fmgr_secprof_web – Manage web filter security profiles in FortiManager¶
New in version 2.8.
Synopsis¶
Manage web filter security profiles in FortiManager through playbooks using the FMG API
Parameters¶
Parameter | Choices/Defaults | Comments |
---|---|---|
adom
-
|
Default: "root"
|
The ADOM the configuration should belong to.
|
comment
-
|
Optional comments.
|
|
extended_log
-
|
|
Enable/disable extended logging for web filtering.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
ftgd_wf
-
|
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
|
|
ftgd_wf_exempt_quota
-
|
Do not stop quota for these categories.
|
|
ftgd_wf_filters_action
-
|
|
Action to take for matches.
choice | block | Block access.
choice | monitor | Allow access while logging the action.
choice | warning | Allow access after warning the user.
choice | authenticate | Authenticate user before allowing access.
|
ftgd_wf_filters_auth_usr_grp
-
|
Groups with permission to authenticate.
|
|
ftgd_wf_filters_category
-
|
Categories and groups the filter examines.
|
|
ftgd_wf_filters_log
-
|
|
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
ftgd_wf_filters_override_replacemsg
-
|
Override replacement message.
|
|
ftgd_wf_filters_warn_duration
-
|
Duration of warnings.
|
|
ftgd_wf_filters_warning_duration_type
-
|
|
Re-display warning after closing browser or after a timeout.
choice | session | After session ends.
choice | timeout | After timeout occurs.
|
ftgd_wf_filters_warning_prompt
-
|
|
Warning prompts in each category or each domain.
choice | per-domain | Per-domain warnings.
choice | per-category | Per-category warnings.
|
ftgd_wf_max_quota_timeout
-
|
Maximum FortiGuard quota used by single page view in seconds (excludes streams).
|
|
ftgd_wf_options
-
|
|
Options for FortiGuard Web Filter.
FLAG Based Options. Specify multiple in list form.
flag | error-allow | Allow web pages with a rating error to pass through.
flag | rate-server-ip | Rate the server IP in addition to the domain name.
flag | connect-request-bypass | Bypass connection which has CONNECT request.
flag | ftgd-disable | Disable FortiGuard scanning.
|
ftgd_wf_ovrd
-
|
Allow web filter profile overrides.
|
|
ftgd_wf_quota_category
-
|
FortiGuard categories to apply quota to (category action must be set to monitor).
|
|
ftgd_wf_quota_duration
-
|
Duration of quota.
|
|
ftgd_wf_quota_override_replacemsg
-
|
Override replacement message.
|
|
ftgd_wf_quota_type
-
|
|
Quota type.
choice | time | Use a time-based quota.
choice | traffic | Use a traffic-based quota.
|
ftgd_wf_quota_unit
-
|
|
Traffic quota unit of measurement.
choice | B | Quota in bytes.
choice | KB | Quota in kilobytes.
choice | MB | Quota in megabytes.
choice | GB | Quota in gigabytes.
|
ftgd_wf_quota_value
-
|
Traffic quota value.
|
|
ftgd_wf_rate_crl_urls
-
|
|
Enable/disable rating CRL by URL.
choice | disable | Disable rating CRL by URL.
choice | enable | Enable rating CRL by URL.
|
ftgd_wf_rate_css_urls
-
|
|
Enable/disable rating CSS by URL.
choice | disable | Disable rating CSS by URL.
choice | enable | Enable rating CSS by URL.
|
ftgd_wf_rate_image_urls
-
|
|
Enable/disable rating images by URL.
choice | disable | Disable rating images by URL (blocked images are replaced with blanks).
choice | enable | Enable rating images by URL (blocked images are replaced with blanks).
|
ftgd_wf_rate_javascript_urls
-
|
|
Enable/disable rating JavaScript by URL.
choice | disable | Disable rating JavaScript by URL.
choice | enable | Enable rating JavaScript by URL.
|
https_replacemsg
-
|
|
Enable replacement messages for HTTPS.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
inspection_mode
-
|
|
Web filtering inspection mode.
choice | proxy | Proxy.
choice | flow-based | Flow based.
|
log_all_url
-
|
|
Enable/disable logging all URLs visited.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
mode
-
|
|
Sets one of three modes for managing the object.
Allows use of soft-adds instead of overwriting existing values
|
name
-
|
Profile name.
|
|
options
-
|
|
FLAG Based Options. Specify multiple in list form.
flag | block-invalid-url | Block sessions contained an invalid domain name.
flag | jscript | Javascript block.
flag | js | JS block.
flag | vbs | VB script block.
flag | unknown | Unknown script block.
flag | wf-referer | Referring block.
flag | intrinsic | Intrinsic script block.
flag | wf-cookie | Cookie block.
flag | per-user-bwl | Per-user black/white list filter
flag | activexfilter | ActiveX filter.
flag | cookiefilter | Cookie filter.
flag | javafilter | Java applet filter.
|
override
-
|
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
|
|
override_ovrd_cookie
-
|
|
Allow/deny browser-based (cookie) overrides.
choice | deny | Deny browser-based (cookie) override.
choice | allow | Allow browser-based (cookie) override.
|
override_ovrd_dur
-
|
Override duration.
|
|
override_ovrd_dur_mode
-
|
|
Override duration mode.
choice | constant | Constant mode.
choice | ask | Prompt for duration when initiating an override.
|
override_ovrd_scope
-
|
|
Override scope.
choice | user | Override for the user.
choice | user-group | Override for the user's group.
choice | ip | Override for the initiating IP.
choice | ask | Prompt for scope when initiating an override.
choice | browser | Create browser-based (cookie) override.
|
override_ovrd_user_group
-
|
User groups with permission to use the override.
|
|
override_profile
-
|
Web filter profile with permission to create overrides.
|
|
override_profile_attribute
-
|
|
Profile attribute to retrieve from the RADIUS server.
choice | User-Name | Use this attribute.
choice | NAS-IP-Address | Use this attribute.
choice | Framed-IP-Address | Use this attribute.
choice | Framed-IP-Netmask | Use this attribute.
choice | Filter-Id | Use this attribute.
choice | Login-IP-Host | Use this attribute.
choice | Reply-Message | Use this attribute.
choice | Callback-Number | Use this attribute.
choice | Callback-Id | Use this attribute.
choice | Framed-Route | Use this attribute.
choice | Framed-IPX-Network | Use this attribute.
choice | Class | Use this attribute.
choice | Called-Station-Id | Use this attribute.
choice | Calling-Station-Id | Use this attribute.
choice | NAS-Identifier | Use this attribute.
choice | Proxy-State | Use this attribute.
choice | Login-LAT-Service | Use this attribute.
choice | Login-LAT-Node | Use this attribute.
choice | Login-LAT-Group | Use this attribute.
choice | Framed-AppleTalk-Zone | Use this attribute.
choice | Acct-Session-Id | Use this attribute.
choice | Acct-Multi-Session-Id | Use this attribute.
|
override_profile_type
-
|
|
Override profile type.
choice | list | Profile chosen from list.
choice | radius | Profile determined by RADIUS server.
|
ovrd_perm
-
|
|
FLAG Based Options. Specify multiple in list form.
flag | bannedword-override | Banned word override.
flag | urlfilter-override | URL filter override.
flag | fortiguard-wf-override | FortiGuard Web Filter override.
flag | contenttype-check-override | Content-type header override.
|
post_action
-
|
|
Action taken for HTTP POST traffic.
choice | normal | Normal, POST requests are allowed.
choice | block | POST requests are blocked.
|
replacemsg_group
-
|
Replacement message group.
|
|
url_extraction
-
|
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
|
|
url_extraction_redirect_header
-
|
HTTP header name to use for client redirect on blocked requests
|
|
url_extraction_redirect_no_content
-
|
|
Enable / Disable empty message-body entity in HTTP response
choice | disable | Disable setting.
choice | enable | Enable setting.
|
url_extraction_redirect_url
-
|
HTTP header value to use for client redirect on blocked requests
|
|
url_extraction_server_fqdn
-
|
URL extraction server FQDN (fully qualified domain name)
|
|
url_extraction_status
-
|
|
Enable URL Extraction
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web
-
|
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
|
|
web_blacklist
-
|
|
Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_bword_table
-
|
Banned word table ID.
|
|
web_bword_threshold
-
|
Banned word score threshold.
|
|
web_content_header_list
-
|
Content header list.
|
|
web_content_log
-
|
|
Enable/disable logging logging blocked web content.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_extended_all_action_log
-
|
|
Enable/disable extended any filter action logging for web filtering.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_filter_activex_log
-
|
|
Enable/disable logging ActiveX.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_filter_applet_log
-
|
|
Enable/disable logging Java applets.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_filter_command_block_log
-
|
|
Enable/disable logging blocked commands.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_filter_cookie_log
-
|
|
Enable/disable logging cookie filtering.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_filter_cookie_removal_log
-
|
|
Enable/disable logging blocked cookies.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_filter_js_log
-
|
|
Enable/disable logging Java scripts.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_filter_jscript_log
-
|
|
Enable/disable logging JScripts.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_filter_referer_log
-
|
|
Enable/disable logging referrers.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_filter_unknown_log
-
|
|
Enable/disable logging unknown scripts.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_filter_vbs_log
-
|
|
Enable/disable logging VBS scripts.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_ftgd_err_log
-
|
|
Enable/disable logging rating errors.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_ftgd_quota_usage
-
|
|
Enable/disable logging daily quota usage.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_invalid_domain_log
-
|
|
Enable/disable logging invalid domain names.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_keyword_match
-
|
Search keywords to log when match is found.
|
|
web_log_search
-
|
|
Enable/disable logging all search phrases.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_safe_search
-
|
|
Safe search type.
FLAG Based Options. Specify multiple in list form.
flag | url | Insert safe search string into URL.
flag | header | Insert safe search header.
|
web_url_log
-
|
|
Enable/disable logging URL filtering.
choice | disable | Disable setting.
choice | enable | Enable setting.
|
web_urlfilter_table
-
|
URL filter table ID.
|
|
web_whitelist
-
|
|
FortiGuard whitelist settings.
FLAG Based Options. Specify multiple in list form.
flag | exempt-av | Exempt antivirus.
flag | exempt-webcontent | Exempt web content.
flag | exempt-activex-java-cookie | Exempt ActiveX-JAVA-Cookie.
flag | exempt-dlp | Exempt DLP.
flag | exempt-rangeblock | Exempt RangeBlock.
flag | extended-log-others | Support extended log.
|
web_youtube_restrict
-
|
|
YouTube EDU filter level.
choice | strict | Strict access for YouTube.
choice | none | Full access for YouTube.
choice | moderate | Moderate access for YouTube.
|
wisp
-
|
|
Enable/disable web proxy WISP.
choice | disable | Disable web proxy WISP.
choice | enable | Enable web proxy WISP.
|
wisp_algorithm
-
|
|
WISP server selection algorithm.
choice | auto-learning | Select the lightest loading healthy server.
choice | primary-secondary | Select the first healthy server in order.
choice | round-robin | Select the next healthy server.
|
wisp_servers
-
|
WISP servers.
|
|
youtube_channel_filter
-
|
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
|
|
youtube_channel_filter_channel_id
-
|
YouTube channel ID to be filtered.
|
|
youtube_channel_filter_comment
-
|
Comment.
|
|
youtube_channel_status
-
|
|
YouTube channel filter status.
choice | disable | Disable YouTube channel filter.
choice | blacklist | Block matches.
choice | whitelist | Allow matches.
|
Notes¶
Note
Full Documentation at https://ftnt-ansible-docs.readthedocs.io/en/latest/.
Examples¶
- name: DELETE Profile
fmgr_secprof_web:
name: "Ansible_Web_Filter_Profile"
mode: "delete"
- name: CREATE Profile
fmgr_secprof_web:
name: "Ansible_Web_Filter_Profile"
comment: "Created by Ansible Module TEST"
mode: "set"
extended_log: "enable"
inspection_mode: "proxy"
log_all_url: "enable"
options: "js"
ovrd_perm: "bannedword-override"
post_action: "block"
web_content_log: "enable"
web_extended_all_action_log: "enable"
web_filter_activex_log: "enable"
web_filter_applet_log: "enable"
web_filter_command_block_log: "enable"
web_filter_cookie_log: "enable"
web_filter_cookie_removal_log: "enable"
web_filter_js_log: "enable"
web_filter_jscript_log: "enable"
web_filter_referer_log: "enable"
web_filter_unknown_log: "enable"
web_filter_vbs_log: "enable"
web_ftgd_err_log: "enable"
web_ftgd_quota_usage: "enable"
web_invalid_domain_log: "enable"
web_url_log: "enable"
wisp: "enable"
wisp_algorithm: "auto-learning"
youtube_channel_status: "blacklist"
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
api_result
string
|
always |
full API response, includes status code and message
|
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]