Note
This plugin is part of the fortinet.fortios collection.
To install it use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_waf_profile.
New in version 2.8 of fortinet.fortios.
The below requirements are needed on the host that executes this module.
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| host (string) | | FortiOS or FortiGate IP address. |
| https (boolean) | | Indicates whether requests towards the FortiGate must use HTTPS. |
| password (string) | Default: "" | FortiOS or FortiGate password. |
| ssl_verify (boolean), added in 2.9 of fortinet.fortios | | Ensures the FortiGate certificate is verified against a trusted CA. Turning this off lets an on-path attacker read the credentials and configuration sent to the device, so keep it on outside lab use. With the httpapi connection used in the example below, the equivalent setting is ansible_httpapi_validate_certs. |
| state (string), added in 2.9 of fortinet.fortios | | Indicates whether to create or remove the object. In earlier versions this attribute sat inside waf_profile; it has been moved out to this top level. |
| username (string) | | FortiOS or FortiGate username. |
| vdom (string) | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a separate unit. |
| waf_profile (dictionary) | | Web application firewall configuration. Nested keys are listed below as dotted paths; [] marks a list of dictionaries. |
| waf_profile.address_list (dictionary) | | Black address list and white address list. |
| waf_profile.address_list.blocked_address[] (list of dictionaries) | | Blocked addresses. |
| waf_profile.address_list.blocked_address[].name (string, required) | | Address name (references firewall.address.name or firewall.addrgrp.name). |
| waf_profile.address_list.blocked_log (string) | | Enable/disable logging on blocked addresses. |
| waf_profile.address_list.severity (string) | | Severity. |
| waf_profile.address_list.status (string) | | Status. |
| waf_profile.address_list.trusted_address[] (list of dictionaries) | | Trusted addresses. |
| waf_profile.address_list.trusted_address[].name (string, required) | | Address name (references firewall.address.name or firewall.addrgrp.name). |
| waf_profile.comment (string) | | Comment. |
| waf_profile.constraint (dictionary) | | WAF HTTP protocol restrictions. |
| waf_profile.constraint.content_length (dictionary) | | HTTP content length in request. |
| waf_profile.constraint.content_length.action (string) | | Action. |
| waf_profile.constraint.content_length.length (integer) | | Length of HTTP content in bytes (0 to 2147483647). |
| waf_profile.constraint.content_length.log (string) | | Enable/disable logging. |
| waf_profile.constraint.content_length.severity (string) | | Severity. |
| waf_profile.constraint.content_length.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.exception[] (list of dictionaries) | | HTTP constraint exceptions. Each entry names the constraints that are not applied to requests matching its host address and URL pattern. |
| waf_profile.constraint.exception[].address (string) | | Host address (references firewall.address.name or firewall.addrgrp.name). |
| waf_profile.constraint.exception[].content_length (string) | | Enable/disable the exception for the HTTP content length constraint. |
| waf_profile.constraint.exception[].header_length (string) | | Enable/disable the exception for the HTTP header length constraint. |
| waf_profile.constraint.exception[].hostname (string) | | Enable/disable the exception for the hostname check. |
| waf_profile.constraint.exception[].id (integer, required) | | Exception ID. |
| waf_profile.constraint.exception[].line_length (string) | | Enable/disable the exception for the HTTP line length constraint. |
| waf_profile.constraint.exception[].malformed (string) | | Enable/disable the exception for the malformed HTTP request check. |
| waf_profile.constraint.exception[].max_cookie (string) | | Enable/disable the exception for the maximum number of cookies in an HTTP request. |
| waf_profile.constraint.exception[].max_header_line (string) | | Enable/disable the exception for the maximum number of HTTP header lines. |
| waf_profile.constraint.exception[].max_range_segment (string) | | Enable/disable the exception for the maximum number of range segments in an HTTP range line. |
| waf_profile.constraint.exception[].max_url_param (string) | | Enable/disable the exception for the maximum number of parameters in a URL. |
| waf_profile.constraint.exception[].method (string) | | Enable/disable the exception for the HTTP method check. |
| waf_profile.constraint.exception[].param_length (string) | | Enable/disable the exception for the maximum parameter length in URL, HTTP POST request or HTTP body. |
| waf_profile.constraint.exception[].pattern (string) | | URL pattern. |
| waf_profile.constraint.exception[].regex (string) | | Enable/disable regular expression based pattern match. |
| waf_profile.constraint.exception[].url_param_length (string) | | Enable/disable the exception for the maximum length of a parameter in the URL. |
| waf_profile.constraint.exception[].version (string) | | Enable/disable the exception for the HTTP version check. |
| waf_profile.constraint.header_length (dictionary) | | HTTP header length in request. |
| waf_profile.constraint.header_length.action (string) | | Action. |
| waf_profile.constraint.header_length.length (integer) | | Length of HTTP header in bytes (0 to 2147483647). |
| waf_profile.constraint.header_length.log (string) | | Enable/disable logging. |
| waf_profile.constraint.header_length.severity (string) | | Severity. |
| waf_profile.constraint.header_length.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.hostname (dictionary) | | Hostname check. |
| waf_profile.constraint.hostname.action (string) | | Action. |
| waf_profile.constraint.hostname.log (string) | | Enable/disable logging. |
| waf_profile.constraint.hostname.severity (string) | | Severity. |
| waf_profile.constraint.hostname.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.line_length (dictionary) | | HTTP line length in request. |
| waf_profile.constraint.line_length.action (string) | | Action. |
| waf_profile.constraint.line_length.length (integer) | | Length of HTTP line in bytes (0 to 2147483647). |
| waf_profile.constraint.line_length.log (string) | | Enable/disable logging. |
| waf_profile.constraint.line_length.severity (string) | | Severity. |
| waf_profile.constraint.line_length.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.malformed (dictionary) | | Malformed HTTP request check. |
| waf_profile.constraint.malformed.action (string) | | Action. |
| waf_profile.constraint.malformed.log (string) | | Enable/disable logging. |
| waf_profile.constraint.malformed.severity (string) | | Severity. |
| waf_profile.constraint.malformed.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.max_cookie (dictionary) | | Maximum number of cookies in HTTP request. |
| waf_profile.constraint.max_cookie.action (string) | | Action. |
| waf_profile.constraint.max_cookie.log (string) | | Enable/disable logging. |
| waf_profile.constraint.max_cookie.max_cookie (integer) | | Maximum number of cookies in HTTP request (0 to 2147483647). |
| waf_profile.constraint.max_cookie.severity (string) | | Severity. |
| waf_profile.constraint.max_cookie.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.max_header_line (dictionary) | | Maximum number of HTTP header lines. |
| waf_profile.constraint.max_header_line.action (string) | | Action. |
| waf_profile.constraint.max_header_line.log (string) | | Enable/disable logging. |
| waf_profile.constraint.max_header_line.max_header_line (integer) | | Maximum number of HTTP header lines (0 to 2147483647). |
| waf_profile.constraint.max_header_line.severity (string) | | Severity. |
| waf_profile.constraint.max_header_line.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.max_range_segment (dictionary) | | Maximum number of range segments in HTTP range line. |
| waf_profile.constraint.max_range_segment.action (string) | | Action. |
| waf_profile.constraint.max_range_segment.log (string) | | Enable/disable logging. |
| waf_profile.constraint.max_range_segment.max_range_segment (integer) | | Maximum number of range segments in HTTP range line (0 to 2147483647). |
| waf_profile.constraint.max_range_segment.severity (string) | | Severity. |
| waf_profile.constraint.max_range_segment.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.max_url_param (dictionary) | | Maximum number of parameters in URL. |
| waf_profile.constraint.max_url_param.action (string) | | Action. |
| waf_profile.constraint.max_url_param.log (string) | | Enable/disable logging. |
| waf_profile.constraint.max_url_param.max_url_param (integer) | | Maximum number of parameters in URL (0 to 2147483647). |
| waf_profile.constraint.max_url_param.severity (string) | | Severity. |
| waf_profile.constraint.max_url_param.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.method (dictionary) | | HTTP method check. |
| waf_profile.constraint.method.action (string) | | Action. |
| waf_profile.constraint.method.log (string) | | Enable/disable logging. |
| waf_profile.constraint.method.severity (string) | | Severity. |
| waf_profile.constraint.method.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.param_length (dictionary) | | Maximum length of parameter in URL, HTTP POST request or HTTP body. |
| waf_profile.constraint.param_length.action (string) | | Action. |
| waf_profile.constraint.param_length.length (integer) | | Maximum length of parameter in URL, HTTP POST request or HTTP body, in bytes (0 to 2147483647). |
| waf_profile.constraint.param_length.log (string) | | Enable/disable logging. |
| waf_profile.constraint.param_length.severity (string) | | Severity. |
| waf_profile.constraint.param_length.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.url_param_length (dictionary) | | Maximum length of parameter in URL. |
| waf_profile.constraint.url_param_length.action (string) | | Action. |
| waf_profile.constraint.url_param_length.length (integer) | | Maximum length of URL parameter in bytes (0 to 2147483647). |
| waf_profile.constraint.url_param_length.log (string) | | Enable/disable logging. |
| waf_profile.constraint.url_param_length.severity (string) | | Severity. |
| waf_profile.constraint.url_param_length.status (string) | | Enable/disable the constraint. |
| waf_profile.constraint.version (dictionary) | | HTTP version check. |
| waf_profile.constraint.version.action (string) | | Action. |
| waf_profile.constraint.version.log (string) | | Enable/disable logging. |
| waf_profile.constraint.version.severity (string) | | Severity. |
| waf_profile.constraint.version.status (string) | | Enable/disable the constraint. |
| waf_profile.extended_log (string) | | Enable/disable extended logging. |
| waf_profile.external (string) | | Enable/disable external HTTP inspection. |
| waf_profile.method (dictionary) | | Method restriction. |
| waf_profile.method.default_allowed_methods (string) | | HTTP methods allowed by default. |
| waf_profile.method.log (string) | | Enable/disable logging. |
| waf_profile.method.method_policy[] (list of dictionaries) | | HTTP method policies. |
| waf_profile.method.method_policy[].address (string) | | Host address (references firewall.address.name or firewall.addrgrp.name). |
| waf_profile.method.method_policy[].allowed_methods (string) | | Allowed methods. |
| waf_profile.method.method_policy[].id (integer, required) | | HTTP method policy ID. |
| waf_profile.method.method_policy[].pattern (string) | | URL pattern. |
| waf_profile.method.method_policy[].regex (string) | | Enable/disable regular expression based pattern match. |
| waf_profile.method.severity (string) | | Severity. |
| waf_profile.method.status (string) | | Status. |
| waf_profile.name (string, required) | | WAF profile name. |
| waf_profile.signature (dictionary) | | WAF signatures. |
| waf_profile.signature.credit_card_detection_threshold (integer) | | The minimum number of credit card numbers to detect a violation. |
| waf_profile.signature.custom_signature[] (list of dictionaries) | | Custom signatures. |
| waf_profile.signature.custom_signature[].action (string) | | Action. |
| waf_profile.signature.custom_signature[].case_sensitivity (string) | | Case sensitivity in pattern. |
| waf_profile.signature.custom_signature[].direction (string) | | Traffic direction. |
| waf_profile.signature.custom_signature[].log (string) | | Enable/disable logging. |
| waf_profile.signature.custom_signature[].name (string, required) | | Signature name. |
| waf_profile.signature.custom_signature[].pattern (string) | | Match pattern. |
| waf_profile.signature.custom_signature[].severity (string) | | Severity. |
| waf_profile.signature.custom_signature[].status (string) | | Status. |
| waf_profile.signature.custom_signature[].target (string) | | Match HTTP target. |
| waf_profile.signature.disabled_signature[] (list of dictionaries) | | Disabled signatures. |
| waf_profile.signature.disabled_signature[].id (integer, required) | | Signature ID (references waf.signature.id). |
| waf_profile.signature.disabled_sub_class[] (list of dictionaries) | | Disabled signature subclasses. |
| waf_profile.signature.disabled_sub_class[].id (integer, required) | | Signature subclass ID (references waf.sub-class.id). |
| waf_profile.signature.main_class[] (list of dictionaries) | | Main signature classes. |
| waf_profile.signature.main_class[].action (string) | | Action. |
| waf_profile.signature.main_class[].id (integer, required) | | Main signature class ID (references waf.main-class.id). |
| waf_profile.signature.main_class[].log (string) | | Enable/disable logging. |
| waf_profile.signature.main_class[].severity (string) | | Severity. |
| waf_profile.signature.main_class[].status (string) | | Status. |
| waf_profile.state (string) | | Deprecated. Starting with Ansible 2.9, use the top-level state parameter instead. Indicates whether to create or remove the object. |
| waf_profile.url_access[] (list of dictionaries) | | URL access list. |
| waf_profile.url_access[].access_pattern[] (list of dictionaries) | | URL access patterns. |
| waf_profile.url_access[].access_pattern[].id (integer, required) | | URL access pattern ID. |
| waf_profile.url_access[].access_pattern[].negate (string) | | Enable/disable match negation. |
| waf_profile.url_access[].access_pattern[].pattern (string) | | URL pattern. |
| waf_profile.url_access[].access_pattern[].regex (string) | | Enable/disable regular expression based pattern match. |
| waf_profile.url_access[].access_pattern[].srcaddr (string) | | Source address (references firewall.address.name or firewall.addrgrp.name). |
| waf_profile.url_access[].action (string) | | Action. |
| waf_profile.url_access[].address (string) | | Host address (references firewall.address.name or firewall.addrgrp.name). |
| waf_profile.url_access[].id (integer, required) | | URL access ID. |
| waf_profile.url_access[].log (string) | | Enable/disable logging. |
| waf_profile.url_access[].severity (string) | | Severity. |
Examples

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no   # lab setting; use yes against a FortiGate with a trusted certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Web application firewall configuration.
      fortios_waf_profile:
        vdom: "{{ vdom }}"
        state: "present"
        waf_profile:
          address_list:
            blocked_address:
              - name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
            blocked_log: "enable"
            severity: "high"
            status: "enable"
            trusted_address:
              - name: "default_name_10 (source firewall.address.name firewall.addrgrp.name)"
          comment: "Comment."
          constraint:
            content_length:
              action: "allow"
              length: "15"
              log: "enable"
              severity: "high"
              status: "enable"
            exception:
              - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                content_length: "enable"
                header_length: "enable"
                hostname: "enable"
                id: "24"
                line_length: "enable"
                malformed: "enable"
                max_cookie: "enable"
                max_header_line: "enable"
                max_range_segment: "enable"
                max_url_param: "enable"
                method: "enable"
                param_length: "enable"
                pattern: "<your_own_value>"
                regex: "enable"
                url_param_length: "enable"
                version: "enable"
            header_length:
              action: "allow"
              length: "39"
              log: "enable"
              severity: "high"
              status: "enable"
            hostname:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            line_length:
              action: "allow"
              length: "50"
              log: "enable"
              severity: "high"
              status: "enable"
            malformed:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            max_cookie:
              action: "allow"
              log: "enable"
              max_cookie: "62"
              severity: "high"
              status: "enable"
            max_header_line:
              action: "allow"
              log: "enable"
              max_header_line: "68"
              severity: "high"
              status: "enable"
            max_range_segment:
              action: "allow"
              log: "enable"
              max_range_segment: "74"
              severity: "high"
              status: "enable"
            max_url_param:
              action: "allow"
              log: "enable"
              max_url_param: "80"
              severity: "high"
              status: "enable"
            method:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            param_length:
              action: "allow"
              length: "90"
              log: "enable"
              severity: "high"
              status: "enable"
            url_param_length:
              action: "allow"
              length: "96"
              log: "enable"
              severity: "high"
              status: "enable"
            version:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
          extended_log: "enable"
          external: "disable"
          method:
            default_allowed_methods: "get"
            log: "enable"
            method_policy:
              - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                allowed_methods: "get"
                id: "113"
                pattern: "<your_own_value>"
                regex: "enable"
            severity: "high"
            status: "enable"
          name: "default_name_118"
          signature:
            credit_card_detection_threshold: "120"
            custom_signature:
              - action: "allow"
                case_sensitivity: "disable"
                direction: "request"
                log: "enable"
                name: "default_name_126"
                pattern: "<your_own_value>"
                severity: "high"
                status: "enable"
                target: "arg"
            disabled_signature:
              - id: "132 (source waf.signature.id)"
            disabled_sub_class:
              - id: "134 (source waf.sub-class.id)"
            main_class:
              - action: "allow"
                id: "137 (source waf.main-class.id)"
                log: "enable"
                severity: "high"
                status: "enable"
          url_access:
            - access_pattern:
                - id: "143"
                  negate: "enable"
                  pattern: "<your_own_value>"
                  regex: "enable"
                  srcaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              action: "bypass"
              address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              id: "150"
              log: "enable"
              severity: "high"
```
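The generated example above sets every constraint to "allow" with placeholder limits, which logs but enforces nothing. The playbook below is an added example, not part of the collection's documentation, showing the settings a practitioner would actually push for an internet-facing application: certificate verification on, size and protocol constraints set to block, a narrowly scoped constraint exception, a method allow-list, an admin path restricted to jump hosts, and a second task using state "absent" to retire a profile. It assumes the address objects internal-upload-service, admin-jump-hosts and known-scanners exist on the FortiGate, that the built-in address "all" is present, and that url_access entries are evaluated in id order with the first match applied. The values block, permit, medium and the space-separated method tokens are FortiOS CLI values not listed on this page, and the main_class id 137 is the page's own placeholder: replace it with the real ids from the device's waf.main-class table.

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: yes   # verify the FortiGate certificate (see ssl_verify in the table)
    ansible_httpapi_port: 443
  tasks:
    - name: Apply a blocking WAF profile for an externally exposed web application
      fortios_waf_profile:
        vdom: "{{ vdom }}"
        state: "present"
        waf_profile:
          name: "waf-public-app"                 # assumed profile name
          comment: "Managed by Ansible"
          extended_log: "enable"
          external: "disable"
          address_list:
            status: "enable"
            blocked_log: "enable"
            severity: "high"
            blocked_address:
              - name: "known-scanners"           # assumed firewall.addrgrp
            trusted_address:
              - name: "admin-jump-hosts"         # assumed firewall.addrgrp
          constraint:
            # Request-size limits: block rather than allow, so the limit is enforced
            content_length:
              status: "enable"
              length: 1048576                    # 1 MiB; assumed application limit
              action: "block"
              log: "enable"
              severity: "high"
            max_range_segment:
              status: "enable"
              max_range_segment: 5               # caps Range-header abuse
              action: "block"
              log: "enable"
              severity: "medium"
            # Protocol sanity checks
            malformed:
              status: "enable"
              action: "block"
              log: "enable"
              severity: "high"
            method:
              status: "enable"
              action: "block"
              log: "enable"
              severity: "medium"
            # Scoped exception: only the internal upload service may exceed the
            # content-length limit, and only on the upload endpoint
            exception:
              - id: 1
                address: "internal-upload-service" # assumed firewall.address
                pattern: "^/api/upload(/|$)"
                regex: "enable"
                content_length: "enable"
          method:
            status: "enable"
            log: "enable"
            severity: "medium"
            default_allowed_methods: "get post head"   # FortiOS method tokens, space separated
          url_access:
            # Evaluated in id order (assumed): permit /admin from jump hosts, block it for all others
            - id: 1
              action: "permit"                   # still subject to signature checks
              address: "all"
              log: "enable"
              severity: "medium"
              access_pattern:
                - id: 1
                  pattern: "^/admin(/|$)"
                  regex: "enable"
                  srcaddr: "admin-jump-hosts"
            - id: 2
              action: "block"
              address: "all"
              log: "enable"
              severity: "high"
              access_pattern:
                - id: 1
                  pattern: "^/admin(/|$)"
                  regex: "enable"
                  srcaddr: "all"
          signature:
            credit_card_detection_threshold: 3
            main_class:
              - id: 137                          # placeholder from the page; use the device's waf.main-class ids
                action: "block"
                log: "enable"
                severity: "high"
                status: "enable"

    - name: Remove a profile no longer referenced by any firewall policy
      fortios_waf_profile:
        vdom: "{{ vdom }}"
        state: "absent"
        waf_profile:
          name: "waf-legacy-app"                 # assumed name of the stale profile
```

Run it with check mode first (ansible-playbook --check) and confirm the profile is attached to the intended firewall policy afterwards; a WAF profile that no policy references inspects nothing.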
Common return values are documented in the Ansible return values reference; the following fields are specific to this module:
| Key | Returned | Description |
|---|---|---|
| build string | always | Build number of the fortigate image Sample: 1547 |
| http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
| http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
| mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
| name string | always | Name of the table used to fulfill the request Sample: urlfilter |
| path string | always | Path of the table used to fulfill the request Sample: webfilter |
| revision string | always | Internal revision number Sample: 17.0.2.10658 |
| serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
| status string | always | Indication of the operation's result Sample: success |
| vdom string | always | Virtual domain used Sample: root |
| version string | always | Version of the FortiGate Sample: v5.6.3 |
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/fortinet/fortios/fortios_waf_profile_module.html