fortios_waf_profile – Configure Web application firewall configuration in Fortinet’s FortiOS and FortiGate.

New in version 2.0.0.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify waf feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.14

Tips

Using member operation to add an element to an existing object.

FortiOS Version Compatibility


Supported Version Ranges
fortios_waf_profile v6.0.0 -> latest

Parameters

  • access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
  • enable_log - Enable/Disable logging for task. type: bool required: false default: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • member_path - Member attribute path to operate on. type: str
  • member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
  • state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
  • waf_profile - Configure Web application firewall configuration. type: dict more...
    • address_list - Address block and allow lists. type: dict more...
      • blocked_address - Blocked address. type: list member_path: address_list/blocked_address:name more...
        • name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: true more...
      • blocked_log - Enable/disable logging on blocked addresses. type: str choices: enable, disable more...
      • severity - Severity. type: str choices: high, medium, low more...
      • status - Status. type: str choices: enable, disable more...
      • trusted_address - Trusted address. type: list member_path: address_list/trusted_address:name more...
        • name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: true more...
    • comment - Comment. type: str more...
    • constraint - WAF HTTP protocol restrictions. type: dict more...
      • content_length - HTTP content length in request. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • length - Length of HTTP content in bytes (0 to 2147483647). type: int more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • exception - HTTP constraint exception. type: list member_path: constraint/exception:id more...
        • address - Host address. Source firewall.address.name firewall.addrgrp.name. type: str more...
        • content_length - HTTP content length in request. type: str choices: enable, disable more...
        • header_length - HTTP header length in request. type: str choices: enable, disable more...
        • hostname - Enable/disable hostname check. type: str choices: enable, disable more...
        • id - Exception ID. see Notes. type: int required: true more...
        • line_length - HTTP line length in request. type: str choices: enable, disable more...
        • malformed - Enable/disable malformed HTTP request check. type: str choices: enable, disable more...
        • max_cookie - Maximum number of cookies in HTTP request. type: str choices: enable, disable more...
        • max_header_line - Maximum number of HTTP header line. type: str choices: enable, disable more...
        • max_range_segment - Maximum number of range segments in HTTP range line. type: str choices: enable, disable more...
        • max_url_param - Maximum number of parameters in URL. type: str choices: enable, disable more...
        • method - Enable/disable HTTP method check. type: str choices: enable, disable more...
        • param_length - Maximum length of parameter in URL, HTTP POST request or HTTP body. type: str choices: enable, disable more...
        • pattern - URL pattern. type: str more...
        • regex - Enable/disable regular expression based pattern match. type: str choices: enable, disable more...
        • url_param_length - Maximum length of parameter in URL. type: str choices: enable, disable more...
        • version - Enable/disable HTTP version check. type: str choices: enable, disable more...
      • header_length - HTTP header length in request. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • length - Length of HTTP header in bytes (0 to 2147483647). type: int more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • hostname - Enable/disable hostname check. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • line_length - HTTP line length in request. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • length - Length of HTTP line in bytes (0 to 2147483647). type: int more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • malformed - Enable/disable malformed HTTP request check. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • max_cookie - Maximum number of cookies in HTTP request. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • max_cookie - Maximum number of cookies in HTTP request (0 to 2147483647). type: int more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • max_header_line - Maximum number of HTTP header line. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • max_header_line - Maximum number HTTP header lines (0 to 2147483647). type: int more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • max_range_segment - Maximum number of range segments in HTTP range line. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • max_range_segment - Maximum number of range segments in HTTP range line (0 to 2147483647). type: int more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • max_url_param - Maximum number of parameters in URL. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • max_url_param - Maximum number of parameters in URL (0 to 2147483647). type: int more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • method - Enable/disable HTTP method check. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • param_length - Maximum length of parameter in URL, HTTP POST request or HTTP body. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • length - Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647). type: int more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • url_param_length - Maximum length of parameter in URL. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • length - Maximum length of URL parameter in bytes (0 to 2147483647). type: int more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
      • version - Enable/disable HTTP version check. type: dict more...
        • action - Action. type: str choices: allow, block more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Enable/disable the constraint. type: str choices: enable, disable more...
    • extended_log - Enable/disable extended logging. type: str choices: enable, disable more...
    • external - Disable/Enable external HTTP Inspection. type: str choices: disable, enable more...
    • method - Method restriction. type: dict more...
      • default_allowed_methods - Methods. type: list choices: get, post, put, head, connect, trace, options, delete, others more...
      • log - Enable/disable logging. type: str choices: enable, disable more...
      • method_policy - HTTP method policy. type: list member_path: method/method_policy:id more...
        • address - Host address. Source firewall.address.name firewall.addrgrp.name. type: str more...
        • allowed_methods - Allowed Methods. type: list choices: get, post, put, head, connect, trace, options, delete, others more...
        • id - HTTP method policy ID. see Notes. type: int required: true more...
        • pattern - URL pattern. type: str more...
        • regex - Enable/disable regular expression based pattern match. type: str choices: enable, disable more...
      • severity - Severity. type: str choices: high, medium, low more...
      • status - Status. type: str choices: enable, disable more...
    • name - WAF Profile name. type: str required: true more...
    • signature - WAF signatures. type: dict more...
      • credit_card_detection_threshold - The minimum number of Credit cards to detect violation. type: int more...
      • custom_signature - Custom signature. type: list member_path: signature/custom_signature:name more...
        • action - Action. type: str choices: allow, block, erase more...
        • case_sensitivity - Case sensitivity in pattern. type: str choices: disable, enable more...
        • direction - Traffic direction. type: str choices: request, response more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • name - Signature name. type: str required: true more...
        • pattern - Match pattern. type: str more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Status. type: str choices: enable, disable more...
        • target - Match HTTP target. type: list choices: arg, arg-name, req-body, req-cookie, req-cookie-name, req-filename, req-header, req-header-name, req-raw-uri, req-uri, resp-body, resp-hdr, resp-status more...
      • disabled_signature - Disabled signatures. type: list member_path: signature/disabled_signature:id more...
        • id - Signature ID. see Notes. Source waf.signature.id. type: int required: true more...
      • disabled_sub_class - Disabled signature subclasses. type: list member_path: signature/disabled_sub_class:id more...
        • id - Signature subclass ID. see Notes. Source waf.sub-class.id. type: int required: true more...
      • main_class - Main signature class. type: list member_path: signature/main_class:id more...
        • action - Action. type: str choices: allow, block, erase more...
        • id - Main signature class ID. see Notes. Source waf.main-class.id. type: int required: true more...
        • log - Enable/disable logging. type: str choices: enable, disable more...
        • severity - Severity. type: str choices: high, medium, low more...
        • status - Status. type: str choices: enable, disable more...
    • url_access - URL access list. type: list member_path: url_access:id more...
      • access_pattern - URL access pattern. type: list member_path: url_access:id/access_pattern:id more...
        • id - URL access pattern ID. see Notes. type: int required: true more...
        • negate - Enable/disable match negation. type: str choices: enable, disable more...
        • pattern - URL pattern. type: str more...
        • regex - Enable/disable regular expression based pattern match. type: str choices: enable, disable more...
        • srcaddr - Source address. Source firewall.address.name firewall.addrgrp.name. type: str more...
      • action - Action. type: str choices: bypass, permit, block more...
      • address - Host address. Source firewall.address.name firewall.addrgrp.name. type: str more...
      • id - URL access ID. see Notes. type: int required: true more...
      • log - Enable/disable logging. type: str choices: enable, disable more...
      • severity - Severity. type: str choices: high, medium, low more...

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- name: Configure Web application firewall configuration.
  fortinet.fortios.fortios_waf_profile:
      vdom: "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      waf_profile:
          address_list:
              blocked_address:
                  -
                      name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
              blocked_log: "enable"
              severity: "high"
              status: "enable"
              trusted_address:
                  -
                      name: "default_name_10 (source firewall.address.name firewall.addrgrp.name)"
          comment: "Comment."
          constraint:
              content_length:
                  action: "allow"
                  length: "67108864"
                  log: "enable"
                  severity: "high"
                  status: "enable"
              exception:
                  -
                      address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                      content_length: "enable"
                      header_length: "enable"
                      hostname: "enable"
                      id: "24"
                      line_length: "enable"
                      malformed: "enable"
                      max_cookie: "enable"
                      max_header_line: "enable"
                      max_range_segment: "enable"
                      max_url_param: "enable"
                      method: "enable"
                      param_length: "enable"
                      pattern: "<your_own_value>"
                      regex: "enable"
                      url_param_length: "enable"
                      version: "enable"
              header_length:
                  action: "allow"
                  length: "8192"
                  log: "enable"
                  severity: "high"
                  status: "enable"
              hostname:
                  action: "allow"
                  log: "enable"
                  severity: "high"
                  status: "enable"
              line_length:
                  action: "allow"
                  length: "1024"
                  log: "enable"
                  severity: "high"
                  status: "enable"
              malformed:
                  action: "allow"
                  log: "enable"
                  severity: "high"
                  status: "enable"
              max_cookie:
                  action: "allow"
                  log: "enable"
                  max_cookie: "16"
                  severity: "high"
                  status: "enable"
              max_header_line:
                  action: "allow"
                  log: "enable"
                  max_header_line: "32"
                  severity: "high"
                  status: "enable"
              max_range_segment:
                  action: "allow"
                  log: "enable"
                  max_range_segment: "5"
                  severity: "high"
                  status: "enable"
              max_url_param:
                  action: "allow"
                  log: "enable"
                  max_url_param: "16"
                  severity: "high"
                  status: "enable"
              method:
                  action: "allow"
                  log: "enable"
                  severity: "high"
                  status: "enable"
              param_length:
                  action: "allow"
                  length: "8192"
                  log: "enable"
                  severity: "high"
                  status: "enable"
              url_param_length:
                  action: "allow"
                  length: "8192"
                  log: "enable"
                  severity: "high"
                  status: "enable"
              version:
                  action: "allow"
                  log: "enable"
                  severity: "high"
                  status: "enable"
          extended_log: "enable"
          external: "disable"
          method:
              default_allowed_methods: "get"
              log: "enable"
              method_policy:
                  -
                      address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                      allowed_methods: "get"
                      id: "113"
                      pattern: "<your_own_value>"
                      regex: "enable"
              severity: "high"
              status: "enable"
          name: "default_name_118"
          signature:
              credit_card_detection_threshold: "3"
              custom_signature:
                  -
                      action: "allow"
                      case_sensitivity: "disable"
                      direction: "request"
                      log: "enable"
                      name: "default_name_126"
                      pattern: "<your_own_value>"
                      severity: "high"
                      status: "enable"
                      target: "arg"
              disabled_signature:
                  -
                      id: "132 (source waf.signature.id)"
              disabled_sub_class:
                  -
                      id: "134 (source waf.sub-class.id)"
              main_class:
                  -
                      action: "allow"
                      id: "137 (source waf.main-class.id)"
                      log: "enable"
                      severity: "high"
                      status: "enable"
          url_access:
              -
                  access_pattern:
                      -
                          id: "143"
                          negate: "enable"
                          pattern: "<your_own_value>"
                          regex: "enable"
                          srcaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                  action: "bypass"
                  address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                  id: "150"
                  log: "enable"
                  severity: "high"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • build - Build number of the fortigate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.