1. Packages
  2. Fortios
  3. API Docs
  4. vpn
  5. vpn/ipsec
  6. Phase1interface
Fortios v0.0.6 published on Tuesday, Jul 9, 2024 by pulumiverse

fortios.vpn/ipsec.Phase1interface

Explore with Pulumi AI

fortios logo
Fortios v0.0.6 published on Tuesday, Jul 9, 2024 by pulumiverse

    Configure VPN remote gateway.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as fortios from "@pulumiverse/fortios";
    
    const trname2 = new fortios.vpn.ipsec.Phase1interface("trname2", {
        acctVerify: "disable",
        addGwRoute: "disable",
        addRoute: "enable",
        assignIp: "enable",
        assignIpFrom: "range",
        authmethod: "psk",
        autoDiscoveryForwarder: "disable",
        autoDiscoveryPsk: "disable",
        autoDiscoveryReceiver: "disable",
        autoDiscoverySender: "disable",
        autoNegotiate: "enable",
        certIdValidation: "enable",
        childlessIke: "disable",
        clientAutoNegotiate: "disable",
        clientKeepAlive: "disable",
        defaultGw: "0.0.0.0",
        defaultGwPriority: 0,
        dhgrp: "14 5",
        digitalSignatureAuth: "disable",
        distance: 15,
        dnsMode: "manual",
        dpd: "on-demand",
        dpdRetrycount: 3,
        dpdRetryinterval: "20",
        eap: "disable",
        eapIdentity: "use-id-payload",
        encapLocalGw4: "0.0.0.0",
        encapLocalGw6: "::",
        encapRemoteGw4: "0.0.0.0",
        encapRemoteGw6: "::",
        encapsulation: "none",
        encapsulationAddress: "ike",
        enforceUniqueId: "disable",
        exchangeInterfaceIp: "disable",
        exchangeIpAddr4: "0.0.0.0",
        exchangeIpAddr6: "::",
        forticlientEnforcement: "disable",
        fragmentation: "enable",
        fragmentationMtu: 1200,
        groupAuthentication: "disable",
        haSyncEspSeqno: "enable",
        idleTimeout: "disable",
        idleTimeoutinterval: 15,
        ikeVersion: "1",
        includeLocalLan: "disable",
        "interface": "port3",
        ipVersion: "4",
        ipv4DnsServer1: "0.0.0.0",
        ipv4DnsServer2: "0.0.0.0",
        ipv4DnsServer3: "0.0.0.0",
        ipv4EndIp: "0.0.0.0",
        ipv4Netmask: "255.255.255.255",
        ipv4StartIp: "0.0.0.0",
        ipv4WinsServer1: "0.0.0.0",
        ipv4WinsServer2: "0.0.0.0",
        ipv6DnsServer1: "::",
        ipv6DnsServer2: "::",
        ipv6DnsServer3: "::",
        ipv6EndIp: "::",
        ipv6Prefix: 128,
        ipv6StartIp: "::",
        keepalive: 10,
        keylife: 86400,
        localGw: "0.0.0.0",
        localGw6: "::",
        localidType: "auto",
        meshSelectorType: "disable",
        mode: "main",
        modeCfg: "disable",
        monitorHoldDownDelay: 0,
        monitorHoldDownTime: "00:00",
        monitorHoldDownType: "immediate",
        monitorHoldDownWeekday: "sunday",
        nattraversal: "enable",
        negotiateTimeout: 30,
        netDevice: "disable",
        passiveMode: "disable",
        peertype: "any",
        ppk: "disable",
        priority: 0,
        proposal: "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
        psksecret: "eweeeeeeeecee",
        reauth: "disable",
        rekey: "enable",
        remoteGw: "102.2.2.12",
        remoteGw6: "::",
        rsaSignatureFormat: "pkcs1",
        savePassword: "disable",
        sendCertChain: "enable",
        signatureHashAlg: "sha2-512 sha2-384 sha2-256 sha1",
        suiteB: "disable",
        tunnelSearch: "selectors",
        type: "static",
        unitySupport: "enable",
        wizardType: "custom",
        xauthtype: "disable",
    });
    
    import pulumi
    import pulumiverse_fortios as fortios
    
    trname2 = fortios.vpn.ipsec.Phase1interface("trname2",
        acct_verify="disable",
        add_gw_route="disable",
        add_route="enable",
        assign_ip="enable",
        assign_ip_from="range",
        authmethod="psk",
        auto_discovery_forwarder="disable",
        auto_discovery_psk="disable",
        auto_discovery_receiver="disable",
        auto_discovery_sender="disable",
        auto_negotiate="enable",
        cert_id_validation="enable",
        childless_ike="disable",
        client_auto_negotiate="disable",
        client_keep_alive="disable",
        default_gw="0.0.0.0",
        default_gw_priority=0,
        dhgrp="14 5",
        digital_signature_auth="disable",
        distance=15,
        dns_mode="manual",
        dpd="on-demand",
        dpd_retrycount=3,
        dpd_retryinterval="20",
        eap="disable",
        eap_identity="use-id-payload",
        encap_local_gw4="0.0.0.0",
        encap_local_gw6="::",
        encap_remote_gw4="0.0.0.0",
        encap_remote_gw6="::",
        encapsulation="none",
        encapsulation_address="ike",
        enforce_unique_id="disable",
        exchange_interface_ip="disable",
        exchange_ip_addr4="0.0.0.0",
        exchange_ip_addr6="::",
        forticlient_enforcement="disable",
        fragmentation="enable",
        fragmentation_mtu=1200,
        group_authentication="disable",
        ha_sync_esp_seqno="enable",
        idle_timeout="disable",
        idle_timeoutinterval=15,
        ike_version="1",
        include_local_lan="disable",
        interface="port3",
        ip_version="4",
        ipv4_dns_server1="0.0.0.0",
        ipv4_dns_server2="0.0.0.0",
        ipv4_dns_server3="0.0.0.0",
        ipv4_end_ip="0.0.0.0",
        ipv4_netmask="255.255.255.255",
        ipv4_start_ip="0.0.0.0",
        ipv4_wins_server1="0.0.0.0",
        ipv4_wins_server2="0.0.0.0",
        ipv6_dns_server1="::",
        ipv6_dns_server2="::",
        ipv6_dns_server3="::",
        ipv6_end_ip="::",
        ipv6_prefix=128,
        ipv6_start_ip="::",
        keepalive=10,
        keylife=86400,
        local_gw="0.0.0.0",
        local_gw6="::",
        localid_type="auto",
        mesh_selector_type="disable",
        mode="main",
        mode_cfg="disable",
        monitor_hold_down_delay=0,
        monitor_hold_down_time="00:00",
        monitor_hold_down_type="immediate",
        monitor_hold_down_weekday="sunday",
        nattraversal="enable",
        negotiate_timeout=30,
        net_device="disable",
        passive_mode="disable",
        peertype="any",
        ppk="disable",
        priority=0,
        proposal="aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
        psksecret="eweeeeeeeecee",
        reauth="disable",
        rekey="enable",
        remote_gw="102.2.2.12",
        remote_gw6="::",
        rsa_signature_format="pkcs1",
        save_password="disable",
        send_cert_chain="enable",
        signature_hash_alg="sha2-512 sha2-384 sha2-256 sha1",
        suite_b="disable",
        tunnel_search="selectors",
        type="static",
        unity_support="enable",
        wizard_type="custom",
        xauthtype="disable")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumiverse/pulumi-fortios/sdk/go/fortios/vpn"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := vpn.NewPhase1interface(ctx, "trname2", &vpn.Phase1interfaceArgs{
    			AcctVerify:             pulumi.String("disable"),
    			AddGwRoute:             pulumi.String("disable"),
    			AddRoute:               pulumi.String("enable"),
    			AssignIp:               pulumi.String("enable"),
    			AssignIpFrom:           pulumi.String("range"),
    			Authmethod:             pulumi.String("psk"),
    			AutoDiscoveryForwarder: pulumi.String("disable"),
    			AutoDiscoveryPsk:       pulumi.String("disable"),
    			AutoDiscoveryReceiver:  pulumi.String("disable"),
    			AutoDiscoverySender:    pulumi.String("disable"),
    			AutoNegotiate:          pulumi.String("enable"),
    			CertIdValidation:       pulumi.String("enable"),
    			ChildlessIke:           pulumi.String("disable"),
    			ClientAutoNegotiate:    pulumi.String("disable"),
    			ClientKeepAlive:        pulumi.String("disable"),
    			DefaultGw:              pulumi.String("0.0.0.0"),
    			DefaultGwPriority:      pulumi.Int(0),
    			Dhgrp:                  pulumi.String("14 5"),
    			DigitalSignatureAuth:   pulumi.String("disable"),
    			Distance:               pulumi.Int(15),
    			DnsMode:                pulumi.String("manual"),
    			Dpd:                    pulumi.String("on-demand"),
    			DpdRetrycount:          pulumi.Int(3),
    			DpdRetryinterval:       pulumi.String("20"),
    			Eap:                    pulumi.String("disable"),
    			EapIdentity:            pulumi.String("use-id-payload"),
    			EncapLocalGw4:          pulumi.String("0.0.0.0"),
    			EncapLocalGw6:          pulumi.String("::"),
    			EncapRemoteGw4:         pulumi.String("0.0.0.0"),
    			EncapRemoteGw6:         pulumi.String("::"),
    			Encapsulation:          pulumi.String("none"),
    			EncapsulationAddress:   pulumi.String("ike"),
    			EnforceUniqueId:        pulumi.String("disable"),
    			ExchangeInterfaceIp:    pulumi.String("disable"),
    			ExchangeIpAddr4:        pulumi.String("0.0.0.0"),
    			ExchangeIpAddr6:        pulumi.String("::"),
    			ForticlientEnforcement: pulumi.String("disable"),
    			Fragmentation:          pulumi.String("enable"),
    			FragmentationMtu:       pulumi.Int(1200),
    			GroupAuthentication:    pulumi.String("disable"),
    			HaSyncEspSeqno:         pulumi.String("enable"),
    			IdleTimeout:            pulumi.String("disable"),
    			IdleTimeoutinterval:    pulumi.Int(15),
    			IkeVersion:             pulumi.String("1"),
    			IncludeLocalLan:        pulumi.String("disable"),
    			Interface:              pulumi.String("port3"),
    			IpVersion:              pulumi.String("4"),
    			Ipv4DnsServer1:         pulumi.String("0.0.0.0"),
    			Ipv4DnsServer2:         pulumi.String("0.0.0.0"),
    			Ipv4DnsServer3:         pulumi.String("0.0.0.0"),
    			Ipv4EndIp:              pulumi.String("0.0.0.0"),
    			Ipv4Netmask:            pulumi.String("255.255.255.255"),
    			Ipv4StartIp:            pulumi.String("0.0.0.0"),
    			Ipv4WinsServer1:        pulumi.String("0.0.0.0"),
    			Ipv4WinsServer2:        pulumi.String("0.0.0.0"),
    			Ipv6DnsServer1:         pulumi.String("::"),
    			Ipv6DnsServer2:         pulumi.String("::"),
    			Ipv6DnsServer3:         pulumi.String("::"),
    			Ipv6EndIp:              pulumi.String("::"),
    			Ipv6Prefix:             pulumi.Int(128),
    			Ipv6StartIp:            pulumi.String("::"),
    			Keepalive:              pulumi.Int(10),
    			Keylife:                pulumi.Int(86400),
    			LocalGw:                pulumi.String("0.0.0.0"),
    			LocalGw6:               pulumi.String("::"),
    			LocalidType:            pulumi.String("auto"),
    			MeshSelectorType:       pulumi.String("disable"),
    			Mode:                   pulumi.String("main"),
    			ModeCfg:                pulumi.String("disable"),
    			MonitorHoldDownDelay:   pulumi.Int(0),
    			MonitorHoldDownTime:    pulumi.String("00:00"),
    			MonitorHoldDownType:    pulumi.String("immediate"),
    			MonitorHoldDownWeekday: pulumi.String("sunday"),
    			Nattraversal:           pulumi.String("enable"),
    			NegotiateTimeout:       pulumi.Int(30),
    			NetDevice:              pulumi.String("disable"),
    			PassiveMode:            pulumi.String("disable"),
    			Peertype:               pulumi.String("any"),
    			Ppk:                    pulumi.String("disable"),
    			Priority:               pulumi.Int(0),
    			Proposal:               pulumi.String("aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"),
    			Psksecret:              pulumi.String("eweeeeeeeecee"),
    			Reauth:                 pulumi.String("disable"),
    			Rekey:                  pulumi.String("enable"),
    			RemoteGw:               pulumi.String("102.2.2.12"),
    			RemoteGw6:              pulumi.String("::"),
    			RsaSignatureFormat:     pulumi.String("pkcs1"),
    			SavePassword:           pulumi.String("disable"),
    			SendCertChain:          pulumi.String("enable"),
    			SignatureHashAlg:       pulumi.String("sha2-512 sha2-384 sha2-256 sha1"),
    			SuiteB:                 pulumi.String("disable"),
    			TunnelSearch:           pulumi.String("selectors"),
    			Type:                   pulumi.String("static"),
    			UnitySupport:           pulumi.String("enable"),
    			WizardType:             pulumi.String("custom"),
    			Xauthtype:              pulumi.String("disable"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Fortios = Pulumiverse.Fortios;
    
    return await Deployment.RunAsync(() => 
    {
        var trname2 = new Fortios.Vpn.Ipsec.Phase1interface("trname2", new()
        {
            AcctVerify = "disable",
            AddGwRoute = "disable",
            AddRoute = "enable",
            AssignIp = "enable",
            AssignIpFrom = "range",
            Authmethod = "psk",
            AutoDiscoveryForwarder = "disable",
            AutoDiscoveryPsk = "disable",
            AutoDiscoveryReceiver = "disable",
            AutoDiscoverySender = "disable",
            AutoNegotiate = "enable",
            CertIdValidation = "enable",
            ChildlessIke = "disable",
            ClientAutoNegotiate = "disable",
            ClientKeepAlive = "disable",
            DefaultGw = "0.0.0.0",
            DefaultGwPriority = 0,
            Dhgrp = "14 5",
            DigitalSignatureAuth = "disable",
            Distance = 15,
            DnsMode = "manual",
            Dpd = "on-demand",
            DpdRetrycount = 3,
            DpdRetryinterval = "20",
            Eap = "disable",
            EapIdentity = "use-id-payload",
            EncapLocalGw4 = "0.0.0.0",
            EncapLocalGw6 = "::",
            EncapRemoteGw4 = "0.0.0.0",
            EncapRemoteGw6 = "::",
            Encapsulation = "none",
            EncapsulationAddress = "ike",
            EnforceUniqueId = "disable",
            ExchangeInterfaceIp = "disable",
            ExchangeIpAddr4 = "0.0.0.0",
            ExchangeIpAddr6 = "::",
            ForticlientEnforcement = "disable",
            Fragmentation = "enable",
            FragmentationMtu = 1200,
            GroupAuthentication = "disable",
            HaSyncEspSeqno = "enable",
            IdleTimeout = "disable",
            IdleTimeoutinterval = 15,
            IkeVersion = "1",
            IncludeLocalLan = "disable",
            Interface = "port3",
            IpVersion = "4",
            Ipv4DnsServer1 = "0.0.0.0",
            Ipv4DnsServer2 = "0.0.0.0",
            Ipv4DnsServer3 = "0.0.0.0",
            Ipv4EndIp = "0.0.0.0",
            Ipv4Netmask = "255.255.255.255",
            Ipv4StartIp = "0.0.0.0",
            Ipv4WinsServer1 = "0.0.0.0",
            Ipv4WinsServer2 = "0.0.0.0",
            Ipv6DnsServer1 = "::",
            Ipv6DnsServer2 = "::",
            Ipv6DnsServer3 = "::",
            Ipv6EndIp = "::",
            Ipv6Prefix = 128,
            Ipv6StartIp = "::",
            Keepalive = 10,
            Keylife = 86400,
            LocalGw = "0.0.0.0",
            LocalGw6 = "::",
            LocalidType = "auto",
            MeshSelectorType = "disable",
            Mode = "main",
            ModeCfg = "disable",
            MonitorHoldDownDelay = 0,
            MonitorHoldDownTime = "00:00",
            MonitorHoldDownType = "immediate",
            MonitorHoldDownWeekday = "sunday",
            Nattraversal = "enable",
            NegotiateTimeout = 30,
            NetDevice = "disable",
            PassiveMode = "disable",
            Peertype = "any",
            Ppk = "disable",
            Priority = 0,
            Proposal = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
            Psksecret = "eweeeeeeeecee",
            Reauth = "disable",
            Rekey = "enable",
            RemoteGw = "102.2.2.12",
            RemoteGw6 = "::",
            RsaSignatureFormat = "pkcs1",
            SavePassword = "disable",
            SendCertChain = "enable",
            SignatureHashAlg = "sha2-512 sha2-384 sha2-256 sha1",
            SuiteB = "disable",
            TunnelSearch = "selectors",
            Type = "static",
            UnitySupport = "enable",
            WizardType = "custom",
            Xauthtype = "disable",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.fortios.vpn.Phase1interface;
    import com.pulumi.fortios.vpn.Phase1interfaceArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var trname2 = new Phase1interface("trname2", Phase1interfaceArgs.builder()
                .acctVerify("disable")
                .addGwRoute("disable")
                .addRoute("enable")
                .assignIp("enable")
                .assignIpFrom("range")
                .authmethod("psk")
                .autoDiscoveryForwarder("disable")
                .autoDiscoveryPsk("disable")
                .autoDiscoveryReceiver("disable")
                .autoDiscoverySender("disable")
                .autoNegotiate("enable")
                .certIdValidation("enable")
                .childlessIke("disable")
                .clientAutoNegotiate("disable")
                .clientKeepAlive("disable")
                .defaultGw("0.0.0.0")
                .defaultGwPriority(0)
                .dhgrp("14 5")
                .digitalSignatureAuth("disable")
                .distance(15)
                .dnsMode("manual")
                .dpd("on-demand")
                .dpdRetrycount(3)
                .dpdRetryinterval("20")
                .eap("disable")
                .eapIdentity("use-id-payload")
                .encapLocalGw4("0.0.0.0")
                .encapLocalGw6("::")
                .encapRemoteGw4("0.0.0.0")
                .encapRemoteGw6("::")
                .encapsulation("none")
                .encapsulationAddress("ike")
                .enforceUniqueId("disable")
                .exchangeInterfaceIp("disable")
                .exchangeIpAddr4("0.0.0.0")
                .exchangeIpAddr6("::")
                .forticlientEnforcement("disable")
                .fragmentation("enable")
                .fragmentationMtu(1200)
                .groupAuthentication("disable")
                .haSyncEspSeqno("enable")
                .idleTimeout("disable")
                .idleTimeoutinterval(15)
                .ikeVersion("1")
                .includeLocalLan("disable")
                .interface_("port3")
                .ipVersion("4")
                .ipv4DnsServer1("0.0.0.0")
                .ipv4DnsServer2("0.0.0.0")
                .ipv4DnsServer3("0.0.0.0")
                .ipv4EndIp("0.0.0.0")
                .ipv4Netmask("255.255.255.255")
                .ipv4StartIp("0.0.0.0")
                .ipv4WinsServer1("0.0.0.0")
                .ipv4WinsServer2("0.0.0.0")
                .ipv6DnsServer1("::")
                .ipv6DnsServer2("::")
                .ipv6DnsServer3("::")
                .ipv6EndIp("::")
                .ipv6Prefix(128)
                .ipv6StartIp("::")
                .keepalive(10)
                .keylife(86400)
                .localGw("0.0.0.0")
                .localGw6("::")
                .localidType("auto")
                .meshSelectorType("disable")
                .mode("main")
                .modeCfg("disable")
                .monitorHoldDownDelay(0)
                .monitorHoldDownTime("00:00")
                .monitorHoldDownType("immediate")
                .monitorHoldDownWeekday("sunday")
                .nattraversal("enable")
                .negotiateTimeout(30)
                .netDevice("disable")
                .passiveMode("disable")
                .peertype("any")
                .ppk("disable")
                .priority(0)
                .proposal("aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1")
                .psksecret("eweeeeeeeecee")
                .reauth("disable")
                .rekey("enable")
                .remoteGw("102.2.2.12")
                .remoteGw6("::")
                .rsaSignatureFormat("pkcs1")
                .savePassword("disable")
                .sendCertChain("enable")
                .signatureHashAlg("sha2-512 sha2-384 sha2-256 sha1")
                .suiteB("disable")
                .tunnelSearch("selectors")
                .type("static")
                .unitySupport("enable")
                .wizardType("custom")
                .xauthtype("disable")
                .build());
    
        }
    }
    
    resources:
      trname2:
        type: fortios:vpn/ipsec:Phase1interface
        properties:
          acctVerify: disable
          addGwRoute: disable
          addRoute: enable
          assignIp: enable
          assignIpFrom: range
          authmethod: psk
          autoDiscoveryForwarder: disable
          autoDiscoveryPsk: disable
          autoDiscoveryReceiver: disable
          autoDiscoverySender: disable
          autoNegotiate: enable
          certIdValidation: enable
          childlessIke: disable
          clientAutoNegotiate: disable
          clientKeepAlive: disable
          defaultGw: 0.0.0.0
          defaultGwPriority: 0
          dhgrp: 14 5
          digitalSignatureAuth: disable
          distance: 15
          dnsMode: manual
          dpd: on-demand
          dpdRetrycount: 3
          dpdRetryinterval: '20'
          eap: disable
          eapIdentity: use-id-payload
          encapLocalGw4: 0.0.0.0
          encapLocalGw6: '::'
          encapRemoteGw4: 0.0.0.0
          encapRemoteGw6: '::'
          encapsulation: none
          encapsulationAddress: ike
          enforceUniqueId: disable
          exchangeInterfaceIp: disable
          exchangeIpAddr4: 0.0.0.0
          exchangeIpAddr6: '::'
          forticlientEnforcement: disable
          fragmentation: enable
          fragmentationMtu: 1200
          groupAuthentication: disable
          haSyncEspSeqno: enable
          idleTimeout: disable
          idleTimeoutinterval: 15
          ikeVersion: '1'
          includeLocalLan: disable
          interface: port3
          ipVersion: '4'
          ipv4DnsServer1: 0.0.0.0
          ipv4DnsServer2: 0.0.0.0
          ipv4DnsServer3: 0.0.0.0
          ipv4EndIp: 0.0.0.0
          ipv4Netmask: 255.255.255.255
          ipv4StartIp: 0.0.0.0
          ipv4WinsServer1: 0.0.0.0
          ipv4WinsServer2: 0.0.0.0
          ipv6DnsServer1: '::'
          ipv6DnsServer2: '::'
          ipv6DnsServer3: '::'
          ipv6EndIp: '::'
          ipv6Prefix: 128
          ipv6StartIp: '::'
          keepalive: 10
          keylife: 86400
          localGw: 0.0.0.0
          localGw6: '::'
          localidType: auto
          meshSelectorType: disable
          mode: main
          modeCfg: disable
          monitorHoldDownDelay: 0
          monitorHoldDownTime: 00:00
          monitorHoldDownType: immediate
          monitorHoldDownWeekday: sunday
          nattraversal: enable
          negotiateTimeout: 30
          netDevice: disable
          passiveMode: disable
          peertype: any
          ppk: disable
          priority: 0
          proposal: aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
          psksecret: eweeeeeeeecee
          reauth: disable
          rekey: enable
          remoteGw: 102.2.2.12
          remoteGw6: '::'
          rsaSignatureFormat: pkcs1
          savePassword: disable
          sendCertChain: enable
          signatureHashAlg: sha2-512 sha2-384 sha2-256 sha1
          suiteB: disable
          tunnelSearch: selectors
          type: static
          unitySupport: enable
          wizardType: custom
          xauthtype: disable
    

    Create Phase1interface Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Phase1interface(name: string, args: Phase1interfaceArgs, opts?: CustomResourceOptions);
    @overload
    def Phase1interface(resource_name: str,
                        args: Phase1interfaceArgs,
                        opts: Optional[ResourceOptions] = None)
    
    @overload
    def Phase1interface(resource_name: str,
                        opts: Optional[ResourceOptions] = None,
                        interface: Optional[str] = None,
                        proposal: Optional[str] = None,
                        acct_verify: Optional[str] = None,
                        add_gw_route: Optional[str] = None,
                        add_route: Optional[str] = None,
                        aggregate_member: Optional[str] = None,
                        aggregate_weight: Optional[int] = None,
                        assign_ip: Optional[str] = None,
                        assign_ip_from: Optional[str] = None,
                        authmethod: Optional[str] = None,
                        authmethod_remote: Optional[str] = None,
                        authpasswd: Optional[str] = None,
                        authusr: Optional[str] = None,
                        authusrgrp: Optional[str] = None,
                        auto_discovery_crossover: Optional[str] = None,
                        auto_discovery_forwarder: Optional[str] = None,
                        auto_discovery_offer_interval: Optional[int] = None,
                        auto_discovery_psk: Optional[str] = None,
                        auto_discovery_receiver: Optional[str] = None,
                        auto_discovery_sender: Optional[str] = None,
                        auto_discovery_shortcuts: Optional[str] = None,
                        auto_negotiate: Optional[str] = None,
                        azure_ad_autoconnect: Optional[str] = None,
                        backup_gateways: Optional[Sequence[Phase1interfaceBackupGatewayArgs]] = None,
                        banner: Optional[str] = None,
                        cert_id_validation: Optional[str] = None,
                        cert_peer_username_strip: Optional[str] = None,
                        cert_peer_username_validation: Optional[str] = None,
                        cert_trust_store: Optional[str] = None,
                        certificates: Optional[Sequence[Phase1interfaceCertificateArgs]] = None,
                        childless_ike: Optional[str] = None,
                        client_auto_negotiate: Optional[str] = None,
                        client_keep_alive: Optional[str] = None,
                        client_resume: Optional[str] = None,
                        client_resume_interval: Optional[int] = None,
                        comments: Optional[str] = None,
                        default_gw: Optional[str] = None,
                        default_gw_priority: Optional[int] = None,
                        dev_id: Optional[str] = None,
                        dev_id_notification: Optional[str] = None,
                        dhcp6_ra_linkaddr: Optional[str] = None,
                        dhcp_ra_giaddr: Optional[str] = None,
                        dhgrp: Optional[str] = None,
                        digital_signature_auth: Optional[str] = None,
                        distance: Optional[int] = None,
                        dns_mode: Optional[str] = None,
                        domain: Optional[str] = None,
                        dpd: Optional[str] = None,
                        dpd_retrycount: Optional[int] = None,
                        dpd_retryinterval: Optional[str] = None,
                        dynamic_sort_subtable: Optional[str] = None,
                        eap: Optional[str] = None,
                        eap_cert_auth: Optional[str] = None,
                        eap_exclude_peergrp: Optional[str] = None,
                        eap_identity: Optional[str] = None,
                        ems_sn_check: Optional[str] = None,
                        encap_local_gw4: Optional[str] = None,
                        encap_local_gw6: Optional[str] = None,
                        encap_remote_gw4: Optional[str] = None,
                        encap_remote_gw6: Optional[str] = None,
                        encapsulation: Optional[str] = None,
                        encapsulation_address: Optional[str] = None,
                        enforce_unique_id: Optional[str] = None,
                        esn: Optional[str] = None,
                        exchange_fgt_device_id: Optional[str] = None,
                        exchange_interface_ip: Optional[str] = None,
                        exchange_ip_addr4: Optional[str] = None,
                        exchange_ip_addr6: Optional[str] = None,
                        fallback_tcp_threshold: Optional[int] = None,
                        fec_base: Optional[int] = None,
                        fec_codec: Optional[int] = None,
                        fec_codec_string: Optional[str] = None,
                        fec_egress: Optional[str] = None,
                        fec_health_check: Optional[str] = None,
                        fec_ingress: Optional[str] = None,
                        fec_mapping_profile: Optional[str] = None,
                        fec_receive_timeout: Optional[int] = None,
                        fec_redundant: Optional[int] = None,
                        fec_send_timeout: Optional[int] = None,
                        fgsp_sync: Optional[str] = None,
                        forticlient_enforcement: Optional[str] = None,
                        fortinet_esp: Optional[str] = None,
                        fragmentation: Optional[str] = None,
                        fragmentation_mtu: Optional[int] = None,
                        get_all_tables: Optional[str] = None,
                        group_authentication: Optional[str] = None,
                        group_authentication_secret: Optional[str] = None,
                        ha_sync_esp_seqno: Optional[str] = None,
                        idle_timeout: Optional[str] = None,
                        idle_timeoutinterval: Optional[int] = None,
                        ike_version: Optional[str] = None,
                        inbound_dscp_copy: Optional[str] = None,
                        include_local_lan: Optional[str] = None,
                        internal_domain_lists: Optional[Sequence[Phase1interfaceInternalDomainListArgs]] = None,
                        ip_delay_interval: Optional[int] = None,
                        ip_fragmentation: Optional[str] = None,
                        ip_version: Optional[str] = None,
                        ipv4_dns_server1: Optional[str] = None,
                        ipv4_dns_server2: Optional[str] = None,
                        ipv4_dns_server3: Optional[str] = None,
                        ipv4_end_ip: Optional[str] = None,
                        ipv4_exclude_ranges: Optional[Sequence[Phase1interfaceIpv4ExcludeRangeArgs]] = None,
                        ipv4_name: Optional[str] = None,
                        ipv4_netmask: Optional[str] = None,
                        ipv4_split_exclude: Optional[str] = None,
                        ipv4_split_include: Optional[str] = None,
                        ipv4_start_ip: Optional[str] = None,
                        ipv4_wins_server1: Optional[str] = None,
                        ipv4_wins_server2: Optional[str] = None,
                        ipv6_dns_server1: Optional[str] = None,
                        ipv6_dns_server2: Optional[str] = None,
                        ipv6_dns_server3: Optional[str] = None,
                        ipv6_end_ip: Optional[str] = None,
                        ipv6_exclude_ranges: Optional[Sequence[Phase1interfaceIpv6ExcludeRangeArgs]] = None,
                        ipv6_name: Optional[str] = None,
                        ipv6_prefix: Optional[int] = None,
                        ipv6_split_exclude: Optional[str] = None,
                        ipv6_split_include: Optional[str] = None,
                        ipv6_start_ip: Optional[str] = None,
                        keepalive: Optional[int] = None,
                        keylife: Optional[int] = None,
                        kms: Optional[str] = None,
                        link_cost: Optional[int] = None,
                        local_gw: Optional[str] = None,
                        local_gw6: Optional[str] = None,
                        localid: Optional[str] = None,
                        localid_type: Optional[str] = None,
                        loopback_asymroute: Optional[str] = None,
                        mesh_selector_type: Optional[str] = None,
                        mode: Optional[str] = None,
                        mode_cfg: Optional[str] = None,
                        mode_cfg_allow_client_selector: Optional[str] = None,
                        monitor: Optional[str] = None,
                        monitor_hold_down_delay: Optional[int] = None,
                        monitor_hold_down_time: Optional[str] = None,
                        monitor_hold_down_type: Optional[str] = None,
                        monitor_hold_down_weekday: Optional[str] = None,
                        monitor_min: Optional[int] = None,
                        name: Optional[str] = None,
                        nattraversal: Optional[str] = None,
                        negotiate_timeout: Optional[int] = None,
                        net_device: Optional[str] = None,
                        network_id: Optional[int] = None,
                        network_overlay: Optional[str] = None,
                        npu_offload: Optional[str] = None,
                        packet_redistribution: Optional[str] = None,
                        passive_mode: Optional[str] = None,
                        peer: Optional[str] = None,
                        peergrp: Optional[str] = None,
                        peerid: Optional[str] = None,
                        peertype: Optional[str] = None,
                        ppk: Optional[str] = None,
                        ppk_identity: Optional[str] = None,
                        ppk_secret: Optional[str] = None,
                        priority: Optional[int] = None,
                        psksecret: Optional[str] = None,
                        psksecret_remote: Optional[str] = None,
                        qkd: Optional[str] = None,
                        qkd_profile: Optional[str] = None,
                        reauth: Optional[str] = None,
                        rekey: Optional[str] = None,
                        remote_gw: Optional[str] = None,
                        remote_gw6: Optional[str] = None,
                        remote_gw6_country: Optional[str] = None,
                        remote_gw6_end_ip: Optional[str] = None,
                        remote_gw6_match: Optional[str] = None,
                        remote_gw6_start_ip: Optional[str] = None,
                        remote_gw6_subnet: Optional[str] = None,
                        remote_gw_country: Optional[str] = None,
                        remote_gw_end_ip: Optional[str] = None,
                        remote_gw_match: Optional[str] = None,
                        remote_gw_start_ip: Optional[str] = None,
                        remote_gw_subnet: Optional[str] = None,
                        remotegw_ddns: Optional[str] = None,
                        rsa_signature_format: Optional[str] = None,
                        rsa_signature_hash_override: Optional[str] = None,
                        save_password: Optional[str] = None,
                        send_cert_chain: Optional[str] = None,
                        signature_hash_alg: Optional[str] = None,
                        split_include_service: Optional[str] = None,
                        suite_b: Optional[str] = None,
                        transport: Optional[str] = None,
                        tunnel_search: Optional[str] = None,
                        type: Optional[str] = None,
                        unity_support: Optional[str] = None,
                        usrgrp: Optional[str] = None,
                        vdomparam: Optional[str] = None,
                        vni: Optional[int] = None,
                        wizard_type: Optional[str] = None,
                        xauthtype: Optional[str] = None)
    func NewPhase1interface(ctx *Context, name string, args Phase1interfaceArgs, opts ...ResourceOption) (*Phase1interface, error)
    public Phase1interface(string name, Phase1interfaceArgs args, CustomResourceOptions? opts = null)
    public Phase1interface(String name, Phase1interfaceArgs args)
    public Phase1interface(String name, Phase1interfaceArgs args, CustomResourceOptions options)
    
    type: fortios:vpn/ipsec/phase1interface:Phase1interface
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args Phase1interfaceArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args Phase1interfaceArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args Phase1interfaceArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args Phase1interfaceArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args Phase1interfaceArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Phase1interface Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Phase1interface resource accepts the following input properties:

    Interface string
    Local physical, aggregate, or VLAN outgoing interface.
    Proposal string
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    AcctVerify string
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    AddGwRoute string
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    AddRoute string
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    AggregateMember string
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    AggregateWeight int
    Link weight for aggregate.
    AssignIp string
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    AssignIpFrom string
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    Authmethod string
    Authentication method. Valid values: psk, signature.
    AuthmethodRemote string
    Authentication method (remote side). Valid values: psk, signature.
    Authpasswd string
    XAuth password (max 35 characters).
    Authusr string
    XAuth user name.
    Authusrgrp string
    Authentication user group.
    AutoDiscoveryCrossover string
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    AutoDiscoveryForwarder string
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoveryOfferInterval int
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    AutoDiscoveryPsk string
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    AutoDiscoveryReceiver string
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoverySender string
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoveryShortcuts string
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    AutoNegotiate string
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    AzureAdAutoconnect string
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    BackupGateways List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceBackupGateway>
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    string
    Message that unity client should display after connecting.
    CertIdValidation string
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    CertPeerUsernameStrip string
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    CertPeerUsernameValidation string
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    CertTrustStore string
    CA certificate trust store. Valid values: local, ems.
    Certificates List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceCertificate>
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    ChildlessIke string
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    ClientAutoNegotiate string
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    ClientKeepAlive string
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    ClientResume string
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    ClientResumeInterval int
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    Comments string
    Comment.
    DefaultGw string
    IPv4 address of default route gateway to use for traffic exiting the interface.
    DefaultGwPriority int
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    DevId string
    Device ID carried by the device ID notification.
    DevIdNotification string
    Enable/disable device ID notification. Valid values: disable, enable.
    Dhcp6RaLinkaddr string
    Relay agent IPv6 link address to use in DHCP6 requests.
    DhcpRaGiaddr string
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    Dhgrp string
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    DigitalSignatureAuth string
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    Distance int
    Distance for routes added by IKE (1 - 255).
    DnsMode string
    DNS server mode. Valid values: manual, auto.
    Domain string
    Instruct unity clients about the default DNS domain.
    Dpd string
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    DpdRetrycount int
    Number of DPD retry attempts.
    DpdRetryinterval string
    DPD retry interval.
    DynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    Eap string
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    EapCertAuth string
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    EapExcludePeergrp string
    Peer group excluded from EAP authentication.
    EapIdentity string
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    EmsSnCheck string
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    EncapLocalGw4 string
    Local IPv4 address of GRE/VXLAN tunnel.
    EncapLocalGw6 string
    Local IPv6 address of GRE/VXLAN tunnel.
    EncapRemoteGw4 string
    Remote IPv4 address of GRE/VXLAN tunnel.
    EncapRemoteGw6 string
    Remote IPv6 address of GRE/VXLAN tunnel.
    Encapsulation string
    Enable/disable GRE/VXLAN encapsulation.
    EncapsulationAddress string
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    EnforceUniqueId string
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    Esn string
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    ExchangeFgtDeviceId string
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    ExchangeInterfaceIp string
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    ExchangeIpAddr4 string
    IPv4 address to exchange with peers.
    ExchangeIpAddr6 string
    IPv6 address to exchange with peers
    FallbackTcpThreshold int
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    FecBase int
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    FecCodec int
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    FecCodecString string
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    FecEgress string
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    FecHealthCheck string
    SD-WAN health check.
    FecIngress string
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    FecMappingProfile string
    Forward Error Correction (FEC) mapping profile.
    FecReceiveTimeout int
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    FecRedundant int
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    FecSendTimeout int
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    FgspSync string
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    ForticlientEnforcement string
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    FortinetEsp string
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    Fragmentation string
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    FragmentationMtu int
    IKE fragmentation MTU (500 - 16000).
    GetAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    GroupAuthentication string
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    GroupAuthenticationSecret string
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    HaSyncEspSeqno string
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    IdleTimeout string
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    IdleTimeoutinterval int
    IPsec tunnel idle timeout in minutes (5 - 43200).
    IkeVersion string
    IKE protocol version. Valid values: 1, 2.
    InboundDscpCopy string
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    IncludeLocalLan string
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    InternalDomainLists List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceInternalDomainList>
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    IpDelayInterval int
    IP address reuse delay interval in seconds (0 - 28800).
    IpFragmentation string
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    IpVersion string
    IP version to use for VPN interface. Valid values: 4, 6.
    Ipv4DnsServer1 string
    IPv4 DNS server 1.
    Ipv4DnsServer2 string
    IPv4 DNS server 2.
    Ipv4DnsServer3 string
    IPv4 DNS server 3.
    Ipv4EndIp string
    End of IPv4 range.
    Ipv4ExcludeRanges List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceIpv4ExcludeRange>
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    Ipv4Name string
    IPv4 address name.
    Ipv4Netmask string
    IPv4 Netmask.
    Ipv4SplitExclude string
    IPv4 subnets that should not be sent over the IPsec tunnel.
    Ipv4SplitInclude string
    IPv4 split-include subnets.
    Ipv4StartIp string
    Start of IPv4 range.
    Ipv4WinsServer1 string
    WINS server 1.
    Ipv4WinsServer2 string
    WINS server 2.
    Ipv6DnsServer1 string
    IPv6 DNS server 1.
    Ipv6DnsServer2 string
    IPv6 DNS server 2.
    Ipv6DnsServer3 string
    IPv6 DNS server 3.
    Ipv6EndIp string
    End of IPv6 range.
    Ipv6ExcludeRanges List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceIpv6ExcludeRange>
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    Ipv6Name string
    IPv6 address name.
    Ipv6Prefix int
    IPv6 prefix.
    Ipv6SplitExclude string
    IPv6 subnets that should not be sent over the IPsec tunnel.
    Ipv6SplitInclude string
    IPv6 split-include subnets.
    Ipv6StartIp string
    Start of IPv6 range.
    Keepalive int
    NAT-T keep alive interval.
    Keylife int
    Time to wait in seconds before phase 1 encryption key expires.
    Kms string
    Key Management Services server.
    LinkCost int
    VPN tunnel underlay link cost.
    LocalGw string
    IPv4 address of the local gateway's external interface.
    LocalGw6 string
    IPv6 address of the local gateway's external interface.
    Localid string
    Local ID.
    LocalidType string
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    LoopbackAsymroute string
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    MeshSelectorType string
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    Mode string
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    ModeCfg string
    Enable/disable configuration method. Valid values: disable, enable.
    ModeCfgAllowClientSelector string
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    Monitor string
    IPsec interface as backup for primary interface.
    MonitorHoldDownDelay int
    Time to wait in seconds before recovery once primary re-establishes.
    MonitorHoldDownTime string
    Time of day at which to fail back to primary after it re-establishes.
    MonitorHoldDownType string
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    MonitorHoldDownWeekday string
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    MonitorMin int
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    Name string
    IPsec remote gateway name.
    Nattraversal string
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    NegotiateTimeout int
    IKE SA negotiation timeout in seconds (1 - 300).
    NetDevice string
    Enable/disable kernel device creation. Valid values: enable, disable.
    NetworkId int
    VPN gateway network ID.
    NetworkOverlay string
    Enable/disable network overlays. Valid values: disable, enable.
    NpuOffload string
    Enable/disable offloading NPU. Valid values: enable, disable.
    PacketRedistribution string
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    PassiveMode string
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    Peer string
    Accept this peer certificate.
    Peergrp string
    Accept this peer certificate group.
    Peerid string
    Accept this peer identity.
    Peertype string
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    Ppk string
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    PpkIdentity string
    IKEv2 Postquantum Preshared Key Identity.
    PpkSecret string
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    Priority int
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    Psksecret string
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    PsksecretRemote string
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    Qkd string
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    QkdProfile string
    Quantum Key Distribution (QKD) server profile.
    Reauth string
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    Rekey string
    Enable/disable phase1 rekey. Valid values: enable, disable.
    RemoteGw string
    IPv4 address of the remote gateway's external interface.
    RemoteGw6 string
    IPv6 address of the remote gateway's external interface.
    RemoteGw6Country string
    IPv6 addresses associated to a specific country.
    RemoteGw6EndIp string
    Last IPv6 address in the range.
    RemoteGw6Match string
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    RemoteGw6StartIp string
    First IPv6 address in the range.
    RemoteGw6Subnet string
    IPv6 address and prefix.
    RemoteGwCountry string
    IPv4 addresses associated to a specific country.
    RemoteGwEndIp string
    Last IPv4 address in the range.
    RemoteGwMatch string
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    RemoteGwStartIp string
    First IPv4 address in the range.
    RemoteGwSubnet string
    IPv4 address and subnet mask.
    RemotegwDdns string
    Domain name of remote gateway. For example, name.ddns.com.
    RsaSignatureFormat string
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    RsaSignatureHashOverride string
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    SavePassword string
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    SendCertChain string
    Enable/disable sending certificate chain. Valid values: enable, disable.
    SignatureHashAlg string
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    SplitIncludeService string
    Split-include services.
    SuiteB string
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    Transport string
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    TunnelSearch string
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    Type string
    Remote gateway type. Valid values: static, dynamic, ddns.
    UnitySupport string
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    Usrgrp string
    User group name for dialup peers.
    Vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    Vni int
    VNI of VXLAN tunnel.
    WizardType string
    GUI VPN Wizard Type.
    Xauthtype string
    XAuth type. Valid values: disable, client, pap, chap, auto.
    Interface string
    Local physical, aggregate, or VLAN outgoing interface.
    Proposal string
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    AcctVerify string
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    AddGwRoute string
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    AddRoute string
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    AggregateMember string
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    AggregateWeight int
    Link weight for aggregate.
    AssignIp string
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    AssignIpFrom string
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    Authmethod string
    Authentication method. Valid values: psk, signature.
    AuthmethodRemote string
    Authentication method (remote side). Valid values: psk, signature.
    Authpasswd string
    XAuth password (max 35 characters).
    Authusr string
    XAuth user name.
    Authusrgrp string
    Authentication user group.
    AutoDiscoveryCrossover string
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    AutoDiscoveryForwarder string
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoveryOfferInterval int
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    AutoDiscoveryPsk string
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    AutoDiscoveryReceiver string
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoverySender string
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoveryShortcuts string
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    AutoNegotiate string
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    AzureAdAutoconnect string
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    BackupGateways []Phase1interfaceBackupGatewayArgs
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    string
    Message that unity client should display after connecting.
    CertIdValidation string
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    CertPeerUsernameStrip string
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    CertPeerUsernameValidation string
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    CertTrustStore string
    CA certificate trust store. Valid values: local, ems.
    Certificates []Phase1interfaceCertificateArgs
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    ChildlessIke string
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    ClientAutoNegotiate string
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    ClientKeepAlive string
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    ClientResume string
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    ClientResumeInterval int
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    Comments string
    Comment.
    DefaultGw string
    IPv4 address of default route gateway to use for traffic exiting the interface.
    DefaultGwPriority int
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    DevId string
    Device ID carried by the device ID notification.
    DevIdNotification string
    Enable/disable device ID notification. Valid values: disable, enable.
    Dhcp6RaLinkaddr string
    Relay agent IPv6 link address to use in DHCP6 requests.
    DhcpRaGiaddr string
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    Dhgrp string
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    DigitalSignatureAuth string
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    Distance int
    Distance for routes added by IKE (1 - 255).
    DnsMode string
    DNS server mode. Valid values: manual, auto.
    Domain string
    Instruct unity clients about the default DNS domain.
    Dpd string
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    DpdRetrycount int
    Number of DPD retry attempts.
    DpdRetryinterval string
    DPD retry interval.
    DynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    Eap string
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    EapCertAuth string
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    EapExcludePeergrp string
    Peer group excluded from EAP authentication.
    EapIdentity string
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    EmsSnCheck string
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    EncapLocalGw4 string
    Local IPv4 address of GRE/VXLAN tunnel.
    EncapLocalGw6 string
    Local IPv6 address of GRE/VXLAN tunnel.
    EncapRemoteGw4 string
    Remote IPv4 address of GRE/VXLAN tunnel.
    EncapRemoteGw6 string
    Remote IPv6 address of GRE/VXLAN tunnel.
    Encapsulation string
    Enable/disable GRE/VXLAN encapsulation.
    EncapsulationAddress string
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    EnforceUniqueId string
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    Esn string
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    ExchangeFgtDeviceId string
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    ExchangeInterfaceIp string
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    ExchangeIpAddr4 string
    IPv4 address to exchange with peers.
    ExchangeIpAddr6 string
    IPv6 address to exchange with peers
    FallbackTcpThreshold int
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    FecBase int
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    FecCodec int
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    FecCodecString string
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    FecEgress string
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    FecHealthCheck string
    SD-WAN health check.
    FecIngress string
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    FecMappingProfile string
    Forward Error Correction (FEC) mapping profile.
    FecReceiveTimeout int
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    FecRedundant int
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    FecSendTimeout int
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    FgspSync string
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    ForticlientEnforcement string
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    FortinetEsp string
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    Fragmentation string
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    FragmentationMtu int
    IKE fragmentation MTU (500 - 16000).
    GetAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    GroupAuthentication string
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    GroupAuthenticationSecret string
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    HaSyncEspSeqno string
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    IdleTimeout string
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    IdleTimeoutinterval int
    IPsec tunnel idle timeout in minutes (5 - 43200).
    IkeVersion string
    IKE protocol version. Valid values: 1, 2.
    InboundDscpCopy string
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    IncludeLocalLan string
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    InternalDomainLists []Phase1interfaceInternalDomainListArgs
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    IpDelayInterval int
    IP address reuse delay interval in seconds (0 - 28800).
    IpFragmentation string
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    IpVersion string
    IP version to use for VPN interface. Valid values: 4, 6.
    Ipv4DnsServer1 string
    IPv4 DNS server 1.
    Ipv4DnsServer2 string
    IPv4 DNS server 2.
    Ipv4DnsServer3 string
    IPv4 DNS server 3.
    Ipv4EndIp string
    End of IPv4 range.
    Ipv4ExcludeRanges []Phase1interfaceIpv4ExcludeRangeArgs
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    Ipv4Name string
    IPv4 address name.
    Ipv4Netmask string
    IPv4 Netmask.
    Ipv4SplitExclude string
    IPv4 subnets that should not be sent over the IPsec tunnel.
    Ipv4SplitInclude string
    IPv4 split-include subnets.
    Ipv4StartIp string
    Start of IPv4 range.
    Ipv4WinsServer1 string
    WINS server 1.
    Ipv4WinsServer2 string
    WINS server 2.
    Ipv6DnsServer1 string
    IPv6 DNS server 1.
    Ipv6DnsServer2 string
    IPv6 DNS server 2.
    Ipv6DnsServer3 string
    IPv6 DNS server 3.
    Ipv6EndIp string
    End of IPv6 range.
    Ipv6ExcludeRanges []Phase1interfaceIpv6ExcludeRangeArgs
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    Ipv6Name string
    IPv6 address name.
    Ipv6Prefix int
    IPv6 prefix.
    Ipv6SplitExclude string
    IPv6 subnets that should not be sent over the IPsec tunnel.
    Ipv6SplitInclude string
    IPv6 split-include subnets.
    Ipv6StartIp string
    Start of IPv6 range.
    Keepalive int
    NAT-T keep alive interval.
    Keylife int
    Time to wait in seconds before phase 1 encryption key expires.
    Kms string
    Key Management Services server.
    LinkCost int
    VPN tunnel underlay link cost.
    LocalGw string
    IPv4 address of the local gateway's external interface.
    LocalGw6 string
    IPv6 address of the local gateway's external interface.
    Localid string
    Local ID.
    LocalidType string
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    LoopbackAsymroute string
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    MeshSelectorType string
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    Mode string
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    ModeCfg string
    Enable/disable configuration method. Valid values: disable, enable.
    ModeCfgAllowClientSelector string
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    Monitor string
    IPsec interface as backup for primary interface.
    MonitorHoldDownDelay int
    Time to wait in seconds before recovery once primary re-establishes.
    MonitorHoldDownTime string
    Time of day at which to fail back to primary after it re-establishes.
    MonitorHoldDownType string
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    MonitorHoldDownWeekday string
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    MonitorMin int
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    Name string
    IPsec remote gateway name.
    Nattraversal string
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    NegotiateTimeout int
    IKE SA negotiation timeout in seconds (1 - 300).
    NetDevice string
    Enable/disable kernel device creation. Valid values: enable, disable.
    NetworkId int
    VPN gateway network ID.
    NetworkOverlay string
    Enable/disable network overlays. Valid values: disable, enable.
    NpuOffload string
    Enable/disable offloading NPU. Valid values: enable, disable.
    PacketRedistribution string
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    PassiveMode string
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    Peer string
    Accept this peer certificate.
    Peergrp string
    Accept this peer certificate group.
    Peerid string
    Accept this peer identity.
    Peertype string
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    Ppk string
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    PpkIdentity string
    IKEv2 Postquantum Preshared Key Identity.
    PpkSecret string
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    Priority int
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    Psksecret string
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    PsksecretRemote string
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    Qkd string
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    QkdProfile string
    Quantum Key Distribution (QKD) server profile.
    Reauth string
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    Rekey string
    Enable/disable phase1 rekey. Valid values: enable, disable.
    RemoteGw string
    IPv4 address of the remote gateway's external interface.
    RemoteGw6 string
    IPv6 address of the remote gateway's external interface.
    RemoteGw6Country string
    IPv6 addresses associated to a specific country.
    RemoteGw6EndIp string
    Last IPv6 address in the range.
    RemoteGw6Match string
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    RemoteGw6StartIp string
    First IPv6 address in the range.
    RemoteGw6Subnet string
    IPv6 address and prefix.
    RemoteGwCountry string
    IPv4 addresses associated to a specific country.
    RemoteGwEndIp string
    Last IPv4 address in the range.
    RemoteGwMatch string
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    RemoteGwStartIp string
    First IPv4 address in the range.
    RemoteGwSubnet string
    IPv4 address and subnet mask.
    RemotegwDdns string
    Domain name of remote gateway. For example, name.ddns.com.
    RsaSignatureFormat string
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    RsaSignatureHashOverride string
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    SavePassword string
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    SendCertChain string
    Enable/disable sending certificate chain. Valid values: enable, disable.
    SignatureHashAlg string
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    SplitIncludeService string
    Split-include services.
    SuiteB string
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    Transport string
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    TunnelSearch string
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    Type string
    Remote gateway type. Valid values: static, dynamic, ddns.
    UnitySupport string
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    Usrgrp string
    User group name for dialup peers.
    Vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    Vni int
    VNI of VXLAN tunnel.
    WizardType string
    GUI VPN Wizard Type.
    Xauthtype string
    XAuth type. Valid values: disable, client, pap, chap, auto.
    interface_ String
    Local physical, aggregate, or VLAN outgoing interface.
    proposal String
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    acctVerify String
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    addGwRoute String
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    addRoute String
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    aggregateMember String
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    aggregateWeight Integer
    Link weight for aggregate.
    assignIp String
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    assignIpFrom String
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    authmethod String
    Authentication method. Valid values: psk, signature.
    authmethodRemote String
    Authentication method (remote side). Valid values: psk, signature.
    authpasswd String
    XAuth password (max 35 characters).
    authusr String
    XAuth user name.
    authusrgrp String
    Authentication user group.
    autoDiscoveryCrossover String
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    autoDiscoveryForwarder String
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryOfferInterval Integer
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    autoDiscoveryPsk String
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    autoDiscoveryReceiver String
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoverySender String
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryShortcuts String
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    autoNegotiate String
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    azureAdAutoconnect String
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    backupGateways List<Phase1interfaceBackupGateway>
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    String
    Message that unity client should display after connecting.
    certIdValidation String
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    certPeerUsernameStrip String
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    certPeerUsernameValidation String
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    certTrustStore String
    CA certificate trust store. Valid values: local, ems.
    certificates List<Phase1interfaceCertificate>
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    childlessIke String
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    clientAutoNegotiate String
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    clientKeepAlive String
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    clientResume String
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    clientResumeInterval Integer
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    comments String
    Comment.
    defaultGw String
    IPv4 address of default route gateway to use for traffic exiting the interface.
    defaultGwPriority Integer
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    devId String
    Device ID carried by the device ID notification.
    devIdNotification String
    Enable/disable device ID notification. Valid values: disable, enable.
    dhcp6RaLinkaddr String
    Relay agent IPv6 link address to use in DHCP6 requests.
    dhcpRaGiaddr String
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    dhgrp String
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    digitalSignatureAuth String
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    distance Integer
    Distance for routes added by IKE (1 - 255).
    dnsMode String
    DNS server mode. Valid values: manual, auto.
    domain String
    Instruct unity clients about the default DNS domain.
    dpd String
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    dpdRetrycount Integer
    Number of DPD retry attempts.
    dpdRetryinterval String
    DPD retry interval.
    dynamicSortSubtable String
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    eap String
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    eapCertAuth String
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    eapExcludePeergrp String
    Peer group excluded from EAP authentication.
    eapIdentity String
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    emsSnCheck String
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    encapLocalGw4 String
    Local IPv4 address of GRE/VXLAN tunnel.
    encapLocalGw6 String
    Local IPv6 address of GRE/VXLAN tunnel.
    encapRemoteGw4 String
    Remote IPv4 address of GRE/VXLAN tunnel.
    encapRemoteGw6 String
    Remote IPv6 address of GRE/VXLAN tunnel.
    encapsulation String
    Enable/disable GRE/VXLAN encapsulation.
    encapsulationAddress String
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    enforceUniqueId String
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    esn String
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    exchangeFgtDeviceId String
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    exchangeInterfaceIp String
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    exchangeIpAddr4 String
    IPv4 address to exchange with peers.
    exchangeIpAddr6 String
    IPv6 address to exchange with peers
    fallbackTcpThreshold Integer
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    fecBase Integer
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    fecCodec Integer
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    fecCodecString String
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    fecEgress String
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    fecHealthCheck String
    SD-WAN health check.
    fecIngress String
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    fecMappingProfile String
    Forward Error Correction (FEC) mapping profile.
    fecReceiveTimeout Integer
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    fecRedundant Integer
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    fecSendTimeout Integer
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    fgspSync String
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    forticlientEnforcement String
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    fortinetEsp String
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    fragmentation String
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    fragmentationMtu Integer
    IKE fragmentation MTU (500 - 16000).
    getAllTables String
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    groupAuthentication String
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    groupAuthenticationSecret String
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    haSyncEspSeqno String
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    idleTimeout String
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    idleTimeoutinterval Integer
    IPsec tunnel idle timeout in minutes (5 - 43200).
    ikeVersion String
    IKE protocol version. Valid values: 1, 2.
    inboundDscpCopy String
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    includeLocalLan String
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    internalDomainLists List<Phase1interfaceInternalDomainList>
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    ipDelayInterval Integer
    IP address reuse delay interval in seconds (0 - 28800).
    ipFragmentation String
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    ipVersion String
    IP version to use for VPN interface. Valid values: 4, 6.
    ipv4DnsServer1 String
    IPv4 DNS server 1.
    ipv4DnsServer2 String
    IPv4 DNS server 2.
    ipv4DnsServer3 String
    IPv4 DNS server 3.
    ipv4EndIp String
    End of IPv4 range.
    ipv4ExcludeRanges List<Phase1interfaceIpv4ExcludeRange>
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    ipv4Name String
    IPv4 address name.
    ipv4Netmask String
    IPv4 Netmask.
    ipv4SplitExclude String
    IPv4 subnets that should not be sent over the IPsec tunnel.
    ipv4SplitInclude String
    IPv4 split-include subnets.
    ipv4StartIp String
    Start of IPv4 range.
    ipv4WinsServer1 String
    WINS server 1.
    ipv4WinsServer2 String
    WINS server 2.
    ipv6DnsServer1 String
    IPv6 DNS server 1.
    ipv6DnsServer2 String
    IPv6 DNS server 2.
    ipv6DnsServer3 String
    IPv6 DNS server 3.
    ipv6EndIp String
    End of IPv6 range.
    ipv6ExcludeRanges List<Phase1interfaceIpv6ExcludeRange>
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    ipv6Name String
    IPv6 address name.
    ipv6Prefix Integer
    IPv6 prefix.
    ipv6SplitExclude String
    IPv6 subnets that should not be sent over the IPsec tunnel.
    ipv6SplitInclude String
    IPv6 split-include subnets.
    ipv6StartIp String
    Start of IPv6 range.
    keepalive Integer
    NAT-T keep alive interval.
    keylife Integer
    Time to wait in seconds before phase 1 encryption key expires.
    kms String
    Key Management Services server.
    linkCost Integer
    VPN tunnel underlay link cost.
    localGw String
    IPv4 address of the local gateway's external interface.
    localGw6 String
    IPv6 address of the local gateway's external interface.
    localid String
    Local ID.
    localidType String
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    loopbackAsymroute String
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    meshSelectorType String
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    mode String
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    modeCfg String
    Enable/disable configuration method. Valid values: disable, enable.
    modeCfgAllowClientSelector String
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    monitor String
    IPsec interface as backup for primary interface.
    monitorHoldDownDelay Integer
    Time to wait in seconds before recovery once primary re-establishes.
    monitorHoldDownTime String
    Time of day at which to fail back to primary after it re-establishes.
    monitorHoldDownType String
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    monitorHoldDownWeekday String
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    monitorMin Integer
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    name String
    IPsec remote gateway name.
    nattraversal String
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    negotiateTimeout Integer
    IKE SA negotiation timeout in seconds (1 - 300).
    netDevice String
    Enable/disable kernel device creation. Valid values: enable, disable.
    networkId Integer
    VPN gateway network ID.
    networkOverlay String
    Enable/disable network overlays. Valid values: disable, enable.
    npuOffload String
    Enable/disable offloading NPU. Valid values: enable, disable.
    packetRedistribution String
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    passiveMode String
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    peer String
    Accept this peer certificate.
    peergrp String
    Accept this peer certificate group.
    peerid String
    Accept this peer identity.
    peertype String
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    ppk String
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    ppkIdentity String
    IKEv2 Postquantum Preshared Key Identity.
    ppkSecret String
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    priority Integer
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    psksecret String
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    psksecretRemote String
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    qkd String
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    qkdProfile String
    Quantum Key Distribution (QKD) server profile.
    reauth String
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    rekey String
    Enable/disable phase1 rekey. Valid values: enable, disable.
    remoteGw String
    IPv4 address of the remote gateway's external interface.
    remoteGw6 String
    IPv6 address of the remote gateway's external interface.
    remoteGw6Country String
    IPv6 addresses associated to a specific country.
    remoteGw6EndIp String
    Last IPv6 address in the range.
    remoteGw6Match String
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    remoteGw6StartIp String
    First IPv6 address in the range.
    remoteGw6Subnet String
    IPv6 address and prefix.
    remoteGwCountry String
    IPv4 addresses associated to a specific country.
    remoteGwEndIp String
    Last IPv4 address in the range.
    remoteGwMatch String
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    remoteGwStartIp String
    First IPv4 address in the range.
    remoteGwSubnet String
    IPv4 address and subnet mask.
    remotegwDdns String
    Domain name of remote gateway. For example, name.ddns.com.
    rsaSignatureFormat String
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    rsaSignatureHashOverride String
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    savePassword String
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    sendCertChain String
    Enable/disable sending certificate chain. Valid values: enable, disable.
    signatureHashAlg String
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    splitIncludeService String
    Split-include services.
    suiteB String
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    transport String
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    tunnelSearch String
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    type String
    Remote gateway type. Valid values: static, dynamic, ddns.
    unitySupport String
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    usrgrp String
    User group name for dialup peers.
    vdomparam String
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    vni Integer
    VNI of VXLAN tunnel.
    wizardType String
    GUI VPN Wizard Type.
    xauthtype String
    XAuth type. Valid values: disable, client, pap, chap, auto.
    interface string
    Local physical, aggregate, or VLAN outgoing interface.
    proposal string
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    acctVerify string
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    addGwRoute string
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    addRoute string
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    aggregateMember string
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    aggregateWeight number
    Link weight for aggregate.
    assignIp string
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    assignIpFrom string
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    authmethod string
    Authentication method. Valid values: psk, signature.
    authmethodRemote string
    Authentication method (remote side). Valid values: psk, signature.
    authpasswd string
    XAuth password (max 35 characters).
    authusr string
    XAuth user name.
    authusrgrp string
    Authentication user group.
    autoDiscoveryCrossover string
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    autoDiscoveryForwarder string
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryOfferInterval number
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    autoDiscoveryPsk string
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    autoDiscoveryReceiver string
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoverySender string
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryShortcuts string
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    autoNegotiate string
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    azureAdAutoconnect string
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    backupGateways Phase1interfaceBackupGateway[]
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    string
    Message that unity client should display after connecting.
    certIdValidation string
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    certPeerUsernameStrip string
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    certPeerUsernameValidation string
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    certTrustStore string
    CA certificate trust store. Valid values: local, ems.
    certificates Phase1interfaceCertificate[]
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    childlessIke string
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    clientAutoNegotiate string
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    clientKeepAlive string
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    clientResume string
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    clientResumeInterval number
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    comments string
    Comment.
    defaultGw string
    IPv4 address of default route gateway to use for traffic exiting the interface.
    defaultGwPriority number
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    devId string
    Device ID carried by the device ID notification.
    devIdNotification string
    Enable/disable device ID notification. Valid values: disable, enable.
    dhcp6RaLinkaddr string
    Relay agent IPv6 link address to use in DHCP6 requests.
    dhcpRaGiaddr string
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    dhgrp string
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    digitalSignatureAuth string
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    distance number
    Distance for routes added by IKE (1 - 255).
    dnsMode string
    DNS server mode. Valid values: manual, auto.
    domain string
    Instruct unity clients about the default DNS domain.
    dpd string
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    dpdRetrycount number
    Number of DPD retry attempts.
    dpdRetryinterval string
    DPD retry interval.
    dynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    eap string
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    eapCertAuth string
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    eapExcludePeergrp string
    Peer group excluded from EAP authentication.
    eapIdentity string
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    emsSnCheck string
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    encapLocalGw4 string
    Local IPv4 address of GRE/VXLAN tunnel.
    encapLocalGw6 string
    Local IPv6 address of GRE/VXLAN tunnel.
    encapRemoteGw4 string
    Remote IPv4 address of GRE/VXLAN tunnel.
    encapRemoteGw6 string
    Remote IPv6 address of GRE/VXLAN tunnel.
    encapsulation string
    Enable/disable GRE/VXLAN encapsulation.
    encapsulationAddress string
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    enforceUniqueId string
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    esn string
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    exchangeFgtDeviceId string
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    exchangeInterfaceIp string
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    exchangeIpAddr4 string
    IPv4 address to exchange with peers.
    exchangeIpAddr6 string
    IPv6 address to exchange with peers
    fallbackTcpThreshold number
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    fecBase number
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    fecCodec number
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    fecCodecString string
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    fecEgress string
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    fecHealthCheck string
    SD-WAN health check.
    fecIngress string
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    fecMappingProfile string
    Forward Error Correction (FEC) mapping profile.
    fecReceiveTimeout number
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    fecRedundant number
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    fecSendTimeout number
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    fgspSync string
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    forticlientEnforcement string
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    fortinetEsp string
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    fragmentation string
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    fragmentationMtu number
    IKE fragmentation MTU (500 - 16000).
    getAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    groupAuthentication string
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    groupAuthenticationSecret string
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    haSyncEspSeqno string
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    idleTimeout string
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    idleTimeoutinterval number
    IPsec tunnel idle timeout in minutes (5 - 43200).
    ikeVersion string
    IKE protocol version. Valid values: 1, 2.
    inboundDscpCopy string
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    includeLocalLan string
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    internalDomainLists Phase1interfaceInternalDomainList[]
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    ipDelayInterval number
    IP address reuse delay interval in seconds (0 - 28800).
    ipFragmentation string
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    ipVersion string
    IP version to use for VPN interface. Valid values: 4, 6.
    ipv4DnsServer1 string
    IPv4 DNS server 1.
    ipv4DnsServer2 string
    IPv4 DNS server 2.
    ipv4DnsServer3 string
    IPv4 DNS server 3.
    ipv4EndIp string
    End of IPv4 range.
    ipv4ExcludeRanges Phase1interfaceIpv4ExcludeRange[]
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    ipv4Name string
    IPv4 address name.
    ipv4Netmask string
    IPv4 Netmask.
    ipv4SplitExclude string
    IPv4 subnets that should not be sent over the IPsec tunnel.
    ipv4SplitInclude string
    IPv4 split-include subnets.
    ipv4StartIp string
    Start of IPv4 range.
    ipv4WinsServer1 string
    WINS server 1.
    ipv4WinsServer2 string
    WINS server 2.
    ipv6DnsServer1 string
    IPv6 DNS server 1.
    ipv6DnsServer2 string
    IPv6 DNS server 2.
    ipv6DnsServer3 string
    IPv6 DNS server 3.
    ipv6EndIp string
    End of IPv6 range.
    ipv6ExcludeRanges Phase1interfaceIpv6ExcludeRange[]
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    ipv6Name string
    IPv6 address name.
    ipv6Prefix number
    IPv6 prefix.
    ipv6SplitExclude string
    IPv6 subnets that should not be sent over the IPsec tunnel.
    ipv6SplitInclude string
    IPv6 split-include subnets.
    ipv6StartIp string
    Start of IPv6 range.
    keepalive number
    NAT-T keep alive interval.
    keylife number
    Time to wait in seconds before phase 1 encryption key expires.
    kms string
    Key Management Services server.
    linkCost number
    VPN tunnel underlay link cost.
    localGw string
    IPv4 address of the local gateway's external interface.
    localGw6 string
    IPv6 address of the local gateway's external interface.
    localid string
    Local ID.
    localidType string
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    loopbackAsymroute string
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    meshSelectorType string
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    mode string
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    modeCfg string
    Enable/disable configuration method. Valid values: disable, enable.
    modeCfgAllowClientSelector string
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    monitor string
    IPsec interface as backup for primary interface.
    monitorHoldDownDelay number
    Time to wait in seconds before recovery once primary re-establishes.
    monitorHoldDownTime string
    Time of day at which to fail back to primary after it re-establishes.
    monitorHoldDownType string
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    monitorHoldDownWeekday string
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    monitorMin number
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    name string
    IPsec remote gateway name.
    nattraversal string
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    negotiateTimeout number
    IKE SA negotiation timeout in seconds (1 - 300).
    netDevice string
    Enable/disable kernel device creation. Valid values: enable, disable.
    networkId number
    VPN gateway network ID.
    networkOverlay string
    Enable/disable network overlays. Valid values: disable, enable.
    npuOffload string
    Enable/disable offloading NPU. Valid values: enable, disable.
    packetRedistribution string
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    passiveMode string
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    peer string
    Accept this peer certificate.
    peergrp string
    Accept this peer certificate group.
    peerid string
    Accept this peer identity.
    peertype string
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    ppk string
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    ppkIdentity string
    IKEv2 Postquantum Preshared Key Identity.
    ppkSecret string
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    priority number
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    psksecret string
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    psksecretRemote string
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    qkd string
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    qkdProfile string
    Quantum Key Distribution (QKD) server profile.
    reauth string
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    rekey string
    Enable/disable phase1 rekey. Valid values: enable, disable.
    remoteGw string
    IPv4 address of the remote gateway's external interface.
    remoteGw6 string
    IPv6 address of the remote gateway's external interface.
    remoteGw6Country string
    IPv6 addresses associated to a specific country.
    remoteGw6EndIp string
    Last IPv6 address in the range.
    remoteGw6Match string
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    remoteGw6StartIp string
    First IPv6 address in the range.
    remoteGw6Subnet string
    IPv6 address and prefix.
    remoteGwCountry string
    IPv4 addresses associated to a specific country.
    remoteGwEndIp string
    Last IPv4 address in the range.
    remoteGwMatch string
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    remoteGwStartIp string
    First IPv4 address in the range.
    remoteGwSubnet string
    IPv4 address and subnet mask.
    remotegwDdns string
    Domain name of remote gateway. For example, name.ddns.com.
    rsaSignatureFormat string
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    rsaSignatureHashOverride string
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    savePassword string
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    sendCertChain string
    Enable/disable sending certificate chain. Valid values: enable, disable.
    signatureHashAlg string
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    splitIncludeService string
    Split-include services.
    suiteB string
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    transport string
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    tunnelSearch string
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    type string
    Remote gateway type. Valid values: static, dynamic, ddns.
    unitySupport string
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    usrgrp string
    User group name for dialup peers.
    vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    vni number
    VNI of VXLAN tunnel.
    wizardType string
    GUI VPN Wizard Type.
    xauthtype string
    XAuth type. Valid values: disable, client, pap, chap, auto.
    interface str
    Local physical, aggregate, or VLAN outgoing interface.
    proposal str
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    acct_verify str
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    add_gw_route str
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    add_route str
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    aggregate_member str
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    aggregate_weight int
    Link weight for aggregate.
    assign_ip str
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    assign_ip_from str
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    authmethod str
    Authentication method. Valid values: psk, signature.
    authmethod_remote str
    Authentication method (remote side). Valid values: psk, signature.
    authpasswd str
    XAuth password (max 35 characters).
    authusr str
    XAuth user name.
    authusrgrp str
    Authentication user group.
    auto_discovery_crossover str
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    auto_discovery_forwarder str
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    auto_discovery_offer_interval int
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    auto_discovery_psk str
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    auto_discovery_receiver str
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    auto_discovery_sender str
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    auto_discovery_shortcuts str
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    auto_negotiate str
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    azure_ad_autoconnect str
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    backup_gateways Sequence[Phase1interfaceBackupGatewayArgs]
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    str
    Message that unity client should display after connecting.
    cert_id_validation str
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    cert_peer_username_strip str
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    cert_peer_username_validation str
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    cert_trust_store str
    CA certificate trust store. Valid values: local, ems.
    certificates Sequence[Phase1interfaceCertificateArgs]
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    childless_ike str
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    client_auto_negotiate str
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    client_keep_alive str
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    client_resume str
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    client_resume_interval int
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    comments str
    Comment.
    default_gw str
    IPv4 address of default route gateway to use for traffic exiting the interface.
    default_gw_priority int
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    dev_id str
    Device ID carried by the device ID notification.
    dev_id_notification str
    Enable/disable device ID notification. Valid values: disable, enable.
    dhcp6_ra_linkaddr str
    Relay agent IPv6 link address to use in DHCP6 requests.
    dhcp_ra_giaddr str
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    dhgrp str
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    digital_signature_auth str
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    distance int
    Distance for routes added by IKE (1 - 255).
    dns_mode str
    DNS server mode. Valid values: manual, auto.
    domain str
    Instruct unity clients about the default DNS domain.
    dpd str
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    dpd_retrycount int
    Number of DPD retry attempts.
    dpd_retryinterval str
    DPD retry interval.
    dynamic_sort_subtable str
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    eap str
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    eap_cert_auth str
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    eap_exclude_peergrp str
    Peer group excluded from EAP authentication.
    eap_identity str
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    ems_sn_check str
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    encap_local_gw4 str
    Local IPv4 address of GRE/VXLAN tunnel.
    encap_local_gw6 str
    Local IPv6 address of GRE/VXLAN tunnel.
    encap_remote_gw4 str
    Remote IPv4 address of GRE/VXLAN tunnel.
    encap_remote_gw6 str
    Remote IPv6 address of GRE/VXLAN tunnel.
    encapsulation str
    Enable/disable GRE/VXLAN encapsulation.
    encapsulation_address str
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    enforce_unique_id str
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    esn str
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    exchange_fgt_device_id str
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    exchange_interface_ip str
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    exchange_ip_addr4 str
    IPv4 address to exchange with peers.
    exchange_ip_addr6 str
    IPv6 address to exchange with peers
    fallback_tcp_threshold int
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    fec_base int
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    fec_codec int
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    fec_codec_string str
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    fec_egress str
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    fec_health_check str
    SD-WAN health check.
    fec_ingress str
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    fec_mapping_profile str
    Forward Error Correction (FEC) mapping profile.
    fec_receive_timeout int
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    fec_redundant int
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    fec_send_timeout int
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    fgsp_sync str
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    forticlient_enforcement str
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    fortinet_esp str
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    fragmentation str
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    fragmentation_mtu int
    IKE fragmentation MTU (500 - 16000).
    get_all_tables str
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    group_authentication str
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    group_authentication_secret str
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    ha_sync_esp_seqno str
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    idle_timeout str
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    idle_timeoutinterval int
    IPsec tunnel idle timeout in minutes (5 - 43200).
    ike_version str
    IKE protocol version. Valid values: 1, 2.
    inbound_dscp_copy str
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    include_local_lan str
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    internal_domain_lists Sequence[Phase1interfaceInternalDomainListArgs]
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    ip_delay_interval int
    IP address reuse delay interval in seconds (0 - 28800).
    ip_fragmentation str
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    ip_version str
    IP version to use for VPN interface. Valid values: 4, 6.
    ipv4_dns_server1 str
    IPv4 DNS server 1.
    ipv4_dns_server2 str
    IPv4 DNS server 2.
    ipv4_dns_server3 str
    IPv4 DNS server 3.
    ipv4_end_ip str
    End of IPv4 range.
    ipv4_exclude_ranges Sequence[Phase1interfaceIpv4ExcludeRangeArgs]
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    ipv4_name str
    IPv4 address name.
    ipv4_netmask str
    IPv4 Netmask.
    ipv4_split_exclude str
    IPv4 subnets that should not be sent over the IPsec tunnel.
    ipv4_split_include str
    IPv4 split-include subnets.
    ipv4_start_ip str
    Start of IPv4 range.
    ipv4_wins_server1 str
    WINS server 1.
    ipv4_wins_server2 str
    WINS server 2.
    ipv6_dns_server1 str
    IPv6 DNS server 1.
    ipv6_dns_server2 str
    IPv6 DNS server 2.
    ipv6_dns_server3 str
    IPv6 DNS server 3.
    ipv6_end_ip str
    End of IPv6 range.
    ipv6_exclude_ranges Sequence[Phase1interfaceIpv6ExcludeRangeArgs]
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    ipv6_name str
    IPv6 address name.
    ipv6_prefix int
    IPv6 prefix.
    ipv6_split_exclude str
    IPv6 subnets that should not be sent over the IPsec tunnel.
    ipv6_split_include str
    IPv6 split-include subnets.
    ipv6_start_ip str
    Start of IPv6 range.
    keepalive int
    NAT-T keep alive interval.
    keylife int
    Time to wait in seconds before phase 1 encryption key expires.
    kms str
    Key Management Services server.
    link_cost int
    VPN tunnel underlay link cost.
    local_gw str
    IPv4 address of the local gateway's external interface.
    local_gw6 str
    IPv6 address of the local gateway's external interface.
    localid str
    Local ID.
    localid_type str
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    loopback_asymroute str
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    mesh_selector_type str
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    mode str
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    mode_cfg str
    Enable/disable configuration method. Valid values: disable, enable.
    mode_cfg_allow_client_selector str
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    monitor str
    IPsec interface as backup for primary interface.
    monitor_hold_down_delay int
    Time to wait in seconds before recovery once primary re-establishes.
    monitor_hold_down_time str
    Time of day at which to fail back to primary after it re-establishes.
    monitor_hold_down_type str
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    monitor_hold_down_weekday str
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    monitor_min int
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    name str
    IPsec remote gateway name.
    nattraversal str
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    negotiate_timeout int
    IKE SA negotiation timeout in seconds (1 - 300).
    net_device str
    Enable/disable kernel device creation. Valid values: enable, disable.
    network_id int
    VPN gateway network ID.
    network_overlay str
    Enable/disable network overlays. Valid values: disable, enable.
    npu_offload str
    Enable/disable offloading NPU. Valid values: enable, disable.
    packet_redistribution str
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    passive_mode str
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    peer str
    Accept this peer certificate.
    peergrp str
    Accept this peer certificate group.
    peerid str
    Accept this peer identity.
    peertype str
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    ppk str
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    ppk_identity str
    IKEv2 Postquantum Preshared Key Identity.
    ppk_secret str
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    priority int
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    psksecret str
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    psksecret_remote str
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    qkd str
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    qkd_profile str
    Quantum Key Distribution (QKD) server profile.
    reauth str
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    rekey str
    Enable/disable phase1 rekey. Valid values: enable, disable.
    remote_gw str
    IPv4 address of the remote gateway's external interface.
    remote_gw6 str
    IPv6 address of the remote gateway's external interface.
    remote_gw6_country str
    IPv6 addresses associated to a specific country.
    remote_gw6_end_ip str
    Last IPv6 address in the range.
    remote_gw6_match str
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    remote_gw6_start_ip str
    First IPv6 address in the range.
    remote_gw6_subnet str
    IPv6 address and prefix.
    remote_gw_country str
    IPv4 addresses associated to a specific country.
    remote_gw_end_ip str
    Last IPv4 address in the range.
    remote_gw_match str
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    remote_gw_start_ip str
    First IPv4 address in the range.
    remote_gw_subnet str
    IPv4 address and subnet mask.
    remotegw_ddns str
    Domain name of remote gateway. For example, name.ddns.com.
    rsa_signature_format str
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    rsa_signature_hash_override str
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    save_password str
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    send_cert_chain str
    Enable/disable sending certificate chain. Valid values: enable, disable.
    signature_hash_alg str
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    split_include_service str
    Split-include services.
    suite_b str
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    transport str
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    tunnel_search str
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    type str
    Remote gateway type. Valid values: static, dynamic, ddns.
    unity_support str
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    usrgrp str
    User group name for dialup peers.
    vdomparam str
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    vni int
    VNI of VXLAN tunnel.
    wizard_type str
    GUI VPN Wizard Type.
    xauthtype str
    XAuth type. Valid values: disable, client, pap, chap, auto.
    interface String
    Local physical, aggregate, or VLAN outgoing interface.
    proposal String
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    acctVerify String
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    addGwRoute String
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    addRoute String
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    aggregateMember String
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    aggregateWeight Number
    Link weight for aggregate.
    assignIp String
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    assignIpFrom String
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    authmethod String
    Authentication method. Valid values: psk, signature.
    authmethodRemote String
    Authentication method (remote side). Valid values: psk, signature.
    authpasswd String
    XAuth password (max 35 characters).
    authusr String
    XAuth user name.
    authusrgrp String
    Authentication user group.
    autoDiscoveryCrossover String
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    autoDiscoveryForwarder String
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryOfferInterval Number
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    autoDiscoveryPsk String
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    autoDiscoveryReceiver String
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoverySender String
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryShortcuts String
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    autoNegotiate String
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    azureAdAutoconnect String
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    backupGateways List<Property Map>
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    String
    Message that unity client should display after connecting.
    certIdValidation String
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    certPeerUsernameStrip String
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    certPeerUsernameValidation String
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    certTrustStore String
    CA certificate trust store. Valid values: local, ems.
    certificates List<Property Map>
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    childlessIke String
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    clientAutoNegotiate String
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    clientKeepAlive String
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    clientResume String
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    clientResumeInterval Number
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    comments String
    Comment.
    defaultGw String
    IPv4 address of default route gateway to use for traffic exiting the interface.
    defaultGwPriority Number
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    devId String
    Device ID carried by the device ID notification.
    devIdNotification String
    Enable/disable device ID notification. Valid values: disable, enable.
    dhcp6RaLinkaddr String
    Relay agent IPv6 link address to use in DHCP6 requests.
    dhcpRaGiaddr String
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    dhgrp String
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    digitalSignatureAuth String
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    distance Number
    Distance for routes added by IKE (1 - 255).
    dnsMode String
    DNS server mode. Valid values: manual, auto.
    domain String
    Instruct unity clients about the default DNS domain.
    dpd String
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    dpdRetrycount Number
    Number of DPD retry attempts.
    dpdRetryinterval String
    DPD retry interval.
    dynamicSortSubtable String
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    eap String
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    eapCertAuth String
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    eapExcludePeergrp String
    Peer group excluded from EAP authentication.
    eapIdentity String
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    emsSnCheck String
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    encapLocalGw4 String
    Local IPv4 address of GRE/VXLAN tunnel.
    encapLocalGw6 String
    Local IPv6 address of GRE/VXLAN tunnel.
    encapRemoteGw4 String
    Remote IPv4 address of GRE/VXLAN tunnel.
    encapRemoteGw6 String
    Remote IPv6 address of GRE/VXLAN tunnel.
    encapsulation String
    Enable/disable GRE/VXLAN encapsulation.
    encapsulationAddress String
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    enforceUniqueId String
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    esn String
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    exchangeFgtDeviceId String
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    exchangeInterfaceIp String
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    exchangeIpAddr4 String
    IPv4 address to exchange with peers.
    exchangeIpAddr6 String
    IPv6 address to exchange with peers
    fallbackTcpThreshold Number
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    fecBase Number
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    fecCodec Number
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    fecCodecString String
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    fecEgress String
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    fecHealthCheck String
    SD-WAN health check.
    fecIngress String
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    fecMappingProfile String
    Forward Error Correction (FEC) mapping profile.
    fecReceiveTimeout Number
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    fecRedundant Number
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    fecSendTimeout Number
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    fgspSync String
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    forticlientEnforcement String
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    fortinetEsp String
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    fragmentation String
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    fragmentationMtu Number
    IKE fragmentation MTU (500 - 16000).
    getAllTables String
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    groupAuthentication String
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    groupAuthenticationSecret String
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    haSyncEspSeqno String
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    idleTimeout String
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    idleTimeoutinterval Number
    IPsec tunnel idle timeout in minutes (5 - 43200).
    ikeVersion String
    IKE protocol version. Valid values: 1, 2.
    inboundDscpCopy String
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    includeLocalLan String
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    internalDomainLists List<Property Map>
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    ipDelayInterval Number
    IP address reuse delay interval in seconds (0 - 28800).
    ipFragmentation String
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    ipVersion String
    IP version to use for VPN interface. Valid values: 4, 6.
    ipv4DnsServer1 String
    IPv4 DNS server 1.
    ipv4DnsServer2 String
    IPv4 DNS server 2.
    ipv4DnsServer3 String
    IPv4 DNS server 3.
    ipv4EndIp String
    End of IPv4 range.
    ipv4ExcludeRanges List<Property Map>
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    ipv4Name String
    IPv4 address name.
    ipv4Netmask String
    IPv4 Netmask.
    ipv4SplitExclude String
    IPv4 subnets that should not be sent over the IPsec tunnel.
    ipv4SplitInclude String
    IPv4 split-include subnets.
    ipv4StartIp String
    Start of IPv4 range.
    ipv4WinsServer1 String
    WINS server 1.
    ipv4WinsServer2 String
    WINS server 2.
    ipv6DnsServer1 String
    IPv6 DNS server 1.
    ipv6DnsServer2 String
    IPv6 DNS server 2.
    ipv6DnsServer3 String
    IPv6 DNS server 3.
    ipv6EndIp String
    End of IPv6 range.
    ipv6ExcludeRanges List<Property Map>
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    ipv6Name String
    IPv6 address name.
    ipv6Prefix Number
    IPv6 prefix.
    ipv6SplitExclude String
    IPv6 subnets that should not be sent over the IPsec tunnel.
    ipv6SplitInclude String
    IPv6 split-include subnets.
    ipv6StartIp String
    Start of IPv6 range.
    keepalive Number
    NAT-T keep alive interval.
    keylife Number
    Time to wait in seconds before phase 1 encryption key expires.
    kms String
    Key Management Services server.
    linkCost Number
    VPN tunnel underlay link cost.
    localGw String
    IPv4 address of the local gateway's external interface.
    localGw6 String
    IPv6 address of the local gateway's external interface.
    localid String
    Local ID.
    localidType String
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    loopbackAsymroute String
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    meshSelectorType String
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    mode String
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    modeCfg String
    Enable/disable configuration method. Valid values: disable, enable.
    modeCfgAllowClientSelector String
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    monitor String
    IPsec interface as backup for primary interface.
    monitorHoldDownDelay Number
    Time to wait in seconds before recovery once primary re-establishes.
    monitorHoldDownTime String
    Time of day at which to fail back to primary after it re-establishes.
    monitorHoldDownType String
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    monitorHoldDownWeekday String
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    monitorMin Number
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    name String
    IPsec remote gateway name.
    nattraversal String
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    negotiateTimeout Number
    IKE SA negotiation timeout in seconds (1 - 300).
    netDevice String
    Enable/disable kernel device creation. Valid values: enable, disable.
    networkId Number
    VPN gateway network ID.
    networkOverlay String
    Enable/disable network overlays. Valid values: disable, enable.
    npuOffload String
    Enable/disable offloading NPU. Valid values: enable, disable.
    packetRedistribution String
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    passiveMode String
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    peer String
    Accept this peer certificate.
    peergrp String
    Accept this peer certificate group.
    peerid String
    Accept this peer identity.
    peertype String
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    ppk String
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    ppkIdentity String
    IKEv2 Postquantum Preshared Key Identity.
    ppkSecret String
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    priority Number
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    psksecret String
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    psksecretRemote String
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    qkd String
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    qkdProfile String
    Quantum Key Distribution (QKD) server profile.
    reauth String
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    rekey String
    Enable/disable phase1 rekey. Valid values: enable, disable.
    remoteGw String
    IPv4 address of the remote gateway's external interface.
    remoteGw6 String
    IPv6 address of the remote gateway's external interface.
    remoteGw6Country String
    IPv6 addresses associated to a specific country.
    remoteGw6EndIp String
    Last IPv6 address in the range.
    remoteGw6Match String
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    remoteGw6StartIp String
    First IPv6 address in the range.
    remoteGw6Subnet String
    IPv6 address and prefix.
    remoteGwCountry String
    IPv4 addresses associated to a specific country.
    remoteGwEndIp String
    Last IPv4 address in the range.
    remoteGwMatch String
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    remoteGwStartIp String
    First IPv4 address in the range.
    remoteGwSubnet String
    IPv4 address and subnet mask.
    remotegwDdns String
    Domain name of remote gateway. For example, name.ddns.com.
    rsaSignatureFormat String
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    rsaSignatureHashOverride String
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    savePassword String
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    sendCertChain String
    Enable/disable sending certificate chain. Valid values: enable, disable.
    signatureHashAlg String
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    splitIncludeService String
    Split-include services.
    suiteB String
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    transport String
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    tunnelSearch String
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    type String
    Remote gateway type. Valid values: static, dynamic, ddns.
    unitySupport String
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    usrgrp String
    User group name for dialup peers.
    vdomparam String
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    vni Number
    VNI of VXLAN tunnel.
    wizardType String
    GUI VPN Wizard Type.
    xauthtype String
    XAuth type. Valid values: disable, client, pap, chap, auto.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Phase1interface resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Phase1interface Resource

    Get an existing Phase1interface resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: Phase1interfaceState, opts?: CustomResourceOptions): Phase1interface
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            acct_verify: Optional[str] = None,
            add_gw_route: Optional[str] = None,
            add_route: Optional[str] = None,
            aggregate_member: Optional[str] = None,
            aggregate_weight: Optional[int] = None,
            assign_ip: Optional[str] = None,
            assign_ip_from: Optional[str] = None,
            authmethod: Optional[str] = None,
            authmethod_remote: Optional[str] = None,
            authpasswd: Optional[str] = None,
            authusr: Optional[str] = None,
            authusrgrp: Optional[str] = None,
            auto_discovery_crossover: Optional[str] = None,
            auto_discovery_forwarder: Optional[str] = None,
            auto_discovery_offer_interval: Optional[int] = None,
            auto_discovery_psk: Optional[str] = None,
            auto_discovery_receiver: Optional[str] = None,
            auto_discovery_sender: Optional[str] = None,
            auto_discovery_shortcuts: Optional[str] = None,
            auto_negotiate: Optional[str] = None,
            azure_ad_autoconnect: Optional[str] = None,
            backup_gateways: Optional[Sequence[Phase1interfaceBackupGatewayArgs]] = None,
            banner: Optional[str] = None,
            cert_id_validation: Optional[str] = None,
            cert_peer_username_strip: Optional[str] = None,
            cert_peer_username_validation: Optional[str] = None,
            cert_trust_store: Optional[str] = None,
            certificates: Optional[Sequence[Phase1interfaceCertificateArgs]] = None,
            childless_ike: Optional[str] = None,
            client_auto_negotiate: Optional[str] = None,
            client_keep_alive: Optional[str] = None,
            client_resume: Optional[str] = None,
            client_resume_interval: Optional[int] = None,
            comments: Optional[str] = None,
            default_gw: Optional[str] = None,
            default_gw_priority: Optional[int] = None,
            dev_id: Optional[str] = None,
            dev_id_notification: Optional[str] = None,
            dhcp6_ra_linkaddr: Optional[str] = None,
            dhcp_ra_giaddr: Optional[str] = None,
            dhgrp: Optional[str] = None,
            digital_signature_auth: Optional[str] = None,
            distance: Optional[int] = None,
            dns_mode: Optional[str] = None,
            domain: Optional[str] = None,
            dpd: Optional[str] = None,
            dpd_retrycount: Optional[int] = None,
            dpd_retryinterval: Optional[str] = None,
            dynamic_sort_subtable: Optional[str] = None,
            eap: Optional[str] = None,
            eap_cert_auth: Optional[str] = None,
            eap_exclude_peergrp: Optional[str] = None,
            eap_identity: Optional[str] = None,
            ems_sn_check: Optional[str] = None,
            encap_local_gw4: Optional[str] = None,
            encap_local_gw6: Optional[str] = None,
            encap_remote_gw4: Optional[str] = None,
            encap_remote_gw6: Optional[str] = None,
            encapsulation: Optional[str] = None,
            encapsulation_address: Optional[str] = None,
            enforce_unique_id: Optional[str] = None,
            esn: Optional[str] = None,
            exchange_fgt_device_id: Optional[str] = None,
            exchange_interface_ip: Optional[str] = None,
            exchange_ip_addr4: Optional[str] = None,
            exchange_ip_addr6: Optional[str] = None,
            fallback_tcp_threshold: Optional[int] = None,
            fec_base: Optional[int] = None,
            fec_codec: Optional[int] = None,
            fec_codec_string: Optional[str] = None,
            fec_egress: Optional[str] = None,
            fec_health_check: Optional[str] = None,
            fec_ingress: Optional[str] = None,
            fec_mapping_profile: Optional[str] = None,
            fec_receive_timeout: Optional[int] = None,
            fec_redundant: Optional[int] = None,
            fec_send_timeout: Optional[int] = None,
            fgsp_sync: Optional[str] = None,
            forticlient_enforcement: Optional[str] = None,
            fortinet_esp: Optional[str] = None,
            fragmentation: Optional[str] = None,
            fragmentation_mtu: Optional[int] = None,
            get_all_tables: Optional[str] = None,
            group_authentication: Optional[str] = None,
            group_authentication_secret: Optional[str] = None,
            ha_sync_esp_seqno: Optional[str] = None,
            idle_timeout: Optional[str] = None,
            idle_timeoutinterval: Optional[int] = None,
            ike_version: Optional[str] = None,
            inbound_dscp_copy: Optional[str] = None,
            include_local_lan: Optional[str] = None,
            interface: Optional[str] = None,
            internal_domain_lists: Optional[Sequence[Phase1interfaceInternalDomainListArgs]] = None,
            ip_delay_interval: Optional[int] = None,
            ip_fragmentation: Optional[str] = None,
            ip_version: Optional[str] = None,
            ipv4_dns_server1: Optional[str] = None,
            ipv4_dns_server2: Optional[str] = None,
            ipv4_dns_server3: Optional[str] = None,
            ipv4_end_ip: Optional[str] = None,
            ipv4_exclude_ranges: Optional[Sequence[Phase1interfaceIpv4ExcludeRangeArgs]] = None,
            ipv4_name: Optional[str] = None,
            ipv4_netmask: Optional[str] = None,
            ipv4_split_exclude: Optional[str] = None,
            ipv4_split_include: Optional[str] = None,
            ipv4_start_ip: Optional[str] = None,
            ipv4_wins_server1: Optional[str] = None,
            ipv4_wins_server2: Optional[str] = None,
            ipv6_dns_server1: Optional[str] = None,
            ipv6_dns_server2: Optional[str] = None,
            ipv6_dns_server3: Optional[str] = None,
            ipv6_end_ip: Optional[str] = None,
            ipv6_exclude_ranges: Optional[Sequence[Phase1interfaceIpv6ExcludeRangeArgs]] = None,
            ipv6_name: Optional[str] = None,
            ipv6_prefix: Optional[int] = None,
            ipv6_split_exclude: Optional[str] = None,
            ipv6_split_include: Optional[str] = None,
            ipv6_start_ip: Optional[str] = None,
            keepalive: Optional[int] = None,
            keylife: Optional[int] = None,
            kms: Optional[str] = None,
            link_cost: Optional[int] = None,
            local_gw: Optional[str] = None,
            local_gw6: Optional[str] = None,
            localid: Optional[str] = None,
            localid_type: Optional[str] = None,
            loopback_asymroute: Optional[str] = None,
            mesh_selector_type: Optional[str] = None,
            mode: Optional[str] = None,
            mode_cfg: Optional[str] = None,
            mode_cfg_allow_client_selector: Optional[str] = None,
            monitor: Optional[str] = None,
            monitor_hold_down_delay: Optional[int] = None,
            monitor_hold_down_time: Optional[str] = None,
            monitor_hold_down_type: Optional[str] = None,
            monitor_hold_down_weekday: Optional[str] = None,
            monitor_min: Optional[int] = None,
            name: Optional[str] = None,
            nattraversal: Optional[str] = None,
            negotiate_timeout: Optional[int] = None,
            net_device: Optional[str] = None,
            network_id: Optional[int] = None,
            network_overlay: Optional[str] = None,
            npu_offload: Optional[str] = None,
            packet_redistribution: Optional[str] = None,
            passive_mode: Optional[str] = None,
            peer: Optional[str] = None,
            peergrp: Optional[str] = None,
            peerid: Optional[str] = None,
            peertype: Optional[str] = None,
            ppk: Optional[str] = None,
            ppk_identity: Optional[str] = None,
            ppk_secret: Optional[str] = None,
            priority: Optional[int] = None,
            proposal: Optional[str] = None,
            psksecret: Optional[str] = None,
            psksecret_remote: Optional[str] = None,
            qkd: Optional[str] = None,
            qkd_profile: Optional[str] = None,
            reauth: Optional[str] = None,
            rekey: Optional[str] = None,
            remote_gw: Optional[str] = None,
            remote_gw6: Optional[str] = None,
            remote_gw6_country: Optional[str] = None,
            remote_gw6_end_ip: Optional[str] = None,
            remote_gw6_match: Optional[str] = None,
            remote_gw6_start_ip: Optional[str] = None,
            remote_gw6_subnet: Optional[str] = None,
            remote_gw_country: Optional[str] = None,
            remote_gw_end_ip: Optional[str] = None,
            remote_gw_match: Optional[str] = None,
            remote_gw_start_ip: Optional[str] = None,
            remote_gw_subnet: Optional[str] = None,
            remotegw_ddns: Optional[str] = None,
            rsa_signature_format: Optional[str] = None,
            rsa_signature_hash_override: Optional[str] = None,
            save_password: Optional[str] = None,
            send_cert_chain: Optional[str] = None,
            signature_hash_alg: Optional[str] = None,
            split_include_service: Optional[str] = None,
            suite_b: Optional[str] = None,
            transport: Optional[str] = None,
            tunnel_search: Optional[str] = None,
            type: Optional[str] = None,
            unity_support: Optional[str] = None,
            usrgrp: Optional[str] = None,
            vdomparam: Optional[str] = None,
            vni: Optional[int] = None,
            wizard_type: Optional[str] = None,
            xauthtype: Optional[str] = None) -> Phase1interface
    func GetPhase1interface(ctx *Context, name string, id IDInput, state *Phase1interfaceState, opts ...ResourceOption) (*Phase1interface, error)
    public static Phase1interface Get(string name, Input<string> id, Phase1interfaceState? state, CustomResourceOptions? opts = null)
    public static Phase1interface get(String name, Output<String> id, Phase1interfaceState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AcctVerify string
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    AddGwRoute string
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    AddRoute string
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    AggregateMember string
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    AggregateWeight int
    Link weight for aggregate.
    AssignIp string
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    AssignIpFrom string
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    Authmethod string
    Authentication method. Valid values: psk, signature.
    AuthmethodRemote string
    Authentication method (remote side). Valid values: psk, signature.
    Authpasswd string
    XAuth password (max 35 characters).
    Authusr string
    XAuth user name.
    Authusrgrp string
    Authentication user group.
    AutoDiscoveryCrossover string
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    AutoDiscoveryForwarder string
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoveryOfferInterval int
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    AutoDiscoveryPsk string
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    AutoDiscoveryReceiver string
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoverySender string
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoveryShortcuts string
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    AutoNegotiate string
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    AzureAdAutoconnect string
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    BackupGateways List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceBackupGateway>
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    Banner string
    Message that unity client should display after connecting.
    CertIdValidation string
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    CertPeerUsernameStrip string
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    CertPeerUsernameValidation string
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    CertTrustStore string
    CA certificate trust store. Valid values: local, ems.
    Certificates List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceCertificate>
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    ChildlessIke string
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    ClientAutoNegotiate string
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    ClientKeepAlive string
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    ClientResume string
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    ClientResumeInterval int
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    Comments string
    Comment.
    DefaultGw string
    IPv4 address of default route gateway to use for traffic exiting the interface.
    DefaultGwPriority int
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    DevId string
    Device ID carried by the device ID notification.
    DevIdNotification string
    Enable/disable device ID notification. Valid values: disable, enable.
    Dhcp6RaLinkaddr string
    Relay agent IPv6 link address to use in DHCP6 requests.
    DhcpRaGiaddr string
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    Dhgrp string
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    DigitalSignatureAuth string
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    Distance int
    Distance for routes added by IKE (1 - 255).
    DnsMode string
    DNS server mode. Valid values: manual, auto.
    Domain string
    Instruct unity clients about the default DNS domain.
    Dpd string
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    DpdRetrycount int
    Number of DPD retry attempts.
    DpdRetryinterval string
    DPD retry interval.
    DynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    Eap string
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    EapCertAuth string
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    EapExcludePeergrp string
    Peer group excluded from EAP authentication.
    EapIdentity string
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    EmsSnCheck string
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    EncapLocalGw4 string
    Local IPv4 address of GRE/VXLAN tunnel.
    EncapLocalGw6 string
    Local IPv6 address of GRE/VXLAN tunnel.
    EncapRemoteGw4 string
    Remote IPv4 address of GRE/VXLAN tunnel.
    EncapRemoteGw6 string
    Remote IPv6 address of GRE/VXLAN tunnel.
    Encapsulation string
    Enable/disable GRE/VXLAN encapsulation.
    EncapsulationAddress string
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    EnforceUniqueId string
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    Esn string
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    ExchangeFgtDeviceId string
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    ExchangeInterfaceIp string
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    ExchangeIpAddr4 string
    IPv4 address to exchange with peers.
    ExchangeIpAddr6 string
    IPv6 address to exchange with peers
    FallbackTcpThreshold int
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    FecBase int
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    FecCodec int
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    FecCodecString string
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    FecEgress string
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    FecHealthCheck string
    SD-WAN health check.
    FecIngress string
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    FecMappingProfile string
    Forward Error Correction (FEC) mapping profile.
    FecReceiveTimeout int
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    FecRedundant int
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    FecSendTimeout int
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    FgspSync string
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    ForticlientEnforcement string
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    FortinetEsp string
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    Fragmentation string
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    FragmentationMtu int
    IKE fragmentation MTU (500 - 16000).
    GetAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    GroupAuthentication string
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    GroupAuthenticationSecret string
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    HaSyncEspSeqno string
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    IdleTimeout string
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    IdleTimeoutinterval int
    IPsec tunnel idle timeout in minutes (5 - 43200).
    IkeVersion string
    IKE protocol version. Valid values: 1, 2.
    InboundDscpCopy string
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    IncludeLocalLan string
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    Interface string
    Local physical, aggregate, or VLAN outgoing interface.
    InternalDomainLists List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceInternalDomainList>
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    IpDelayInterval int
    IP address reuse delay interval in seconds (0 - 28800).
    IpFragmentation string
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    IpVersion string
    IP version to use for VPN interface. Valid values: 4, 6.
    Ipv4DnsServer1 string
    IPv4 DNS server 1.
    Ipv4DnsServer2 string
    IPv4 DNS server 2.
    Ipv4DnsServer3 string
    IPv4 DNS server 3.
    Ipv4EndIp string
    End of IPv4 range.
    Ipv4ExcludeRanges List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceIpv4ExcludeRange>
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    Ipv4Name string
    IPv4 address name.
    Ipv4Netmask string
    IPv4 Netmask.
    Ipv4SplitExclude string
    IPv4 subnets that should not be sent over the IPsec tunnel.
    Ipv4SplitInclude string
    IPv4 split-include subnets.
    Ipv4StartIp string
    Start of IPv4 range.
    Ipv4WinsServer1 string
    WINS server 1.
    Ipv4WinsServer2 string
    WINS server 2.
    Ipv6DnsServer1 string
    IPv6 DNS server 1.
    Ipv6DnsServer2 string
    IPv6 DNS server 2.
    Ipv6DnsServer3 string
    IPv6 DNS server 3.
    Ipv6EndIp string
    End of IPv6 range.
    Ipv6ExcludeRanges List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceIpv6ExcludeRange>
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    Ipv6Name string
    IPv6 address name.
    Ipv6Prefix int
    IPv6 prefix.
    Ipv6SplitExclude string
    IPv6 subnets that should not be sent over the IPsec tunnel.
    Ipv6SplitInclude string
    IPv6 split-include subnets.
    Ipv6StartIp string
    Start of IPv6 range.
    Keepalive int
    NAT-T keep alive interval.
    Keylife int
    Time to wait in seconds before phase 1 encryption key expires.
    Kms string
    Key Management Services server.
    LinkCost int
    VPN tunnel underlay link cost.
    LocalGw string
    IPv4 address of the local gateway's external interface.
    LocalGw6 string
    IPv6 address of the local gateway's external interface.
    Localid string
    Local ID.
    LocalidType string
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    LoopbackAsymroute string
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    MeshSelectorType string
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    Mode string
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    ModeCfg string
    Enable/disable configuration method. Valid values: disable, enable.
    ModeCfgAllowClientSelector string
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    Monitor string
    IPsec interface as backup for primary interface.
    MonitorHoldDownDelay int
    Time to wait in seconds before recovery once primary re-establishes.
    MonitorHoldDownTime string
    Time of day at which to fail back to primary after it re-establishes.
    MonitorHoldDownType string
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    MonitorHoldDownWeekday string
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    MonitorMin int
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    Name string
    IPsec remote gateway name.
    Nattraversal string
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    NegotiateTimeout int
    IKE SA negotiation timeout in seconds (1 - 300).
    NetDevice string
    Enable/disable kernel device creation. Valid values: enable, disable.
    NetworkId int
    VPN gateway network ID.
    NetworkOverlay string
    Enable/disable network overlays. Valid values: disable, enable.
    NpuOffload string
    Enable/disable offloading NPU. Valid values: enable, disable.
    PacketRedistribution string
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    PassiveMode string
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    Peer string
    Accept this peer certificate.
    Peergrp string
    Accept this peer certificate group.
    Peerid string
    Accept this peer identity.
    Peertype string
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    Ppk string
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    PpkIdentity string
    IKEv2 Postquantum Preshared Key Identity.
    PpkSecret string
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    Priority int
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    Proposal string
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    Psksecret string
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    PsksecretRemote string
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    Qkd string
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    QkdProfile string
    Quantum Key Distribution (QKD) server profile.
    Reauth string
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    Rekey string
    Enable/disable phase1 rekey. Valid values: enable, disable.
    RemoteGw string
    IPv4 address of the remote gateway's external interface.
    RemoteGw6 string
    IPv6 address of the remote gateway's external interface.
    RemoteGw6Country string
    IPv6 addresses associated to a specific country.
    RemoteGw6EndIp string
    Last IPv6 address in the range.
    RemoteGw6Match string
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    RemoteGw6StartIp string
    First IPv6 address in the range.
    RemoteGw6Subnet string
    IPv6 address and prefix.
    RemoteGwCountry string
    IPv4 addresses associated to a specific country.
    RemoteGwEndIp string
    Last IPv4 address in the range.
    RemoteGwMatch string
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    RemoteGwStartIp string
    First IPv4 address in the range.
    RemoteGwSubnet string
    IPv4 address and subnet mask.
    RemotegwDdns string
    Domain name of remote gateway. For example, name.ddns.com.
    RsaSignatureFormat string
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    RsaSignatureHashOverride string
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    SavePassword string
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    SendCertChain string
    Enable/disable sending certificate chain. Valid values: enable, disable.
    SignatureHashAlg string
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    SplitIncludeService string
    Split-include services.
    SuiteB string
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    Transport string
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    TunnelSearch string
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    Type string
    Remote gateway type. Valid values: static, dynamic, ddns.
    UnitySupport string
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    Usrgrp string
    User group name for dialup peers.
    Vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    Vni int
    VNI of VXLAN tunnel.
    WizardType string
    GUI VPN Wizard Type.
    Xauthtype string
    XAuth type. Valid values: disable, client, pap, chap, auto.
    AcctVerify string
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    AddGwRoute string
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    AddRoute string
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    AggregateMember string
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    AggregateWeight int
    Link weight for aggregate.
    AssignIp string
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    AssignIpFrom string
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    Authmethod string
    Authentication method. Valid values: psk, signature.
    AuthmethodRemote string
    Authentication method (remote side). Valid values: psk, signature.
    Authpasswd string
    XAuth password (max 35 characters).
    Authusr string
    XAuth user name.
    Authusrgrp string
    Authentication user group.
    AutoDiscoveryCrossover string
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    AutoDiscoveryForwarder string
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoveryOfferInterval int
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    AutoDiscoveryPsk string
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    AutoDiscoveryReceiver string
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoverySender string
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    AutoDiscoveryShortcuts string
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    AutoNegotiate string
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    AzureAdAutoconnect string
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    BackupGateways []Phase1interfaceBackupGatewayArgs
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    Banner string
    Message that unity client should display after connecting.
    CertIdValidation string
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    CertPeerUsernameStrip string
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    CertPeerUsernameValidation string
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    CertTrustStore string
    CA certificate trust store. Valid values: local, ems.
    Certificates []Phase1interfaceCertificateArgs
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    ChildlessIke string
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    ClientAutoNegotiate string
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    ClientKeepAlive string
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    ClientResume string
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    ClientResumeInterval int
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    Comments string
    Comment.
    DefaultGw string
    IPv4 address of default route gateway to use for traffic exiting the interface.
    DefaultGwPriority int
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    DevId string
    Device ID carried by the device ID notification.
    DevIdNotification string
    Enable/disable device ID notification. Valid values: disable, enable.
    Dhcp6RaLinkaddr string
    Relay agent IPv6 link address to use in DHCP6 requests.
    DhcpRaGiaddr string
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    Dhgrp string
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    DigitalSignatureAuth string
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    Distance int
    Distance for routes added by IKE (1 - 255).
    DnsMode string
    DNS server mode. Valid values: manual, auto.
    Domain string
    Instruct unity clients about the default DNS domain.
    Dpd string
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    DpdRetrycount int
    Number of DPD retry attempts.
    DpdRetryinterval string
    DPD retry interval.
    DynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    Eap string
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    EapCertAuth string
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    EapExcludePeergrp string
    Peer group excluded from EAP authentication.
    EapIdentity string
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    EmsSnCheck string
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    EncapLocalGw4 string
    Local IPv4 address of GRE/VXLAN tunnel.
    EncapLocalGw6 string
    Local IPv6 address of GRE/VXLAN tunnel.
    EncapRemoteGw4 string
    Remote IPv4 address of GRE/VXLAN tunnel.
    EncapRemoteGw6 string
    Remote IPv6 address of GRE/VXLAN tunnel.
    Encapsulation string
    Enable/disable GRE/VXLAN encapsulation.
    EncapsulationAddress string
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    EnforceUniqueId string
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    Esn string
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    ExchangeFgtDeviceId string
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    ExchangeInterfaceIp string
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    ExchangeIpAddr4 string
    IPv4 address to exchange with peers.
    ExchangeIpAddr6 string
    IPv6 address to exchange with peers
    FallbackTcpThreshold int
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    FecBase int
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    FecCodec int
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    FecCodecString string
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    FecEgress string
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    FecHealthCheck string
    SD-WAN health check.
    FecIngress string
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    FecMappingProfile string
    Forward Error Correction (FEC) mapping profile.
    FecReceiveTimeout int
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    FecRedundant int
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    FecSendTimeout int
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    FgspSync string
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    ForticlientEnforcement string
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    FortinetEsp string
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    Fragmentation string
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    FragmentationMtu int
    IKE fragmentation MTU (500 - 16000).
    GetAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    GroupAuthentication string
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    GroupAuthenticationSecret string
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    HaSyncEspSeqno string
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    IdleTimeout string
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    IdleTimeoutinterval int
    IPsec tunnel idle timeout in minutes (5 - 43200).
    IkeVersion string
    IKE protocol version. Valid values: 1, 2.
    InboundDscpCopy string
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    IncludeLocalLan string
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    Interface string
    Local physical, aggregate, or VLAN outgoing interface.
    InternalDomainLists []Phase1interfaceInternalDomainListArgs
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    IpDelayInterval int
    IP address reuse delay interval in seconds (0 - 28800).
    IpFragmentation string
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    IpVersion string
    IP version to use for VPN interface. Valid values: 4, 6.
    Ipv4DnsServer1 string
    IPv4 DNS server 1.
    Ipv4DnsServer2 string
    IPv4 DNS server 2.
    Ipv4DnsServer3 string
    IPv4 DNS server 3.
    Ipv4EndIp string
    End of IPv4 range.
    Ipv4ExcludeRanges []Phase1interfaceIpv4ExcludeRangeArgs
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    Ipv4Name string
    IPv4 address name.
    Ipv4Netmask string
    IPv4 Netmask.
    Ipv4SplitExclude string
    IPv4 subnets that should not be sent over the IPsec tunnel.
    Ipv4SplitInclude string
    IPv4 split-include subnets.
    Ipv4StartIp string
    Start of IPv4 range.
    Ipv4WinsServer1 string
    WINS server 1.
    Ipv4WinsServer2 string
    WINS server 2.
    Ipv6DnsServer1 string
    IPv6 DNS server 1.
    Ipv6DnsServer2 string
    IPv6 DNS server 2.
    Ipv6DnsServer3 string
    IPv6 DNS server 3.
    Ipv6EndIp string
    End of IPv6 range.
    Ipv6ExcludeRanges []Phase1interfaceIpv6ExcludeRangeArgs
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    Ipv6Name string
    IPv6 address name.
    Ipv6Prefix int
    IPv6 prefix.
    Ipv6SplitExclude string
    IPv6 subnets that should not be sent over the IPsec tunnel.
    Ipv6SplitInclude string
    IPv6 split-include subnets.
    Ipv6StartIp string
    Start of IPv6 range.
    Keepalive int
    NAT-T keep alive interval.
    Keylife int
    Time to wait in seconds before phase 1 encryption key expires.
    Kms string
    Key Management Services server.
    LinkCost int
    VPN tunnel underlay link cost.
    LocalGw string
    IPv4 address of the local gateway's external interface.
    LocalGw6 string
    IPv6 address of the local gateway's external interface.
    Localid string
    Local ID.
    LocalidType string
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    LoopbackAsymroute string
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    MeshSelectorType string
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    Mode string
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    ModeCfg string
    Enable/disable configuration method. Valid values: disable, enable.
    ModeCfgAllowClientSelector string
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    Monitor string
    IPsec interface as backup for primary interface.
    MonitorHoldDownDelay int
    Time to wait in seconds before recovery once primary re-establishes.
    MonitorHoldDownTime string
    Time of day at which to fail back to primary after it re-establishes.
    MonitorHoldDownType string
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    MonitorHoldDownWeekday string
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    MonitorMin int
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    Name string
    IPsec remote gateway name.
    Nattraversal string
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    NegotiateTimeout int
    IKE SA negotiation timeout in seconds (1 - 300).
    NetDevice string
    Enable/disable kernel device creation. Valid values: enable, disable.
    NetworkId int
    VPN gateway network ID.
    NetworkOverlay string
    Enable/disable network overlays. Valid values: disable, enable.
    NpuOffload string
    Enable/disable offloading NPU. Valid values: enable, disable.
    PacketRedistribution string
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    PassiveMode string
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    Peer string
    Accept this peer certificate.
    Peergrp string
    Accept this peer certificate group.
    Peerid string
    Accept this peer identity.
    Peertype string
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    Ppk string
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    PpkIdentity string
    IKEv2 Postquantum Preshared Key Identity.
    PpkSecret string
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    Priority int
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    Proposal string
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    Psksecret string
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    PsksecretRemote string
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    Qkd string
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    QkdProfile string
    Quantum Key Distribution (QKD) server profile.
    Reauth string
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    Rekey string
    Enable/disable phase1 rekey. Valid values: enable, disable.
    RemoteGw string
    IPv4 address of the remote gateway's external interface.
    RemoteGw6 string
    IPv6 address of the remote gateway's external interface.
    RemoteGw6Country string
    IPv6 addresses associated to a specific country.
    RemoteGw6EndIp string
    Last IPv6 address in the range.
    RemoteGw6Match string
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    RemoteGw6StartIp string
    First IPv6 address in the range.
    RemoteGw6Subnet string
    IPv6 address and prefix.
    RemoteGwCountry string
    IPv4 addresses associated to a specific country.
    RemoteGwEndIp string
    Last IPv4 address in the range.
    RemoteGwMatch string
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    RemoteGwStartIp string
    First IPv4 address in the range.
    RemoteGwSubnet string
    IPv4 address and subnet mask.
    RemotegwDdns string
    Domain name of remote gateway. For example, name.ddns.com.
    RsaSignatureFormat string
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    RsaSignatureHashOverride string
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    SavePassword string
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    SendCertChain string
    Enable/disable sending certificate chain. Valid values: enable, disable.
    SignatureHashAlg string
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    SplitIncludeService string
    Split-include services.
    SuiteB string
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    Transport string
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    TunnelSearch string
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    Type string
    Remote gateway type. Valid values: static, dynamic, ddns.
    UnitySupport string
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    Usrgrp string
    User group name for dialup peers.
    Vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    Vni int
    VNI of VXLAN tunnel.
    WizardType string
    GUI VPN Wizard Type.
    Xauthtype string
    XAuth type. Valid values: disable, client, pap, chap, auto.
    acctVerify String
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    addGwRoute String
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    addRoute String
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    aggregateMember String
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    aggregateWeight Integer
    Link weight for aggregate.
    assignIp String
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    assignIpFrom String
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    authmethod String
    Authentication method. Valid values: psk, signature.
    authmethodRemote String
    Authentication method (remote side). Valid values: psk, signature.
    authpasswd String
    XAuth password (max 35 characters).
    authusr String
    XAuth user name.
    authusrgrp String
    Authentication user group.
    autoDiscoveryCrossover String
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    autoDiscoveryForwarder String
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryOfferInterval Integer
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    autoDiscoveryPsk String
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    autoDiscoveryReceiver String
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoverySender String
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryShortcuts String
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    autoNegotiate String
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    azureAdAutoconnect String
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    backupGateways List<Phase1interfaceBackupGateway>
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    banner String
    Message that unity client should display after connecting.
    certIdValidation String
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    certPeerUsernameStrip String
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    certPeerUsernameValidation String
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    certTrustStore String
    CA certificate trust store. Valid values: local, ems.
    certificates List<Phase1interfaceCertificate>
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    childlessIke String
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    clientAutoNegotiate String
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    clientKeepAlive String
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    clientResume String
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    clientResumeInterval Integer
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    comments String
    Comment.
    defaultGw String
    IPv4 address of default route gateway to use for traffic exiting the interface.
    defaultGwPriority Integer
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    devId String
    Device ID carried by the device ID notification.
    devIdNotification String
    Enable/disable device ID notification. Valid values: disable, enable.
    dhcp6RaLinkaddr String
    Relay agent IPv6 link address to use in DHCP6 requests.
    dhcpRaGiaddr String
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    dhgrp String
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    digitalSignatureAuth String
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    distance Integer
    Distance for routes added by IKE (1 - 255).
    dnsMode String
    DNS server mode. Valid values: manual, auto.
    domain String
    Instruct unity clients about the default DNS domain.
    dpd String
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    dpdRetrycount Integer
    Number of DPD retry attempts.
    dpdRetryinterval String
    DPD retry interval.
    dynamicSortSubtable String
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    eap String
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    eapCertAuth String
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    eapExcludePeergrp String
    Peer group excluded from EAP authentication.
    eapIdentity String
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    emsSnCheck String
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    encapLocalGw4 String
    Local IPv4 address of GRE/VXLAN tunnel.
    encapLocalGw6 String
    Local IPv6 address of GRE/VXLAN tunnel.
    encapRemoteGw4 String
    Remote IPv4 address of GRE/VXLAN tunnel.
    encapRemoteGw6 String
    Remote IPv6 address of GRE/VXLAN tunnel.
    encapsulation String
    Enable/disable GRE/VXLAN encapsulation.
    encapsulationAddress String
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    enforceUniqueId String
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    esn String
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    exchangeFgtDeviceId String
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    exchangeInterfaceIp String
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    exchangeIpAddr4 String
    IPv4 address to exchange with peers.
    exchangeIpAddr6 String
    IPv6 address to exchange with peers
    fallbackTcpThreshold Integer
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    fecBase Integer
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    fecCodec Integer
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    fecCodecString String
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    fecEgress String
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    fecHealthCheck String
    SD-WAN health check.
    fecIngress String
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    fecMappingProfile String
    Forward Error Correction (FEC) mapping profile.
    fecReceiveTimeout Integer
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    fecRedundant Integer
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    fecSendTimeout Integer
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    fgspSync String
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    forticlientEnforcement String
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    fortinetEsp String
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    fragmentation String
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    fragmentationMtu Integer
    IKE fragmentation MTU (500 - 16000).
    getAllTables String
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    groupAuthentication String
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    groupAuthenticationSecret String
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    haSyncEspSeqno String
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    idleTimeout String
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    idleTimeoutinterval Integer
    IPsec tunnel idle timeout in minutes (5 - 43200).
    ikeVersion String
    IKE protocol version. Valid values: 1, 2.
    inboundDscpCopy String
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    includeLocalLan String
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    interface_ String
    Local physical, aggregate, or VLAN outgoing interface.
    internalDomainLists List<Phase1interfaceInternalDomainList>
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    ipDelayInterval Integer
    IP address reuse delay interval in seconds (0 - 28800).
    ipFragmentation String
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    ipVersion String
    IP version to use for VPN interface. Valid values: 4, 6.
    ipv4DnsServer1 String
    IPv4 DNS server 1.
    ipv4DnsServer2 String
    IPv4 DNS server 2.
    ipv4DnsServer3 String
    IPv4 DNS server 3.
    ipv4EndIp String
    End of IPv4 range.
    ipv4ExcludeRanges List<Phase1interfaceIpv4ExcludeRange>
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    ipv4Name String
    IPv4 address name.
    ipv4Netmask String
    IPv4 Netmask.
    ipv4SplitExclude String
    IPv4 subnets that should not be sent over the IPsec tunnel.
    ipv4SplitInclude String
    IPv4 split-include subnets.
    ipv4StartIp String
    Start of IPv4 range.
    ipv4WinsServer1 String
    WINS server 1.
    ipv4WinsServer2 String
    WINS server 2.
    ipv6DnsServer1 String
    IPv6 DNS server 1.
    ipv6DnsServer2 String
    IPv6 DNS server 2.
    ipv6DnsServer3 String
    IPv6 DNS server 3.
    ipv6EndIp String
    End of IPv6 range.
    ipv6ExcludeRanges List<Phase1interfaceIpv6ExcludeRange>
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    ipv6Name String
    IPv6 address name.
    ipv6Prefix Integer
    IPv6 prefix.
    ipv6SplitExclude String
    IPv6 subnets that should not be sent over the IPsec tunnel.
    ipv6SplitInclude String
    IPv6 split-include subnets.
    ipv6StartIp String
    Start of IPv6 range.
    keepalive Integer
    NAT-T keep alive interval.
    keylife Integer
    Time to wait in seconds before phase 1 encryption key expires.
    kms String
    Key Management Services server.
    linkCost Integer
    VPN tunnel underlay link cost.
    localGw String
    IPv4 address of the local gateway's external interface.
    localGw6 String
    IPv6 address of the local gateway's external interface.
    localid String
    Local ID.
    localidType String
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    loopbackAsymroute String
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    meshSelectorType String
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    mode String
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    modeCfg String
    Enable/disable configuration method. Valid values: disable, enable.
    modeCfgAllowClientSelector String
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    monitor String
    IPsec interface as backup for primary interface.
    monitorHoldDownDelay Integer
    Time to wait in seconds before recovery once primary re-establishes.
    monitorHoldDownTime String
    Time of day at which to fail back to primary after it re-establishes.
    monitorHoldDownType String
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    monitorHoldDownWeekday String
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    monitorMin Integer
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    name String
    IPsec remote gateway name.
    nattraversal String
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    negotiateTimeout Integer
    IKE SA negotiation timeout in seconds (1 - 300).
    netDevice String
    Enable/disable kernel device creation. Valid values: enable, disable.
    networkId Integer
    VPN gateway network ID.
    networkOverlay String
    Enable/disable network overlays. Valid values: disable, enable.
    npuOffload String
    Enable/disable offloading NPU. Valid values: enable, disable.
    packetRedistribution String
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    passiveMode String
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    peer String
    Accept this peer certificate.
    peergrp String
    Accept this peer certificate group.
    peerid String
    Accept this peer identity.
    peertype String
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    ppk String
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    ppkIdentity String
    IKEv2 Postquantum Preshared Key Identity.
    ppkSecret String
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    priority Integer
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    proposal String
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    psksecret String
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    psksecretRemote String
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    qkd String
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    qkdProfile String
    Quantum Key Distribution (QKD) server profile.
    reauth String
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    rekey String
    Enable/disable phase1 rekey. Valid values: enable, disable.
    remoteGw String
    IPv4 address of the remote gateway's external interface.
    remoteGw6 String
    IPv6 address of the remote gateway's external interface.
    remoteGw6Country String
    IPv6 addresses associated to a specific country.
    remoteGw6EndIp String
    Last IPv6 address in the range.
    remoteGw6Match String
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    remoteGw6StartIp String
    First IPv6 address in the range.
    remoteGw6Subnet String
    IPv6 address and prefix.
    remoteGwCountry String
    IPv4 addresses associated to a specific country.
    remoteGwEndIp String
    Last IPv4 address in the range.
    remoteGwMatch String
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    remoteGwStartIp String
    First IPv4 address in the range.
    remoteGwSubnet String
    IPv4 address and subnet mask.
    remotegwDdns String
    Domain name of remote gateway. For example, name.ddns.com.
    rsaSignatureFormat String
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    rsaSignatureHashOverride String
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    savePassword String
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    sendCertChain String
    Enable/disable sending certificate chain. Valid values: enable, disable.
    signatureHashAlg String
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    splitIncludeService String
    Split-include services.
    suiteB String
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    transport String
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    tunnelSearch String
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    type String
    Remote gateway type. Valid values: static, dynamic, ddns.
    unitySupport String
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    usrgrp String
    User group name for dialup peers.
    vdomparam String
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    vni Integer
    VNI of VXLAN tunnel.
    wizardType String
    GUI VPN Wizard Type.
    xauthtype String
    XAuth type. Valid values: disable, client, pap, chap, auto.
    acctVerify string
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    addGwRoute string
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    addRoute string
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    aggregateMember string
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    aggregateWeight number
    Link weight for aggregate.
    assignIp string
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    assignIpFrom string
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    authmethod string
    Authentication method. Valid values: psk, signature.
    authmethodRemote string
    Authentication method (remote side). Valid values: psk, signature.
    authpasswd string
    XAuth password (max 35 characters).
    authusr string
    XAuth user name.
    authusrgrp string
    Authentication user group.
    autoDiscoveryCrossover string
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    autoDiscoveryForwarder string
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryOfferInterval number
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    autoDiscoveryPsk string
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    autoDiscoveryReceiver string
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoverySender string
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryShortcuts string
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    autoNegotiate string
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    azureAdAutoconnect string
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    backupGateways Phase1interfaceBackupGateway[]
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    banner string
    Message that unity client should display after connecting.
    certIdValidation string
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    certPeerUsernameStrip string
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    certPeerUsernameValidation string
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    certTrustStore string
    CA certificate trust store. Valid values: local, ems.
    certificates Phase1interfaceCertificate[]
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    childlessIke string
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    clientAutoNegotiate string
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    clientKeepAlive string
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    clientResume string
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    clientResumeInterval number
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    comments string
    Comment.
    defaultGw string
    IPv4 address of default route gateway to use for traffic exiting the interface.
    defaultGwPriority number
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    devId string
    Device ID carried by the device ID notification.
    devIdNotification string
    Enable/disable device ID notification. Valid values: disable, enable.
    dhcp6RaLinkaddr string
    Relay agent IPv6 link address to use in DHCP6 requests.
    dhcpRaGiaddr string
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    dhgrp string
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    digitalSignatureAuth string
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    distance number
    Distance for routes added by IKE (1 - 255).
    dnsMode string
    DNS server mode. Valid values: manual, auto.
    domain string
    Instruct unity clients about the default DNS domain.
    dpd string
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    dpdRetrycount number
    Number of DPD retry attempts.
    dpdRetryinterval string
    DPD retry interval.
    dynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    eap string
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    eapCertAuth string
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    eapExcludePeergrp string
    Peer group excluded from EAP authentication.
    eapIdentity string
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    emsSnCheck string
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    encapLocalGw4 string
    Local IPv4 address of GRE/VXLAN tunnel.
    encapLocalGw6 string
    Local IPv6 address of GRE/VXLAN tunnel.
    encapRemoteGw4 string
    Remote IPv4 address of GRE/VXLAN tunnel.
    encapRemoteGw6 string
    Remote IPv6 address of GRE/VXLAN tunnel.
    encapsulation string
    Enable/disable GRE/VXLAN encapsulation.
    encapsulationAddress string
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    enforceUniqueId string
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    esn string
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    exchangeFgtDeviceId string
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    exchangeInterfaceIp string
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    exchangeIpAddr4 string
    IPv4 address to exchange with peers.
    exchangeIpAddr6 string
    IPv6 address to exchange with peers
    fallbackTcpThreshold number
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    fecBase number
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    fecCodec number
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    fecCodecString string
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    fecEgress string
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    fecHealthCheck string
    SD-WAN health check.
    fecIngress string
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    fecMappingProfile string
    Forward Error Correction (FEC) mapping profile.
    fecReceiveTimeout number
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    fecRedundant number
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    fecSendTimeout number
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    fgspSync string
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    forticlientEnforcement string
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    fortinetEsp string
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    fragmentation string
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    fragmentationMtu number
    IKE fragmentation MTU (500 - 16000).
    getAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    groupAuthentication string
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    groupAuthenticationSecret string
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    haSyncEspSeqno string
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    idleTimeout string
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    idleTimeoutinterval number
    IPsec tunnel idle timeout in minutes (5 - 43200).
    ikeVersion string
    IKE protocol version. Valid values: 1, 2.
    inboundDscpCopy string
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    includeLocalLan string
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    interface string
    Local physical, aggregate, or VLAN outgoing interface.
    internalDomainLists Phase1interfaceInternalDomainList[]
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    ipDelayInterval number
    IP address reuse delay interval in seconds (0 - 28800).
    ipFragmentation string
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    ipVersion string
    IP version to use for VPN interface. Valid values: 4, 6.
    ipv4DnsServer1 string
    IPv4 DNS server 1.
    ipv4DnsServer2 string
    IPv4 DNS server 2.
    ipv4DnsServer3 string
    IPv4 DNS server 3.
    ipv4EndIp string
    End of IPv4 range.
    ipv4ExcludeRanges Phase1interfaceIpv4ExcludeRange[]
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    ipv4Name string
    IPv4 address name.
    ipv4Netmask string
    IPv4 Netmask.
    ipv4SplitExclude string
    IPv4 subnets that should not be sent over the IPsec tunnel.
    ipv4SplitInclude string
    IPv4 split-include subnets.
    ipv4StartIp string
    Start of IPv4 range.
    ipv4WinsServer1 string
    WINS server 1.
    ipv4WinsServer2 string
    WINS server 2.
    ipv6DnsServer1 string
    IPv6 DNS server 1.
    ipv6DnsServer2 string
    IPv6 DNS server 2.
    ipv6DnsServer3 string
    IPv6 DNS server 3.
    ipv6EndIp string
    End of IPv6 range.
    ipv6ExcludeRanges Phase1interfaceIpv6ExcludeRange[]
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    ipv6Name string
    IPv6 address name.
    ipv6Prefix number
    IPv6 prefix.
    ipv6SplitExclude string
    IPv6 subnets that should not be sent over the IPsec tunnel.
    ipv6SplitInclude string
    IPv6 split-include subnets.
    ipv6StartIp string
    Start of IPv6 range.
    keepalive number
    NAT-T keep alive interval.
    keylife number
    Time to wait in seconds before phase 1 encryption key expires.
    kms string
    Key Management Services server.
    linkCost number
    VPN tunnel underlay link cost.
    localGw string
    IPv4 address of the local gateway's external interface.
    localGw6 string
    IPv6 address of the local gateway's external interface.
    localid string
    Local ID.
    localidType string
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    loopbackAsymroute string
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    meshSelectorType string
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    mode string
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    modeCfg string
    Enable/disable configuration method. Valid values: disable, enable.
    modeCfgAllowClientSelector string
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    monitor string
    IPsec interface as backup for primary interface.
    monitorHoldDownDelay number
    Time to wait in seconds before recovery once primary re-establishes.
    monitorHoldDownTime string
    Time of day at which to fail back to primary after it re-establishes.
    monitorHoldDownType string
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    monitorHoldDownWeekday string
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    monitorMin number
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    name string
    IPsec remote gateway name.
    nattraversal string
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    negotiateTimeout number
    IKE SA negotiation timeout in seconds (1 - 300).
    netDevice string
    Enable/disable kernel device creation. Valid values: enable, disable.
    networkId number
    VPN gateway network ID.
    networkOverlay string
    Enable/disable network overlays. Valid values: disable, enable.
    npuOffload string
    Enable/disable offloading NPU. Valid values: enable, disable.
    packetRedistribution string
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    passiveMode string
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    peer string
    Accept this peer certificate.
    peergrp string
    Accept this peer certificate group.
    peerid string
    Accept this peer identity.
    peertype string
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    ppk string
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    ppkIdentity string
    IKEv2 Postquantum Preshared Key Identity.
    ppkSecret string
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    priority number
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    proposal string
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    psksecret string
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    psksecretRemote string
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    qkd string
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    qkdProfile string
    Quantum Key Distribution (QKD) server profile.
    reauth string
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    rekey string
    Enable/disable phase1 rekey. Valid values: enable, disable.
    remoteGw string
    IPv4 address of the remote gateway's external interface.
    remoteGw6 string
    IPv6 address of the remote gateway's external interface.
    remoteGw6Country string
    IPv6 addresses associated to a specific country.
    remoteGw6EndIp string
    Last IPv6 address in the range.
    remoteGw6Match string
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    remoteGw6StartIp string
    First IPv6 address in the range.
    remoteGw6Subnet string
    IPv6 address and prefix.
    remoteGwCountry string
    IPv4 addresses associated to a specific country.
    remoteGwEndIp string
    Last IPv4 address in the range.
    remoteGwMatch string
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    remoteGwStartIp string
    First IPv4 address in the range.
    remoteGwSubnet string
    IPv4 address and subnet mask.
    remotegwDdns string
    Domain name of remote gateway. For example, name.ddns.com.
    rsaSignatureFormat string
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    rsaSignatureHashOverride string
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    savePassword string
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    sendCertChain string
    Enable/disable sending certificate chain. Valid values: enable, disable.
    signatureHashAlg string
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    splitIncludeService string
    Split-include services.
    suiteB string
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    transport string
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    tunnelSearch string
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    type string
    Remote gateway type. Valid values: static, dynamic, ddns.
    unitySupport string
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    usrgrp string
    User group name for dialup peers.
    vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    vni number
    VNI of VXLAN tunnel.
    wizardType string
    GUI VPN Wizard Type.
    xauthtype string
    XAuth type. Valid values: disable, client, pap, chap, auto.
    acct_verify str
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    add_gw_route str
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    add_route str
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    aggregate_member str
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    aggregate_weight int
    Link weight for aggregate.
    assign_ip str
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    assign_ip_from str
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    authmethod str
    Authentication method. Valid values: psk, signature.
    authmethod_remote str
    Authentication method (remote side). Valid values: psk, signature.
    authpasswd str
    XAuth password (max 35 characters).
    authusr str
    XAuth user name.
    authusrgrp str
    Authentication user group.
    auto_discovery_crossover str
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    auto_discovery_forwarder str
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    auto_discovery_offer_interval int
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    auto_discovery_psk str
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    auto_discovery_receiver str
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    auto_discovery_sender str
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    auto_discovery_shortcuts str
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    auto_negotiate str
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    azure_ad_autoconnect str
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    backup_gateways Sequence[Phase1interfaceBackupGatewayArgs]
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    banner str
    Message that unity client should display after connecting.
    cert_id_validation str
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    cert_peer_username_strip str
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    cert_peer_username_validation str
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    cert_trust_store str
    CA certificate trust store. Valid values: local, ems.
    certificates Sequence[Phase1interfaceCertificateArgs]
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    childless_ike str
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    client_auto_negotiate str
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    client_keep_alive str
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    client_resume str
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    client_resume_interval int
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    comments str
    Comment.
    default_gw str
    IPv4 address of default route gateway to use for traffic exiting the interface.
    default_gw_priority int
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    dev_id str
    Device ID carried by the device ID notification.
    dev_id_notification str
    Enable/disable device ID notification. Valid values: disable, enable.
    dhcp6_ra_linkaddr str
    Relay agent IPv6 link address to use in DHCP6 requests.
    dhcp_ra_giaddr str
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    dhgrp str
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    digital_signature_auth str
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    distance int
    Distance for routes added by IKE (1 - 255).
    dns_mode str
    DNS server mode. Valid values: manual, auto.
    domain str
    Instruct unity clients about the default DNS domain.
    dpd str
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    dpd_retrycount int
    Number of DPD retry attempts.
    dpd_retryinterval str
    DPD retry interval.
    dynamic_sort_subtable str
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    eap str
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    eap_cert_auth str
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    eap_exclude_peergrp str
    Peer group excluded from EAP authentication.
    eap_identity str
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    ems_sn_check str
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    encap_local_gw4 str
    Local IPv4 address of GRE/VXLAN tunnel.
    encap_local_gw6 str
    Local IPv6 address of GRE/VXLAN tunnel.
    encap_remote_gw4 str
    Remote IPv4 address of GRE/VXLAN tunnel.
    encap_remote_gw6 str
    Remote IPv6 address of GRE/VXLAN tunnel.
    encapsulation str
    Enable/disable GRE/VXLAN encapsulation.
    encapsulation_address str
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    enforce_unique_id str
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    esn str
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    exchange_fgt_device_id str
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    exchange_interface_ip str
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    exchange_ip_addr4 str
    IPv4 address to exchange with peers.
    exchange_ip_addr6 str
    IPv6 address to exchange with peers
    fallback_tcp_threshold int
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    fec_base int
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    fec_codec int
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    fec_codec_string str
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    fec_egress str
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    fec_health_check str
    SD-WAN health check.
    fec_ingress str
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    fec_mapping_profile str
    Forward Error Correction (FEC) mapping profile.
    fec_receive_timeout int
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    fec_redundant int
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    fec_send_timeout int
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    fgsp_sync str
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    forticlient_enforcement str
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    fortinet_esp str
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    fragmentation str
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    fragmentation_mtu int
    IKE fragmentation MTU (500 - 16000).
    get_all_tables str
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    group_authentication str
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    group_authentication_secret str
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    ha_sync_esp_seqno str
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    idle_timeout str
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    idle_timeoutinterval int
    IPsec tunnel idle timeout in minutes (5 - 43200).
    ike_version str
    IKE protocol version. Valid values: 1, 2.
    inbound_dscp_copy str
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    include_local_lan str
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    interface str
    Local physical, aggregate, or VLAN outgoing interface.
    internal_domain_lists Sequence[Phase1interfaceInternalDomainListArgs]
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    ip_delay_interval int
    IP address reuse delay interval in seconds (0 - 28800).
    ip_fragmentation str
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    ip_version str
    IP version to use for VPN interface. Valid values: 4, 6.
    ipv4_dns_server1 str
    IPv4 DNS server 1.
    ipv4_dns_server2 str
    IPv4 DNS server 2.
    ipv4_dns_server3 str
    IPv4 DNS server 3.
    ipv4_end_ip str
    End of IPv4 range.
    ipv4_exclude_ranges Sequence[Phase1interfaceIpv4ExcludeRangeArgs]
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    ipv4_name str
    IPv4 address name.
    ipv4_netmask str
    IPv4 Netmask.
    ipv4_split_exclude str
    IPv4 subnets that should not be sent over the IPsec tunnel.
    ipv4_split_include str
    IPv4 split-include subnets.
    ipv4_start_ip str
    Start of IPv4 range.
    ipv4_wins_server1 str
    WINS server 1.
    ipv4_wins_server2 str
    WINS server 2.
    ipv6_dns_server1 str
    IPv6 DNS server 1.
    ipv6_dns_server2 str
    IPv6 DNS server 2.
    ipv6_dns_server3 str
    IPv6 DNS server 3.
    ipv6_end_ip str
    End of IPv6 range.
    ipv6_exclude_ranges Sequence[Phase1interfaceIpv6ExcludeRangeArgs]
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    ipv6_name str
    IPv6 address name.
    ipv6_prefix int
    IPv6 prefix.
    ipv6_split_exclude str
    IPv6 subnets that should not be sent over the IPsec tunnel.
    ipv6_split_include str
    IPv6 split-include subnets.
    ipv6_start_ip str
    Start of IPv6 range.
    keepalive int
    NAT-T keep alive interval.
    keylife int
    Time to wait in seconds before phase 1 encryption key expires.
    kms str
    Key Management Services server.
    link_cost int
    VPN tunnel underlay link cost.
    local_gw str
    IPv4 address of the local gateway's external interface.
    local_gw6 str
    IPv6 address of the local gateway's external interface.
    localid str
    Local ID.
    localid_type str
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    loopback_asymroute str
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    mesh_selector_type str
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    mode str
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    mode_cfg str
    Enable/disable configuration method. Valid values: disable, enable.
    mode_cfg_allow_client_selector str
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    monitor str
    IPsec interface as backup for primary interface.
    monitor_hold_down_delay int
    Time to wait in seconds before recovery once primary re-establishes.
    monitor_hold_down_time str
    Time of day at which to fail back to primary after it re-establishes.
    monitor_hold_down_type str
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    monitor_hold_down_weekday str
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    monitor_min int
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    name str
    IPsec remote gateway name.
    nattraversal str
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    negotiate_timeout int
    IKE SA negotiation timeout in seconds (1 - 300).
    net_device str
    Enable/disable kernel device creation. Valid values: enable, disable.
    network_id int
    VPN gateway network ID.
    network_overlay str
    Enable/disable network overlays. Valid values: disable, enable.
    npu_offload str
    Enable/disable offloading NPU. Valid values: enable, disable.
    packet_redistribution str
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    passive_mode str
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    peer str
    Accept this peer certificate.
    peergrp str
    Accept this peer certificate group.
    peerid str
    Accept this peer identity.
    peertype str
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    ppk str
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    ppk_identity str
    IKEv2 Postquantum Preshared Key Identity.
    ppk_secret str
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    priority int
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    proposal str
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    psksecret str
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    psksecret_remote str
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    qkd str
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    qkd_profile str
    Quantum Key Distribution (QKD) server profile.
    reauth str
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    rekey str
    Enable/disable phase1 rekey. Valid values: enable, disable.
    remote_gw str
    IPv4 address of the remote gateway's external interface.
    remote_gw6 str
    IPv6 address of the remote gateway's external interface.
    remote_gw6_country str
    IPv6 addresses associated to a specific country.
    remote_gw6_end_ip str
    Last IPv6 address in the range.
    remote_gw6_match str
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    remote_gw6_start_ip str
    First IPv6 address in the range.
    remote_gw6_subnet str
    IPv6 address and prefix.
    remote_gw_country str
    IPv4 addresses associated to a specific country.
    remote_gw_end_ip str
    Last IPv4 address in the range.
    remote_gw_match str
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    remote_gw_start_ip str
    First IPv4 address in the range.
    remote_gw_subnet str
    IPv4 address and subnet mask.
    remotegw_ddns str
    Domain name of remote gateway. For example, name.ddns.com.
    rsa_signature_format str
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    rsa_signature_hash_override str
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    save_password str
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    send_cert_chain str
    Enable/disable sending certificate chain. Valid values: enable, disable.
    signature_hash_alg str
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    split_include_service str
    Split-include services.
    suite_b str
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    transport str
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    tunnel_search str
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    type str
    Remote gateway type. Valid values: static, dynamic, ddns.
    unity_support str
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    usrgrp str
    User group name for dialup peers.
    vdomparam str
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    vni int
    VNI of VXLAN tunnel.
    wizard_type str
    GUI VPN Wizard Type.
    xauthtype str
    XAuth type. Valid values: disable, client, pap, chap, auto.
    acctVerify String
    Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
    addGwRoute String
    Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
    addRoute String
    Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
    aggregateMember String
    Enable/disable use as an aggregate member. Valid values: enable, disable.
    aggregateWeight Number
    Link weight for aggregate.
    assignIp String
    Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
    assignIpFrom String
    Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
    authmethod String
    Authentication method. Valid values: psk, signature.
    authmethodRemote String
    Authentication method (remote side). Valid values: psk, signature.
    authpasswd String
    XAuth password (max 35 characters).
    authusr String
    XAuth user name.
    authusrgrp String
    Authentication user group.
    autoDiscoveryCrossover String
    Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
    autoDiscoveryForwarder String
    Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryOfferInterval Number
    Interval between shortcut offer messages in seconds (1 - 300, default = 5).
    autoDiscoveryPsk String
    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
    autoDiscoveryReceiver String
    Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoverySender String
    Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
    autoDiscoveryShortcuts String
    Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
    autoNegotiate String
    Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
    azureAdAutoconnect String
    Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
    backupGateways List<Property Map>
    Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
    banner String
    Message that unity client should display after connecting.
    certIdValidation String
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
    certPeerUsernameStrip String
    Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
    certPeerUsernameValidation String
    Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
    certTrustStore String
    CA certificate trust store. Valid values: local, ems.
    certificates List<Property Map>
    The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
    childlessIke String
    Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
    clientAutoNegotiate String
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
    clientKeepAlive String
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
    clientResume String
    Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
    clientResumeInterval Number
    Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
    comments String
    Comment.
    defaultGw String
    IPv4 address of default route gateway to use for traffic exiting the interface.
    defaultGwPriority Number
    Priority for default gateway route. A higher priority number signifies a less preferred route.
    devId String
    Device ID carried by the device ID notification.
    devIdNotification String
    Enable/disable device ID notification. Valid values: disable, enable.
    dhcp6RaLinkaddr String
    Relay agent IPv6 link address to use in DHCP6 requests.
    dhcpRaGiaddr String
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.
    dhgrp String
    DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
    digitalSignatureAuth String
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
    distance Number
    Distance for routes added by IKE (1 - 255).
    dnsMode String
    DNS server mode. Valid values: manual, auto.
    domain String
    Instruct unity clients about the default DNS domain.
    dpd String
    Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
    dpdRetrycount Number
    Number of DPD retry attempts.
    dpdRetryinterval String
    DPD retry interval.
    dynamicSortSubtable String
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    eap String
    Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
    eapCertAuth String
    Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
    eapExcludePeergrp String
    Peer group excluded from EAP authentication.
    eapIdentity String
    IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
    emsSnCheck String
    Enable/disable verification of EMS serial number. Valid values: enable, disable.
    encapLocalGw4 String
    Local IPv4 address of GRE/VXLAN tunnel.
    encapLocalGw6 String
    Local IPv6 address of GRE/VXLAN tunnel.
    encapRemoteGw4 String
    Remote IPv4 address of GRE/VXLAN tunnel.
    encapRemoteGw6 String
    Remote IPv6 address of GRE/VXLAN tunnel.
    encapsulation String
    Enable/disable GRE/VXLAN encapsulation.
    encapsulationAddress String
    Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
    enforceUniqueId String
    Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
    esn String
    Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
    exchangeFgtDeviceId String
    Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
    exchangeInterfaceIp String
    Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
    exchangeIpAddr4 String
    IPv4 address to exchange with peers.
    exchangeIpAddr6 String
    IPv6 address to exchange with peers
    fallbackTcpThreshold Number
    Timeout in seconds before falling back IKE/IPsec traffic to tcp.
    fecBase Number
    Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
    fecCodec Number
    ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
    fecCodecString String
    Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
    fecEgress String
    Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
    fecHealthCheck String
    SD-WAN health check.
    fecIngress String
    Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
    fecMappingProfile String
    Forward Error Correction (FEC) mapping profile.
    fecReceiveTimeout Number
    Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
    fecRedundant Number
    Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
    fecSendTimeout Number
    Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
    fgspSync String
    Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
    forticlientEnforcement String
    Enable/disable FortiClient enforcement. Valid values: enable, disable.
    fortinetEsp String
    Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
    fragmentation String
    Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
    fragmentationMtu Number
    IKE fragmentation MTU (500 - 16000).
    getAllTables String
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    groupAuthentication String
    Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
    groupAuthenticationSecret String
    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
    haSyncEspSeqno String
    Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
    idleTimeout String
    Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
    idleTimeoutinterval Number
    IPsec tunnel idle timeout in minutes (5 - 43200).
    ikeVersion String
    IKE protocol version. Valid values: 1, 2.
    inboundDscpCopy String
    Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
    includeLocalLan String
    Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
    interface String
    Local physical, aggregate, or VLAN outgoing interface.
    internalDomainLists List<Property Map>
    One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
    ipDelayInterval Number
    IP address reuse delay interval in seconds (0 - 28800).
    ipFragmentation String
    Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
    ipVersion String
    IP version to use for VPN interface. Valid values: 4, 6.
    ipv4DnsServer1 String
    IPv4 DNS server 1.
    ipv4DnsServer2 String
    IPv4 DNS server 2.
    ipv4DnsServer3 String
    IPv4 DNS server 3.
    ipv4EndIp String
    End of IPv4 range.
    ipv4ExcludeRanges List<Property Map>
    Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
    ipv4Name String
    IPv4 address name.
    ipv4Netmask String
    IPv4 Netmask.
    ipv4SplitExclude String
    IPv4 subnets that should not be sent over the IPsec tunnel.
    ipv4SplitInclude String
    IPv4 split-include subnets.
    ipv4StartIp String
    Start of IPv4 range.
    ipv4WinsServer1 String
    WINS server 1.
    ipv4WinsServer2 String
    WINS server 2.
    ipv6DnsServer1 String
    IPv6 DNS server 1.
    ipv6DnsServer2 String
    IPv6 DNS server 2.
    ipv6DnsServer3 String
    IPv6 DNS server 3.
    ipv6EndIp String
    End of IPv6 range.
    ipv6ExcludeRanges List<Property Map>
    Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
    ipv6Name String
    IPv6 address name.
    ipv6Prefix Number
    IPv6 prefix.
    ipv6SplitExclude String
    IPv6 subnets that should not be sent over the IPsec tunnel.
    ipv6SplitInclude String
    IPv6 split-include subnets.
    ipv6StartIp String
    Start of IPv6 range.
    keepalive Number
    NAT-T keep alive interval.
    keylife Number
    Time to wait in seconds before phase 1 encryption key expires.
    kms String
    Key Management Services server.
    linkCost Number
    VPN tunnel underlay link cost.
    localGw String
    IPv4 address of the local gateway's external interface.
    localGw6 String
    IPv6 address of the local gateway's external interface.
    localid String
    Local ID.
    localidType String
    Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
    loopbackAsymroute String
    Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
    meshSelectorType String
    Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
    mode String
    The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
    modeCfg String
    Enable/disable configuration method. Valid values: disable, enable.
    modeCfgAllowClientSelector String
    Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
    monitor String
    IPsec interface as backup for primary interface.
    monitorHoldDownDelay Number
    Time to wait in seconds before recovery once primary re-establishes.
    monitorHoldDownTime String
    Time of day at which to fail back to primary after it re-establishes.
    monitorHoldDownType String
    Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
    monitorHoldDownWeekday String
    Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
    monitorMin Number
    Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
    name String
    IPsec remote gateway name.
    nattraversal String
    Enable/disable NAT traversal. Valid values: enable, disable, forced.
    negotiateTimeout Number
    IKE SA negotiation timeout in seconds (1 - 300).
    netDevice String
    Enable/disable kernel device creation. Valid values: enable, disable.
    networkId Number
    VPN gateway network ID.
    networkOverlay String
    Enable/disable network overlays. Valid values: disable, enable.
    npuOffload String
    Enable/disable offloading NPU. Valid values: enable, disable.
    packetRedistribution String
    Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
    passiveMode String
    Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
    peer String
    Accept this peer certificate.
    peergrp String
    Accept this peer certificate group.
    peerid String
    Accept this peer identity.
    peertype String
    Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
    ppk String
    Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
    ppkIdentity String
    IKEv2 Postquantum Preshared Key Identity.
    ppkSecret String
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
    priority Number
    Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
    proposal String
    Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
    psksecret String
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    psksecretRemote String
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    qkd String
    Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
    qkdProfile String
    Quantum Key Distribution (QKD) server profile.
    reauth String
    Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
    rekey String
    Enable/disable phase1 rekey. Valid values: enable, disable.
    remoteGw String
    IPv4 address of the remote gateway's external interface.
    remoteGw6 String
    IPv6 address of the remote gateway's external interface.
    remoteGw6Country String
    IPv6 addresses associated to a specific country.
    remoteGw6EndIp String
    Last IPv6 address in the range.
    remoteGw6Match String
    Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
    remoteGw6StartIp String
    First IPv6 address in the range.
    remoteGw6Subnet String
    IPv6 address and prefix.
    remoteGwCountry String
    IPv4 addresses associated to a specific country.
    remoteGwEndIp String
    Last IPv4 address in the range.
    remoteGwMatch String
    Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
    remoteGwStartIp String
    First IPv4 address in the range.
    remoteGwSubnet String
    IPv4 address and subnet mask.
    remotegwDdns String
    Domain name of remote gateway. For example, name.ddns.com.
    rsaSignatureFormat String
    Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
    rsaSignatureHashOverride String
    Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
    savePassword String
    Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
    sendCertChain String
    Enable/disable sending certificate chain. Valid values: enable, disable.
    signatureHashAlg String
    Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
    splitIncludeService String
    Split-include services.
    suiteB String
    Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
    transport String
    Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
    tunnelSearch String
    Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
    type String
    Remote gateway type. Valid values: static, dynamic, ddns.
    unitySupport String
    Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
    usrgrp String
    User group name for dialup peers.
    vdomparam String
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    vni Number
    VNI of VXLAN tunnel.
    wizardType String
    GUI VPN Wizard Type.
    xauthtype String
    XAuth type. Valid values: disable, client, pap, chap, auto.

    Supporting Types

    Phase1interfaceBackupGateway, Phase1interfaceBackupGatewayArgs

    Address string
    Address of backup gateway.
    Address string
    Address of backup gateway.
    address String
    Address of backup gateway.
    address string
    Address of backup gateway.
    address str
    Address of backup gateway.
    address String
    Address of backup gateway.

    Phase1interfaceCertificate, Phase1interfaceCertificateArgs

    Name string
    Certificate name.
    Name string
    Certificate name.
    name String
    Certificate name.
    name string
    Certificate name.
    name str
    Certificate name.
    name String
    Certificate name.

    Phase1interfaceInternalDomainList, Phase1interfaceInternalDomainListArgs

    DomainName string

    Domain name.

    The ipv4_exclude_range block supports:

    DomainName string

    Domain name.

    The ipv4_exclude_range block supports:

    domainName String

    Domain name.

    The ipv4_exclude_range block supports:

    domainName string

    Domain name.

    The ipv4_exclude_range block supports:

    domain_name str

    Domain name.

    The ipv4_exclude_range block supports:

    domainName String

    Domain name.

    The ipv4_exclude_range block supports:

    Phase1interfaceIpv4ExcludeRange, Phase1interfaceIpv4ExcludeRangeArgs

    EndIp string
    Id int
    an identifier for the resource with format {{name}}.
    StartIp string
    EndIp string
    Id int
    an identifier for the resource with format {{name}}.
    StartIp string
    endIp String
    id Integer
    an identifier for the resource with format {{name}}.
    startIp String
    endIp string
    id number
    an identifier for the resource with format {{name}}.
    startIp string
    end_ip str
    id int
    an identifier for the resource with format {{name}}.
    start_ip str
    endIp String
    id Number
    an identifier for the resource with format {{name}}.
    startIp String

    Phase1interfaceIpv6ExcludeRange, Phase1interfaceIpv6ExcludeRangeArgs

    EndIp string
    Id int
    an identifier for the resource with format {{name}}.
    StartIp string
    EndIp string
    Id int
    an identifier for the resource with format {{name}}.
    StartIp string
    endIp String
    id Integer
    an identifier for the resource with format {{name}}.
    startIp String
    endIp string
    id number
    an identifier for the resource with format {{name}}.
    startIp string
    end_ip str
    id int
    an identifier for the resource with format {{name}}.
    start_ip str
    endIp String
    id Number
    an identifier for the resource with format {{name}}.
    startIp String

    Import

    VpnIpsec Phase1Interface can be imported using any of these accepted formats:

    $ pulumi import fortios:vpn/ipsec/phase1interface:Phase1interface labelname {{name}}
    

    If you do not want to import arguments of block:

    $ export “FORTIOS_IMPORT_TABLE”=“false”

    $ pulumi import fortios:vpn/ipsec/phase1interface:Phase1interface labelname {{name}}
    

    $ unset “FORTIOS_IMPORT_TABLE”

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    fortios pulumiverse/pulumi-fortios
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the fortios Terraform Provider.
    fortios logo
    Fortios v0.0.6 published on Tuesday, Jul 9, 2024 by pulumiverse