fortinet.fortios.fortios_webfilter_profile – Configure Web filter profiles in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_webfilter_profile.

New in version 2.10: of fortinet.fortios

Synopsis
Requirements
Parameters
Notes
Examples
Return Values

Synopsis

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify webfilter feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

ansible>=2.9.0

Parameters

Parameter					Choices/Defaults	Comments
access_token string						Token-based authentication. Generated from GUI of Fortigate.
enable_log boolean					Choices: no ← yes	Enable/Disable logging for task.
state string / required					Choices: present absent	Indicates whether to create or remove the object.
vdom string					Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
webfilter_profile dictionary						Configure Web filter profiles.
	antiphish dictionary					AntiPhishing profile.
		authentication string			Choices: domain-controller ldap	Authentication methods.
		check_basic_auth string			Choices: enable disable	Enable/disable checking of HTTP Basic Auth field for known credentials.
		check_uri string			Choices: enable disable	Enable/disable checking of GET URI parameters for known credentials.
		check_username_only string			Choices: enable disable	Enable/disable acting only on valid username credentials. Action will be taken for valid usernames regardless of password validity.
		custom_patterns list / elements=string				Custom username and password regex patterns.
			category string		Choices: username password	Category that the pattern matches.
			pattern string / required			Target pattern.
			type string		Choices: regex literal	Pattern will be treated either as a regex pattern or literal string.
		default_action string			Choices: exempt log block	Action to be taken when there is no matching rule.
		domain_controller string				Domain for which to verify received credentials against. Source credential-store.domain-controller.server-name.
		inspection_entries list / elements=string				AntiPhishing entries.
			action string		Choices: exempt log block	Action to be taken upon an AntiPhishing match.
			fortiguard_category string			FortiGuard category to match.
			name string / required			Inspection target name.
		ldap string				LDAP server for which to verify received credentials against. Source user.ldap.name.
		max_body_len integer				Maximum size of a POST body to check for credentials.
		status string			Choices: enable disable	Toggle AntiPhishing functionality.
	comment string					Optional comments.
	extended_log string				Choices: enable disable	Enable/disable extended logging for web filtering.
	feature_set string				Choices: flow proxy	Flow/proxy feature set.
	file_filter dictionary					File filter.
		entries list / elements=string				File filter entries.
			action string		Choices: log block	Action taken for matched file.
			comment string			Comment.
			direction string		Choices: incoming outgoing any	Match files transmitted in the session"s originating or reply direction.
			file_type list / elements=string			Select file type.
				name string / required		File type name. Source antivirus.filetype.name.
			filter string / required			Add a file filter.
			password_protected string		Choices: True any	Match password-protected files.
			protocol string		Choices: http ftp	Protocols to apply with.
		log string			Choices: enable disable	Enable/disable file filter logging.
		scan_archive_contents string			Choices: enable disable	Enable/disable file filter archive contents scan.
		status string			Choices: enable disable	Enable/disable file filter.
	ftgd_wf dictionary					FortiGuard Web Filter settings.
		exempt_quota string				Do not stop quota for these categories.
		filters list / elements=string				FortiGuard filters.
			action string		Choices: block authenticate monitor warning	Action to take for matches.
			auth_usr_grp string			Groups with permission to authenticate.
				name string / required		User group name. Source user.group.name.
			category integer			Categories and groups the filter examines.
			id integer / required			ID number.
			log string		Choices: enable disable	Enable/disable logging.
			override_replacemsg string			Override replacement message.
			warn_duration string			Duration of warnings.
			warning_duration_type string		Choices: session timeout	Re-display warning after closing browser or after a timeout.
			warning_prompt string		Choices: per-domain per-category	Warning prompts in each category or each domain.
		max_quota_timeout integer				Maximum FortiGuard quota used by single page view in seconds (excludes streams).
		options string			Choices: error-allow rate-server-ip connect-request-bypass ftgd-disable	Options for FortiGuard Web Filter.
		ovrd string				Allow web filter profile overrides.
		quota list / elements=string				FortiGuard traffic quota settings.
			category string			FortiGuard categories to apply quota to (category action must be set to monitor).
			duration string			Duration of quota.
			id integer / required			ID number.
			override_replacemsg string			Override replacement message.
			type string		Choices: time traffic	Quota type.
			unit string		Choices: B KB MB GB	Traffic quota unit of measurement.
			value integer			Traffic quota value.
		rate_crl_urls string			Choices: disable enable	Enable/disable rating CRL by URL.
		rate_css_urls string			Choices: disable enable	Enable/disable rating CSS by URL.
		rate_image_urls string			Choices: disable enable	Enable/disable rating images by URL.
		rate_javascript_urls string			Choices: disable enable	Enable/disable rating JavaScript by URL.
	https_replacemsg string				Choices: enable disable	Enable replacement messages for HTTPS.
	inspection_mode string				Choices: proxy flow-based	Web filtering inspection mode.
	log_all_url string				Choices: enable disable	Enable/disable logging all URLs visited.
	name string / required					Profile name.
	options list / elements=string				Choices: activexfilter cookiefilter javafilter block-invalid-url jscript js vbs unknown intrinsic wf-referer wf-cookie per-user-bwl per-user-bal	Options.
	override dictionary					Web Filter override settings.
		ovrd_cookie string			Choices: allow deny	Allow/deny browser-based (cookie) overrides.
		ovrd_dur string				Override duration.
		ovrd_dur_mode string			Choices: constant ask	Override duration mode.
		ovrd_scope string			Choices: user user-group ip browser ask	Override scope.
		ovrd_user_group string				User groups with permission to use the override.
			name string / required			User group name. Source user.group.name.
		profile list / elements=string				Web filter profile with permission to create overrides.
			name string / required			Web profile. Source webfilter.profile.name.
		profile_attribute string			Choices: User-Name NAS-IP-Address Framed-IP-Address Framed-IP-Netmask Filter-Id Login-IP-Host Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network Class Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Zone Acct-Session-Id Acct-Multi-Session-Id	Profile attribute to retrieve from the RADIUS server.
		profile_type string			Choices: list radius	Override profile type.
	ovrd_perm list / elements=string				Choices: bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override	Permitted override types.
	post_action string				Choices: normal block	Action taken for HTTP POST traffic.
	replacemsg_group string					Replacement message group. Source system.replacemsg-group.name.
	url_extraction dictionary					Configure URL Extraction
		redirect_header string				HTTP header name to use for client redirect on blocked requests
		redirect_no_content string			Choices: enable disable	Enable / Disable empty message-body entity in HTTP response
		redirect_url string				HTTP header value to use for client redirect on blocked requests
		server_fqdn string				URL extraction server FQDN (fully qualified domain name)
		status string			Choices: enable disable	Enable URL Extraction
	web dictionary					Web content filtering settings.
		allowlist list / elements=string			Choices: exempt-av exempt-webcontent exempt-activex-java-cookie exempt-dlp exempt-rangeblock extended-log-others	FortiGuard allowlist settings.
		blacklist string			Choices: enable disable	Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
		blocklist string			Choices: enable disable	Enable/disable automatic addition of URLs detected by FortiSandbox to blocklist.
		bword_table integer				Banned word table ID. Source webfilter.content.id.
		bword_threshold integer				Banned word score threshold.
		content_header_list integer				Content header list. Source webfilter.content-header.id.
		keyword_match string				Search keywords to log when match is found.
			pattern string / required			Pattern/keyword to search for.
		log_search string			Choices: enable disable	Enable/disable logging all search phrases.
		safe_search list / elements=string			Choices: url header	Safe search type.
		urlfilter_table integer				URL filter table ID. Source webfilter.urlfilter.id.
		whitelist list / elements=string			Choices: exempt-av exempt-webcontent exempt-activex-java-cookie exempt-dlp exempt-rangeblock extended-log-others	FortiGuard whitelist settings.
		youtube_restrict string			Choices: none strict moderate	YouTube EDU filter level.
	web_antiphishing_log string				Choices: enable disable	Enable/disable logging of AntiPhishing checks.
	web_content_log string				Choices: enable disable	Enable/disable logging logging blocked web content.
	web_extended_all_action_log string				Choices: enable disable	Enable/disable extended any filter action logging for web filtering.
	web_filter_activex_log string				Choices: enable disable	Enable/disable logging ActiveX.
	web_filter_applet_log string				Choices: enable disable	Enable/disable logging Java applets.
	web_filter_command_block_log string				Choices: enable disable	Enable/disable logging blocked commands.
	web_filter_cookie_log string				Choices: enable disable	Enable/disable logging cookie filtering.
	web_filter_cookie_removal_log string				Choices: enable disable	Enable/disable logging blocked cookies.
	web_filter_js_log string				Choices: enable disable	Enable/disable logging Java scripts.
	web_filter_jscript_log string				Choices: enable disable	Enable/disable logging JScripts.
	web_filter_referer_log string				Choices: enable disable	Enable/disable logging referrers.
	web_filter_unknown_log string				Choices: enable disable	Enable/disable logging unknown scripts.
	web_filter_vbs_log string				Choices: enable disable	Enable/disable logging VBS scripts.
	web_ftgd_err_log string				Choices: enable disable	Enable/disable logging rating errors.
	web_ftgd_quota_usage string				Choices: enable disable	Enable/disable logging daily quota usage.
	web_invalid_domain_log string				Choices: enable disable	Enable/disable logging invalid domain names.
	web_url_log string				Choices: enable disable	Enable/disable logging URL filtering.
	wisp string				Choices: enable disable	Enable/disable web proxy WISP.
	wisp_algorithm string				Choices: primary-secondary round-robin auto-learning	WISP server selection algorithm.
	wisp_servers list / elements=string					WISP servers.
		name string / required				Server name. Source web-proxy.wisp.name.
	youtube_channel_filter list / elements=string					YouTube channel filter.
		channel_id string				YouTube channel ID to be filtered.
		comment string				Comment.
		id integer / required				ID.
	youtube_channel_status string				Choices: disable blacklist whitelist	YouTube channel filter status.

Notes

Note

Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure Web filter profiles.
    fortios_webfilter_profile:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      webfilter_profile:
        antiphish:
            authentication: "domain-controller"
            check_basic_auth: "enable"
            check_uri: "enable"
            check_username_only: "enable"
            custom_patterns:
             -
                category: "username"
                pattern: "<your_own_value>"
                type: "regex"
            default_action: "exempt"
            domain_controller: "<your_own_value> (source credential-store.domain-controller.server-name)"
            inspection_entries:
             -
                action: "exempt"
                fortiguard_category: "<your_own_value>"
                name: "default_name_17"
            ldap: "<your_own_value> (source user.ldap.name)"
            max_body_len: "19"
            status: "enable"
        comment: "Optional comments."
        extended_log: "enable"
        feature_set: "flow"
        file_filter:
            entries:
             -
                action: "log"
                comment: "Comment."
                direction: "incoming"
                file_type:
                 -
                    name: "default_name_30 (source antivirus.filetype.name)"
                filter: "<your_own_value>"
                password_protected: "yes"
                protocol: "http"
            log: "enable"
            scan_archive_contents: "enable"
            status: "enable"
        ftgd_wf:
            exempt_quota: "<your_own_value>"
            filters:
             -
                action: "block"
                auth_usr_grp:
                 -
                    name: "default_name_42 (source user.group.name)"
                category: "43"
                id:  "44"
                log: "enable"
                override_replacemsg: "<your_own_value>"
                warn_duration: "<your_own_value>"
                warning_duration_type: "session"
                warning_prompt: "per-domain"
            max_quota_timeout: "50"
            options: "error-allow"
            ovrd: "<your_own_value>"
            quota:
             -
                category: "<your_own_value>"
                duration: "<your_own_value>"
                id:  "56"
                override_replacemsg: "<your_own_value>"
                type: "time"
                unit: "B"
                value: "60"
            rate_crl_urls: "disable"
            rate_css_urls: "disable"
            rate_image_urls: "disable"
            rate_javascript_urls: "disable"
        https_replacemsg: "enable"
        inspection_mode: "proxy"
        log_all_url: "enable"
        name: "default_name_68"
        options: "activexfilter"
        override:
            ovrd_cookie: "allow"
            ovrd_dur: "<your_own_value>"
            ovrd_dur_mode: "constant"
            ovrd_scope: "user"
            ovrd_user_group:
             -
                name: "default_name_76 (source user.group.name)"
            profile:
             -
                name: "default_name_78 (source webfilter.profile.name)"
            profile_attribute: "User-Name"
            profile_type: "list"
        ovrd_perm: "bannedword-override"
        post_action: "normal"
        replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
        url_extraction:
            redirect_header: "<your_own_value>"
            redirect_no_content: "enable"
            redirect_url: "<your_own_value>"
            server_fqdn: "<your_own_value>"
            status: "enable"
        web:
            allowlist: "exempt-av"
            blacklist: "enable"
            blocklist: "enable"
            bword_table: "94 (source webfilter.content.id)"
            bword_threshold: "95"
            content_header_list: "96 (source webfilter.content-header.id)"
            keyword_match:
             -
                pattern: "<your_own_value>"
            log_search: "enable"
            safe_search: "url"
            urlfilter_table: "101 (source webfilter.urlfilter.id)"
            whitelist: "exempt-av"
            youtube_restrict: "none"
        web_antiphishing_log: "enable"
        web_content_log: "enable"
        web_extended_all_action_log: "enable"
        web_filter_activex_log: "enable"
        web_filter_applet_log: "enable"
        web_filter_command_block_log: "enable"
        web_filter_cookie_log: "enable"
        web_filter_cookie_removal_log: "enable"
        web_filter_js_log: "enable"
        web_filter_jscript_log: "enable"
        web_filter_referer_log: "enable"
        web_filter_unknown_log: "enable"
        web_filter_vbs_log: "enable"
        web_ftgd_err_log: "enable"
        web_ftgd_quota_usage: "enable"
        web_invalid_domain_log: "enable"
        web_url_log: "enable"
        wisp: "enable"
        wisp_algorithm: "primary-secondary"
        wisp_servers:
         -
            name: "default_name_124 (source web-proxy.wisp.name)"
        youtube_channel_filter:
         -
            channel_id: "<your_own_value>"
            comment: "Comment."
            id:  "128"
        youtube_channel_status: "disable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Authors

Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_webfilter_profile_module.html