New in version 2.8.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
host (required) | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates whether requests towards the FortiGate must use the HTTPS protocol.
password | Default: `""` | FortiOS or FortiGate password.
username (required) | | FortiOS or FortiGate username.
vdom | Default: `"root"` | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a separate unit.
waf_profile | Default: `null` | Web application firewall configuration. The rows below are the nested parameters, given as paths under `waf_profile`.
address-list | | Black address list and white address list.
address-list / blocked-address | | Blocked address.
address-list / blocked-address / name (required) | | Address name. Source: firewall.address.name, firewall.addrgrp.name.
address-list / blocked-log | | Enable/disable logging on blocked addresses.
address-list / severity | | Severity.
address-list / status | | Status.
address-list / trusted-address | | Trusted address.
address-list / trusted-address / name (required) | | Address name. Source: firewall.address.name, firewall.addrgrp.name.
comment | | Comment.
constraint | | WAF HTTP protocol restrictions.
constraint / content-length | | HTTP content length in request.
constraint / content-length / action | | Action.
constraint / content-length / length | | Length of HTTP content in bytes (0 to 2147483647).
constraint / content-length / log | | Enable/disable logging.
constraint / content-length / severity | | Severity.
constraint / content-length / status | | Enable/disable the constraint.
constraint / exception | | HTTP constraint exception.
constraint / exception / address | | Host address. Source: firewall.address.name, firewall.addrgrp.name.
constraint / exception / content-length | | HTTP content length in request.
constraint / exception / header-length | | HTTP header length in request.
constraint / exception / hostname | | Enable/disable hostname check.
constraint / exception / id (required) | | Exception ID.
constraint / exception / line-length | | HTTP line length in request.
constraint / exception / malformed | | Enable/disable malformed HTTP request check.
constraint / exception / max-cookie | | Maximum number of cookies in HTTP request.
constraint / exception / max-header-line | | Maximum number of HTTP header lines.
constraint / exception / max-range-segment | | Maximum number of range segments in HTTP range line.
constraint / exception / max-url-param | | Maximum number of parameters in URL.
constraint / exception / method | | Enable/disable HTTP method check.
constraint / exception / param-length | | Maximum length of parameter in URL, HTTP POST request or HTTP body.
constraint / exception / pattern | | URL pattern.
constraint / exception / regex | | Enable/disable regular expression based pattern match.
constraint / exception / url-param-length | | Maximum length of parameter in URL.
constraint / exception / version | | Enable/disable HTTP version check.
constraint / header-length | | HTTP header length in request.
constraint / header-length / action | | Action.
constraint / header-length / length | | Length of HTTP header in bytes (0 to 2147483647).
constraint / header-length / log | | Enable/disable logging.
constraint / header-length / severity | | Severity.
constraint / header-length / status | | Enable/disable the constraint.
constraint / hostname | | Enable/disable hostname check.
constraint / hostname / action | | Action.
constraint / hostname / log | | Enable/disable logging.
constraint / hostname / severity | | Severity.
constraint / hostname / status | | Enable/disable the constraint.
constraint / line-length | | HTTP line length in request.
constraint / line-length / action | | Action.
constraint / line-length / length | | Length of HTTP line in bytes (0 to 2147483647).
constraint / line-length / log | | Enable/disable logging.
constraint / line-length / severity | | Severity.
constraint / line-length / status | | Enable/disable the constraint.
constraint / malformed | | Enable/disable malformed HTTP request check.
constraint / malformed / action | | Action.
constraint / malformed / log | | Enable/disable logging.
constraint / malformed / severity | | Severity.
constraint / malformed / status | | Enable/disable the constraint.
constraint / max-cookie | | Maximum number of cookies in HTTP request.
constraint / max-cookie / action | | Action.
constraint / max-cookie / log | | Enable/disable logging.
constraint / max-cookie / max-cookie | | Maximum number of cookies in HTTP request (0 to 2147483647).
constraint / max-cookie / severity | | Severity.
constraint / max-cookie / status | | Enable/disable the constraint.
constraint / max-header-line | | Maximum number of HTTP header lines.
constraint / max-header-line / action | | Action.
constraint / max-header-line / log | | Enable/disable logging.
constraint / max-header-line / max-header-line | | Maximum number of HTTP header lines (0 to 2147483647).
constraint / max-header-line / severity | | Severity.
constraint / max-header-line / status | | Enable/disable the constraint.
constraint / max-range-segment | | Maximum number of range segments in HTTP range line.
constraint / max-range-segment / action | | Action.
constraint / max-range-segment / log | | Enable/disable logging.
constraint / max-range-segment / max-range-segment | | Maximum number of range segments in HTTP range line (0 to 2147483647).
constraint / max-range-segment / severity | | Severity.
constraint / max-range-segment / status | | Enable/disable the constraint.
constraint / max-url-param | | Maximum number of parameters in URL.
constraint / max-url-param / action | | Action.
constraint / max-url-param / log | | Enable/disable logging.
constraint / max-url-param / max-url-param | | Maximum number of parameters in URL (0 to 2147483647).
constraint / max-url-param / severity | | Severity.
constraint / max-url-param / status | | Enable/disable the constraint.
constraint / method | | Enable/disable HTTP method check.
constraint / method / action | | Action.
constraint / method / log | | Enable/disable logging.
constraint / method / severity | | Severity.
constraint / method / status | | Enable/disable the constraint.
constraint / param-length | | Maximum length of parameter in URL, HTTP POST request or HTTP body.
constraint / param-length / action | | Action.
constraint / param-length / length | | Maximum length of parameter in URL, HTTP POST request or HTTP body, in bytes (0 to 2147483647).
constraint / param-length / log | | Enable/disable logging.
constraint / param-length / severity | | Severity.
constraint / param-length / status | | Enable/disable the constraint.
constraint / url-param-length | | Maximum length of parameter in URL.
constraint / url-param-length / action | | Action.
constraint / url-param-length / length | | Maximum length of URL parameter in bytes (0 to 2147483647).
constraint / url-param-length / log | | Enable/disable logging.
constraint / url-param-length / severity | | Severity.
constraint / url-param-length / status | | Enable/disable the constraint.
constraint / version | | Enable/disable HTTP version check.
constraint / version / action | | Action.
constraint / version / log | | Enable/disable logging.
constraint / version / severity | | Severity.
constraint / version / status | | Enable/disable the constraint.
extended-log | | Enable/disable extended logging.
external | | Enable/disable external HTTP inspection.
method | | Method restriction.
method / default-allowed-methods | | Methods.
method / log | | Enable/disable logging.
method / method-policy | | HTTP method policy.
method / method-policy / address | | Host address. Source: firewall.address.name, firewall.addrgrp.name.
method / method-policy / allowed-methods | | Allowed methods.
method / method-policy / id (required) | | HTTP method policy ID.
method / method-policy / pattern | | URL pattern.
method / method-policy / regex | | Enable/disable regular expression based pattern match.
method / severity | | Severity.
method / status | | Status.
name (required) | | WAF profile name.
signature | | WAF signatures.
signature / credit-card-detection-threshold | | The minimum number of credit cards to detect a violation.
signature / custom-signature | | Custom signature.
signature / custom-signature / action | | Action.
signature / custom-signature / case-sensitivity | | Case sensitivity in pattern.
signature / custom-signature / direction | | Traffic direction.
signature / custom-signature / log | | Enable/disable logging.
signature / custom-signature / name (required) | | Signature name.
signature / custom-signature / pattern | | Match pattern.
signature / custom-signature / severity | | Severity.
signature / custom-signature / status | | Status.
signature / custom-signature / target | | Match HTTP target.
signature / disabled-signature | | Disabled signatures.
signature / disabled-signature / id (required) | | Signature ID. Source: waf.signature.id.
signature / disabled-sub-class | | Disabled signature subclasses.
signature / disabled-sub-class / id (required) | | Signature subclass ID. Source: waf.sub-class.id.
signature / main-class | | Main signature class.
signature / main-class / action | | Action.
signature / main-class / id (required) | | Main signature class ID. Source: waf.main-class.id.
signature / main-class / log | | Enable/disable logging.
signature / main-class / severity | | Severity.
signature / main-class / status | | Status.
state | | Indicates whether to create or remove the object.
url-access | | URL access list.
url-access / access-pattern | | URL access pattern.
url-access / access-pattern / id (required) | | URL access pattern ID.
url-access / access-pattern / negate | | Enable/disable match negation.
url-access / access-pattern / pattern | | URL pattern.
url-access / access-pattern / regex | | Enable/disable regular expression based pattern match.
url-access / access-pattern / srcaddr | | Source address. Source: firewall.address.name, firewall.addrgrp.name.
url-access / action | | Action.
url-access / address | | Host address. Source: firewall.address.name, firewall.addrgrp.name.
url-access / id (required) | | URL access ID.
url-access / log | | Enable/disable logging.
url-access / severity | | Severity.
Example playbook:

```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
    - name: Web application firewall configuration.
      fortios_waf_profile:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        waf_profile:
          state: "present"
          address-list:
            blocked-address:
              - name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
            blocked-log: "enable"
            severity: "high"
            status: "enable"
            trusted-address:
              - name: "default_name_10 (source firewall.address.name firewall.addrgrp.name)"
          comment: "Comment."
          constraint:
            content-length:
              action: "allow"
              length: "15"
              log: "enable"
              severity: "high"
              status: "enable"
            exception:
              - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                content-length: "enable"
                header-length: "enable"
                hostname: "enable"
                id: "24"
                line-length: "enable"
                malformed: "enable"
                max-cookie: "enable"
                max-header-line: "enable"
                max-range-segment: "enable"
                max-url-param: "enable"
                method: "enable"
                param-length: "enable"
                pattern: "<your_own_value>"
                regex: "enable"
                url-param-length: "enable"
                version: "enable"
            header-length:
              action: "allow"
              length: "39"
              log: "enable"
              severity: "high"
              status: "enable"
            hostname:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            line-length:
              action: "allow"
              length: "50"
              log: "enable"
              severity: "high"
              status: "enable"
            malformed:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            max-cookie:
              action: "allow"
              log: "enable"
              max-cookie: "62"
              severity: "high"
              status: "enable"
            max-header-line:
              action: "allow"
              log: "enable"
              max-header-line: "68"
              severity: "high"
              status: "enable"
            max-range-segment:
              action: "allow"
              log: "enable"
              max-range-segment: "74"
              severity: "high"
              status: "enable"
            max-url-param:
              action: "allow"
              log: "enable"
              max-url-param: "80"
              severity: "high"
              status: "enable"
            method:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
            param-length:
              action: "allow"
              length: "90"
              log: "enable"
              severity: "high"
              status: "enable"
            url-param-length:
              action: "allow"
              length: "96"
              log: "enable"
              severity: "high"
              status: "enable"
            version:
              action: "allow"
              log: "enable"
              severity: "high"
              status: "enable"
          extended-log: "enable"
          external: "disable"
          method:
            default-allowed-methods: "get"
            log: "enable"
            method-policy:
              - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                allowed-methods: "get"
                id: "113"
                pattern: "<your_own_value>"
                regex: "enable"
            severity: "high"
            status: "enable"
          name: "default_name_118"
          signature:
            credit-card-detection-threshold: "120"
            custom-signature:
              - action: "allow"
                case-sensitivity: "disable"
                direction: "request"
                log: "enable"
                name: "default_name_126"
                pattern: "<your_own_value>"
                severity: "high"
                status: "enable"
                target: "arg"
            disabled-signature:
              - id: "132 (source waf.signature.id)"
            disabled-sub-class:
              - id: "134 (source waf.sub-class.id)"
            main-class:
              - action: "allow"
                id: "137 (source waf.main-class.id)"
                log: "enable"
                severity: "high"
                status: "enable"
          url-access:
            - access-pattern:
                - id: "143"
                  negate: "enable"
                  pattern: "<your_own_value>"
                  regex: "enable"
                  srcaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              action: "bypass"
              address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              id: "150"
              log: "enable"
              severity: "high"
```
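As an added example (not part of the module or Fortinet's documentation), a pre-flight lint for the `waf_profile` arguments of a task: it checks the documented `0 to 2147483647` bounds on the length and `max-*` fields, flags constraints that are enabled yet neither block nor log, flags exceptions that lift every documented check, and insists on `https` for the API session. The `block` constraint action and the `upload-hosts` address object are assumptions; both sample tasks are constructed here.

```python
from typing import Dict, List

MAX_INT = 2147483647  # documented upper bound of the length and max-* fields
SIZE_KEYS = ("length", "max-cookie", "max-header-line", "max-range-segment", "max-url-param")
# The per-check constraints documented under waf_profile / constraint
CHECKS = ("content-length", "header-length", "hostname", "line-length", "malformed",
          "max-cookie", "max-header-line", "max-range-segment", "max-url-param",
          "method", "param-length", "url-param-length", "version")


def lint_task(args: Dict) -> List[str]:
    """Return findings for a fortios_waf_profile task's arguments; [] means clean."""
    findings: List[str] = []
    if str(args.get("https", "")).lower() != "true":
        findings.append("https is not true: API credentials and config travel in clear text")
    constraint = args.get("waf_profile", {}).get("constraint", {})
    for name in CHECKS:
        c = constraint.get(name)
        if not c:
            continue
        for key in SIZE_KEYS:  # bounds check against the documented range
            if key in c and not 0 <= int(c[key]) <= MAX_INT:
                findings.append(f"constraint {name}: {key}={c[key]} outside 0..{MAX_INT}")
        if c.get("status") == "enable" and c.get("action") == "allow" and c.get("log") != "enable":
            findings.append(f"constraint {name}: enabled but neither blocks nor logs")
    for exc in constraint.get("exception", []):  # lifting every check is a full bypass
        if all(exc.get(k) == "enable" for k in CHECKS):
            findings.append(f"exception {exc.get('id')}: exempts every constraint check")
    return findings


# Constructed sample in the shape of the example playbook, with weak settings
WEAK = {"https": "False", "waf_profile": {"constraint": {
    "content-length": {"action": "allow", "length": "15", "log": "disable", "status": "enable"},
    "exception": [{"id": "24", "address": "all", **{k: "enable" for k in CHECKS}}]}}}

# Constructed sample: the same task hardened. "block" is assumed to be the other
# constraint action; "upload-hosts" is a hypothetical firewall address object.
HARDENED = {"https": "True", "waf_profile": {"constraint": {
    "content-length": {"action": "block", "length": "1048576", "log": "enable", "status": "enable"},
    "exception": [{"id": "24", "address": "upload-hosts", "content-length": "enable"}]}}}

if __name__ == "__main__":
    for label, task in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_task(task) or "ok")
```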
Common return values are documented here; the following are the fields unique to this module (all of type string):

Key | Returned | Description | Sample
---|---|---|---
build | always | Build number of the FortiGate image | 1547
http_method | always | Last method used to provision the content into FortiGate | PUT
http_status | always | Last result given by FortiGate on the last operation applied | 200
mkey | success | Master key (id) used in the last call to FortiGate | id
name | always | Name of the table used to fulfill the request | urlfilter
path | always | Path of the table used to fulfill the request | webfilter
revision | always | Internal revision number | 17.0.2.10658
serial | always | Serial number of the unit | FGVMEVYYQT3AB5352
status | always | Indication of the operation's result | success
vdom | always | Virtual domain used | root
version | always | Version of the FortiGate | v5.6.3