:source: fwebos_server_policy.py
:orphan:
.. _fwebos_server_policy.py:

fwebos_server_policy.py -- Config FortiWeb Policy Server Policy
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

.. versionadded:: 1.0.1

.. contents::
   :local:
   :depth: 1
Synopsis
--------
Config FortiWeb Policy Server Policy
Requirements
------------
The following requirements must be met on the host that executes this module.
- ansible>=2.11
FortiWeb Version Compatibility
------------------------------
=========================  ======  ======  ======  ======
Module                     v7.0.x  v7.2.x  v7.4.x  v7.6.x
=========================  ======  ======  ======  ======
fwebos_server_policy.py    yes     yes     yes     yes
=========================  ======  ======  ======  ======
Parameters
----------
- ``body`` (required: True): possible parameters to go in the body for the request.

  - ``name``: policy name (type: string; maxLength: 63)
  - ``deployment-mode``: deployment mode (type: string; choices: server-pool, http-content-routing, offline-protection, transparent-servers, wccp-servers)
  - ``protocol``: protocol (type: string; choices: HTTP, FTP, ADFSPIP, TCPPROXY)
  - ``ssl``: ssl switch (type: string; choices: enable, disable)
  - ``implicit_ssl``: implicit ssl switch (type: string; choices: enable, disable)
  - ``vserver``: vserver (type: string)
  - ``v-zone``: v-zone (type: string)
  - ``service``: service (type: string)
  - ``proxy-protocol``: policy proxy protocol switch (type: string; choices: enable, disable)
  - ``use-proxy-protocol-addr``: use addr from proxy protocol for security checking (type: string; choices: enable, disable)
  - ``ftp-protection-profile``: ftp application protection profile (type: string)
  - ``web-protection-profile``: web application protection profile (type: string)
  - ``replacemsg``: replacement message template (type: string)
  - ``server-pool``: server pool (type: string)
  - ``traffic-mirror``: traffic mirror switch (type: string; choices: enable, disable)
  - ``traffic-mirror-profile``: traffic mirror profile (type: string)
  - ``traffic-mirror-type``: traffic mirror type (type: string; choices: client-side, server-side, both-side)
  - ``allow_hosts``: allow hosts (type: string)
  - ``allow_list``: allow list (type: string)
  - ``acceleration_policy``: acceleration policy (type: string)
  - ``https_service``: https service (type: string)
  - ``http3_service``: http3 service (type: string)
  - ``multi-certificate``: enable multi certificate (type: string; choices: enable, disable)
  - ``adfs-certificate-service``: adfspip certificate service (type: string)
  - ``adfs-certificate-ssl-client-verify``: SSL client certificate verify (type: string)
  - ``send-buffers-number``: the number of the send buffers used for forwarding data, range 0-256, 0 means no limit, each buffer size is 4kB (type: integer; minimum: 0; maximum: 256)
  - ``certificate-type``: enable letsencrypt certificate (type: string; choices: enable, disable)
  - ``lets-certificate``: letsencrypt certificate (type: string)
  - ``certificate``: certificate (type: string)
  - ``certificate-group``: multi certificate group (type: string)
  - ``intermediate-certificate-group``: Intermediate Certificate Group (type: string)
  - ``ssl-client-verify``: SSL client certificate verify (type: string)
  - ``use-ciphers-group``: use SSL ciphers group or not (type: string; choices: enable, disable)
  - ``ssl-ciphers-group``: SSL ciphers group (type: string)
  - ``tls-v10``: TLS 1.0 protocol status (type: string; choices: enable, disable)
  - ``tls-v11``: TLS 1.1 protocol status (type: string; choices: enable, disable)
  - ``tls-v12``: TLS 1.2 protocol status (type: string; choices: enable, disable)
  - ``tls-v13``: TLS 1.3 protocol status (type: string; choices: enable, disable)
  - ``ssl-noreg``: SSL no renegotiate (type: string; choices: enable, disable)
  - ``ssl-cipher``: SSL cipher-suite (type: string; choices: medium, high, custom)
  - ``ssl-custom-cipher``: SSL custom cipher-suite (type: string; choices: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, DHE-DSS-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-CCM, DHE-RSA-AES256-CCM8, DHE-RSA-AES256-CCM, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-DSS-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-CCM, DHE-RSA-AES128-CCM8, DHE-RSA-AES128-CCM, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA256, ECDHE-ECDSA-CAMELLIA256-SHA384, ECDHE-RSA-CAMELLIA256-SHA384, DHE-RSA-CAMELLIA256-SHA256, DHE-DSS-CAMELLIA256-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, DHE-DSS-AES128-SHA256, ECDHE-ECDSA-CAMELLIA128-SHA256, ECDHE-RSA-CAMELLIA128-SHA256, DHE-RSA-CAMELLIA128-SHA256, DHE-DSS-CAMELLIA128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-DSS-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, ECDHE-ARIA128-GCM-SHA256, DHE-RSA-ARIA128-GCM-SHA256, AES256-GCM-SHA384, AES256-CCM8, AES256-CCM, AES128-GCM-SHA256, AES128-CCM8, AES128-CCM, AES256-SHA256, CAMELLIA256-SHA256, AES128-SHA256, CAMELLIA128-SHA256, AES256-SHA, DHE-RSA-ARIA256-GCM-SHA384, AES128-SHA, ECDHE-ARIA256-GCM-SHA384, DHE-RSA-SEED-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA)
  - ``tls13-custom-cipher``: TLSv1.3 custom cipher-suite (type: string; choices: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256)
  - ``sni``: SNI status (type: string; choices: enable, disable)
  - ``sni-certificate``: SNI Certificate (type: string)
  - ``sni-strict``: strict SNI mode (type: string; choices: enable, disable)
  - ``urlcert``: URL based client certificate (type: string; choices: enable, disable)
  - ``urlcert-group``: URL based client certificate group (type: string)
  - ``urlcert-hlen``: URL based client certificate max http request length if matched (16-10240K) (type: integer; minimum: 16; maximum: 10240)
  - ``case-sensitive``: case sensitive (type: string; choices: enable, disable)
  - ``status``: status: enable/disable (type: string; choices: enable, disable)
  - ``comment``: comment (type: string; maxLength: 999)
  - ``block-port``: block port (type: string)
  - ``noparse``: Enable pure proxy or not: enable/disable (type: string; choices: enable, disable)
  - ``data-capture-port``: Data capture port (type: string)
  - ``monitor-mode``: Monitor mode: enable/disable (type: string; choices: enable, disable)
  - ``web-cache``: WEB cache mode: enable/disable (type: string; choices: enable, disable)
  - ``http-to-https``: Redirect naked domain request to "www" domain requests: enable/disable (type: string; choices: enable, disable)
  - ``redirect_naked_domain``: Redirect HTTP to HTTPs: enable/disable (type: string; choices: enable, disable)
  - ``sessioncookie-enforce``: Enforce session cookie per transaction (type: string; choices: enable, disable)
  - ``syncookie``: syn cookie: enable/disable (type: string; choices: enable, disable)
  - ``half-open-threshold``: half-open threshold (10~10000) (type: integer; minimum: 10; maximum: 10000)
  - ``client-certificate-forwarding``: client certificate forwarding: enable/disable (type: string; choices: enable, disable)
  - ``client-certificate-forwarding-sub-header``: custom header of client certificate forwarding subject (type: string; maxLength: 255)
  - ``client-certificate-forwarding-cert-header``: custom header of client certificate forwarding certificate (type: string; maxLength: 255)
  - ``http-pipeline``: HTTP pipeline support: enable/disable (type: string; choices: enable, disable)
  - ``hsts-header``: hsts header support (type: string; choices: enable, disable)
  - ``hsts-max-age``: max age value (unit: second, 1 hour-1 year) (type: integer; minimum: 3600; maximum: 31536000)
  - ``hsts-include-subdomains``: hsts include subdomains (type: string; choices: enable, disable)
  - ``hsts-preload``: hsts preload (type: string; choices: enable, disable)
  - ``hpkp-header``: hpkp header support (type: string)
  - ``prefer-current-session``: prefer current session (type: string; choices: enable, disable)
  - ``policy-id``: policy id (type: string)
  - ``http-content-routing-list``: http content routing policy list (type: array); each entry carries:

    - ``id``
    - ``content-routing-policy-name``: content routing policy
    - ``profile-inherit``: inherit policy profile flag
    - ``web-protection-profile``: web application protection profile
    - ``is-default``: whether default HTTP content routing rule
    - ``status``: status: enable/disable

  - ``client-real-ip``: keep client real ip to server (type: string; choices: enable, disable)
  - ``real-ip-addr``: specify a client real ip address or range (type: string)
  - ``http2``: set http2 enable/disable (type: string; choices: enable, disable)
  - ``tcp-recv-timeout``: max age value (unit: second) of the first http request after tcp handshake (type: integer; minimum: 0; maximum: 300)
  - ``http-header-timeout``: max age value (unit: second) of receiving a successful http header (type: integer; minimum: 0; maximum: 1200)
  - ``tcp-conn-timeout``: max age value (unit: second) of TCP connection timeout (type: integer; minimum: 0; maximum: 600)
  - ``internal-cookie-httponly``: internal cookie http only: enable/disable (type: string; choices: enable, disable)
  - ``internal-cookie-secure``: internal cookie secure: enable/disable (type: string; choices: enable, disable)
  - ``internal-cookie-samesite``: internal cookie samesite: enable/disable (type: string; choices: enable, disable)
  - ``internal-cookie-samesite-value``: internal cookie samesite value (type: string; choices: strict, lax, none)
  - ``content-security-policy-inline``: content security policy inline: enable/disable (type: string; choices: enable, disable)
  - ``ssl-quiet-shutdown``: enable/disable SSL quiet Shutdown (type: string; choices: enable, disable)
  - ``ssl-session-timeout``: ssl session timeout setting, default value 7200s, range (1, 14400) (type: integer; minimum: 1; maximum: 14400)
  - ``client-timeout``: max age value (unit: second): prevent the front end connection from closing for a long time, especially when the multiplexing function is turned on (type: integer; minimum: 0; maximum: 1200)
  - ``retry-on``: enable/disable retry on (type: string; choices: enable, disable)
  - ``retry-on-cache-size``: the http request cache size when retry on (32~2048 kB) (type: integer; minimum: 32; maximum: 2048)
  - ``retry-on-connect-failure``: enable/disable retry on connect failure (type: string; choices: enable, disable)
  - ``retry-times-on-connect-failure``: retry times on connect failure, range 1-5 (type: integer; minimum: 1; maximum: 5)
  - ``retry-on-http-layer``: enable/disable retry on http layer, only HEAD/GET methods supported (type: string; choices: enable, disable)
  - ``retry-times-on-http-layer``: retry times on http layer, range 1-5 (type: integer; minimum: 1; maximum: 5)
  - ``retry-on-http-response-codes``: http response codes (type: string; choices: 404, 408, 500, 501, 502, 503, 504)
  - ``replacemsg-on-connect-failure``: enable/disable sending replacemsg to client on connect failure (type: string; choices: enable, disable)
  - ``chunk-encoding``: chunk-encoding (type: string; choices: enable, disable)
  - ``tlog``: tlog: enable/disable (type: string; choices: enable, disable)
  - ``web-cache-storage``: Web Cache Storage (type: string; choices: redis-db, hash-table)
  - ``scripting``: enable/disable policy scripting (type: string; choices: enable, disable)
  - ``scripting-list``: policy scripting list (type: string)
  - ``ztna-profile``: ZTNA profile (type: string)

- ``mkey``: if present, objects will be filtered on the property with this name (type: string)
- ``vdom``: specify the Virtual Domain(s) from which results are returned or to which changes are applied. If this parameter is not provided, the management VDOM will be used. If the admin does not have access to the VDOM, a permission error will be returned. The URL parameter is one of: ``vdom=root`` (single VDOM), ``vdom=vdom1,vdom2`` (multiple VDOMs), ``vdom=*`` (all VDOMs) (type: array)
- ``clone_mkey``: use *clone_mkey* to specify the ID for the new resource to be cloned. If *clone_mkey* is set, *mkey* must be provided and names the resource that is cloned from (type: string)
Examples
--------
.. code-block:: yaml+jinja

   - name:
     hosts: all
     vars:
       connection: httpapi
     gather_facts: false
     tasks:
       - name: Create
         fwebos_server_policy:
           action: add
           vdom: root
           retry_on_connect_failure: disable
           protocol: HTTP
           client_certificate_forwarding: disable
           client_real_ip: disable
           urlcert_hlen: 32
           hsts_max_age: 15552000
           tls13_custom_cipher: TLS_AES_256_GCM_SHA384
           urlcert: disable
           syncookie: disable
           service: HTTP
           hsts_preload: disable
           sni_strict: disable
           client_certificate_forwarding_cert_header: X-Client-Cert
           retry_times_on_connect_failure: 3
           ssl_cipher: medium
           traffic_mirror_type: client-side
           multi_certificate: enable
           hsts_header: disable
           monitor_mode: disable
           deployment_mode: server-pool
           tls_v13: disable
           tls_v10: enable
           tls_v11: enable
           proxy_protocol: disable
           vserver: test4
           real_ip_addr:
           ssl_custom_cipher: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256
           retry_on_cache_size: 512
           http_to_https: disable
           hsts_include_subdomains: disable
           half_open_threshold: 8192
           retry_on_http_layer: disable
           traffic_mirror: disable
           client_certificate_forwarding_sub_header: X-Client-DN
           sni: disable
           ssl: enable
           web_cache: disable
           ssl_noreg: enable
           retry_on_http_response_codes: 404 408 500 501 502 503 504
           prefer_current_session: disable
           retry_times_on_http_layer: 3
           case_sensitive: disable
           name: test4
           replacemsg: Predefined
           server_pool: test4
           retry_on: disable
           tls_v12: enable
           https_service: HTTPS
           http2: disable
           certificate_type: disable
           http2_custom_cipher: ECDHE-ECDSA-AES256-GCM-SHA384 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
           web_protection_profile: Inline Standard Protection
           certificate_group: test
           allow_hosts: test.com
           intermediate_certificate_group: test
           comment: test111
           tlog: disable
           chunk_encoding: enable
       - name: edit
         fwebos_server_policy:
           action: edit
           vdom: root
           retry_on_connect_failure: disable
           protocol: HTTP
           client_certificate_forwarding: disable
           client_real_ip: disable
           urlcert_hlen: 32
           hsts_max_age: 15552000
           tls13_custom_cipher: TLS_AES_256_GCM_SHA384
           urlcert: disable
           syncookie: disable
           service: HTTP
           hsts_preload: disable
           sni_strict: disable
           client_certificate_forwarding_cert_header: X-Client-Cert
           retry_times_on_connect_failure: 3
           ssl_cipher: medium
           traffic_mirror_type: client-side
           multi_certificate: disable
           hsts_header: disable
           monitor_mode: disable
           deployment_mode: server-pool
           tls_v13: disable
           tls_v10: enable
           tls_v11: enable
           proxy_protocol: disable
           vserver: test4
           real_ip_addr:
           ssl_custom_cipher: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256
           retry_on_cache_size: 512
           http_to_https: disable
           hsts_include_subdomains: disable
           half_open_threshold: 8192
           retry_on_http_layer: disable
           traffic_mirror: disable
           client_certificate_forwarding_sub_header: X-Client-DN
           sni: disable
           ssl: enable
           web_cache: disable
           ssl_noreg: enable
           retry_on_http_response_codes: 404 408 500 501 502 503 504
           prefer_current_session: disable
           retry_times_on_http_layer: 3
           case_sensitive: disable
           name: test4
           replacemsg: Predefined
           server_pool: test4
           retry_on: disable
           tls_v12: enable
           https_service: HTTPS
           http2: disable
           certificate_type: enable
           http2_custom_cipher: ECDHE-ECDSA-AES256-GCM-SHA384 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
           web_protection_profile: Inline Standard Protection
           lets_certificate: test
           allow_hosts: test.com
           intermediate_certificate_group: test
           comment: test111
           tlog: enable
           chunk_encoding: enable
       - name: edit
         fwebos_server_policy:
           action: edit
           vdom: root
           retry_on_connect_failure: disable
           protocol: HTTP
           client_certificate_forwarding: disable
           client_real_ip: disable
           urlcert_hlen: 32
           hsts_max_age: 15552000
           tls13_custom_cipher: TLS_AES_256_GCM_SHA384
           urlcert: disable
           syncookie: disable
           service: HTTP
           hsts_preload: disable
           sni_strict: disable
           client_certificate_forwarding_cert_header: X-Client-Cert
           retry_times_on_connect_failure: 3
           ssl_cipher: medium
           traffic_mirror_type: client-side
           multi_certificate: disable
           hsts_header: disable
           monitor_mode: disable
           deployment_mode: server-pool
           tls_v13: disable
           tls_v10: enable
           tls_v11: enable
           proxy_protocol: disable
           vserver: test4
           real_ip_addr:
           ssl_custom_cipher: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256
           retry_on_cache_size: 512
           http_to_https: disable
           hsts_include_subdomains: disable
           half_open_threshold: 8192
           retry_on_http_layer: disable
           traffic_mirror: disable
           client_certificate_forwarding_sub_header: X-Client-DN
           sni: disable
           ssl: enable
           web_cache: disable
           ssl_noreg: enable
           retry_on_http_response_codes: 404 408 500 501 502 503 504
           prefer_current_session: disable
           retry_times_on_http_layer: 3
           case_sensitive: disable
           name: test4
           replacemsg: Predefined
           server_pool: test4
           retry_on: disable
           tls_v12: enable
           https_service: HTTPS
           http2: disable
           certificate_type: disable
           http2_custom_cipher: ECDHE-ECDSA-AES256-GCM-SHA384 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
           web_protection_profile: Inline Standard Protection
           certificate: aaa1
           allow_hosts: test.com
           intermediate_certificate_group: test
           comment: test111
           tlog: enable
           chunk_encoding: enable
       - name: delete
         fwebos_server_policy:
           action: delete
           name: test4
           vdom: root
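Before a task like the ones above is applied, the integer parameters can be checked against the ranges the parameter list documents, and the TLS/HSTS settings can be reviewed for weak choices (the Create task above still accepts TLS 1.0 and 1.1, uses the ``medium`` cipher set and leaves ``hsts_header`` disabled). The following is an added example, not code from the module or the collection; it assumes the underscore key names used in the Examples section and a plain ``dict`` of task parameters as input.

```python
# Integer parameters with the (minimum, maximum) the parameter list documents.
RANGES = {
    "send_buffers_number": (0, 256),
    "urlcert_hlen": (16, 10240),
    "half_open_threshold": (10, 10000),
    "hsts_max_age": (3600, 31536000),
    "tcp_recv_timeout": (0, 300),
    "http_header_timeout": (0, 1200),
    "tcp_conn_timeout": (0, 600),
    "ssl_session_timeout": (1, 14400),
    "client_timeout": (0, 1200),
    "retry_on_cache_size": (32, 2048),
    "retry_times_on_connect_failure": (1, 5),
    "retry_times_on_http_layer": (1, 5),
}


def check_ranges(policy):
    """Return one message per integer parameter outside its documented range."""
    problems = []
    for key, (lo, hi) in RANGES.items():
        if key in policy and not lo <= int(policy[key]) <= hi:
            problems.append(f"{key}={policy[key]} outside [{lo}, {hi}]")
    return problems


def lint_tls(policy):
    """Flag TLS/HSTS settings of an ssl=enable policy that are weaker than
    current practice; a policy with ssl=disable yields no findings."""
    findings = []
    if policy.get("ssl") != "enable":
        return findings
    for legacy in ("tls_v10", "tls_v11"):
        if policy.get(legacy) == "enable":
            findings.append(f"{legacy}=enable: legacy TLS version accepted")
    if "enable" not in (policy.get("tls_v12"), policy.get("tls_v13")):
        findings.append("neither tls_v12 nor tls_v13 is enabled")
    if policy.get("ssl_cipher") == "medium":
        findings.append("ssl_cipher=medium: prefer high or a vetted custom list")
    elif policy.get("ssl_cipher") == "custom":
        # The 3DES entries are the weakest suites in the ssl-custom-cipher choice list.
        for suite in policy.get("ssl_custom_cipher", "").split():
            if "DES-CBC3" in suite:
                findings.append(f"ssl_custom_cipher includes 3DES suite {suite}")
    if policy.get("hsts_header") != "enable":
        findings.append(f"hsts_header={policy.get('hsts_header', 'unset')}: no Strict-Transport-Security header")
    if policy.get("ssl_noreg") != "enable":
        findings.append(f"ssl_noreg={policy.get('ssl_noreg', 'unset')}: client renegotiation still allowed")
    return findings


# Constructed from the page's "Create" task (a subset of its keys), not a device capture.
SAMPLE_POLICY = {
    "name": "test4", "ssl": "enable", "ssl_cipher": "medium",
    "tls_v10": "enable", "tls_v11": "enable", "tls_v12": "enable",
    "tls_v13": "disable", "ssl_noreg": "enable", "hsts_header": "disable",
    "hsts_max_age": 15552000, "urlcert_hlen": 32, "half_open_threshold": 8192,
    "retry_on_cache_size": 512, "retry_times_on_connect_failure": 3,
    "retry_times_on_http_layer": 3,
}
```

Run ``check_ranges(SAMPLE_POLICY)`` and ``lint_tls(SAMPLE_POLICY)`` in a pre-task assert or a CI check; the sample passes the range check and yields four TLS findings.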
Return Values
-------------
Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following are the fields unique to this module:

- ``200`` OK: request returns successful
- ``400`` Bad Request: request cannot be processed by the API
- ``401`` Not Authorized: request without successful login session
- ``403`` Forbidden: request is missing CSRF token or administrator is missing access profile permissions
- ``404`` Resource Not Found: unable to find the specified resource
- ``405`` Method Not Allowed: specified HTTP method is not allowed for this resource
- ``413`` Request Entity Too Large: request cannot be processed due to large entity
- ``424`` Failed Dependency: the failed dependency can be a duplicate resource, missing required parameter, missing required attribute, or invalid attribute value
- ``429`` Access temporarily blocked: maximum failed authentications reached; the offending source is temporarily blocked for a certain amount of time
- ``500`` Internal Server Error: internal error when processing the request

For error codes, see the FortiWeb API error code reference at https://documenter.getpostman.com/view/11233300/TVetbkaK#887b9eb4-7c13-4338-a8db-16cc117f0119
Status
------
- This module is not guaranteed to have a backwards compatible interface.
Authors
-------
- Jie Li
- Brad Zhang
.. hint::

   If you notice any issues in this documentation, you can create a pull request to improve it.