fortinet.fortimanager.fmgr_webfilter_profile – Configure Web filter profiles.

Note

This plugin is part of the fortinet.fortimanager collection (version 2.1.3).

To install it use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_webfilter_profile.

New in version 2.10: of fortinet.fortimanager

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter Choices/Defaults Comments
adom
string / required
The adom parameter in the requested URL.
bypass_validation
boolean
    Choices:
  • no ←
  • yes
Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.
enable_log
boolean
    Choices:
  • no ←
  • yes
Enable/Disable logging for task
proposed_method
string
    Choices:
  • update
  • set
  • add
The overridden method for the underlying JSON-RPC request.
rc_failed
list / elements=string
The list of rc codes that override the conditions to fail.
rc_succeeded
list / elements=string
The list of rc codes that override the conditions to succeed.
state
string / required
    Choices:
  • present
  • absent
the directive to create, update or delete an object
webfilter_profile
dictionary
the top level parameters set
antiphish
dictionary
no description
authentication
string
    Choices:
  • domain-controller
  • ldap
Authentication methods.
check-basic-auth
string
    Choices:
  • disable
  • enable
Enable/disable checking of HTTP Basic Auth field for known credentials.
check-uri
string
    Choices:
  • disable
  • enable
Enable/disable checking of GET URI parameters for known credentials.
check-username-only
string
    Choices:
  • disable
  • enable
Enable/disable acting only on valid username credentials. Action will be taken for valid usernames regardless of passw...
custom-patterns
list / elements=string
no description
category
string
    Choices:
  • username
  • password
Category that the pattern matches.
pattern
string
Target pattern.
type
string
    Choices:
  • regex
  • literal
Pattern will be treated either as a regex pattern or literal string.
default-action
string
    Choices:
  • log
  • block
  • exempt
Action to be taken when there is no matching rule.
domain-controller
string
Domain for which to verify received credentials against.
inspection-entries
list / elements=string
no description
action
string
    Choices:
  • log
  • block
  • exempt
Action to be taken upon an AntiPhishing match.
fortiguard-category
string
no description
name
string
Inspection target name.
ldap
string
LDAP server for which to verify received credentials against.
max-body-len
integer
Maximum size of a POST body to check for credentials.
status
string
    Choices:
  • disable
  • enable
Toggle AntiPhishing functionality.
comment
string
Optional comments.
extended-log
string
    Choices:
  • disable
  • enable
Enable/disable extended logging for web filtering.
feature-set
string
    Choices:
  • proxy
  • flow
Flow/proxy feature set.
ftgd-wf
dictionary
no description
exempt-quota
string
Do not stop quota for these categories.
filters
list / elements=string
no description
action
string
    Choices:
  • block
  • monitor
  • warning
  • authenticate
Action to take for matches.
auth-usr-grp
string
Groups with permission to authenticate.
category
string
Categories and groups the filter examines.
id
integer
ID number.
log
string
    Choices:
  • disable
  • enable
Enable/disable logging.
override-replacemsg
string
Override replacement message.
warn-duration
string
Duration of warnings.
warning-duration-type
string
    Choices:
  • session
  • timeout
Re-display warning after closing browser or after a timeout.
warning-prompt
string
    Choices:
  • per-domain
  • per-category
Warning prompts in each category or each domain.
max-quota-timeout
integer
Maximum FortiGuard quota used by single page view in seconds (excludes streams).
options
list / elements=string
    Choices:
  • error-allow
  • http-err-detail
  • rate-image-urls
  • strict-blocking
  • rate-server-ip
  • redir-block
  • connect-request-bypass
  • log-all-url
  • ftgd-disable
no description
ovrd
string
Allow web filter profile overrides.
quota
list / elements=string
no description
category
string
FortiGuard categories to apply quota to (category action must be set to monitor).
duration
string
Duration of quota.
id
integer
ID number.
override-replacemsg
string
Override replacement message.
type
string
    Choices:
  • time
  • traffic
Quota type.
unit
string
    Choices:
  • B
  • KB
  • MB
  • GB
Traffic quota unit of measurement.
value
integer
Traffic quota value.
rate-crl-urls
string
    Choices:
  • disable
  • enable
Enable/disable rating CRL by URL.
rate-css-urls
string
    Choices:
  • disable
  • enable
Enable/disable rating CSS by URL.
rate-image-urls
string
    Choices:
  • disable
  • enable
no description
rate-javascript-urls
string
    Choices:
  • disable
  • enable
Enable/disable rating JavaScript by URL.
https-replacemsg
string
    Choices:
  • disable
  • enable
Enable replacement messages for HTTPS.
inspection-mode
string
    Choices:
  • proxy
  • flow-based
  • dns
Web filtering inspection mode.
log-all-url
string
    Choices:
  • disable
  • enable
Enable/disable logging all URLs visited.
name
string
Profile name.
options
list / elements=string
    Choices:
  • block-invalid-url
  • jscript
  • js
  • vbs
  • unknown
  • wf-referer
  • https-scan
  • intrinsic
  • wf-cookie
  • per-user-bwl
  • activexfilter
  • cookiefilter
  • https-url-scan
  • javafilter
  • rangeblock
  • contenttype-check
  • per-user-bal
no description
override
dictionary
no description
ovrd-cookie
string
    Choices:
  • deny
  • allow
Allow/deny browser-based (cookie) overrides.
ovrd-dur
string
Override duration.
ovrd-dur-mode
string
    Choices:
  • constant
  • ask
Override duration mode.
ovrd-scope
string
    Choices:
  • user
  • user-group
  • ip
  • ask
  • browser
Override scope.
ovrd-user-group
string
User groups with permission to use the override.
profile
string
Web filter profile with permission to create overrides.
profile-attribute
string
    Choices:
  • User-Name
  • User-Password
  • CHAP-Password
  • NAS-IP-Address
  • NAS-Port
  • Service-Type
  • Framed-Protocol
  • Framed-IP-Address
  • Framed-IP-Netmask
  • Framed-Routing
  • Filter-Id
  • Framed-MTU
  • Framed-Compression
  • Login-IP-Host
  • Login-Service
  • Login-TCP-Port
  • Reply-Message
  • Callback-Number
  • Callback-Id
  • Framed-Route
  • Framed-IPX-Network
  • State
  • Class
  • Vendor-Specific
  • Session-Timeout
  • Idle-Timeout
  • Termination-Action
  • Called-Station-Id
  • Calling-Station-Id
  • NAS-Identifier
  • Proxy-State
  • Login-LAT-Service
  • Login-LAT-Node
  • Login-LAT-Group
  • Framed-AppleTalk-Link
  • Framed-AppleTalk-Network
  • Framed-AppleTalk-Zone
  • Acct-Status-Type
  • Acct-Delay-Time
  • Acct-Input-Octets
  • Acct-Output-Octets
  • Acct-Session-Id
  • Acct-Authentic
  • Acct-Session-Time
  • Acct-Input-Packets
  • Acct-Output-Packets
  • Acct-Terminate-Cause
  • Acct-Multi-Session-Id
  • Acct-Link-Count
  • CHAP-Challenge
  • NAS-Port-Type
  • Port-Limit
  • Login-LAT-Port
Profile attribute to retrieve from the RADIUS server.
profile-type
string
    Choices:
  • list
  • radius
Override profile type.
ovrd-perm
list / elements=string
    Choices:
  • bannedword-override
  • urlfilter-override
  • fortiguard-wf-override
  • contenttype-check-override
no description
post-action
string
    Choices:
  • normal
  • comfort
  • block
Action taken for HTTP POST traffic.
replacemsg-group
string
Replacement message group.
url-extraction
dictionary
no description
redirect-header
string
HTTP header name to use for client redirect on blocked requests
redirect-no-content
string
    Choices:
  • disable
  • enable
Enable / Disable empty message-body entity in HTTP response
redirect-url
string
HTTP header value to use for client redirect on blocked requests
server-fqdn
string
URL extraction server FQDN (fully qualified domain name)
status
string
    Choices:
  • disable
  • enable
Enable URL Extraction
web
dictionary
no description
allowlist
list / elements=string
    Choices:
  • exempt-av
  • exempt-webcontent
  • exempt-activex-java-cookie
  • exempt-dlp
  • exempt-rangeblock
  • extended-log-others
no description
blacklist
string
    Choices:
  • disable
  • enable
Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
blocklist
string
    Choices:
  • disable
  • enable
Enable/disable automatic addition of URLs detected by FortiSandbox to blocklist.
bword-table
string
Banned word table ID.
bword-threshold
integer
Banned word score threshold.
content-header-list
string
Content header list.
keyword-match
string
no description
log-search
string
    Choices:
  • disable
  • enable
Enable/disable logging all search phrases.
safe-search
list / elements=string
    Choices:
  • google
  • yahoo
  • bing
  • url
  • header
no description
urlfilter-table
string
URL filter table ID.
whitelist
list / elements=string
    Choices:
  • exempt-av
  • exempt-webcontent
  • exempt-activex-java-cookie
  • exempt-dlp
  • exempt-rangeblock
  • extended-log-others
no description
youtube-restrict
string
    Choices:
  • strict
  • none
  • moderate
YouTube EDU filter level.
web-antiphishing-log
string
    Choices:
  • disable
  • enable
Enable/disable logging of AntiPhishing checks.
web-content-log
string
    Choices:
  • disable
  • enable
Enable/disable logging blocked web content.
web-extended-all-action-log
string
    Choices:
  • disable
  • enable
Enable/disable extended any filter action logging for web filtering.
web-filter-activex-log
string
    Choices:
  • disable
  • enable
Enable/disable logging ActiveX.
web-filter-applet-log
string
    Choices:
  • disable
  • enable
Enable/disable logging Java applets.
web-filter-command-block-log
string
    Choices:
  • disable
  • enable
Enable/disable logging blocked commands.
web-filter-cookie-log
string
    Choices:
  • disable
  • enable
Enable/disable logging cookie filtering.
web-filter-cookie-removal-log
string
    Choices:
  • disable
  • enable
Enable/disable logging blocked cookies.
web-filter-js-log
string
    Choices:
  • disable
  • enable
Enable/disable logging Java scripts.
web-filter-jscript-log
string
    Choices:
  • disable
  • enable
Enable/disable logging JScripts.
web-filter-referer-log
string
    Choices:
  • disable
  • enable
Enable/disable logging referrers.
web-filter-unknown-log
string
    Choices:
  • disable
  • enable
Enable/disable logging unknown scripts.
web-filter-vbs-log
string
    Choices:
  • disable
  • enable
Enable/disable logging VBS scripts.
web-ftgd-err-log
string
    Choices:
  • disable
  • enable
Enable/disable logging rating errors.
web-ftgd-quota-usage
string
    Choices:
  • disable
  • enable
Enable/disable logging daily quota usage.
web-invalid-domain-log
string
    Choices:
  • disable
  • enable
Enable/disable logging invalid domain names.
web-url-log
string
    Choices:
  • disable
  • enable
Enable/disable logging URL filtering.
wisp
string
    Choices:
  • disable
  • enable
Enable/disable web proxy WISP.
wisp-algorithm
string
    Choices:
  • auto-learning
  • primary-secondary
  • round-robin
WISP server selection algorithm.
wisp-servers
string
WISP servers.
youtube-channel-filter
list / elements=string
no description
channel-id
string
YouTube channel ID to be filtered.
comment
string
Comment.
id
integer
ID.
youtube-channel-status
string
    Choices:
  • disable
  • blacklist
  • whitelist
YouTube channel filter status.
workspace_locking_adom
string
the adom to lock for FortiManager running in workspace mode, the value can be global and others including root
workspace_locking_timeout
integer
Default:
300
The maximum time in seconds to wait for another user to release the workspace lock.

Notes

  • Workspace locking mode is supported by this FortiManager module; the top-level parameters workspace_locking_adom and workspace_locking_timeout control it.

  • To create or update an object, use state present directive.

  • To delete an object, use state absent directive.

  • Normally, running a module can fail when a non-zero rc is returned. You can also override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.

Examples

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure Web filter profiles.
     fmgr_webfilter_profile:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        adom: <your own value>
        state: <value in [present, absent]>
        webfilter_profile:
           comment: <value of string>
           extended-log: <value in [disable, enable]>
           https-replacemsg: <value in [disable, enable]>
           inspection-mode: <value in [proxy, flow-based, dns]>
           log-all-url: <value in [disable, enable]>
           name: <value of string>
           options:
             - block-invalid-url
             - jscript
             - js
             - vbs
             - unknown
             - wf-referer
             - https-scan
             - intrinsic
             - wf-cookie
             - per-user-bwl
             - activexfilter
             - cookiefilter
             - https-url-scan
             - javafilter
             - rangeblock
             - contenttype-check
             - per-user-bal
           ovrd-perm:
             - bannedword-override
             - urlfilter-override
             - fortiguard-wf-override
             - contenttype-check-override
           post-action: <value in [normal, comfort, block]>
           replacemsg-group: <value of string>
           web-content-log: <value in [disable, enable]>
           web-extended-all-action-log: <value in [disable, enable]>
           web-filter-activex-log: <value in [disable, enable]>
           web-filter-applet-log: <value in [disable, enable]>
           web-filter-command-block-log: <value in [disable, enable]>
           web-filter-cookie-log: <value in [disable, enable]>
           web-filter-cookie-removal-log: <value in [disable, enable]>
           web-filter-js-log: <value in [disable, enable]>
           web-filter-jscript-log: <value in [disable, enable]>
           web-filter-referer-log: <value in [disable, enable]>
           web-filter-unknown-log: <value in [disable, enable]>
           web-filter-vbs-log: <value in [disable, enable]>
           web-ftgd-err-log: <value in [disable, enable]>
           web-ftgd-quota-usage: <value in [disable, enable]>
           web-invalid-domain-log: <value in [disable, enable]>
           web-url-log: <value in [disable, enable]>
           wisp: <value in [disable, enable]>
           wisp-algorithm: <value in [auto-learning, primary-secondary, round-robin]>
           wisp-servers: <value of string>
           youtube-channel-filter:
             -
                 channel-id: <value of string>
                 comment: <value of string>
                 id: <value of integer>
           youtube-channel-status: <value in [disable, blacklist, whitelist]>
           feature-set: <value in [proxy, flow]>
           web-antiphishing-log: <value in [disable, enable]>
           antiphish:
              check-basic-auth: <value in [disable, enable]>
              check-uri: <value in [disable, enable]>
              check-username-only: <value in [disable, enable]>
              custom-patterns:
                -
                    category: <value in [username, password]>
                    pattern: <value of string>
                    type: <value in [regex, literal]>
              default-action: <value in [log, block, exempt]>
              domain-controller: <value of string>
              inspection-entries:
                -
                    action: <value in [log, block, exempt]>
                    fortiguard-category: <value of string>
                    name: <value of string>
              max-body-len: <value of integer>
              status: <value in [disable, enable]>
              authentication: <value in [domain-controller, ldap]>
              ldap: <value of string>
           ftgd-wf:
              exempt-quota: <value of string>
              filters:
                -
                    action: <value in [block, monitor, warning, ...]>
                    auth-usr-grp: <value of string>
                    category: <value of string>
                    id: <value of integer>
                    log: <value in [disable, enable]>
                    override-replacemsg: <value of string>
                    warn-duration: <value of string>
                    warning-duration-type: <value in [session, timeout]>
                    warning-prompt: <value in [per-domain, per-category]>
              max-quota-timeout: <value of integer>
              options:
                - error-allow
                - http-err-detail
                - rate-image-urls
                - strict-blocking
                - rate-server-ip
                - redir-block
                - connect-request-bypass
                - log-all-url
                - ftgd-disable
              ovrd: <value of string>
              quota:
                -
                    category: <value of string>
                    duration: <value of string>
                    id: <value of integer>
                    override-replacemsg: <value of string>
                    type: <value in [time, traffic]>
                    unit: <value in [B, KB, MB, ...]>
                    value: <value of integer>
              rate-crl-urls: <value in [disable, enable]>
              rate-css-urls: <value in [disable, enable]>
              rate-image-urls: <value in [disable, enable]>
              rate-javascript-urls: <value in [disable, enable]>
           override:
              ovrd-cookie: <value in [deny, allow]>
              ovrd-dur: <value of string>
              ovrd-dur-mode: <value in [constant, ask]>
              ovrd-scope: <value in [user, user-group, ip, ...]>
              ovrd-user-group: <value of string>
              profile: <value of string>
              profile-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
              profile-type: <value in [list, radius]>
           url-extraction:
              redirect-header: <value of string>
              redirect-no-content: <value in [disable, enable]>
              redirect-url: <value of string>
              server-fqdn: <value of string>
              status: <value in [disable, enable]>
           web:
              blacklist: <value in [disable, enable]>
              bword-table: <value of string>
              bword-threshold: <value of integer>
              content-header-list: <value of string>
              keyword-match: <value of string>
              log-search: <value in [disable, enable]>
              safe-search:
                - google
                - yahoo
                - bing
                - url
                - header
              urlfilter-table: <value of string>
              whitelist:
                - exempt-av
                - exempt-webcontent
                - exempt-activex-java-cookie
                - exempt-dlp
                - exempt-rangeblock
                - extended-log-others
              youtube-restrict: <value in [strict, none, moderate]>
              allowlist:
                - exempt-av
                - exempt-webcontent
                - exempt-activex-java-cookie
                - exempt-dlp
                - exempt-rangeblock
                - extended-log-others
              blocklist: <value in [disable, enable]>
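
A filled-in version of the template above, added here as an example and not taken from the fortinet.fortimanager collection: it creates one profile with AntiPhishing credential checks and the related logging enabled, and it keeps certificate validation on for the httpapi connection. The ADOM `root`, the profile name, the LDAP server object `corp-ldap`, the inspection entry name and the FortiGuard category value are assumptions to replace with your own.

```yaml
- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    # Verify the FortiManager certificate; its CA must be trusted on the control node.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
    # Assumed values for this example, replace with your own.
    target_adom: root
    ldap_server: corp-ldap      # hypothetical LDAP server object name
    inspect_category: "61"      # hypothetical FortiGuard category value
  tasks:
    - name: Create a web filter profile with AntiPhishing checks and logging
      fmgr_webfilter_profile:
        bypass_validation: false          # keep schema validation of the parameters
        adom: "{{ target_adom }}"
        state: present
        webfilter_profile:
          name: wf-antiphish-example      # hypothetical profile name
          comment: Example profile with credential-submission checks
          feature-set: proxy
          extended-log: enable
          web-url-log: enable
          web-antiphishing-log: enable    # log every AntiPhishing check
          antiphish:
            status: enable
            authentication: ldap
            ldap: "{{ ldap_server }}"     # server the received credentials are verified against
            check-basic-auth: enable      # inspect the HTTP Basic Auth field
            check-uri: enable             # inspect GET URI parameters
            check-username-only: disable
            default-action: log           # no matching rule: record, do not block
            inspection-entries:
              - name: inspect-logins      # hypothetical entry name
                fortiguard-category: "{{ inspect_category }}"
                action: block             # block on an AntiPhishing match
      register: result

    - name: Show the returned request_url, response_code and response_message
      debug:
        var: result
```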

Return Values

Common return values are documented here; the following fields are unique to this module:

Key Returned Description
request_url
string
always
The full url requested

Sample:
/sys/login/user
response_code
integer
always
The status of the API request

response_message
string
always
The descriptive message of the api response

Sample:
OK.


Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)