fortinet.fortimanager.fmgr_webfilter_profile module – Configure Web filter profiles.
Note
This module is part of the fortinet.fortimanager collection (version 2.4.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortimanager.
To use it in a playbook, specify: fortinet.fortimanager.fmgr_webfilter_profile.
New in fortinet.fortimanager 1.0.0
Synopsis
This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.
Parameters
Parameter |
Comments |
|---|---|
The token to access FortiManager without using username and password. |
|
The parameter (adom) in requested url. |
|
Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. Choices:
|
|
Enable/Disable logging for task. Choices:
|
|
Authenticate Ansible client with forticloud API access token. |
|
The overridden method for the underlying Json RPC request. Choices:
|
|
The rc codes list with which the conditions to fail will be overriden. |
|
The rc codes list with which the conditions to succeed will be overriden. |
|
The directive to create, update or delete an object. Choices:
|
|
The top level parameters set. |
|
No description. |
|
Authentication methods. Choices:
|
|
Deprecated, please rename it to check_basic_auth. Enable/disable checking of HTTP Basic Auth field for known crede… Choices:
|
|
Deprecated, please rename it to check_uri. Enable/disable checking of GET URI parameters for known credentials. Choices:
|
|
Deprecated, please rename it to check_username_only. Enable/disable acting only on valid username credentials. Choices:
|
|
Deprecated, please rename it to custom_patterns. Custom-Patterns. |
|
Category that the pattern matches. Choices:
|
|
Target pattern. |
|
Pattern will be treated either as a regex pattern or literal string. Choices:
|
|
Deprecated, please rename it to default_action. Action to be taken when there is no matching rule. Choices:
|
|
Deprecated, please rename it to domain_controller. Domain for which to verify received credentials against. |
|
Deprecated, please rename it to inspection_entries. Inspection-Entries. |
|
Action to be taken upon an AntiPhishing match. Choices:
|
|
(list) Deprecated, please rename it to fortiguard_category. FortiGuard category to match. |
|
Inspection target name. |
|
LDAP server for which to verify received credentials against. |
|
Deprecated, please rename it to max_body_len. Maximum size of a POST body to check for credentials. |
|
Toggle AntiPhishing functionality. Choices:
|
|
Optional comments. |
|
Deprecated, please rename it to extended_log. Enable/disable extended logging for web filtering. Choices:
|
|
Deprecated, please rename it to feature_set. Flow/proxy feature set. Choices:
|
|
Deprecated, please rename it to file_filter. |
|
No description. |
|
Action taken for matched file. Choices:
|
|
Comment. |
|
Match files transmitted in the sessions originating or reply direction. Choices:
|
|
No description. Choices:
|
|
(list) Deprecated, please rename it to file_type. |
|
Add a file filter. |
|
Deprecated, please rename it to password_protected. Match password-protected files. Choices:
|
|
No description. Choices:
|
|
Enable/disable file filter logging. Choices:
|
|
Deprecated, please rename it to scan_archive_contents. Enable/disable file filter archive contents scan. Choices:
|
|
Enable/disable file filter. Choices:
|
|
Deprecated, please rename it to ftgd_wf. |
|
Deprecated, please rename it to category_override. Local categories take precedence over FortiGuard categories. |
|
(list or str) Deprecated, please rename it to exempt_quota. Do not stop quota for these categories. |
|
Filters. |
|
Action to take for matches. Choices:
|
|
(list or str) Deprecated, please rename it to auth_usr_grp. Groups with permission to authenticate. |
|
Categories and groups the filter examines. |
|
ID number. |
|
Enable/disable logging. Choices:
|
|
Deprecated, please rename it to override_replacemsg. Override replacement message. |
|
Deprecated, please rename it to warn_duration. Duration of warnings. |
|
Deprecated, please rename it to warning_duration_type. Re-display warning after closing browser or after a… Choices:
|
|
Deprecated, please rename it to warning_prompt. Warning prompts in each category or each domain. Choices:
|
|
Deprecated, please rename it to max_quota_timeout. Maximum FortiGuard quota used by single page view in seconds |
|
Options for FortiGuard Web Filter. Choices:
|
|
(list or str) Allow web filter profile overrides. |
|
Quota. |
|
(list or str) FortiGuard categories to apply quota to |
|
Duration of quota. |
|
ID number. |
|
Deprecated, please rename it to override_replacemsg. Override replacement message. |
|
Quota type. Choices:
|
|
Traffic quota unit of measurement. Choices:
|
|
Traffic quota value. |
|
Deprecated, please rename it to rate_crl_urls. Enable/disable rating CRL by URL. Choices:
|
|
Deprecated, please rename it to rate_css_urls. Enable/disable rating CSS by URL. Choices:
|
|
Deprecated, please rename it to rate_image_urls. Enable/disable rating images by URL. Choices:
|
|
Deprecated, please rename it to rate_javascript_urls. Enable/disable rating JavaScript by URL. Choices:
|
|
Deprecated, please rename it to https_replacemsg. Enable replacement messages for HTTPS. Choices:
|
|
Deprecated, please rename it to inspection_mode. Web filtering inspection mode. Choices:
|
|
Deprecated, please rename it to log_all_url. Enable/disable logging all URLs visited. Choices:
|
|
Profile name. |
|
Options. Choices:
|
|
No description. |
|
Deprecated, please rename it to ovrd_cookie. Allow/deny browser-based Choices:
|
|
Deprecated, please rename it to ovrd_dur. Override duration. |
|
Deprecated, please rename it to ovrd_dur_mode. Override duration mode. Choices:
|
|
Deprecated, please rename it to ovrd_scope. Override scope. Choices:
|
|
(list or str) Deprecated, please rename it to ovrd_user_group. User groups with permission to use the override. |
|
(list or str) Web filter profile with permission to create overrides. |
|
Deprecated, please rename it to profile_attribute. Profile attribute to retrieve from the RADIUS server. Choices:
|
|
Deprecated, please rename it to profile_type. Override profile type. Choices:
|
|
Deprecated, please rename it to ovrd_perm. Permitted override types. Choices:
|
|
Deprecated, please rename it to post_action. Action taken for HTTP POST traffic. Choices:
|
|
Deprecated, please rename it to replacemsg_group. Replacement message group. |
|
Deprecated, please rename it to url_extraction. |
|
Deprecated, please rename it to redirect_header. HTTP header name to use for client redirect on blocked requests |
|
Deprecated, please rename it to redirect_no_content. Enable / Disable empty message-body entity in HTTP response Choices:
|
|
Deprecated, please rename it to redirect_url. HTTP header value to use for client redirect on blocked requests |
|
Deprecated, please rename it to server_fqdn. URL extraction server FQDN |
|
Enable URL Extraction Choices:
|
|
No description. |
|
FortiGuard allowlist settings. Choices:
|
|
Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist. Choices:
|
|
Enable/disable automatic addition of URLs detected by FortiSandbox to blocklist. Choices:
|
|
Deprecated, please rename it to bword_table. Banned word table ID. |
|
Deprecated, please rename it to bword_threshold. Banned word score threshold. |
|
Deprecated, please rename it to content_header_list. Content header list. |
|
(list) Deprecated, please rename it to keyword_match. Search keywords to log when match is found. |
|
Deprecated, please rename it to log_search. Enable/disable logging all search phrases. Choices:
|
|
Deprecated, please rename it to safe_search. Safe search type. Choices:
|
|
Deprecated, please rename it to urlfilter_table. URL filter table ID. |
|
Deprecated, please rename it to vimeo_restrict. Set Vimeo-restrict |
|
FortiGuard whitelist settings. Choices:
|
|
Deprecated, please rename it to youtube_restrict. YouTube EDU filter level. Choices:
|
|
Deprecated, please rename it to web_antiphishing_log. Enable/disable logging of AntiPhishing checks. Choices:
|
|
Deprecated, please rename it to web_content_log. Enable/disable logging logging blocked web content. Choices:
|
|
Deprecated, please rename it to web_extended_all_action_log. Enable/disable extended any filter action logging for web fil… Choices:
|
|
Deprecated, please rename it to web_filter_activex_log. Enable/disable logging ActiveX. Choices:
|
|
Deprecated, please rename it to web_filter_applet_log. Enable/disable logging Java applets. Choices:
|
|
Deprecated, please rename it to web_filter_command_block_log. Enable/disable logging blocked commands. Choices:
|
|
Deprecated, please rename it to web_filter_cookie_log. Enable/disable logging cookie filtering. Choices:
|
|
Deprecated, please rename it to web_filter_cookie_removal_log. Enable/disable logging blocked cookies. Choices:
|
|
Deprecated, please rename it to web_filter_js_log. Enable/disable logging Java scripts. Choices:
|
|
Deprecated, please rename it to web_filter_jscript_log. Enable/disable logging JScripts. Choices:
|
|
Deprecated, please rename it to web_filter_referer_log. Enable/disable logging referrers. Choices:
|
|
Deprecated, please rename it to web_filter_unknown_log. Enable/disable logging unknown scripts. Choices:
|
|
Deprecated, please rename it to web_filter_vbs_log. Enable/disable logging VBS scripts. Choices:
|
|
Deprecated, please rename it to web_flow_log_encoding. Log encoding in flow mode. Choices:
|
|
Deprecated, please rename it to web_ftgd_err_log. Enable/disable logging rating errors. Choices:
|
|
Deprecated, please rename it to web_ftgd_quota_usage. Enable/disable logging daily quota usage. Choices:
|
|
Deprecated, please rename it to web_invalid_domain_log. Enable/disable logging invalid domain names. Choices:
|
|
Deprecated, please rename it to web_url_log. Enable/disable logging URL filtering. Choices:
|
|
Enable/disable web proxy WISP. Choices:
|
|
Deprecated, please rename it to wisp_algorithm. WISP server selection algorithm. Choices:
|
|
(list or str) Deprecated, please rename it to wisp_servers. WISP servers. |
|
Deprecated, please rename it to youtube_channel_filter. Youtube-Channel-Filter. |
|
Deprecated, please rename it to channel_id. YouTube channel ID to be filtered. |
|
Comment. |
|
ID. |
|
Deprecated, please rename it to youtube_channel_status. YouTube channel filter status. Choices:
|
|
The adom to lock for FortiManager running in workspace mode, the value can be global and others including root. |
|
The maximum time in seconds to wait for other user to release the workspace lock. Default: |
Notes
Note
Starting in version 2.4.0, all input arguments are named using the underscore naming convention (snake_case). Please change the arguments such as “var-name” to “var_name”. Old argument names are still available yet you will receive deprecation warnings. You can ignore this warning by setting deprecation_warnings=False in ansible.cfg.
Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
To create or update an object, use state present directive.
To delete an object, use state absent directive.
Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded
Examples
- name: Example playbook (generated based on argument schema)
hosts: fortimanagers
connection: httpapi
vars:
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
ansible_httpapi_port: 443
tasks:
- name: Configure Web filter profiles.
fortinet.fortimanager.fmgr_webfilter_profile:
# bypass_validation: false
workspace_locking_adom: <value in [global, custom adom including root]>
workspace_locking_timeout: 300
# rc_succeeded: [0, -2, -3, ...]
# rc_failed: [-2, -3, ...]
adom: <your own value>
state: present # <value in [present, absent]>
webfilter_profile:
comment: <string>
extended_log: <value in [disable, enable]>
https_replacemsg: <value in [disable, enable]>
inspection_mode: <value in [proxy, flow-based, dns]>
log_all_url: <value in [disable, enable]>
name: <string>
options:
- block-invalid-url
- jscript
- js
- vbs
- unknown
- wf-referer
- https-scan
- intrinsic
- wf-cookie
- per-user-bwl
- activexfilter
- cookiefilter
- https-url-scan
- javafilter
- rangeblock
- contenttype-check
- per-user-bal
ovrd_perm:
- bannedword-override
- urlfilter-override
- fortiguard-wf-override
- contenttype-check-override
post_action: <value in [normal, comfort, block]>
replacemsg_group: <string>
web_content_log: <value in [disable, enable]>
web_extended_all_action_log: <value in [disable, enable]>
web_filter_activex_log: <value in [disable, enable]>
web_filter_applet_log: <value in [disable, enable]>
web_filter_command_block_log: <value in [disable, enable]>
web_filter_cookie_log: <value in [disable, enable]>
web_filter_cookie_removal_log: <value in [disable, enable]>
web_filter_js_log: <value in [disable, enable]>
web_filter_jscript_log: <value in [disable, enable]>
web_filter_referer_log: <value in [disable, enable]>
web_filter_unknown_log: <value in [disable, enable]>
web_filter_vbs_log: <value in [disable, enable]>
web_ftgd_err_log: <value in [disable, enable]>
web_ftgd_quota_usage: <value in [disable, enable]>
web_invalid_domain_log: <value in [disable, enable]>
web_url_log: <value in [disable, enable]>
wisp: <value in [disable, enable]>
wisp_algorithm: <value in [auto-learning, primary-secondary, round-robin]>
wisp_servers: <list or string>
youtube_channel_filter:
-
channel_id: <string>
comment: <string>
id: <integer>
youtube_channel_status: <value in [disable, blacklist, whitelist]>
feature_set: <value in [proxy, flow]>
web_antiphishing_log: <value in [disable, enable]>
antiphish:
check_basic_auth: <value in [disable, enable]>
check_uri: <value in [disable, enable]>
check_username_only: <value in [disable, enable]>
custom_patterns:
-
category: <value in [username, password]>
pattern: <string>
type: <value in [regex, literal]>
default_action: <value in [log, block, exempt]>
domain_controller: <string>
inspection_entries:
-
action: <value in [log, block, exempt]>
fortiguard_category: <list or string>
name: <string>
max_body_len: <integer>
status: <value in [disable, enable]>
authentication: <value in [domain-controller, ldap]>
ldap: <string>
ftgd_wf:
exempt_quota: <list or string>
filters:
-
action: <value in [block, monitor, warning, ...]>
auth_usr_grp: <list or string>
category: <string>
id: <integer>
log: <value in [disable, enable]>
override_replacemsg: <string>
warn_duration: <string>
warning_duration_type: <value in [session, timeout]>
warning_prompt: <value in [per-domain, per-category]>
max_quota_timeout: <integer>
options:
- error-allow
- http-err-detail
- rate-image-urls
- strict-blocking
- rate-server-ip
- redir-block
- connect-request-bypass
- log-all-url
- ftgd-disable
ovrd: <list or string>
quota:
-
category: <list or string>
duration: <string>
id: <integer>
override_replacemsg: <string>
type: <value in [time, traffic]>
unit: <value in [B, KB, MB, ...]>
value: <integer>
rate_crl_urls: <value in [disable, enable]>
rate_css_urls: <value in [disable, enable]>
rate_image_urls: <value in [disable, enable]>
rate_javascript_urls: <value in [disable, enable]>
category_override: <string>
override:
ovrd_cookie: <value in [deny, allow]>
ovrd_dur: <string>
ovrd_dur_mode: <value in [constant, ask]>
ovrd_scope: <value in [user, user-group, ip, ...]>
ovrd_user_group: <list or string>
profile: <list or string>
profile_attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
profile_type: <value in [list, radius]>
url_extraction:
redirect_header: <string>
redirect_no_content: <value in [disable, enable]>
redirect_url: <string>
server_fqdn: <string>
status: <value in [disable, enable]>
web:
blacklist: <value in [disable, enable]>
bword_table: <string>
bword_threshold: <integer>
content_header_list: <string>
keyword_match: <list or string>
log_search: <value in [disable, enable]>
safe_search:
- google
- yahoo
- bing
- url
- header
urlfilter_table: <string>
whitelist:
- exempt-av
- exempt-webcontent
- exempt-activex-java-cookie
- exempt-dlp
- exempt-rangeblock
- extended-log-others
youtube_restrict: <value in [strict, none, moderate]>
allowlist:
- exempt-av
- exempt-webcontent
- exempt-activex-java-cookie
- exempt-dlp
- exempt-rangeblock
- extended-log-others
blocklist: <value in [disable, enable]>
vimeo_restrict: <string>
file_filter:
entries:
-
action: <value in [log, block]>
comment: <string>
direction: <value in [any, incoming, outgoing]>
encryption: <value in [any, yes]>
file_type: <list or string>
filter: <string>
password_protected: <value in [any, yes]>
protocol:
- http
- ftp
log: <value in [disable, enable]>
scan_archive_contents: <value in [disable, enable]>
status: <value in [disable, enable]>
web_flow_log_encoding: <value in [utf-8, punycode]>
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The result of the request. Returned: always |
|
The full url requested. Returned: always Sample: |
|
The status of api request. Returned: always Sample: |
|
The api response. Returned: always |
|
The descriptive message of the api response. Returned: always Sample: |
|
The information of the target system. Returned: always |
|
The status the request. Returned: always Sample: |
|
Warning if the parameters used in the playbook are not supported by the current FortiManager version. Returned: complex |