You are reading an unmaintained version of the Ansible documentation. Unmaintained Ansible versions can contain unfixed security vulnerabilities (CVE). Please upgrade to a maintained version. See the latest Ansible documentation.

fortinet.fortimanager.fmgr_waf_profile – Web application firewall configuration.

Note

This plugin is part of the fortinet.fortimanager collection (version 2.1.4).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_waf_profile.

New in version 2.10: of fortinet.fortimanager

Synopsis
Parameters
Notes
Examples
Return Values

Synopsis 

This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters 

Parameter	Comments
adom string / required	the parameter (adom) in requested url
bypass_validation boolean	only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters Choices: no ← (default) yes
enable_log boolean	Enable/Disable logging for task Choices: no ← (default) yes
proposed_method string	The overridden method for the underlying Json RPC request Choices: update set add
rc_failed list / elements=string	the rc codes list with which the conditions to fail will be overriden
rc_succeeded list / elements=string	the rc codes list with which the conditions to succeed will be overriden
state string / required	the directive to create, update or delete an object Choices: present absent
waf_profile dictionary	the top level parameters set
address-list dictionary	no description
blocked-address string	Blocked address.
blocked-log string	Enable/disable logging on blocked addresses. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Status. Choices: disable enable
trusted-address string	Trusted address.
comment string	Comment.
constraint dictionary	no description
content-length dictionary	no description
action string	Action. Choices: allow block
length integer	Length of HTTP content in bytes (0 to 2147483647).
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
exception list / elements=string	Exception.
address string	Host address.
content-length string	HTTP content length in request. Choices: disable enable
header-length string	HTTP header length in request. Choices: disable enable
hostname string	Enable/disable hostname check. Choices: disable enable
id integer	Exception ID.
line-length string	HTTP line length in request. Choices: disable enable
malformed string	Enable/disable malformed HTTP request check. Choices: disable enable
max-cookie string	Maximum number of cookies in HTTP request. Choices: disable enable
max-header-line string	Maximum number of HTTP header line. Choices: disable enable
max-range-segment string	Maximum number of range segments in HTTP range line. Choices: disable enable
max-url-param string	Maximum number of parameters in URL. Choices: disable enable
method string	Enable/disable HTTP method check. Choices: disable enable
param-length string	Maximum length of parameter in URL, HTTP POST request or HTTP body. Choices: disable enable
pattern string	URL pattern.
regex string	Enable/disable regular expression based pattern match. Choices: disable enable
url-param-length string	Maximum length of parameter in URL. Choices: disable enable
version string	Enable/disable HTTP version check. Choices: disable enable
header-length dictionary	no description
action string	Action. Choices: allow block
length integer	Length of HTTP header in bytes (0 to 2147483647).
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
hostname dictionary	no description
action string	Action. Choices: allow block
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
line-length dictionary	no description
action string	Action. Choices: allow block
length integer	Length of HTTP line in bytes (0 to 2147483647).
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
malformed dictionary	no description
action string	Action. Choices: allow block
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
max-cookie dictionary	no description
action string	Action. Choices: allow block
log string	Enable/disable logging. Choices: disable enable
max-cookie integer	Maximum number of cookies in HTTP request (0 to 2147483647).
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
max-header-line dictionary	no description
action string	Action. Choices: allow block
log string	Enable/disable logging. Choices: disable enable
max-header-line integer	Maximum number HTTP header lines (0 to 2147483647).
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
max-range-segment dictionary	no description
action string	Action. Choices: allow block
log string	Enable/disable logging. Choices: disable enable
max-range-segment integer	Maximum number of range segments in HTTP range line (0 to 2147483647).
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
max-url-param dictionary	no description
action string	Action. Choices: allow block
log string	Enable/disable logging. Choices: disable enable
max-url-param integer	Maximum number of parameters in URL (0 to 2147483647).
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
method dictionary	no description
action string	Action. Choices: allow block
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
param-length dictionary	no description
action string	Action. Choices: allow block
length integer	Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647).
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
url-param-length dictionary	no description
action string	Action. Choices: allow block
length integer	Maximum length of URL parameter in bytes (0 to 2147483647).
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
version dictionary	no description
action string	Action. Choices: allow block
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Enable/disable the constraint. Choices: disable enable
extended-log string	Enable/disable extended logging. Choices: disable enable
external string	Disable/Enable external HTTP Inspection. Choices: disable enable
method dictionary	no description
default-allowed-methods list / elements=string	Methods. Choices: delete get head options post put trace others connect
log string	Enable/disable logging. Choices: disable enable
method-policy list / elements=string	Method-Policy.
address string	Host address.
allowed-methods list / elements=string	Allowed Methods. Choices: delete get head options post put trace others connect
id integer	HTTP method policy ID.
pattern string	URL pattern.
regex string	Enable/disable regular expression based pattern match. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Status. Choices: disable enable
name string	WAF Profile name.
signature dictionary	no description
credit-card-detection-threshold integer	The minimum number of Credit cards to detect violation.
custom-signature list / elements=string	Custom-Signature.
action string	Action. Choices: allow block erase
case-sensitivity string	Case sensitivity in pattern. Choices: disable enable
direction string	Traffic direction. Choices: request response
log string	Enable/disable logging. Choices: disable enable
name string	Signature name.
pattern string	Match pattern.
severity string	Severity. Choices: low medium high
status string	Status. Choices: disable enable
target list / elements=string	Match HTTP target. Choices: arg arg-name req-body req-cookie req-cookie-name req-filename req-header req-header-name req-raw-uri req-uri resp-body resp-hdr resp-status
disabled-signature string	Disabled signatures
disabled-sub-class string	Disabled signature subclasses.
main-class dictionary	no description
action string	Action. Choices: allow block erase
id integer	Main signature class ID.
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
status string	Status. Choices: disable enable
url-access list / elements=string	Url-Access.
access-pattern list / elements=string	Access-Pattern.
id integer	URL access pattern ID.
negate string	Enable/disable match negation. Choices: disable enable
pattern string	URL pattern.
regex string	Enable/disable regular expression based pattern match. Choices: disable enable
srcaddr string	Source address.
action string	Action. Choices: bypass permit block
address string	Host address.
id integer	URL access ID.
log string	Enable/disable logging. Choices: disable enable
severity string	Severity. Choices: low medium high
workspace_locking_adom string	the adom to lock for FortiManager running in workspace mode, the value can be global and others including root
workspace_locking_timeout integer	the maximum time in seconds to wait for other user to release the workspace lock Default: 300

Notes 

Note

Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
To create or update an object, use state present directive.
To delete an object, use state absent directive.
Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples 

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Web application firewall configuration.
     fmgr_waf_profile:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        adom: <your own value>
        state: <value in [present, absent]>
        waf_profile:
           comment: <value of string>
           extended-log: <value in [disable, enable]>
           external: <value in [disable, enable]>
           name: <value of string>
           url-access:
             -
                 access-pattern:
                   -
                       id: <value of integer>
                       negate: <value in [disable, enable]>
                       pattern: <value of string>
                       regex: <value in [disable, enable]>
                       srcaddr: <value of string>
                 action: <value in [bypass, permit, block]>
                 address: <value of string>
                 id: <value of integer>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
           address-list:
              blocked-address: <value of string>
              blocked-log: <value in [disable, enable]>
              severity: <value in [low, medium, high]>
              status: <value in [disable, enable]>
              trusted-address: <value of string>
           constraint:
              content-length:
                 action: <value in [allow, block]>
                 length: <value of integer>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              exception:
                -
                    address: <value of string>
                    content-length: <value in [disable, enable]>
                    header-length: <value in [disable, enable]>
                    hostname: <value in [disable, enable]>
                    id: <value of integer>
                    line-length: <value in [disable, enable]>
                    malformed: <value in [disable, enable]>
                    max-cookie: <value in [disable, enable]>
                    max-header-line: <value in [disable, enable]>
                    max-range-segment: <value in [disable, enable]>
                    max-url-param: <value in [disable, enable]>
                    method: <value in [disable, enable]>
                    param-length: <value in [disable, enable]>
                    pattern: <value of string>
                    regex: <value in [disable, enable]>
                    url-param-length: <value in [disable, enable]>
                    version: <value in [disable, enable]>
              header-length:
                 action: <value in [allow, block]>
                 length: <value of integer>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              hostname:
                 action: <value in [allow, block]>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              line-length:
                 action: <value in [allow, block]>
                 length: <value of integer>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              malformed:
                 action: <value in [allow, block]>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              max-cookie:
                 action: <value in [allow, block]>
                 log: <value in [disable, enable]>
                 max-cookie: <value of integer>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              max-header-line:
                 action: <value in [allow, block]>
                 log: <value in [disable, enable]>
                 max-header-line: <value of integer>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              max-range-segment:
                 action: <value in [allow, block]>
                 log: <value in [disable, enable]>
                 max-range-segment: <value of integer>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              max-url-param:
                 action: <value in [allow, block]>
                 log: <value in [disable, enable]>
                 max-url-param: <value of integer>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              method:
                 action: <value in [allow, block]>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              param-length:
                 action: <value in [allow, block]>
                 length: <value of integer>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              url-param-length:
                 action: <value in [allow, block]>
                 length: <value of integer>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
              version:
                 action: <value in [allow, block]>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>
           method:
              default-allowed-methods:
                - delete
                - get
                - head
                - options
                - post
                - put
                - trace
                - others
                - connect
              log: <value in [disable, enable]>
              method-policy:
                -
                    address: <value of string>
                    allowed-methods:
                      - delete
                      - get
                      - head
                      - options
                      - post
                      - put
                      - trace
                      - others
                      - connect
                    id: <value of integer>
                    pattern: <value of string>
                    regex: <value in [disable, enable]>
              severity: <value in [low, medium, high]>
              status: <value in [disable, enable]>
           signature:
              credit-card-detection-threshold: <value of integer>
              custom-signature:
                -
                    action: <value in [allow, block, erase]>
                    case-sensitivity: <value in [disable, enable]>
                    direction: <value in [request, response]>
                    log: <value in [disable, enable]>
                    name: <value of string>
                    pattern: <value of string>
                    severity: <value in [low, medium, high]>
                    status: <value in [disable, enable]>
                    target:
                      - arg
                      - arg-name
                      - req-body
                      - req-cookie
                      - req-cookie-name
                      - req-filename
                      - req-header
                      - req-header-name
                      - req-raw-uri
                      - req-uri
                      - resp-body
                      - resp-hdr
                      - resp-status
              disabled-signature: <value of string>
              disabled-sub-class: <value of string>
              main-class:
                 action: <value in [allow, block, erase]>
                 id: <value of integer>
                 log: <value in [disable, enable]>
                 severity: <value in [low, medium, high]>
                 status: <value in [disable, enable]>

Return Values 

Common return values are documented here, the following are the fields unique to this module:

Key	Description
request_url string	The full url requested Returned: always Sample: “/sys/login/user”
response_code integer	The status of api request Returned: always Sample: 0
response_message string	The descriptive message of the api response Returned: always Sample: “OK.”

Authors

Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Frank Shen (@fshen01)
Hongbin Lu (@fgtdev-hblu)

fortinet.fortimanager.fmgr_waf_profile – Web application firewall configuration.

Synopsis

Parameters

Notes

Examples

Return Values