fortios_webfilter_profile – Configure Web filter profiles in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis
Requirements
Parameters
Notes
Examples
Return Values
Status

Synopsis

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify webfilter feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements

The below requirements are needed on the host that executes this module.

fortiosapi>=0.9.8

Parameters

Parameter					Choices/Defaults	Comments
host string						FortiOS or FortiGate IP address.
https boolean					no yes ←	Indicates if the requests towards FortiGate must use HTTPS protocol.
password string					Default: ""	FortiOS or FortiGate password.
ssl_verify boolean added in 2.9					no yes ←	Ensures FortiGate certificate must be verified by a proper CA.
state string added in 2.9					present absent	Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
username string						FortiOS or FortiGate username.
vdom string					Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
webfilter_profile dictionary					Default: null	Configure Web filter profiles.
	comment string					Optional comments.
	extended_log string				enable disable	Enable/disable extended logging for web filtering.
	ftgd_wf dictionary					FortiGuard Web Filter settings.
		exempt_quota string				Do not stop quota for these categories.
		filters list				FortiGuard filters.
			action string		block authenticate monitor warning	Action to take for matches.
			auth_usr_grp string			Groups with permission to authenticate.
				name string / required		User group name. Source user.group.name.
			category integer			Categories and groups the filter examines.
			id integer / required			ID number.
			log string		enable disable	Enable/disable logging.
			override_replacemsg string			Override replacement message.
			warn_duration string			Duration of warnings.
			warning_duration_type string		session timeout	Re-display warning after closing browser or after a timeout.
			warning_prompt string		per-domain per-category	Warning prompts in each category or each domain.
		max_quota_timeout integer				Maximum FortiGuard quota used by single page view in seconds (excludes streams).
		options string			error-allow rate-server-ip connect-request-bypass ftgd-disable	Options for FortiGuard Web Filter.
		ovrd string				Allow web filter profile overrides.
		quota list				FortiGuard traffic quota settings.
			category string			FortiGuard categories to apply quota to (category action must be set to monitor).
			duration string			Duration of quota.
			id integer / required			ID number.
			override_replacemsg string			Override replacement message.
			type string		time traffic	Quota type.
			unit string		B KB MB GB	Traffic quota unit of measurement.
			value integer			Traffic quota value.
		rate_crl_urls string			disable enable	Enable/disable rating CRL by URL.
		rate_css_urls string			disable enable	Enable/disable rating CSS by URL.
		rate_image_urls string			disable enable	Enable/disable rating images by URL.
		rate_javascript_urls string			disable enable	Enable/disable rating JavaScript by URL.
	https_replacemsg string				enable disable	Enable replacement messages for HTTPS.
	inspection_mode string				proxy flow-based	Web filtering inspection mode.
	log_all_url string				enable disable	Enable/disable logging all URLs visited.
	name string / required					Profile name.
	options string				activexfilter cookiefilter javafilter block-invalid-url jscript js vbs unknown intrinsic wf-referer wf-cookie per-user-bwl	Options.
	override dictionary					Web Filter override settings.
		ovrd_cookie string			allow deny	Allow/deny browser-based (cookie) overrides.
		ovrd_dur string				Override duration.
		ovrd_dur_mode string			constant ask	Override duration mode.
		ovrd_scope string			user user-group ip browser ask	Override scope.
		ovrd_user_group string				User groups with permission to use the override.
			name string / required			User group name. Source user.group.name.
		profile list				Web filter profile with permission to create overrides.
			name string / required			Web profile. Source webfilter.profile.name.
		profile_attribute string			User-Name NAS-IP-Address Framed-IP-Address Framed-IP-Netmask Filter-Id Login-IP-Host Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network Class Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Zone Acct-Session-Id Acct-Multi-Session-Id	Profile attribute to retrieve from the RADIUS server.
		profile_type string			list radius	Override profile type.
	ovrd_perm string				bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override	Permitted override types.
	post_action string				normal block	Action taken for HTTP POST traffic.
	replacemsg_group string					Replacement message group. Source system.replacemsg-group.name.
	state string				present absent	Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object.
	web dictionary					Web content filtering settings.
		blacklist string			enable disable	Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
		bword_table integer				Banned word table ID. Source webfilter.content.id.
		bword_threshold integer				Banned word score threshold.
		content_header_list integer				Content header list. Source webfilter.content-header.id.
		keyword_match string				Search keywords to log when match is found.
			pattern string / required			Pattern/keyword to search for.
		log_search string			enable disable	Enable/disable logging all search phrases.
		safe_search string			url header	Safe search type.
		urlfilter_table integer				URL filter table ID. Source webfilter.urlfilter.id.
		whitelist string			exempt-av exempt-webcontent exempt-activex-java-cookie exempt-dlp exempt-rangeblock extended-log-others	FortiGuard whitelist settings.
		youtube_restrict string			none strict moderate	YouTube EDU filter level.
	web_content_log string				enable disable	Enable/disable logging logging blocked web content.
	web_extended_all_action_log string				enable disable	Enable/disable extended any filter action logging for web filtering.
	web_filter_activex_log string				enable disable	Enable/disable logging ActiveX.
	web_filter_applet_log string				enable disable	Enable/disable logging Java applets.
	web_filter_command_block_log string				enable disable	Enable/disable logging blocked commands.
	web_filter_cookie_log string				enable disable	Enable/disable logging cookie filtering.
	web_filter_cookie_removal_log string				enable disable	Enable/disable logging blocked cookies.
	web_filter_js_log string				enable disable	Enable/disable logging Java scripts.
	web_filter_jscript_log string				enable disable	Enable/disable logging JScripts.
	web_filter_referer_log string				enable disable	Enable/disable logging referrers.
	web_filter_unknown_log string				enable disable	Enable/disable logging unknown scripts.
	web_filter_vbs_log string				enable disable	Enable/disable logging VBS scripts.
	web_ftgd_err_log string				enable disable	Enable/disable logging rating errors.
	web_ftgd_quota_usage string				enable disable	Enable/disable logging daily quota usage.
	web_invalid_domain_log string				enable disable	Enable/disable logging invalid domain names.
	web_url_log string				enable disable	Enable/disable logging URL filtering.
	wisp string				enable disable	Enable/disable web proxy WISP.
	wisp_algorithm string				primary-secondary round-robin auto-learning	WISP server selection algorithm.
	wisp_servers list					WISP servers.
		name string / required				Server name. Source web-proxy.wisp.name.
	youtube_channel_filter list					YouTube channel filter.
		channel_id string				YouTube channel ID to be filtered.
		comment string				Comment.
		id integer / required				ID.
	youtube_channel_status string				disable blacklist whitelist	YouTube channel filter status.

Notes

Note

Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Configure Web filter profiles.
    fortios_webfilter_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      state: "present"
      webfilter_profile:
        comment: "Optional comments."
        extended_log: "enable"
        ftgd_wf:
            exempt_quota: "<your_own_value>"
            filters:
             -
                action: "block"
                auth_usr_grp:
                 -
                    name: "default_name_10 (source user.group.name)"
                category: "11"
                id:  "12"
                log: "enable"
                override_replacemsg: "<your_own_value>"
                warn_duration: "<your_own_value>"
                warning_duration_type: "session"
                warning_prompt: "per-domain"
            max_quota_timeout: "18"
            options: "error-allow"
            ovrd: "<your_own_value>"
            quota:
             -
                category: "<your_own_value>"
                duration: "<your_own_value>"
                id:  "24"
                override_replacemsg: "<your_own_value>"
                type: "time"
                unit: "B"
                value: "28"
            rate_crl_urls: "disable"
            rate_css_urls: "disable"
            rate_image_urls: "disable"
            rate_javascript_urls: "disable"
        https_replacemsg: "enable"
        inspection_mode: "proxy"
        log_all_url: "enable"
        name: "default_name_36"
        options: "activexfilter"
        override:
            ovrd_cookie: "allow"
            ovrd_dur: "<your_own_value>"
            ovrd_dur_mode: "constant"
            ovrd_scope: "user"
            ovrd_user_group:
             -
                name: "default_name_44 (source user.group.name)"
            profile:
             -
                name: "default_name_46 (source webfilter.profile.name)"
            profile_attribute: "User-Name"
            profile_type: "list"
        ovrd_perm: "bannedword-override"
        post_action: "normal"
        replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
        web:
            blacklist: "enable"
            bword_table: "54 (source webfilter.content.id)"
            bword_threshold: "55"
            content_header_list: "56 (source webfilter.content-header.id)"
            keyword_match:
             -
                pattern: "<your_own_value>"
            log_search: "enable"
            safe_search: "url"
            urlfilter_table: "61 (source webfilter.urlfilter.id)"
            whitelist: "exempt-av"
            youtube_restrict: "none"
        web_content_log: "enable"
        web_extended_all_action_log: "enable"
        web_filter_activex_log: "enable"
        web_filter_applet_log: "enable"
        web_filter_command_block_log: "enable"
        web_filter_cookie_log: "enable"
        web_filter_cookie_removal_log: "enable"
        web_filter_js_log: "enable"
        web_filter_jscript_log: "enable"
        web_filter_referer_log: "enable"
        web_filter_unknown_log: "enable"
        web_filter_vbs_log: "enable"
        web_ftgd_err_log: "enable"
        web_ftgd_quota_usage: "enable"
        web_invalid_domain_log: "enable"
        web_url_log: "enable"
        wisp: "enable"
        wisp_algorithm: "primary-secondary"
        wisp_servers:
         -
            name: "default_name_83 (source web-proxy.wisp.name)"
        youtube_channel_filter:
         -
            channel_id: "<your_own_value>"
            comment: "Comment."
            id:  "87"
        youtube_channel_status: "disable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Status

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]

Authors

Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_webfilter_profile_module.html