fortios_webfilter_profile – Configure Web filter profiles in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

• This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify webfilter feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements

The below requirements are needed on the host that executes this module.

• fortiosapi>=0.9.8

Parameters

Parameter					Choices/Defaults	Comments
host string						FortiOS or FortiGate IP address.
https boolean					Choices: no yes ←	Indicates if the requests towards FortiGate must use HTTPS protocol.
password string					Default: ""	FortiOS or FortiGate password.
ssl_verify boolean added in 2.9					Choices: no yes ←	Ensures FortiGate certificate must be verified by a proper CA.
state string added in 2.9					Choices: present absent	Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
username string						FortiOS or FortiGate username.
vdom string					Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
webfilter_profile dictionary					Default: null	Configure Web filter profiles.
	comment string					Optional comments.
	extended_log string				Choices: enable disable	Enable/disable extended logging for web filtering.
	ftgd_wf dictionary					FortiGuard Web Filter settings.
		exempt_quota string				Do not stop quota for these categories.
		filters list				FortiGuard filters.
			action string		Choices: block authenticate monitor warning	Action to take for matches.
			auth_usr_grp string			Groups with permission to authenticate.
				name string / required		User group name. Source user.group.name.
			category integer			Categories and groups the filter examines.
			id integer / required			ID number.
			log string		Choices: enable disable	Enable/disable logging.
			override_replacemsg string			Override replacement message.
			warn_duration string			Duration of warnings.
			warning_duration_type string		Choices: session timeout	Re-display warning after closing browser or after a timeout.
			warning_prompt string		Choices: per-domain per-category	Warning prompts in each category or each domain.
		max_quota_timeout integer				Maximum FortiGuard quota used by single page view in seconds (excludes streams).
		options string			Choices: error-allow rate-server-ip connect-request-bypass ftgd-disable	Options for FortiGuard Web Filter.
		ovrd string				Allow web filter profile overrides.
		quota list				FortiGuard traffic quota settings.
			category string			FortiGuard categories to apply quota to (category action must be set to monitor).
			duration string			Duration of quota.
			id integer / required			ID number.
			override_replacemsg string			Override replacement message.
			type string		Choices: time traffic	Quota type.
			unit string		Choices: B KB MB GB	Traffic quota unit of measurement.
			value integer			Traffic quota value.
		rate_crl_urls string			Choices: disable enable	Enable/disable rating CRL by URL.
		rate_css_urls string			Choices: disable enable	Enable/disable rating CSS by URL.
		rate_image_urls string			Choices: disable enable	Enable/disable rating images by URL.
		rate_javascript_urls string			Choices: disable enable	Enable/disable rating JavaScript by URL.
	https_replacemsg string				Choices: enable disable	Enable replacement messages for HTTPS.
	inspection_mode string				Choices: proxy flow-based	Web filtering inspection mode.
	log_all_url string				Choices: enable disable	Enable/disable logging all URLs visited.
	name string / required					Profile name.
	options string				Choices: activexfilter cookiefilter javafilter block-invalid-url jscript js vbs unknown intrinsic wf-referer wf-cookie per-user-bwl	Options.
	override dictionary					Web Filter override settings.
		ovrd_cookie string			Choices: allow deny	Allow/deny browser-based (cookie) overrides.
		ovrd_dur string				Override duration.
		ovrd_dur_mode string			Choices: constant ask	Override duration mode.
		ovrd_scope string			Choices: user user-group ip browser ask	Override scope.
		ovrd_user_group string				User groups with permission to use the override.
			name string / required			User group name. Source user.group.name.
		profile list				Web filter profile with permission to create overrides.
			name string / required			Web profile. Source webfilter.profile.name.
		profile_attribute string			Choices: User-Name NAS-IP-Address Framed-IP-Address Framed-IP-Netmask Filter-Id Login-IP-Host Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network Class Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Zone Acct-Session-Id Acct-Multi-Session-Id	Profile attribute to retrieve from the RADIUS server.
		profile_type string			Choices: list radius	Override profile type.
	ovrd_perm string				Choices: bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override	Permitted override types.
	post_action string				Choices: normal block	Action taken for HTTP POST traffic.
	replacemsg_group string					Replacement message group. Source system.replacemsg-group.name.
	state string				Choices: present absent	Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object.
	web dictionary					Web content filtering settings.
		blacklist string			Choices: enable disable	Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
		bword_table integer				Banned word table ID. Source webfilter.content.id.
		bword_threshold integer				Banned word score threshold.
		content_header_list integer				Content header list. Source webfilter.content-header.id.
		keyword_match string				Search keywords to log when match is found.
			pattern string / required			Pattern/keyword to search for.
		log_search string			Choices: enable disable	Enable/disable logging all search phrases.
		safe_search string			Choices: url header	Safe search type.
		urlfilter_table integer				URL filter table ID. Source webfilter.urlfilter.id.
		whitelist string			Choices: exempt-av exempt-webcontent exempt-activex-java-cookie exempt-dlp exempt-rangeblock extended-log-others	FortiGuard whitelist settings.
		youtube_restrict string			Choices: none strict moderate	YouTube EDU filter level.
	web_content_log string				Choices: enable disable	Enable/disable logging logging blocked web content.
	web_extended_all_action_log string				Choices: enable disable	Enable/disable extended any filter action logging for web filtering.
	web_filter_activex_log string				Choices: enable disable	Enable/disable logging ActiveX.
	web_filter_applet_log string				Choices: enable disable	Enable/disable logging Java applets.
	web_filter_command_block_log string				Choices: enable disable	Enable/disable logging blocked commands.
	web_filter_cookie_log string				Choices: enable disable	Enable/disable logging cookie filtering.
	web_filter_cookie_removal_log string				Choices: enable disable	Enable/disable logging blocked cookies.
	web_filter_js_log string				Choices: enable disable	Enable/disable logging Java scripts.
	web_filter_jscript_log string				Choices: enable disable	Enable/disable logging JScripts.
	web_filter_referer_log string				Choices: enable disable	Enable/disable logging referrers.
	web_filter_unknown_log string				Choices: enable disable	Enable/disable logging unknown scripts.
	web_filter_vbs_log string				Choices: enable disable	Enable/disable logging VBS scripts.
	web_ftgd_err_log string				Choices: enable disable	Enable/disable logging rating errors.
	web_ftgd_quota_usage string				Choices: enable disable	Enable/disable logging daily quota usage.
	web_invalid_domain_log string				Choices: enable disable	Enable/disable logging invalid domain names.
	web_url_log string				Choices: enable disable	Enable/disable logging URL filtering.
	wisp string				Choices: enable disable	Enable/disable web proxy WISP.
	wisp_algorithm string				Choices: primary-secondary round-robin auto-learning	WISP server selection algorithm.
	wisp_servers list					WISP servers.
		name string / required				Server name. Source web-proxy.wisp.name.
	youtube_channel_filter list					YouTube channel filter.
		channel_id string				YouTube channel ID to be filtered.
		comment string				Comment.
		id integer / required				ID.
	youtube_channel_status string				Choices: disable blacklist whitelist	YouTube channel filter status.

Notes

Note

• Requires fortiosapi library developed by Fortinet
• Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Configure Web filter profiles.
    fortios_webfilter_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      state: "present"
      webfilter_profile:
        comment: "Optional comments."
        extended_log: "enable"
        ftgd_wf:
            exempt_quota: "<your_own_value>"
            filters:
             -
                action: "block"
                auth_usr_grp:
                 -
                    name: "default_name_10 (source user.group.name)"
                category: "11"
                id:  "12"
                log: "enable"
                override_replacemsg: "<your_own_value>"
                warn_duration: "<your_own_value>"
                warning_duration_type: "session"
                warning_prompt: "per-domain"
            max_quota_timeout: "18"
            options: "error-allow"
            ovrd: "<your_own_value>"
            quota:
             -
                category: "<your_own_value>"
                duration: "<your_own_value>"
                id:  "24"
                override_replacemsg: "<your_own_value>"
                type: "time"
                unit: "B"
                value: "28"
            rate_crl_urls: "disable"
            rate_css_urls: "disable"
            rate_image_urls: "disable"
            rate_javascript_urls: "disable"
        https_replacemsg: "enable"
        inspection_mode: "proxy"
        log_all_url: "enable"
        name: "default_name_36"
        options: "activexfilter"
        override:
            ovrd_cookie: "allow"
            ovrd_dur: "<your_own_value>"
            ovrd_dur_mode: "constant"
            ovrd_scope: "user"
            ovrd_user_group:
             -
                name: "default_name_44 (source user.group.name)"
            profile:
             -
                name: "default_name_46 (source webfilter.profile.name)"
            profile_attribute: "User-Name"
            profile_type: "list"
        ovrd_perm: "bannedword-override"
        post_action: "normal"
        replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
        web:
            blacklist: "enable"
            bword_table: "54 (source webfilter.content.id)"
            bword_threshold: "55"
            content_header_list: "56 (source webfilter.content-header.id)"
            keyword_match:
             -
                pattern: "<your_own_value>"
            log_search: "enable"
            safe_search: "url"
            urlfilter_table: "61 (source webfilter.urlfilter.id)"
            whitelist: "exempt-av"
            youtube_restrict: "none"
        web_content_log: "enable"
        web_extended_all_action_log: "enable"
        web_filter_activex_log: "enable"
        web_filter_applet_log: "enable"
        web_filter_command_block_log: "enable"
        web_filter_cookie_log: "enable"
        web_filter_cookie_removal_log: "enable"
        web_filter_js_log: "enable"
        web_filter_jscript_log: "enable"
        web_filter_referer_log: "enable"
        web_filter_unknown_log: "enable"
        web_filter_vbs_log: "enable"
        web_ftgd_err_log: "enable"
        web_ftgd_quota_usage: "enable"
        web_invalid_domain_log: "enable"
        web_url_log: "enable"
        wisp: "enable"
        wisp_algorithm: "primary-secondary"
        wisp_servers:
         -
            name: "default_name_83 (source web-proxy.wisp.name)"
        youtube_channel_filter:
         -
            channel_id: "<your_own_value>"
            comment: "Comment."
            id:  "87"
        youtube_channel_status: "disable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Status

• This module is not guaranteed to have a backwards compatible interface. [preview]
• This module is maintained by the Ansible Community. [community]

Authors

• Miguel Angel Munoz (@mamunozgonzalez)
• Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.