community.network.fmgr_secprof_web – Manage web filter security profiles in FortiManager

Note

This plugin is part of the community.network collection (version 1.3.0).

To install it use: ansible-galaxy collection install community.network.

To use it in a playbook, specify: community.network.fmgr_secprof_web.

Synopsis
Parameters
Notes
Examples
Return Values

Synopsis

Manage web filter security profiles in FortiManager through playbooks using the FMG API

Parameters

Parameter	Choices/Defaults	Comments
adom string	Default: "root"	The ADOM the configuration should belong to.
comment string		Optional comments.
extended_log string	disable enable	Enable/disable extended logging for web filtering. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
ftgd_wf string		EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! List of multiple child objects to be added. Expects a list of dictionaries. Dictionaries must use FortiManager API parameters, not the ansible ones listed below. If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options. We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
ftgd_wf_exempt_quota string		Do not stop quota for these categories.
ftgd_wf_filters_action string	block monitor warning authenticate	Action to take for matches. choice \| block \| Block access. choice \| monitor \| Allow access while logging the action. choice \| warning \| Allow access after warning the user. choice \| authenticate \| Authenticate user before allowing access.
ftgd_wf_filters_auth_usr_grp string		Groups with permission to authenticate.
ftgd_wf_filters_category string		Categories and groups the filter examines.
ftgd_wf_filters_log string	disable enable	Enable/disable logging. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
ftgd_wf_filters_override_replacemsg string		Override replacement message.
ftgd_wf_filters_warn_duration string		Duration of warnings.
ftgd_wf_filters_warning_duration_type string	session timeout	Re-display warning after closing browser or after a timeout. choice \| session \| After session ends. choice \| timeout \| After timeout occurs.
ftgd_wf_filters_warning_prompt string	per-domain per-category	Warning prompts in each category or each domain. choice \| per-domain \| Per-domain warnings. choice \| per-category \| Per-category warnings.
ftgd_wf_max_quota_timeout string		Maximum FortiGuard quota used by single page view in seconds (excludes streams).
ftgd_wf_options string	error-allow rate-server-ip connect-request-bypass ftgd-disable	Options for FortiGuard Web Filter. FLAG Based Options. Specify multiple in list form. flag \| error-allow \| Allow web pages with a rating error to pass through. flag \| rate-server-ip \| Rate the server IP in addition to the domain name. flag \| connect-request-bypass \| Bypass connection which has CONNECT request. flag \| ftgd-disable \| Disable FortiGuard scanning.
ftgd_wf_ovrd string		Allow web filter profile overrides.
ftgd_wf_quota_category string		FortiGuard categories to apply quota to (category action must be set to monitor).
ftgd_wf_quota_duration string		Duration of quota.
ftgd_wf_quota_override_replacemsg string		Override replacement message.
ftgd_wf_quota_type string	time traffic	Quota type. choice \| time \| Use a time-based quota. choice \| traffic \| Use a traffic-based quota.
ftgd_wf_quota_unit string	B KB MB GB	Traffic quota unit of measurement. choice \| B \| Quota in bytes. choice \| KB \| Quota in kilobytes. choice \| MB \| Quota in megabytes. choice \| GB \| Quota in gigabytes.
ftgd_wf_quota_value string		Traffic quota value.
ftgd_wf_rate_crl_urls string	disable enable	Enable/disable rating CRL by URL. choice \| disable \| Disable rating CRL by URL. choice \| enable \| Enable rating CRL by URL.
ftgd_wf_rate_css_urls string	disable enable	Enable/disable rating CSS by URL. choice \| disable \| Disable rating CSS by URL. choice \| enable \| Enable rating CSS by URL.
ftgd_wf_rate_image_urls string	disable enable	Enable/disable rating images by URL. choice \| disable \| Disable rating images by URL (blocked images are replaced with blanks). choice \| enable \| Enable rating images by URL (blocked images are replaced with blanks).
ftgd_wf_rate_javascript_urls string	disable enable	Enable/disable rating JavaScript by URL. choice \| disable \| Disable rating JavaScript by URL. choice \| enable \| Enable rating JavaScript by URL.
https_replacemsg string	disable enable	Enable replacement messages for HTTPS. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
inspection_mode string	proxy flow-based	Web filtering inspection mode. choice \| proxy \| Proxy. choice \| flow-based \| Flow based.
log_all_url string	disable enable	Enable/disable logging all URLs visited. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
mode string	add ← set delete update	Sets one of three modes for managing the object. Allows use of soft-adds instead of overwriting existing values
name string		Profile name.
options string	block-invalid-url jscript js vbs unknown wf-referer intrinsic wf-cookie per-user-bwl activexfilter cookiefilter javafilter	FLAG Based Options. Specify multiple in list form. flag \| block-invalid-url \| Block sessions contained an invalid domain name. flag \| jscript \| Javascript block. flag \| js \| JS block. flag \| vbs \| VB script block. flag \| unknown \| Unknown script block. flag \| wf-referer \| Referring block. flag \| intrinsic \| Intrinsic script block. flag \| wf-cookie \| Cookie block. flag \| per-user-bwl \| Per-user black/white list filter flag \| activexfilter \| ActiveX filter. flag \| cookiefilter \| Cookie filter. flag \| javafilter \| Java applet filter.
override string		EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! List of multiple child objects to be added. Expects a list of dictionaries. Dictionaries must use FortiManager API parameters, not the ansible ones listed below. If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options. We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
override_ovrd_cookie string	deny allow	Allow/deny browser-based (cookie) overrides. choice \| deny \| Deny browser-based (cookie) override. choice \| allow \| Allow browser-based (cookie) override.
override_ovrd_dur string		Override duration.
override_ovrd_dur_mode string	constant ask	Override duration mode. choice \| constant \| Constant mode. choice \| ask \| Prompt for duration when initiating an override.
override_ovrd_scope string	user user-group ip ask browser	Override scope. choice \| user \| Override for the user. choice \| user-group \| Override for the user's group. choice \| ip \| Override for the initiating IP. choice \| ask \| Prompt for scope when initiating an override. choice \| browser \| Create browser-based (cookie) override.
override_ovrd_user_group string		User groups with permission to use the override.
override_profile string		Web filter profile with permission to create overrides.
override_profile_attribute string	User-Name NAS-IP-Address Framed-IP-Address Framed-IP-Netmask Filter-Id Login-IP-Host Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network Class Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Zone Acct-Session-Id Acct-Multi-Session-Id	Profile attribute to retrieve from the RADIUS server. choice \| User-Name \| Use this attribute. choice \| NAS-IP-Address \| Use this attribute. choice \| Framed-IP-Address \| Use this attribute. choice \| Framed-IP-Netmask \| Use this attribute. choice \| Filter-Id \| Use this attribute. choice \| Login-IP-Host \| Use this attribute. choice \| Reply-Message \| Use this attribute. choice \| Callback-Number \| Use this attribute. choice \| Callback-Id \| Use this attribute. choice \| Framed-Route \| Use this attribute. choice \| Framed-IPX-Network \| Use this attribute. choice \| Class \| Use this attribute. choice \| Called-Station-Id \| Use this attribute. choice \| Calling-Station-Id \| Use this attribute. choice \| NAS-Identifier \| Use this attribute. choice \| Proxy-State \| Use this attribute. choice \| Login-LAT-Service \| Use this attribute. choice \| Login-LAT-Node \| Use this attribute. choice \| Login-LAT-Group \| Use this attribute. choice \| Framed-AppleTalk-Zone \| Use this attribute. choice \| Acct-Session-Id \| Use this attribute. choice \| Acct-Multi-Session-Id \| Use this attribute.
override_profile_type string	list radius	Override profile type. choice \| list \| Profile chosen from list. choice \| radius \| Profile determined by RADIUS server.
ovrd_perm string	bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override	FLAG Based Options. Specify multiple in list form. flag \| bannedword-override \| Banned word override. flag \| urlfilter-override \| URL filter override. flag \| fortiguard-wf-override \| FortiGuard Web Filter override. flag \| contenttype-check-override \| Content-type header override.
post_action string	normal block	Action taken for HTTP POST traffic. choice \| normal \| Normal, POST requests are allowed. choice \| block \| POST requests are blocked.
replacemsg_group string		Replacement message group.
url_extraction string		EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! List of multiple child objects to be added. Expects a list of dictionaries. Dictionaries must use FortiManager API parameters, not the ansible ones listed below. If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options. We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
url_extraction_redirect_header string		HTTP header name to use for client redirect on blocked requests
url_extraction_redirect_no_content string	disable enable	Enable / Disable empty message-body entity in HTTP response choice \| disable \| Disable setting. choice \| enable \| Enable setting.
url_extraction_redirect_url string		HTTP header value to use for client redirect on blocked requests
url_extraction_server_fqdn string		URL extraction server FQDN (fully qualified domain name)
url_extraction_status string	disable enable	Enable URL Extraction choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web string		EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! List of multiple child objects to be added. Expects a list of dictionaries. Dictionaries must use FortiManager API parameters, not the ansible ones listed below. If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options. We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
web_blacklist string	disable enable	Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_bword_table string		Banned word table ID.
web_bword_threshold string		Banned word score threshold.
web_content_header_list string		Content header list.
web_content_log string	disable enable	Enable/disable logging logging blocked web content. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_extended_all_action_log string	disable enable	Enable/disable extended any filter action logging for web filtering. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_filter_activex_log string	disable enable	Enable/disable logging ActiveX. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_filter_applet_log string	disable enable	Enable/disable logging Java applets. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_filter_command_block_log string	disable enable	Enable/disable logging blocked commands. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_filter_cookie_log string	disable enable	Enable/disable logging cookie filtering. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_filter_cookie_removal_log string	disable enable	Enable/disable logging blocked cookies. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_filter_js_log string	disable enable	Enable/disable logging Java scripts. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_filter_jscript_log string	disable enable	Enable/disable logging JScripts. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_filter_referer_log string	disable enable	Enable/disable logging referrers. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_filter_unknown_log string	disable enable	Enable/disable logging unknown scripts. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_filter_vbs_log string	disable enable	Enable/disable logging VBS scripts. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_ftgd_err_log string	disable enable	Enable/disable logging rating errors. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_ftgd_quota_usage string	disable enable	Enable/disable logging daily quota usage. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_invalid_domain_log string	disable enable	Enable/disable logging invalid domain names. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_keyword_match string		Search keywords to log when match is found.
web_log_search string	disable enable	Enable/disable logging all search phrases. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_safe_search string	url header	Safe search type. FLAG Based Options. Specify multiple in list form. flag \| url \| Insert safe search string into URL. flag \| header \| Insert safe search header.
web_url_log string	disable enable	Enable/disable logging URL filtering. choice \| disable \| Disable setting. choice \| enable \| Enable setting.
web_urlfilter_table string		URL filter table ID.
web_whitelist string	exempt-av exempt-webcontent exempt-activex-java-cookie exempt-dlp exempt-rangeblock extended-log-others	FortiGuard whitelist settings. FLAG Based Options. Specify multiple in list form. flag \| exempt-av \| Exempt antivirus. flag \| exempt-webcontent \| Exempt web content. flag \| exempt-activex-java-cookie \| Exempt ActiveX-JAVA-Cookie. flag \| exempt-dlp \| Exempt DLP. flag \| exempt-rangeblock \| Exempt RangeBlock. flag \| extended-log-others \| Support extended log.
web_youtube_restrict string	strict none moderate	YouTube EDU filter level. choice \| strict \| Strict access for YouTube. choice \| none \| Full access for YouTube. choice \| moderate \| Moderate access for YouTube.
wisp string	disable enable	Enable/disable web proxy WISP. choice \| disable \| Disable web proxy WISP. choice \| enable \| Enable web proxy WISP.
wisp_algorithm string	auto-learning primary-secondary round-robin	WISP server selection algorithm. choice \| auto-learning \| Select the lightest loading healthy server. choice \| primary-secondary \| Select the first healthy server in order. choice \| round-robin \| Select the next healthy server.
wisp_servers string		WISP servers.
youtube_channel_filter string		EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! List of multiple child objects to be added. Expects a list of dictionaries. Dictionaries must use FortiManager API parameters, not the ansible ones listed below. If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options. We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
youtube_channel_filter_channel_id string		YouTube channel ID to be filtered.
youtube_channel_filter_comment string		Comment.
youtube_channel_status string	disable blacklist whitelist	YouTube channel filter status. choice \| disable \| Disable YouTube channel filter. choice \| blacklist \| Block matches. choice \| whitelist \| Allow matches.

Notes

Note

Full Documentation at https://ftnt-ansible-docs.readthedocs.io/en/latest/.

Examples

- name: DELETE Profile
  community.network.fmgr_secprof_web:
    name: "Ansible_Web_Filter_Profile"
    mode: "delete"

- name: CREATE Profile
  community.network.fmgr_secprof_web:
    name: "Ansible_Web_Filter_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "set"
    extended_log: "enable"
    inspection_mode: "proxy"
    log_all_url: "enable"
    options: "js"
    ovrd_perm: "bannedword-override"
    post_action: "block"
    web_content_log: "enable"
    web_extended_all_action_log: "enable"
    web_filter_activex_log: "enable"
    web_filter_applet_log: "enable"
    web_filter_command_block_log: "enable"
    web_filter_cookie_log: "enable"
    web_filter_cookie_removal_log: "enable"
    web_filter_js_log: "enable"
    web_filter_jscript_log: "enable"
    web_filter_referer_log: "enable"
    web_filter_unknown_log: "enable"
    web_filter_vbs_log: "enable"
    web_ftgd_err_log: "enable"
    web_ftgd_quota_usage: "enable"
    web_invalid_domain_log: "enable"
    web_url_log: "enable"
    wisp: "enable"
    wisp_algorithm: "auto-learning"
    youtube_channel_status: "blacklist"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
api_result string	always	full API response, includes status code and message

Authors

Luke Weighall (@lweighall)
Andrew Welsh (@Ghilli3)
Jim Huber (@p4r4n0y1ng)

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/community/network/fmgr_secprof_web_module.html