sophos.sophos_firewall.sfos_web_policy module – Manage Web Filter Policies (Protect > Web > Policies)

Note

This module is part of the sophos.sophos_firewall collection (version 2.5.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install sophos.sophos_firewall. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: sophos.sophos_firewall.sfos_web_policy.

New in sophos.sophos_firewall 2.3.0

Synopsis

• Manage Web Filter Policies (Protect > Web > Policies) on Sophos Firewall

Requirements

The below requirements are needed on the host that executes this module.

• sophosfirewall-python

• Beginning in version 2.0.0, this module requires use of an httpapi connection plugin. See the HTTPAPI example for details.

Parameters

Parameter	Comments
default_action string / required	Default action of the policy. Choices: "Allow" "Deny"
description string	Specify Policy description. Max 255 chars.
download_file_size_restriction integer	Specify maximum allowed file download size in MB (0-1536). Default: 0
download_file_size_restriction_enabled boolean	Enable or disable checking for maximum allowed file download size. Choices: false true
enable_reporting string	Select to enable reporting of policy. Choices: "Enable" ← (default) "Disable"
enforce_image_licensing boolean	Enable or disable limiting search results to Creative Commons licensed images. Choices: false true
enforce_safe_search boolean	Enable or disable blocking of pornography and explicit content in search results. Choices: false true
goog_app_domain_list string	Comma-separated list of domains allowed to access Google services. Max 256 chars.
goog_app_domain_list_enabled boolean	Enable or disable specifying domains for Google services. Choices: false true
name string / required	Specify a name for the Web Filter Policy.
office_365_directory_id string	Domain ID allowed to access the Microsoft 365 service. Max 50 chars.
office_365_enabled boolean	Turn on or off specifying domains/IDs for Microsoft 365. Choices: false true
office_365_tenants_list string	Comma-separated list of domain names and domain IDs allowed to access Microsoft 365. Max 4096 chars.
quota_limit integer	Maximum allowed time (1-1440 minutes) for browsing restricted web content under quota policy action. Default: 60
rule_action string	Action for rules when updating policies (‘add’ or ‘replace’). To remove rules, use ‘replace’ with the new complete list. Choices: "add" ← (default) "replace"
rules list / elements=dictionary	Specify the rules contained in this policy.
categories list / elements=dictionary / required	List of rule categories.
id string / required	Category Name.
type string / required	Category type. Choices: "WebCategory" "FileType" "URLGroup" "UserActivity"
ccl_rule_enabled boolean	Enable or disable CCL rule. Choices: false ← (default) true
follow_http_action boolean	Enable or disable following HTTP action. Choices: false true ← (default)
http_action string	HTTP action. Choices: "Allow" "Deny" ← (default)
https_action string	HTTPS action. Choices: "Allow" "Deny" ← (default)
policy_rule_enabled boolean	Enable or disable the policy rule. Choices: false true ← (default)
schedule string	Schedule name. Default: "All The Time"
user_list list / elements=string	List of users to which the policy applies. Default: []
state string / required	Use query to retrieve, present to create, updated to modify, or absent to remove Choices: "present" "updated" "query" "absent"
xff_enabled boolean	Enable or disable X-Forwarded-For header. Choices: false true
youtube_filter_enabled boolean	Enable or disable YouTube Restricted Mode. Choices: false true
youtube_filter_is_strict boolean	Adjust the policy used for YouTube Restricted Mode (true for strict, false for moderate). Choices: false true

Examples

- name: Create Web Filter Policy with basic settings
  sophos.sophos_firewall.sfos_web_policy:
    name: "Corporate Policy"
    default_action: "Allow"
    enable_reporting: "Enable"
    description: "Corporate web filtering policy"
    state: present

- name: Create Web Filter Policy with file size restriction
  sophos.sophos_firewall.sfos_web_policy:
    name: "Corporate Policy with Size Limit"
    default_action: "Allow"
    download_file_size_restriction: 100
    enable_reporting: "Enable"
    description: "Corporate web filtering policy with 100MB file size limit"
    state: present

- name: Create Web Filter Policy with advanced settings
  sophos.sophos_firewall.sfos_web_policy:
    name: "Strict Policy"
    default_action: "Deny"
    download_file_size_restriction: 50
    enable_reporting: "Enable"
    download_file_size_restriction_enabled: true
    youtube_filter_enabled: true
    youtube_filter_is_strict: true
    enforce_safe_search: true
    enforce_image_licensing: true
    quota_limit: 30
    description: "Strict web filtering policy with content restrictions"
    state: present

- name: Create Web Filter Policy with rules
  sophos.sophos_firewall.sfos_web_policy:
    name: "Business Policy"
    default_action: "Allow"
    download_file_size_restriction: 200
    enable_reporting: "Enable"
    description: "Business policy with category rules"
    rules:
      - categories:
          - id: "Social Networking"
            type: "WebCategory"
          - id: "Gaming"
            type: "WebCategory"
        http_action: "Deny"
        https_action: "Deny"
        schedule: "Business Hours"
        policy_rule_enabled: true
        user_list:
          - "Guest Group"
          - "Unknown Users"
      - categories:
          - id: "Document Files"
            type: "FileType"
        http_action: "Allow"
        https_action: "Allow"
        policy_rule_enabled: true
    state: present

- name: Create Web Filter Policy with Office 365 and Google settings
  sophos.sophos_firewall.sfos_web_policy:
    name: "Cloud Services Policy"
    default_action: "Allow"
    download_file_size_restriction: 500
    enable_reporting: "Enable"
    goog_app_domain_list: "example.com,test.org"
    goog_app_domain_list_enabled: true
    office_365_tenants_list: "tenant1.onmicrosoft.com,tenant2.onmicrosoft.com"
    office_365_directory_id: "12345678-1234-1234-1234-123456789012"
    office_365_enabled: true
    xff_enabled: true
    description: "Policy for cloud services access"
    state: present

- name: Query Web Filter Policy
  sophos.sophos_firewall.sfos_web_policy:
    name: "Corporate Policy"
    state: query

- name: Update Web Filter Policy
  sophos.sophos_firewall.sfos_web_policy:
    name: "Corporate Policy"
    default_action: "Deny"
    download_file_size_restriction: 75
    description: "Updated corporate policy"
    state: updated

- name: Update Web Filter Policy and replace all rules
  sophos.sophos_firewall.sfos_web_policy:
    name: "Business Policy"
    description: "Updated business policy with new rules"
    rules:
      - categories:
          - id: "Entertainment"
            type: "WebCategory"
        http_action: "Deny"
        https_action: "Deny"
        policy_rule_enabled: true
    rule_action: "replace"
    state: updated

- name: Update Web Filter Policy and add additional rules
  sophos.sophos_firewall.sfos_web_policy:
    name: "Business Policy"
    description: "Business policy with additional rules"
    rules:
      - categories:
          - id: "Video Files"
            type: "FileType"
        http_action: "Allow"
        https_action: "Allow"
        policy_rule_enabled: true
    rule_action: "add"
    state: updated

- name: Remove Web Filter Policy
  sophos.sophos_firewall.sfos_web_policy:
    name: "Corporate Policy"
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
api_response dictionary	Serialized object containing the API response. Returned: always

Authors

• Matt Mullen (@mamullen13316)

Collection links

• Issue Tracker
• Repository (Sources)

Warning

If the firewall is a member of a group in Central, the changes made by Ansible will override the settings of the group. The actual configuration on the firewall may then differ from what is displayed for the same setting in the Central group.