fwebos_waf_xml_rule.py – Config FortiWeb API Protection XML Protection rule

New in version 1.0.1.

Synopsis

Config FortiWeb API Protection XML Protection rule

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.11

FortiWeb Version Compatibility


v7.0.0 v7.0.1 v7.0.2 v7.0.3
fwebos_waf_xml_rule.py yes yes yes yes

Parameters

  • body Possible parameters to go in the body for the request required: True
    • name name type:string maxLength:63
    • host host type:string maxLength:255
    • action action type:string choice: alert, deny_no_log, alert_deny, redirect, block-period, send_403_forbidden, client-id-block-period,
    • block-period action block period(1-3600) type:integer maximum:3600 minimum:1
    • severity severity:High, Medium, Low or Informative type:string choice: High, Medium, Low, Info,
    • trigger trigger type:string
    • request-type simple string or regular expression type:string choice: plain, regular,
    • request-file request file type:string maxLength:255
    • host-status enable/disable type:string choice: enable, disable,
    • data-format data format type:string choice: xml, soap,
    • schema-file schema file type:string
    • wsdl-file wsdl file type:string
    • wsdl-ip-port-override enable/disable type:string choice: enable, disable,
    • ws-security WS-Security rule type:string
    • soap-attachment allow/disallow attachment in soap message type:string choice: disallow, allow,
    • validate-soapaction enable/disable type:string choice: enable, disable,
    • validate-soap-headers enable/disable type:string choice: enable, disable,
    • allow-additional-soap-headers enable/disable type:string choice: enable, disable,
    • validate-soap-body enable/disable type:string choice: enable, disable,
    • xml-limit-check enable/disable type:string choice: enable, disable,
    • xml-limit-attr-num max xml attribute number type:integer maximum:256 minimum:0
    • xml-limit-attrname-len max xml attribute name length type:integer maximum:1024 minimum:0
    • xml-limit-attrvalue-len max xml attribute value length type:integer maximum:2048 minimum:0
    • xml-limit-cdata-len max xml cdata length type:integer maximum:8192 minimum:0
    • xml-limit-element-depth max xml element depth type:integer maximum:256 minimum:0
    • xml-limit-element-name-len max xml element name length type:integer maximum:1024 minimum:0
    • xml-attributes-check enable/disable type:string choice: enable, disable,
    • external-entity-check enable/disable type:string choice: enable, disable,
    • expansion-entity-check enable/disable type:string choice: enable, disable,
    • x-include-check enable/disable type:string choice: enable, disable,
    • schema-location-check enable/disable type:string choice: enable, disable,
    • schema-location-exempted-urls enable/disable type:string
    • ws-i-basic-profile-assertion packet log setting type:string choice: WSI1001, WSI1002, WSI1003, WSI1004, WSI1006, WSI1007, WSI1032, WSI1033, WSI1109, WSI1110, WSI1111, WSI1201, WSI1202, WSI1204, WSI1208, WSI1301, WSI1307, WSI1308, WSI1309, WSI1318, WSI1601, WSI1701,
    • ws-i-basic-profile-wsdl-assertion packet log setting type:string choice: WSI1008, WSI1116, WSI1211,
    • mkey If present, objects will be filtered on property with this name type:string
    • vdom Specify the Virtual Domain(s) from which results are returned or changes are applied to. If this parameter is not provided, the management VDOM will be used. If the admin does not have access to the VDOM, a permission error will be returned. The URL parameter is one of: vdom=root (Single VDOM) vdom=vdom1,vdom2 (Multiple VDOMs) vdom=* (All VDOMs) type:array
    • clone_mkey Use *clone_mkey* to specify the ID for the new resource to be cloned. If *clone_mkey* is set, *mkey* must be provided which is cloned from. type:string

Examples

- name:
hosts: all
vars:
connection: httpapi
gather_facts: false
tasks:
  - name: delete
    fwebos_waf_xml_rule:
     action: delete
     name: 12313
     vdom: root

  - name: Create
    fwebos_waf_xml_rule:
     action: add
     vdom: root
     xml_limit_attrvalue_len: 1024
     soap_attachment: allow
     xml_limit_element_depth: 20
     xml_limit_element_name_len: 64
     ws_i_basic_profile_wsdl_assertion:
     validate_soapaction_val: 0
     severity: Low
     expansion_entity_check: disable
     schema_location_exempted_urls:
     xml_limit_attrname_len: 64
     wsdl_file:
     trigger:
     validate_soap_body: disable
     x_include_check: disable
     xml_limit_attr_num: 32
     data_format: xml
     request_type: plain
     ws_security:
     external_entity_check: disable
     host:
     allow_additional_soap_headers: disable
     validate_soapaction: disable
     schema_location_check: disable
     validate_soap_headers_val: 0
     block_period: 600
     xml_limit_cdata_len: 4096
     name: test4
     host_status: disable
     allow_additional_soap_headers_val: 0
     request_file: /test_string
     xml_limit_check: disable
     trigger_val: 0
     validate_soap_headers: disable
     schema_file:
     xml_action: alert
     xml_attributes_check: disable
     ws_i_basic_profile_assertion:

  - name: edit
    fwebos_waf_xml_rule:
     action: edit
     vdom: root
     xml_limit_attrvalue_len: 1024
     soap_attachment: allow
     xml_limit_element_depth: 20
     xml_limit_element_name_len: 64
     ws_i_basic_profile_wsdl_assertion:
     validate_soapaction_val: 0
     severity: Low
     expansion_entity_check: disable
     schema_location_exempted_urls:
     xml_limit_attrname_len: 64
     wsdl_file:
     trigger:
     validate_soap_body: disable
     x_include_check: disable
     xml_limit_attr_num: 32
     data_format: xml
     request_type: plain
     ws_security:
     external_entity_check: disable
     host:
     allow_additional_soap_headers: disable
     validate_soapaction: disable
     schema_location_check: disable
     validate_soap_headers_val: 0
     block_period: 600
     xml_limit_cdata_len: 4096
     name: test4
     host_status: disable
     allow_additional_soap_headers_val: 0
     request_file: /test_string
     xml_limit_check: disable
     trigger_val: 0
     validate_soap_headers: disable
     schema_file:
     xml_action: alert
     xml_attributes_check: disable
     ws_i_basic_profile_assertion:

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • 200 : OK: Request returns successful
  • 400 : Bad Request: Request cannot be processed by the API
  • 401 : Not Authorized: Request without successful login session
  • 403 : Forbidden: Request is missing CSRF token or administrator is missing access profile permissions.
  • 404 : Resource Not Found: Unable to find the specified resource.
  • 405 : Method Not Allowed: Specified HTTP method is not allowed for this resource.
  • 413 : Request Entity Too Large: Request cannot be processed due to large entity
  • 424 : Failed Dependency: Fail dependency can be duplicate resource, missing required parameter, missing required attribute, invalid attribute value
  • 429 : Access temporarily blocked: Maximum failed authentications reached. The offended source is temporarily blocked for certain amount of time.
  • 500 : Internal Server Error: Internal error when processing the request

For errorcode please check FortiWeb API errorcode at : https://documenter.getpostman.com/view/11233300/TVetbkaK#887b9eb4-7c13-4338-a8db-16cc117f0119

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Jie Li
  • Brad Zhang

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.