fortios_waf_profile – Web application firewall configuration in Fortinet’s FortiOS and FortiGate
New in version 2.8.
Synopsis
- This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the profile category of the waf feature. The examples include all parameters; their values need to be adjusted to your own datasources before use. Tested with FOS v6.0.5.
Requirements
The following requirements must be met on the host that executes this module.
- fortiosapi>=0.9.8
Parameters
Nested parameters are shown as a dotted path under `waf_profile`; `[]` marks an entry of a list.

Parameter | Type | Choices/Defaults | Comments
---|---|---|---
host | string | | FortiOS or FortiGate IP address.
https | boolean | | Indicates if the requests towards FortiGate must use the HTTPS protocol.
password | string | Default: "" | FortiOS or FortiGate password.
ssl_verify | boolean (added in 2.9) | | Ensures the FortiGate certificate is verified by a proper CA.
state | string (added in 2.9) | | Indicates whether to create or remove the object. This attribute was already present in previous versions at a deeper level; it has been moved out to this outer level.
username | string | | FortiOS or FortiGate username.
vdom | string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
waf_profile | dictionary | Default: null | Web application firewall configuration.
waf_profile.address_list | dictionary | | Black address list and white address list.
waf_profile.address_list.blocked_address | list | | Blocked address.
waf_profile.address_list.blocked_address[].name | string / required | | Address name. Source firewall.address.name firewall.addrgrp.name.
waf_profile.address_list.blocked_log | string | | Enable/disable logging on blocked addresses.
waf_profile.address_list.severity | string | | Severity.
waf_profile.address_list.status | string | | Status.
waf_profile.address_list.trusted_address | list | | Trusted address.
waf_profile.address_list.trusted_address[].name | string / required | | Address name. Source firewall.address.name firewall.addrgrp.name.
waf_profile.comment | string | | Comment.
waf_profile.constraint | dictionary | | WAF HTTP protocol restrictions.
waf_profile.constraint.content_length | dictionary | | HTTP content length in request.
waf_profile.constraint.content_length.action | string | | Action.
waf_profile.constraint.content_length.length | integer | | Length of HTTP content in bytes (0 to 2147483647).
waf_profile.constraint.content_length.log | string | | Enable/disable logging.
waf_profile.constraint.content_length.severity | string | | Severity.
waf_profile.constraint.content_length.status | string | | Enable/disable the constraint.
waf_profile.constraint.exception | list | | HTTP constraint exception.
waf_profile.constraint.exception[].address | string | | Host address. Source firewall.address.name firewall.addrgrp.name.
waf_profile.constraint.exception[].content_length | string | | HTTP content length in request.
waf_profile.constraint.exception[].header_length | string | | HTTP header length in request.
waf_profile.constraint.exception[].hostname | string | | Enable/disable hostname check.
waf_profile.constraint.exception[].id | integer / required | | Exception ID.
waf_profile.constraint.exception[].line_length | string | | HTTP line length in request.
waf_profile.constraint.exception[].malformed | string | | Enable/disable malformed HTTP request check.
waf_profile.constraint.exception[].max_cookie | string | | Maximum number of cookies in HTTP request.
waf_profile.constraint.exception[].max_header_line | string | | Maximum number of HTTP header lines.
waf_profile.constraint.exception[].max_range_segment | string | | Maximum number of range segments in HTTP range line.
waf_profile.constraint.exception[].max_url_param | string | | Maximum number of parameters in URL.
waf_profile.constraint.exception[].method | string | | Enable/disable HTTP method check.
waf_profile.constraint.exception[].param_length | string | | Maximum length of parameter in URL, HTTP POST request or HTTP body.
waf_profile.constraint.exception[].pattern | string | | URL pattern.
waf_profile.constraint.exception[].regex | string | | Enable/disable regular expression based pattern match.
waf_profile.constraint.exception[].url_param_length | string | | Maximum length of parameter in URL.
waf_profile.constraint.exception[].version | string | | Enable/disable HTTP version check.
waf_profile.constraint.header_length | dictionary | | HTTP header length in request.
waf_profile.constraint.header_length.action | string | | Action.
waf_profile.constraint.header_length.length | integer | | Length of HTTP header in bytes (0 to 2147483647).
waf_profile.constraint.header_length.log | string | | Enable/disable logging.
waf_profile.constraint.header_length.severity | string | | Severity.
waf_profile.constraint.header_length.status | string | | Enable/disable the constraint.
waf_profile.constraint.hostname | dictionary | | Enable/disable hostname check.
waf_profile.constraint.hostname.action | string | | Action.
waf_profile.constraint.hostname.log | string | | Enable/disable logging.
waf_profile.constraint.hostname.severity | string | | Severity.
waf_profile.constraint.hostname.status | string | | Enable/disable the constraint.
waf_profile.constraint.line_length | dictionary | | HTTP line length in request.
waf_profile.constraint.line_length.action | string | | Action.
waf_profile.constraint.line_length.length | integer | | Length of HTTP line in bytes (0 to 2147483647).
waf_profile.constraint.line_length.log | string | | Enable/disable logging.
waf_profile.constraint.line_length.severity | string | | Severity.
waf_profile.constraint.line_length.status | string | | Enable/disable the constraint.
waf_profile.constraint.malformed | dictionary | | Enable/disable malformed HTTP request check.
waf_profile.constraint.malformed.action | string | | Action.
waf_profile.constraint.malformed.log | string | | Enable/disable logging.
waf_profile.constraint.malformed.severity | string | | Severity.
waf_profile.constraint.malformed.status | string | | Enable/disable the constraint.
waf_profile.constraint.max_cookie | dictionary | | Maximum number of cookies in HTTP request.
waf_profile.constraint.max_cookie.action | string | | Action.
waf_profile.constraint.max_cookie.log | string | | Enable/disable logging.
waf_profile.constraint.max_cookie.max_cookie | integer | | Maximum number of cookies in HTTP request (0 to 2147483647).
waf_profile.constraint.max_cookie.severity | string | | Severity.
waf_profile.constraint.max_cookie.status | string | | Enable/disable the constraint.
waf_profile.constraint.max_header_line | dictionary | | Maximum number of HTTP header lines.
waf_profile.constraint.max_header_line.action | string | | Action.
waf_profile.constraint.max_header_line.log | string | | Enable/disable logging.
waf_profile.constraint.max_header_line.max_header_line | integer | | Maximum number of HTTP header lines (0 to 2147483647).
waf_profile.constraint.max_header_line.severity | string | | Severity.
waf_profile.constraint.max_header_line.status | string | | Enable/disable the constraint.
waf_profile.constraint.max_range_segment | dictionary | | Maximum number of range segments in HTTP range line.
waf_profile.constraint.max_range_segment.action | string | | Action.
waf_profile.constraint.max_range_segment.log | string | | Enable/disable logging.
waf_profile.constraint.max_range_segment.max_range_segment | integer | | Maximum number of range segments in HTTP range line (0 to 2147483647).
waf_profile.constraint.max_range_segment.severity | string | | Severity.
waf_profile.constraint.max_range_segment.status | string | | Enable/disable the constraint.
waf_profile.constraint.max_url_param | dictionary | | Maximum number of parameters in URL.
waf_profile.constraint.max_url_param.action | string | | Action.
waf_profile.constraint.max_url_param.log | string | | Enable/disable logging.
waf_profile.constraint.max_url_param.max_url_param | integer | | Maximum number of parameters in URL (0 to 2147483647).
waf_profile.constraint.max_url_param.severity | string | | Severity.
waf_profile.constraint.max_url_param.status | string | | Enable/disable the constraint.
waf_profile.constraint.method | dictionary | | Enable/disable HTTP method check.
waf_profile.constraint.method.action | string | | Action.
waf_profile.constraint.method.log | string | | Enable/disable logging.
waf_profile.constraint.method.severity | string | | Severity.
waf_profile.constraint.method.status | string | | Enable/disable the constraint.
waf_profile.constraint.param_length | dictionary | | Maximum length of parameter in URL, HTTP POST request or HTTP body.
waf_profile.constraint.param_length.action | string | | Action.
waf_profile.constraint.param_length.length | integer | | Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647).
waf_profile.constraint.param_length.log | string | | Enable/disable logging.
waf_profile.constraint.param_length.severity | string | | Severity.
waf_profile.constraint.param_length.status | string | | Enable/disable the constraint.
waf_profile.constraint.url_param_length | dictionary | | Maximum length of parameter in URL.
waf_profile.constraint.url_param_length.action | string | | Action.
waf_profile.constraint.url_param_length.length | integer | | Maximum length of URL parameter in bytes (0 to 2147483647).
waf_profile.constraint.url_param_length.log | string | | Enable/disable logging.
waf_profile.constraint.url_param_length.severity | string | | Severity.
waf_profile.constraint.url_param_length.status | string | | Enable/disable the constraint.
waf_profile.constraint.version | dictionary | | Enable/disable HTTP version check.
waf_profile.constraint.version.action | string | | Action.
waf_profile.constraint.version.log | string | | Enable/disable logging.
waf_profile.constraint.version.severity | string | | Severity.
waf_profile.constraint.version.status | string | | Enable/disable the constraint.
waf_profile.extended_log | string | | Enable/disable extended logging.
waf_profile.external | string | | Disable/enable external HTTP inspection.
waf_profile.method | dictionary | | Method restriction.
waf_profile.method.default_allowed_methods | string | | Methods.
waf_profile.method.log | string | | Enable/disable logging.
waf_profile.method.method_policy | list | | HTTP method policy.
waf_profile.method.method_policy[].address | string | | Host address. Source firewall.address.name firewall.addrgrp.name.
waf_profile.method.method_policy[].allowed_methods | string | | Allowed methods.
waf_profile.method.method_policy[].id | integer / required | | HTTP method policy ID.
waf_profile.method.method_policy[].pattern | string | | URL pattern.
waf_profile.method.method_policy[].regex | string | | Enable/disable regular expression based pattern match.
waf_profile.method.method_policy[].severity | string | | Severity.
waf_profile.method.method_policy[].status | string | | Status.
waf_profile.name | string / required | | WAF profile name.
waf_profile.signature | dictionary | | WAF signatures.
waf_profile.signature.credit_card_detection_threshold | integer | | The minimum number of credit cards to detect a violation.
waf_profile.signature.custom_signature | list | | Custom signature.
waf_profile.signature.custom_signature[].action | string | | Action.
waf_profile.signature.custom_signature[].case_sensitivity | string | | Case sensitivity in pattern.
waf_profile.signature.custom_signature[].direction | string | | Traffic direction.
waf_profile.signature.custom_signature[].log | string | | Enable/disable logging.
waf_profile.signature.custom_signature[].name | string / required | | Signature name.
waf_profile.signature.custom_signature[].pattern | string | | Match pattern.
waf_profile.signature.custom_signature[].severity | string | | Severity.
waf_profile.signature.custom_signature[].status | string | | Status.
waf_profile.signature.custom_signature[].target | string | | Match HTTP target.
waf_profile.signature.disabled_signature | list | | Disabled signatures.
waf_profile.signature.disabled_signature[].id | integer / required | | Signature ID. Source waf.signature.id.
waf_profile.signature.disabled_sub_class | list | | Disabled signature subclasses.
waf_profile.signature.disabled_sub_class[].id | integer / required | | Signature subclass ID. Source waf.sub-class.id.
waf_profile.signature.main_class | list | | Main signature class.
waf_profile.signature.main_class[].action | string | | Action.
waf_profile.signature.main_class[].id | integer / required | | Main signature class ID. Source waf.main-class.id.
waf_profile.signature.main_class[].log | string | | Enable/disable logging.
waf_profile.signature.main_class[].severity | string | | Severity.
waf_profile.signature.main_class[].status | string | | Status.
waf_profile.state | string | | Deprecated. Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object.
waf_profile.url_access | list | | URL access list.
waf_profile.url_access[].access_pattern | list | | URL access pattern.
waf_profile.url_access[].access_pattern[].id | integer / required | | URL access pattern ID.
waf_profile.url_access[].access_pattern[].negate | string | | Enable/disable match negation.
waf_profile.url_access[].access_pattern[].pattern | string | | URL pattern.
waf_profile.url_access[].access_pattern[].regex | string | | Enable/disable regular expression based pattern match.
waf_profile.url_access[].access_pattern[].srcaddr | string | | Source address. Source firewall.address.name firewall.addrgrp.name.
waf_profile.url_access[].action | string | | Action.
waf_profile.url_access[].address | string | | Host address. Source firewall.address.name firewall.addrgrp.name.
waf_profile.url_access[].id | integer / required | | URL access ID.
waf_profile.url_access[].log | string | | Enable/disable logging.
waf_profile.url_access[].severity | string | | Severity.
Notes
- Requires the fortiosapi library developed by Fortinet.
- Run as a local_action in your playbook.
Examples
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
    ssl_verify: "False"
  tasks:
    - name: Web application firewall configuration.
      fortios_waf_profile:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        state: "present"
        waf_profile:
          address_list:
            blocked_address:
              - name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
            blocked_log: "enable"
            severity: "high"
            status: "enable"
            trusted_address:
              - name: "default_name_10 (source firewall.address.name firewall.addrgrp.name)"
          comment: "Comment."
          constraint:
            content_length:
              action: "allow"
              length: "15"
              log: "enable"
              severity: "high"
              status: "enable"
            exception:
              - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                content_length: "enable"
                header_length: "enable"
                hostname: "enable"
                id: "24"
                line_length: "enable"
                malformed: "enable"
                max_cookie: "enable"
                max_header_line: "enable"
                max_range_segment: "enable"
                max_url_param: "enable"
                method: "enable"
                param_length: "enable"
                pattern: "<your_own_value>"
                regex: "enable"
                url_param_length: "enable"
                version: "enable"
            header_length:
              action: "allow"
              length: "39"
              log: "enable"
              severity: "high"
              status: "enable"
            hostname:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            line_length:
              action: "allow"
              length: "50"
              log: "enable"
              severity: "high"
              status: "enable"
            malformed:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            max_cookie:
              action: "allow"
              log: "enable"
              max_cookie: "62"
              severity: "high"
              status: "enable"
            max_header_line:
              action: "allow"
              log: "enable"
              max_header_line: "68"
              severity: "high"
              status: "enable"
            max_range_segment:
              action: "allow"
              log: "enable"
              max_range_segment: "74"
              severity: "high"
              status: "enable"
            max_url_param:
              action: "allow"
              log: "enable"
              max_url_param: "80"
              severity: "high"
              status: "enable"
            method:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            param_length:
              action: "allow"
              length: "90"
              log: "enable"
              severity: "high"
              status: "enable"
            url_param_length:
              action: "allow"
              length: "96"
              log: "enable"
              severity: "high"
              status: "enable"
            version:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
          extended_log: "enable"
          external: "disable"
          method:
            default_allowed_methods: "get"
            log: "enable"
            method_policy:
              - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                allowed_methods: "get"
                id: "113"
                pattern: "<your_own_value>"
                regex: "enable"
                severity: "high"
                status: "enable"
          name: "default_name_118"
          signature:
            credit_card_detection_threshold: "120"
            custom_signature:
              - action: "allow"
                case_sensitivity: "disable"
                direction: "request"
                log: "enable"
                name: "default_name_126"
                pattern: "<your_own_value>"
                severity: "high"
                status: "enable"
                target: "arg"
            disabled_signature:
              - id: "132 (source waf.signature.id)"
            disabled_sub_class:
              - id: "134 (source waf.sub-class.id)"
            main_class:
              - action: "allow"
                id: "137 (source waf.main-class.id)"
                log: "enable"
                severity: "high"
                status: "enable"
          url_access:
            - access_pattern:
                - id: "143"
                  negate: "enable"
                  pattern: "<your_own_value>"
                  regex: "enable"
                  srcaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              action: "bypass"
              address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              id: "150"
              log: "enable"
              severity: "high"
```
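The sample above is a template: the synopsis says every value must be adjusted to real datasources before it is pushed. As an added pre-flight check (example code, not part of the module or of Fortinet's or Ansible's code), the lint below validates a `waf_profile` dict against what the parameter table documents: required keys in the list sub-tables, the 0 to 2147483647 bound on constraint limits, the deprecated nested `state`, and leftover sample placeholders such as `<your_own_value>`, `(source ...)` and `default_name_`. The placeholder strings and the `waf_profile` dict shape are assumptions taken from the sample playbook.

```python
# Added pre-flight lint for a fortios_waf_profile `waf_profile` dict. It is not part of
# the module; it only encodes what the parameter table above documents.
INT_MAX = 2147483647  # upper bound the table gives for every length/count limit
# (section, sub-table) -> key the table marks "required"; None means a top-level list.
REQUIRED_KEY = {
    ("address_list", "blocked_address"): "name",
    ("address_list", "trusted_address"): "name",
    ("constraint", "exception"): "id",
    ("method", "method_policy"): "id",
    ("signature", "custom_signature"): "name",
    ("signature", "disabled_signature"): "id",
    ("signature", "disabled_sub_class"): "id",
    ("signature", "main_class"): "id",
    ("url_access", None): "id",
}
RANGED = ("length", "max_cookie", "max_header_line", "max_range_segment", "max_url_param")
PLACEHOLDERS = ("<your_own_value>", "(source ", "default_name_")  # assumed, from the sample

def _string_leaves(node, path="waf_profile"):
    # Walk nested dicts/lists and yield (dotted path, value) for every string leaf.
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _string_leaves(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _string_leaves(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def lint_waf_profile(profile):
    problems = []  # an empty list means the profile passes
    if not profile.get("name"):
        problems.append("waf_profile.name is required")
    if "state" in profile:
        problems.append("waf_profile.state is deprecated since 2.9; use the task-level state")
    for (section, sub), key in REQUIRED_KEY.items():
        items = profile.get(section) if sub is None else (profile.get(section) or {}).get(sub)
        for i, item in enumerate(items or []):
            if not isinstance(item, dict) or item.get(key) in (None, ""):
                problems.append(f"{section}{'.' + sub if sub else ''}[{i}] missing required '{key}'")
    for cname, c in (profile.get("constraint") or {}).items():
        if cname == "exception" or not isinstance(c, dict):
            continue  # exception entries are on/off switches, not limit tables
        for f in RANGED:
            if f in c and not (str(c[f]).isdigit() and int(c[f]) <= INT_MAX):
                problems.append(f"constraint.{cname}.{f}={c[f]!r} is not in 0..{INT_MAX}")
    for path, value in _string_leaves(profile):
        if any(p in value for p in PLACEHOLDERS):
            problems.append(f"{path} still holds sample placeholder {value!r}")
    return problems
```

Run it on the `waf_profile` mapping loaded from your playbook (for example via `yaml.safe_load`) before the task executes; a non-empty list means the profile still needs editing.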
Return Values
Common return values are documented in the Ansible return values reference; the following fields are unique to this module:

Key | Type | Returned | Description | Sample
---|---|---|---|---
build | string | always | Build number of the FortiGate image | 1547
http_method | string | always | Last method used to provision the content into FortiGate | PUT
http_status | string | always | Last result given by FortiGate on the last operation applied | 200
mkey | string | success | Master key (id) used in the last call to FortiGate | id
name | string | always | Name of the table used to fulfill the request | urlfilter
path | string | always | Path of the table used to fulfill the request | webfilter
revision | string | always | Internal revision number | 17.0.2.10658
serial | string | always | Serial number of the unit | FGVMEVYYQT3AB5352
status | string | always | Indication of the operation's result | success
vdom | string | always | Virtual domain used | root
version | string | always | Version of the FortiGate | v5.6.3
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_waf_profile_module.html