Try SpotterWeb application firewall configuration.
| "added in version" 1.0.0 of fortinet.fortimanager"
Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu)
preview | supported by community
Install with ansible-galaxy collection install fortinet.fortimanager:==2.4.0
collections:
- name: fortinet.fortimanager
version: 2.4.0This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.
- name: Example playbook (generated based on argument schema)
hosts: fortimanagers
connection: httpapi
vars:
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
ansible_httpapi_port: 443
tasks:
- name: Web application firewall configuration.
fortinet.fortimanager.fmgr_waf_profile:
# bypass_validation: false
workspace_locking_adom: <value in [global, custom adom including root]>
workspace_locking_timeout: 300
# rc_succeeded: [0, -2, -3, ...]
# rc_failed: [-2, -3, ...]
adom: <your own value>
state: present # <value in [present, absent]>
waf_profile:
comment: <string>
extended_log: <value in [disable, enable]>
external: <value in [disable, enable]>
name: <string>
url_access:
-
access_pattern:
-
id: <integer>
negate: <value in [disable, enable]>
pattern: <string>
regex: <value in [disable, enable]>
srcaddr: <string>
action: <value in [bypass, permit, block]>
address: <string>
id: <integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
address_list:
blocked_address: <list or string>
blocked_log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
trusted_address: <list or string>
constraint:
content_length:
action: <value in [allow, block]>
length: <integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
exception:
-
address: <string>
content_length: <value in [disable, enable]>
header_length: <value in [disable, enable]>
hostname: <value in [disable, enable]>
id: <integer>
line_length: <value in [disable, enable]>
malformed: <value in [disable, enable]>
max_cookie: <value in [disable, enable]>
max_header_line: <value in [disable, enable]>
max_range_segment: <value in [disable, enable]>
max_url_param: <value in [disable, enable]>
method: <value in [disable, enable]>
param_length: <value in [disable, enable]>
pattern: <string>
regex: <value in [disable, enable]>
url_param_length: <value in [disable, enable]>
version: <value in [disable, enable]>
header_length:
action: <value in [allow, block]>
length: <integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
hostname:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
line_length:
action: <value in [allow, block]>
length: <integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
malformed:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max_cookie:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max_cookie: <integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max_header_line:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max_header_line: <integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max_range_segment:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max_range_segment: <integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max_url_param:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max_url_param: <integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
method:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
param_length:
action: <value in [allow, block]>
length: <integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
url_param_length:
action: <value in [allow, block]>
length: <integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
version:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
method:
default_allowed_methods:
- delete
- get
- head
- options
- post
- put
- trace
- others
- connect
log: <value in [disable, enable]>
method_policy:
-
address: <string>
allowed_methods:
- delete
- get
- head
- options
- post
- put
- trace
- others
- connect
id: <integer>
pattern: <string>
regex: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
signature:
credit_card_detection_threshold: <integer>
custom_signature:
-
action: <value in [allow, block, erase]>
case_sensitivity: <value in [disable, enable]>
direction: <value in [request, response]>
log: <value in [disable, enable]>
name: <string>
pattern: <string>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
target:
- arg
- arg-name
- req-body
- req-cookie
- req-cookie-name
- req-filename
- req-header
- req-header-name
- req-raw-uri
- req-uri
- resp-body
- resp-hdr
- resp-status
disabled_signature: <list or string>
disabled_sub_class: <list or string>
main_class:
action: <value in [allow, block, erase]>
id: <integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
adom:
description: The parameter (adom) in requested url.
required: true
type: str
state:
choices:
- present
- absent
description: The directive to create, update or delete an object.
required: true
type: str
rc_failed:
description: The rc codes list with which the conditions to fail will be overriden.
elements: int
type: list
enable_log:
default: false
description: Enable/Disable logging for task.
type: bool
waf_profile:
description: The top level parameters set.
required: false
suboptions:
address-list:
description: Deprecated, please rename it to address_list.
suboptions:
blocked-address:
description: (list or str) Deprecated, please rename it to blocked_address.
Blocked address.
type: raw
blocked-log:
choices:
- disable
- enable
description: Deprecated, please rename it to blocked_log. Enable/disable logging
on blocked addresses.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Status.
type: str
trusted-address:
description: (list or str) Deprecated, please rename it to trusted_address.
Trusted address.
type: raw
type: dict
comment:
description: Comment.
type: str
constraint:
description: No description.
suboptions:
content-length:
description: Deprecated, please rename it to content_length.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
length:
description: Length of HTTP content in bytes
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
exception:
description: Exception.
elements: dict
suboptions:
address:
description: Host address.
type: str
content-length:
choices:
- disable
- enable
description: Deprecated, please rename it to content_length. HTTP content
length in request.
type: str
header-length:
choices:
- disable
- enable
description: Deprecated, please rename it to header_length. HTTP header
length in request.
type: str
hostname:
choices:
- disable
- enable
description: Enable/disable hostname check.
type: str
id:
description: Exception ID.
type: int
line-length:
choices:
- disable
- enable
description: Deprecated, please rename it to line_length. HTTP line length
in request.
type: str
malformed:
choices:
- disable
- enable
description: Enable/disable malformed HTTP request check.
type: str
max-cookie:
choices:
- disable
- enable
description: Deprecated, please rename it to max_cookie. Maximum number
of cookies in HTTP request.
type: str
max-header-line:
choices:
- disable
- enable
description: Deprecated, please rename it to max_header_line. Maximum
number of HTTP header line.
type: str
max-range-segment:
choices:
- disable
- enable
description: Deprecated, please rename it to max_range_segment. Maximum
number of range segments in HTTP range line.
type: str
max-url-param:
choices:
- disable
- enable
description: Deprecated, please rename it to max_url_param. Maximum number
of parameters in URL.
type: str
method:
choices:
- disable
- enable
description: Enable/disable HTTP method check.
type: str
param-length:
choices:
- disable
- enable
description: Deprecated, please rename it to param_length. Maximum length
of parameter in URL, HTTP POST request or HTT...
type: str
pattern:
description: URL pattern.
type: str
regex:
choices:
- disable
- enable
description: Enable/disable regular expression based pattern match.
type: str
url-param-length:
choices:
- disable
- enable
description: Deprecated, please rename it to url_param_length. Maximum
length of parameter in URL.
type: str
version:
choices:
- disable
- enable
description: Enable/disable HTTP version check.
type: str
type: list
header-length:
description: Deprecated, please rename it to header_length.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
length:
description: Length of HTTP header in bytes
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
hostname:
description: No description.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
line-length:
description: Deprecated, please rename it to line_length.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
length:
description: Length of HTTP line in bytes
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
malformed:
description: No description.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
max-cookie:
description: Deprecated, please rename it to max_cookie.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
max-cookie:
description: Deprecated, please rename it to max_cookie. Maximum number
of cookies in HTTP request
type: int
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
max-header-line:
description: Deprecated, please rename it to max_header_line.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
max-header-line:
description: Deprecated, please rename it to max_header_line. Maximum
number HTTP header lines
type: int
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
max-range-segment:
description: Deprecated, please rename it to max_range_segment.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
max-range-segment:
description: Deprecated, please rename it to max_range_segment. Maximum
number of range segments in HTTP range line
type: int
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
max-url-param:
description: Deprecated, please rename it to max_url_param.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
max-url-param:
description: Deprecated, please rename it to max_url_param. Maximum number
of parameters in URL
type: int
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
method:
description: No description.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
param-length:
description: Deprecated, please rename it to param_length.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
length:
description: Maximum length of parameter in URL, HTTP POST request or
HTTP body in bytes
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
url-param-length:
description: Deprecated, please rename it to url_param_length.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
length:
description: Maximum length of URL parameter in bytes
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
version:
description: No description.
suboptions:
action:
choices:
- allow
- block
description: Action.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Enable/disable the constraint.
type: str
type: dict
type: dict
extended-log:
choices:
- disable
- enable
description: Deprecated, please rename it to extended_log. Enable/disable extended
logging.
type: str
external:
choices:
- disable
- enable
description: Disable/Enable external HTTP Inspection.
type: str
method:
description: No description.
suboptions:
default-allowed-methods:
choices:
- delete
- get
- head
- options
- post
- put
- trace
- others
- connect
description: Deprecated, please rename it to default_allowed_methods. Methods.
elements: str
type: list
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
method-policy:
description: Deprecated, please rename it to method_policy. Method-Policy.
elements: dict
suboptions:
address:
description: Host address.
type: str
allowed-methods:
choices:
- delete
- get
- head
- options
- post
- put
- trace
- others
- connect
description: Deprecated, please rename it to allowed_methods. Allowed
Methods.
elements: str
type: list
id:
description: HTTP method policy ID.
type: int
pattern:
description: URL pattern.
type: str
regex:
choices:
- disable
- enable
description: Enable/disable regular expression based pattern match.
type: str
type: list
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Status.
type: str
type: dict
name:
description: WAF Profile name.
required: true
type: str
signature:
description: No description.
suboptions:
credit-card-detection-threshold:
description: Deprecated, please rename it to credit_card_detection_threshold.
The minimum number of Credit cards to detect viol...
type: int
custom-signature:
description: Deprecated, please rename it to custom_signature. Custom-Signature.
elements: dict
suboptions:
action:
choices:
- allow
- block
- erase
description: Action.
type: str
case-sensitivity:
choices:
- disable
- enable
description: Deprecated, please rename it to case_sensitivity. Case sensitivity
in pattern.
type: str
direction:
choices:
- request
- response
description: Traffic direction.
type: str
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
name:
description: Signature name.
type: str
pattern:
description: Match pattern.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Status.
type: str
target:
choices:
- arg
- arg-name
- req-body
- req-cookie
- req-cookie-name
- req-filename
- req-header
- req-header-name
- req-raw-uri
- req-uri
- resp-body
- resp-hdr
- resp-status
description: Match HTTP target.
elements: str
type: list
type: list
disabled-signature:
description: (list or str) Deprecated, please rename it to disabled_signature.
Disabled signatures
type: raw
disabled-sub-class:
description: (list or str) Deprecated, please rename it to disabled_sub_class.
Disabled signature subclasses.
type: raw
main-class:
description: Deprecated, please rename it to main_class.
suboptions:
action:
choices:
- allow
- block
- erase
description: Action.
type: str
id:
description: Main signature class ID.
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
status:
choices:
- disable
- enable
description: Status.
type: str
type: dict
type: dict
url-access:
description: Deprecated, please rename it to url_access. Url-Access.
elements: dict
suboptions:
access-pattern:
description: Deprecated, please rename it to access_pattern. Access-Pattern.
elements: dict
suboptions:
id:
description: URL access pattern ID.
type: int
negate:
choices:
- disable
- enable
description: Enable/disable match negation.
type: str
pattern:
description: URL pattern.
type: str
regex:
choices:
- disable
- enable
description: Enable/disable regular expression based pattern match.
type: str
srcaddr:
description: Source address.
type: str
type: list
action:
choices:
- bypass
- permit
- block
description: Action.
type: str
address:
description: Host address.
type: str
id:
description: URL access ID.
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
severity:
choices:
- low
- medium
- high
description: Severity.
type: str
type: list
type: dict
access_token:
description: The token to access FortiManager without using username and password.
type: str
rc_succeeded:
description: The rc codes list with which the conditions to succeed will be overriden.
elements: int
type: list
proposed_method:
choices:
- update
- set
- add
description: The overridden method for the underlying Json RPC request.
type: str
bypass_validation:
default: false
description: Only set to True when module schema diffs with FortiManager API structure,
module continues to execute without validating parameters.
type: bool
workspace_locking_adom:
description: The adom to lock for FortiManager running in workspace mode, the value
can be global and others including root.
type: str
forticloud_access_token:
description: Authenticate Ansible client with forticloud API access token.
type: str
workspace_locking_timeout:
default: 300
description: The maximum time in seconds to wait for other user to release the workspace
lock.
type: int
meta:
contains:
request_url:
description: The full url requested.
returned: always
sample: /sys/login/user
type: str
response_code:
description: The status of api request.
returned: always
sample: 0
type: int
response_data:
description: The api response.
returned: always
type: list
response_message:
description: The descriptive message of the api response.
returned: always
sample: OK.
type: str
system_information:
description: The information of the target system.
returned: always
type: dict
description: The result of the request.
returned: always
type: dict
rc:
description: The status the request.
returned: always
sample: 0
type: int
version_check_warning:
description: Warning if the parameters used in the playbook are not supported by
the current FortiManager version.
returned: complex
type: list