drmofu.fortimanager.fmgr_webfilter_profile (2.2.2) — module

Configure Web filter profiles.

Added in version 1.0.0 of drmofu.fortimanager

Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu)

preview | supported by community

Install collection

Install with ansible-galaxy collection install drmofu.fortimanager:==2.2.2


Add to requirements.yml

  collections:
    - name: drmofu.fortimanager
      version: 2.2.2

Description

This module is able to configure a FortiManager device.

Examples include all parameters and values which need to be adjusted to data sources before usage.

Usage examples

 - hosts: fortimanager-inventory
   collections:
     - fortinet.fortimanager
   connection: httpapi
   vars:
      ansible_httpapi_use_ssl: True
      # validate_certs: False disables TLS certificate verification for the FortiManager connection
      ansible_httpapi_validate_certs: False
      ansible_httpapi_port: 443
   tasks:
    - name: Configure Web filter profiles.
      fmgr_webfilter_profile:
         bypass_validation: False
         workspace_locking_adom: <value in [global, custom adom including root]>
         workspace_locking_timeout: 300
         rc_succeeded: [0, -2, -3, ...]
         rc_failed: [-2, -3, ...]
         adom: <your own value>
         state: <value in [present, absent]>
         webfilter_profile:
            comment: <value of string>
            extended-log: <value in [disable, enable]>
            https-replacemsg: <value in [disable, enable]>
            inspection-mode: <value in [proxy, flow-based, dns]>
            log-all-url: <value in [disable, enable]>
            name: <value of string>
            options:
              - block-invalid-url
              - jscript
              - js
              - vbs
              - unknown
              - wf-referer
              - https-scan
              - intrinsic
              - wf-cookie
              - per-user-bwl
              - activexfilter
              - cookiefilter
              - https-url-scan
              - javafilter
              - rangeblock
              - contenttype-check
              - per-user-bal
            ovrd-perm:
              - bannedword-override
              - urlfilter-override
              - fortiguard-wf-override
              - contenttype-check-override
            post-action: <value in [normal, comfort, block]>
            replacemsg-group: <value of string>
            web-content-log: <value in [disable, enable]>
            web-extended-all-action-log: <value in [disable, enable]>
            web-filter-activex-log: <value in [disable, enable]>
            web-filter-applet-log: <value in [disable, enable]>
            web-filter-command-block-log: <value in [disable, enable]>
            web-filter-cookie-log: <value in [disable, enable]>
            web-filter-cookie-removal-log: <value in [disable, enable]>
            web-filter-js-log: <value in [disable, enable]>
            web-filter-jscript-log: <value in [disable, enable]>
            web-filter-referer-log: <value in [disable, enable]>
            web-filter-unknown-log: <value in [disable, enable]>
            web-filter-vbs-log: <value in [disable, enable]>
            web-ftgd-err-log: <value in [disable, enable]>
            web-ftgd-quota-usage: <value in [disable, enable]>
            web-invalid-domain-log: <value in [disable, enable]>
            web-url-log: <value in [disable, enable]>
            wisp: <value in [disable, enable]>
            wisp-algorithm: <value in [auto-learning, primary-secondary, round-robin]>
            wisp-servers: <value of string>
            youtube-channel-filter:
              -
                  channel-id: <value of string>
                  comment: <value of string>
                  id: <value of integer>
            youtube-channel-status: <value in [disable, blacklist, whitelist]>
            feature-set: <value in [proxy, flow]>
            web-antiphishing-log: <value in [disable, enable]>
            antiphish:
               check-basic-auth: <value in [disable, enable]>
               check-uri: <value in [disable, enable]>
               check-username-only: <value in [disable, enable]>
               custom-patterns:
                 -
                     category: <value in [username, password]>
                     pattern: <value of string>
                     type: <value in [regex, literal]>
               default-action: <value in [log, block, exempt]>
               domain-controller: <value of string>
               inspection-entries:
                 -
                     action: <value in [log, block, exempt]>
                     fortiguard-category: <value of string>
                     name: <value of string>
               max-body-len: <value of integer>
               status: <value in [disable, enable]>
               authentication: <value in [domain-controller, ldap]>
               ldap: <value of string>
            ftgd-wf:
               exempt-quota: <value of string>
               filters:
                 -
                     action: <value in [block, monitor, warning, ...]>
                     auth-usr-grp: <value of string>
                     category: <value of string>
                     id: <value of integer>
                     log: <value in [disable, enable]>
                     override-replacemsg: <value of string>
                     warn-duration: <value of string>
                     warning-duration-type: <value in [session, timeout]>
                     warning-prompt: <value in [per-domain, per-category]>
               max-quota-timeout: <value of integer>
               options:
                 - error-allow
                 - http-err-detail
                 - rate-image-urls
                 - strict-blocking
                 - rate-server-ip
                 - redir-block
                 - connect-request-bypass
                 - log-all-url
                 - ftgd-disable
               ovrd: <value of string>
               quota:
                 -
                     category: <value of string>
                     duration: <value of string>
                     id: <value of integer>
                     override-replacemsg: <value of string>
                     type: <value in [time, traffic]>
                     unit: <value in [B, KB, MB, ...]>
                     value: <value of integer>
               rate-crl-urls: <value in [disable, enable]>
               rate-css-urls: <value in [disable, enable]>
               rate-image-urls: <value in [disable, enable]>
               rate-javascript-urls: <value in [disable, enable]>
               category-override: <value of string>
            override:
               ovrd-cookie: <value in [deny, allow]>
               ovrd-dur: <value of string>
               ovrd-dur-mode: <value in [constant, ask]>
               ovrd-scope: <value in [user, user-group, ip, ...]>
               ovrd-user-group: <value of string>
               profile: <value of string>
               profile-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
               profile-type: <value in [list, radius]>
            url-extraction:
               redirect-header: <value of string>
               redirect-no-content: <value in [disable, enable]>
               redirect-url: <value of string>
               server-fqdn: <value of string>
               status: <value in [disable, enable]>
            web:
               blacklist: <value in [disable, enable]>
               bword-table: <value of string>
               bword-threshold: <value of integer>
               content-header-list: <value of string>
               keyword-match: <value of string>
               log-search: <value in [disable, enable]>
               safe-search:
                 - google
                 - yahoo
                 - bing
                 - url
                 - header
               urlfilter-table: <value of string>
               whitelist:
                 - exempt-av
                 - exempt-webcontent
                 - exempt-activex-java-cookie
                 - exempt-dlp
                 - exempt-rangeblock
                 - extended-log-others
               youtube-restrict: <value in [strict, none, moderate]>
               allowlist:
                 - exempt-av
                 - exempt-webcontent
                 - exempt-activex-java-cookie
                 - exempt-dlp
                 - exempt-rangeblock
                 - extended-log-others
               blocklist: <value in [disable, enable]>
               vimeo-restrict: <value of string>
            file-filter:
               entries:
                 -
                     action: <value in [log, block]>
                     comment: <value of string>
                     direction: <value in [any, incoming, outgoing]>
                     encryption: <value in [any, yes]>
                     file-type: <value of string>
                     filter: <value of string>
                     password-protected: <value in [any, yes]>
                     protocol:
                       - http
                       - ftp
               log: <value in [disable, enable]>
               scan-archive-contents: <value in [disable, enable]>
               status: <value in [disable, enable]>
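
A filled-in version of the template above, as an added example that is not part of the collection's own documentation: it keeps TLS certificate validation on, authenticates with the documented `access_token` parameter, and enables the antiphish checks together with their logging. The inventory group, the profile name, and the variables `fmgr_access_token` and `antiphish_domain_controller` are assumptions.

```yaml
- hosts: fortimanager-inventory
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify the FortiManager certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Create a web filter profile with credential-phishing checks
      drmofu.fortimanager.fmgr_webfilter_profile:
        # Hypothetical variable, expected to come from Ansible Vault
        access_token: "{{ fmgr_access_token }}"
        # Keep parameter validation against the module schema enabled
        bypass_validation: false
        workspace_locking_adom: root
        workspace_locking_timeout: 300
        adom: root
        state: present
        webfilter_profile:
          name: wf-antiphish-example        # constructed profile name
          comment: Managed by Ansible
          options:
            - block-invalid-url
          log-all-url: enable
          web-url-log: enable
          web-antiphishing-log: enable
          antiphish:
            status: enable
            authentication: domain-controller
            # Hypothetical variable naming an existing domain controller object
            domain-controller: "{{ antiphish_domain_controller }}"
            check-uri: enable
            check-basic-auth: enable
            default-action: block
      register: wf_result

    - name: Show parameters this FortiManager version does not support
      ansible.builtin.debug:
        var: wf_result.version_check_warning
      when: wf_result.version_check_warning is defined
```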

Inputs

    
adom:
    description: The parameter (adom) in the requested URL.
    required: true
    type: str

state:
    choices:
    - present
    - absent
    description: The directive to create, update or delete an object.
    required: true
    type: str

rc_failed:
    description: The rc codes list with which the conditions to fail will be overridden.
    elements: int
    required: false
    type: list

enable_log:
    default: false
    description: Enable/Disable logging for task.
    required: false
    type: bool

access_token:
    description: The token to access FortiManager without using username and password.
    required: false
    type: str

rc_succeeded:
    description: The rc codes list with which the conditions to succeed will be overridden.
    elements: int
    required: false
    type: list

proposed_method:
    choices:
    - update
    - set
    - add
    description: The overridden method for the underlying Json RPC request.
    required: false
    type: str

bypass_validation:
    default: false
    description: Only set to True when the module schema differs from the FortiManager API structure;
      the module then continues to execute without validating parameters.
    required: false
    type: bool

webfilter_profile:
    description: the top level parameters set
    required: false
    suboptions:
      antiphish:
        description: no description
        required: false
        suboptions:
          authentication:
            choices:
            - domain-controller
            - ldap
            description: Authentication methods.
            type: str
          check-basic-auth:
            choices:
            - disable
            - enable
            description: Enable/disable checking of HTTP Basic Auth field for known credentials.
            type: str
          check-uri:
            choices:
            - disable
            - enable
            description: Enable/disable checking of GET URI parameters for known credentials.
            type: str
          check-username-only:
            choices:
            - disable
            - enable
            description: Enable/disable acting only on valid username credentials.
            type: str
          custom-patterns:
            description: Custom-Patterns.
            elements: dict
            suboptions:
              category:
                choices:
                - username
                - password
                description: Category that the pattern matches.
                type: str
              pattern:
                description: Target pattern.
                type: str
              type:
                choices:
                - regex
                - literal
                description: Pattern will be treated either as a regex pattern or literal
                  string.
                type: str
            type: list
          default-action:
            choices:
            - log
            - block
            - exempt
            description: Action to be taken when there is no matching rule.
            type: str
          domain-controller:
            description: Domain against which to verify received credentials.
            type: str
          inspection-entries:
            description: Inspection-Entries.
            elements: dict
            suboptions:
              action:
                choices:
                - log
                - block
                - exempt
                description: Action to be taken upon an AntiPhishing match.
                type: str
              fortiguard-category:
                description: FortiGuard category to match.
                type: str
              name:
                description: Inspection target name.
                type: str
            type: list
          ldap:
            description: LDAP server against which to verify received credentials.
            type: str
          max-body-len:
            description: Maximum size of a POST body to check for credentials.
            type: int
          status:
            choices:
            - disable
            - enable
            description: Toggle AntiPhishing functionality.
            type: str
        type: dict
      comment:
        description: Optional comments.
        type: str
      extended-log:
        choices:
        - disable
        - enable
        description: Enable/disable extended logging for web filtering.
        type: str
      feature-set:
        choices:
        - proxy
        - flow
        description: Flow/proxy feature set.
        type: str
      file-filter:
        description: no description
        required: false
        suboptions:
          entries:
            description: description
            elements: dict
            suboptions:
              action:
                choices:
                - log
                - block
                description: Action taken for matched file.
                type: str
              comment:
                description: Comment.
                type: str
              direction:
                choices:
                - any
                - incoming
                - outgoing
                description: Match files transmitted in the sessions originating or reply
                  direction.
                type: str
              encryption:
                choices:
                - any
                - 'yes'
                description: no description
                type: str
              file-type:
                description: description
                type: str
              filter:
                description: Add a file filter.
                type: str
              password-protected:
                choices:
                - any
                - 'yes'
                description: Match password-protected files.
                type: str
              protocol:
                choices:
                - http
                - ftp
                description: description
                elements: str
                type: list
            type: list
          log:
            choices:
            - disable
            - enable
            description: Enable/disable file filter logging.
            type: str
          scan-archive-contents:
            choices:
            - disable
            - enable
            description: Enable/disable file filter archive contents scan.
            type: str
          status:
            choices:
            - disable
            - enable
            description: Enable/disable file filter.
            type: str
        type: dict
      ftgd-wf:
        description: no description
        required: false
        suboptions:
          category-override:
            description: Local categories take precedence over FortiGuard categories.
            type: str
          exempt-quota:
            description: Do not stop quota for these categories.
            type: str
          filters:
            description: Filters.
            elements: dict
            suboptions:
              action:
                choices:
                - block
                - monitor
                - warning
                - authenticate
                description: Action to take for matches.
                type: str
              auth-usr-grp:
                description: Groups with permission to authenticate.
                type: str
              category:
                description: Categories and groups the filter examines.
                type: str
              id:
                description: ID number.
                type: int
              log:
                choices:
                - disable
                - enable
                description: Enable/disable logging.
                type: str
              override-replacemsg:
                description: Override replacement message.
                type: str
              warn-duration:
                description: Duration of warnings.
                type: str
              warning-duration-type:
                choices:
                - session
                - timeout
                description: Re-display warning after closing browser or after a timeout.
                type: str
              warning-prompt:
                choices:
                - per-domain
                - per-category
                description: Warning prompts in each category or each domain.
                type: str
            type: list
          max-quota-timeout:
            description: Maximum FortiGuard quota used by single page view in seconds
            type: int
          options:
            choices:
            - error-allow
            - http-err-detail
            - rate-image-urls
            - strict-blocking
            - rate-server-ip
            - redir-block
            - connect-request-bypass
            - log-all-url
            - ftgd-disable
            description: Options for FortiGuard Web Filter.
            elements: str
            type: list
          ovrd:
            description: Allow web filter profile overrides.
            type: str
          quota:
            description: Quota.
            elements: dict
            suboptions:
              category:
                description: FortiGuard categories to apply quota to
                type: str
              duration:
                description: Duration of quota.
                type: str
              id:
                description: ID number.
                type: int
              override-replacemsg:
                description: Override replacement message.
                type: str
              type:
                choices:
                - time
                - traffic
                description: Quota type.
                type: str
              unit:
                choices:
                - B
                - KB
                - MB
                - GB
                description: Traffic quota unit of measurement.
                type: str
              value:
                description: Traffic quota value.
                type: int
            type: list
          rate-crl-urls:
            choices:
            - disable
            - enable
            description: Enable/disable rating CRL by URL.
            type: str
          rate-css-urls:
            choices:
            - disable
            - enable
            description: Enable/disable rating CSS by URL.
            type: str
          rate-image-urls:
            choices:
            - disable
            - enable
            description: Enable/disable rating images by URL.
            type: str
          rate-javascript-urls:
            choices:
            - disable
            - enable
            description: Enable/disable rating JavaScript by URL.
            type: str
        type: dict
      https-replacemsg:
        choices:
        - disable
        - enable
        description: Enable replacement messages for HTTPS.
        type: str
      inspection-mode:
        choices:
        - proxy
        - flow-based
        - dns
        description: Web filtering inspection mode.
        type: str
      log-all-url:
        choices:
        - disable
        - enable
        description: Enable/disable logging all URLs visited.
        type: str
      name:
        description: Profile name.
        type: str
      options:
        choices:
        - block-invalid-url
        - jscript
        - js
        - vbs
        - unknown
        - wf-referer
        - https-scan
        - intrinsic
        - wf-cookie
        - per-user-bwl
        - activexfilter
        - cookiefilter
        - https-url-scan
        - javafilter
        - rangeblock
        - contenttype-check
        - per-user-bal
        description: Options.
        elements: str
        type: list
      override:
        description: no description
        required: false
        suboptions:
          ovrd-cookie:
            choices:
            - deny
            - allow
            description: Allow/deny browser-based
            type: str
          ovrd-dur:
            description: Override duration.
            type: str
          ovrd-dur-mode:
            choices:
            - constant
            - ask
            description: Override duration mode.
            type: str
          ovrd-scope:
            choices:
            - user
            - user-group
            - ip
            - ask
            - browser
            description: Override scope.
            type: str
          ovrd-user-group:
            description: User groups with permission to use the override.
            type: str
          profile:
            description: Web filter profile with permission to create overrides.
            type: str
          profile-attribute:
            choices:
            - User-Name
            - User-Password
            - CHAP-Password
            - NAS-IP-Address
            - NAS-Port
            - Service-Type
            - Framed-Protocol
            - Framed-IP-Address
            - Framed-IP-Netmask
            - Framed-Routing
            - Filter-Id
            - Framed-MTU
            - Framed-Compression
            - Login-IP-Host
            - Login-Service
            - Login-TCP-Port
            - Reply-Message
            - Callback-Number
            - Callback-Id
            - Framed-Route
            - Framed-IPX-Network
            - State
            - Class
            - Vendor-Specific
            - Session-Timeout
            - Idle-Timeout
            - Termination-Action
            - Called-Station-Id
            - Calling-Station-Id
            - NAS-Identifier
            - Proxy-State
            - Login-LAT-Service
            - Login-LAT-Node
            - Login-LAT-Group
            - Framed-AppleTalk-Link
            - Framed-AppleTalk-Network
            - Framed-AppleTalk-Zone
            - Acct-Status-Type
            - Acct-Delay-Time
            - Acct-Input-Octets
            - Acct-Output-Octets
            - Acct-Session-Id
            - Acct-Authentic
            - Acct-Session-Time
            - Acct-Input-Packets
            - Acct-Output-Packets
            - Acct-Terminate-Cause
            - Acct-Multi-Session-Id
            - Acct-Link-Count
            - CHAP-Challenge
            - NAS-Port-Type
            - Port-Limit
            - Login-LAT-Port
            description: Profile attribute to retrieve from the RADIUS server.
            type: str
          profile-type:
            choices:
            - list
            - radius
            description: Override profile type.
            type: str
        type: dict
      ovrd-perm:
        choices:
        - bannedword-override
        - urlfilter-override
        - fortiguard-wf-override
        - contenttype-check-override
        description: Permitted override types.
        elements: str
        type: list
      post-action:
        choices:
        - normal
        - comfort
        - block
        description: Action taken for HTTP POST traffic.
        type: str
      replacemsg-group:
        description: Replacement message group.
        type: str
      url-extraction:
        description: no description
        required: false
        suboptions:
          redirect-header:
            description: HTTP header name to use for client redirect on blocked requests
            type: str
          redirect-no-content:
            choices:
            - disable
            - enable
            description: Enable / Disable empty message-body entity in HTTP response
            type: str
          redirect-url:
            description: HTTP header value to use for client redirect on blocked requests
            type: str
          server-fqdn:
            description: URL extraction server FQDN
            type: str
          status:
            choices:
            - disable
            - enable
            description: Enable URL Extraction
            type: str
        type: dict
      web:
        description: no description
        required: false
        suboptions:
          allowlist:
            choices:
            - exempt-av
            - exempt-webcontent
            - exempt-activex-java-cookie
            - exempt-dlp
            - exempt-rangeblock
            - extended-log-others
            description: FortiGuard allowlist settings.
            elements: str
            type: list
          blacklist:
            choices:
            - disable
            - enable
            description: Enable/disable automatic addition of URLs detected by FortiSandbox
              to blacklist.
            type: str
          blocklist:
            choices:
            - disable
            - enable
            description: Enable/disable automatic addition of URLs detected by FortiSandbox
              to blocklist.
            type: str
          bword-table:
            description: Banned word table ID.
            type: str
          bword-threshold:
            description: Banned word score threshold.
            type: int
          content-header-list:
            description: Content header list.
            type: str
          keyword-match:
            description: Search keywords to log when match is found.
            type: str
          log-search:
            choices:
            - disable
            - enable
            description: Enable/disable logging all search phrases.
            type: str
          safe-search:
            choices:
            - google
            - yahoo
            - bing
            - url
            - header
            description: Safe search type.
            elements: str
            type: list
          urlfilter-table:
            description: URL filter table ID.
            type: str
          vimeo-restrict:
            description: Set Vimeo-restrict
            type: str
          whitelist:
            choices:
            - exempt-av
            - exempt-webcontent
            - exempt-activex-java-cookie
            - exempt-dlp
            - exempt-rangeblock
            - extended-log-others
            description: FortiGuard whitelist settings.
            elements: str
            type: list
          youtube-restrict:
            choices:
            - strict
            - none
            - moderate
            description: YouTube EDU filter level.
            type: str
        type: dict
      web-antiphishing-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging of AntiPhishing checks.
        type: str
      web-content-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging blocked web content.
        type: str
      web-extended-all-action-log:
        choices:
        - disable
        - enable
        description: Enable/disable extended any filter action logging for web filtering.
        type: str
      web-filter-activex-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging ActiveX.
        type: str
      web-filter-applet-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging Java applets.
        type: str
      web-filter-command-block-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging blocked commands.
        type: str
      web-filter-cookie-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging cookie filtering.
        type: str
      web-filter-cookie-removal-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging blocked cookies.
        type: str
      web-filter-js-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging JavaScript.
        type: str
      web-filter-jscript-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging JScripts.
        type: str
      web-filter-referer-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging referrers.
        type: str
      web-filter-unknown-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging unknown scripts.
        type: str
      web-filter-vbs-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging VBS scripts.
        type: str
      web-ftgd-err-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging rating errors.
        type: str
      web-ftgd-quota-usage:
        choices:
        - disable
        - enable
        description: Enable/disable logging daily quota usage.
        type: str
      web-invalid-domain-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging invalid domain names.
        type: str
      web-url-log:
        choices:
        - disable
        - enable
        description: Enable/disable logging URL filtering.
        type: str
      wisp:
        choices:
        - disable
        - enable
        description: Enable/disable web proxy WISP.
        type: str
      wisp-algorithm:
        choices:
        - auto-learning
        - primary-secondary
        - round-robin
        description: WISP server selection algorithm.
        type: str
      wisp-servers:
        description: WISP servers.
        type: str
      youtube-channel-filter:
        description: Youtube-Channel-Filter.
        elements: dict
        suboptions:
          channel-id:
            description: YouTube channel ID to be filtered.
            type: str
          comment:
            description: Comment.
            type: str
          id:
            description: ID.
            type: int
        type: list
      youtube-channel-status:
        choices:
        - disable
        - blacklist
        - whitelist
        description: YouTube channel filter status.
        type: str
    type: dict

workspace_locking_adom:
    description: The ADOM to lock when FortiManager runs in workspace mode; the value
      can be global or any other ADOM, including root.
    required: false
    type: str

forticloud_access_token:
    description: Authenticate Ansible client with forticloud API access token.
    required: false
    type: str

workspace_locking_timeout:
    default: 300
    description: The maximum time in seconds to wait for another user to release the workspace
      lock.
    required: false
    type: int

Outputs

meta:
  contains:
    request_url:
      description: The full url requested.
      returned: always
      sample: /sys/login/user
      type: str
    response_code:
      description: The status of the API request.
      returned: always
      sample: 0
      type: int
    response_data:
      description: The api response.
      returned: always
      type: list
    response_message:
      description: The descriptive message of the api response.
      returned: always
      sample: OK.
      type: str
    system_information:
      description: The information of the target system.
      returned: always
      type: dict
  description: The result of the request.
  returned: always
  type: dict
rc:
  description: The status of the request.
  returned: always
  sample: 0
  type: int
version_check_warning:
  description: Warning if the parameters used in the playbook are not supported by
    the current FortiManager version.
  returned: complex
  type: list