fortios_webfilter_profile – Configure Web filter profiles in Fortinet’s FortiOS and FortiGate.

New in version 2.0.0.

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the webfilter feature and profile category. The examples include all parameters; their values need to be adjusted to your datasources before use. Tested with FOS v6.0.0.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.14

Tips

Using member operation to add an element to an existing object.

FortiOS Version Compatibility


Supported Version Ranges
fortios_webfilter_profile v6.0.0 -> latest

Parameters

  • access_token - Token-based authentication. Generated from the GUI of the FortiGate. type: str required: false
  • enable_log - Enable/Disable logging for task. type: bool required: false default: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • member_path - Member attribute path to operate on. type: str
  • member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
  • state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
  • webfilter_profile - Configure Web filter profiles. type: dict
    • antiphish - AntiPhishing profile. type: dict
      • authentication - Authentication methods. type: str choices: domain-controller, ldap
      • check_basic_auth - Enable/disable checking of HTTP Basic Auth field for known credentials. type: str choices: enable, disable
      • check_uri - Enable/disable checking of GET URI parameters for known credentials. type: str choices: enable, disable
      • check_username_only - Enable/disable username only matching of credentials. Action will be taken for valid usernames regardless of password validity. type: str choices: enable, disable
      • custom_patterns - Custom username and password regex patterns. type: list member_path: antiphish/custom_patterns:pattern
        • category - Category that the pattern matches. type: str choices: username, password
        • pattern - Target pattern. type: str required: true
        • type - Pattern will be treated either as a regex pattern or literal string. type: str choices: regex, literal
      • default_action - Action to be taken when there is no matching rule. type: str choices: exempt, log, block
      • domain_controller - Domain for which to verify received credentials against. Source user.domain-controller.name credential-store.domain-controller.server-name. type: str
      • inspection_entries - AntiPhishing entries. type: list member_path: antiphish/inspection_entries:name
        • action - Action to be taken upon an AntiPhishing match. type: str choices: exempt, log, block
        • fortiguard_category - FortiGuard category to match. type: list
        • name - Inspection target name. type: str required: true
      • ldap - LDAP server for which to verify received credentials against. Source user.ldap.name. type: str
      • max_body_len - Maximum size of a POST body to check for credentials. type: int
      • status - Toggle AntiPhishing functionality. type: str choices: enable, disable
    • comment - Optional comments. type: str
    • extended_log - Enable/disable extended logging for web filtering. type: str choices: enable, disable
    • feature_set - Flow/proxy feature set. type: str choices: flow, proxy
    • file_filter - File filter. type: dict
      • entries - File filter entries. type: list member_path: file_filter/entries:filter
        • action - Action taken for matched file. type: str choices: log, block
        • comment - Comment. type: str
        • direction - Match files transmitted in the session's originating or reply direction. type: str choices: incoming, outgoing, any
        • file_type - Select file type. type: list member_path: file_filter/entries:filter/file_type:name
          • name - File type name. Source antivirus.filetype.name. type: str required: true
        • filter - Add a file filter. type: str required: true
        • password_protected - Match password-protected files. type: str choices: yes, any
        • protocol - Protocols to apply with. type: list choices: http, ftp
      • log - Enable/disable file filter logging. type: str choices: enable, disable
      • scan_archive_contents - Enable/disable file filter archive contents scan. type: str choices: enable, disable
      • status - Enable/disable file filter. type: str choices: enable, disable
    • ftgd_wf - FortiGuard Web Filter settings. type: dict
      • exempt_quota - Do not stop quota for these categories. type: list
      • filters - FortiGuard filters. type: list member_path: ftgd_wf/filters:id
        • action - Action to take for matches. type: str choices: block, authenticate, monitor, warning
        • auth_usr_grp - Groups with permission to authenticate. type: list member_path: ftgd_wf/filters:id/auth_usr_grp:name
          • name - User group name. Source user.group.name. type: str required: true
        • category - Categories and groups the filter examines. type: int
        • id - ID number. See Notes. type: int required: true
        • log - Enable/disable logging. type: str choices: enable, disable
        • override_replacemsg - Override replacement message. type: str
        • warn_duration - Duration of warnings. type: str
        • warning_duration_type - Re-display warning after closing browser or after a timeout. type: str choices: session, timeout
        • warning_prompt - Warning prompts in each category or each domain. type: str choices: per-domain, per-category
      • max_quota_timeout - Maximum FortiGuard quota used by single page view in seconds (excludes streams). type: int
      • options - Options for FortiGuard Web Filter. type: list choices: error-allow, rate-server-ip, connect-request-bypass, ftgd-disable
      • ovrd - Allow web filter profile overrides. type: list
      • quota - FortiGuard traffic quota settings. type: list member_path: ftgd_wf/quota:id
        • category - FortiGuard categories to apply quota to (category action must be set to monitor). type: list
        • duration - Duration of quota. type: str
        • id - ID number. See Notes. type: int required: true
        • override_replacemsg - Override replacement message. type: str
        • type - Quota type. type: str choices: time, traffic
        • unit - Traffic quota unit of measurement. type: str choices: B, KB, MB, GB
        • value - Traffic quota value. type: int
      • rate_crl_urls - Enable/disable rating CRL by URL. type: str choices: disable, enable
      • rate_css_urls - Enable/disable rating CSS by URL. type: str choices: disable, enable
      • rate_image_urls - Enable/disable rating images by URL. type: str choices: disable, enable
      • rate_javascript_urls - Enable/disable rating JavaScript by URL. type: str choices: disable, enable
    • https_replacemsg - Enable replacement messages for HTTPS. type: str choices: enable, disable
    • inspection_mode - Web filtering inspection mode. type: str choices: proxy, flow-based
    • log_all_url - Enable/disable logging all URLs visited. type: str choices: enable, disable
    • name - Profile name. type: str required: true
    • options - Options. type: list choices: activexfilter, cookiefilter, javafilter, block-invalid-url, jscript, js, vbs, unknown, intrinsic, wf-referer, wf-cookie, per-user-bal, per-user-bwl
    • override - Web Filter override settings. type: dict
      • ovrd_cookie - Allow/deny browser-based (cookie) overrides. type: str choices: allow, deny
      • ovrd_dur - Override duration. type: str
      • ovrd_dur_mode - Override duration mode. type: str choices: constant, ask
      • ovrd_scope - Override scope. type: str choices: user, user-group, ip, browser, ask
      • ovrd_user_group - User groups with permission to use the override. type: list member_path: override/ovrd_user_group:name
        • name - User group name. Source user.group.name. type: str required: true
      • profile - Web filter profile with permission to create overrides. type: list member_path: override/profile:name
        • name - Web profile. Source webfilter.profile.name. type: str required: true
      • profile_attribute - Profile attribute to retrieve from the RADIUS server. type: str choices: User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id
      • profile_type - Override profile type. type: str choices: list, radius
    • ovrd_perm - Permitted override types. type: list choices: bannedword-override, urlfilter-override, fortiguard-wf-override, contenttype-check-override
    • post_action - Action taken for HTTP POST traffic. type: str choices: normal, block
    • replacemsg_group - Replacement message group. Source system.replacemsg-group.name. type: str
    • url_extraction - Configure URL Extraction. type: dict
      • redirect_header - HTTP header name to use for client redirect on blocked requests. type: str
      • redirect_no_content - Enable/disable empty message-body entity in HTTP response. type: str choices: enable, disable
      • redirect_url - HTTP header value to use for client redirect on blocked requests. type: str
      • server_fqdn - URL extraction server FQDN (fully qualified domain name). type: str
      • status - Enable URL Extraction. type: str choices: enable, disable
    • web - Web content filtering settings. type: dict
      • allowlist - FortiGuard allowlist settings. type: list choices: exempt-av, exempt-webcontent, exempt-activex-java-cookie, exempt-dlp, exempt-rangeblock, extended-log-others
      • blacklist - Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist. type: str choices: enable, disable
      • blocklist - Enable/disable automatic addition of URLs detected by FortiSandbox to blocklist. type: str choices: enable, disable
      • bword_table - Banned word table ID. Source webfilter.content.id. type: int
      • bword_threshold - Banned word score threshold. type: int
      • content_header_list - Content header list. Source webfilter.content-header.id. type: int
      • keyword_match - Search keywords to log when match is found. type: list member_path: web/keyword_match:pattern
        • pattern - Pattern/keyword to search for. type: str required: true
      • log_search - Enable/disable logging all search phrases. type: str choices: enable, disable
      • safe_search - Safe search type. type: list choices: url, header
      • urlfilter_table - URL filter table ID. Source webfilter.urlfilter.id. type: int
      • vimeo_restrict - Set Vimeo-restrict ("7" = don't show mature content, "134" = don't show unrated and mature content). A value of cookie "content_rating". type: str
      • whitelist - FortiGuard whitelist settings. type: list choices: exempt-av, exempt-webcontent, exempt-activex-java-cookie, exempt-dlp, exempt-rangeblock, extended-log-others
      • youtube_restrict - YouTube EDU filter level. type: str choices: none, strict, moderate
    • web_antiphishing_log - Enable/disable logging of AntiPhishing checks. type: str choices: enable, disable
    • web_content_log - Enable/disable logging blocked web content. type: str choices: enable, disable
    • web_extended_all_action_log - Enable/disable extended any filter action logging for web filtering. type: str choices: enable, disable
    • web_filter_activex_log - Enable/disable logging ActiveX. type: str choices: enable, disable
    • web_filter_applet_log - Enable/disable logging Java applets. type: str choices: enable, disable
    • web_filter_command_block_log - Enable/disable logging blocked commands. type: str choices: enable, disable
    • web_filter_cookie_log - Enable/disable logging cookie filtering. type: str choices: enable, disable
    • web_filter_cookie_removal_log - Enable/disable logging blocked cookies. type: str choices: enable, disable
    • web_filter_js_log - Enable/disable logging Java scripts. type: str choices: enable, disable
    • web_filter_jscript_log - Enable/disable logging JScripts. type: str choices: enable, disable
    • web_filter_referer_log - Enable/disable logging referrers. type: str choices: enable, disable
    • web_filter_unknown_log - Enable/disable logging unknown scripts. type: str choices: enable, disable
    • web_filter_vbs_log - Enable/disable logging VBS scripts. type: str choices: enable, disable
    • web_ftgd_err_log - Enable/disable logging rating errors. type: str choices: enable, disable
    • web_ftgd_quota_usage - Enable/disable logging daily quota usage. type: str choices: enable, disable
    • web_invalid_domain_log - Enable/disable logging invalid domain names. type: str choices: enable, disable
    • web_url_log - Enable/disable logging URL filtering. type: str choices: enable, disable
    • wisp - Enable/disable web proxy WISP. type: str choices: enable, disable
    • wisp_algorithm - WISP server selection algorithm. type: str choices: primary-secondary, round-robin, auto-learning
    • wisp_servers - WISP servers. type: list member_path: wisp_servers:name
      • name - Server name. Source web-proxy.wisp.name. type: str required: true
    • youtube_channel_filter - YouTube channel filter. type: list member_path: youtube_channel_filter:id
      • channel_id - YouTube channel ID to be filtered. type: str
      • comment - Comment. type: str
      • id - ID. See Notes. type: int required: true
    • youtube_channel_status - YouTube channel filter status. type: str choices: disable, blacklist, whitelist

Notes

  • Legacy fortiosapi has been deprecated; httpapi is the preferred way to run playbooks.

Examples

- name: Configure Web filter profiles.
  fortinet.fortios.fortios_webfilter_profile:
      vdom: "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      webfilter_profile:
          antiphish:
              authentication: "domain-controller"
              check_basic_auth: "enable"
              check_uri: "enable"
              check_username_only: "enable"
              custom_patterns:
                  -
                      category: "username"
                      pattern: "<your_own_value>"
                      type: "regex"
              default_action: "exempt"
              domain_controller: "<your_own_value> (source user.domain-controller.name credential-store.domain-controller.server-name)"
              inspection_entries:
                  -
                      action: "exempt"
                      fortiguard_category: "<your_own_value>"
                      name: "default_name_17"
              ldap: "<your_own_value> (source user.ldap.name)"
              max_body_len: "65536"
              status: "enable"
          comment: "Optional comments."
          extended_log: "enable"
          feature_set: "flow"
          file_filter:
              entries:
                  -
                      action: "log"
                      comment: "Comment."
                      direction: "incoming"
                      file_type:
                          -
                              name: "default_name_30 (source antivirus.filetype.name)"
                      filter: "<your_own_value>"
                      password_protected: "yes"
                      protocol: "http"
              log: "enable"
              scan_archive_contents: "enable"
              status: "enable"
          ftgd_wf:
              exempt_quota: "<your_own_value>"
              filters:
                  -
                      action: "block"
                      auth_usr_grp:
                          -
                              name: "default_name_42 (source user.group.name)"
                      category: "0"
                      id: "44"
                      log: "enable"
                      override_replacemsg: "<your_own_value>"
                      warn_duration: "<your_own_value>"
                      warning_duration_type: "session"
                      warning_prompt: "per-domain"
              max_quota_timeout: "300"
              options: "error-allow"
              ovrd: "<your_own_value>"
              quota:
                  -
                      category: "<your_own_value>"
                      duration: "<your_own_value>"
                      id: "56"
                      override_replacemsg: "<your_own_value>"
                      type: "time"
                      unit: "B"
                      value: "1024"
              rate_crl_urls: "disable"
              rate_css_urls: "disable"
              rate_image_urls: "disable"
              rate_javascript_urls: "disable"
          https_replacemsg: "enable"
          inspection_mode: "proxy"
          log_all_url: "enable"
          name: "default_name_68"
          options: "activexfilter"
          override:
              ovrd_cookie: "allow"
              ovrd_dur: "<your_own_value>"
              ovrd_dur_mode: "constant"
              ovrd_scope: "user"
              ovrd_user_group:
                  -
                      name: "default_name_76 (source user.group.name)"
              profile:
                  -
                      name: "default_name_78 (source webfilter.profile.name)"
              profile_attribute: "User-Name"
              profile_type: "list"
          ovrd_perm: "bannedword-override"
          post_action: "normal"
          replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
          url_extraction:
              redirect_header: "<your_own_value>"
              redirect_no_content: "enable"
              redirect_url: "<your_own_value>"
              server_fqdn: "<your_own_value>"
              status: "enable"
          web:
              allowlist: "exempt-av"
              blacklist: "enable"
              blocklist: "enable"
              bword_table: "0"
              bword_threshold: "10"
              content_header_list: "0"
              keyword_match:
                  -
                      pattern: "<your_own_value>"
              log_search: "enable"
              safe_search: "url"
              urlfilter_table: "0"
              vimeo_restrict: "<your_own_value>"
              whitelist: "exempt-av"
              youtube_restrict: "none"
          web_antiphishing_log: "enable"
          web_content_log: "enable"
          web_extended_all_action_log: "enable"
          web_filter_activex_log: "enable"
          web_filter_applet_log: "enable"
          web_filter_command_block_log: "enable"
          web_filter_cookie_log: "enable"
          web_filter_cookie_removal_log: "enable"
          web_filter_js_log: "enable"
          web_filter_jscript_log: "enable"
          web_filter_referer_log: "enable"
          web_filter_unknown_log: "enable"
          web_filter_vbs_log: "enable"
          web_ftgd_err_log: "enable"
          web_ftgd_quota_usage: "enable"
          web_invalid_domain_log: "enable"
          web_url_log: "enable"
          wisp: "enable"
          wisp_algorithm: "primary-secondary"
          wisp_servers:
              -
                  name: "default_name_125 (source web-proxy.wisp.name)"
          youtube_channel_filter:
              -
                  channel_id: "<your_own_value>"
                  comment: "Comment."
                  id: "129"
          youtube_channel_status: "disable"
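
The member operation mentioned under Tips, run over the httpapi connection that the Notes recommend, is shown in the added example below; it is not part of the module's own documentation. The inventory group fortigates, the vaulted variable fortigate_access_token, the profile name example_wf, the filter id 1 and the category value are assumptions to be replaced with your own.

```yaml
# Added example, not from the module documentation.
# Assumed names: inventory group "fortigates", variable
# "fortigate_access_token" (kept in Ansible Vault rather than in the
# playbook), profile "example_wf", filter id 1. wf_category is a placeholder.
- hosts: fortigates
  connection: httpapi
  gather_facts: false
  vars:
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify the FortiGate certificate
    ansible_httpapi_port: 443
    vdom: "root"
    wf_profile: "example_wf"
    wf_category: 0   # placeholder: FortiGuard category number to block
  tasks:
    # Create (or keep) the profile itself, with URL and rating-error logging.
    - name: Ensure the base web filter profile exists with logging enabled
      fortinet.fortios.fortios_webfilter_profile:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: "{{ fortigate_access_token }}"
        enable_log: true
        webfilter_profile:
          name: "{{ wf_profile }}"
          comment: "Managed by Ansible"
          log_all_url: "enable"
          web_url_log: "enable"
          web_ftgd_err_log: "enable"

    # member_path names the list (ftgd_wf/filters) and its key (id);
    # member_state acts on that one element of the existing profile.
    - name: Add one FortiGuard block filter to the existing profile
      fortinet.fortios.fortios_webfilter_profile:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: "{{ fortigate_access_token }}"
        member_path: "ftgd_wf/filters:id"
        member_state: "present"
        webfilter_profile:
          name: "{{ wf_profile }}"
          ftgd_wf:
            filters:
              - id: 1
                category: "{{ wf_category }}"
                action: "block"
                log: "enable"
```

Setting member_state to absent with the same member_path and id removes that single filter entry.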

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following fields are unique to this module:

  • build - Build number of the FortiGate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)
