fmgr_secprof_waf – FortiManager web application firewall security profile

From Get docs
Ansible/docs/2.8/modules/fmgr secprof waf module


fmgr_secprof_waf – FortiManager web application firewall security profile

New in version 2.8.


Synopsis

  • Manage web application firewall security profiles for FGTs via FMG

Parameters

Parameter Choices/Defaults Comments

address_list

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

address_list_blocked_address

-

Blocked address.

address_list_blocked_log

-

  • disable
  • enable

Enable/disable logging on blocked addresses.

choice | disable | Disable setting.

choice | enable | Enable setting.

address_list_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

address_list_status

-

  • disable
  • enable

Status.

choice | disable | Disable setting.

choice | enable | Enable setting.

address_list_trusted_address

-

Trusted address.

adom

-

Default:

"root"

The ADOM the configuration should belong to.

comment

-

Comment.

constraint

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

constraint_content_length_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_content_length_length

-

Length of HTTP content in bytes (0 to 2147483647).

constraint_content_length_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_content_length_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_content_length_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_address

-

Host address.

constraint_exception_content_length

-

  • disable
  • enable

HTTP content length in request.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_header_length

-

  • disable
  • enable

HTTP header length in request.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_hostname

-

  • disable
  • enable

Enable/disable hostname check.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_line_length

-

  • disable
  • enable

HTTP line length in request.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_malformed

-

  • disable
  • enable

Enable/disable malformed HTTP request check.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_max_cookie

-

  • disable
  • enable

Maximum number of cookies in HTTP request.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_max_header_line

-

  • disable
  • enable

Maximum number of HTTP header line.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_max_range_segment

-

  • disable
  • enable

Maximum number of range segments in HTTP range line.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_max_url_param

-

  • disable
  • enable

Maximum number of parameters in URL.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_method

-

  • disable
  • enable

Enable/disable HTTP method check.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_param_length

-

  • disable
  • enable

Maximum length of parameter in URL, HTTP POST request or HTTP body.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_pattern

-

URL pattern.

constraint_exception_regex

-

  • disable
  • enable

Enable/disable regular expression based pattern match.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_url_param_length

-

  • disable
  • enable

Maximum length of parameter in URL.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_exception_version

-

  • disable
  • enable

Enable/disable HTTP version check.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_header_length_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_header_length_length

-

Length of HTTP header in bytes (0 to 2147483647).

constraint_header_length_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_header_length_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_header_length_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_hostname_action

-

  • allow
  • block

Action for a hostname constraint.

choice | allow | Allow.

choice | block | Block.

constraint_hostname_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_hostname_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_hostname_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_line_length_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_line_length_length

-

Length of HTTP line in bytes (0 to 2147483647).

constraint_line_length_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_line_length_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_line_length_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_malformed_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_malformed_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_malformed_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_malformed_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_max_cookie_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_max_cookie_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_max_cookie_max_cookie

-

Maximum number of cookies in HTTP request (0 to 2147483647).

constraint_max_cookie_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_max_cookie_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_max_header_line_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_max_header_line_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_max_header_line_max_header_line

-

Maximum number HTTP header lines (0 to 2147483647).

constraint_max_header_line_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_max_header_line_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_max_range_segment_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_max_range_segment_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_max_range_segment_max_range_segment

-

Maximum number of range segments in HTTP range line (0 to 2147483647).

constraint_max_range_segment_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_max_range_segment_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_max_url_param_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_max_url_param_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_max_url_param_max_url_param

-

Maximum number of parameters in URL (0 to 2147483647).

constraint_max_url_param_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_max_url_param_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_method_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_method_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_method_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_method_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_param_length_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_param_length_length

-

Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647).

constraint_param_length_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_param_length_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_param_length_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_url_param_length_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_url_param_length_length

-

Maximum length of URL parameter in bytes (0 to 2147483647).

constraint_url_param_length_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_url_param_length_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_url_param_length_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_version_action

-

  • allow
  • block

Action.

choice | allow | Allow.

choice | block | Block.

constraint_version_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

constraint_version_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

constraint_version_status

-

  • disable
  • enable

Enable/disable the constraint.

choice | disable | Disable setting.

choice | enable | Enable setting.

extended_log

-

  • disable
  • enable

Enable/disable extended logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

external

-

  • disable
  • enable

Disable/Enable external HTTP Inspection.

choice | disable | Disable external inspection.

choice | enable | Enable external inspection.

method

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

method_default_allowed_methods

-

  • delete
  • get
  • head
  • options
  • post
  • put
  • trace
  • others
  • connect

Methods.

FLAG Based Options. Specify multiple in list form.

flag | delete | HTTP DELETE method.

flag | get | HTTP GET method.

flag | head | HTTP HEAD method.

flag | options | HTTP OPTIONS method.

flag | post | HTTP POST method.

flag | put | HTTP PUT method.

flag | trace | HTTP TRACE method.

flag | others | Other HTTP methods.

flag | connect | HTTP CONNECT method.

method_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

method_method_policy_address

-

Host address.

method_method_policy_allowed_methods

-

  • delete
  • get
  • head
  • options
  • post
  • put
  • trace
  • others
  • connect

Allowed Methods.

FLAG Based Options. Specify multiple in list form.

flag | delete | HTTP DELETE method.

flag | get | HTTP GET method.

flag | head | HTTP HEAD method.

flag | options | HTTP OPTIONS method.

flag | post | HTTP POST method.

flag | put | HTTP PUT method.

flag | trace | HTTP TRACE method.

flag | others | Other HTTP methods.

flag | connect | HTTP CONNECT method.

method_method_policy_pattern

-

URL pattern.

method_method_policy_regex

-

  • disable
  • enable

Enable/disable regular expression based pattern match.

choice | disable | Disable setting.

choice | enable | Enable setting.

method_severity

-

  • low
  • medium
  • high

Severity.

choice | low | low severity

choice | medium | medium severity

choice | high | High severity

method_status

-

  • disable
  • enable

Status.

choice | disable | Disable setting.

choice | enable | Enable setting.

mode

-

  • add

  • set
  • delete
  • update

Sets one of three modes for managing the object.

Allows use of soft-adds instead of overwriting existing values

name

-

WAF Profile name.

signature

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

signature_credit_card_detection_threshold

-

The minimum number of Credit cards to detect violation.

signature_custom_signature_action

-

  • allow
  • block
  • erase

Action.

choice | allow | Allow.

choice | block | Block.

choice | erase | Erase credit card numbers.

signature_custom_signature_case_sensitivity

-

  • disable
  • enable

Case sensitivity in pattern.

choice | disable | Case insensitive in pattern.

choice | enable | Case sensitive in pattern.

signature_custom_signature_direction

-

  • request
  • response

Traffic direction.

choice | request | Match HTTP request.

choice | response | Match HTTP response.

signature_custom_signature_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

signature_custom_signature_name

-

Signature name.

signature_custom_signature_pattern

-

Match pattern.

signature_custom_signature_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

signature_custom_signature_status

-

  • disable
  • enable

Status.

choice | disable | Disable setting.

choice | enable | Enable setting.

signature_custom_signature_target

-

  • arg
  • arg-name
  • req-body
  • req-cookie
  • req-cookie-name
  • req-filename
  • req-header
  • req-header-name
  • req-raw-uri
  • req-uri
  • resp-body
  • resp-hdr
  • resp-status

Match HTTP target.

FLAG Based Options. Specify multiple in list form.

flag | arg | HTTP arguments.

flag | arg-name | Names of HTTP arguments.

flag | req-body | HTTP request body.

flag | req-cookie | HTTP request cookies.

flag | req-cookie-name | HTTP request cookie names.

flag | req-filename | HTTP request file name.

flag | req-header | HTTP request headers.

flag | req-header-name | HTTP request header names.

flag | req-raw-uri | Raw URI of HTTP request.

flag | req-uri | URI of HTTP request.

flag | resp-body | HTTP response body.

flag | resp-hdr | HTTP response headers.

flag | resp-status | HTTP response status.

signature_disabled_signature

-

Disabled signatures

signature_disabled_sub_class

-

Disabled signature subclasses.

signature_main_class_action

-

  • allow
  • block
  • erase

Action.

choice | allow | Allow.

choice | block | Block.

choice | erase | Erase credit card numbers.

signature_main_class_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

signature_main_class_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.

signature_main_class_status

-

  • disable
  • enable

Status.

choice | disable | Disable setting.

choice | enable | Enable setting.

url_access

-

EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!

List of multiple child objects to be added. Expects a list of dictionaries.

Dictionaries must use FortiManager API parameters, not the ansible ones listed below.

If submitted, all other prefixed sub-parameters ARE IGNORED.

This object is MUTUALLY EXCLUSIVE with its options.

We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.

WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS

url_access_access_pattern_negate

-

  • disable
  • enable

Enable/disable match negation.

choice | disable | Disable setting.

choice | enable | Enable setting.

url_access_access_pattern_pattern

-

URL pattern.

url_access_access_pattern_regex

-

  • disable
  • enable

Enable/disable regular expression based pattern match.

choice | disable | Disable setting.

choice | enable | Enable setting.

url_access_access_pattern_srcaddr

-

Source address.

url_access_action

-

  • bypass
  • permit
  • block

Action.

choice | bypass | Allow the HTTP request, also bypass further WAF scanning.

choice | permit | Allow the HTTP request, and continue further WAF scanning.

choice | block | Block HTTP request.

url_access_address

-

Host address.

url_access_log

-

  • disable
  • enable

Enable/disable logging.

choice | disable | Disable setting.

choice | enable | Enable setting.

url_access_severity

-

  • low
  • medium
  • high

Severity.

choice | low | Low severity.

choice | medium | Medium severity.

choice | high | High severity.



Notes

Examples

- name: DELETE Profile
  fmgr_secprof_waf:
    name: "Ansible_WAF_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "delete"

- name: CREATE Profile
  fmgr_secprof_waf:
    name: "Ansible_WAF_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "set"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description

api_result

string

always

full API response, includes status code and message





Status

Authors

  • Luke Weighall (@lweighall)
  • Andrew Welsh (@Ghilli3)
  • Jim Huber (@p4r4n0y1ng)

Hint

If you notice any issues in this documentation you can edit this document to improve it.


© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fmgr_secprof_waf_module.html