fwebos_waf_xml_rule.py – Config FortiWeb API Protection XML Protection rule

New in version 1.0.1.

Synopsis

Config FortiWeb API Protection XML Protection rule

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.11

FortiWeb Version Compatibility


v7.0.x v7.2.x v7.4.x v7.6.x
fwebos_waf_xml_rule.py yes yes yes yes

Parameters

  • body Possible parameters to go in the body for the request required: True
    • name name type:string maxLength:63
    • host host type:string maxLength:255
    • action action type:string choice: alert, deny_no_log, alert_deny, redirect, block-period, send_403_forbidden, client-id-block-period,
    • block-period action block period(1-3600) type:integer maximum:3600 minimum:1
    • severity severity:High, Medium, Low or Informative type:string choice: High, Medium, Low, Info,
    • trigger trigger type:string
    • request-type simple string or regular expression type:string choice: plain, regular,
    • request-file request file type:string maxLength:255
    • host-status enable/disable type:string choice: enable, disable,
    • data-format data format type:string choice: xml, soap,
    • schema-file schema file type:string
    • wsdl-file wsdl file type:string
    • wsdl-ip-port-override enable/disable type:string choice: enable, disable,
    • ws-security WS-Security rule type:string
    • soap-attachment allow/disallow attachment in soap message type:string choice: disallow, allow,
    • validate-soapaction enable/disable type:string choice: enable, disable,
    • validate-soap-headers enable/disable type:string choice: enable, disable,
    • allow-additional-soap-headers enable/disable type:string choice: enable, disable,
    • validate-soap-body enable/disable type:string choice: enable, disable,
    • xml-limit-check enable/disable type:string choice: enable, disable,
    • xml-limit-attr-num max xml attribute number type:integer maximum:256 minimum:0
    • xml-limit-attrname-len max xml attribute name length type:integer maximum:1024 minimum:0
    • xml-limit-attrvalue-len max xml attribute value length type:integer maximum:2048 minimum:0
    • xml-limit-cdata-len max xml cdata length type:integer maximum:8192 minimum:0
    • xml-limit-element-depth max xml element depth type:integer maximum:256 minimum:0
    • xml-limit-element-name-len max xml element name length type:integer maximum:1024 minimum:0
    • xml-attributes-check enable/disable type:string choice: enable, disable,
    • external-entity-check enable/disable type:string choice: enable, disable,
    • expansion-entity-check enable/disable type:string choice: enable, disable,
    • x-include-check enable/disable type:string choice: enable, disable,
    • schema-location-check enable/disable type:string choice: enable, disable,
    • schema-location-exempted-urls enable/disable type:string
    • ws-i-basic-profile-assertion packet log setting type:string choice: WSI1001, WSI1002, WSI1003, WSI1004, WSI1006, WSI1007, WSI1032, WSI1033, WSI1109, WSI1110, WSI1111, WSI1201, WSI1202, WSI1204, WSI1208, WSI1301, WSI1307, WSI1308, WSI1309, WSI1318, WSI1601, WSI1701,
    • ws-i-basic-profile-wsdl-assertion packet log setting type:string choice: WSI1008, WSI1116, WSI1211,
    • mkey If present, objects will be filtered on property with this name type:string
    • vdom Specify the Virtual Domain(s) from which results are returned or changes are applied to. If this parameter is not provided, the management VDOM will be used. If the admin does not have access to the VDOM, a permission error will be returned. The URL parameter is one of: vdom=root (Single VDOM) vdom=vdom1,vdom2 (Multiple VDOMs) vdom=* (All VDOMs) type:array
    • clone_mkey Use *clone_mkey* to specify the ID for the new resource to be cloned. If *clone_mkey* is set, *mkey* must be provided which is cloned from. type:string

Examples

- name:
  hosts: all
  vars:
  connection: httpapi
  gather_facts: false
  tasks:
    - name: delete
      fwebos_waf_xml_rule:
       action: delete
       name: 12313
       vdom: root

    - name: Create
      fwebos_waf_xml_rule:
       action: add
       vdom: root
       xml_limit_attrvalue_len: 1024
       soap_attachment: allow
       xml_limit_element_depth: 20
       xml_limit_element_name_len: 64
       ws_i_basic_profile_wsdl_assertion:
       validate_soapaction_val: 0
       severity: Low
       expansion_entity_check: disable
       schema_location_exempted_urls:
       xml_limit_attrname_len: 64
       wsdl_file:
       trigger:
       validate_soap_body: disable
       x_include_check: disable
       xml_limit_attr_num: 32
       data_format: xml
       request_type: plain
       ws_security:
       external_entity_check: disable
       host:
       allow_additional_soap_headers: disable
       validate_soapaction: disable
       schema_location_check: disable
       validate_soap_headers_val: 0
       block_period: 600
       xml_limit_cdata_len: 4096
       name: test4
       host_status: disable
       allow_additional_soap_headers_val: 0
       request_file: /test_string
       xml_limit_check: disable
       trigger_val: 0
       validate_soap_headers: disable
       schema_file:
       xml_action: alert
       xml_attributes_check: disable
       ws_i_basic_profile_assertion:

    - name: edit
      fwebos_waf_xml_rule:
       action: edit
       vdom: root
       xml_limit_attrvalue_len: 1024
       soap_attachment: allow
       xml_limit_element_depth: 20
       xml_limit_element_name_len: 64
       ws_i_basic_profile_wsdl_assertion:
       validate_soapaction_val: 0
       severity: Low
       expansion_entity_check: disable
       schema_location_exempted_urls:
       xml_limit_attrname_len: 64
       wsdl_file:
       trigger:
       validate_soap_body: disable
       x_include_check: disable
       xml_limit_attr_num: 32
       data_format: xml
       request_type: plain
       ws_security:
       external_entity_check: disable
       host:
       allow_additional_soap_headers: disable
       validate_soapaction: disable
       schema_location_check: disable
       validate_soap_headers_val: 0
       block_period: 600
       xml_limit_cdata_len: 4096
       name: test4
       host_status: disable
       allow_additional_soap_headers_val: 0
       request_file: /test_string
       xml_limit_check: disable
       trigger_val: 0
       validate_soap_headers: disable
       schema_file:
       xml_action: alert
       xml_attributes_check: disable
       ws_i_basic_profile_assertion:

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • 200 : OK: Request returns successful
  • 400 : Bad Request: Request cannot be processed by the API
  • 401 : Not Authorized: Request without successful login session
  • 403 : Forbidden: Request is missing CSRF token or administrator is missing access profile permissions.
  • 404 : Resource Not Found: Unable to find the specified resource.
  • 405 : Method Not Allowed: Specified HTTP method is not allowed for this resource.
  • 413 : Request Entity Too Large: Request cannot be processed due to large entity
  • 424 : Failed Dependency: Fail dependency can be duplicate resource, missing required parameter, missing required attribute, invalid attribute value
  • 429 : Access temporarily blocked: Maximum failed authentications reached. The offended source is temporarily blocked for certain amount of time.
  • 500 : Internal Server Error: Internal error when processing the request

For errorcode please check FortiWeb API errorcode at : https://documenter.getpostman.com/view/11233300/TVetbkaK#887b9eb4-7c13-4338-a8db-16cc117f0119

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Jie Li
  • Brad Zhang

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.