fortios_waf_profile – Web application firewall configuration in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify waf feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
- / required
FortiOS or FortiGate ip address.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol
password
-
Default:
""
FortiOS or FortiGate password.
username
- / required
FortiOS or FortiGate username.
vdom
-
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
waf_profile
-
Default:
null
Web application firewall configuration.
address-list
-
Black address list and white address list.
blocked-address
-
Blocked address.
name
- / required
Address name. Source firewall.address.name firewall.addrgrp.name.
blocked-log
-
    Choices:
  • enable
  • disable
Enable/disable logging on blocked addresses.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Status.
trusted-address
-
Trusted address.
name
- / required
Address name. Source firewall.address.name firewall.addrgrp.name.
comment
-
Comment.
constraint
-
WAF HTTP protocol restrictions.
content-length
-
HTTP content length in request.
action
-
    Choices:
  • allow
  • block
Action.
length
-
Length of HTTP content in bytes (0 to 2147483647).
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
exception
-
HTTP constraint exception.
address
-
Host address. Source firewall.address.name firewall.addrgrp.name.
content-length
-
    Choices:
  • enable
  • disable
HTTP content length in request.
header-length
-
    Choices:
  • enable
  • disable
HTTP header length in request.
hostname
-
    Choices:
  • enable
  • disable
Enable/disable hostname check.
id
- / required
Exception ID.
line-length
-
    Choices:
  • enable
  • disable
HTTP line length in request.
malformed
-
    Choices:
  • enable
  • disable
Enable/disable malformed HTTP request check.
max-cookie
-
    Choices:
  • enable
  • disable
Maximum number of cookies in HTTP request.
max-header-line
-
    Choices:
  • enable
  • disable
Maximum number of HTTP header line.
max-range-segment
-
    Choices:
  • enable
  • disable
Maximum number of range segments in HTTP range line.
max-url-param
-
    Choices:
  • enable
  • disable
Maximum number of parameters in URL.
method
-
    Choices:
  • enable
  • disable
Enable/disable HTTP method check.
param-length
-
    Choices:
  • enable
  • disable
Maximum length of parameter in URL, HTTP POST request or HTTP body.
pattern
-
URL pattern.
regex
-
    Choices:
  • enable
  • disable
Enable/disable regular expression based pattern match.
url-param-length
-
    Choices:
  • enable
  • disable
Maximum length of parameter in URL.
version
-
    Choices:
  • enable
  • disable
Enable/disable HTTP version check.
header-length
-
HTTP header length in request.
action
-
    Choices:
  • allow
  • block
Action.
length
-
Length of HTTP header in bytes (0 to 2147483647).
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
hostname
-
Enable/disable hostname check.
action
-
    Choices:
  • allow
  • block
Action.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
line-length
-
HTTP line length in request.
action
-
    Choices:
  • allow
  • block
Action.
length
-
Length of HTTP line in bytes (0 to 2147483647).
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
malformed
-
Enable/disable malformed HTTP request check.
action
-
    Choices:
  • allow
  • block
Action.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
max-cookie
-
Maximum number of cookies in HTTP request.
action
-
    Choices:
  • allow
  • block
Action.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
max-cookie
-
Maximum number of cookies in HTTP request (0 to 2147483647).
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
max-header-line
-
Maximum number of HTTP header line.
action
-
    Choices:
  • allow
  • block
Action.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
max-header-line
-
Maximum number HTTP header lines (0 to 2147483647).
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
max-range-segment
-
Maximum number of range segments in HTTP range line.
action
-
    Choices:
  • allow
  • block
Action.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
max-range-segment
-
Maximum number of range segments in HTTP range line (0 to 2147483647).
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
max-url-param
-
Maximum number of parameters in URL.
action
-
    Choices:
  • allow
  • block
Action.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
max-url-param
-
Maximum number of parameters in URL (0 to 2147483647).
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
method
-
Enable/disable HTTP method check.
action
-
    Choices:
  • allow
  • block
Action.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
param-length
-
Maximum length of parameter in URL, HTTP POST request or HTTP body.
action
-
    Choices:
  • allow
  • block
Action.
length
-
Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647).
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
url-param-length
-
Maximum length of parameter in URL.
action
-
    Choices:
  • allow
  • block
Action.
length
-
Maximum length of URL parameter in bytes (0 to 2147483647).
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
version
-
Enable/disable HTTP version check.
action
-
    Choices:
  • allow
  • block
Action.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Enable/disable the constraint.
extended-log
-
    Choices:
  • enable
  • disable
Enable/disable extended logging.
external
-
    Choices:
  • disable
  • enable
Disable/Enable external HTTP Inspection.
method
-
Method restriction.
default-allowed-methods
-
    Choices:
  • get
  • post
  • put
  • head
  • connect
  • trace
  • options
  • delete
  • others
Methods.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
method-policy
-
HTTP method policy.
address
-
Host address. Source firewall.address.name firewall.addrgrp.name.
allowed-methods
-
    Choices:
  • get
  • post
  • put
  • head
  • connect
  • trace
  • options
  • delete
  • others
Allowed Methods.
id
- / required
HTTP method policy ID.
pattern
-
URL pattern.
regex
-
    Choices:
  • enable
  • disable
Enable/disable regular expression based pattern match.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Status.
name
- / required
WAF Profile name.
signature
-
WAF signatures.
credit-card-detection-threshold
-
The minimum number of Credit cards to detect violation.
custom-signature
-
Custom signature.
action
-
    Choices:
  • allow
  • block
  • erase
Action.
case-sensitivity
-
    Choices:
  • disable
  • enable
Case sensitivity in pattern.
direction
-
    Choices:
  • request
  • response
Traffic direction.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
name
- / required
Signature name.
pattern
-
Match pattern.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Status.
target
-
    Choices:
  • arg
  • arg-name
  • req-body
  • req-cookie
  • req-cookie-name
  • req-filename
  • req-header
  • req-header-name
  • req-raw-uri
  • req-uri
  • resp-body
  • resp-hdr
  • resp-status
Match HTTP target.
disabled-signature
-
Disabled signatures
id
- / required
Signature ID. Source waf.signature.id.
disabled-sub-class
-
Disabled signature subclasses.
id
- / required
Signature subclass ID. Source waf.sub-class.id.
main-class
-
Main signature class.
action
-
    Choices:
  • allow
  • block
  • erase
Action.
id
- / required
Main signature class ID. Source waf.main-class.id.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.
status
-
    Choices:
  • enable
  • disable
Status.
state
-
    Choices:
  • present
  • absent
Indicates whether to create or remove the object
url-access
-
URL access list
access-pattern
-
URL access pattern.
id
- / required
URL access pattern ID.
negate
-
    Choices:
  • enable
  • disable
Enable/disable match negation.
pattern
-
URL pattern.
regex
-
    Choices:
  • enable
  • disable
Enable/disable regular expression based pattern match.
srcaddr
-
Source address. Source firewall.address.name firewall.addrgrp.name.
action
-
    Choices:
  • bypass
  • permit
  • block
Action.
address
-
Host address. Source firewall.address.name firewall.addrgrp.name.
id
- / required
URL access ID.
log
-
    Choices:
  • enable
  • disable
Enable/disable logging.
severity
-
    Choices:
  • high
  • medium
  • low
Severity.

Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Web application firewall configuration.
    fortios_waf_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      waf_profile:
        state: "present"
        address-list:
            blocked-address:
             -
                name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
            blocked-log: "enable"
            severity: "high"
            status: "enable"
            trusted-address:
             -
                name: "default_name_10 (source firewall.address.name firewall.addrgrp.name)"
        comment: "Comment."
        constraint:
            content-length:
                action: "allow"
                length: "15"
                log: "enable"
                severity: "high"
                status: "enable"
            exception:
             -
                address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                content-length: "enable"
                header-length: "enable"
                hostname: "enable"
                id:  "24"
                line-length: "enable"
                malformed: "enable"
                max-cookie: "enable"
                max-header-line: "enable"
                max-range-segment: "enable"
                max-url-param: "enable"
                method: "enable"
                param-length: "enable"
                pattern: "<your_own_value>"
                regex: "enable"
                url-param-length: "enable"
                version: "enable"
            header-length:
                action: "allow"
                length: "39"
                log: "enable"
                severity: "high"
                status: "enable"
            hostname:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
            line-length:
                action: "allow"
                length: "50"
                log: "enable"
                severity: "high"
                status: "enable"
            malformed:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
            max-cookie:
                action: "allow"
                log: "enable"
                max-cookie: "62"
                severity: "high"
                status: "enable"
            max-header-line:
                action: "allow"
                log: "enable"
                max-header-line: "68"
                severity: "high"
                status: "enable"
            max-range-segment:
                action: "allow"
                log: "enable"
                max-range-segment: "74"
                severity: "high"
                status: "enable"
            max-url-param:
                action: "allow"
                log: "enable"
                max-url-param: "80"
                severity: "high"
                status: "enable"
            method:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
            param-length:
                action: "allow"
                length: "90"
                log: "enable"
                severity: "high"
                status: "enable"
            url-param-length:
                action: "allow"
                length: "96"
                log: "enable"
                severity: "high"
                status: "enable"
            version:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
        extended-log: "enable"
        external: "disable"
        method:
            default-allowed-methods: "get"
            log: "enable"
            method-policy:
             -
                address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                allowed-methods: "get"
                id:  "113"
                pattern: "<your_own_value>"
                regex: "enable"
            severity: "high"
            status: "enable"
        name: "default_name_118"
        signature:
            credit-card-detection-threshold: "120"
            custom-signature:
             -
                action: "allow"
                case-sensitivity: "disable"
                direction: "request"
                log: "enable"
                name: "default_name_126"
                pattern: "<your_own_value>"
                severity: "high"
                status: "enable"
                target: "arg"
            disabled-signature:
             -
                id:  "132 (source waf.signature.id)"
            disabled-sub-class:
             -
                id:  "134 (source waf.sub-class.id)"
            main-class:
             -
                action: "allow"
                id:  "137 (source waf.main-class.id)"
                log: "enable"
                severity: "high"
                status: "enable"
        url-access:
         -
            access-pattern:
             -
                id:  "143"
                negate: "enable"
                pattern: "<your_own_value>"
                regex: "enable"
                srcaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
            action: "bypass"
            address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
            id:  "150"
            log: "enable"
            severity: "high"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.