Try SpotterManage web filter security profiles in FortiManager
Authors: Luke Weighall (@lweighall), Andrew Welsh (@Ghilli3), Jim Huber (@p4r4n0y1ng)
preview | supported by community
Install with ansible-galaxy collection install community.general:==0.1.1
collections:
- name: community.general
version: 0.1.1Manage web filter security profiles in FortiManager through playbooks using the FMG API
- name: DELETE Profile
fmgr_secprof_web:
name: "Ansible_Web_Filter_Profile"
mode: "delete"
- name: CREATE Profile
fmgr_secprof_web:
name: "Ansible_Web_Filter_Profile"
comment: "Created by Ansible Module TEST"
mode: "set"
extended_log: "enable"
inspection_mode: "proxy"
log_all_url: "enable"
options: "js"
ovrd_perm: "bannedword-override"
post_action: "block"
web_content_log: "enable"
web_extended_all_action_log: "enable"
web_filter_activex_log: "enable"
web_filter_applet_log: "enable"
web_filter_command_block_log: "enable"
web_filter_cookie_log: "enable"
web_filter_cookie_removal_log: "enable"
web_filter_js_log: "enable"
web_filter_jscript_log: "enable"
web_filter_referer_log: "enable"
web_filter_unknown_log: "enable"
web_filter_vbs_log: "enable"
web_ftgd_err_log: "enable"
web_ftgd_quota_usage: "enable"
web_invalid_domain_log: "enable"
web_url_log: "enable"
wisp: "enable"
wisp_algorithm: "auto-learning"
youtube_channel_status: "blacklist"
web:
description:
- EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
- List of multiple child objects to be added. Expects a list of dictionaries.
- Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
- If submitted, all other prefixed sub-parameters ARE IGNORED.
- This object is MUTUALLY EXCLUSIVE with its options.
- We expect that you know what you are doing with these list parameters, and are leveraging
the JSON API Guide.
- WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
TASKS
required: false
adom:
default: root
description:
- The ADOM the configuration should belong to.
required: false
mode:
choices:
- add
- set
- delete
- update
default: add
description:
- Sets one of three modes for managing the object.
- Allows use of soft-adds instead of overwriting existing values
required: false
name:
description:
- Profile name.
required: false
wisp:
choices:
- disable
- enable
description:
- Enable/disable web proxy WISP.
- choice | disable | Disable web proxy WISP.
- choice | enable | Enable web proxy WISP.
required: false
comment:
description:
- Optional comments.
required: false
ftgd_wf:
description:
- EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
- List of multiple child objects to be added. Expects a list of dictionaries.
- Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
- If submitted, all other prefixed sub-parameters ARE IGNORED.
- This object is MUTUALLY EXCLUSIVE with its options.
- We expect that you know what you are doing with these list parameters, and are leveraging
the JSON API Guide.
- WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
TASKS
required: false
options:
choices:
- block-invalid-url
- jscript
- js
- vbs
- unknown
- wf-referer
- intrinsic
- wf-cookie
- per-user-bwl
- activexfilter
- cookiefilter
- javafilter
description:
- FLAG Based Options. Specify multiple in list form.
- flag | block-invalid-url | Block sessions contained an invalid domain name.
- flag | jscript | Javascript block.
- flag | js | JS block.
- flag | vbs | VB script block.
- flag | unknown | Unknown script block.
- flag | wf-referer | Referring block.
- flag | intrinsic | Intrinsic script block.
- flag | wf-cookie | Cookie block.
- flag | per-user-bwl | Per-user black/white list filter
- flag | activexfilter | ActiveX filter.
- flag | cookiefilter | Cookie filter.
- flag | javafilter | Java applet filter.
required: false
override:
description:
- EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
- List of multiple child objects to be added. Expects a list of dictionaries.
- Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
- If submitted, all other prefixed sub-parameters ARE IGNORED.
- This object is MUTUALLY EXCLUSIVE with its options.
- We expect that you know what you are doing with these list parameters, and are leveraging
the JSON API Guide.
- WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
TASKS
required: false
ovrd_perm:
choices:
- bannedword-override
- urlfilter-override
- fortiguard-wf-override
- contenttype-check-override
description:
- FLAG Based Options. Specify multiple in list form.
- flag | bannedword-override | Banned word override.
- flag | urlfilter-override | URL filter override.
- flag | fortiguard-wf-override | FortiGuard Web Filter override.
- flag | contenttype-check-override | Content-type header override.
required: false
log_all_url:
choices:
- disable
- enable
description:
- Enable/disable logging all URLs visited.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
post_action:
choices:
- normal
- block
description:
- Action taken for HTTP POST traffic.
- choice | normal | Normal, POST requests are allowed.
- choice | block | POST requests are blocked.
required: false
web_url_log:
choices:
- disable
- enable
description:
- Enable/disable logging URL filtering.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
extended_log:
choices:
- disable
- enable
description:
- Enable/disable extended logging for web filtering.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
ftgd_wf_ovrd:
description:
- Allow web filter profile overrides.
required: false
wisp_servers:
description:
- WISP servers.
required: false
web_blacklist:
choices:
- disable
- enable
description:
- Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
web_whitelist:
choices:
- exempt-av
- exempt-webcontent
- exempt-activex-java-cookie
- exempt-dlp
- exempt-rangeblock
- extended-log-others
description:
- FortiGuard whitelist settings.
- FLAG Based Options. Specify multiple in list form.
- flag | exempt-av | Exempt antivirus.
- flag | exempt-webcontent | Exempt web content.
- flag | exempt-activex-java-cookie | Exempt ActiveX-JAVA-Cookie.
- flag | exempt-dlp | Exempt DLP.
- flag | exempt-rangeblock | Exempt RangeBlock.
- flag | extended-log-others | Support extended log.
required: false
url_extraction:
description:
- EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
- List of multiple child objects to be added. Expects a list of dictionaries.
- Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
- If submitted, all other prefixed sub-parameters ARE IGNORED.
- This object is MUTUALLY EXCLUSIVE with its options.
- We expect that you know what you are doing with these list parameters, and are leveraging
the JSON API Guide.
- WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
TASKS
required: false
web_log_search:
choices:
- disable
- enable
description:
- Enable/disable logging all search phrases.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
wisp_algorithm:
choices:
- auto-learning
- primary-secondary
- round-robin
description:
- WISP server selection algorithm.
- choice | auto-learning | Select the lightest loading healthy server.
- choice | primary-secondary | Select the first healthy server in order.
- choice | round-robin | Select the next healthy server.
required: false
ftgd_wf_options:
choices:
- error-allow
- rate-server-ip
- connect-request-bypass
- ftgd-disable
description:
- Options for FortiGuard Web Filter.
- FLAG Based Options. Specify multiple in list form.
- flag | error-allow | Allow web pages with a rating error to pass through.
- flag | rate-server-ip | Rate the server IP in addition to the domain name.
- flag | connect-request-bypass | Bypass connection which has CONNECT request.
- flag | ftgd-disable | Disable FortiGuard scanning.
required: false
inspection_mode:
choices:
- proxy
- flow-based
description:
- Web filtering inspection mode.
- choice | proxy | Proxy.
- choice | flow-based | Flow based.
required: false
web_bword_table:
description:
- Banned word table ID.
required: false
web_content_log:
choices:
- disable
- enable
description:
- Enable/disable logging logging blocked web content.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
web_safe_search:
choices:
- url
- header
description:
- Safe search type.
- FLAG Based Options. Specify multiple in list form.
- flag | url | Insert safe search string into URL.
- flag | header | Insert safe search header.
required: false
https_replacemsg:
choices:
- disable
- enable
description:
- Enable replacement messages for HTTPS.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
override_profile:
description:
- Web filter profile with permission to create overrides.
required: false
replacemsg_group:
description:
- Replacement message group.
required: false
web_ftgd_err_log:
choices:
- disable
- enable
description:
- Enable/disable logging rating errors.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
override_ovrd_dur:
description:
- Override duration.
required: false
web_filter_js_log:
choices:
- disable
- enable
description:
- Enable/disable logging Java scripts.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
web_keyword_match:
description:
- Search keywords to log when match is found.
required: false
ftgd_wf_quota_type:
choices:
- time
- traffic
description:
- Quota type.
- choice | time | Use a time-based quota.
- choice | traffic | Use a traffic-based quota.
required: false
ftgd_wf_quota_unit:
choices:
- B
- KB
- MB
- GB
description:
- Traffic quota unit of measurement.
- choice | B | Quota in bytes.
- choice | KB | Quota in kilobytes.
- choice | MB | Quota in megabytes.
- choice | GB | Quota in gigabytes.
required: false
web_filter_vbs_log:
choices:
- disable
- enable
description:
- Enable/disable logging VBS scripts.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
ftgd_wf_filters_log:
choices:
- disable
- enable
description:
- Enable/disable logging.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
ftgd_wf_quota_value:
description:
- Traffic quota value.
required: false
override_ovrd_scope:
choices:
- user
- user-group
- ip
- ask
- browser
description:
- Override scope.
- choice | user | Override for the user.
- choice | user-group | Override for the user's group.
- choice | ip | Override for the initiating IP.
- choice | ask | Prompt for scope when initiating an override.
- choice | browser | Create browser-based (cookie) override.
required: false
web_bword_threshold:
description:
- Banned word score threshold.
required: false
web_urlfilter_table:
description:
- URL filter table ID.
required: false
ftgd_wf_exempt_quota:
description:
- Do not stop quota for these categories.
required: false
override_ovrd_cookie:
choices:
- deny
- allow
description:
- Allow/deny browser-based (cookie) overrides.
- choice | deny | Deny browser-based (cookie) override.
- choice | allow | Allow browser-based (cookie) override.
required: false
web_ftgd_quota_usage:
choices:
- disable
- enable
description:
- Enable/disable logging daily quota usage.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
web_youtube_restrict:
choices:
- strict
- none
- moderate
description:
- YouTube EDU filter level.
- choice | strict | Strict access for YouTube.
- choice | none | Full access for YouTube.
- choice | moderate | Moderate access for YouTube.
required: false
ftgd_wf_rate_crl_urls:
choices:
- disable
- enable
description:
- Enable/disable rating CRL by URL.
- choice | disable | Disable rating CRL by URL.
- choice | enable | Enable rating CRL by URL.
required: false
ftgd_wf_rate_css_urls:
choices:
- disable
- enable
description:
- Enable/disable rating CSS by URL.
- choice | disable | Disable rating CSS by URL.
- choice | enable | Enable rating CSS by URL.
required: false
override_profile_type:
choices:
- list
- radius
description:
- Override profile type.
- choice | list | Profile chosen from list.
- choice | radius | Profile determined by RADIUS server.
required: false
url_extraction_status:
choices:
- disable
- enable
description:
- Enable URL Extraction
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
web_filter_applet_log:
choices:
- disable
- enable
description:
- Enable/disable logging Java applets.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
web_filter_cookie_log:
choices:
- disable
- enable
description:
- Enable/disable logging cookie filtering.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
ftgd_wf_filters_action:
choices:
- block
- monitor
- warning
- authenticate
description:
- Action to take for matches.
- choice | block | Block access.
- choice | monitor | Allow access while logging the action.
- choice | warning | Allow access after warning the user.
- choice | authenticate | Authenticate user before allowing access.
required: false
ftgd_wf_quota_category:
description:
- FortiGuard categories to apply quota to (category action must be set to monitor).
required: false
ftgd_wf_quota_duration:
description:
- Duration of quota.
required: false
override_ovrd_dur_mode:
choices:
- constant
- ask
description:
- Override duration mode.
- choice | constant | Constant mode.
- choice | ask | Prompt for duration when initiating an override.
required: false
web_filter_activex_log:
choices:
- disable
- enable
description:
- Enable/disable logging ActiveX.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
web_filter_jscript_log:
choices:
- disable
- enable
description:
- Enable/disable logging JScripts.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
web_filter_referer_log:
choices:
- disable
- enable
description:
- Enable/disable logging referrers.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
web_filter_unknown_log:
choices:
- disable
- enable
description:
- Enable/disable logging unknown scripts.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
web_invalid_domain_log:
choices:
- disable
- enable
description:
- Enable/disable logging invalid domain names.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
youtube_channel_filter:
description:
- EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
- List of multiple child objects to be added. Expects a list of dictionaries.
- Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
- If submitted, all other prefixed sub-parameters ARE IGNORED.
- This object is MUTUALLY EXCLUSIVE with its options.
- We expect that you know what you are doing with these list parameters, and are leveraging
the JSON API Guide.
- WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
TASKS
required: false
youtube_channel_status:
choices:
- disable
- blacklist
- whitelist
description:
- YouTube channel filter status.
- choice | disable | Disable YouTube channel filter.
- choice | blacklist | Block matches.
- choice | whitelist | Allow matches.
required: false
ftgd_wf_rate_image_urls:
choices:
- disable
- enable
description:
- Enable/disable rating images by URL.
- choice | disable | Disable rating images by URL (blocked images are replaced with
blanks).
- choice | enable | Enable rating images by URL (blocked images are replaced with
blanks).
required: false
web_content_header_list:
description:
- Content header list.
required: false
ftgd_wf_filters_category:
description:
- Categories and groups the filter examines.
required: false
override_ovrd_user_group:
description:
- User groups with permission to use the override.
required: false
ftgd_wf_max_quota_timeout:
description:
- Maximum FortiGuard quota used by single page view in seconds (excludes streams).
required: false
override_profile_attribute:
choices:
- User-Name
- NAS-IP-Address
- Framed-IP-Address
- Framed-IP-Netmask
- Filter-Id
- Login-IP-Host
- Reply-Message
- Callback-Number
- Callback-Id
- Framed-Route
- Framed-IPX-Network
- Class
- Called-Station-Id
- Calling-Station-Id
- NAS-Identifier
- Proxy-State
- Login-LAT-Service
- Login-LAT-Node
- Login-LAT-Group
- Framed-AppleTalk-Zone
- Acct-Session-Id
- Acct-Multi-Session-Id
description:
- Profile attribute to retrieve from the RADIUS server.
- choice | User-Name | Use this attribute.
- choice | NAS-IP-Address | Use this attribute.
- choice | Framed-IP-Address | Use this attribute.
- choice | Framed-IP-Netmask | Use this attribute.
- choice | Filter-Id | Use this attribute.
- choice | Login-IP-Host | Use this attribute.
- choice | Reply-Message | Use this attribute.
- choice | Callback-Number | Use this attribute.
- choice | Callback-Id | Use this attribute.
- choice | Framed-Route | Use this attribute.
- choice | Framed-IPX-Network | Use this attribute.
- choice | Class | Use this attribute.
- choice | Called-Station-Id | Use this attribute.
- choice | Calling-Station-Id | Use this attribute.
- choice | NAS-Identifier | Use this attribute.
- choice | Proxy-State | Use this attribute.
- choice | Login-LAT-Service | Use this attribute.
- choice | Login-LAT-Node | Use this attribute.
- choice | Login-LAT-Group | Use this attribute.
- choice | Framed-AppleTalk-Zone | Use this attribute.
- choice | Acct-Session-Id | Use this attribute.
- choice | Acct-Multi-Session-Id | Use this attribute.
required: false
url_extraction_server_fqdn:
description:
- URL extraction server FQDN (fully qualified domain name)
required: false
url_extraction_redirect_url:
description:
- HTTP header value to use for client redirect on blocked requests
required: false
web_extended_all_action_log:
choices:
- disable
- enable
description:
- Enable/disable extended any filter action logging for web filtering.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
ftgd_wf_filters_auth_usr_grp:
description:
- Groups with permission to authenticate.
required: false
ftgd_wf_rate_javascript_urls:
choices:
- disable
- enable
description:
- Enable/disable rating JavaScript by URL.
- choice | disable | Disable rating JavaScript by URL.
- choice | enable | Enable rating JavaScript by URL.
required: false
web_filter_command_block_log:
choices:
- disable
- enable
description:
- Enable/disable logging blocked commands.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
ftgd_wf_filters_warn_duration:
description:
- Duration of warnings.
required: false
web_filter_cookie_removal_log:
choices:
- disable
- enable
description:
- Enable/disable logging blocked cookies.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
ftgd_wf_filters_warning_prompt:
choices:
- per-domain
- per-category
description:
- Warning prompts in each category or each domain.
- choice | per-domain | Per-domain warnings.
- choice | per-category | Per-category warnings.
required: false
url_extraction_redirect_header:
description:
- HTTP header name to use for client redirect on blocked requests
required: false
youtube_channel_filter_comment:
description:
- Comment.
required: false
ftgd_wf_quota_override_replacemsg:
description:
- Override replacement message.
required: false
youtube_channel_filter_channel_id:
description:
- YouTube channel ID to be filtered.
required: false
url_extraction_redirect_no_content:
choices:
- disable
- enable
description:
- Enable / Disable empty message-body entity in HTTP response
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
ftgd_wf_filters_override_replacemsg:
description:
- Override replacement message.
required: false
ftgd_wf_filters_warning_duration_type:
choices:
- session
- timeout
description:
- Re-display warning after closing browser or after a timeout.
- choice | session | After session ends.
- choice | timeout | After timeout occurs.
required: false
api_result: description: full API response, includes status code and message returned: always type: str