Try SpotterWeb application firewall configuration.
| "added in version" 1.0.0 of drmofu.fortimanager"
Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu)
preview | supported by community
Install with ansible-galaxy collection install drmofu.fortimanager:==2.2.2
collections:
- name: drmofu.fortimanager
version: 2.2.2This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.
- hosts: fortimanager-inventory
collections:
- fortinet.fortimanager
connection: httpapi
vars:
ansible_httpapi_use_ssl: True
ansible_httpapi_validate_certs: False
ansible_httpapi_port: 443
tasks:
- name: Web application firewall configuration.
fmgr_waf_profile:
bypass_validation: False
workspace_locking_adom: <value in [global, custom adom including root]>
workspace_locking_timeout: 300
rc_succeeded: [0, -2, -3, ...]
rc_failed: [-2, -3, ...]
adom: <your own value>
state: <value in [present, absent]>
waf_profile:
comment: <value of string>
extended-log: <value in [disable, enable]>
external: <value in [disable, enable]>
name: <value of string>
url-access:
-
access-pattern:
-
id: <value of integer>
negate: <value in [disable, enable]>
pattern: <value of string>
regex: <value in [disable, enable]>
srcaddr: <value of string>
action: <value in [bypass, permit, block]>
address: <value of string>
id: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
address-list:
blocked-address: <value of string>
blocked-log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
trusted-address: <value of string>
constraint:
content-length:
action: <value in [allow, block]>
length: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
exception:
-
address: <value of string>
content-length: <value in [disable, enable]>
header-length: <value in [disable, enable]>
hostname: <value in [disable, enable]>
id: <value of integer>
line-length: <value in [disable, enable]>
malformed: <value in [disable, enable]>
max-cookie: <value in [disable, enable]>
max-header-line: <value in [disable, enable]>
max-range-segment: <value in [disable, enable]>
max-url-param: <value in [disable, enable]>
method: <value in [disable, enable]>
param-length: <value in [disable, enable]>
pattern: <value of string>
regex: <value in [disable, enable]>
url-param-length: <value in [disable, enable]>
version: <value in [disable, enable]>
header-length:
action: <value in [allow, block]>
length: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
hostname:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
line-length:
action: <value in [allow, block]>
length: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
malformed:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max-cookie:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max-cookie: <value of integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max-header-line:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max-header-line: <value of integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max-range-segment:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max-range-segment: <value of integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max-url-param:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max-url-param: <value of integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
method:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
param-length:
action: <value in [allow, block]>
length: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
url-param-length:
action: <value in [allow, block]>
length: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
version:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
method:
default-allowed-methods:
- delete
- get
- head
- options
- post
- put
- trace
- others
- connect
log: <value in [disable, enable]>
method-policy:
-
address: <value of string>
allowed-methods:
- delete
- get
- head
- options
- post
- put
- trace
- others
- connect
id: <value of integer>
pattern: <value of string>
regex: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
signature:
credit-card-detection-threshold: <value of integer>
custom-signature:
-
action: <value in [allow, block, erase]>
case-sensitivity: <value in [disable, enable]>
direction: <value in [request, response]>
log: <value in [disable, enable]>
name: <value of string>
pattern: <value of string>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
target:
- arg
- arg-name
- req-body
- req-cookie
- req-cookie-name
- req-filename
- req-header
- req-header-name
- req-raw-uri
- req-uri
- resp-body
- resp-hdr
- resp-status
disabled-signature: <value of string>
disabled-sub-class: <value of string>
main-class:
action: <value in [allow, block, erase]>
id: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
adom:
description: the parameter (adom) in requested url
required: true
type: str
state:
choices:
- present
- absent
description: The directive to create, update or delete an object.
required: true
type: str
rc_failed:
description: The rc codes list with which the conditions to fail will be overriden.
elements: int
required: false
type: list
enable_log:
default: false
description: Enable/Disable logging for task.
required: false
type: bool
waf_profile:
description: the top level parameters set
required: false
suboptions:
address-list:
description: no description
required: false
suboptions:
blocked-address:
description: Blocked address.
type: str
blocked-log:
choices:
- disable
- enable
description: Enable/disable logging on blocked addresses.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Status.
type: str
trusted-address:
description: Trusted address.
type: str
type: dict
comment:
description: Comment.
type: str
constraint:
description: no description
required: false
suboptions:
content-length:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
length:
description: Length of HTTP content in bytes
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
exception:
description: Exception.
elements: dict
suboptions:
address:
description: Host address.
type: str
content-length:
choices:
- disable
- enable
description: HTTP content length in request.
type: str
header-length:
choices:
- disable
- enable
description: HTTP header length in request.
type: str
hostname:
choices:
- disable
- enable
description: Enable/disable hostname check.
type: str
id:
description: Exception ID.
type: int
line-length:
choices:
- disable
- enable
description: HTTP line length in request.
type: str
malformed:
choices:
- disable
- enable
description: Enable/disable malformed HTTP request check.
type: str
max-cookie:
choices:
- disable
- enable
description: Maximum number of cookies in HTTP request.
type: str
max-header-line:
choices:
- disable
- enable
description: Maximum number of HTTP header line.
type: str
max-range-segment:
choices:
- disable
- enable
description: Maximum number of range segments in HTTP range line.
type: str
max-url-param:
choices:
- disable
- enable
description: Maximum number of parameters in URL.
type: str
method:
choices:
- disable
- enable
description: Enable/disable HTTP method check.
type: str
param-length:
choices:
- disable
- enable
description: Maximum length of parameter in URL, HTTP POST request or
HTTP body.
type: str
pattern:
description: URL pattern.
type: str
regex:
choices:
- disable
- enable
description: Enable/disable regular expression based pattern match.
type: str
url-param-length:
choices:
- disable
- enable
description: Maximum length of parameter in URL.
type: str
version:
choices:
- disable
- enable
description: Enable/disable HTTP version check.
type: str
type: list
header-length:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
length:
description: Length of HTTP header in bytes
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
hostname:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
line-length:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
length:
description: Length of HTTP line in bytes
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
malformed:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
max-cookie:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
max-cookie:
description: Maximum number of cookies in HTTP request
type: int
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
max-header-line:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
max-header-line:
description: Maximum number HTTP header lines
type: int
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
max-range-segment:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
max-range-segment:
description: Maximum number of range segments in HTTP range line
type: int
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
max-url-param:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
max-url-param:
description: Maximum number of parameters in URL
type: int
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
method:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
param-length:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
length:
description: Maximum length of parameter in URL, HTTP POST request or
HTTP body in bytes
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
url-param-length:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
length:
description: Maximum length of URL parameter in bytes
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
version:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
type: dict
extended-log:
choices:
- disable
- enable
description: Enable/disable extended logging.
type: str
external:
choices:
- disable
- enable
description: Disable/Enable external HTTP Inspection.
type: str
method:
description: no description
required: false
suboptions:
default-allowed-methods:
choices:
- delete
- get
- head
- options
- post
- put
- trace
- others
- connect
description: Methods.
elements: str
type: list
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
method-policy:
description: Method-Policy.
elements: dict
suboptions:
address:
description: Host address.
type: str
allowed-methods:
choices:
- delete
- get
- head
- options
- post
- put
- trace
- others
- connect
description: Allowed Methods.
elements: str
type: list
id:
description: HTTP method policy ID.
type: int
pattern:
description: URL pattern.
type: str
regex:
choices:
- disable
- enable
description: Enable/disable regular expression based pattern match.
type: str
type: list
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Status.
type: str
type: dict
name:
description: WAF Profile name.
type: str
signature:
description: no description
required: false
suboptions:
credit-card-detection-threshold:
description: The minimum number of Credit cards to detect violation.
type: int
custom-signature:
description: Custom-Signature.
elements: dict
suboptions:
action:
choices:
- allow
- block
- erase
description: Action.
type: str
case-sensitivity:
choices:
- disable
- enable
description: Case sensitivity in pattern.
type: str
direction:
choices:
- request
- response
description: Traffic direction.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
name:
description: Signature name.
type: str
pattern:
description: Match pattern.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Status.
type: str
target:
choices:
- arg
- arg-name
- req-body
- req-cookie
- req-cookie-name
- req-filename
- req-header
- req-header-name
- req-raw-uri
- req-uri
- resp-body
- resp-hdr
- resp-status
description: Match HTTP target.
elements: str
type: list
type: list
disabled-signature:
description: Disabled signatures
type: str
disabled-sub-class:
description: Disabled signature subclasses.
type: str
main-class:
description: no description
required: false
suboptions:
action:
choices:
- allow
- block
- erase
description: Action.
type: str
id:
description: Main signature class ID.
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Status.
type: str
type: dict
type: dict
url-access:
description: Url-Access.
elements: dict
suboptions:
access-pattern:
description: Access-Pattern.
elements: dict
suboptions:
id:
description: URL access pattern ID.
type: int
negate:
choices:
- disable
- enable
description: Enable/disable match negation.
type: str
pattern:
description: URL pattern.
type: str
regex:
choices:
- disable
- enable
description: Enable/disable regular expression based pattern match.
type: str
srcaddr:
description: Source address.
type: str
type: list
action:
choices:
- bypass
- permit
- block
description: Action.
type: str
address:
description: Host address.
type: str
id:
description: URL access ID.
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
type: list
type: dict
access_token:
description: The token to access FortiManager without using username and password.
required: false
type: str
rc_succeeded:
description: The rc codes list with which the conditions to succeed will be overriden.
elements: int
required: false
type: list
proposed_method:
choices:
- update
- set
- add
description: The overridden method for the underlying Json RPC request.
required: false
type: str
bypass_validation:
default: false
description: Only set to True when module schema diffs with FortiManager API structure,
module continues to execute without validating parameters.
required: false
type: bool
workspace_locking_adom:
description: The adom to lock for FortiManager running in workspace mode, the value
can be global and others including root.
required: false
type: str
forticloud_access_token:
description: Authenticate Ansible client with forticloud API access token.
required: false
type: str
workspace_locking_timeout:
default: 300
description: The maximum time in seconds to wait for other user to release the workspace
lock.
required: false
type: int
meta:
contains:
request_url:
description: The full url requested.
returned: always
sample: /sys/login/user
type: str
response_code:
description: The status of api request.
returned: always
sample: 0
type: int
response_data:
description: The api response.
returned: always
type: list
response_message:
description: The descriptive message of the api response.
returned: always
sample: OK.
type: str
system_information:
description: The information of the target system.
returned: always
type: dict
description: The result of the request.
returned: always
type: dict
rc:
description: The status the request.
returned: always
sample: 0
type: int
version_check_warning:
description: Warning if the parameters used in the playbook are not supported by
the current FortiManager version.
returned: complex
type: list