Try SpotterConfigure Web filter profiles.
| "added in version" 1.0.0 of fortinet.fortimanager"
Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu)
preview | supported by community
Install with ansible-galaxy collection install fortinet.fortimanager:==2.4.0
collections:
- name: fortinet.fortimanager
version: 2.4.0This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.
- name: Example playbook (generated based on argument schema)
hosts: fortimanagers
connection: httpapi
vars:
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
ansible_httpapi_port: 443
tasks:
- name: Configure Web filter profiles.
fortinet.fortimanager.fmgr_webfilter_profile:
# bypass_validation: false
workspace_locking_adom: <value in [global, custom adom including root]>
workspace_locking_timeout: 300
# rc_succeeded: [0, -2, -3, ...]
# rc_failed: [-2, -3, ...]
adom: <your own value>
state: present # <value in [present, absent]>
webfilter_profile:
comment: <string>
extended_log: <value in [disable, enable]>
https_replacemsg: <value in [disable, enable]>
inspection_mode: <value in [proxy, flow-based, dns]>
log_all_url: <value in [disable, enable]>
name: <string>
options:
- block-invalid-url
- jscript
- js
- vbs
- unknown
- wf-referer
- https-scan
- intrinsic
- wf-cookie
- per-user-bwl
- activexfilter
- cookiefilter
- https-url-scan
- javafilter
- rangeblock
- contenttype-check
- per-user-bal
ovrd_perm:
- bannedword-override
- urlfilter-override
- fortiguard-wf-override
- contenttype-check-override
post_action: <value in [normal, comfort, block]>
replacemsg_group: <string>
web_content_log: <value in [disable, enable]>
web_extended_all_action_log: <value in [disable, enable]>
web_filter_activex_log: <value in [disable, enable]>
web_filter_applet_log: <value in [disable, enable]>
web_filter_command_block_log: <value in [disable, enable]>
web_filter_cookie_log: <value in [disable, enable]>
web_filter_cookie_removal_log: <value in [disable, enable]>
web_filter_js_log: <value in [disable, enable]>
web_filter_jscript_log: <value in [disable, enable]>
web_filter_referer_log: <value in [disable, enable]>
web_filter_unknown_log: <value in [disable, enable]>
web_filter_vbs_log: <value in [disable, enable]>
web_ftgd_err_log: <value in [disable, enable]>
web_ftgd_quota_usage: <value in [disable, enable]>
web_invalid_domain_log: <value in [disable, enable]>
web_url_log: <value in [disable, enable]>
wisp: <value in [disable, enable]>
wisp_algorithm: <value in [auto-learning, primary-secondary, round-robin]>
wisp_servers: <list or string>
youtube_channel_filter:
-
channel_id: <string>
comment: <string>
id: <integer>
youtube_channel_status: <value in [disable, blacklist, whitelist]>
feature_set: <value in [proxy, flow]>
web_antiphishing_log: <value in [disable, enable]>
antiphish:
check_basic_auth: <value in [disable, enable]>
check_uri: <value in [disable, enable]>
check_username_only: <value in [disable, enable]>
custom_patterns:
-
category: <value in [username, password]>
pattern: <string>
type: <value in [regex, literal]>
default_action: <value in [log, block, exempt]>
domain_controller: <string>
inspection_entries:
-
action: <value in [log, block, exempt]>
fortiguard_category: <list or string>
name: <string>
max_body_len: <integer>
status: <value in [disable, enable]>
authentication: <value in [domain-controller, ldap]>
ldap: <string>
ftgd_wf:
exempt_quota: <list or string>
filters:
-
action: <value in [block, monitor, warning, ...]>
auth_usr_grp: <list or string>
category: <string>
id: <integer>
log: <value in [disable, enable]>
override_replacemsg: <string>
warn_duration: <string>
warning_duration_type: <value in [session, timeout]>
warning_prompt: <value in [per-domain, per-category]>
max_quota_timeout: <integer>
options:
- error-allow
- http-err-detail
- rate-image-urls
- strict-blocking
- rate-server-ip
- redir-block
- connect-request-bypass
- log-all-url
- ftgd-disable
ovrd: <list or string>
quota:
-
category: <list or string>
duration: <string>
id: <integer>
override_replacemsg: <string>
type: <value in [time, traffic]>
unit: <value in [B, KB, MB, ...]>
value: <integer>
rate_crl_urls: <value in [disable, enable]>
rate_css_urls: <value in [disable, enable]>
rate_image_urls: <value in [disable, enable]>
rate_javascript_urls: <value in [disable, enable]>
category_override: <string>
override:
ovrd_cookie: <value in [deny, allow]>
ovrd_dur: <string>
ovrd_dur_mode: <value in [constant, ask]>
ovrd_scope: <value in [user, user-group, ip, ...]>
ovrd_user_group: <list or string>
profile: <list or string>
profile_attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
profile_type: <value in [list, radius]>
url_extraction:
redirect_header: <string>
redirect_no_content: <value in [disable, enable]>
redirect_url: <string>
server_fqdn: <string>
status: <value in [disable, enable]>
web:
blacklist: <value in [disable, enable]>
bword_table: <string>
bword_threshold: <integer>
content_header_list: <string>
keyword_match: <list or string>
log_search: <value in [disable, enable]>
safe_search:
- google
- yahoo
- bing
- url
- header
urlfilter_table: <string>
whitelist:
- exempt-av
- exempt-webcontent
- exempt-activex-java-cookie
- exempt-dlp
- exempt-rangeblock
- extended-log-others
youtube_restrict: <value in [strict, none, moderate]>
allowlist:
- exempt-av
- exempt-webcontent
- exempt-activex-java-cookie
- exempt-dlp
- exempt-rangeblock
- extended-log-others
blocklist: <value in [disable, enable]>
vimeo_restrict: <string>
file_filter:
entries:
-
action: <value in [log, block]>
comment: <string>
direction: <value in [any, incoming, outgoing]>
encryption: <value in [any, yes]>
file_type: <list or string>
filter: <string>
password_protected: <value in [any, yes]>
protocol:
- http
- ftp
log: <value in [disable, enable]>
scan_archive_contents: <value in [disable, enable]>
status: <value in [disable, enable]>
web_flow_log_encoding: <value in [utf-8, punycode]>
adom:
description: The parameter (adom) in requested url.
required: true
type: str
state:
choices:
- present
- absent
description: The directive to create, update or delete an object.
required: true
type: str
rc_failed:
description: The rc codes list with which the conditions to fail will be overriden.
elements: int
type: list
enable_log:
default: false
description: Enable/Disable logging for task.
type: bool
access_token:
description: The token to access FortiManager without using username and password.
type: str
rc_succeeded:
description: The rc codes list with which the conditions to succeed will be overriden.
elements: int
type: list
proposed_method:
choices:
- update
- set
- add
description: The overridden method for the underlying Json RPC request.
type: str
bypass_validation:
default: false
description: Only set to True when module schema diffs with FortiManager API structure,
module continues to execute without validating parameters.
type: bool
webfilter_profile:
description: The top level parameters set.
required: false
suboptions:
antiphish:
description: No description.
suboptions:
authentication:
choices:
- domain-controller
- ldap
description: Authentication methods.
type: str
check-basic-auth:
choices:
- disable
- enable
description: Deprecated, please rename it to check_basic_auth. Enable/disable
checking of HTTP Basic Auth field for known crede...
type: str
check-uri:
choices:
- disable
- enable
description: Deprecated, please rename it to check_uri. Enable/disable checking
of GET URI parameters for known credentials.
type: str
check-username-only:
choices:
- disable
- enable
description: Deprecated, please rename it to check_username_only. Enable/disable
acting only on valid username credentials.
type: str
custom-patterns:
description: Deprecated, please rename it to custom_patterns. Custom-Patterns.
elements: dict
suboptions:
category:
choices:
- username
- password
description: Category that the pattern matches.
type: str
pattern:
description: Target pattern.
type: str
type:
choices:
- regex
- literal
description: Pattern will be treated either as a regex pattern or literal
string.
type: str
type: list
default-action:
choices:
- log
- block
- exempt
description: Deprecated, please rename it to default_action. Action to be
taken when there is no matching rule.
type: str
domain-controller:
description: Deprecated, please rename it to domain_controller. Domain for
which to verify received credentials against.
type: str
inspection-entries:
description: Deprecated, please rename it to inspection_entries. Inspection-Entries.
elements: dict
suboptions:
action:
choices:
- log
- block
- exempt
description: Action to be taken upon an AntiPhishing match.
type: str
fortiguard-category:
description: (list) Deprecated, please rename it to fortiguard_category.
FortiGuard category to match.
type: raw
name:
description: Inspection target name.
type: str
type: list
ldap:
description: LDAP server for which to verify received credentials against.
type: str
max-body-len:
description: Deprecated, please rename it to max_body_len. Maximum size of
a POST body to check for credentials.
type: int
status:
choices:
- disable
- enable
description: Toggle AntiPhishing functionality.
type: str
type: dict
comment:
description: Optional comments.
type: str
extended-log:
choices:
- disable
- enable
description: Deprecated, please rename it to extended_log. Enable/disable extended
logging for web filtering.
type: str
feature-set:
choices:
- proxy
- flow
description: Deprecated, please rename it to feature_set. Flow/proxy feature set.
type: str
file-filter:
description: Deprecated, please rename it to file_filter.
suboptions:
entries:
description: No description.
elements: dict
suboptions:
action:
choices:
- log
- block
description: Action taken for matched file.
type: str
comment:
description: Comment.
type: str
direction:
choices:
- any
- incoming
- outgoing
description: Match files transmitted in the sessions originating or reply
direction.
type: str
encryption:
choices:
- any
- 'yes'
description: No description.
type: str
file-type:
description: (list) Deprecated, please rename it to file_type.
type: raw
filter:
description: Add a file filter.
type: str
password-protected:
choices:
- any
- 'yes'
description: Deprecated, please rename it to password_protected. Match
password-protected files.
type: str
protocol:
choices:
- http
- ftp
description: No description.
elements: str
type: list
type: list
log:
choices:
- disable
- enable
description: Enable/disable file filter logging.
type: str
scan-archive-contents:
choices:
- disable
- enable
description: Deprecated, please rename it to scan_archive_contents. Enable/disable
file filter archive contents scan.
type: str
status:
choices:
- disable
- enable
description: Enable/disable file filter.
type: str
type: dict
ftgd-wf:
description: Deprecated, please rename it to ftgd_wf.
suboptions:
category-override:
description: Deprecated, please rename it to category_override. Local categories
take precedence over FortiGuard categories.
type: str
exempt-quota:
description: (list or str) Deprecated, please rename it to exempt_quota. Do
not stop quota for these categories.
type: raw
filters:
description: Filters.
elements: dict
suboptions:
action:
choices:
- block
- monitor
- warning
- authenticate
description: Action to take for matches.
type: str
auth-usr-grp:
description: (list or str) Deprecated, please rename it to auth_usr_grp.
Groups with permission to authenticate.
type: raw
category:
description: Categories and groups the filter examines.
type: str
id:
description: ID number.
type: int
log:
choices:
- disable
- enable
description: Enable/disable logging.
type: str
override-replacemsg:
description: Deprecated, please rename it to override_replacemsg. Override
replacement message.
type: str
warn-duration:
description: Deprecated, please rename it to warn_duration. Duration of
warnings.
type: str
warning-duration-type:
choices:
- session
- timeout
description: Deprecated, please rename it to warning_duration_type. Re-display
warning after closing browser or after a...
type: str
warning-prompt:
choices:
- per-domain
- per-category
description: Deprecated, please rename it to warning_prompt. Warning prompts
in each category or each domain.
type: str
type: list
max-quota-timeout:
description: Deprecated, please rename it to max_quota_timeout. Maximum FortiGuard
quota used by single page view in seconds
type: int
options:
choices:
- error-allow
- http-err-detail
- rate-image-urls
- strict-blocking
- rate-server-ip
- redir-block
- connect-request-bypass
- log-all-url
- ftgd-disable
description: Options for FortiGuard Web Filter.
elements: str
type: list
ovrd:
description: (list or str) Allow web filter profile overrides.
type: raw
quota:
description: Quota.
elements: dict
suboptions:
category:
description: (list or str) FortiGuard categories to apply quota to
type: raw
duration:
description: Duration of quota.
type: str
id:
description: ID number.
type: int
override-replacemsg:
description: Deprecated, please rename it to override_replacemsg. Override
replacement message.
type: str
type:
choices:
- time
- traffic
description: Quota type.
type: str
unit:
choices:
- B
- KB
- MB
- GB
description: Traffic quota unit of measurement.
type: str
value:
description: Traffic quota value.
type: int
type: list
rate-crl-urls:
choices:
- disable
- enable
description: Deprecated, please rename it to rate_crl_urls. Enable/disable
rating CRL by URL.
type: str
rate-css-urls:
choices:
- disable
- enable
description: Deprecated, please rename it to rate_css_urls. Enable/disable
rating CSS by URL.
type: str
rate-image-urls:
choices:
- disable
- enable
description: Deprecated, please rename it to rate_image_urls. Enable/disable
rating images by URL.
type: str
rate-javascript-urls:
choices:
- disable
- enable
description: Deprecated, please rename it to rate_javascript_urls. Enable/disable
rating JavaScript by URL.
type: str
type: dict
https-replacemsg:
choices:
- disable
- enable
description: Deprecated, please rename it to https_replacemsg. Enable replacement
messages for HTTPS.
type: str
inspection-mode:
choices:
- proxy
- flow-based
- dns
description: Deprecated, please rename it to inspection_mode. Web filtering inspection
mode.
type: str
log-all-url:
choices:
- disable
- enable
description: Deprecated, please rename it to log_all_url. Enable/disable logging
all URLs visited.
type: str
name:
description: Profile name.
required: true
type: str
options:
choices:
- block-invalid-url
- jscript
- js
- vbs
- unknown
- wf-referer
- https-scan
- intrinsic
- wf-cookie
- per-user-bwl
- activexfilter
- cookiefilter
- https-url-scan
- javafilter
- rangeblock
- contenttype-check
- per-user-bal
description: Options.
elements: str
type: list
override:
description: No description.
suboptions:
ovrd-cookie:
choices:
- deny
- allow
description: Deprecated, please rename it to ovrd_cookie. Allow/deny browser-based
type: str
ovrd-dur:
description: Deprecated, please rename it to ovrd_dur. Override duration.
type: str
ovrd-dur-mode:
choices:
- constant
- ask
description: Deprecated, please rename it to ovrd_dur_mode. Override duration
mode.
type: str
ovrd-scope:
choices:
- user
- user-group
- ip
- ask
- browser
description: Deprecated, please rename it to ovrd_scope. Override scope.
type: str
ovrd-user-group:
description: (list or str) Deprecated, please rename it to ovrd_user_group.
User groups with permission to use the override.
type: raw
profile:
description: (list or str) Web filter profile with permission to create overrides.
type: raw
profile-attribute:
choices:
- User-Name
- User-Password
- CHAP-Password
- NAS-IP-Address
- NAS-Port
- Service-Type
- Framed-Protocol
- Framed-IP-Address
- Framed-IP-Netmask
- Framed-Routing
- Filter-Id
- Framed-MTU
- Framed-Compression
- Login-IP-Host
- Login-Service
- Login-TCP-Port
- Reply-Message
- Callback-Number
- Callback-Id
- Framed-Route
- Framed-IPX-Network
- State
- Class
- Vendor-Specific
- Session-Timeout
- Idle-Timeout
- Termination-Action
- Called-Station-Id
- Calling-Station-Id
- NAS-Identifier
- Proxy-State
- Login-LAT-Service
- Login-LAT-Node
- Login-LAT-Group
- Framed-AppleTalk-Link
- Framed-AppleTalk-Network
- Framed-AppleTalk-Zone
- Acct-Status-Type
- Acct-Delay-Time
- Acct-Input-Octets
- Acct-Output-Octets
- Acct-Session-Id
- Acct-Authentic
- Acct-Session-Time
- Acct-Input-Packets
- Acct-Output-Packets
- Acct-Terminate-Cause
- Acct-Multi-Session-Id
- Acct-Link-Count
- CHAP-Challenge
- NAS-Port-Type
- Port-Limit
- Login-LAT-Port
description: Deprecated, please rename it to profile_attribute. Profile attribute
to retrieve from the RADIUS server.
type: str
profile-type:
choices:
- list
- radius
description: Deprecated, please rename it to profile_type. Override profile
type.
type: str
type: dict
ovrd-perm:
choices:
- bannedword-override
- urlfilter-override
- fortiguard-wf-override
- contenttype-check-override
description: Deprecated, please rename it to ovrd_perm. Permitted override types.
elements: str
type: list
post-action:
choices:
- normal
- comfort
- block
description: Deprecated, please rename it to post_action. Action taken for HTTP
POST traffic.
type: str
replacemsg-group:
description: Deprecated, please rename it to replacemsg_group. Replacement message
group.
type: str
url-extraction:
description: Deprecated, please rename it to url_extraction.
suboptions:
redirect-header:
description: Deprecated, please rename it to redirect_header. HTTP header
name to use for client redirect on blocked requests
type: str
redirect-no-content:
choices:
- disable
- enable
description: Deprecated, please rename it to redirect_no_content. Enable /
Disable empty message-body entity in HTTP response
type: str
redirect-url:
description: Deprecated, please rename it to redirect_url. HTTP header value
to use for client redirect on blocked requests
type: str
server-fqdn:
description: Deprecated, please rename it to server_fqdn. URL extraction server
FQDN
type: str
status:
choices:
- disable
- enable
description: Enable URL Extraction
type: str
type: dict
web:
description: No description.
suboptions:
allowlist:
choices:
- exempt-av
- exempt-webcontent
- exempt-activex-java-cookie
- exempt-dlp
- exempt-rangeblock
- extended-log-others
description: FortiGuard allowlist settings.
elements: str
type: list
blacklist:
choices:
- disable
- enable
description: Enable/disable automatic addition of URLs detected by FortiSandbox
to blacklist.
type: str
blocklist:
choices:
- disable
- enable
description: Enable/disable automatic addition of URLs detected by FortiSandbox
to blocklist.
type: str
bword-table:
description: Deprecated, please rename it to bword_table. Banned word table
ID.
type: str
bword-threshold:
description: Deprecated, please rename it to bword_threshold. Banned word
score threshold.
type: int
content-header-list:
description: Deprecated, please rename it to content_header_list. Content
header list.
type: str
keyword-match:
description: (list) Deprecated, please rename it to keyword_match. Search
keywords to log when match is found.
type: raw
log-search:
choices:
- disable
- enable
description: Deprecated, please rename it to log_search. Enable/disable logging
all search phrases.
type: str
safe-search:
choices:
- google
- yahoo
- bing
- url
- header
description: Deprecated, please rename it to safe_search. Safe search type.
elements: str
type: list
urlfilter-table:
description: Deprecated, please rename it to urlfilter_table. URL filter table
ID.
type: str
vimeo-restrict:
description: Deprecated, please rename it to vimeo_restrict. Set Vimeo-restrict
type: str
whitelist:
choices:
- exempt-av
- exempt-webcontent
- exempt-activex-java-cookie
- exempt-dlp
- exempt-rangeblock
- extended-log-others
description: FortiGuard whitelist settings.
elements: str
type: list
youtube-restrict:
choices:
- strict
- none
- moderate
description: Deprecated, please rename it to youtube_restrict. YouTube EDU
filter level.
type: str
type: dict
web-antiphishing-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_antiphishing_log. Enable/disable
logging of AntiPhishing checks.
type: str
web-content-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_content_log. Enable/disable logging
logging blocked web content.
type: str
web-extended-all-action-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_extended_all_action_log. Enable/disable
extended any filter action logging for web fil...
type: str
web-filter-activex-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_filter_activex_log. Enable/disable
logging ActiveX.
type: str
web-filter-applet-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_filter_applet_log. Enable/disable
logging Java applets.
type: str
web-filter-command-block-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_filter_command_block_log. Enable/disable
logging blocked commands.
type: str
web-filter-cookie-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_filter_cookie_log. Enable/disable
logging cookie filtering.
type: str
web-filter-cookie-removal-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_filter_cookie_removal_log. Enable/disable
logging blocked cookies.
type: str
web-filter-js-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_filter_js_log. Enable/disable
logging Java scripts.
type: str
web-filter-jscript-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_filter_jscript_log. Enable/disable
logging JScripts.
type: str
web-filter-referer-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_filter_referer_log. Enable/disable
logging referrers.
type: str
web-filter-unknown-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_filter_unknown_log. Enable/disable
logging unknown scripts.
type: str
web-filter-vbs-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_filter_vbs_log. Enable/disable
logging VBS scripts.
type: str
web-flow-log-encoding:
choices:
- utf-8
- punycode
description: Deprecated, please rename it to web_flow_log_encoding. Log encoding
in flow mode.
type: str
web-ftgd-err-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_ftgd_err_log. Enable/disable
logging rating errors.
type: str
web-ftgd-quota-usage:
choices:
- disable
- enable
description: Deprecated, please rename it to web_ftgd_quota_usage. Enable/disable
logging daily quota usage.
type: str
web-invalid-domain-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_invalid_domain_log. Enable/disable
logging invalid domain names.
type: str
web-url-log:
choices:
- disable
- enable
description: Deprecated, please rename it to web_url_log. Enable/disable logging
URL filtering.
type: str
wisp:
choices:
- disable
- enable
description: Enable/disable web proxy WISP.
type: str
wisp-algorithm:
choices:
- auto-learning
- primary-secondary
- round-robin
description: Deprecated, please rename it to wisp_algorithm. WISP server selection
algorithm.
type: str
wisp-servers:
description: (list or str) Deprecated, please rename it to wisp_servers. WISP
servers.
type: raw
youtube-channel-filter:
description: Deprecated, please rename it to youtube_channel_filter. Youtube-Channel-Filter.
elements: dict
suboptions:
channel-id:
description: Deprecated, please rename it to channel_id. YouTube channel ID
to be filtered.
type: str
comment:
description: Comment.
type: str
id:
description: ID.
type: int
type: list
youtube-channel-status:
choices:
- disable
- blacklist
- whitelist
description: Deprecated, please rename it to youtube_channel_status. YouTube channel
filter status.
type: str
type: dict
workspace_locking_adom:
description: The adom to lock for FortiManager running in workspace mode, the value
can be global and others including root.
type: str
forticloud_access_token:
description: Authenticate Ansible client with forticloud API access token.
type: str
workspace_locking_timeout:
default: 300
description: The maximum time in seconds to wait for other user to release the workspace
lock.
type: int
meta:
contains:
request_url:
description: The full url requested.
returned: always
sample: /sys/login/user
type: str
response_code:
description: The status of api request.
returned: always
sample: 0
type: int
response_data:
description: The api response.
returned: always
type: list
response_message:
description: The descriptive message of the api response.
returned: always
sample: OK.
type: str
system_information:
description: The information of the target system.
returned: always
type: dict
description: The result of the request.
returned: always
type: dict
rc:
description: The status the request.
returned: always
sample: 0
type: int
version_check_warning:
description: Warning if the parameters used in the playbook are not supported by
the current FortiManager version.
returned: complex
type: list