W3cubDocs

/Ansible

community.fortios.fmgr_secprof_web – Manage web filter security profiles in FortiManager

Note

This plugin is part of the community.fortios collection (version 1.0.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.fortios.

To use it in a playbook, specify: community.fortios.fmgr_secprof_web.

Synopsis

  • Manage web filter security profiles in FortiManager through playbooks using the FMG API

Parameters

Parameter Choices/Defaults Comments
adom
string
Default:
"root"
The ADOM the configuration should belong to.
comment
string
Optional comments.
extended_log
string
    Choices:
  • disable
  • enable
Enable/disable extended logging for web filtering.
choice | disable | Disable setting.
choice | enable | Enable setting.
ftgd_wf
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
ftgd_wf_exempt_quota
string
Do not stop quota for these categories.
ftgd_wf_filters_action
string
    Choices:
  • block
  • monitor
  • warning
  • authenticate
Action to take for matches.
choice | block | Block access.
choice | monitor | Allow access while logging the action.
choice | warning | Allow access after warning the user.
choice | authenticate | Authenticate user before allowing access.
ftgd_wf_filters_auth_usr_grp
string
Groups with permission to authenticate.
ftgd_wf_filters_category
string
Categories and groups the filter examines.
ftgd_wf_filters_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
ftgd_wf_filters_override_replacemsg
string
Override replacement message.
ftgd_wf_filters_warn_duration
string
Duration of warnings.
ftgd_wf_filters_warning_duration_type
string
    Choices:
  • session
  • timeout
Re-display warning after closing browser or after a timeout.
choice | session | After session ends.
choice | timeout | After timeout occurs.
ftgd_wf_filters_warning_prompt
string
    Choices:
  • per-domain
  • per-category
Warning prompts in each category or each domain.
choice | per-domain | Per-domain warnings.
choice | per-category | Per-category warnings.
ftgd_wf_max_quota_timeout
string
Maximum FortiGuard quota used by single page view in seconds (excludes streams).
ftgd_wf_options
string
    Choices:
  • error-allow
  • rate-server-ip
  • connect-request-bypass
  • ftgd-disable
Options for FortiGuard Web Filter.
FLAG Based Options. Specify multiple in list form.
flag | error-allow | Allow web pages with a rating error to pass through.
flag | rate-server-ip | Rate the server IP in addition to the domain name.
flag | connect-request-bypass | Bypass connection which has CONNECT request.
flag | ftgd-disable | Disable FortiGuard scanning.
ftgd_wf_ovrd
string
Allow web filter profile overrides.
ftgd_wf_quota_category
string
FortiGuard categories to apply quota to (category action must be set to monitor).
ftgd_wf_quota_duration
string
Duration of quota.
ftgd_wf_quota_override_replacemsg
string
Override replacement message.
ftgd_wf_quota_type
string
    Choices:
  • time
  • traffic
Quota type.
choice | time | Use a time-based quota.
choice | traffic | Use a traffic-based quota.
ftgd_wf_quota_unit
string
    Choices:
  • B
  • KB
  • MB
  • GB
Traffic quota unit of measurement.
choice | B | Quota in bytes.
choice | KB | Quota in kilobytes.
choice | MB | Quota in megabytes.
choice | GB | Quota in gigabytes.
ftgd_wf_quota_value
string
Traffic quota value.
ftgd_wf_rate_crl_urls
string
    Choices:
  • disable
  • enable
Enable/disable rating CRL by URL.
choice | disable | Disable rating CRL by URL.
choice | enable | Enable rating CRL by URL.
ftgd_wf_rate_css_urls
string
    Choices:
  • disable
  • enable
Enable/disable rating CSS by URL.
choice | disable | Disable rating CSS by URL.
choice | enable | Enable rating CSS by URL.
ftgd_wf_rate_image_urls
string
    Choices:
  • disable
  • enable
Enable/disable rating images by URL.
choice | disable | Disable rating images by URL (blocked images are replaced with blanks).
choice | enable | Enable rating images by URL (blocked images are replaced with blanks).
ftgd_wf_rate_javascript_urls
string
    Choices:
  • disable
  • enable
Enable/disable rating JavaScript by URL.
choice | disable | Disable rating JavaScript by URL.
choice | enable | Enable rating JavaScript by URL.
https_replacemsg
string
    Choices:
  • disable
  • enable
Enable replacement messages for HTTPS.
choice | disable | Disable setting.
choice | enable | Enable setting.
inspection_mode
string
    Choices:
  • proxy
  • flow-based
Web filtering inspection mode.
choice | proxy | Proxy.
choice | flow-based | Flow based.
log_all_url
string
    Choices:
  • disable
  • enable
Enable/disable logging all URLs visited.
choice | disable | Disable setting.
choice | enable | Enable setting.
mode
string
    Choices:
  • add
  • set
  • delete
  • update
Sets one of three modes for managing the object.
Allows use of soft-adds instead of overwriting existing values
name
string
Profile name.
options
string
    Choices:
  • block-invalid-url
  • jscript
  • js
  • vbs
  • unknown
  • wf-referer
  • intrinsic
  • wf-cookie
  • per-user-bwl
  • activexfilter
  • cookiefilter
  • javafilter
FLAG Based Options. Specify multiple in list form.
flag | block-invalid-url | Block sessions contained an invalid domain name.
flag | jscript | Javascript block.
flag | js | JS block.
flag | vbs | VB script block.
flag | unknown | Unknown script block.
flag | wf-referer | Referring block.
flag | intrinsic | Intrinsic script block.
flag | wf-cookie | Cookie block.
flag | per-user-bwl | Per-user black/white list filter
flag | activexfilter | ActiveX filter.
flag | cookiefilter | Cookie filter.
flag | javafilter | Java applet filter.
override
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
override_ovrd_cookie
string
    Choices:
  • deny
  • allow
Allow/deny browser-based (cookie) overrides.
choice | deny | Deny browser-based (cookie) override.
choice | allow | Allow browser-based (cookie) override.
override_ovrd_dur
string
Override duration.
override_ovrd_dur_mode
string
    Choices:
  • constant
  • ask
Override duration mode.
choice | constant | Constant mode.
choice | ask | Prompt for duration when initiating an override.
override_ovrd_scope
string
    Choices:
  • user
  • user-group
  • ip
  • ask
  • browser
Override scope.
choice | user | Override for the user.
choice | user-group | Override for the user's group.
choice | ip | Override for the initiating IP.
choice | ask | Prompt for scope when initiating an override.
choice | browser | Create browser-based (cookie) override.
override_ovrd_user_group
string
User groups with permission to use the override.
override_profile
string
Web filter profile with permission to create overrides.
override_profile_attribute
string
    Choices:
  • User-Name
  • NAS-IP-Address
  • Framed-IP-Address
  • Framed-IP-Netmask
  • Filter-Id
  • Login-IP-Host
  • Reply-Message
  • Callback-Number
  • Callback-Id
  • Framed-Route
  • Framed-IPX-Network
  • Class
  • Called-Station-Id
  • Calling-Station-Id
  • NAS-Identifier
  • Proxy-State
  • Login-LAT-Service
  • Login-LAT-Node
  • Login-LAT-Group
  • Framed-AppleTalk-Zone
  • Acct-Session-Id
  • Acct-Multi-Session-Id
Profile attribute to retrieve from the RADIUS server.
choice | User-Name | Use this attribute.
choice | NAS-IP-Address | Use this attribute.
choice | Framed-IP-Address | Use this attribute.
choice | Framed-IP-Netmask | Use this attribute.
choice | Filter-Id | Use this attribute.
choice | Login-IP-Host | Use this attribute.
choice | Reply-Message | Use this attribute.
choice | Callback-Number | Use this attribute.
choice | Callback-Id | Use this attribute.
choice | Framed-Route | Use this attribute.
choice | Framed-IPX-Network | Use this attribute.
choice | Class | Use this attribute.
choice | Called-Station-Id | Use this attribute.
choice | Calling-Station-Id | Use this attribute.
choice | NAS-Identifier | Use this attribute.
choice | Proxy-State | Use this attribute.
choice | Login-LAT-Service | Use this attribute.
choice | Login-LAT-Node | Use this attribute.
choice | Login-LAT-Group | Use this attribute.
choice | Framed-AppleTalk-Zone | Use this attribute.
choice | Acct-Session-Id | Use this attribute.
choice | Acct-Multi-Session-Id | Use this attribute.
override_profile_type
string
    Choices:
  • list
  • radius
Override profile type.
choice | list | Profile chosen from list.
choice | radius | Profile determined by RADIUS server.
ovrd_perm
string
    Choices:
  • bannedword-override
  • urlfilter-override
  • fortiguard-wf-override
  • contenttype-check-override
FLAG Based Options. Specify multiple in list form.
flag | bannedword-override | Banned word override.
flag | urlfilter-override | URL filter override.
flag | fortiguard-wf-override | FortiGuard Web Filter override.
flag | contenttype-check-override | Content-type header override.
post_action
string
    Choices:
  • normal
  • block
Action taken for HTTP POST traffic.
choice | normal | Normal, POST requests are allowed.
choice | block | POST requests are blocked.
replacemsg_group
string
Replacement message group.
url_extraction
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
url_extraction_redirect_header
string
HTTP header name to use for client redirect on blocked requests
url_extraction_redirect_no_content
string
    Choices:
  • disable
  • enable
Enable / Disable empty message-body entity in HTTP response
choice | disable | Disable setting.
choice | enable | Enable setting.
url_extraction_redirect_url
string
HTTP header value to use for client redirect on blocked requests
url_extraction_server_fqdn
string
URL extraction server FQDN (fully qualified domain name)
url_extraction_status
string
    Choices:
  • disable
  • enable
Enable URL Extraction
choice | disable | Disable setting.
choice | enable | Enable setting.
web
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
web_blacklist
string
    Choices:
  • disable
  • enable
Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_bword_table
string
Banned word table ID.
web_bword_threshold
string
Banned word score threshold.
web_content_header_list
string
Content header list.
web_content_log
string
    Choices:
  • disable
  • enable
Enable/disable logging logging blocked web content.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_extended_all_action_log
string
    Choices:
  • disable
  • enable
Enable/disable extended any filter action logging for web filtering.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_filter_activex_log
string
    Choices:
  • disable
  • enable
Enable/disable logging ActiveX.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_filter_applet_log
string
    Choices:
  • disable
  • enable
Enable/disable logging Java applets.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_filter_command_block_log
string
    Choices:
  • disable
  • enable
Enable/disable logging blocked commands.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_filter_cookie_log
string
    Choices:
  • disable
  • enable
Enable/disable logging cookie filtering.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_filter_cookie_removal_log
string
    Choices:
  • disable
  • enable
Enable/disable logging blocked cookies.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_filter_js_log
string
    Choices:
  • disable
  • enable
Enable/disable logging Java scripts.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_filter_jscript_log
string
    Choices:
  • disable
  • enable
Enable/disable logging JScripts.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_filter_referer_log
string
    Choices:
  • disable
  • enable
Enable/disable logging referrers.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_filter_unknown_log
string
    Choices:
  • disable
  • enable
Enable/disable logging unknown scripts.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_filter_vbs_log
string
    Choices:
  • disable
  • enable
Enable/disable logging VBS scripts.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_ftgd_err_log
string
    Choices:
  • disable
  • enable
Enable/disable logging rating errors.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_ftgd_quota_usage
string
    Choices:
  • disable
  • enable
Enable/disable logging daily quota usage.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_invalid_domain_log
string
    Choices:
  • disable
  • enable
Enable/disable logging invalid domain names.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_keyword_match
string
Search keywords to log when match is found.
web_log_search
string
    Choices:
  • disable
  • enable
Enable/disable logging all search phrases.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_safe_search
string
    Choices:
  • url
  • header
Safe search type.
FLAG Based Options. Specify multiple in list form.
flag | url | Insert safe search string into URL.
flag | header | Insert safe search header.
web_url_log
string
    Choices:
  • disable
  • enable
Enable/disable logging URL filtering.
choice | disable | Disable setting.
choice | enable | Enable setting.
web_urlfilter_table
string
URL filter table ID.
web_whitelist
string
    Choices:
  • exempt-av
  • exempt-webcontent
  • exempt-activex-java-cookie
  • exempt-dlp
  • exempt-rangeblock
  • extended-log-others
FortiGuard whitelist settings.
FLAG Based Options. Specify multiple in list form.
flag | exempt-av | Exempt antivirus.
flag | exempt-webcontent | Exempt web content.
flag | exempt-activex-java-cookie | Exempt ActiveX-JAVA-Cookie.
flag | exempt-dlp | Exempt DLP.
flag | exempt-rangeblock | Exempt RangeBlock.
flag | extended-log-others | Support extended log.
web_youtube_restrict
string
    Choices:
  • strict
  • none
  • moderate
YouTube EDU filter level.
choice | strict | Strict access for YouTube.
choice | none | Full access for YouTube.
choice | moderate | Moderate access for YouTube.
wisp
string
    Choices:
  • disable
  • enable
Enable/disable web proxy WISP.
choice | disable | Disable web proxy WISP.
choice | enable | Enable web proxy WISP.
wisp_algorithm
string
    Choices:
  • auto-learning
  • primary-secondary
  • round-robin
WISP server selection algorithm.
choice | auto-learning | Select the lightest loading healthy server.
choice | primary-secondary | Select the first healthy server in order.
choice | round-robin | Select the next healthy server.
wisp_servers
string
WISP servers.
youtube_channel_filter
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
youtube_channel_filter_channel_id
string
YouTube channel ID to be filtered.
youtube_channel_filter_comment
string
Comment.
youtube_channel_status
string
    Choices:
  • disable
  • blacklist
  • whitelist
YouTube channel filter status.
choice | disable | Disable YouTube channel filter.
choice | blacklist | Block matches.
choice | whitelist | Allow matches.

Notes

Examples

- name: DELETE Profile
  community.fortios.fmgr_secprof_web:
    name: "Ansible_Web_Filter_Profile"
    mode: "delete"

- name: CREATE Profile
  community.fortios.fmgr_secprof_web:
    name: "Ansible_Web_Filter_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "set"
    extended_log: "enable"
    inspection_mode: "proxy"
    log_all_url: "enable"
    options: "js"
    ovrd_perm: "bannedword-override"
    post_action: "block"
    web_content_log: "enable"
    web_extended_all_action_log: "enable"
    web_filter_activex_log: "enable"
    web_filter_applet_log: "enable"
    web_filter_command_block_log: "enable"
    web_filter_cookie_log: "enable"
    web_filter_cookie_removal_log: "enable"
    web_filter_js_log: "enable"
    web_filter_jscript_log: "enable"
    web_filter_referer_log: "enable"
    web_filter_unknown_log: "enable"
    web_filter_vbs_log: "enable"
    web_ftgd_err_log: "enable"
    web_ftgd_quota_usage: "enable"
    web_invalid_domain_log: "enable"
    web_url_log: "enable"
    wisp: "enable"
    wisp_algorithm: "auto-learning"
    youtube_channel_status: "blacklist"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
api_result
string
always
full API response, includes status code and message



Authors

  • Luke Weighall (@lweighall)
  • Andrew Welsh (@Ghilli3)
  • Jim Huber (@p4r4n0y1ng)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/fortios/fmgr_secprof_web_module.html