade attacks on client connections (RFC 7507). Valid values: `disable`, `enable`.
*
* RFC 7507 defines the TLS_FALLBACK_SCSV signalling value: a client that retries a handshake
* at a lower protocol version marks the retry, and a server that supports a higher version
* refuses it. Keeping this enabled stops an on-path party from forcing clients onto an older
* protocol version.
*/
sslClientFallback?: pulumi.Input<string>;
/**
* Maximum length of data in MB before triggering a client rekey (0 = disable).
*/