lix_fortinet.fortios.fortios_waf_profile (102.2.120) module

Configure Web application firewall configuration in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of lix_fortinet.fortios
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
Status: preview | supported by community

Install with:
  ansible-galaxy collection install lix_fortinet.fortios:==102.2.120

Or add it to a requirements file:
  collections:
    - name: lix_fortinet.fortios
      version: 102.2.120
Synopsis

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the waf feature and profile category. The examples include all parameters; the values need to be adjusted to your datasources before usage. Tested with FOS v6.0.0.
Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure Web application firewall configuration.
      fortios_waf_profile:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: "<your_own_value>"
        waf_profile:
          address_list:
            blocked_address:
              - name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
            blocked_log: "enable"
            severity: "high"
            status: "enable"
            trusted_address:
              - name: "default_name_10 (source firewall.address.name firewall.addrgrp.name)"
          comment: "Comment."
          constraint:
            content_length:
              action: "allow"
              length: "67108864"
              log: "enable"
              severity: "high"
              status: "enable"
            exception:
              - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                content_length: "enable"
                header_length: "enable"
                hostname: "enable"
                id: "24"
                line_length: "enable"
                malformed: "enable"
                max_cookie: "enable"
                max_header_line: "enable"
                max_range_segment: "enable"
                max_url_param: "enable"
                method: "enable"
                param_length: "enable"
                pattern: "<your_own_value>"
                regex: "enable"
                url_param_length: "enable"
                version: "enable"
            header_length:
              action: "allow"
              length: "8192"
              log: "enable"
              severity: "high"
              status: "enable"
            hostname:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            line_length:
              action: "allow"
              length: "1024"
              log: "enable"
              severity: "high"
              status: "enable"
            malformed:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            max_cookie:
              action: "allow"
              log: "enable"
              max_cookie: "16"
              severity: "high"
              status: "enable"
            max_header_line:
              action: "allow"
              log: "enable"
              max_header_line: "32"
              severity: "high"
              status: "enable"
            max_range_segment:
              action: "allow"
              log: "enable"
              max_range_segment: "5"
              severity: "high"
              status: "enable"
            max_url_param:
              action: "allow"
              log: "enable"
              max_url_param: "16"
              severity: "high"
              status: "enable"
            method:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            param_length:
              action: "allow"
              length: "8192"
              log: "enable"
              severity: "high"
              status: "enable"
            url_param_length:
              action: "allow"
              length: "8192"
              log: "enable"
              severity: "high"
              status: "enable"
            version:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
          extended_log: "enable"
          external: "disable"
          method:
            default_allowed_methods: "get"
            log: "enable"
            method_policy:
              - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                allowed_methods: "get"
                id: "113"
                pattern: "<your_own_value>"
                regex: "enable"
            severity: "high"
            status: "enable"
          name: "default_name_118"
          signature:
            credit_card_detection_threshold: "3"
            custom_signature:
              - action: "allow"
                case_sensitivity: "disable"
                direction: "request"
                log: "enable"
                name: "default_name_126"
                pattern: "<your_own_value>"
                severity: "high"
                status: "enable"
                target: "arg"
            disabled_signature:
              - id: "132 (source waf.signature.id)"
            disabled_sub_class:
              - id: "134 (source waf.sub-class.id)"
            main_class:
              - action: "allow"
                id: "137 (source waf.main-class.id)"
                log: "enable"
                severity: "high"
                status: "enable"
          url_access:
            - access_pattern:
                - id: "143"
                  negate: "enable"
                  pattern: "<your_own_value>"
                  regex: "enable"
                  srcaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              action: "bypass"
              address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              id: "150"
              log: "enable"
              severity: "high"
Parameters

vdom (str, default: root)
  Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
state (str, required; choices: present, absent)
  Indicates whether to create or remove the object.
enable_log (bool, default: false, not required)
  Enable/Disable logging for task.
member_path (str)
  Member attribute path to operate on.
  Delimited by a slash character if there are more than one attribute.
  Parameter marked with member_path is legitimate for doing member operation.
waf_profile (dict, default: null)
  Configure Web application firewall configuration.
  address_list (dict) - Address block and allow lists.
    blocked_address (list of dict) - Blocked address.
      name (str) - Address name. Source firewall.address.name firewall.addrgrp.name.
    blocked_log (str; choices: enable, disable) - Enable/disable logging on blocked addresses.
    severity (str; choices: high, medium, low) - Severity.
    status (str; choices: enable, disable) - Status.
    trusted_address (list of dict) - Trusted address.
      name (str) - Address name. Source firewall.address.name firewall.addrgrp.name.
  comment (str) - Comment.
  constraint (dict) - WAF HTTP protocol restrictions.
    content_length (dict) - HTTP content length in request.
      action (str; choices: allow, block) - Action.
      length (int) - Length of HTTP content in bytes (0 to 2147483647).
      log (str; choices: enable, disable) - Enable/disable logging.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    exception (list of dict) - HTTP constraint exception.
      address (str) - Host address. Source firewall.address.name firewall.addrgrp.name.
      content_length (str; choices: enable, disable) - HTTP content length in request.
      header_length (str; choices: enable, disable) - HTTP header length in request.
      hostname (str; choices: enable, disable) - Enable/disable hostname check.
      id (int) - Exception ID.
      line_length (str; choices: enable, disable) - HTTP line length in request.
      malformed (str; choices: enable, disable) - Enable/disable malformed HTTP request check.
      max_cookie (str; choices: enable, disable) - Maximum number of cookies in HTTP request.
      max_header_line (str; choices: enable, disable) - Maximum number of HTTP header line.
      max_range_segment (str; choices: enable, disable) - Maximum number of range segments in HTTP range line.
      max_url_param (str; choices: enable, disable) - Maximum number of parameters in URL.
      method (str; choices: enable, disable) - Enable/disable HTTP method check.
      param_length (str; choices: enable, disable) - Maximum length of parameter in URL, HTTP POST request or HTTP body.
      pattern (str) - URL pattern.
      regex (str; choices: enable, disable) - Enable/disable regular expression based pattern match.
      url_param_length (str; choices: enable, disable) - Maximum length of parameter in URL.
      version (str; choices: enable, disable) - Enable/disable HTTP version check.
    header_length (dict) - HTTP header length in request.
      action (str; choices: allow, block) - Action.
      length (int) - Length of HTTP header in bytes (0 to 2147483647).
      log (str; choices: enable, disable) - Enable/disable logging.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    hostname (dict) - Enable/disable hostname check.
      action (str; choices: allow, block) - Action.
      log (str; choices: enable, disable) - Enable/disable logging.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    line_length (dict) - HTTP line length in request.
      action (str; choices: allow, block) - Action.
      length (int) - Length of HTTP line in bytes (0 to 2147483647).
      log (str; choices: enable, disable) - Enable/disable logging.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    malformed (dict) - Enable/disable malformed HTTP request check.
      action (str; choices: allow, block) - Action.
      log (str; choices: enable, disable) - Enable/disable logging.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    max_cookie (dict) - Maximum number of cookies in HTTP request.
      action (str; choices: allow, block) - Action.
      log (str; choices: enable, disable) - Enable/disable logging.
      max_cookie (int) - Maximum number of cookies in HTTP request (0 to 2147483647).
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    max_header_line (dict) - Maximum number of HTTP header line.
      action (str; choices: allow, block) - Action.
      log (str; choices: enable, disable) - Enable/disable logging.
      max_header_line (int) - Maximum number of HTTP header lines (0 to 2147483647).
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    max_range_segment (dict) - Maximum number of range segments in HTTP range line.
      action (str; choices: allow, block) - Action.
      log (str; choices: enable, disable) - Enable/disable logging.
      max_range_segment (int) - Maximum number of range segments in HTTP range line (0 to 2147483647).
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    max_url_param (dict) - Maximum number of parameters in URL.
      action (str; choices: allow, block) - Action.
      log (str; choices: enable, disable) - Enable/disable logging.
      max_url_param (int) - Maximum number of parameters in URL (0 to 2147483647).
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    method (dict) - Enable/disable HTTP method check.
      action (str; choices: allow, block) - Action.
      log (str; choices: enable, disable) - Enable/disable logging.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    param_length (dict) - Maximum length of parameter in URL, HTTP POST request or HTTP body.
      action (str; choices: allow, block) - Action.
      length (int) - Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647).
      log (str; choices: enable, disable) - Enable/disable logging.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    url_param_length (dict) - Maximum length of parameter in URL.
      action (str; choices: allow, block) - Action.
      length (int) - Maximum length of URL parameter in bytes (0 to 2147483647).
      log (str; choices: enable, disable) - Enable/disable logging.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
    version (dict) - Enable/disable HTTP version check.
      action (str; choices: allow, block) - Action.
      log (str; choices: enable, disable) - Enable/disable logging.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Enable/disable the constraint.
  extended_log (str; choices: enable, disable) - Enable/disable extended logging.
  external (str; choices: disable, enable) - Disable/Enable external HTTP Inspection.
  method (dict) - Method restriction.
    default_allowed_methods (list of str; choices: get, post, put, head, connect, trace, options, delete, others) - Methods.
    log (str; choices: enable, disable) - Enable/disable logging.
    method_policy (list of dict) - HTTP method policy.
      address (str) - Host address. Source firewall.address.name firewall.addrgrp.name.
      allowed_methods (list of str; choices: get, post, put, head, connect, trace, options, delete, others) - Allowed Methods.
      id (int) - HTTP method policy ID.
      pattern (str) - URL pattern.
      regex (str; choices: enable, disable) - Enable/disable regular expression based pattern match.
    severity (str; choices: high, medium, low) - Severity.
    status (str; choices: enable, disable) - Status.
  name (str, required) - WAF Profile name.
  signature (dict) - WAF signatures.
    credit_card_detection_threshold (int) - The minimum number of Credit cards to detect violation.
    custom_signature (list of dict) - Custom signature.
      action (str; choices: allow, block, erase) - Action.
      case_sensitivity (str; choices: disable, enable) - Case sensitivity in pattern.
      direction (str; choices: request, response) - Traffic direction.
      log (str; choices: enable, disable) - Enable/disable logging.
      name (str) - Signature name.
      pattern (str) - Match pattern.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Status.
      target (list of str; choices: arg, arg-name, req-body, req-cookie, req-cookie-name, req-filename, req-header, req-header-name, req-raw-uri, req-uri, resp-body, resp-hdr, resp-status) - Match HTTP target.
    disabled_signature (list of dict) - Disabled signatures.
      id (int) - Signature ID. Source waf.signature.id.
    disabled_sub_class (list of dict) - Disabled signature subclasses.
      id (int) - Signature subclass ID. Source waf.sub-class.id.
    main_class (list of dict) - Main signature class.
      action (str; choices: allow, block, erase) - Action.
      id (int) - Main signature class ID. Source waf.main-class.id.
      log (str; choices: enable, disable) - Enable/disable logging.
      severity (str; choices: high, medium, low) - Severity.
      status (str; choices: enable, disable) - Status.
  url_access (list of dict) - URL access list.
    access_pattern (list of dict) - URL access pattern.
      id (int) - URL access pattern ID.
      negate (str; choices: enable, disable) - Enable/disable match negation.
      pattern (str) - URL pattern.
      regex (str; choices: enable, disable) - Enable/disable regular expression based pattern match.
      srcaddr (str) - Source address. Source firewall.address.name firewall.addrgrp.name.
    action (str; choices: bypass, permit, block) - Action.
    address (str) - Host address. Source firewall.address.name firewall.addrgrp.name.
    id (int) - URL access ID.
    log (str; choices: enable, disable) - Enable/disable logging.
    severity (str; choices: high, medium, low) - Severity.
access_token (str, not required)
  Token-based authentication. Generated from GUI of Fortigate.
member_state (str; choices: present, absent)
  Add or delete a member under specified attribute path.
  When member_state is specified, the state option is ignored.
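The parameter tree above gives every constraint, method policy, signature class and URL access rule an action and a status, and the example playbook sets every constraint to action "allow". A reviewer pushing such a profile through Ansible usually wants to know, before the task runs, which parts of the profile only observe rather than block. The following Python is an added example and is not part of the module or the fortinet collection: it walks a waf_profile dict shaped like the one documented here (the same keys: constraint/*, method, signature, url_access) and lists the settings worth a second look. The RISKY_METHODS set is the reviewer's own policy, an assumption, not a module default, and the sample profile is constructed for the demonstration.

```python
"""Pre-flight review of a fortios_waf_profile ``waf_profile`` dict (added example)."""
from typing import Any, Dict, List

# The thirteen constraint suboptions documented under waf_profile.constraint.
CONSTRAINTS = (
    "content_length", "header_length", "hostname", "line_length", "malformed",
    "max_cookie", "max_header_line", "max_range_segment", "max_url_param",
    "method", "param_length", "url_param_length", "version",
)

# Reviewer policy (assumption): methods that need an explicit justification
# when they appear in default_allowed_methods or a method_policy.
RISKY_METHODS = {"trace", "connect", "put", "delete"}


def _as_list(value: Any) -> List[Any]:
    """Several options are lists, but the playbook example passes a bare string."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def review_constraints(profile: Dict[str, Any]) -> List[str]:
    """Flag constraints that are missing, disabled, unlogged, or set to allow."""
    findings: List[str] = []
    constraint = profile.get("constraint") or {}
    for key in CONSTRAINTS:
        cfg = constraint.get(key)
        if not cfg:
            findings.append(f"constraint/{key}: not configured")
            continue
        if cfg.get("status") != "enable":
            findings.append(f"constraint/{key}: status is not enable")
            continue
        if cfg.get("action") == "allow":
            findings.append(f"constraint/{key}: action=allow, violations are not blocked")
        if cfg.get("log") != "enable":
            findings.append(f"constraint/{key}: logging disabled")
    return findings


def review_methods(profile: Dict[str, Any]) -> List[str]:
    """Report risky methods in the default list and in per-URL method policies."""
    method = profile.get("method") or {}
    if not method:
        return ["method: no method restriction configured"]
    findings: List[str] = []
    if method.get("status") != "enable":
        findings.append("method: status is not enable")
    risky = sorted(RISKY_METHODS & set(_as_list(method.get("default_allowed_methods"))))
    if risky:
        findings.append(f"method: default_allowed_methods permits {', '.join(risky)}")
    for policy in _as_list(method.get("method_policy")):
        risky = sorted(RISKY_METHODS & set(_as_list(policy.get("allowed_methods"))))
        if risky:
            findings.append(f"method/method_policy id={policy.get('id')}: allows {', '.join(risky)}")
    return findings


def review_signatures(profile: Dict[str, Any]) -> List[str]:
    """Report signature entries that are enabled but only allow, and disabled signatures."""
    findings: List[str] = []
    signature = profile.get("signature") or {}
    for sig in _as_list(signature.get("custom_signature")):
        if sig.get("status") == "enable" and sig.get("action") == "allow":
            findings.append(f"signature/custom_signature {sig.get('name')}: action=allow")
    for cls in _as_list(signature.get("main_class")):
        if cls.get("status") == "enable" and cls.get("action") == "allow":
            findings.append(f"signature/main_class id={cls.get('id')}: action=allow")
    for sig in _as_list(signature.get("disabled_signature")):
        findings.append(f"signature/disabled_signature id={sig.get('id')}: signature disabled")
    return findings


def review_url_access(profile: Dict[str, Any]) -> List[str]:
    """Report URL access rules that bypass inspection or do not log."""
    findings: List[str] = []
    for rule in _as_list(profile.get("url_access")):
        if rule.get("action") == "bypass":
            findings.append(f"url_access id={rule.get('id')}: action=bypass, confirm the exemption is intended")
        if rule.get("log") != "enable":
            findings.append(f"url_access id={rule.get('id')}: logging disabled")
    return findings


def review_waf_profile(profile: Dict[str, Any]) -> List[str]:
    """Run every check and prefix each finding with the profile name."""
    findings: List[str] = []
    for check in (review_constraints, review_methods, review_signatures, review_url_access):
        findings.extend(check(profile))
    return [f"{profile.get('name', '<unnamed>')}: {f}" for f in findings]


# Constructed sample, a trimmed variant of the playbook values: one monitor-only
# constraint, one unlogged constraint, one disabled constraint, TRACE allowed.
SAMPLE_PROFILE: Dict[str, Any] = {
    "name": "default_name_118",
    "constraint": {
        "content_length": {"action": "allow", "length": "67108864", "log": "enable", "severity": "high", "status": "enable"},
        "header_length": {"action": "block", "length": "8192", "log": "disable", "severity": "high", "status": "enable"},
        "hostname": {"action": "block", "log": "enable", "severity": "high", "status": "disable"},
    },
    "method": {"default_allowed_methods": ["get", "post", "trace"], "log": "enable", "severity": "high",
               "status": "enable", "method_policy": [{"id": "113", "allowed_methods": "get", "pattern": "/api/"}]},
    "signature": {
        "custom_signature": [{"name": "default_name_126", "action": "allow", "status": "enable"}],
        "disabled_signature": [{"id": "132"}],
        "main_class": [{"id": "137", "action": "block", "status": "enable"}],
    },
    "url_access": [{"id": "150", "action": "bypass", "log": "enable"}],
}

if __name__ == "__main__":
    for line in review_waf_profile(SAMPLE_PROFILE):
        print(line)
```

Run it against the waf_profile block of a playbook (after loading the YAML with any YAML parser) and treat a non-empty result as a review item, not a hard failure: a profile deliberately rolled out in monitor mode will show every constraint as action=allow, which is exactly the state the reviewer should confirm is intentional.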
Return Values

build (str, returned: always) - Build number of the fortigate image. Sample: '1547'
http_method (str, returned: always) - Last method used to provision the content into FortiGate. Sample: PUT
http_status (str, returned: always) - Last result given by FortiGate on last operation applied. Sample: '200'
mkey (str, returned: success) - Master key (id) used in the last call to FortiGate. Sample: id
name (str, returned: always) - Name of the table used to fulfill the request. Sample: urlfilter
path (str, returned: always) - Path of the table used to fulfill the request. Sample: webfilter
revision (str, returned: always) - Internal revision number. Sample: 17.0.2.10658
serial (str, returned: always) - Serial number of the unit. Sample: FGVMEVYYQT3AB5352
status (str, returned: always) - Indication of the operation's result. Sample: success
vdom (str, returned: always) - Virtual domain used. Sample: root
version (str, returned: always) - Version of the FortiGate. Sample: v5.6.3