fortios_waf_profile – Web application firewall configuration in Fortinet’s FortiOS and FortiGate.¶
New in version 2.8.
Synopsis¶
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify waf feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements¶
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters¶
- access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: False
- vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
- state - Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level. type: str required: False choices: present, absent
- waf_profile - Web application firewall configuration. type: dict
- state - B(Deprecated) type: str required: False choices: present, absent
- address_list - Black address list and white address list. type: dict
- blocked_address - Blocked address. type: list
- name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: True
- blocked_log - Enable/disable logging on blocked addresses. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Status. type: str choices: enable, disable
- trusted_address - Trusted address. type: list
- name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: True
- comment - Comment. type: str
- constraint - WAF HTTP protocol restrictions. type: dict
- content_length - HTTP content length in request. type: dict
- action - Action. type: str choices: allow, block
- length - Length of HTTP content in bytes (0 to 2147483647). type: int
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- exception - HTTP constraint exception. type: list
- address - Host address. Source firewall.address.name firewall.addrgrp.name. type: str
- content_length - HTTP content length in request. type: str choices: enable, disable
- header_length - HTTP header length in request. type: str choices: enable, disable
- hostname - Enable/disable hostname check. type: str choices: enable, disable
- id - Exception ID. type: int required: True
- line_length - HTTP line length in request. type: str choices: enable, disable
- malformed - Enable/disable malformed HTTP request check. type: str choices: enable, disable
- max_cookie - Maximum number of cookies in HTTP request. type: str choices: enable, disable
- max_header_line - Maximum number of HTTP header line. type: str choices: enable, disable
- max_range_segment - Maximum number of range segments in HTTP range line. type: str choices: enable, disable
- max_url_param - Maximum number of parameters in URL. type: str choices: enable, disable
- method - Enable/disable HTTP method check. type: str choices: enable, disable
- param_length - Maximum length of parameter in URL, HTTP POST request or HTTP body. type: str choices: enable, disable
- pattern - URL pattern. type: str
- regex - Enable/disable regular expression based pattern match. type: str choices: enable, disable
- url_param_length - Maximum length of parameter in URL. type: str choices: enable, disable
- version - Enable/disable HTTP version check. type: str choices: enable, disable
- header_length - HTTP header length in request. type: dict
- action - Action. type: str choices: allow, block
- length - Length of HTTP header in bytes (0 to 2147483647). type: int
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- hostname - Enable/disable hostname check. type: dict
- action - Action. type: str choices: allow, block
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- line_length - HTTP line length in request. type: dict
- action - Action. type: str choices: allow, block
- length - Length of HTTP line in bytes (0 to 2147483647). type: int
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- malformed - Enable/disable malformed HTTP request check. type: dict
- action - Action. type: str choices: allow, block
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- max_cookie - Maximum number of cookies in HTTP request. type: dict
- action - Action. type: str choices: allow, block
- log - Enable/disable logging. type: str choices: enable, disable
- max_cookie - Maximum number of cookies in HTTP request (0 to 2147483647). type: int
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- max_header_line - Maximum number of HTTP header line. type: dict
- action - Action. type: str choices: allow, block
- log - Enable/disable logging. type: str choices: enable, disable
- max_header_line - Maximum number HTTP header lines (0 to 2147483647). type: int
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- max_range_segment - Maximum number of range segments in HTTP range line. type: dict
- action - Action. type: str choices: allow, block
- log - Enable/disable logging. type: str choices: enable, disable
- max_range_segment - Maximum number of range segments in HTTP range line (0 to 2147483647). type: int
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- max_url_param - Maximum number of parameters in URL. type: dict
- action - Action. type: str choices: allow, block
- log - Enable/disable logging. type: str choices: enable, disable
- max_url_param - Maximum number of parameters in URL (0 to 2147483647). type: int
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- method - Enable/disable HTTP method check. type: dict
- action - Action. type: str choices: allow, block
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- param_length - Maximum length of parameter in URL, HTTP POST request or HTTP body. type: dict
- action - Action. type: str choices: allow, block
- length - Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647). type: int
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- url_param_length - Maximum length of parameter in URL. type: dict
- action - Action. type: str choices: allow, block
- length - Maximum length of URL parameter in bytes (0 to 2147483647). type: int
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- version - Enable/disable HTTP version check. type: dict
- action - Action. type: str choices: allow, block
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Enable/disable the constraint. type: str choices: enable, disable
- extended_log - Enable/disable extended logging. type: str choices: enable, disable
- external - Disable/Enable external HTTP Inspection. type: str choices: disable, enable
- method - Method restriction. type: dict
- default_allowed_methods - Methods. type: str choices: get, post, put, head, connect, trace, options, delete, others
- log - Enable/disable logging. type: str choices: enable, disable
- method_policy - HTTP method policy. type: list
- address - Host address. Source firewall.address.name firewall.addrgrp.name. type: str
- allowed_methods - Allowed Methods. type: str choices: get, post, put, head, connect, trace, options, delete, others
- id - HTTP method policy ID. type: int required: True
- pattern - URL pattern. type: str
- regex - Enable/disable regular expression based pattern match. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Status. type: str choices: enable, disable
- name - WAF Profile name. type: str required: True
- signature - WAF signatures. type: dict
- credit_card_detection_threshold - The minimum number of Credit cards to detect violation. type: int
- custom_signature - Custom signature. type: list
- action - Action. type: str choices: allow, block, erase
- case_sensitivity - Case sensitivity in pattern. type: str choices: disable, enable
- direction - Traffic direction. type: str choices: request, response
- log - Enable/disable logging. type: str choices: enable, disable
- name - Signature name. type: str required: True
- pattern - Match pattern. type: str
- severity - Severity. type: str choices: high, medium, low
- status - Status. type: str choices: enable, disable
- target - Match HTTP target. type: str choices: arg, arg-name, req-body, req-cookie, req-cookie-name, req-filename, req-header, req-header-name, req-raw-uri, req-uri, resp-body, resp-hdr, resp-status
- disabled_signature - Disabled signatures type: list
- id - Signature ID. Source waf.signature.id. type: int required: True
- disabled_sub_class - Disabled signature subclasses. type: list
- id - Signature subclass ID. Source waf.sub-class.id. type: int required: True
- main_class - Main signature class. type: list
- action - Action. type: str choices: allow, block, erase
- id - Main signature class ID. Source waf.main-class.id. type: int required: True
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
- status - Status. type: str choices: enable, disable
- url_access - URL access list type: list
- access_pattern - URL access pattern. type: list
- id - URL access pattern ID. type: int required: True
- negate - Enable/disable match negation. type: str choices: enable, disable
- pattern - URL pattern. type: str
- regex - Enable/disable regular expression based pattern match. type: str choices: enable, disable
- srcaddr - Source address. Source firewall.address.name firewall.addrgrp.name. type: str
- action - Action. type: str choices: bypass, permit, block
- address - Host address. Source firewall.address.name firewall.addrgrp.name. type: str
- id - URL access ID. type: int required: True
- log - Enable/disable logging. type: str choices: enable, disable
- severity - Severity. type: str choices: high, medium, low
Examples¶
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Web application firewall configuration.
fortios_waf_profile:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
waf_profile:
address_list:
blocked_address:
-
name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
blocked_log: "enable"
severity: "high"
status: "enable"
trusted_address:
-
name: "default_name_10 (source firewall.address.name firewall.addrgrp.name)"
comment: "Comment."
constraint:
content_length:
action: "allow"
length: "15"
log: "enable"
severity: "high"
status: "enable"
exception:
-
address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
content_length: "enable"
header_length: "enable"
hostname: "enable"
id: "24"
line_length: "enable"
malformed: "enable"
max_cookie: "enable"
max_header_line: "enable"
max_range_segment: "enable"
max_url_param: "enable"
method: "enable"
param_length: "enable"
pattern: "<your_own_value>"
regex: "enable"
url_param_length: "enable"
version: "enable"
header_length:
action: "allow"
length: "39"
log: "enable"
severity: "high"
status: "enable"
hostname:
action: "allow"
log: "enable"
severity: "high"
status: "enable"
line_length:
action: "allow"
length: "50"
log: "enable"
severity: "high"
status: "enable"
malformed:
action: "allow"
log: "enable"
severity: "high"
status: "enable"
max_cookie:
action: "allow"
log: "enable"
max_cookie: "62"
severity: "high"
status: "enable"
max_header_line:
action: "allow"
log: "enable"
max_header_line: "68"
severity: "high"
status: "enable"
max_range_segment:
action: "allow"
log: "enable"
max_range_segment: "74"
severity: "high"
status: "enable"
max_url_param:
action: "allow"
log: "enable"
max_url_param: "80"
severity: "high"
status: "enable"
method:
action: "allow"
log: "enable"
severity: "high"
status: "enable"
param_length:
action: "allow"
length: "90"
log: "enable"
severity: "high"
status: "enable"
url_param_length:
action: "allow"
length: "96"
log: "enable"
severity: "high"
status: "enable"
version:
action: "allow"
log: "enable"
severity: "high"
status: "enable"
extended_log: "enable"
external: "disable"
method:
default_allowed_methods: "get"
log: "enable"
method_policy:
-
address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
allowed_methods: "get"
id: "113"
pattern: "<your_own_value>"
regex: "enable"
severity: "high"
status: "enable"
name: "default_name_118"
signature:
credit_card_detection_threshold: "120"
custom_signature:
-
action: "allow"
case_sensitivity: "disable"
direction: "request"
log: "enable"
name: "default_name_126"
pattern: "<your_own_value>"
severity: "high"
status: "enable"
target: "arg"
disabled_signature:
-
id: "132 (source waf.signature.id)"
disabled_sub_class:
-
id: "134 (source waf.sub-class.id)"
main_class:
-
action: "allow"
id: "137 (source waf.main-class.id)"
log: "enable"
severity: "high"
status: "enable"
url_access:
-
access_pattern:
-
id: "143"
negate: "enable"
pattern: "<your_own_value>"
regex: "enable"
srcaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
action: "bypass"
address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
id: "150"
log: "enable"
severity: "high"
Return Values¶
Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:
- build - Build number of the fortigate image returned: always type: str sample: 1547
- http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
- http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
- mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
- name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
- path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
- revision - Internal revision number returned: always type: str sample: 17.0.2.10658
- serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
- status - Indication of the operation's result returned: always type: str sample: success
- vdom - Virtual domain used returned: always type: str sample: root
- version - Version of the FortiGate returned: always type: str sample: v5.6.3