W3cubDocs

/Ansible 2.9

fortios_waf_profile – Web application firewall configuration in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis
Requirements
Parameters
Notes
Examples
Return Values
Status

Synopsis

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify waf feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements

The below requirements are needed on the host that executes this module.

fortiosapi>=0.9.8

Parameters

Parameter				Choices/Defaults	Comments
host string					FortiOS or FortiGate IP address.
https boolean				Choices: no yes ←	Indicates if the requests towards FortiGate must use HTTPS protocol.
password string				Default: ""	FortiOS or FortiGate password.
ssl_verify boolean added in 2.9				Choices: no yes ←	Ensures FortiGate certificate must be verified by a proper CA.
state string added in 2.9				Choices: present absent	Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
username string					FortiOS or FortiGate username.
vdom string				Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
waf_profile dictionary				Default: null	Web application firewall configuration.
	address_list dictionary				Black address list and white address list.
		blocked_address list			Blocked address.
			name string / required		Address name. Source firewall.address.name firewall.addrgrp.name.
		blocked_log string		Choices: enable disable	Enable/disable logging on blocked addresses.
		severity string		Choices: high medium low	Severity.
		status string		Choices: enable disable	Status.
		trusted_address list			Trusted address.
			name string / required		Address name. Source firewall.address.name firewall.addrgrp.name.
	comment string				Comment.
	constraint dictionary				WAF HTTP protocol restrictions.
		content_length dictionary			HTTP content length in request.
			action string	Choices: allow block	Action.
			length integer		Length of HTTP content in bytes (0 to 2147483647).
			log string	Choices: enable disable	Enable/disable logging.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		exception list			HTTP constraint exception.
			address string		Host address. Source firewall.address.name firewall.addrgrp.name.
			content_length string	Choices: enable disable	HTTP content length in request.
			header_length string	Choices: enable disable	HTTP header length in request.
			hostname string	Choices: enable disable	Enable/disable hostname check.
			id integer / required		Exception ID.
			line_length string	Choices: enable disable	HTTP line length in request.
			malformed string	Choices: enable disable	Enable/disable malformed HTTP request check.
			max_cookie string	Choices: enable disable	Maximum number of cookies in HTTP request.
			max_header_line string	Choices: enable disable	Maximum number of HTTP header line.
			max_range_segment string	Choices: enable disable	Maximum number of range segments in HTTP range line.
			max_url_param string	Choices: enable disable	Maximum number of parameters in URL.
			method string	Choices: enable disable	Enable/disable HTTP method check.
			param_length string	Choices: enable disable	Maximum length of parameter in URL, HTTP POST request or HTTP body.
			pattern string		URL pattern.
			regex string	Choices: enable disable	Enable/disable regular expression based pattern match.
			url_param_length string	Choices: enable disable	Maximum length of parameter in URL.
			version string	Choices: enable disable	Enable/disable HTTP version check.
		header_length dictionary			HTTP header length in request.
			action string	Choices: allow block	Action.
			length integer		Length of HTTP header in bytes (0 to 2147483647).
			log string	Choices: enable disable	Enable/disable logging.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		hostname dictionary			Enable/disable hostname check.
			action string	Choices: allow block	Action.
			log string	Choices: enable disable	Enable/disable logging.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		line_length dictionary			HTTP line length in request.
			action string	Choices: allow block	Action.
			length integer		Length of HTTP line in bytes (0 to 2147483647).
			log string	Choices: enable disable	Enable/disable logging.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		malformed dictionary			Enable/disable malformed HTTP request check.
			action string	Choices: allow block	Action.
			log string	Choices: enable disable	Enable/disable logging.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		max_cookie dictionary			Maximum number of cookies in HTTP request.
			action string	Choices: allow block	Action.
			log string	Choices: enable disable	Enable/disable logging.
			max_cookie integer		Maximum number of cookies in HTTP request (0 to 2147483647).
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		max_header_line dictionary			Maximum number of HTTP header line.
			action string	Choices: allow block	Action.
			log string	Choices: enable disable	Enable/disable logging.
			max_header_line integer		Maximum number HTTP header lines (0 to 2147483647).
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		max_range_segment dictionary			Maximum number of range segments in HTTP range line.
			action string	Choices: allow block	Action.
			log string	Choices: enable disable	Enable/disable logging.
			max_range_segment integer		Maximum number of range segments in HTTP range line (0 to 2147483647).
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		max_url_param dictionary			Maximum number of parameters in URL.
			action string	Choices: allow block	Action.
			log string	Choices: enable disable	Enable/disable logging.
			max_url_param integer		Maximum number of parameters in URL (0 to 2147483647).
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		method dictionary			Enable/disable HTTP method check.
			action string	Choices: allow block	Action.
			log string	Choices: enable disable	Enable/disable logging.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		param_length dictionary			Maximum length of parameter in URL, HTTP POST request or HTTP body.
			action string	Choices: allow block	Action.
			length integer		Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647).
			log string	Choices: enable disable	Enable/disable logging.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		url_param_length dictionary			Maximum length of parameter in URL.
			action string	Choices: allow block	Action.
			length integer		Maximum length of URL parameter in bytes (0 to 2147483647).
			log string	Choices: enable disable	Enable/disable logging.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
		version dictionary			Enable/disable HTTP version check.
			action string	Choices: allow block	Action.
			log string	Choices: enable disable	Enable/disable logging.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Enable/disable the constraint.
	extended_log string			Choices: enable disable	Enable/disable extended logging.
	external string			Choices: disable enable	Disable/Enable external HTTP Inspection.
	method dictionary				Method restriction.
		default_allowed_methods string		Choices: get post put head connect trace options delete others	Methods.
		log string		Choices: enable disable	Enable/disable logging.
		method_policy list			HTTP method policy.
			address string		Host address. Source firewall.address.name firewall.addrgrp.name.
			allowed_methods string	Choices: get post put head connect trace options delete others	Allowed Methods.
			id integer / required		HTTP method policy ID.
			pattern string		URL pattern.
			regex string	Choices: enable disable	Enable/disable regular expression based pattern match.
		severity string		Choices: high medium low	Severity.
		status string		Choices: enable disable	Status.
	name string / required				WAF Profile name.
	signature dictionary				WAF signatures.
		credit_card_detection_threshold integer			The minimum number of Credit cards to detect violation.
		custom_signature list			Custom signature.
			action string	Choices: allow block erase	Action.
			case_sensitivity string	Choices: disable enable	Case sensitivity in pattern.
			direction string	Choices: request response	Traffic direction.
			log string	Choices: enable disable	Enable/disable logging.
			name string / required		Signature name.
			pattern string		Match pattern.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Status.
			target string	Choices: arg arg-name req-body req-cookie req-cookie-name req-filename req-header req-header-name req-raw-uri req-uri resp-body resp-hdr resp-status	Match HTTP target.
		disabled_signature list			Disabled signatures
			id integer / required		Signature ID. Source waf.signature.id.
		disabled_sub_class list			Disabled signature subclasses.
			id integer / required		Signature subclass ID. Source waf.sub-class.id.
		main_class list			Main signature class.
			action string	Choices: allow block erase	Action.
			id integer / required		Main signature class ID. Source waf.main-class.id.
			log string	Choices: enable disable	Enable/disable logging.
			severity string	Choices: high medium low	Severity.
			status string	Choices: enable disable	Status.
	state string			Choices: present absent	Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object.
	url_access list				URL access list
		access_pattern list			URL access pattern.
			id integer / required		URL access pattern ID.
			negate string	Choices: enable disable	Enable/disable match negation.
			pattern string		URL pattern.
			regex string	Choices: enable disable	Enable/disable regular expression based pattern match.
			srcaddr string		Source address. Source firewall.address.name firewall.addrgrp.name.
		action string		Choices: bypass permit block	Action.
		address string			Host address. Source firewall.address.name firewall.addrgrp.name.
		id integer / required			URL access ID.
		log string		Choices: enable disable	Enable/disable logging.
		severity string		Choices: high medium low	Severity.

Notes

Note

Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Web application firewall configuration.
    fortios_waf_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      state: "present"
      waf_profile:
        address_list:
            blocked_address:
             -
                name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
            blocked_log: "enable"
            severity: "high"
            status: "enable"
            trusted_address:
             -
                name: "default_name_10 (source firewall.address.name firewall.addrgrp.name)"
        comment: "Comment."
        constraint:
            content_length:
                action: "allow"
                length: "15"
                log: "enable"
                severity: "high"
                status: "enable"
            exception:
             -
                address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                content_length: "enable"
                header_length: "enable"
                hostname: "enable"
                id:  "24"
                line_length: "enable"
                malformed: "enable"
                max_cookie: "enable"
                max_header_line: "enable"
                max_range_segment: "enable"
                max_url_param: "enable"
                method: "enable"
                param_length: "enable"
                pattern: "<your_own_value>"
                regex: "enable"
                url_param_length: "enable"
                version: "enable"
            header_length:
                action: "allow"
                length: "39"
                log: "enable"
                severity: "high"
                status: "enable"
            hostname:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
            line_length:
                action: "allow"
                length: "50"
                log: "enable"
                severity: "high"
                status: "enable"
            malformed:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
            max_cookie:
                action: "allow"
                log: "enable"
                max_cookie: "62"
                severity: "high"
                status: "enable"
            max_header_line:
                action: "allow"
                log: "enable"
                max_header_line: "68"
                severity: "high"
                status: "enable"
            max_range_segment:
                action: "allow"
                log: "enable"
                max_range_segment: "74"
                severity: "high"
                status: "enable"
            max_url_param:
                action: "allow"
                log: "enable"
                max_url_param: "80"
                severity: "high"
                status: "enable"
            method:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
            param_length:
                action: "allow"
                length: "90"
                log: "enable"
                severity: "high"
                status: "enable"
            url_param_length:
                action: "allow"
                length: "96"
                log: "enable"
                severity: "high"
                status: "enable"
            version:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
        extended_log: "enable"
        external: "disable"
        method:
            default_allowed_methods: "get"
            log: "enable"
            method_policy:
             -
                address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                allowed_methods: "get"
                id:  "113"
                pattern: "<your_own_value>"
                regex: "enable"
            severity: "high"
            status: "enable"
        name: "default_name_118"
        signature:
            credit_card_detection_threshold: "120"
            custom_signature:
             -
                action: "allow"
                case_sensitivity: "disable"
                direction: "request"
                log: "enable"
                name: "default_name_126"
                pattern: "<your_own_value>"
                severity: "high"
                status: "enable"
                target: "arg"
            disabled_signature:
             -
                id:  "132 (source waf.signature.id)"
            disabled_sub_class:
             -
                id:  "134 (source waf.sub-class.id)"
            main_class:
             -
                action: "allow"
                id:  "137 (source waf.main-class.id)"
                log: "enable"
                severity: "high"
                status: "enable"
        url_access:
         -
            access_pattern:
             -
                id:  "143"
                negate: "enable"
                pattern: "<your_own_value>"
                regex: "enable"
                srcaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
            action: "bypass"
            address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
            id:  "150"
            log: "enable"
            severity: "high"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Status

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]

Authors

Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_waf_profile_module.html