fortios_waf_profile – Web application firewall configuration in Fortinet’s FortiOS and FortiGate.¶

New in version 2.10.

Synopsis
Requirements
FortiOS Version Compatibility
Parameters
Notes
Examples
Return Values
Status
Authors

Synopsis ¶

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify waf feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements ¶

The below requirements are needed on the host that executes this module.

ansible>=2.9.0

FortiOS Version Compatibility ¶

	`v6.0.0`	`v6.0.5`	`v6.0.11`	`v6.2.0`	`v6.2.3`	`v6.2.5`	`v6.2.7`	`v6.4.0`	`v6.4.1`	`v6.4.4`	`v7.0.0`
fortios_waf_profile	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes

Parameters ¶

access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: False
enable_log - Enable/Disable logging for task. type: bool required: False default: False
vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
state - Indicates whether to create or remove the object. type: str required: True choices: present, absent
waf_profile - Web application firewall configuration. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

waf_profile yes yes yes yes yes yes yes yes yes yes yes

address_list - Black address list and white address list. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

address_list yes yes yes yes yes yes yes yes yes yes yes

blocked_address - Blocked address. type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

blocked_address yes yes yes yes yes yes yes yes yes yes yes

name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

name yes yes yes yes yes yes yes yes yes yes yes

blocked_log - Enable/disable logging on blocked addresses. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Status. type: str choices: enable, disable more...

trusted_address - Trusted address. type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

trusted_address yes yes yes yes yes yes yes yes yes yes yes

name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

name yes yes yes yes yes yes yes yes yes yes yes

comment - Comment. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

comment yes yes yes yes yes yes yes yes yes yes yes
constraint - WAF HTTP protocol restrictions. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

constraint yes yes yes yes yes yes yes yes yes yes yes

content_length - HTTP content length in request. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

content_length yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

length - Length of HTTP content in bytes (0 to 2147483647). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

length yes yes yes yes yes yes yes yes yes yes yes

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

exception - HTTP constraint exception. type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

exception yes yes yes yes yes yes yes yes yes yes yes

address - Host address. Source firewall.address.name firewall.addrgrp.name. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

address yes yes yes yes yes yes yes yes yes yes yes

content_length - HTTP content length in request. type: str choices: enable, disable more...

header_length - HTTP header length in request. type: str choices: enable, disable more...

hostname - Enable/disable hostname check. type: str choices: enable, disable more...

id - Exception ID. type: int required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

id yes yes yes yes yes yes yes yes yes yes yes

line_length - HTTP line length in request. type: str choices: enable, disable more...

malformed - Enable/disable malformed HTTP request check. type: str choices: enable, disable more...

max_cookie - Maximum number of cookies in HTTP request. type: str choices: enable, disable more...

max_header_line - Maximum number of HTTP header line. type: str choices: enable, disable more...

max_range_segment - Maximum number of range segments in HTTP range line. type: str choices: enable, disable more...

max_url_param - Maximum number of parameters in URL. type: str choices: enable, disable more...

method - Enable/disable HTTP method check. type: str choices: enable, disable more...

param_length - Maximum length of parameter in URL, HTTP POST request or HTTP body. type: str choices: enable, disable more...

pattern - URL pattern. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

pattern yes yes yes yes yes yes yes yes yes yes yes

regex - Enable/disable regular expression based pattern match. type: str choices: enable, disable more...

url_param_length - Maximum length of parameter in URL. type: str choices: enable, disable more...

version - Enable/disable HTTP version check. type: str choices: enable, disable more...

header_length - HTTP header length in request. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

header_length yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

length - Length of HTTP header in bytes (0 to 2147483647). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

length yes yes yes yes yes yes yes yes yes yes yes

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

hostname - Enable/disable hostname check. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

hostname yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

line_length - HTTP line length in request. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

line_length yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

length - Length of HTTP line in bytes (0 to 2147483647). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

length yes yes yes yes yes yes yes yes yes yes yes

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

malformed - Enable/disable malformed HTTP request check. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

malformed yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

max_cookie - Maximum number of cookies in HTTP request. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

max_cookie yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

log - Enable/disable logging. type: str choices: enable, disable more...

max_cookie - Maximum number of cookies in HTTP request (0 to 2147483647). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

max_cookie yes yes yes yes yes yes yes yes yes yes yes

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

max_header_line - Maximum number of HTTP header line. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

max_header_line yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

log - Enable/disable logging. type: str choices: enable, disable more...

max_header_line - Maximum number HTTP header lines (0 to 2147483647). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

max_header_line yes yes yes yes yes yes yes yes yes yes yes

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

max_range_segment - Maximum number of range segments in HTTP range line. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

max_range_segment yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

log - Enable/disable logging. type: str choices: enable, disable more...

max_range_segment - Maximum number of range segments in HTTP range line (0 to 2147483647). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

max_range_segment yes yes yes yes yes yes yes yes yes yes yes

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

max_url_param - Maximum number of parameters in URL. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

max_url_param yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

log - Enable/disable logging. type: str choices: enable, disable more...

max_url_param - Maximum number of parameters in URL (0 to 2147483647). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

max_url_param yes yes yes yes yes yes yes yes yes yes yes

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

method - Enable/disable HTTP method check. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

method yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

param_length - Maximum length of parameter in URL, HTTP POST request or HTTP body. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

param_length yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

length - Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

length yes yes yes yes yes yes yes yes yes yes yes

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

url_param_length - Maximum length of parameter in URL. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

url_param_length yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

length - Maximum length of URL parameter in bytes (0 to 2147483647). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

length yes yes yes yes yes yes yes yes yes yes yes

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

version - Enable/disable HTTP version check. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

version yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block more...

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Enable/disable the constraint. type: str choices: enable, disable more...

extended_log - Enable/disable extended logging. type: str choices: enable, disable more...

external - Disable/Enable external HTTP Inspection. type: str choices: disable, enable more...

method - Method restriction. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

method yes yes yes yes yes yes yes yes yes yes yes

default_allowed_methods - Methods. type: list choices: get, post, put, head, connect, trace, options, delete, others more...

log - Enable/disable logging. type: str choices: enable, disable more...

method_policy - HTTP method policy. type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

method_policy yes yes yes yes yes yes yes yes yes yes yes

address - Host address. Source firewall.address.name firewall.addrgrp.name. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

address yes yes yes yes yes yes yes yes yes yes yes

allowed_methods - Allowed Methods. type: str choices: get, post, put, head, connect, trace, options, delete, others more...

id - HTTP method policy ID. type: int required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

id yes yes yes yes yes yes yes yes yes yes yes
pattern - URL pattern. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

pattern yes yes yes yes yes yes yes yes yes yes yes

regex - Enable/disable regular expression based pattern match. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Status. type: str choices: enable, disable more...

name - WAF Profile name. type: str required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

name yes yes yes yes yes yes yes yes yes yes yes
signature - WAF signatures. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

signature yes yes yes yes yes yes yes yes yes yes yes

credit_card_detection_threshold - The minimum number of Credit cards to detect violation. type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

credit_card_detection_threshold yes yes yes yes yes yes yes yes yes yes yes
custom_signature - Custom signature. type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

custom_signature yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block, erase more...

case_sensitivity - Case sensitivity in pattern. type: str choices: disable, enable more...

direction - Traffic direction. type: str choices: request, response more...

log - Enable/disable logging. type: str choices: enable, disable more...

name - Signature name. type: str required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

name yes yes yes yes yes yes yes yes yes yes yes
pattern - Match pattern. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

pattern yes yes yes yes yes yes yes yes yes yes yes

severity - Severity. type: str choices: high, medium, low more...

status - Status. type: str choices: enable, disable more...

target - Match HTTP target. type: str choices: arg, arg-name, req-body, req-cookie, req-cookie-name, req-filename, req-header, req-header-name, req-raw-uri, req-uri, resp-body, resp-hdr, resp-status more...

disabled_signature - Disabled signatures type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

disabled_signature yes yes yes yes yes yes yes yes yes yes yes

id - Signature ID. Source waf.signature.id. type: int required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

id yes yes yes yes yes yes yes yes yes yes yes

disabled_sub_class - Disabled signature subclasses. type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

disabled_sub_class yes yes yes yes yes yes yes yes yes yes yes

id - Signature subclass ID. Source waf.sub-class.id. type: int required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

id yes yes yes yes yes yes yes yes yes yes yes

main_class - Main signature class. type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

main_class yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: allow, block, erase more...

id - Main signature class ID. Source waf.main-class.id. type: int required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

id yes yes yes yes yes yes yes yes yes yes yes

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

status - Status. type: str choices: enable, disable more...

url_access - URL access list type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

url_access yes yes yes yes yes yes yes yes yes yes yes

access_pattern - URL access pattern. type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

access_pattern yes yes yes yes yes yes yes yes yes yes yes

id - URL access pattern ID. type: int required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

id yes yes yes yes yes yes yes yes yes yes yes

negate - Enable/disable match negation. type: str choices: enable, disable more...

pattern - URL pattern. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

pattern yes yes yes yes yes yes yes yes yes yes yes

regex - Enable/disable regular expression based pattern match. type: str choices: enable, disable more...

srcaddr - Source address. Source firewall.address.name firewall.addrgrp.name. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

srcaddr yes yes yes yes yes yes yes yes yes yes yes

action - Action. type: str choices: bypass, permit, block more...

address - Host address. Source firewall.address.name firewall.addrgrp.name. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

address yes yes yes yes yes yes yes yes yes yes yes
id - URL access ID. type: int required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

id yes yes yes yes yes yes yes yes yes yes yes

log - Enable/disable logging. type: str choices: enable, disable more...

severity - Severity. type: str choices: high, medium, low more...

Notes ¶

Note

Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples ¶

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Web application firewall configuration.
    fortios_waf_profile:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      waf_profile:
        address_list:
            blocked_address:
             -
                name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
            blocked_log: "enable"
            severity: "high"
            status: "enable"
            trusted_address:
             -
                name: "default_name_10 (source firewall.address.name firewall.addrgrp.name)"
        comment: "Comment."
        constraint:
            content_length:
                action: "allow"
                length: "15"
                log: "enable"
                severity: "high"
                status: "enable"
            exception:
             -
                address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                content_length: "enable"
                header_length: "enable"
                hostname: "enable"
                id:  "24"
                line_length: "enable"
                malformed: "enable"
                max_cookie: "enable"
                max_header_line: "enable"
                max_range_segment: "enable"
                max_url_param: "enable"
                method: "enable"
                param_length: "enable"
                pattern: "<your_own_value>"
                regex: "enable"
                url_param_length: "enable"
                version: "enable"
            header_length:
                action: "allow"
                length: "39"
                log: "enable"
                severity: "high"
                status: "enable"
            hostname:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
            line_length:
                action: "allow"
                length: "50"
                log: "enable"
                severity: "high"
                status: "enable"
            malformed:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
            max_cookie:
                action: "allow"
                log: "enable"
                max_cookie: "62"
                severity: "high"
                status: "enable"
            max_header_line:
                action: "allow"
                log: "enable"
                max_header_line: "68"
                severity: "high"
                status: "enable"
            max_range_segment:
                action: "allow"
                log: "enable"
                max_range_segment: "74"
                severity: "high"
                status: "enable"
            max_url_param:
                action: "allow"
                log: "enable"
                max_url_param: "80"
                severity: "high"
                status: "enable"
            method:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
            param_length:
                action: "allow"
                length: "90"
                log: "enable"
                severity: "high"
                status: "enable"
            url_param_length:
                action: "allow"
                length: "96"
                log: "enable"
                severity: "high"
                status: "enable"
            version:
                action: "allow"
                log: "enable"
                severity: "high"
                status: "enable"
        extended_log: "enable"
        external: "disable"
        method:
            default_allowed_methods: "get"
            log: "enable"
            method_policy:
             -
                address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                allowed_methods: "get"
                id:  "113"
                pattern: "<your_own_value>"
                regex: "enable"
            severity: "high"
            status: "enable"
        name: "default_name_118"
        signature:
            credit_card_detection_threshold: "120"
            custom_signature:
             -
                action: "allow"
                case_sensitivity: "disable"
                direction: "request"
                log: "enable"
                name: "default_name_126"
                pattern: "<your_own_value>"
                severity: "high"
                status: "enable"
                target: "arg"
            disabled_signature:
             -
                id:  "132 (source waf.signature.id)"
            disabled_sub_class:
             -
                id:  "134 (source waf.sub-class.id)"
            main_class:
             -
                action: "allow"
                id:  "137 (source waf.main-class.id)"
                log: "enable"
                severity: "high"
                status: "enable"
        url_access:
         -
            access_pattern:
             -
                id:  "143"
                negate: "enable"
                pattern: "<your_own_value>"
                regex: "enable"
                srcaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
            action: "bypass"
            address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
            id:  "150"
            log: "enable"
            severity: "high"

Return Values ¶

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

build - Build number of the fortigate image returned: always type: str sample: 1547
http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
revision - Internal revision number returned: always type: str sample: 17.0.2.10658
serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
status - Indication of the operation's result returned: always type: str sample: success
vdom - Virtual domain used returned: always type: str sample: root
version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status ¶

This module is not guaranteed to have a backwards compatible interface.

Authors ¶

Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.