fortios_webfilter_profile – Configure Web filter profiles

New in version 2.8.

Synopsis
Requirements
Parameters
Notes
Examples
Return Values
Status

Synopsis

This module is able to configure a FortiGate or FortiOS by allowing the user to configure webfilter feature and profile category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

fortiosapi>=0.9.8

Parameters

Parameter					Choices/Defaults	Comments
host - / required						FortiOS or FortiGate ip address.
https boolean					Choices: no ← yes	Indicates if the requests towards FortiGate must use HTTPS protocol
password -					Default: ""	FortiOS or FortiGate password.
username - / required						FortiOS or FortiGate username.
vdom -					Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
webfilter_profile -					Default: null	Configure Web filter profiles.
	comment -					Optional comments.
	extended-log -				Choices: enable disable	Enable/disable extended logging for web filtering.
	ftgd-wf -					FortiGuard Web Filter settings.
		exempt-quota -				Do not stop quota for these categories.
		filters -				FortiGuard filters.
			action -		Choices: block authenticate monitor warning	Action to take for matches.
			auth-usr-grp -			Groups with permission to authenticate.
				name - / required		User group name. Source user.group.name.
			category -			Categories and groups the filter examines.
			id - / required			ID number.
			log -		Choices: enable disable	Enable/disable logging.
			override-replacemsg -			Override replacement message.
			warn-duration -			Duration of warnings.
			warning-duration-type -		Choices: session timeout	Re-display warning after closing browser or after a timeout.
			warning-prompt -		Choices: per-domain per-category	Warning prompts in each category or each domain.
		max-quota-timeout -				Maximum FortiGuard quota used by single page view in seconds (excludes streams).
		options -			Choices: error-allow rate-server-ip connect-request-bypass ftgd-disable	Options for FortiGuard Web Filter.
		ovrd -				Allow web filter profile overrides.
		quota -				FortiGuard traffic quota settings.
			category -			FortiGuard categories to apply quota to (category action must be set to monitor).
			duration -			Duration of quota.
			id - / required			ID number.
			override-replacemsg -			Override replacement message.
			type -		Choices: time traffic	Quota type.
			unit -		Choices: B KB MB GB	Traffic quota unit of measurement.
			value -			Traffic quota value.
		rate-crl-urls -			Choices: disable enable	Enable/disable rating CRL by URL.
		rate-css-urls -			Choices: disable enable	Enable/disable rating CSS by URL.
		rate-image-urls -			Choices: disable enable	Enable/disable rating images by URL.
		rate-javascript-urls -			Choices: disable enable	Enable/disable rating JavaScript by URL.
	https-replacemsg -				Choices: enable disable	Enable replacement messages for HTTPS.
	inspection-mode -				Choices: proxy flow-based	Web filtering inspection mode.
	log-all-url -				Choices: enable disable	Enable/disable logging all URLs visited.
	name - / required					Profile name.
	options -				Choices: activexfilter cookiefilter javafilter block-invalid-url jscript js vbs unknown intrinsic wf-referer wf-cookie per-user-bwl	Options.
	override -					Web Filter override settings.
		ovrd-cookie -			Choices: allow deny	Allow/deny browser-based (cookie) overrides.
		ovrd-dur -				Override duration.
		ovrd-dur-mode -			Choices: constant ask	Override duration mode.
		ovrd-scope -			Choices: user user-group ip browser ask	Override scope.
		ovrd-user-group -				User groups with permission to use the override.
			name - / required			User group name. Source user.group.name.
		profile -				Web filter profile with permission to create overrides.
			name - / required			Web profile. Source webfilter.profile.name.
		profile-attribute -			Choices: User-Name NAS-IP-Address Framed-IP-Address Framed-IP-Netmask Filter-Id Login-IP-Host Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network Class Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Zone Acct-Session-Id Acct-Multi-Session-Id	Profile attribute to retrieve from the RADIUS server.
		profile-type -			Choices: list radius	Override profile type.
	ovrd-perm -				Choices: bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override	Permitted override types.
	post-action -				Choices: normal block	Action taken for HTTP POST traffic.
	replacemsg-group -					Replacement message group. Source system.replacemsg-group.name.
	state -				Choices: present absent	Indicates whether to create or remove the object
	web -					Web content filtering settings.
		blacklist -			Choices: enable disable	Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
		bword-table -				Banned word table ID. Source webfilter.content.id.
		bword-threshold -				Banned word score threshold.
		content-header-list -				Content header list. Source webfilter.content-header.id.
		keyword-match -				Search keywords to log when match is found.
			pattern - / required			Pattern/keyword to search for.
		log-search -			Choices: enable disable	Enable/disable logging all search phrases.
		safe-search -			Choices: url header	Safe search type.
		urlfilter-table -				URL filter table ID. Source webfilter.urlfilter.id.
		whitelist -			Choices: exempt-av exempt-webcontent exempt-activex-java-cookie exempt-dlp exempt-rangeblock extended-log-others	FortiGuard whitelist settings.
		youtube-restrict -			Choices: none strict moderate	YouTube EDU filter level.
	web-content-log -				Choices: enable disable	Enable/disable logging logging blocked web content.
	web-extended-all-action-log -				Choices: enable disable	Enable/disable extended any filter action logging for web filtering.
	web-filter-activex-log -				Choices: enable disable	Enable/disable logging ActiveX.
	web-filter-applet-log -				Choices: enable disable	Enable/disable logging Java applets.
	web-filter-command-block-log -				Choices: enable disable	Enable/disable logging blocked commands.
	web-filter-cookie-log -				Choices: enable disable	Enable/disable logging cookie filtering.
	web-filter-cookie-removal-log -				Choices: enable disable	Enable/disable logging blocked cookies.
	web-filter-js-log -				Choices: enable disable	Enable/disable logging Java scripts.
	web-filter-jscript-log -				Choices: enable disable	Enable/disable logging JScripts.
	web-filter-referer-log -				Choices: enable disable	Enable/disable logging referrers.
	web-filter-unknown-log -				Choices: enable disable	Enable/disable logging unknown scripts.
	web-filter-vbs-log -				Choices: enable disable	Enable/disable logging VBS scripts.
	web-ftgd-err-log -				Choices: enable disable	Enable/disable logging rating errors.
	web-ftgd-quota-usage -				Choices: enable disable	Enable/disable logging daily quota usage.
	web-invalid-domain-log -				Choices: enable disable	Enable/disable logging invalid domain names.
	web-url-log -				Choices: enable disable	Enable/disable logging URL filtering.
	wisp -				Choices: enable disable	Enable/disable web proxy WISP.
	wisp-algorithm -				Choices: primary-secondary round-robin auto-learning	WISP server selection algorithm.
	wisp-servers -					WISP servers.
		name - / required				Server name. Source web-proxy.wisp.name.
	youtube-channel-filter -					YouTube channel filter.
		channel-id -				YouTube channel ID to be filtered.
		comment -				Comment.
		id - / required				ID.
	youtube-channel-status -				Choices: disable blacklist whitelist	YouTube channel filter status.

Notes

Note

Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure Web filter profiles.
    fortios_webfilter_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      webfilter_profile:
        state: "present"
        comment: "Optional comments."
        extended-log: "enable"
        ftgd-wf:
            exempt-quota: "<your_own_value>"
            filters:
             -
                action: "block"
                auth-usr-grp:
                 -
                    name: "default_name_10 (source user.group.name)"
                category: "11"
                id:  "12"
                log: "enable"
                override-replacemsg: "<your_own_value>"
                warn-duration: "<your_own_value>"
                warning-duration-type: "session"
                warning-prompt: "per-domain"
            max-quota-timeout: "18"
            options: "error-allow"
            ovrd: "<your_own_value>"
            quota:
             -
                category: "<your_own_value>"
                duration: "<your_own_value>"
                id:  "24"
                override-replacemsg: "<your_own_value>"
                type: "time"
                unit: "B"
                value: "28"
            rate-crl-urls: "disable"
            rate-css-urls: "disable"
            rate-image-urls: "disable"
            rate-javascript-urls: "disable"
        https-replacemsg: "enable"
        inspection-mode: "proxy"
        log-all-url: "enable"
        name: "default_name_36"
        options: "activexfilter"
        override:
            ovrd-cookie: "allow"
            ovrd-dur: "<your_own_value>"
            ovrd-dur-mode: "constant"
            ovrd-scope: "user"
            ovrd-user-group:
             -
                name: "default_name_44 (source user.group.name)"
            profile:
             -
                name: "default_name_46 (source webfilter.profile.name)"
            profile-attribute: "User-Name"
            profile-type: "list"
        ovrd-perm: "bannedword-override"
        post-action: "normal"
        replacemsg-group: "<your_own_value> (source system.replacemsg-group.name)"
        web:
            blacklist: "enable"
            bword-table: "54 (source webfilter.content.id)"
            bword-threshold: "55"
            content-header-list: "56 (source webfilter.content-header.id)"
            keyword-match:
             -
                pattern: "<your_own_value>"
            log-search: "enable"
            safe-search: "url"
            urlfilter-table: "61 (source webfilter.urlfilter.id)"
            whitelist: "exempt-av"
            youtube-restrict: "none"
        web-content-log: "enable"
        web-extended-all-action-log: "enable"
        web-filter-activex-log: "enable"
        web-filter-applet-log: "enable"
        web-filter-command-block-log: "enable"
        web-filter-cookie-log: "enable"
        web-filter-cookie-removal-log: "enable"
        web-filter-js-log: "enable"
        web-filter-jscript-log: "enable"
        web-filter-referer-log: "enable"
        web-filter-unknown-log: "enable"
        web-filter-vbs-log: "enable"
        web-ftgd-err-log: "enable"
        web-ftgd-quota-usage: "enable"
        web-invalid-domain-log: "enable"
        web-url-log: "enable"
        wisp: "enable"
        wisp-algorithm: "primary-secondary"
        wisp-servers:
         -
            name: "default_name_83 (source web-proxy.wisp.name)"
        youtube-channel-filter:
         -
            channel-id: "<your_own_value>"
            comment: "Comment."
            id:  "87"
        youtube-channel-status: "disable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: key1
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Status

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]

Authors

Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fortios_webfilter_profile_module.html