fortinet.fortios.fortios_webfilter_profile (2.3.6) — module

Configure Web filter profiles in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of fortinet.fortios.

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install fortinet.fortios:==2.3.6


Add to requirements.yml

  # Pins the collection to the exact release documented on this page.
  collections:
    - name: "fortinet.fortios"
      version: "2.3.6"

Description

This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the webfilter feature and profile category. The examples include all parameters; their values need to be adjusted to your data sources before use. Tested with FOS v6.0.0.


Requirements

Usage examples

# Reference task: it sets every option the module accepts, so read it as a
# catalogue of parameters rather than a profile to apply unchanged.
# Every "<your_own_value>" and "default_name_N" entry is a placeholder.
# A "(source x.y.z)" suffix inside a value appears to name the FortiOS table
# the referenced object must already exist in; it is a hint, not part of a
# usable value.
- name: Configure Web filter profiles.
  fortinet.fortios.fortios_webfilter_profile:
    vdom: "{{ vdom }}"
    state: "present"
    # API token generated from the FortiGate GUI. Supply it from Ansible Vault
    # or another secret store instead of committing a literal token.
    access_token: "<your_own_value>"
    webfilter_profile:
      antiphish:
        authentication: "domain-controller"
        check_basic_auth: "enable"
        check_uri: "enable"
        # With username-only matching, the action is taken for valid
        # usernames regardless of password validity.
        check_username_only: "enable"
        custom_patterns:
          - category: "username"
            pattern: "<your_own_value>"
            type: "regex"
        # Action when no rule matches; the module also accepts "log" and
        # "block".
        default_action: "exempt"
        domain_controller: "<your_own_value> (source user.domain-controller.name credential-store.domain-controller.server-name)"
        inspection_entries:
          - action: "exempt"
            fortiguard_category: "<your_own_value>"
            name: "default_name_17"
        ldap: "<your_own_value> (source user.ldap.name)"
        # Maximum size of a POST body checked for credentials.
        max_body_len: "65536"
        status: "enable"
      comment: "Optional comments."
      extended_log: "enable"
      feature_set: "flow"
      file_filter:
        entries:
          - action: "log"
            comment: "Comment."
            direction: "incoming"
            file_type:
              - name: "default_name_30 (source antivirus.filetype.name)"
            filter: "<your_own_value>"
            # Quoted so YAML keeps the string "yes" instead of a boolean.
            password_protected: "yes"
            protocol: "http"
        log: "enable"
        scan_archive_contents: "enable"
        status: "enable"
      ftgd_wf:
        exempt_quota: "<your_own_value>"
        filters:
          - action: "block"
            auth_usr_grp:
              - name: "default_name_42 (source user.group.name)"
            category: "0"
            id: "44"
            log: "enable"
            override_replacemsg: "<your_own_value>"
            warn_duration: "<your_own_value>"
            warning_duration_type: "session"
            warning_prompt: "per-domain"
        max_quota_timeout: "300"
        # NOTE(review): "error-allow" reads as letting requests through when
        # a FortiGuard rating lookup fails - confirm against the FortiOS
        # reference for your version before keeping it.
        options: "error-allow"
        ovrd: "<your_own_value>"
        quota:
          - category: "<your_own_value>"
            duration: "<your_own_value>"
            id: "56"
            override_replacemsg: "<your_own_value>"
            type: "time"
            unit: "B"
            value: "1024"
        rate_crl_urls: "disable"
        rate_css_urls: "disable"
        rate_image_urls: "disable"
        rate_javascript_urls: "disable"
      https_replacemsg: "enable"
      inspection_mode: "proxy"
      log_all_url: "enable"
      name: "default_name_68"
      options: "activexfilter"
      # Override settings decide who may bypass this profile and for how
      # long; scope the user groups and duration deliberately.
      override:
        ovrd_cookie: "allow"
        ovrd_dur: "<your_own_value>"
        ovrd_dur_mode: "constant"
        ovrd_scope: "user"
        ovrd_user_group:
          - name: "default_name_76 (source user.group.name)"
        profile:
          - name: "default_name_78 (source webfilter.profile.name)"
        profile_attribute: "User-Name"
        profile_type: "list"
      ovrd_perm: "bannedword-override"
      post_action: "normal"
      replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
      url_extraction:
        redirect_header: "<your_own_value>"
        redirect_no_content: "enable"
        redirect_url: "<your_own_value>"
        server_fqdn: "<your_own_value>"
        status: "enable"
      web:
        # NOTE(review): allowlist/whitelist and blocklist/blacklist carry
        # near-identical descriptions in this module's option list;
        # presumably each pair is one setting under names used by different
        # FortiOS versions - confirm which name your version accepts.
        allowlist: "exempt-av"
        blacklist: "enable"
        blocklist: "enable"
        bword_table: "0"
        bword_threshold: "10"
        content_header_list: "0"
        keyword_match:
          - pattern: "<your_own_value>"
        log_search: "enable"
        safe_search: "url"
        urlfilter_table: "0"
        vimeo_restrict: "<your_own_value>"
        whitelist: "exempt-av"
        youtube_restrict: "none"
      # Per-feature logging switches, all enabled in this example.
      web_antiphishing_log: "enable"
      web_content_log: "enable"
      web_extended_all_action_log: "enable"
      web_filter_activex_log: "enable"
      web_filter_applet_log: "enable"
      web_filter_command_block_log: "enable"
      web_filter_cookie_log: "enable"
      web_filter_cookie_removal_log: "enable"
      web_filter_js_log: "enable"
      web_filter_jscript_log: "enable"
      web_filter_referer_log: "enable"
      web_filter_unknown_log: "enable"
      web_filter_vbs_log: "enable"
      web_flow_log_encoding: "utf-8"
      web_ftgd_err_log: "enable"
      web_ftgd_quota_usage: "enable"
      web_invalid_domain_log: "enable"
      web_url_log: "enable"
      wisp: "enable"
      wisp_algorithm: "primary-secondary"
      wisp_servers:
        - name: "default_name_126 (source web-proxy.wisp.name)"
      youtube_channel_filter:
        - channel_id: "<your_own_value>"
          comment: "Comment."
          id: "130"
      youtube_channel_status: "disable"

Inputs

    
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

state:
    choices:
    - present
    - absent
    description:
    - Indicates whether to create or remove the object.
    required: true
    type: str

enable_log:
    default: false
    description:
    - Enable/Disable logging for task.
    required: false
    type: bool

member_path:
    description:
    - Member attribute path to operate on.
    - Delimited by a slash character if there is more than one attribute.
    - Parameters marked with member_path support member operations.
    type: str

access_token:
    description:
    - Token for token-based authentication, generated from the FortiGate GUI.
    required: false
    type: str

member_state:
    choices:
    - present
    - absent
    description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
    type: str

webfilter_profile:
    default: null
    description:
    - Configure Web filter profiles.
    suboptions:
      antiphish:
        description:
        - AntiPhishing profile.
        suboptions:
          authentication:
            choices:
            - domain-controller
            - ldap
            description:
            - Authentication methods.
            type: str
          check_basic_auth:
            choices:
            - enable
            - disable
            description:
            - Enable/disable checking of HTTP Basic Auth field for known credentials.
            type: str
          check_uri:
            choices:
            - enable
            - disable
            description:
            - Enable/disable checking of GET URI parameters for known credentials.
            type: str
          check_username_only:
            choices:
            - enable
            - disable
            description:
            - Enable/disable username only matching of credentials. Action will be taken
              for valid usernames regardless of password validity.
            type: str
          custom_patterns:
            description:
            - Custom username and password regex patterns.
            elements: dict
            suboptions:
              category:
                choices:
                - username
                - password
                description:
                - Category that the pattern matches.
                type: str
              pattern:
                description:
                - Target pattern.
                required: true
                type: str
              type:
                choices:
                - regex
                - literal
                description:
                - Pattern will be treated either as a regex pattern or literal string.
                type: str
            type: list
          default_action:
            choices:
            - exempt
            - log
            - block
            description:
            - Action to be taken when there is no matching rule.
            type: str
          domain_controller:
            description:
            - Domain against which to verify received credentials. Source user.domain-controller.name
              credential-store.domain-controller.server-name.
            type: str
          inspection_entries:
            description:
            - AntiPhishing entries.
            elements: dict
            suboptions:
              action:
                choices:
                - exempt
                - log
                - block
                description:
                - Action to be taken upon an AntiPhishing match.
                type: str
              fortiguard_category:
                description:
                - FortiGuard category to match.
                elements: str
                type: list
              name:
                description:
                - Inspection target name.
                required: true
                type: str
            type: list
          ldap:
            description:
            - LDAP server against which to verify received credentials. Source user.ldap.name.
            type: str
          max_body_len:
            description:
            - Maximum size of a POST body to check for credentials.
            type: int
          status:
            choices:
            - enable
            - disable
            description:
            - Toggle AntiPhishing functionality.
            type: str
        type: dict
      comment:
        description:
        - Optional comments.
        type: str
      extended_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable extended logging for web filtering.
        type: str
      feature_set:
        choices:
        - flow
        - proxy
        description:
        - Flow/proxy feature set.
        type: str
      file_filter:
        description:
        - File filter.
        suboptions:
          entries:
            description:
            - File filter entries.
            elements: dict
            suboptions:
              action:
                choices:
                - log
                - block
                description:
                - Action taken for matched file.
                type: str
              comment:
                description:
                - Comment.
                type: str
              direction:
                choices:
                - incoming
                - outgoing
                - any
                description:
                - Match files transmitted in the session's originating or reply direction.
                type: str
              file_type:
                description:
                - Select file type.
                elements: dict
                suboptions:
                  name:
                    description:
                    - File type name. Source antivirus.filetype.name.
                    required: true
                    type: str
                type: list
              filter:
                description:
                - Add a file filter.
                required: true
                type: str
              password_protected:
                choices:
                - 'yes'
                - any
                description:
                - Match password-protected files.
                type: str
              protocol:
                choices:
                - http
                - ftp
                description:
                - Protocols to apply with.
                elements: str
                type: list
            type: list
          log:
            choices:
            - enable
            - disable
            description:
            - Enable/disable file filter logging.
            type: str
          scan_archive_contents:
            choices:
            - enable
            - disable
            description:
            - Enable/disable file filter archive contents scan.
            type: str
          status:
            choices:
            - enable
            - disable
            description:
            - Enable/disable file filter.
            type: str
        type: dict
      ftgd_wf:
        description:
        - FortiGuard Web Filter settings.
        suboptions:
          exempt_quota:
            description:
            - Do not stop quota for these categories.
            elements: str
            type: list
          filters:
            description:
            - FortiGuard filters.
            elements: dict
            suboptions:
              action:
                choices:
                - block
                - authenticate
                - monitor
                - warning
                description:
                - Action to take for matches.
                type: str
              auth_usr_grp:
                description:
                - Groups with permission to authenticate.
                elements: dict
                suboptions:
                  name:
                    description:
                    - User group name. Source user.group.name.
                    required: true
                    type: str
                type: list
              category:
                description:
                - Categories and groups the filter examines.
                type: int
              id:
                description:
                - ID number. see <a href='#notes'>Notes</a>.
                required: true
                type: int
              log:
                choices:
                - enable
                - disable
                description:
                - Enable/disable logging.
                type: str
              override_replacemsg:
                description:
                - Override replacement message.
                type: str
              warn_duration:
                description:
                - Duration of warnings.
                type: str
              warning_duration_type:
                choices:
                - session
                - timeout
                description:
                - Re-display warning after closing browser or after a timeout.
                type: str
              warning_prompt:
                choices:
                - per-domain
                - per-category
                description:
                - Warning prompts in each category or each domain.
                type: str
            type: list
          max_quota_timeout:
            description:
            - Maximum FortiGuard quota used by single page view in seconds (excludes streams).
            type: int
          options:
            choices:
            - error-allow
            - rate-server-ip
            - connect-request-bypass
            - ftgd-disable
            description:
            - Options for FortiGuard Web Filter.
            elements: str
            type: list
          ovrd:
            description:
            - Allow web filter profile overrides.
            elements: str
            type: list
          quota:
            description:
            - FortiGuard traffic quota settings.
            elements: dict
            suboptions:
              category:
                description:
                - FortiGuard categories to apply quota to (category action must be set
                  to monitor).
                elements: str
                type: list
              duration:
                description:
                - Duration of quota.
                type: str
              id:
                description:
                - ID number. see <a href='#notes'>Notes</a>.
                required: true
                type: int
              override_replacemsg:
                description:
                - Override replacement message.
                type: str
              type:
                choices:
                - time
                - traffic
                description:
                - Quota type.
                type: str
              unit:
                choices:
                - B
                - KB
                - MB
                - GB
                description:
                - Traffic quota unit of measurement.
                type: str
              value:
                description:
                - Traffic quota value.
                type: int
            type: list
          rate_crl_urls:
            choices:
            - disable
            - enable
            description:
            - Enable/disable rating CRL by URL.
            type: str
          rate_css_urls:
            choices:
            - disable
            - enable
            description:
            - Enable/disable rating CSS by URL.
            type: str
          rate_image_urls:
            choices:
            - disable
            - enable
            description:
            - Enable/disable rating images by URL.
            type: str
          rate_javascript_urls:
            choices:
            - disable
            - enable
            description:
            - Enable/disable rating JavaScript by URL.
            type: str
        type: dict
      https_replacemsg:
        choices:
        - enable
        - disable
        description:
        - Enable replacement messages for HTTPS.
        type: str
      inspection_mode:
        choices:
        - proxy
        - flow-based
        description:
        - Web filtering inspection mode.
        type: str
      log_all_url:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging all URLs visited.
        type: str
      name:
        description:
        - Profile name.
        required: true
        type: str
      options:
        choices:
        - activexfilter
        - cookiefilter
        - javafilter
        - block-invalid-url
        - jscript
        - js
        - vbs
        - unknown
        - intrinsic
        - wf-referer
        - wf-cookie
        - per-user-bal
        - per-user-bwl
        description:
        - Options.
        elements: str
        type: list
      override:
        description:
        - Web Filter override settings.
        suboptions:
          ovrd_cookie:
            choices:
            - allow
            - deny
            description:
            - Allow/deny browser-based (cookie) overrides.
            type: str
          ovrd_dur:
            description:
            - Override duration.
            type: str
          ovrd_dur_mode:
            choices:
            - constant
            - ask
            description:
            - Override duration mode.
            type: str
          ovrd_scope:
            choices:
            - user
            - user-group
            - ip
            - browser
            - ask
            description:
            - Override scope.
            type: str
          ovrd_user_group:
            description:
            - User groups with permission to use the override.
            elements: dict
            suboptions:
              name:
                description:
                - User group name. Source user.group.name.
                required: true
                type: str
            type: list
          profile:
            description:
            - Web filter profile with permission to create overrides.
            elements: dict
            suboptions:
              name:
                description:
                - Web profile. Source webfilter.profile.name.
                required: true
                type: str
            type: list
          profile_attribute:
            choices:
            - User-Name
            - NAS-IP-Address
            - Framed-IP-Address
            - Framed-IP-Netmask
            - Filter-Id
            - Login-IP-Host
            - Reply-Message
            - Callback-Number
            - Callback-Id
            - Framed-Route
            - Framed-IPX-Network
            - Class
            - Called-Station-Id
            - Calling-Station-Id
            - NAS-Identifier
            - Proxy-State
            - Login-LAT-Service
            - Login-LAT-Node
            - Login-LAT-Group
            - Framed-AppleTalk-Zone
            - Acct-Session-Id
            - Acct-Multi-Session-Id
            description:
            - Profile attribute to retrieve from the RADIUS server.
            type: str
          profile_type:
            choices:
            - list
            - radius
            description:
            - Override profile type.
            type: str
        type: dict
      ovrd_perm:
        choices:
        - bannedword-override
        - urlfilter-override
        - fortiguard-wf-override
        - contenttype-check-override
        description:
        - Permitted override types.
        elements: str
        type: list
      post_action:
        choices:
        - normal
        - block
        description:
        - Action taken for HTTP POST traffic.
        type: str
      replacemsg_group:
        description:
        - Replacement message group. Source system.replacemsg-group.name.
        type: str
      url_extraction:
        description:
        - Configure URL Extraction
        suboptions:
          redirect_header:
            description:
            - HTTP header name to use for client redirect on blocked requests
            type: str
          redirect_no_content:
            choices:
            - enable
            - disable
            description:
            - Enable / Disable empty message-body entity in HTTP response
            type: str
          redirect_url:
            description:
            - HTTP header value to use for client redirect on blocked requests
            type: str
          server_fqdn:
            description:
            - URL extraction server FQDN (fully qualified domain name)
            type: str
          status:
            choices:
            - enable
            - disable
            description:
            - Enable URL Extraction
            type: str
        type: dict
      web:
        description:
        - Web content filtering settings.
        suboptions:
          allowlist:
            choices:
            - exempt-av
            - exempt-webcontent
            - exempt-activex-java-cookie
            - exempt-dlp
            - exempt-rangeblock
            - extended-log-others
            description:
            - FortiGuard allowlist settings.
            elements: str
            type: list
          blacklist:
            choices:
            - enable
            - disable
            description:
            - Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
            type: str
          blocklist:
            choices:
            - enable
            - disable
            description:
            - Enable/disable automatic addition of URLs detected by FortiSandbox to blocklist.
            type: str
          bword_table:
            description:
            - Banned word table ID. Source webfilter.content.id.
            type: int
          bword_threshold:
            description:
            - Banned word score threshold.
            type: int
          content_header_list:
            description:
            - Content header list. Source webfilter.content-header.id.
            type: int
          keyword_match:
            description:
            - Search keywords to log when match is found.
            elements: dict
            suboptions:
              pattern:
                description:
                - Pattern/keyword to search for.
                required: true
                type: str
            type: list
          log_search:
            choices:
            - enable
            - disable
            description:
            - Enable/disable logging all search phrases.
            type: str
          safe_search:
            choices:
            - url
            - header
            description:
            - Safe search type.
            elements: str
            type: list
          urlfilter_table:
            description:
            - URL filter table ID. Source webfilter.urlfilter.id.
            type: int
          vimeo_restrict:
            description:
            - Set Vimeo-restrict ("7" = don't show mature content, "134" = don't show
              unrated and mature content). A value of cookie "content_rating".
            type: str
          whitelist:
            choices:
            - exempt-av
            - exempt-webcontent
            - exempt-activex-java-cookie
            - exempt-dlp
            - exempt-rangeblock
            - extended-log-others
            description:
            - FortiGuard whitelist settings.
            elements: str
            type: list
          youtube_restrict:
            choices:
            - none
            - strict
            - moderate
            description:
            - YouTube EDU filter level.
            type: str
        type: dict
      web_antiphishing_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging of AntiPhishing checks.
        type: str
      web_content_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging blocked web content.
        type: str
      web_extended_all_action_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable extended any filter action logging for web filtering.
        type: str
      web_filter_activex_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging ActiveX.
        type: str
      web_filter_applet_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging Java applets.
        type: str
      web_filter_command_block_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging blocked commands.
        type: str
      web_filter_cookie_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging cookie filtering.
        type: str
      web_filter_cookie_removal_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging blocked cookies.
        type: str
      web_filter_js_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging Java scripts.
        type: str
      web_filter_jscript_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging JScripts.
        type: str
      web_filter_referer_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging referrers.
        type: str
      web_filter_unknown_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging unknown scripts.
        type: str
      web_filter_vbs_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging VBS scripts.
        type: str
      web_flow_log_encoding:
        choices:
        - utf-8
        - punycode
        description:
        - Log encoding in flow mode.
        type: str
      web_ftgd_err_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging rating errors.
        type: str
      web_ftgd_quota_usage:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging daily quota usage.
        type: str
      web_invalid_domain_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging invalid domain names.
        type: str
      web_url_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging URL filtering.
        type: str
      wisp:
        choices:
        - enable
        - disable
        description:
        - Enable/disable web proxy WISP.
        type: str
      wisp_algorithm:
        choices:
        - primary-secondary
        - round-robin
        - auto-learning
        description:
        - WISP server selection algorithm.
        type: str
      wisp_servers:
        description:
        - WISP servers.
        elements: dict
        suboptions:
          name:
            description:
            - Server name. Source web-proxy.wisp.name.
            required: true
            type: str
        type: list
      youtube_channel_filter:
        description:
        - YouTube channel filter.
        elements: dict
        suboptions:
          channel_id:
            description:
            - YouTube channel ID to be filtered.
            type: str
          comment:
            description:
            - Comment.
            type: str
          id:
            description:
            - ID. see <a href='#notes'>Notes</a>.
            required: true
            type: int
        type: list
      youtube_channel_status:
        choices:
        - disable
        - blacklist
        - whitelist
        description:
        - YouTube channel filter status.
        type: str
    type: dict

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str