fmgr_secprof_waf – FortiManager web application firewall security profile

New in version 2.8.

Synopsis

  • Manage web application firewall security profiles for FGTs via FMG

Parameters

Parameter Choices/Defaults Comments
address_list
-
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
address_list_blocked_address
-
Blocked address.
address_list_blocked_log
-
    Choices:
  • disable
  • enable
Enable/disable logging on blocked addresses.
choice | disable | Disable setting.
choice | enable | Enable setting.
address_list_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
address_list_status
-
    Choices:
  • disable
  • enable
Status.
choice | disable | Disable setting.
choice | enable | Enable setting.
address_list_trusted_address
-
Trusted address.
adom
-
Default:
"root"
The ADOM the configuration should belong to.
comment
-
Comment.
constraint
-
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
constraint_content_length_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_content_length_length
-
Length of HTTP content in bytes (0 to 2147483647).
constraint_content_length_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_content_length_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_content_length_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_address
-
Host address.
constraint_exception_content_length
-
    Choices:
  • disable
  • enable
HTTP content length in request.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_header_length
-
    Choices:
  • disable
  • enable
HTTP header length in request.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_hostname
-
    Choices:
  • disable
  • enable
Enable/disable hostname check.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_line_length
-
    Choices:
  • disable
  • enable
HTTP line length in request.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_malformed
-
    Choices:
  • disable
  • enable
Enable/disable malformed HTTP request check.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_max_cookie
-
    Choices:
  • disable
  • enable
Maximum number of cookies in HTTP request.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_max_header_line
-
    Choices:
  • disable
  • enable
Maximum number of HTTP header line.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_max_range_segment
-
    Choices:
  • disable
  • enable
Maximum number of range segments in HTTP range line.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_max_url_param
-
    Choices:
  • disable
  • enable
Maximum number of parameters in URL.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_method
-
    Choices:
  • disable
  • enable
Enable/disable HTTP method check.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_param_length
-
    Choices:
  • disable
  • enable
Maximum length of parameter in URL, HTTP POST request or HTTP body.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_pattern
-
URL pattern.
constraint_exception_regex
-
    Choices:
  • disable
  • enable
Enable/disable regular expression based pattern match.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_url_param_length
-
    Choices:
  • disable
  • enable
Maximum length of parameter in URL.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_exception_version
-
    Choices:
  • disable
  • enable
Enable/disable HTTP version check.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_header_length_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_header_length_length
-
Length of HTTP header in bytes (0 to 2147483647).
constraint_header_length_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_header_length_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_header_length_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_hostname_action
-
    Choices:
  • allow
  • block
Action for a hostname constraint.
choice | allow | Allow.
choice | block | Block.
constraint_hostname_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_hostname_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_hostname_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_line_length_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_line_length_length
-
Length of HTTP line in bytes (0 to 2147483647).
constraint_line_length_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_line_length_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_line_length_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_malformed_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_malformed_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_malformed_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_malformed_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_cookie_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_max_cookie_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_cookie_max_cookie
-
Maximum number of cookies in HTTP request (0 to 2147483647).
constraint_max_cookie_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_max_cookie_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_header_line_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_max_header_line_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_header_line_max_header_line
-
Maximum number HTTP header lines (0 to 2147483647).
constraint_max_header_line_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_max_header_line_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_range_segment_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_max_range_segment_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_range_segment_max_range_segment
-
Maximum number of range segments in HTTP range line (0 to 2147483647).
constraint_max_range_segment_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_max_range_segment_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_url_param_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_max_url_param_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_max_url_param_max_url_param
-
Maximum number of parameters in URL (0 to 2147483647).
constraint_max_url_param_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_max_url_param_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_method_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_method_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_method_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_method_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_param_length_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_param_length_length
-
Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647).
constraint_param_length_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_param_length_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_param_length_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_url_param_length_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_url_param_length_length
-
Maximum length of URL parameter in bytes (0 to 2147483647).
constraint_url_param_length_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_url_param_length_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_url_param_length_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_version_action
-
    Choices:
  • allow
  • block
Action.
choice | allow | Allow.
choice | block | Block.
constraint_version_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
constraint_version_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
constraint_version_status
-
    Choices:
  • disable
  • enable
Enable/disable the constraint.
choice | disable | Disable setting.
choice | enable | Enable setting.
extended_log
-
    Choices:
  • disable
  • enable
Enable/disable extended logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
external
-
    Choices:
  • disable
  • enable
Disable/Enable external HTTP Inspection.
choice | disable | Disable external inspection.
choice | enable | Enable external inspection.
method
-
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
method_default_allowed_methods
-
    Choices:
  • delete
  • get
  • head
  • options
  • post
  • put
  • trace
  • others
  • connect
Methods.
FLAG Based Options. Specify multiple in list form.
flag | delete | HTTP DELETE method.
flag | get | HTTP GET method.
flag | head | HTTP HEAD method.
flag | options | HTTP OPTIONS method.
flag | post | HTTP POST method.
flag | put | HTTP PUT method.
flag | trace | HTTP TRACE method.
flag | others | Other HTTP methods.
flag | connect | HTTP CONNECT method.
method_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
method_method_policy_address
-
Host address.
method_method_policy_allowed_methods
-
    Choices:
  • delete
  • get
  • head
  • options
  • post
  • put
  • trace
  • others
  • connect
Allowed Methods.
FLAG Based Options. Specify multiple in list form.
flag | delete | HTTP DELETE method.
flag | get | HTTP GET method.
flag | head | HTTP HEAD method.
flag | options | HTTP OPTIONS method.
flag | post | HTTP POST method.
flag | put | HTTP PUT method.
flag | trace | HTTP TRACE method.
flag | others | Other HTTP methods.
flag | connect | HTTP CONNECT method.
method_method_policy_pattern
-
URL pattern.
method_method_policy_regex
-
    Choices:
  • disable
  • enable
Enable/disable regular expression based pattern match.
choice | disable | Disable setting.
choice | enable | Enable setting.
method_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | low severity
choice | medium | medium severity
choice | high | High severity
method_status
-
    Choices:
  • disable
  • enable
Status.
choice | disable | Disable setting.
choice | enable | Enable setting.
mode
-
    Choices:
  • add ←
  • set
  • delete
  • update
Sets one of three modes for managing the object.
Allows use of soft-adds instead of overwriting existing values
name
-
WAF Profile name.
signature
-
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
signature_credit_card_detection_threshold
-
The minimum number of Credit cards to detect violation.
signature_custom_signature_action
-
    Choices:
  • allow
  • block
  • erase
Action.
choice | allow | Allow.
choice | block | Block.
choice | erase | Erase credit card numbers.
signature_custom_signature_case_sensitivity
-
    Choices:
  • disable
  • enable
Case sensitivity in pattern.
choice | disable | Case insensitive in pattern.
choice | enable | Case sensitive in pattern.
signature_custom_signature_direction
-
    Choices:
  • request
  • response
Traffic direction.
choice | request | Match HTTP request.
choice | response | Match HTTP response.
signature_custom_signature_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
signature_custom_signature_name
-
Signature name.
signature_custom_signature_pattern
-
Match pattern.
signature_custom_signature_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
signature_custom_signature_status
-
    Choices:
  • disable
  • enable
Status.
choice | disable | Disable setting.
choice | enable | Enable setting.
signature_custom_signature_target
-
    Choices:
  • arg
  • arg-name
  • req-body
  • req-cookie
  • req-cookie-name
  • req-filename
  • req-header
  • req-header-name
  • req-raw-uri
  • req-uri
  • resp-body
  • resp-hdr
  • resp-status
Match HTTP target.
FLAG Based Options. Specify multiple in list form.
flag | arg | HTTP arguments.
flag | arg-name | Names of HTTP arguments.
flag | req-body | HTTP request body.
flag | req-cookie | HTTP request cookies.
flag | req-cookie-name | HTTP request cookie names.
flag | req-filename | HTTP request file name.
flag | req-header | HTTP request headers.
flag | req-header-name | HTTP request header names.
flag | req-raw-uri | Raw URI of HTTP request.
flag | req-uri | URI of HTTP request.
flag | resp-body | HTTP response body.
flag | resp-hdr | HTTP response headers.
flag | resp-status | HTTP response status.
signature_disabled_signature
-
Disabled signatures
signature_disabled_sub_class
-
Disabled signature subclasses.
signature_main_class_action
-
    Choices:
  • allow
  • block
  • erase
Action.
choice | allow | Allow.
choice | block | Block.
choice | erase | Erase credit card numbers.
signature_main_class_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
signature_main_class_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.
signature_main_class_status
-
    Choices:
  • disable
  • enable
Status.
choice | disable | Disable setting.
choice | enable | Enable setting.
url_access
-
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
url_access_access_pattern_negate
-
    Choices:
  • disable
  • enable
Enable/disable match negation.
choice | disable | Disable setting.
choice | enable | Enable setting.
url_access_access_pattern_pattern
-
URL pattern.
url_access_access_pattern_regex
-
    Choices:
  • disable
  • enable
Enable/disable regular expression based pattern match.
choice | disable | Disable setting.
choice | enable | Enable setting.
url_access_access_pattern_srcaddr
-
Source address.
url_access_action
-
    Choices:
  • bypass
  • permit
  • block
Action.
choice | bypass | Allow the HTTP request, also bypass further WAF scanning.
choice | permit | Allow the HTTP request, and continue further WAF scanning.
choice | block | Block HTTP request.
url_access_address
-
Host address.
url_access_log
-
    Choices:
  • disable
  • enable
Enable/disable logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
url_access_severity
-
    Choices:
  • low
  • medium
  • high
Severity.
choice | low | Low severity.
choice | medium | Medium severity.
choice | high | High severity.

Examples

- name: DELETE Profile
  fmgr_secprof_waf:
    name: "Ansible_WAF_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "delete"

- name: CREATE Profile
  fmgr_secprof_waf:
    name: "Ansible_WAF_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "set"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
api_result
string
always
full API response, includes status code and message



Status

Authors

  • Luke Weighall (@lweighall)
  • Andrew Welsh (@Ghilli3)
  • Jim Huber (@p4r4n0y1ng)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.