fortios_webfilter_profile – Configure Web filter profiles in Fortinet’s FortiOS and FortiGate.

New in version 2.8.

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device, allowing the user to set and modify the webfilter feature and profile category. The examples include all parameters; their values need to be adjusted to your data sources before use. Tested with FOS v6.0.0.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

  • access_token - Token-based authentication. Generated from the FortiGate GUI. type: str required: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • state - Indicates whether to create or remove the object. This attribute was already present in previous versions at a deeper level; it has been moved out to this outer level. type: str required: False choices: present, absent
  • webfilter_profile - Configure Web filter profiles. type: dict
    • state - Deprecated. type: str required: False choices: present, absent
    • comment - Optional comments. type: str
    • extended_log - Enable/disable extended logging for web filtering. type: str choices: enable, disable
    • ftgd_wf - FortiGuard Web Filter settings. type: dict
      • exempt_quota - Do not stop quota for these categories. type: str
      • filters - FortiGuard filters. type: list
        • action - Action to take for matches. type: str choices: block, authenticate, monitor, warning
        • auth_usr_grp - Groups with permission to authenticate. type: str
        • category - Categories and groups the filter examines. type: int
        • id - ID number. type: int required: True
        • log - Enable/disable logging. type: str choices: enable, disable
        • override_replacemsg - Override replacement message. type: str
        • warn_duration - Duration of warnings. type: str
        • warning_duration_type - Re-display warning after closing browser or after a timeout. type: str choices: session, timeout
        • warning_prompt - Warning prompts in each category or each domain. type: str choices: per-domain, per-category
      • max_quota_timeout - Maximum FortiGuard quota used by single page view in seconds (excludes streams). type: int
      • options - Options for FortiGuard Web Filter. type: str choices: error-allow, rate-server-ip, connect-request-bypass, ftgd-disable
      • ovrd - Allow web filter profile overrides. type: str
      • quota - FortiGuard traffic quota settings. type: list
        • category - FortiGuard categories to apply quota to (category action must be set to monitor). type: str
        • duration - Duration of quota. type: str
        • id - ID number. type: int required: True
        • override_replacemsg - Override replacement message. type: str
        • type - Quota type. type: str choices: time, traffic
        • unit - Traffic quota unit of measurement. type: str choices: B, KB, MB, GB
        • value - Traffic quota value. type: int
      • rate_crl_urls - Enable/disable rating CRL by URL. type: str choices: disable, enable
      • rate_css_urls - Enable/disable rating CSS by URL. type: str choices: disable, enable
      • rate_image_urls - Enable/disable rating images by URL. type: str choices: disable, enable
      • rate_javascript_urls - Enable/disable rating JavaScript by URL. type: str choices: disable, enable
    • https_replacemsg - Enable replacement messages for HTTPS. type: str choices: enable, disable
    • inspection_mode - Web filtering inspection mode. type: str choices: proxy, flow-based
    • log_all_url - Enable/disable logging all URLs visited. type: str choices: enable, disable
    • name - Profile name. type: str required: True
    • options - Options. type: str choices: activexfilter, cookiefilter, javafilter, block-invalid-url, jscript, js, vbs, unknown, intrinsic, wf-referer, wf-cookie, per-user-bwl
    • override - Web Filter override settings. type: dict
      • ovrd_cookie - Allow/deny browser-based (cookie) overrides. type: str choices: allow, deny
      • ovrd_dur - Override duration. type: str
      • ovrd_dur_mode - Override duration mode. type: str choices: constant, ask
      • ovrd_scope - Override scope. type: str choices: user, user-group, ip, browser, ask
      • ovrd_user_group - User groups with permission to use the override. type: str
      • profile - Web filter profile with permission to create overrides. type: list
        • name - Web profile. Source webfilter.profile.name. type: str required: True
      • profile_attribute - Profile attribute to retrieve from the RADIUS server. type: str choices: User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id
      • profile_type - Override profile type. type: str choices: list, radius
    • ovrd_perm - Permitted override types. type: str choices: bannedword-override, urlfilter-override, fortiguard-wf-override, contenttype-check-override
    • post_action - Action taken for HTTP POST traffic. type: str choices: normal, block
    • replacemsg_group - Replacement message group. Source system.replacemsg-group.name. type: str
    • web - Web content filtering settings. type: dict
      • blacklist - Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist. type: str choices: enable, disable
      • bword_table - Banned word table ID. Source webfilter.content.id. type: int
      • bword_threshold - Banned word score threshold. type: int
      • content_header_list - Content header list. Source webfilter.content-header.id. type: int
      • keyword_match - Search keywords to log when match is found. type: str
      • log_search - Enable/disable logging all search phrases. type: str choices: enable, disable
      • safe_search - Safe search type. type: str choices: url, header
      • urlfilter_table - URL filter table ID. Source webfilter.urlfilter.id. type: int
      • whitelist - FortiGuard whitelist settings. type: str choices: exempt-av, exempt-webcontent, exempt-activex-java-cookie, exempt-dlp, exempt-rangeblock, extended-log-others
      • youtube_restrict - YouTube EDU filter level. type: str choices: none, strict, moderate
    • web_content_log - Enable/disable logging blocked web content. type: str choices: enable, disable
    • web_extended_all_action_log - Enable/disable extended any filter action logging for web filtering. type: str choices: enable, disable
    • web_filter_activex_log - Enable/disable logging ActiveX. type: str choices: enable, disable
    • web_filter_applet_log - Enable/disable logging Java applets. type: str choices: enable, disable
    • web_filter_command_block_log - Enable/disable logging blocked commands. type: str choices: enable, disable
    • web_filter_cookie_log - Enable/disable logging cookie filtering. type: str choices: enable, disable
    • web_filter_cookie_removal_log - Enable/disable logging blocked cookies. type: str choices: enable, disable
    • web_filter_js_log - Enable/disable logging JavaScript. type: str choices: enable, disable
    • web_filter_jscript_log - Enable/disable logging JScripts. type: str choices: enable, disable
    • web_filter_referer_log - Enable/disable logging referrers. type: str choices: enable, disable
    • web_filter_unknown_log - Enable/disable logging unknown scripts. type: str choices: enable, disable
    • web_filter_vbs_log - Enable/disable logging VBS scripts. type: str choices: enable, disable
    • web_ftgd_err_log - Enable/disable logging rating errors. type: str choices: enable, disable
    • web_ftgd_quota_usage - Enable/disable logging daily quota usage. type: str choices: enable, disable
    • web_invalid_domain_log - Enable/disable logging invalid domain names. type: str choices: enable, disable
    • web_url_log - Enable/disable logging URL filtering. type: str choices: enable, disable
    • wisp - Enable/disable web proxy WISP. type: str choices: enable, disable
    • wisp_algorithm - WISP server selection algorithm. type: str choices: primary-secondary, round-robin, auto-learning
    • wisp_servers - WISP servers. type: list
      • name - Server name. Source web-proxy.wisp.name. type: str required: True
    • youtube_channel_filter - YouTube channel filter. type: list
      • channel_id - YouTube channel ID to be filtered. type: str
      • comment - Comment. type: str
      • id - ID. type: int required: True
    • youtube_channel_status - YouTube channel filter status. type: str choices: disable, blacklist, whitelist

Notes

  • Legacy fortiosapi has been deprecated; httpapi is the preferred way to run playbooks.

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure Web filter profiles.
    fortios_webfilter_profile:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      webfilter_profile:
        comment: "Optional comments."
        extended_log: "enable"
        ftgd_wf:
            exempt_quota: "<your_own_value>"
            filters:
             -
                action: "block"
                auth_usr_grp:
                 -
                    name: "default_name_10 (source user.group.name)"
                category: "11"
                id:  "12"
                log: "enable"
                override_replacemsg: "<your_own_value>"
                warn_duration: "<your_own_value>"
                warning_duration_type: "session"
                warning_prompt: "per-domain"
            max_quota_timeout: "18"
            options: "error-allow"
            ovrd: "<your_own_value>"
            quota:
             -
                category: "<your_own_value>"
                duration: "<your_own_value>"
                id:  "24"
                override_replacemsg: "<your_own_value>"
                type: "time"
                unit: "B"
                value: "28"
            rate_crl_urls: "disable"
            rate_css_urls: "disable"
            rate_image_urls: "disable"
            rate_javascript_urls: "disable"
        https_replacemsg: "enable"
        inspection_mode: "proxy"
        log_all_url: "enable"
        name: "default_name_36"
        options: "activexfilter"
        override:
            ovrd_cookie: "allow"
            ovrd_dur: "<your_own_value>"
            ovrd_dur_mode: "constant"
            ovrd_scope: "user"
            ovrd_user_group:
             -
                name: "default_name_44 (source user.group.name)"
            profile:
             -
                name: "default_name_46 (source webfilter.profile.name)"
            profile_attribute: "User-Name"
            profile_type: "list"
        ovrd_perm: "bannedword-override"
        post_action: "normal"
        replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
        web:
            blacklist: "enable"
            bword_table: "54 (source webfilter.content.id)"
            bword_threshold: "55"
            content_header_list: "56 (source webfilter.content-header.id)"
            keyword_match:
             -
                pattern: "<your_own_value>"
            log_search: "enable"
            safe_search: "url"
            urlfilter_table: "61 (source webfilter.urlfilter.id)"
            whitelist: "exempt-av"
            youtube_restrict: "none"
        web_content_log: "enable"
        web_extended_all_action_log: "enable"
        web_filter_activex_log: "enable"
        web_filter_applet_log: "enable"
        web_filter_command_block_log: "enable"
        web_filter_cookie_log: "enable"
        web_filter_cookie_removal_log: "enable"
        web_filter_js_log: "enable"
        web_filter_jscript_log: "enable"
        web_filter_referer_log: "enable"
        web_filter_unknown_log: "enable"
        web_filter_vbs_log: "enable"
        web_ftgd_err_log: "enable"
        web_ftgd_quota_usage: "enable"
        web_invalid_domain_log: "enable"
        web_url_log: "enable"
        wisp: "enable"
        wisp_algorithm: "primary-secondary"
        wisp_servers:
         -
            name: "default_name_83 (source web-proxy.wisp.name)"
        youtube_channel_filter:
         -
            channel_id: "<your_own_value>"
            comment: "Comment."
            id:  "87"
        youtube_channel_status: "disable"
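
The example above lists every parameter with placeholder values, turns off certificate validation, and sets the FortiGuard option error-allow, which lets pages through when a rating lookup fails. The playbook below is an added example, not part of the module documentation: it applies a narrower profile with TLS validation on, the token taken from a variable, and logging enabled for filter decisions. It assumes the FortiGate presents a certificate the control host trusts and that fortigate_access_token is defined in an Ansible Vault file; the profile name and the category IDs are constructed sample values to replace with those from your device.

```yaml
# Added example: a restrictive web filter profile using only parameters
# documented on this page.
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: yes   # verify the FortiGate's TLS certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Block selected FortiGuard categories and log filter decisions
      fortios_webfilter_profile:
        vdom: "{{ vdom }}"
        state: "present"
        # Assumption: fortigate_access_token comes from an Ansible Vault file
        access_token: "{{ fortigate_access_token }}"
        webfilter_profile:
          name: "wf-baseline"             # hypothetical profile name
          comment: "Managed by Ansible"
          inspection_mode: "proxy"
          https_replacemsg: "enable"      # show the block page on HTTPS too
          options: "block-invalid-url"
          post_action: "normal"
          extended_log: "enable"
          log_all_url: "enable"
          web_url_log: "enable"
          web_content_log: "enable"
          web_ftgd_err_log: "enable"      # record FortiGuard rating errors
          web_invalid_domain_log: "enable"
          ftgd_wf:
            # ftgd_wf.options is left unset so error-allow is not enabled
            filters:
              - id: 1
                category: 26              # constructed sample category ID
                action: "block"
                log: "enable"
              - id: 2
                category: 61              # constructed sample category ID
                action: "block"
                log: "enable"
          override:
            ovrd_cookie: "deny"           # no browser-cookie overrides
      no_log: true                        # keep the token out of task output
```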

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values. The following fields are unique to this module:

  • build - Build number of the FortiGate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)
