community.fortios.fmgr_secprof_waf – FortiManager web application firewall security profile

Note

This plugin is part of the community.fortios collection (version 1.0.0).

To install it use: ansible-galaxy collection install community.fortios.

To use it in a playbook, specify: community.fortios.fmgr_secprof_waf.

Synopsis

  • Manage web application firewall security profiles for FGTs via FMG

Parameters

Parameter Choices/Defaults Comments
address_list
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
address_list_blocked_address
string
Blocked address.
address_list_blocked_log
string
    Choices:
  • disable
  • enable
Enable/disable logging on blocked addresses.
choice | disable | Disable setting.
choice | enable | Enable setting.
address_list_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
address_list_status
string
    Choices:
  • disable
  • enable
Status.
choice | disable | Disable setting.
choice | enable | Enable setting.
address_list_trusted_address
string
Trusted address.
adom
string
Default:
"root"
The ADOM the configuration should belong to.
comment
string
Comment.
constraint
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
constraint_content_length_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_content_length_length
string
Length of HTTP content in bytes (0 to 2147483647).
constraint_content_length_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_content_length_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_content_length_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_address
string
Host address.
constraint_exception_content_length
string
    Choices:
  • disable
  • enable
HTTP content length in request.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_header_length
string
    Choices:
  • disable
  • enable
HTTP header length in request.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_hostname
string
    Choices:
  • disable
  • enable
Enable/disable hostname check.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_line_length
string
    Choices:
  • disable
  • enable
HTTP line length in request.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_malformed
string
    Choices:
  • disable
  • enable
Enable/disable malformed HTTP request check.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_max_cookie
string
    Choices:
  • disable
  • enable
Maximum number of cookies in HTTP request.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_max_header_line
string
    Choices:
  • disable
  • enable
Maximum number of HTTP header line.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_max_range_segment
string
    Choices:
  • disable
  • enable
Maximum number of range segments in HTTP range line.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_max_url_param
string
    Choices:
  • disable
  • enable
Maximum number of parameters in URL.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_method
string
    Choices:
  • disable
  • enable
Enable/disable HTTP method check.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_param_length
string
    Choices:
  • disable
  • enable
Maximum length of parameter in URL, HTTP POST request or HTTP body.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_pattern
string
URL pattern.
constraint_exception_regex
string
    Choices:
  • disable
  • enable
Enable/disable regular expression based pattern match.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_url_param_length
string
    Choices:
  • disable
  • enable
Maximum length of parameter in URL.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_version
string
    Choices:
  • disable
  • enable
Enable/disable HTTP version check.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_header_length_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_header_length_length
string
Length of HTTP header in bytes (0 to 2147483647).
constraint_header_length_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_header_length_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_header_length_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_hostname_action
string
    Choices:
  • allow
  • block
Action for a hostname constraint.
choice | allow | Allow.
choice | block | Block.
constraint_hostname_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_hostname_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_hostname_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_line_length_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_line_length_length
string
Length of HTTP line in bytes (0 to 2147483647).
constraint_line_length_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_line_length_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_line_length_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_malformed_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_malformed_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_malformed_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_malformed_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_cookie_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_max_cookie_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_cookie_max_cookie
string
Maximum number of cookies in HTTP request (0 to 2147483647).
constraint_max_cookie_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_max_cookie_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_header_line_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_max_header_line_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_header_line_max_header_line
string
Maximum number HTTP header lines (0 to 2147483647).
constraint_max_header_line_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_max_header_line_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_range_segment_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_max_range_segment_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_range_segment_max_range_segment
string
Maximum number of range segments in HTTP range line (0 to 2147483647).
constraint_max_range_segment_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_max_range_segment_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_url_param_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_max_url_param_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_url_param_max_url_param
string
Maximum number of parameters in URL (0 to 2147483647).
constraint_max_url_param_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_max_url_param_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_method_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_method_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_method_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_method_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_param_length_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_param_length_length
string
Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647).
constraint_param_length_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_param_length_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_param_length_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_url_param_length_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_url_param_length_length
string
Maximum length of URL parameter in bytes (0 to 2147483647).
constraint_url_param_length_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_url_param_length_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_url_param_length_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_version_action
string
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_version_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_version_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_version_status
string
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
extended_log
string
    Choices:
  • disable
  • enable
Enable/disable extended logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
external
string
    Choices:
  • disable
  • enable
Disable/Enable external HTTP Inspection.
choice | disable | Disable external inspection.
choice | enable | Enable external inspection.
method
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
method_default_allowed_methods
string
    Choices:
  • delete
  • get
  • head
  • options
  • post
  • put
  • trace
  • others
  • connect
Methods.
FLAG Based Options. Specify multiple in list form.
flag | delete | HTTP DELETE method.
flag | get | HTTP GET method.
flag | head | HTTP HEAD method.
flag | options | HTTP OPTIONS method.
flag | post | HTTP POST method.
flag | put | HTTP PUT method.
flag | trace | HTTP TRACE method.
flag | others | Other HTTP methods.
flag | connect | HTTP CONNECT method.
method_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
method_method_policy_address
string
Host address.
method_method_policy_allowed_methods
string
    Choices:
  • delete
  • get
  • head
  • options
  • post
  • put
  • trace
  • others
  • connect
Allowed Methods.
FLAG Based Options. Specify multiple in list form.
flag | delete | HTTP DELETE method.
flag | get | HTTP GET method.
flag | head | HTTP HEAD method.
flag | options | HTTP OPTIONS method.
flag | post | HTTP POST method.
flag | put | HTTP PUT method.
flag | trace | HTTP TRACE method.
flag | others | Other HTTP methods.
flag | connect | HTTP CONNECT method.
method_method_policy_pattern
string
URL pattern.
method_method_policy_regex
string
    Choices:
  • disable
  • enable
Enable/disable regular expression based pattern match.
choice | disable | Disable setting.
choice | enable | Enable setting.
method_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | low severity
choice | medium | medium severity
choice | high | High severity
method_status
string
    Choices:
  • disable
  • enable
Status.
choice | disable | Disable setting.
choice | enable | Enable setting.
mode
string
    Choices:
  • add ←
  • set
  • delete
  • update
Sets one of three modes for managing the object.
Allows use of soft-adds instead of overwriting existing values
name
string
WAF Profile name.
signature
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
signature_credit_card_detection_threshold
string
The minimum number of Credit cards to detect violation.
signature_custom_signature_action
string
    Choices:
  • allow
  • block
  • erase
Action.
choice | allow | Allow.
choice | block | Block.
choice | erase | Erase credit card numbers.
signature_custom_signature_case_sensitivity
string
    Choices:
  • disable
  • enable
Case sensitivity in pattern.
choice | disable | Case insensitive in pattern.
choice | enable | Case sensitive in pattern.
signature_custom_signature_direction
string
    Choices:
  • request
  • response
Traffic direction.
choice | request | Match HTTP request.
choice | response | Match HTTP response.
signature_custom_signature_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
signature_custom_signature_name
string
Signature name.
signature_custom_signature_pattern
string
Match pattern.
signature_custom_signature_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
signature_custom_signature_status
string
    Choices:
  • disable
  • enable
Status.
choice | disable | Disable setting.
choice | enable | Enable setting.
signature_custom_signature_target
string
    Choices:
  • arg
  • arg-name
  • req-body
  • req-cookie
  • req-cookie-name
  • req-filename
  • req-header
  • req-header-name
  • req-raw-uri
  • req-uri
  • resp-body
  • resp-hdr
  • resp-status
Match HTTP target.
FLAG Based Options. Specify multiple in list form.
flag | arg | HTTP arguments.
flag | arg-name | Names of HTTP arguments.
flag | req-body | HTTP request body.
flag | req-cookie | HTTP request cookies.
flag | req-cookie-name | HTTP request cookie names.
flag | req-filename | HTTP request file name.
flag | req-header | HTTP request headers.
flag | req-header-name | HTTP request header names.
flag | req-raw-uri | Raw URI of HTTP request.
flag | req-uri | URI of HTTP request.
flag | resp-body | HTTP response body.
flag | resp-hdr | HTTP response headers.
flag | resp-status | HTTP response status.
signature_disabled_signature
string
Disabled signatures
signature_disabled_sub_class
string
Disabled signature subclasses.
signature_main_class_action
string
    Choices:
  • allow
  • block
  • erase
Action.
choice | allow | Allow.
choice | block | Block.
choice | erase | Erase credit card numbers.
signature_main_class_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
signature_main_class_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
signature_main_class_status
string
    Choices:
  • disable
  • enable
Status.
choice | disable | Disable setting.
choice | enable | Enable setting.
url_access
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
url_access_access_pattern_negate
string
    Choices:
  • disable
  • enable
Enable/disable match negation.
choice | disable | Disable setting.
choice | enable | Enable setting.
url_access_access_pattern_pattern
string
URL pattern.
url_access_access_pattern_regex
string
    Choices:
  • disable
  • enable
Enable/disable regular expression based pattern match.
choice | disable | Disable setting.
choice | enable | Enable setting.
url_access_access_pattern_srcaddr
string
Source address.
url_access_action
string
    Choices:
  • bypass
  • permit
  • block
Action.
choice | bypass | Allow the HTTP request, also bypass further WAF scanning.
choice | permit | Allow the HTTP request, and continue further WAF scanning.
choice | block | Block HTTP request.
url_access_address
string
Host address.
url_access_log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
url_access_severity
string
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.

Examples

- name: DELETE Profile
  community.fortios.fmgr_secprof_waf:
    name: "Ansible_WAF_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "delete"

- name: CREATE Profile
  community.fortios.fmgr_secprof_waf:
    name: "Ansible_WAF_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "set"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
api_result
string
always
full API response, includes status code and message



Authors

  • Luke Weighall (@lweighall)

  • Andrew Welsh (@Ghilli3)

  • Jim Huber (@p4r4n0y1ng)