ansible-galaxy-fortios-collection's Issues

fortios_system_dns

Issue with the domain keyword in fortios_system_dns module when using fortinet.fortios collection

ansible version 2.9.7
fortios 6.0.9

When running this playbook an error is generated as follows

---
- name: Configure Fortinet DNS
  hosts: fortinet
  connection: httpapi
  gather_facts: True
  collections:
    - fortinet.fortios

  vars_files:
    - ./group_vars/fortinet_vars.yml
    - ./group_vars/base_vars.yml
    - ./group_vars/cloud_vars.yml

  tasks:
  - name: Configure DNS.
    fortios_system_dns:
      ssl_verify: False
      host:  "{{ ansible_host }}"
      password: "{{ ansible_password }}"
      username: "{{ ansible_username }}"
      vdom:  "{{ vdom }}"
      https: "True"
      system_dns:
        primary: "{{ dns[location.country[0]][0] }}"
        secondary: "{{ dns[location.country[0]][1] }}"
        source_ip: "192.168.127.110"
        domain:
         - 
            domain: "bbc.co.uk"
 

Error


TASK [Gathering Facts] *****************************************************************************************************************************
ok: [fortinet1]

TASK [Configure DNS.] ******************************************************************************************************************************
[WARNING]: The value [{'domain': 'bbc.co.uk'}] (type list) in a string field was converted to "[{'domain': 'bbc.co.uk'}]" (type string). If this
does not look like what you expect, quote the entire value to ensure it does not change.
ok: [fortinet1]

PLAY RECAP *****************************************************************************************************************************************
fortinet1                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 

When the playbook is amended as follows the module operates as expected

- name: Configure Fortinet DNS
  hosts: fortinet
  connection: httpapi
  gather_facts: True

This is the output

PLAY [Configure Fortinet DNS] **********************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************
ok: [fortinet1]

TASK [Configure DNS.] ******************************************************************************************************************************
changed: [fortinet1]

PLAY RECAP *****************************************************************************************************************************************
fortinet1                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

This is the resulting configuration


fortinet3 (global) # conf system  dns

fortinet3 (dns) # show
config system dns
    set primary 12.1.1.1
    set secondary 12.1.1.2
    set domain "bbc.com"
    set source-ip 192.168.127.110
end

fortinet3 (dns) #

Questions about fortios_firewall_addrgrp module

Hi, support team, I've a question when using the module "fortios_firewall_addrgrp".
First of all, my versions are:
ansible 2.9.0
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /xxxxx/lib/python3.6/site-packages/ansible
executable location = /xxxx/bin/ansible
python version = 3.6.8 (default, Apr 2 2020, 13:34:55) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

Then,
I understand that under:
firewall_addrgrp:
  name: test_group
  member:
    - name: testday1
    - name: testday2
It will create an address group "test_group" with members "testday1" and "testday2".
However, I don't think it makes much sense not to be able to automate it with raw data input such as csv.
For example, the csv file is as follows and it means these inputs only cover A1,B1,A2,B2 in the csv (regard it as excel). "testday1,testday2" is in B2.
group_name, members
test_group, "testday1,testday2"

Suppose I create a variable called "temp" which is equal to this B2 "testday1,testday2", making "temp" to be a list type. Then in the script, I wish I could make it like the following:
firewall_addrgrp:
  name: test_group
  member: "{{ temp }}" ---------->>>
In this way, the whole script could automate address group creation based on a large csv input file with ansible loop such as "with_dict".

Based on the existing design of the module, it's impossible to realize the automation. You have to enter many lines of "- name: xxx", depending on how many members are in one address group.

At the same time,
for "fortios_ipv4_policy" module (https://docs.ansible.com/ansible/2.9/modules/fortios_ipv4_policy_module.html#fortios-ipv4-policy-module), it works pretty well.
E.g., for the "service" input, it mentions "Specifies policy service(s), could be a list (ex: ['MAIL','DNS'])".
For others such as "src_addr", "src_intf" and the like, although they don't mention that a list can be accepted, from my test they all work with list input. Full automation can be achieved for firewall policy creation.
In my "with_dict" loop:
src_addr: "{{ item.value.source_address }}" -----> it corresponds to "testday1,testday2" in csv file

Could you please check the "fortios_firewall_addrgrp" source code and let me know if the full automation I mentioned above can be achieved?
Appreciate it!

Module fortios_vpn_ssl_settings: banned_cipher doesn't work

Hello,

I want to ban some ciphers for SSL VPN. But it works only for one value, e.g.: banned_cipher: "3DES". I also tried banned_cipher: '"3DES" "SHA1" "STATIC"'. But then I get this error message:

fatal: [localhost]: FAILED! => {"changed": false, "msg": "value of banned_cipher must be one of: RSA, DH, DHE, ECDH, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC, got: '3DES' 'SHA1' 'STATIC' found in vpn_ssl_settings"}

This is my playbook:

  ....
  - name: Configure SSL VPN settings
    fortios_vpn_ssl_settings:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "True"
      ssl_verify:  "{{ ssl_verify }}"
      vpn_ssl_settings:
        banned_cipher: '"3DES" "SHA1" "STATIC"'

At the CLI it works with `set banned-cipher "3DES" "SHA1" "STATIC"`.

Ansible 2.10 support

hi @felixfontein,

I got a problem with ansible-base, i.e. 2.10.

Aug-10 04:02:56 linky@hyrule  ~/workspace/Ansible/BUGTRIAGE/FMG/failed_modules
$ansible --version
ansible 2.10.0rc4
  config file = None
  configured module search path = ['/home/linky/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/linky/.local/lib/python3.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.7.3 (default, Oct  7 2019, 12:56:13) [GCC 8.3.0]
Aug-10 04:02:44 linky@hyrule  ~/workspace/Ansible/BUGTRIAGE/FMG/failed_modules
$cat fmgr_antivirus_mmschecksum.yml
- hosts: fortimanager01
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure MMS content checksum list.
     fmgr_antivirus_mmschecksum:
        adom: "root"
        state: present
        antivirus_mmschecksum:
           comment: 'test-comment2'
           entries:
             -
                 checksum: "test_checksum2"
                 name: "entries-name2"
                 status: disable
           id: 21
           name: "test_checksum21"
Aug-10 04:02:54 linky@hyrule  ~/workspace/Ansible/BUGTRIAGE/FMG/failed_modules
$cat host
[myfortimanagers]
fortimanager01 ansible_host=192.168.190.102 ansible_user=APIUser ansible_password=Fortinet1!
fortimanager02 ansible_host=192.168.190.103 ansible_user=APIUser ansible_password=Fortinet1!
[myfortimanagers:vars]
ansible_network_os=fortinet.fortimanager.fortimanager

but I got an error of searching plugin in our own collection:

Aug-10 03:58:00 linky@hyrule  ~/workspace/Ansible/BUGTRIAGE/FMG/failed_modules
$ansible-playbook -i host -vvv fmgr_antivirus_mmschecksum.yml
ansible-playbook 2.10.0rc4
  config file = None
  configured module search path = ['/home/linky/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/linky/.local/lib/python3.7/site-packages/ansible
  executable location = /home/linky/.local/bin/ansible-playbook
  python version = 3.7.3 (default, Oct  7 2019, 12:56:13) [GCC 8.3.0]
No config file found; using defaults
host_list declined parsing /home/linky/workspace/Ansible/BUGTRIAGE/FMG/failed_modules/host as it did not pass its verify_file() method
script declined parsing /home/linky/workspace/Ansible/BUGTRIAGE/FMG/failed_modules/host as it did not pass its verify_file() method
auto declined parsing /home/linky/workspace/Ansible/BUGTRIAGE/FMG/failed_modules/host as it did not pass its verify_file() method
Parsed /home/linky/workspace/Ansible/BUGTRIAGE/FMG/failed_modules/host inventory source with ini plugin
PLAYBOOK: fmgr_antivirus_mmschecksum.yml *************************************************************************************************************************************************************************************************
1 plays in fmgr_antivirus_mmschecksum.yml
PLAY [fortimanager01] ********************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] *******************************************************************************************************************************************************************************************************************
task path: /home/linky/workspace/Ansible/BUGTRIAGE/FMG/failed_modules/fmgr_antivirus_mmschecksum.yml:1
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
fatal: [fortimanager01]: FAILED! => {
    "msg": "the connection plugin 'httpapi' was not found"
}
PLAY RECAP *******************************************************************************************************************************************************************************************************************************
fortimanager01             : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Could you help us?

thanks,

Check for missing commits vs devel

SUMMARY

The "Big Migration" has now taken place.

As this collection already exists, we need to carefully check to see if any further commits went into devel since this repo was created.

Please check the contents of https://github.com/ansible-collection-migration/fortinet.fortios against this repo

In particular:

  • Please do a per-file level diff against every file in the ansible-collection-migration repo and this one
  • Pay care to files added and removed.
  • During the last two weeks there have been lots of fixes, especially around tests, dependencies, and new collection features, e.g. meta/action_groups.yml
ISSUE TYPE
  • Bug Report

fortios_user_group can't configure "config match" section

Ansible Version:

ansible 2.9.9
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.17 (default, Apr 15 2020, 17:20:14) [GCC 7.5.0]

Ubuntu Version:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:        18.04
Codename:       bionic

Fortigate VM Version (Trial):

FortiGate-VM64 # get system status
Version: FortiGate-VM64 v6.2.3,build1066,191218 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGVMEVHOGQZIMMA5
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Valid
Evaluation License Expires: Tue Jul 14 10:27:39 2020
VM Resources: 1 CPU/1 allowed, 1002 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FortiGate-VM64
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1066
Release Version Information: GA
FortiOS x86-64: Yes
System time: Tue Jun 30 08:18:14 2020

I'm having issues with the fortios_user_group module. I can create a new member but I cannot create a match config. When I attempt to run the playbook I get:

fatal: [192.168.109.128]: FAILED! => {"changed": false, "meta": {"build": 1066, "error": -5, "http_method": "POST", "http_status": 500, "name": "group", "path": "user", "revision": "d2f0305ca077b2443fbea23b5f7648c4", "revision_changed": false, "serial": "FGVMEVOV0E3YRT13", "status": "error", "vdom": "root", "version": "v6.2.3"}, "msg": "Error in repo"}

The playbook is as follows:

  fortios_user_group:
    host: "{{ host }}:{{ portnum }}"
    username: "{{ username }}"
    password: "{{ password }}"
    vdom: "{{ vdom }}"
    https: False
    ssl_verify: False
    state: "present"
    user_group:
      name: "TACACS-admin"
      member:
       -
          name: "ISE"
      match:
       -
          id: "1"
          server_name: "ISE"
          group_name: "test"

If I create match config 1 manually on the firewall as follows:

config user group
    edit "SSO_Guest_Users"
    next
    edit "Guest-group"
        set member "guest"
    next
    edit "TACACS-admin"
        set member "ISE"
        config match
            edit 1
                set server-name "ISE"
                set group-name "test2"
            next
        end
    next
end

and run the playbook I do not get the error message above. However, I still cannot change values that have been manually entered for the config match section. For example, if I change the group name from "test" to "test2" it will not apply it even though the playbook shows this was changed. The group creation works fine, it's just the config match that is not working. Am I doing something wrong?

Issue on task with custom type

I'm writing a role in Ansible to configure multiple FortiGates from Zero Day to Production, and I have created a first simple task to set NTP.

My Code:

- name: Configure NTP Server
  fortios_system_ntp:
    host: '{{ ansible_host }}'
    username: '{{ fgt.user }}'
    password: '{{ ansible_password }}'
    ssl_verify: '{{ fgt.ssl_verify }}'
    https: '{{ fgt.https }}'
    system_ntp:
      ntpsync: "enable"
      server_mode: "enable"
      type: '{{ ntp.type }}'
      ntpserver:
        - id: '{{ item.id }}'
          server: '{{ item.server }}'
  loop: '{{ ntp.ntpserver }}'
  when: 'ansible_host in groups[item.site]'

When I execute the play on this specific task it fails with a not useful error message:

TASK [fortinet-onboard : Configure NTP Server] *********************************
failed: [host01-f22] (item={u'site': u'AAA', u'id': 1, u'server': u'2.2.2.1'}) => {"ansible_loop_var": "item", "changed": false, "item": {"id": 1, "server": "2.2.2.1", "site": "AAA"}, "meta": {"build": 335, "http_method": "POST", "http_status": 405, "name": "ntp", "path": "system", "serial": "FGVMEVIZRRPG_S45", "status": "error", "vdom": "root", "version": "v6.0.9"}, "msg": "Error in repo"}
failed: [host02-f22] (item={u'site': u'AAA', u'id': 1, u'server': u'2.2.2.1'}) => {"ansible_loop_var": "item", "changed": false, "item": {"id": 1, "server": "2.2.2.1", "site": "AAA"}, "meta": {"build": 335, "http_method": "POST", "http_status": 405, "name": "ntp", "path": "system", "serial": "FGVMEVKKSUP_SCA1", "status": "error", "vdom": "root", "version": "v6.0.9"}, "msg": "Error in repo"}
failed: [host01-f22] (item={u'site': u'AAA', u'id': 2, u'server': u'2.2.2.2'}) => {"ansible_loop_var": "item", "changed": false, "item": {"id": 2, "server": "2.2.2.2", "site": "AAA"}, "meta": {"build": 335, "http_method": "POST", "http_status": 405, "name": "ntp", "path": "system", "serial": "FGVMEVIZRRPG_S45", "status": "error", "vdom": "root", "version": "v6.0.9"}, "msg": "Error in repo"}
failed: [host02-f22] (item={u'site': u'AAA', u'id': 2, u'server': u'2.2.2.2'}) => {"ansible_loop_var": "item", "changed": false, "item": {"id": 2, "server": "2.2.2.2", "site": "AAA"}, "meta": {"build": 335, "http_method": "POST", "http_status": 405, "name": "ntp", "path": "system", "serial": "FGVMEVKKSUP_SCA1", "status": "error", "vdom": "root", "version": "v6.0.9"}, "msg": "Error in repo"}

What does this message "Error in repo" mean?

Could you help me please?

Regards,

Aldo Pellini

SD-WAN changes in 6.4.1

In 6.4.1, Fortinet changed how SD-WAN is configured. There are now named SD-WAN zones instead of using a global SD-WAN 'group'.
Documentation:
https://docs.fortinet.com/document/fortigate/6.4.1/administration-guide/218559/configuring-the-sd-wan-interface
Release notes:
https://docs.fortinet.com/document/fortigate/6.4.1/fortios-release-notes/251225/sd-wan-upgrade-changes

As expected, this breaks fortios_system_virtual_wan_link since there is no field for the zone name.

Please let me know what I can do to help troubleshoot this - thanks!

Using module version 1.0.11

Configuration of the task:

  - name: Configure SDWAN.
    fortios_system_virtual_wan_link:
      system_virtual_wan_link:
        members:
         -
            seq-num: "1"
            interface: "wan1"
            status: "enable"
         -
            seq-num: "2"
            interface: "wan2"
            status: "enable" 
        status: "enable"

Result (-vvv):
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
<10.0.30.172> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.0.30.172> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /root/.ansible/tmp/ansible-local-8145u6w1fzac"&& mkdir "echo /root/.ansible/tmp/ansible-local-8145u6w1fzac/ansible-tmp-1601940262.3799806-8309-238715919498361" && echo ansible-tmp-1601940262.3799806-8309-238715919498361="echo /root/.ansible/tmp/ansible-local-8145u6w1fzac/ansible-tmp-1601940262.3799806-8309-238715919498361" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_virtual_wan_link.py
<10.0.30.172> PUT /root/.ansible/tmp/ansible-local-8145u6w1fzac/tmpc_pquyt2 TO /root/.ansible/tmp/ansible-local-8145u6w1fzac/ansible-tmp-1601940262.3799806-8309-238715919498361/AnsiballZ_fortios_system_virtual_wan_link.py
<10.0.30.172> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-8145u6w1fzac/ansible-tmp-1601940262.3799806-8309-238715919498361/ /root/.ansible/tmp/ansible-local-8145u6w1fzac/ansible-tmp-1601940262.3799806-8309-238715919498361/AnsiballZ_fortios_system_virtual_wan_link.py && sleep 0'
<10.0.30.172> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-local-8145u6w1fzac/ansible-tmp-1601940262.3799806-8309-238715919498361/AnsiballZ_fortios_system_virtual_wan_link.py && sleep 0'
<10.0.30.172> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-8145u6w1fzac/ansible-tmp-1601940262.3799806-8309-238715919498361/ > /dev/null 2>&1 && sleep 0'
fatal: [test-fgt]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "host": null,
            "https": true,
            "password": "",
            "ssl_verify": true,
            "system_virtual_wan_link": {
                "fail_alert_interfaces": null,
                "fail_detect": null,
                "health_check": null,
                "load_balance_mode": null,
                "members": [
                    {
                        "interface": "wan1",
                        "seq-num": "1",
                        "status": "enable"
                    },
                    {
                        "interface": "wan2",
                        "seq-num": "2",
                        "status": "enable"
                    }
                ],
                "neighbor": null,
                "neighbor_hold_boot_time": null,
                "neighbor_hold_down": null,
                "neighbor_hold_down_time": null,
                "service": null,
                "status": "enable"
            },
            "username": null,
            "vdom": "root"
        }
    },
    "meta": {
        "build": 1723,
        "http_method": "PUT",
        "http_status": 400,
        "name": "virtual-wan-link",
        "path": "system",
        "serial": "[REDACTED]",
        "status": "error",
        "vdom": "root",
        "version": "v6.4.2"
    },
    "msg": "Error in repo"
}

fortios_router_bgp unable to pass remote as

I am unable to create a BGP neighbor. I am unable to pass remote_as attribute using the fortios_router_bgp. remote_as is not defined as required, but it should be in the docs. fortios does not accept neighbor statements without a remote_as.

  - name: Configure BGP Neighbor.
    fortios_router_bgp:
      host: "{{ inventory_hostname }}"
      https: "yes"
      ssl_verify: "no"
      vdom: "{{ vdom_name }}"
      username: "{{ username }}"
      password: "{{ password }}"
      router_bgp:      
        neighbor:
         -
            ip: "192.168.1.1"
            remote_as: "1111"

TASK [Configure BGP Neighbor.] *****************************************
fatal: [device]: FAILED! => {"changed": false, "meta": {"build": 1066, "http_method": "POST", "http_status": 405, "name": "bgp", "path": "router", "serial": "FGxxxxxxx", "status": "error", "vdom": "test", "version": "v6.2.3"}, "msg": "Error in repo"}

DEBUG on Fortigate

0: config vdom
2305 1 cmd =
end
0: edit test
0: config router bgp
0: config neighbor
0: edit "192.168.1.1"
1: end
2306 1 cmd =
config vdom
edit test
config router bgp
config neighbor
edit 192.168.1.1
abort
abort

fortios_router_route_map module does not attach ACL or prefix-list to it

Issue Description

I cannot pass the match_ip_address attribute using fortios_router_route_map.
The match_ip_address is not attached to the route-map resource. Other parameters like local_preference seem to be working fine.

- name: Configure route maps.
    fortios_router_route_map:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      state: "present"
      router_route_map:
        comments: "<your_own_value>"
        name: "default_name_4"
        rule:
         -
            action: "permit"
            id:  "7"
            match_as_path: "<your_own_value> (source router.aspath-list.name)"
            match_community: "<your_own_value> (source router.community-list.name)"
            match_community_exact: "enable"
            match_flags: "11"
            match_interface: "<your_own_value> (source system.interface.name)"
            match_ip_address: "<your_own_value> (source router.access-list.name router.prefix-list.name)"
            match_ip_nexthop: "<your_own_value> (source router.access-list.name router.prefix-list.name)"
            match_ip6_address: "<your_own_value> (source router.access-list6.name router.prefix-list6.name)"
            match_ip6_nexthop: "<your_own_value> (source router.access-list6.name router.prefix-list6.name)"
            match_metric: "17"
            match_origin: "none"
            match_route_type: "1"
            match_tag: "20"
            set_aggregator_as: "21"
            set_aggregator_ip: "<your_own_value>"
            set_aspath:

Steps to reproduce

route_map.yaml

---

- name: create BGP neighbor
  hosts: localhost
  vars_files:
   - vars.yaml

  tasks:
  - name: Configure route_map_in_pri
    fortios_router_route_map:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "yes"
      ssl_verify: "no"
      state: "present"
      router_route_map:
        comments: ""
        name: "{{ provider}}-{{ item.cust_name }}-bgp-in-pri"
        rule:
          -
            action: "permit"
            id: "1"
            match_ip_address: "source router.prefix-list.aws-{{ item.cust_name }}-networks"
            set_local_preference:
    loop: "{{ variables }}"

vars.yaml

---
host: "device_ip"
username: ""
password: ""
vdom: ""
ssl_verify: "False"

provider: "aws"
variables:
   - { cust_name: test  }

run the play
ansible-playbook route_map.yaml

Actual and Expected result

The playbook ends with no errors, the route-map is created without the prefix-list attached.

The prefix-list has been configured manually:

config router prefix-list
    edit "aws-test-networks"
        config rule
            edit 1
                set prefix 10.10.0.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

while the route-map does not contain the desired match_ip_address value

config router route-map
    edit "aws-test-bgp-in-pri"
        config rule
            edit 1
            next
        end
    next
end

fortios_address, fortios_config, fortios_ipv4_policy removed in patch release without deprecation

Hi,
In ea07b61 you deleted:

  • fortios_address
  • fortios_config
  • fortios_ipv4_policy

Without going through any deprecation cycle, also this was done in a patch release.
As these modules were released in Ansible 2.3 & 2.4 ea07b61#diff-2fc04ddd652278d20701a1eb10e7334dL18 you've broken anyone upgrading from Ansible 2.9 to 2.10 by deleting these three modules without going via any notice period.

If there are equivalent modules with new functionality you need to add a meta/runtime.yml redirect to the new file.
Or if not, you need to restore the files, mark as deprecated, then removed in a later release, see ansible-collections/community.kubernetes#165 for how a deprecated redirect would look like (search for k8s_facts).

@chillancezen @frankshen01 @JieX19 @bjolivot Could you please respond to this today.

Using lists with firewall policy

Hi, in this playbook I am making some local and remote firewall addresses which eventually will be used in the firewall policy. It seems like the addresses get created correctly, but I'm having a hard time finding a way of adding these 2 separate lists into the policy. I'd really appreciate your help in advance.

- hosts: fortigates
  connection: httpapi
  collections:
  - fortinet.fortios

  vars_prompt:
   - name: username
     prompt: username
     private: no

   - name: password
     prompt: password
     private: yes

  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
   ansible_user: "{{ username }}"
   ansible_password: "{{ password }}"
   customer: "la"

   remote_networks:
      - {remote_network_subnet: "210.20.30.0/24",    remote_subnet_name: "LA-IP1"}
      - {remote_network_subnet: "210.20.40.100/30",  remote_subnet_name: "LA-IP2"}
      - {remote_network_subnet: "210.20.50.0/28",    remote_subnet_name: "LA-IP3"}
      - {remote_network_subnet: "210.20.60.145/32",  remote_subnet_name: "LA-IP4"}
      - {remote_network_subnet: "210.20.70.0/24",    remote_subnet_name: "LA-IP5"}
      - {remote_network_subnet: "210.20.80.16/32",   remote_subnet_name: "LA-IP6"}
      - {remote_network_subnet: "210.20.90.0/30",    remote_subnet_name: "LA-IP7"}
      - {remote_network_subnet: "210.20.140.104/32", remote_subnet_name: "LA-IP8"}

   local_networks:
      - {local_network_subnet: "10.20.30.0/24",    local_subnet_name: "MY-IP1"}
      - {local_network_subnet: "10.20.40.100/30",  local_subnet_name: "MY-IP2"}
      - {local_network_subnet: "10.20.50.0/28",    local_subnet_name: "MY-IP3"}
      - {local_network_subnet: "10.20.60.145/32",  local_subnet_name: "MY-IP4"}
      - {local_network_subnet: "10.20.70.0/24",    local_subnet_name: "MY-IP5"}
      - {local_network_subnet: "10.20.80.16/32",   local_subnet_name: "MY-IP6"}
      - {local_network_subnet: "10.20.90.0/30",    local_subnet_name: "MY-IP7"}
      - {local_network_subnet: "10.20.140.104/32", local_subnet_name: "MY-IP8"}

  tasks:
  - name: Configure Remote IPv4 addresses
    fortios_firewall_address:
      vdom:  "{{ vdom }}"
      state: "present"
      firewall_address:
        name: "{{ item.remote_subnet_name }}"
        type: "ipmask"
        subnet: "{{ item.remote_network_subnet}}"
    with_items:
      - "{{ remote_networks }}"

  - name: Configure Local IPv4 addresses
    fortios_firewall_address:
      vdom:  "{{ vdom }}"
      state: "present"
      firewall_address:
        name: "{{ item.local_subnet_name }}"
        type: "ipmask"
        subnet: "{{ item.local_network_subnet}}"
    with_items:
      - "{{ local_networks }}"

  - name: Configure IPv4 policy
    fortios_firewall_policy:
      vdom:  "{{ vdom }}"
      state: "present"
      firewall_policy:
        state: "present"
        policyid: "2002"
        name: "Policy_2002"
        action: "deny"
        srcintf:
          - name: any
        dstintf:
          - name: any
        srcaddr:
          - name: "{{ item.local_subnet_name }}"
        dstaddr:
          - name: "{{ item.remote_subnet_name }}"
        service: 
          - name: 'HTTP'
          - name: 'HTTPS'
        schedule: "always"
        nat: "disable"
        logtraffic: "all"
    with_items:
      - "{{ local_networks }}"
      - "{{ remote_networks }}"

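An added example (not code from the collection or from either issue's author) that serves both the CSV question about fortios_firewall_addrgrp above and this firewall policy playbook: a Python filter plugin, named to_name_list here as an assumption, that turns a CSV cell such as "testday1,testday2" or the local_networks/remote_networks lists into the [{name: ...}] shape both modules expect, so one task can take the whole list instead of looping over two lists whose items lack each other's keys.

```python
"""Filter plugin for building fortios member/address lists from flat data.

Added example, not part of the fortinet.fortios collection. Drop it into a
filter_plugins/ directory next to the playbook and write
    member: "{{ temp | to_name_list }}"          (addrgrp, CSV cell)
    srcaddr: "{{ local_networks | to_name_list('local_subnet_name') }}"
"""
import csv
import io

# Constructed sample: the two-column CSV from the addrgrp question, including
# the space after the comma, which needs skipinitialspace to parse correctly.
SAMPLE_CSV = 'group_name, members\ntest_group, "testday1,testday2"\n'

# Constructed samples in the shape of the firewall-policy playbook's vars.
LOCAL_NETWORKS = [
    {"local_network_subnet": "10.20.30.0/24", "local_subnet_name": "MY-IP1"},
    {"local_network_subnet": "10.20.40.100/30", "local_subnet_name": "MY-IP2"},
]
REMOTE_NETWORKS = [
    {"remote_network_subnet": "210.20.30.0/24", "remote_subnet_name": "LA-IP1"},
]


def to_name_list(value, attribute=None):
    """Return [{"name": n}, ...] from a "a,b" string, a list of strings, or a
    list of dicts (taking `attribute` from each dict).

    Blank entries are dropped and duplicates removed while preserving order,
    so a sloppy CSV cell never sends an empty or repeated object name to the
    FortiGate, where it would be rejected or silently collapsed.
    """
    if isinstance(value, str):
        names = value.split(",")
    elif isinstance(value, (list, tuple)):
        if attribute is None:
            names = [str(v) for v in value]
        else:
            names = [str(v[attribute]) for v in value]
    else:
        raise TypeError("to_name_list expects a str or list, got %r" % type(value))
    seen = []
    for name in names:
        name = name.strip()
        if name and name not in seen:
            seen.append(name)
    return [{"name": n} for n in seen]


def addrgrps_from_csv(text):
    """Parse a group_name,members CSV into one firewall_addrgrp dict per row."""
    rows = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    return [
        {"name": row["group_name"].strip(), "member": to_name_list(row["members"])}
        for row in rows
    ]


def policy_params(policyid, name, local, remote):
    """Build the firewall_policy sub-dict with every local address as srcaddr
    and every remote address as dstaddr in a single policy."""
    return {
        "policyid": str(policyid),
        "name": name,
        "action": "deny",
        "srcintf": [{"name": "any"}],
        "dstintf": [{"name": "any"}],
        "srcaddr": to_name_list(local, attribute="local_subnet_name"),
        "dstaddr": to_name_list(remote, attribute="remote_subnet_name"),
        "service": [{"name": "HTTP"}, {"name": "HTTPS"}],
        "schedule": "always",
        "nat": "disable",
        "logtraffic": "all",
    }


class FilterModule(object):
    """Entry point Ansible looks for in filter_plugins/*.py."""

    def filters(self):
        return {"to_name_list": to_name_list}


if __name__ == "__main__":
    print(addrgrps_from_csv(SAMPLE_CSV))
    print(policy_params(2002, "Policy_2002", LOCAL_NETWORKS, REMOTE_NETWORKS))
```
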
Why append member option missing for fortios_firewall_addrgrp

Thank you for this collection and modules.

But, it seems a major feature is missing for fortios_firewall_addrgrp.py.
We can add Address Groups but it will keep only the members we mention there.
What if there are 100 member addresses/groups in an Address Group and we want to append 1 or 2 members?

I can append members from the console as below; this means the feature is available on the device but we missed including it in the module.
append member test1-10.2.10.0-24

Could anyone please advise if there is an option to append with the same module,
or any other module I can use to append a member to an Address Group?

Thank you.

Module Error: fortios_system_config_backup_restore (1.0.15)

Hello,

I just tried the new 1.0.15 with the module which currently doesn't seem to be documented. I'm getting a module error during the play:

Playbook:

- hosts: fortigates
  collections:
   - fortinet.fortios
  connection: httpapi
  tasks:
  - name: backup global or a_specific_vdom settings
    fortios_system_config_backup_restore:
      config: "system config backup"
      backup: "yes"
      https: True
      ssl_verify: False
      scope: "vdom"
      filename: "/tmp/backup_test"
    register: config

  - debug:
      msg: "{{ config }}"

ansible version

ansible 2.9.12
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/gianni/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.5 (default, Jul 27 2020, 08:42:51) [GCC 10.1.0]

FortiOS Version: 6.2.3

playbook output & error:

The full traceback is:
Traceback (most recent call last):
  File "/home/gianni/.ansible/tmp/ansible-local-129237exkd2aw/ansible-tmp-1598526099.8403006-12983-87780068124564/AnsiballZ_fortios_system_config_backup_restore.py", line 102, in <module>
    _ansiballz_main()
  File "/home/gianni/.ansible/tmp/ansible-local-129237exkd2aw/ansible-tmp-1598526099.8403006-12983-87780068124564/AnsiballZ_fortios_system_config_backup_restore.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/gianni/.ansible/tmp/ansible-local-129237exkd2aw/ansible-tmp-1598526099.8403006-12983-87780068124564/AnsiballZ_fortios_system_config_backup_restore.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_system_config_backup_restore', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib/python3.8/runpy.py", line 207, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.8/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_fortios_system_config_backup_restore_payload_3m0h85kx/ansible_fortios_system_config_backup_restore_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_config_backup_restore.py", line 344, in <module>
  File "/tmp/ansible_fortios_system_config_backup_restore_payload_3m0h85kx/ansible_fortios_system_config_backup_restore_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_config_backup_restore.py", line 329, in main
  File "/tmp/ansible_fortios_system_config_backup_restore_payload_3m0h85kx/ansible_fortios_system_config_backup_restore_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_config_backup_restore.py", line 211, in fortigate_backup
KeyError: 'results'
fatal: [fortigate01]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/home/gianni/.ansible/tmp/ansible-local-129237exkd2aw/ansible-tmp-1598526099.8403006-12983-87780068124564/AnsiballZ_fortios_system_config_backup_restore.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/home/gianni/.ansible/tmp/ansible-local-129237exkd2aw/ansible-tmp-1598526099.8403006-12983-87780068124564/AnsiballZ_fortios_system_config_backup_restore.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/gianni/.ansible/tmp/ansible-local-129237exkd2aw/ansible-tmp-1598526099.8403006-12983-87780068124564/AnsiballZ_fortios_system_config_backup_restore.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_system_config_backup_restore', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib/python3.8/runpy.py\", line 207, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib/python3.8/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib/python3.8/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_fortios_system_config_backup_restore_payload_3m0h85kx/ansible_fortios_system_config_backup_restore_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_config_backup_restore.py\", line 344, in <module>\n  File \"/tmp/ansible_fortios_system_config_backup_restore_payload_3m0h85kx/ansible_fortios_system_config_backup_restore_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_config_backup_restore.py\", line 329, in main\n  File \"/tmp/ansible_fortios_system_config_backup_restore_payload_3m0h85kx/ansible_fortios_system_config_backup_restore_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_config_backup_restore.py\", line 211, in 
fortigate_backup\nKeyError: 'results'\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

Not able to configure new vlan with fortios_system_interface

SUMMARY

I am trying to create a new interface on FortiGate 3100D using fortios_system_interface but all I can get is:

MSG:

Error in repo

Most probably the way I am writing the playbook is wrong but the error message is not very meaningful.
This bug report might be also useful for future reference.
ISSUE TYPE

Bug Report

COMPONENT NAME

fortios_system_interface
ANSIBLE VERSION

ansible 2.9.5
config file = /etc/ansible/ansible.cfg
configured module search path = ['/usr/local/lib/python3.6/site-packages/tm_merger/modules', '/usr/local/lib/python3.6/site-packages/pyateos/modules', '/usr/local/lib/python3.6/site-packages/git_acp/modules', '/usr/local/lib/python3.6/site-packages/napalm_ansible/modules']
ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]

STEPS TO REPRODUCE

- hosts: localhost
  tasks:
  - name: Configure interfaces.
    fortios_system_interface:
      host: '10.76.34.42'
      username: 'user'
      password: 'password'
      vdom: 'root'
      state: 'present'
      ssl_verify: 'False'
      system_interface:
        interface: 'ag1_int'
        type: 'vlan'
        name: 'prod_red_tran_t10_vl1910'
        alias: 'prod_red_tran_t10_vl1910'
        vlanid: '1910'
        vdom: 'RED'
        ip: '10.76.101.26 255.255.255.248'
        allowaccess: 'ping'

ACTUAL RESULTS

fatal: [localhost]: FAILED! => {
"changed": false,
"meta": {
"build": 1637,
"error": -54,
"http_method": "POST",
"http_status": 500,
"name": "interface",
"old_revision": "44c31cc52b74d74eff3002455db52070",
"path": "system",
"revision": "d80b69b42683ca6922f0466ddb46e7e9",
"revision_changed": true,
"serial": "FGT31D3Z15800162",
"status": "error",
"vdom": "root",
"version": "v6.4.1"
}
}

MSG:

Error in repo

Inconsistent use of lists/strings compared to fortiosapi

There are some small but significant differences between how the Ansible modules handle data and how the fortiosapi handles data. These can be worked around in our code, but it creates a massive overhead: traversing dict structures to fix it, tracking all the exceptions, and having to create the mappings back and forth between Ansible logic and fortiosapi logic in every scenario.

Some context: we're fetching the current running config for additional information about how the systems are configured, to help drive decisions about how to push new Ansible configuration. However, we are getting different results between what the fortiosapi returns and how we need to configure Ansible.

Here's an example:

Possible suggestions:

  • Fix upstream in the api that it returns a list when queried through the get
  • Accept both list and a string in the ansible module for consistency with the api, detect and deal with it in that L358 section
  • Add methods to fetch data from the systems using ansible modules and then deal with the inconsistency issues internally

fortios_system_vmlicense module throwing error

[2020-06-25 02:46:13,970] {ans_handler:68} DEBUG - ansible playbook task conf_license : Wait timer for vFW instance readiness run OK: {'state': 'started', 'port': None, 'search_regex': None, 'match_groups': [], 'match_groupdict': {}, 'path': None, 'elapsed': 90, 'invocation': {'module_args': {'timeout': 90, 'host': '127.0.0.1', 'connect_timeout': 5, 'delay': 0, 'active_connection_states': ['ESTABLISHED', 'FIN_WAIT1', 'FIN_WAIT2', 'SYN_RECV', 'SYN_SENT', 'TIME_WAIT'], 'state': 'started', 'sleep': 1, 'port': None, 'path': None, 'search_regex': None, 'exclude_hosts': None, 'msg': None}}, '_ansible_no_log': False, 'changed': False}
[2020-06-25 02:46:13,979] {ans_handler:155} DEBUG - ansible playbook task Configure License started:
[2020-06-25 02:46:17,295] {ans_handler:142} ERROR - task: 'conf_license : Configure License' FAILED: MODULE FAILURE
See stdout/stderr for the exact error, [{'task': 'conf_license : Configure License', 'result': {'module_stdout': '', 'module_stderr': 'Traceback (most recent call last):\n File "/root/.ansible/tmp/ansible-local-10nuh0gds4/ansible-tmp-1593053176.7907958-124938959598587/AnsiballZ_fortios_system_vmlicense.py", line 102, in \n _ansiballz_main()\n File "/root/.ansible/tmp/ansible-local-10nuh0gds4/ansible-tmp-1593053176.7907958-124938959598587/AnsiballZ_fortios_system_vmlicense.py", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/root/.ansible/tmp/ansible-local-10nuh0gds4/ansible-tmp-1593053176.7907958-124938959598587/AnsiballZ_fortios_system_vmlicense.py", line 40, in invoke_module\n runpy.run_module(mod_name='ansible.modules.fortios_system_vmlicense', init_globals=None, run_name='main', alter_sys=True)\n File "/usr/local/lib/python3.6/runpy.py", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File "/usr/local/lib/python3.6/runpy.py", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File "/usr/local/lib/python3.6/runpy.py", line 85, in _run_code\n exec(code, run_globals)\n File "/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible/modules/fortios_system_vmlicense.py", line 284, in \n File "/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible/modules/fortios_system_vmlicense.py", line 262, in main\n File "/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible/modules/fortios_system_vmlicense.py", line 225, in fortios_system\n File "/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible/modules/fortios_system_vmlicense.py", line 214, in system_vmlicense\n File 
"/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py", line 200, in execute\n File "/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible/module_utils/connection.py", line 185, in rpc\nansible.module_utils.connection.ConnectionError: Expecting value: line 1 column 1 (char 0)\n', 'exception': 'Traceback (most recent call last):\n File "/root/.ansible/tmp/ansible-local-10nuh0gds4/ansible-tmp-1593053176.7907958-124938959598587/AnsiballZ_fortios_system_vmlicense.py", line 102, in \n _ansiballz_main()\n File "/root/.ansible/tmp/ansible-local-10nuh0gds4/ansible-tmp-1593053176.7907958-124938959598587/AnsiballZ_fortios_system_vmlicense.py", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/root/.ansible/tmp/ansible-local-10nuh0gds4/ansible-tmp-1593053176.7907958-124938959598587/AnsiballZ_fortios_system_vmlicense.py", line 40, in invoke_module\n runpy.run_module(mod_name='ansible.modules.fortios_system_vmlicense', init_globals=None, run_name='main', alter_sys=True)\n File "/usr/local/lib/python3.6/runpy.py", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File "/usr/local/lib/python3.6/runpy.py", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File "/usr/local/lib/python3.6/runpy.py", line 85, in _run_code\n exec(code, run_globals)\n File "/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible/modules/fortios_system_vmlicense.py", line 284, in \n File "/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible/modules/fortios_system_vmlicense.py", line 262, in main\n File 
"/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible/modules/fortios_system_vmlicense.py", line 225, in fortios_system\n File "/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible/modules/fortios_system_vmlicense.py", line 214, in system_vmlicense\n File "/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py", line 200, in execute\n File "/tmp/ansible_fortios_system_vmlicense_payload_wgqcsmws/ansible_fortios_system_vmlicense_payload.zip/ansible/module_utils/connection.py", line 185, in rpc\nansible.module_utils.connection.ConnectionError: Expecting value: line 1 column 1 (char 0)\n', 'msg': 'MODULE FAILURE\nSee stdout/stderr for the exact error', 'rc': 1, '_ansible_no_log': False, 'changed': False}}]
[2020-06-25 02:46:17,319] {ans_handler:270} DEBUG - request 5f0b15a9-bf82-4fdd-b53e-e6fff3315b84 action Configure ansible facts{"state": "started", "port": null, "search_regex": null, "match_groups": [], "match_groupdict": {}, "path": null, "elapsed": 90, "invocation": {"module_args": {"timeout": 90, "host": "127.0.0.1", "connect_timeout": 5, "delay": 0, "active_connection_states": ["ESTABLISHED", "FIN_WAIT1", "FIN_WAIT2", "SYN_RECV", "SYN_SENT", "TIME_WAIT"], "state": "started", "sleep": 1, "port": null, "path": null, "search_regex": null, "exclude_hosts": null, "msg": null}}, "_ansible_no_log": false, "changed": false}
[2020-06-25 02:46:17,320] {ans_handler:362} ERROR - request 5f0b15a9-bf82-4fdd-b53e-e6fff3315b84 action Configure FAILED:conf_license : Configure License resource tasks failed failure code:

Question about module "fortios_firewall_addrgrp"

Hi, support team, I've a question when using the module "fortios_firewall_addrgrp".
First of all, my versions are:
ansible 2.9.0
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /xxxxx/lib/python3.6/site-packages/ansible
executable location = /xxxx/bin/ansible
python version = 3.6.8 (default, Apr 2 2020, 13:34:55) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

Then,
I understand that under:

firewall_addrgrp:
  name: test_group
  member:
    - name: testday1
    - name: testday2

It will create an address group "test_group" with members "testday1" and "testday2".
However, I don't think it makes much sense not to be able to automate it with raw data input such as csv.
For example, the csv file is as follows; these inputs only cover cells A1, B1, A2, B2 in the csv (regard it as Excel). "testday1,testday2" is in B2.
group_name, members
test_group, "testday1,testday2"

Suppose I create a variable called "temp" which is equal to this B2 "testday1,testday2", making "temp" a list type. Then in the script, I wish I could make it like the following:

firewall_addrgrp:
  name: test_group
  member: "{{ temp }}" ---------->>>

In this way, the whole script could automate address group creation based on a large csv input file with an Ansible loop such as "with_dict".

Based on the existing design of the module, it's impossible to realize the automation. You have to enter many lines of "- name: xxx" based on how many members in one address group.

At the same time,
For the "fortios_ipv4_policy" module (https://docs.ansible.com/ansible/2.9/modules/fortios_ipv4_policy_module.html#fortios-ipv4-policy-module), it works pretty well.
E.g., for the "service" input, it mentions "Specifies policy service(s), could be a list (ex: ['MAIL','DNS'])".
For others such as "src_addr", "src_intf" and the like, although they don't mention that a list can be accepted, from my test they all work with list input. Full automation can be achieved for firewall policy creation.
In my "with_dict" loop:
src_addr: "{{ item.value.source_address }}" -----> it corresponds to "testday1,testday2" in csv file

Could you please take a check on "fortios_firewall_addrgrp" source code and let me know if the full automation I mentioned above can be achieved?
Appreciate it!
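As an added example (not code from the fortinet.fortios collection or from these posts), the helper below turns a member spec given as a CSV cell ("testday1,testday2"), a list of names, or a fortiosapi GET result into the module's `- name:` list, and computes the merged list needed to append one or two members to an existing group without dropping the rest (the append question and the list/string inconsistency raised above). The GET response shape, the `results` key and the `member`/`name` fields are assumptions taken from what the issues describe; the sample response is constructed.

```python
"""Normalise FortiOS address-group member specs and compute an append.

Added example, not code from the fortinet.fortios collection. Assumed
shape (from the issues on this page): a fortiosapi GET returns a dict with
a 'results' list whose entries carry 'member' as a list of {'name': ...}
dicts. The SAMPLE_GET response below is constructed for this example.
"""
from typing import Any, Dict, Iterable, List


def normalize_members(spec: Any) -> List[Dict[str, str]]:
    """Turn any member spec shape into the module's list-of-dicts form.

    Accepts:
      * a comma-separated string from a CSV cell: "testday1,testday2"
      * a list of names: ["testday1", "testday2"]
      * a list of {'name': ...} dicts (module form or fortiosapi results)
    Returns [{'name': 'testday1'}, {'name': 'testday2'}], deduplicated,
    in input order, with surrounding whitespace stripped from each name.
    """
    if spec is None:
        return []
    if isinstance(spec, str):
        items: Iterable[Any] = spec.split(",")
    elif isinstance(spec, (list, tuple)):
        items = spec
    else:
        raise TypeError("member spec must be a string or a list, got %r" % type(spec))

    seen = set()
    out: List[Dict[str, str]] = []
    for item in items:
        name = item.get("name") if isinstance(item, dict) else item
        if not isinstance(name, str):
            raise TypeError("member entries must be names or {'name': ...} dicts")
        name = name.strip()
        if not name or name in seen:
            continue  # skip empty CSV cells and duplicates
        seen.add(name)
        out.append({"name": name})
    return out


def existing_members(get_response: Dict[str, Any]) -> List[Dict[str, str]]:
    """Pull the current members out of a (assumed) fortiosapi GET response.

    Raises a descriptive ValueError instead of a bare KeyError when the
    response carries no 'results', so an error reply is reported, not masked.
    """
    results = get_response.get("results")
    if not isinstance(results, list) or not results:
        raise ValueError("unexpected FortiOS response: no 'results' (status=%s)"
                         % get_response.get("status"))
    return normalize_members(results[0].get("member", []))


def append_members(current: Any, to_add: Any) -> List[Dict[str, str]]:
    """Union of current and new members, keeping the current order first.

    The result is the full 'member' list to send back, so that appending
    1 or 2 members to a 100-member group does not drop the other 98.
    """
    merged = normalize_members(current)
    have = {m["name"] for m in merged}
    for m in normalize_members(to_add):
        if m["name"] not in have:
            have.add(m["name"])
            merged.append(m)
    return merged


def members_changed(current: Any, desired: Any) -> bool:
    """True when a write is needed (order-insensitive comparison)."""
    return ({m["name"] for m in normalize_members(current)}
            != {m["name"] for m in normalize_members(desired)})


# Constructed sample GET response in the shape the issues above describe.
SAMPLE_GET = {
    "status": "success",
    "results": [{"name": "test_group",
                 "member": [{"name": "testday1", "q_origin_key": "testday1"},
                            {"name": "testday2", "q_origin_key": "testday2"}]}],
}

if __name__ == "__main__":
    current = existing_members(SAMPLE_GET)
    # Append one new member from a CSV-style cell; testday2 is already present.
    print(append_members(current, "test1-10.2.10.0-24, testday2"))
```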

fortios_system_admin "403 Forbidden" on PUT and password change problem

The fortios_system_admin does not work correctly on local users, AFTER the user has been created.
Fields like password or trusthost1 can't be set after the user has been created while fields like ip6_trusthost1 can be set.

Setting a "bad" field causes the fortigate to respond with

meta:
    build: 1112
    error: -5
    http_method: POST
    http_status: 500
    name: admin
    path: system
    revision: d9dc8f06fa8927ed36c3c9d16587ee9f
    revision_changed: false
    serial: FGT
    status: error
    vdom: global
    version: v6.2.4

Further, if a password is specified the fortigate issues a 403 Forbidden which leads to
an exception:

      File "/tmp/ansible_fortios_system_admin_payload_8tor90d0/ansible_fortios_system_admin_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py", line 182, in set
      File "/tmp/ansible_fortios_system_admin_payload_8tor90d0/ansible_fortios_system_admin_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py", line 214, in formatresponse
    IndexError: list index out of range

From what I can see the problem does not occur on remote_auth: "enable" users.

First time VPN deployment using Ansible

Hi, I'm trying the simplest way to implement a VPN. I have a playbook named 'test.yml' as below:

- hosts: fortigates
  connection: httpapi
  collections:
  - fortinet.fortios
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure Phase1 Interface
    fortios_vpn_ipsec_phase1_interface:
      vdom:  "{{ vdom }}"
      vpn_ipsec_phase1_interface:
        interface: 'port1'
        name: 'VPN_TEST'
        net_device: 'disable'
        proposal:  'des-md5'
        peertype: 'any'
        wizard_type: 'custom'
        remote_gw: '22.33.44.201'
        psksecret: 'foo-password'
        dhgrp: '2'
        ike_version: '2'
        dpd: 'on-idle'
        dpd_retryinterval: '5'
        comments: 'test vpn ansible'

  - name: Configure Phase2 Interface
    fortios_vpn_ipsec_phase2_interface:
      vdom:  "{{ vdom }}"
      vpn_ipsec_phase2_interface:
        name: 'phase2_test'
        phase1name: 'VPN_TEST'
        proposal: 'des-sha512'
        dhgrp: '2'
        auto_negotiate: 'enable'
        keylife_type: 'seconds'
        keylifeseconds: '28800'
        dst_addr_type: 'subnet'
        dst_subnet: '173.43.165.131 255.255.255.255'
        src_addr_type: 'subnet'
        src_subnet: '10.10.20.80 255.255.255.255'

I am running it against the 'hosts' file as below:

[fortigates]
my_dev_fw ansible_host=192.168.1.10 ansible_user="admin" ansible_password="password"

[fortigates:vars]
ansible_network_os=fortinet.fortios.fortios

and get this error message when running the playbook:
TypeError: 'NoneType' object has no attribute '__getitem__'\n"

Please kindly advise what I am doing wrong.
Thank you in advance.

Issue on setting TACACS Server

On this task of a playbook:

  - name: Configure TACACS Server
    fortinet.fortios.fortios_user_tacacsplus:
      host: '{{ ansible_host }}'
      username: '{{ fgt.user }}'
      password: '{{ ansible_password }}'
      ssl_verify: '{{ fgt.ssl_verify }}'
      https: '{{ fgt.https }}'
      user_tacacsplus:
        name: '{{ item.name }}'
        server: '{{ item.ip }}'
        key: '{{ item.key }}'
    loop: '{{ tacacs }}'

with following var:

tacacs:
  - name: 'TACACS1'
    ip: 'A.B.C.D'
    key: 'TEST'
  - name: 'TACACS2'
    ip: 'A.B.C.E'
    key: 'TEST'

Using this module I receive the following error:

, "module_stderr": "No handlers could be found for logger \"fortiosapi\"\nTraceback (most recent call last):\n File \"/root/.ansible/tmp/ansible-local-29434cU0Yv3/ansible-tmp-1592042001.96-29645-5032706405044/AnsiballZ_fortios_user_tacacsplus.py\", line 102, in <module>\n _ansiballz_main()\n File \"/root/.ansible/tmp/ansible-local-29434cU0Yv3/ansible-tmp-1592042001.96-29645-5032706405044/AnsiballZ_fortios_user_tacacsplus.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/root/.ansible/tmp/ansible-local-29434cU0Yv3/ansible-tmp-1592042001.96-29645-5032706405044/AnsiballZ_fortios_user_tacacsplus.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_user_tacacsplus', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\n fname, loader, pkg_name)\n File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_fortinet.fortios.fortios_user_tacacsplus_payload_gmFvoF/ansible_fortinet.fortios.fortios_user_tacacsplus_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_user_tacacsplus.py\", line 412, in <module>\n File \"/tmp/ansible_fortinet.fortios.fortios_user_tacacsplus_payload_gmFvoF/ansible_fortinet.fortios.fortios_user_tacacsplus_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_user_tacacsplus.py\", line 402, in main\n File \"/tmp/ansible_fortinet.fortios.fortios_user_tacacsplus_payload_gmFvoF/ansible_fortinet.fortios.fortios_user_tacacsplus_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_user_tacacsplus.py\", line 333, in fortios_user\n File 
\"/tmp/ansible_fortinet.fortios.fortios_user_tacacsplus_payload_gmFvoF/ansible_fortinet.fortios.fortios_user_tacacsplus_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_user_tacacsplus.py\", line 324, in is_successful_status\nTypeError: 'NoneType' object has no attribute '__getitem__'\n"

On group_var I have defined:

fgt:
  ssl_verify: False
  https: False
  user: 'xxxxx'

ansible_connection: httpapi
ansible_network_os: fortinet.fortios.fortios

For use with a trial Fortinet API with only http.

Other modules as example 'fortinet.fortios.fortios_log_syslogd_setting' are working properly.

My env is based on:

Ansible: 2.9.9
Python: 2.7.5
Fortinet Ansible Collections: 1.0.9

I have tried to do the configuration manually and it works properly, so it seems to be something in this module.

Regards,

apellini

Cannot Use Collection (ModuleNotFoundError: No module named 'ansible_collections')

Hi folks,

I don't know if this is an issue with this specific Ansible collection, or something we are doing wrong in our playbooks. We started using this a couple months ago, and were able to get it working. I just revisited our playbooks to make some new updates and I am now unable to run the playbook with the collection. I upgraded my computer, so I figured it was something I was doing wrong, but some of my coworkers have run into the same issue and their environments have not changed.

The task that is currently failing is:

- name: fortios vpn system interface
  collections:
  - fortinet.fortios
  fortios_system_interface:
    vdom: "root"
    https: "True"
    ssl_verify: False
    state: "present"
    system_interface:
      interface: "port1"
      role: "dmz"
      device_identification: "enable"
      name: "{{ interface_name }}"
      ip: "{{ vpn_interface_ip }}/32"
      allowaccess: "ping,https,ssh"
      type: "tunnel"
      tcp_mss: 1379
      remote_ip: "{{ vpn_remote_ip }}/32"
      mtu: 1427

(Note: this is with httpapi but originally we were using fortiosapi and both seem to display this issue)

When I run this I end up with an error ModuleNotFoundError: No module named 'ansible_collections'. Here is the -vvv verbose log from Ansible

TASK [fortigate : fortios vpn system interface] *********************************************************************************
task path: /Users/forest.oden/Projects/fortigate-ansible/roles/fortigate/tasks/vpn.yml:36
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: forest.oden
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz `"&& mkdir /Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917 && echo ansible-tmp-1597090901.185857-22913-108739685461917="` echo /Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917 `" ) && sleep 0'
Using module file /Users/forest.oden/.ansible/collections/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_interface.py
<localhost> PUT /Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/tmp9fh773u1 TO /Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/AnsiballZ_fortios_system_interface.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/ /Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/AnsiballZ_fortios_system_interface.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python3 /Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/AnsiballZ_fortios_system_interface.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.7/lib/python3.7/runpy.py", line 128, in _get_module_details
    spec = importlib.util.find_spec(mod_name)
  File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.7/lib/python3.7/importlib/util.py", line 94, in find_spec
    parent = __import__(parent_name, fromlist=['__path__'])
ModuleNotFoundError: No module named 'ansible_collections'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/AnsiballZ_fortios_system_interface.py", line 102, in <module>
    _ansiballz_main()
  File "/Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/AnsiballZ_fortios_system_interface.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/AnsiballZ_fortios_system_interface.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_system_interface', init_globals=None, run_name='__main__', alter_sys=True)
  File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.7/lib/python3.7/runpy.py", line 201, in run_module
    mod_name, mod_spec, code = _get_module_details(mod_name)
  File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.7/lib/python3.7/runpy.py", line 134, in _get_module_details
    raise error(msg.format(mod_name, type(ex).__name__, ex)) from ex
ImportError: Error while finding module specification for 'ansible_collections.fortinet.fortios.plugins.modules.fortios_system_interface' (ModuleNotFoundError: No module named 'ansible_collections')
fatal: [localhost]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.7/lib/python3.7/runpy.py\", line 128, in _get_module_details\n    spec = importlib.util.find_spec(mod_name)\n  File \"/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.7/lib/python3.7/importlib/util.py\", line 94, in find_spec\n    parent = __import__(parent_name, fromlist=['__path__'])\nModuleNotFoundError: No module named 'ansible_collections'\n\nThe above exception was the direct cause of the following exception:\n\nTraceback (most recent call last):\n  File \"/Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/AnsiballZ_fortios_system_interface.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/AnsiballZ_fortios_system_interface.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/Users/forest.oden/.ansible/tmp/ansible-local-22732exgb55cz/ansible-tmp-1597090901.185857-22913-108739685461917/AnsiballZ_fortios_system_interface.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_system_interface', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.7/lib/python3.7/runpy.py\", line 201, in run_module\n    mod_name, mod_spec, code = _get_module_details(mod_name)\n  File \"/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.7/lib/python3.7/runpy.py\", line 134, in _get_module_details\n    raise error(msg.format(mod_name, type(ex).__name__, ex)) from ex\nImportError: Error while finding module specification for 
'ansible_collections.fortinet.fortios.plugins.modules.fortios_system_interface' (ModuleNotFoundError: No module named 'ansible_collections')\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

I've tried all kinds of combinations of Python and the fortios collection with no success. What's very frustrating is that Ansible seems to know about this module, based on the line

Using module file /Users/forest.oden/.ansible/collections/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_interface.py

I've opened this file, it exists and is seemingly correct.

I'm pretty stumped by this, so hoping somebody can point me in the right direction.

Module vpn_ssl_settings: Attribute source_address and source_interface doesn't work

Hello,

I want to set up the attributes source_address and source_interface. I defined them before. After the run of the playbook the settings are left. This is my code example:

vpn_ssl_settings:
  authentication_rule:
    - groups:
        - name: "..."
      portal: "full-access"
      source_address:
        - name: "all"
      source_interface:
        - name: "SSL_VPN"

Maybe I understand something wrong. I am not sure whether name is the list or not. If so, please improve the example code.

fortios_vpn_ipsec_phase1_interface and phase2 proposal artificially limited

Hello,

Trying to create VPN access with the module the proposal field is badly limited by the Ansible module (not the API).

The default when using the wizard, for example, is "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"; the module only accepts lower encryption des-XXX and only one proposal.

This prevents properly configuring the VPN as expected and supported by the API.

Please allow any string and let the API handle the accepted values.

fortios_facts only exposes system facts

Hello,
I would like to add policies and VIPs to my firewall but for that I need to be able to gather facts about the network configuration.

However fortios_facts only exposes system facts. Is that expected?

Unsupported parameters for (fortios_firewall_policy) module: inspection_mode found in firewall_policy

Hi,

I've got the following error:

TASK [fos_core : config firewall policy]
************************************************************************
fatal: [fg_core]: FAILED! => {"changed": false, "msg": "Unsupported
parameters for (fortios_firewall_policy) module: inspection_mode found
in firewall_policy. Supported parameters include: action, app_category,
app_group, application, application_list, auth_cert, auth_path,
auth_redirect_addr, av_profile, block_notification,
captive_portal_exempt, capture_packet, comments, custom_log_fields,
delay_tcp_npu_session, devices, diffserv_forward, diffserv_reverse,
diffservcode_forward, diffservcode_rev, disclaimer, dlp_sensor,
dnsfilter_profile, dscp_match, dscp_negate, dscp_value, dsri, dstaddr,
dstaddr_negate, dstintf, firewall_session_dirty, fixedport, fsso,
fsso_agent_for_ntlm, global_label, groups, icap_profile,
identity_based_route, inbound, internet_service,
internet_service_custom, internet_service_id, internet_service_negate,
internet_service_src, internet_service_src_custom,
internet_service_src_id, internet_service_src_negate, ippool,
ips_sensor, label, learning_mode, logtraffic, logtraffic_start,
match_vip, name, nat, natinbound, natip, natoutbound, ntlm,
ntlm_enabled_browsers, ntlm_guest, outbound, per_ip_shaper,
permit_any_host, permit_stun_host, policyid, poolname, profile_group,
profile_protocol_options, profile_type, radius_mac_auth_bypass,
redirect_url, replacemsg_override_group, rsso, rtp_addr, rtp_nat,
scan_botnet_connections, schedule, schedule_timeout, send_deny_packet,
service, service_negate, session_ttl, spamfilter_profile, srcaddr,
srcaddr_negate, srcintf, ssh_filter_profile, ssl_mirror,
ssl_mirror_intf, ssl_ssh_profile, state, status, tcp_mss_receiver,
tcp_mss_sender, tcp_session_without_syn, timeout_send_rst,
traffic_shaper, traffic_shaper_reverse, url_category, users, utm_status,
uuid, vlan_cos_fwd, vlan_cos_rev, vlan_filter, voip_profile, vpntunnel,
waf_profile, wanopt, wanopt_detection, wanopt_passive_opt, wanopt_peer,
wanopt_profile, wccp, webcache, webcache_https, webfilter_profile,
wsso"}

I investigated this module: fortios_firewall_policy.py but I was not able to discover the root cause.

The parameter exists on fields and option_list so it must be some validation before that step (but that's just my guess).

If I comment that parameter the play works fine.

Environment:

  • FOS 6.2.4 b1112
root@9cec4923cc62:/ansible# ansible --version
ansible 2.9.11
  config file = /ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.7.5 (default, Apr 19 2020, 20:18:17) [GCC 9.2.1 20191008]

I create this environment with a Dockerfile:

FROM ubuntu:19.10

RUN set -x && \
    \
    echo "==> Installing python3 and dependencies..."  && \
    apt update && \
    apt install python3-pip --yes && \
    \
    echo "==> Installing Ansible..."  && \
    pip3 install wheel setuptools && \
    pip3 install pywinrm && \
    pip3 install ansible && \
    \
    echo "==> Installing Ansible collections..."  && \
    echo "==> specific for FortiOS 6.2..."  && \
    ansible-galaxy collection install fortinet.fortios:1.0.10

WORKDIR /ansible

And this is the task (I'm building a role so this is only the task file):

# tasks/config_firewall_policy.yml
---
- name: config firewall policy
  fortios_firewall_policy:
    state: present
    vdom: root
    firewall_policy:
      policyid: 100
      name: INET
      srcintf: 
        - name: port3
      dstintf: 
        - name: WAN_Zone
      srcaddr: 
        - name: all
      dstaddr: 
        - name: all
      service: 
        - name: ALL
      action: accept
      schedule: always
      nat: enable
      ssl_ssh_profile: certificate-inspection
      inspection_mode: flow
      # http_policy_redirect: 'enable'

Note that the same error occurs with the parameter http_policy_redirect.

vpn_ipsec_phase1_interface does not accept listed proposal values

I have a role I've created in order to configure some VPNs and in testing the role I was met with the following error:

fatal: [hostname]: FAILED! => {"changed": false, "msg": "value of proposal must be one of: des-md5, des-sha256, des-sha384, des-sha512, got : aes256-sha1 found in vpn_ipsec_phase1_interface"}

From what I see in the documentation I should definitely be able to use this proposal. Even going through the associated .py file lists aes256-sha1 as an accepted proposal on the list.

This behavior is seen across both the 1.0.11 and 1.0.13 versions.

I have confirmed that the playbook below works outside of the role when called from a static single playbook, but when called from a role I am met with the error above.

Below is the playbook that I'm having issues with:

---
- name: configure phase1 ipsec vpn (primary)
  fortios_vpn_ipsec_phase1_interface:
    vdom: "{{ vdom }}"
    state: "present"
    vpn_ipsec_phase1_interface:
      name: "phase1interface"
      comments: "Phase 1 VPN Interface "
      interface: "wan"
      type: "ddns"
      remotegw_ddns: "vpnhostname"
      nattraversal: "forced"
      ike_version: "2"
      peertype: "any"
      net_device: "disable"
      proposal: "aes256-sha1"
      dhgrp: "21"
      psksecret: "Testpassword"

- name: configure phase2 ipsec vpn (primary) user
  fortios_vpn_ipsec_phase2_interface:
    vdom: "{{ vdom }}"
    state: "present"
    vpn_ipsec_phase2_interface:
      name: "phase2name"
      comments: "Attached phase2 interface"
      phase1name: "phase1interface"
      proposal: "aes256-sha1"
      auto_negotiate: "enable"
      dhgrp: "20"
      src_addr_type: "name"
      dst_addr_type: "name"
      src_name: "lan"
      dst_name: "remotelan"
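Both this issue and the "proposal artificially limited" issue above describe the same validation problem: a FortiOS proposal is a space-separated list of encryption-hash pairs, but a whole-string check against a list of single values rejects every multi-value proposal and, when the list is short, valid single values too. The following is an added example, not code from the fortinet.fortios collection: it puts that whole-string check beside a per-token check. The two choice lists are constructed from the values quoted in these two issues (the four des-* values from the error message and the wizard default) and are not the collection's real tables.

```python
"""Added example, not code from the fortinet.fortios collection.

FortiOS phase1/phase2 'proposal' is a space-separated list of
encryption-hash pairs (e.g. "aes128-sha256 aes256-sha256"). A validator
that compares the whole string against a list of single choices rejects
every multi-value proposal and, with a short choices list, valid single
values as well. The choice lists below are constructed from the values
quoted in the issues; they are not the collection's real tables.
"""

# Constructed for the example: the four values the error message lists.
MODULE_CHOICES = ["des-md5", "des-sha256", "des-sha384", "des-sha512"]

# Constructed for the example: the wizard default added to the list above.
API_CHOICES = MODULE_CHOICES + [
    "aes128-sha1", "aes128-sha256", "aes256-sha1", "aes256-sha256",
]


def validate_single_choice(value, choices):
    """Whole-string check, the behaviour the reporters describe."""
    if value not in choices:
        raise ValueError("value of proposal must be one of: %s, got: %s"
                         % (", ".join(choices), value))
    return value


def validate_proposal(value, choices):
    """Split on whitespace, check each token, return the normalised list.

    Duplicate tokens are dropped (order preserved) so the device receives
    a clean list; an empty proposal is rejected explicitly."""
    tokens = []
    for token in value.split():
        if token not in tokens:
            tokens.append(token)
    if not tokens:
        raise ValueError("proposal must contain at least one cipher-hash pair")
    unknown = [t for t in tokens if t not in choices]
    if unknown:
        raise ValueError("unsupported proposal value(s): %s" % ", ".join(unknown))
    return tokens


def legacy_pairs(tokens):
    """Return the entries that use DES encryption or MD5 hashing, so a
    playbook review can flag them before they reach the device."""
    return [t for t in tokens if t.startswith("des-") or t.endswith("-md5")]


def is_rejected(validator, value, choices):
    """True when the validator raises ValueError for `value`."""
    try:
        validator(value, choices)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    wizard_default = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"
    # The whole-string check refuses the wizard default even with the full list.
    print(is_rejected(validate_single_choice, wizard_default, API_CHOICES))  # True
    print(validate_proposal(wizard_default, API_CHOICES))
    print(legacy_pairs(validate_proposal("des-md5 aes256-sha256", API_CHOICES)))
```

The per-token form is what a module needs when the device accepts a list; `legacy_pairs` is a review aid for playbooks that still carry DES or MD5 entries.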

Issue with running playbook

I'm running a very simple playbook


- hosts: localhost
  collections:
    - fortinet.fortios
  vars:
    host: " {{ vfw_host }} "
    username: " {{ vfw_user }}"
    password: " {{ vfw_password }} "
    vdom: "root"
    ssl_verify: "False"
  tasks:
    - name: Configure global attributes.
      fortios_system_global:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        ssl_verify: "{{ ssl_verify }}"
        system_global:
          admintimeout: "23"
          hostname: "FortiGate02"

But I get the error below:

TASK [Configure global attributes.] ******************************************************************************************
task path: /home/razik/vnf-fortigate-vfw/vnf-fortigate-vfw/VNFCs/fortigate_vfw/lifecycle/TestFortinet.yml:12
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: razik
<127.0.0.1> EXEC /bin/sh -c 'echo ~razik && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978" && echo ansible-tmp-1589016465.73833-94108597426978="echo /home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978" ) && sleep 0'
Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/network/fortios/fortios_system_global.py
<127.0.0.1> PUT /home/razik/.ansible/tmp/ansible-local-3049690bc0egz/tmpvl_qeisx TO /home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/AnsiballZ_fortios_system_global.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/ /home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/AnsiballZ_fortios_system_global.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/AnsiballZ_fortios_system_global.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
File "/home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/AnsiballZ_fortios_system_global.py", line 102, in
_ansiballz_main()
File "/home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/AnsiballZ_fortios_system_global.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/AnsiballZ_fortios_system_global.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible.modules.network.fortios.fortios_system_global', init_globals=None, run_name='main', alter_sys=True)
File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
mod_name, mod_spec, pkg_name, script_name)
File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/tmp/ansible_fortios_system_global_payload_jx3n4gzy/ansible_fortios_system_global_payload.zip/ansible/modules/network/fortios/fortios_system_global.py", line 1994, in
File "/tmp/ansible_fortios_system_global_payload_jx3n4gzy/ansible_fortios_system_global_payload.zip/ansible/modules/network/fortios/fortios_system_global.py", line 1983, in main
File "/tmp/ansible_fortios_system_global_payload_jx3n4gzy/ansible_fortios_system_global_payload.zip/ansible/modules/network/fortios/fortios_system_global.py", line 1502, in login
File "/usr/local/lib/python3.6/site-packages/fortiosapi/fortiosapi.py", line 170, in login
data='username=' + urllib.parse.quote(username) + '&secretkey=' + urllib.parse.quote(password) + "&ajax=1", timeout=self.timeout)
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 581, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 668, in send
history = [resp for resp in gen] if allow_redirects else []
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 668, in
history = [resp for resp in gen] if allow_redirects else []
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 247, in resolve_redirects
**adapter_kwargs
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 416, in send
self.cert_verify(conn, request.url, verify, cert)
File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 228, in cert_verify
"invalid path: {}".format(cert_loc))
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: ssl_verify

fatal: [localhost]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File "/home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/AnsiballZ_fortios_system_global.py", line 102, in \n _ansiballz_main()\n File "/home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/AnsiballZ_fortios_system_global.py", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/home/razik/.ansible/tmp/ansible-tmp-1589016465.73833-94108597426978/AnsiballZ_fortios_system_global.py", line 40, in invoke_module\n runpy.run_module(mod_name='ansible.modules.network.fortios.fortios_system_global', init_globals=None, run_name='main', alter_sys=True)\n File "/usr/lib64/python3.6/runpy.py", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code\n exec(code, run_globals)\n File "/tmp/ansible_fortios_system_global_payload_jx3n4gzy/ansible_fortios_system_global_payload.zip/ansible/modules/network/fortios/fortios_system_global.py", line 1994, in \n File "/tmp/ansible_fortios_system_global_payload_jx3n4gzy/ansible_fortios_system_global_payload.zip/ansible/modules/network/fortios/fortios_system_global.py", line 1983, in main\n File "/tmp/ansible_fortios_system_global_payload_jx3n4gzy/ansible_fortios_system_global_payload.zip/ansible/modules/network/fortios/fortios_system_global.py", line 1502, in login\n File "/usr/local/lib/python3.6/site-packages/fortiosapi/fortiosapi.py", line 170, in login\n data='username=' + urllib.parse.quote(username) + '&secretkey=' + urllib.parse.quote(password) + "&ajax=1", timeout=self.timeout)\n File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 581, in post\n return self.request('POST', url, data=data, json=json, **kwargs)\n File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", 
line 533, in request\n resp = self.send(prep, **send_kwargs)\n File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 668, in send\n history = [resp for resp in gen] if allow_redirects else []\n File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 668, in \n history = [resp for resp in gen] if allow_redirects else []\n File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 247, in resolve_redirects\n **adapter_kwargs\n File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 646, in send\n r = adapter.send(request, **kwargs)\n File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 416, in send\n self.cert_verify(conn, request.url, verify, cert)\n File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 228, in cert_verify\n "invalid path: {}".format(cert_loc))\nOSError: Could not find a suitable TLS CA certificate bundle, invalid path: ssl_verify\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}

PLAY RECAP *******************************************************************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
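The traceback above ends inside requests' `cert_verify`, which treats any string given as `verify` as the path of a CA bundle; the literal text "ssl_verify" reached that layer unconverted and there is no such file. The following is an added example, not code from the collection or from the reporter: a helper that turns a playbook-style value into one of the three forms requests accepts (True, False, or an existing bundle path) and reports when verification has been switched off. The accepted true/false words and the temporary bundle file are assumptions of the example.

```python
"""Added example, not code from the fortinet.fortios collection.

`requests` interprets its `verify` argument as True (verify against the
default CA bundle), False (no verification) or a string path to a CA
bundle. Any other string is treated as a bundle path and fails with
"Could not find a suitable TLS CA certificate bundle". This helper
normalises a playbook value before it is used, and flags the case where
verification ends up disabled.
"""
import os
import tempfile

# Assumed spellings for boolean settings in YAML/vars; not from the collection.
TRUE_WORDS = {"true", "yes", "on", "1"}
FALSE_WORDS = {"false", "no", "off", "0"}


def coerce_verify(value):
    """Return True, False or the path of an existing CA bundle file.

    Raises for any other input instead of letting it reach the client as
    a bogus path. Unset (None) means verification stays on."""
    if isinstance(value, bool):
        return value
    if value is None:
        return True
    if isinstance(value, int):
        return bool(value)
    if isinstance(value, str):
        text = value.strip()
        word = text.lower()
        if word in TRUE_WORDS:
            return True
        if word in FALSE_WORDS:
            return False
        if os.path.isfile(text):
            return text
        raise ValueError("ssl_verify must be a boolean or the path of an "
                         "existing CA bundle, got %r" % value)
    raise TypeError("ssl_verify has unsupported type %s" % type(value).__name__)


def verify_setting(value):
    """Return (verify, warning): the coerced value plus a warning string
    when verification is disabled, or None when it is on."""
    verify = coerce_verify(value)
    if verify is False:
        return verify, ("TLS certificate verification disabled: the device is "
                        "not authenticated, so credentials may be sent to an "
                        "impostor")
    return verify, None


def verify_error(value):
    """Return the error message for a rejected value, or None if accepted."""
    try:
        coerce_verify(value)
    except (ValueError, TypeError) as exc:
        return str(exc)
    return None


def bundle_path_roundtrip():
    """Create a temporary (empty) bundle file and check its path is kept."""
    with tempfile.NamedTemporaryFile(suffix=".pem") as bundle:
        return coerce_verify(bundle.name) == bundle.name


if __name__ == "__main__":
    for raw in ["False", "True", "yes", "ssl_verify", None]:
        print(repr(raw), "->", verify_error(raw) or verify_setting(raw))
```

Passing the literal "ssl_verify" through `verify_error` gives the message instead of the OSError; passing "False" gives a usable boolean together with the warning that verification is off.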

Lacking ability to unset attributes in some modules

I have this example in system_global of wanting to remove an attribute from all devices. However state: absent is not available. Is there any workaround to unset attributes? Or is it an upstream lack of support for unset from Fortios API?

- name: System global attributes.
  fortios_system_global:
    host: "{{ fg_adminhurl }}"
    username: "{{ ansible_ssh_user }}"
    password: "{{ ansible_ssh_pass }}"
    vdom: "{{ fg_vdom }}"
    https: "{{ fg_https }}"
    ssl_verify: "{{ fg_sslverf }}"
    state: absent
    system_global:
      remoteauthtimeout:

Inclusion of fortinet.fortios in Ansible 2.10

This collection will be included in Ansible 2.10 because it contains modules and/or plugins that were included in Ansible 2.9. Please review:

DEADLINE: 2020-08-18

The latest version of the collection available on August 18 will be included in Ansible 2.10.0, except possibly newer versions which differ only in the patch level. (For details, see the roadmap). Please release version 1.0.0 of your collection by this date! If 1.0.0 does not exist, the same 0.x.y version will be used in all of Ansible 2.10 without updates, and your 1.x.y release will not be included until Ansible 2.11 (unless you request an exception at a community working group meeting and go through a demanding manual process to vouch for backwards compatibility . . . you want to avoid this!).

Follow semantic versioning rules

Your collection versioning must follow all semver rules. This means:

  • Patch level releases can only contain bugfixes;
  • Minor releases can contain new features, new modules and plugins, and bugfixes, but must not break backwards compatibility;
  • Major releases can break backwards compatibility.

Changelogs and Porting Guide

Your collection should provide data for the Ansible 2.10 changelog and porting guide. The changelog and porting guide are automatically generated from ansible-base, and from the changelogs of the included collections. All changes from the breaking_changes, major_changes, removed_features and deprecated_features sections will appear in both the changelog and the porting guide. You have two options for providing changelog fragments to include:

  1. If possible, use the antsibull-changelog tool, which uses the same changelog fragment as the ansible/ansible repository (see the documentation).
  2. If you cannot use antsibull-changelog, you can provide the changelog in a machine-readable format as changelogs/changelog.yaml inside your collection (see the documentation of changelogs/changelog.yaml format).

If you cannot contribute to the integrated Ansible changelog using one of these methods, please provide a link to your collection's changelog by creating an issue in https://github.com/ansible-community/ansible-build-data/. If you do not provide changelogs/changelog.yml or a link, users will not be able to find out what changed in your collection from the Ansible changelog and porting guide.

Make sure your collection passes the sanity tests

Run ansible-test sanity --docker -v in the collection with the latest ansible-base or stable-2.10 ansible/ansible checkout.

Keep informed

Be sure you're subscribed to:

Questions and Feedback

If you have questions or want to provide feedback, please see the Feedback section in the collection requirements.

(Internal link to keep track of issues: ansible-collections/overview#102)

Ansible playbook not working with groups

Hi,
When I use the "mylab-fw-dev1" as host, the vpn deployment playbook works like a charm.
As soon as I change the host to the group name "dev" (that only has "mylab-fw-dev1" as a member),

[alistair@dev-pc]$ ansible -i inventory --list-hosts dev
hosts (1):
mylab-fw-dev1

Then the same playbook that was running flawlessly errors out.

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: requests.exceptions.ConnectionError: HTTPSConnectionPool(host='dev', port=443): Max retries exceeded with url: /logincheck (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f283164e630>: Failed to establish a new connection: [Errno -2] Name or service not known',))
Please advise.
Thank you,

Connect to Fortigate via API access token

According to the FortiOS REST API reference, the session-based authentication to the API is flagged as "legacy". However, the Ansible modules still use this authentication method.

I wonder, if you will implement the token-based authentication in Ansible.

fortios_user_group fails to add an LDAP group -- CLI err -56

Trying to add a user group to match an LDAP group, and it is failing.

Task:

- name: Add Group
  fortios_user_group:
    vdom: "root"
    state: "present"
    user_group:
      name: "{{ fw_ldap_group_name }}"
      group_type: "firewall"
      member: 
       - name: "{{ fw_ldap_server_name }}"
      match:
       - server_name: "{{ fw_ldap_server_name }}"
         group_name: "{{ ldapadmin_group }}"
         id: 1

CLI Debug while task was running:

0: config vdom
0: edit root
0: config user group
0: edit "<group name>"
0: set member "<member>" 
0: end
0: end
0: config vdom
0: edit root
0: config user group
0: edit "<group name>"
0: config match
0: edit 1
-56: end

httpsd debug:

[httpsd 6521 - 1599853964     info] cmdb_save_with_children[269] -- appended main node (nret=0, is_new=0)
[httpsd 6521 - 1599853964     info] cmdb_save_with_children[269] -- appended main node (nret=-56, is_new=1)
[httpsd 6521 - 1599853964    error] cmdb_save_with_children[275] -- saving failed for main node: 'match' (err=-56)
[httpsd 6521 - 1599853964    error] cmdb_commit_from_json[1335] -- error saving request object to CLI (-56)
[httpsd 6521 - 1599853964    error] _api_cmdb_v2_config[1023] -- error editing object (nret=-56)
[httpsd 6521 - 1599853964    error] api_return_http_result[567] -- API error -56 raised

(cut for brevity)

[httpsd 6521 - 1599853964     info] handle_cli_req_v2_vdom[1804] -- new CMDB API request (vdom='root',user=<user>)
[httpsd 6521 - 1599853964     info] api_cmdb_request_init_by_path[1197] -- new CMDB query (path='user',name='group')
[httpsd 6521 - 1599853964     info] api_return_cmdb_revision[699] -- ETag check for user.group
[httpsd 6521 - 1599853964     info] _api_cmdb_v2_config[1009] -- editing CLI object (append=1, auto_key=0, path=user, name=group, mkey=(null), flags=0)
[httpsd 6521 - 1599853964    error] cmdb_commit_from_json[1291] -- object already exists (mkey='<group_name>')
[httpsd 6521 - 1599853964    error] _api_cmdb_v2_config[1023] -- error editing object (nret=-5)
[httpsd 6521 - 1599853964    error] api_return_http_result[567] -- API error -5 raised
[httpsd 6521 - 1599853964     info] ap_invoke_handler[606] -- request completed (handler='api_cmdb_v2-handler' result==0)
[httpsd 6134 - 1599853964     info] ap_invoke_handler[583] -- new request (handler='logout-handler', uri='/logout', method='POST')
[httpsd 6134 - 1599853964     info] ap_invoke_handler[587] -- User-Agent: Python-urllib/3.6
[httpsd 6134 - 1599853964     info] ap_invoke_handler[590] -- Source: <myip>:<port> Destination: <fw_ip:port>
[httpsd 6134 - 1599853964     info] ap_invoke_handler[606] -- request completed (handler='logout-handler' result==0)

I've attempted on FortiOS 5.6.7 and 6.0.7, both encounter the same issue. Attempted both with Galaxy Modules 1.0.9, 1.0.13, and 1.0.15. It appears that it comes down to the "end" being sent on an empty config match group.

Repeating these same commands in CLI gives the following:

cmd_clean_context 1, abort=0
Attribute 'server-name' MUST be set.
Command fail. Return code -56

FortiOS modules not working in Ansible 2.9 - JSONDecodeError

Hi,

I've tried to run a sample playbook in Ansible (2.9.10, Python 3.6.8) and I'm getting a weird JSON error (see below). Even when I try to run with Python 2.7, I'm getting a similar JSON error.

Sample playbook:

- name: Playbook for FortiGate 600D 
  connection: httpapi
  collections:
   - fortinet.fortios
  hosts: all
  gather_facts: no
  any_errors_fatal: true

  vars:
   vdom: "trust"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
   ansible_network_os: fortios
   ansible_python_interpreter: "/usr/bin/python"


  tasks:

   - name: Configure devices.
     fortios_user_device:
      vdom:  "{{ vdom }}"
      state: "present"
      user_device:
        category: "none"
        alias: "myuser"
        comment: "Comment."
        mac: "00:01:04:03:ab:c3:32"
        type: "android-phone"
        user: "test"

Full-trace error log:

attempting to start connection
using connection plugin httpapi
local domain socket does not exist, starting it
control socket path is /home/bparvu/.ansible/pc/9817f5f339
local domain socket listeners started successfully
loaded API plugin fortios from path /usr/local/lib/python3.6/site-packages/ansible/plugins/httpapi/fortios.py for network_os fortios

local domain socket path is /home/bparvu/.ansible/pc/9817f5f339
Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/network/fortios/fortios_user_device.py
Pipelining is enabled.
ESTABLISH LOCAL CONNECTION FOR USER: bparvu
EXEC /bin/sh -c '/usr/bin/python && sleep 0'
The full traceback is:
Traceback (most recent call last):
File "", line 102, in
File "", line 94, in _ansiballz_main
File "", line 40, in invoke_module
File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
mod_name, mod_spec, pkg_name, script_name)
File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/modules/network/fortios/fortios_user_device.py", line 433, in
File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/modules/network/fortios/fortios_user_device.py", line 411, in main
File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/modules/network/fortios/fortios_user_device.py", line 346, in fortios_user
File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/modules/network/fortios/fortios_user_device.py", line 329, in user_device
File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/module_utils/network/fortios/fortios.py", line 163, in set
File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/module_utils/network/fortios/fortios.py", line 136, in get_mkey
File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/module_utils/network/fortios/fortios.py", line 127, in get_mkeyname
File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/module_utils/network/fortios/fortios.py", line 124, in schema
File "/usr/lib64/python3.6/json/init.py", line 354, in loads
return _default_decoder.decode(s)
File "/usr/lib64/python3.6/json/decoder.py", line 339, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib64/python3.6/json/decoder.py", line 357, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
fatal: [test-fortigate]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File "", line 102, in \n File "", line 94, in _ansiballz_main\n File "", line 40, in invoke_module\n File "/usr/lib64/python3.6/runpy.py", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code\n exec(code, run_globals)\n File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/modules/network/fortios/fortios_user_device.py", line 433, in \n File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/modules/network/fortios/fortios_user_device.py", line 411, in main\n File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/modules/network/fortios/fortios_user_device.py", line 346, in fortios_user\n File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/modules/network/fortios/fortios_user_device.py", line 329, in user_device\n File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/module_utils/network/fortios/fortios.py", line 163, in set\n File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/module_utils/network/fortios/fortios.py", line 136, in get_mkey\n File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/module_utils/network/fortios/fortios.py", line 127, in get_mkeyname\n File "/tmp/ansible_fortios_user_device_payload_8o8g_2xp/ansible_fortios_user_device_payload.zip/ansible/module_utils/network/fortios/fortios.py", line 124, in schema\n File "/usr/lib64/python3.6/json/init.py", line 354, in loads\n return _default_decoder.decode(s)\n File 
"/usr/lib64/python3.6/json/decoder.py", line 339, in decode\n obj, end = self.raw_decode(s, idx=_w(s, 0).end())\n File "/usr/lib64/python3.6/json/decoder.py", line 357, in raw_decode\n raise JSONDecodeError("Expecting value", s, err.value) from None\njson.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}

NO MORE HOSTS LEFT ***************************************************************************************************************************************************************************************************************************

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************
test-fortigate : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

Sample inventory:

[FortiGate]
test-fortigate
[FortiGate:vars]
ansible_network_os=fortinet.fortios.fortios
ansible_user=****
ansible_password=****

ansible 2.9.10
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/bparvu/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.6.8 (default, Nov 27 2019, 14:21:59) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39.0.1)]

Does anyone have any clue of what I'm doing wrong here? Thanks!
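The traceback above ends in `json.loads` raising "Expecting value: line 1 column 1 (char 0)", which means the body handed to the parser did not begin with a JSON value at all: it was empty, or it was something else such as an HTML page returned in place of the schema. The following is an added example, not code from the collection: a parse step that returns a diagnostic naming what actually came back instead of a bare decode error. All sample bodies, including the `mkey` schema fragment, are constructed for the example.

```python
"""Added example, not code from the fortinet.fortios collection.

"Expecting value: line 1 column 1 (char 0)" from json.loads means the
text did not start with a JSON value: an empty body, an HTML page, or
other non-JSON text. parse_api_json() reports which of these it saw so
the real cause (empty reply, login page, wrong endpoint) is visible.
"""
import json


def parse_api_json(body, status=200, content_type="application/json"):
    """Return (data, None) when `body` is JSON, else (None, diagnostic)."""
    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    text = body.strip()
    if not text:
        return None, "empty body (HTTP %d, content-type %s)" % (status, content_type)
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        lowered = text[:64].lower()
        if lowered.startswith(("<!doctype", "<html")):
            kind = "HTML document (possibly a login or error page)"
        elif lowered.startswith("<"):
            kind = "XML or other markup"
        else:
            kind = "non-JSON text"
        return None, ("%s: %s at line %d column %d (HTTP %d, content-type %s); "
                      "body starts with %r"
                      % (kind, exc.msg, exc.lineno, exc.colno, status,
                         content_type, text[:40]))


# Constructed sample responses for the example: body, HTTP status, content-type.
SAMPLE_RESPONSES = {
    "schema": ('{"results": {"mkey": "alias", "mkey_type": "string"}}',
               200, "application/json"),
    "empty": ("", 200, "application/json"),
    "login_page": ("<!DOCTYPE html><html><body>Please log in</body></html>",
                   200, "text/html"),
}


def diagnose(name):
    """Run parse_api_json over one of the constructed samples."""
    body, status, ctype = SAMPLE_RESPONSES[name]
    return parse_api_json(body, status, ctype)


if __name__ == "__main__":
    for name in SAMPLE_RESPONSES:
        data, problem = diagnose(name)
        print(name, "->", data if problem is None else problem)
```

With the "login_page" sample the diagnostic names an HTML document, which is the usual sign that the session was not authenticated when the schema was fetched.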

Hello, I am using fortios_system_admin, but some keys don't work.... And some questions too :(

Hi,
Hello, very nice work.... this will be a powerful tool.

My first question is: after I have added an admin user, like admin2 with the super_admin profile, I cannot change any item of this user? Like the password, or change the description...
In my tests, I can only add and remove a user. Is modifying users not supported?

My second issue today :D
How do I add an ssh_public_key1? Every time, I get this error below:

"meta": {
    "build": 1723,
    "error": -651,
    "http_method": "POST",
    "http_status": 500,
    "name": "admin",
    "path": "system",
    "revision": "76b9c9ae90a50ed6ff965f2e432dcc62",
    "revision_changed": false,
    "serial": "xxxxxxxxxxx",
    "status": "error",
    "vdom": "root",
    "version": "v6.4.2"
},
"msg": "Error in repo"

And my playbook is very simple:

tasks:
  - name: Configure admin users.
    fortios_system_admin:
      vdom: "{{ vdom }}"
      state: "present"
      system_admin:
        accprofile: "super_admin"
        accprofile_override: "enable"
        allow_remove_admin_session: "enable"
        comments: "Usuario ADMIN"
        force_password_change: "disable"
        guest_auth: "disable"
        name: "fgt_cloud_admin2"
        password: "<senha_maluca>"
        peer_auth: "disable"
        two_factor: "disable"
        ssh_public_key1: "ssh-rsa ..."

I am waiting for some help; is there a forum/reddit where I can ask these questions?

Bye, and have a nice day

Error when configuring source_interface in fortios_vpn_ssl_settings

Tested in 6.2.2 and 6.4.2
Modules 1.0.10 and 1.0.11 respectively

The following configuration is successful when the 'source_interface' section is commented out.
'source_address' works correctly.

Configuration of the task:
Note: "wan1" is the name of the interface in the output of the command "get system interface"

  tasks:
  - name: Configure SSL VPN.
    fortios_vpn_ssl_settings:
      vdom:  "root"
      vpn_ssl_settings:
        port: "10443"
        servercert: "Fortinet_Factory"
        source_address:
         -
            name: "all"
        source_interface:
         -
            name: "wan1"

Result (-vvv):
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
<10.0.30.172> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.0.30.172> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /root/.ansible/tmp/ansible-local-8434rxe29f3m"&& mkdir "echo /root/.ansible/tmp/ansible-local-8434rxe29f3m/ansible-tmp-1601942472.4291465-8498-206427601679184" && echo ansible-tmp-1601942472.4291465-8498-206427601679184="echo /root/.ansible/tmp/ansible-local-8434rxe29f3m/ansible-tmp-1601942472.4291465-8498-206427601679184" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/fortinet/fortios/plugins/modules/fortios_vpn_ssl_settings.py
<10.0.30.172> PUT /root/.ansible/tmp/ansible-local-8434rxe29f3m/tmp99vc_652 TO /root/.ansible/tmp/ansible-local-8434rxe29f3m/ansible-tmp-1601942472.4291465-8498-206427601679184/AnsiballZ_fortios_vpn_ssl_settings.py
<10.0.30.172> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-8434rxe29f3m/ansible-tmp-1601942472.4291465-8498-206427601679184/ /root/.ansible/tmp/ansible-local-8434rxe29f3m/ansible-tmp-1601942472.4291465-8498-206427601679184/AnsiballZ_fortios_vpn_ssl_settings.py && sleep 0'
<10.0.30.172> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-local-8434rxe29f3m/ansible-tmp-1601942472.4291465-8498-206427601679184/AnsiballZ_fortios_vpn_ssl_settings.py && sleep 0'
<10.0.30.172> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-8434rxe29f3m/ansible-tmp-1601942472.4291465-8498-206427601679184/ > /dev/null 2>&1 && sleep 0'
fatal: [test-fgt]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"host": null,
"https": true,
"password": "",
"ssl_verify": true,
"username": null,
"vdom": "root",
"vpn_ssl_settings": {
"algorithm": null,
"auth_session_check_source_ip": null,
"auth_timeout": null,
"authentication_rule": null,
"auto_tunnel_static_route": null,
"banned_cipher": null,
"check_referer": null,
"default_portal": null,
"deflate_compression_level": null,
"deflate_min_data_size": null,
"dns_server1": null,
"dns_server2": null,
"dns_suffix": null,
"dtls_hello_timeout": null,
"dtls_max_proto_ver": null,
"dtls_min_proto_ver": null,
"dtls_tunnel": null,
"encode_2f_sequence": null,
"encrypt_and_store_password": null,
"force_two_factor_auth": null,
"header_x_forwarded_for": null,
"hsts_include_subdomains": null,
"http_compression": null,
"http_only_cookie": null,
"http_request_body_timeout": null,
"http_request_header_timeout": null,
"https_redirect": null,
"idle_timeout": null,
"ipv6_dns_server1": null,
"ipv6_dns_server2": null,
"ipv6_wins_server1": null,
"ipv6_wins_server2": null,
"login_attempt_limit": null,
"login_block_time": null,
"login_timeout": null,
"port": 10443,
"port_precedence": null,
"reqclientcert": null,
"route_source_interface": null,
"servercert": "Fortinet_Factory",
"source_address": [
{
"name": "all"
}
],
"source_address6": null,
"source_address6_negate": null,
"source_address_negate": null,
"source_interface": [
{
"name": "wan1"
}
],
"ssl_client_renegotiation": null,
"ssl_insert_empty_fragment": null,
"ssl_max_proto_ver": null,
"ssl_min_proto_ver": null,
"tlsv1_0": null,
"tlsv1_1": null,
"tlsv1_2": null,
"tlsv1_3": null,
"transform_backward_slashes": null,
"tunnel_connect_without_reauth": null,
"tunnel_ip_pools": null,
"tunnel_ipv6_pools": null,
"tunnel_user_session_timeout": null,
"unsafe_legacy_renegotiation": null,
"url_obscuration": null,
"user_peer": null,
"wins_server1": null,
"wins_server2": null,
"x_content_type_options": null
}
}
},
"meta": {
"build": 1723,
"http_method": "POST",
"http_status": 405,
"name": "settings",
"path": "vpn.ssl",
"serial": "[REDACTED]",
"status": "error",
"vdom": "root",
"version": "v6.4.2"
},
"msg": "Error in repo"
}

Unable to specify multiple days in fortios_firewall_schedule_recurring module

SUMMARY

I cannot use multiple days in the fortios_firewall_schedule_recurring module as the documentation says.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • fortios_firewall_schedule_recurring
ANSIBLE VERSION
ansible 2.9.9
  config file = /tmp/cib/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.3 (default, May 15 2020, 01:53:50) [GCC 9.3.0]
CONFIGURATION
COLLECTIONS_PATHS(/tmp/cib/ansible.cfg) = ['/tmp/cib']
DEFAULT_ROLES_PATH(/tmp/cib/ansible.cfg) = ['/tmp/cib/roles']
GALAXY_SERVER_LIST(/tmp/cib/ansible.cfg) = ['awb_galaxy']
OS / ENVIRONMENT
  • molecule docker image : quay.io/ansible/molecule:3.0.8
STEPS TO REPRODUCE
fortios_firewall_schedule_recurring:
  host:  "{{ provider.server }}"
  username: "{{ provider.user }}"
  password: "{{ provider.password }}"
  vdom:  "{{ provider.vdom }}"
  https: "{{ provider.https }}"
  ssl_verify: "{{ provider.ssl_verify }}"
  state: "present"
  firewall_schedule_recurring:
    name: "always-TODELETE"
    day: "monday tuesday wednesday thursday friday saturday sunday"
    start: "00:00"
    end: ""
EXPECTED RESULTS

Create schedule with multiple dates

ACTUAL RESULTS
 "msg": "value of day must be one of: sunday, monday, tuesday, wednesday, thursday, friday, saturday, none, got: ['monday', 'tuesday'] found in firewall_schedule_recurring"

fortios_router_route-map not passing 'match_ip_address'

This behavior was observed in fortios 6.2.5 with modules 1.0.10. Please let me know if this may have been resolved in a later release.

These match_ip_address statements correlate to the prefix-lists mentioned in a previous issue.

When executing the task, the "match-ip-address" value is not entered/passed as blank.

Example Vars:

route_map:
  - name: "PEER_IN"
    vdom: "data_vdom"
    rule: 
      - id: "1"
        action: "permit"
        match_ip_address: "EXTERNAL_NETS"
        state: "present"        
  - name: "PEER_OUT"
    vdom: "data_vdom"
    rule:
      - id: "1"
        action: "permit"
        match_ip_address: "LOCAL_NETS"
        state: "present"

Example Task:

- name: Configure Route Maps
  fortios_router_route_map:
    vdom: "{{ item[0].vdom }}"
    state: "{{ item[1].state }}"
    router_route_map:
      name: "{{ item[0].name }}"
      rule: 
        - id: "{{ item[1].id }}"
          action: "{{ item[1].action }}"
          match_ip_address: "{{ item[1].match_ip_address }}"
  with_subelements:
    - "{{ route_map }}"
    -  rule
  when: route_map is defined

ansible-playbook -vvvv (notice that in module_args, "match-ip-address" is hyphenated, but in item, "match_ip_address" is underscored. Not sure if this is expected):

ok: [demo_firewall] => (item=[{'name': 'PEER_IN', 'vdom': 'data_vdom'}, {'id': '1', 'action': 'permit', 'match_ip_address': 'EXTERNAL_NETS', 'state': 'present'}]) => changed=false 
  ansible_loop_var: item
  invocation:
    module_args:
      host: null
      https: true
      password: ''
      router_route_map:
        comments: null
        name: PEER_IN
        rule:
        - action: permit
          id: '1'
          match-ip-address: EXTERNAL_NETS
      ssl_verify: true
      state: present
      username: null
      vdom: data_vdom
  item:
  - name: PEER_IN
    vdom: data_vdom
  - action: permit
    id: '1'
    match_ip_address: EXTERNAL_NETS
    state: present
  meta:
    build: 1142
    http_method: PUT
    http_status: 200
    mkey: PEER_IN
    name: route-map
    path: router
    revision: e71cbf92a97143f6ca7518f6994166d9
    revision_changed: false
    serial: FG101FBLAHBLAHBL
    status: success
    vdom: data_vdom
    version: v6.2.5
......
ok: [demo_firewall] => (item=[{'name': 'PEER_OUT', 'vdom': 'data_vdom'}, {'id': '1', 'action': 'permit', 'match_ip_address': 'LOCAL_NETS', 'state': 'present'}]) => changed=false 
  ansible_loop_var: item
  invocation:
    module_args:
      host: null
      https: true
      password: ''
      router_route_map:
        comments: null
        name: PEER_OUT
        rule:
        - action: permit
          id: '1'
          match-ip-address: LOCAL_NETS
      ssl_verify: true
      state: present
      username: null
      vdom: data_vdom
  item:
  - name: PEER_OUT
    vdom: data_vdom
  - action: permit
    id: '1'
    match_ip_address: LOCAL_NETS
    state: present
  meta:
    build: 1142
    http_method: PUT
    http_status: 200
    mkey: PEER_OUT
    name: route-map
    path: router
    revision: e71cbf92a97143f6ca7518f6994166d9
    revision_changed: false
    serial: FG101FBLAHBLAHBL
    status: success
    vdom: data_vdom
    version: v6.2.5

Fortigate diag debug cli 8:

0: config vdom
0: edit data_vdom
0: config router route-map
0: edit "PEER_IN"
0: end
0: end
0: config vdom
0: edit data_vdom
0: config router route-map
0: edit "PEER_IN"
0: config rule
0: edit 1
0: set match-ip-address ''
0: unset match-metric
0: unset match-tag
0: unset set-local-preference
0: unset set-metric
0: unset set-tag
0: unset set-weight
0: unset set-route-tag
0: end
0: end
0: end
0: config vdom
0: edit data_vdom
0: config router route-map
0: edit "PEER_OUT"
0: end
0: end
0: config vdom
0: edit data_vdom
0: config router route-map
0: edit "PEER_OUT"
0: config rule
0: edit 1
0: set match-ip-address ''
0: unset match-metric
0: unset match-tag
0: unset set-local-preference
0: unset set-metric
0: unset set-tag
0: unset set-weight
0: unset set-route-tag
0: end
0: end
0: end

Fortigate finish state:

config router route-map
    edit "PEER_IN"
        config rule
            edit 1
            next
        end
    next
    edit "PEER_OUT"
        config rule
            edit 1
            next
        end
    next
end

Fortigate desired state:

config router route-map
    edit "PEER_IN"
        config rule
            edit 1
                set match-ip-address "EXTERNAL_NETS"
            next
        end
    next
    edit "PEER_OUT"
        config rule
            edit 1
                set match-ip-address "LOCAL_NETS"
            next
        end
    next
end

fortios_system_ntp crashes when trying to configure a new FortiGate device

Bug Report

SUMMARY

When I try to apply the playbook to a new device, I get the error "Error in repo".

STEPS TO REPRODUCE
ansible 2.9.6
  config file = /home/deznak/PycharmProjects/Ansible/fortios/ansible.cfg
  configured module search path = ['/home/deznak/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.2 (default, Jul 16 2020, 14:00:26) [GCC 9.3.0]

set_ntp_global_playbook.yml

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: no
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 80
  tasks:
  - name: Configure system NTP information.
    fortios_system_ntp:
      vdom:  "{{ vdom }}"
      system_ntp:
        ntpserver:
         -
            id: "0"
            server: "NTP1"
         -
            id: "1"
            server: "NTP2"
        ntpsync: "enable"
        type: "custom"

inventory/hosts

[fortigates]
some_ip_address

[fortigates:vars]
ansible_network_os=fortinet.fortios.fortios
ansible_user="my_username"
ansible_password="my_pass"

ansible command:

ansible-playbook forti_playbook/set_ntp_global.yml -i inventory/hosts --limit some_ip_address

EXPECTED RESULTS
fortigate_100d # show system ntp
    set ntpsync enable
    set type custom
    config ntpserver
        edit 1
            set server "NTP1"
        next
        edit 2 
            set server "NTP2"
        next
    end
end
ACTUAL RESULTS

I enabled debug on my fortigate 100d with the following commands:
diagnose debug enable
diagnose debug cli 8

When the playbook is turned on, the fortios_system_ntp module does the following until it receives an error:

fortigate_100d # config system ntp
0: set ntpsync enable
0: set type custom
-651: end

It seems to me there is an error in the logic of the fortios_system_ntp module. Since no NTP server was specified, but the module still tries to complete the configuration with the "end" command, the FortiGate does not apply the settings and returns error 651.

IMPORTANT! This bug is relevant only for devices on which NTP servers have never been configured. If you configure the ntp server at least once, fortios will remember it and no error will occur.

Example for configuring NTP; it is the same on different FortiOS versions:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD40266
https://kb.fortinet.com/kb/documentLink.do?externalID=FD46280

PLAY [fortigates] 
[DEPRECATION WARNING]: Distribution Ubuntu 20.04 on host ip_address should use /usr/bin/python3, but is using /usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to using the discovered 
platform python for this host. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. This feature will be removed in version 2.12. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
fatal: [ip_address]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "meta": {"build": 1064, "http_method": "PUT", "http_status": 424, "name": "ntp", "path": "system", "serial": "FG100D5D1880****", "status": "error", "vdom": "root", "version": "v5.4.1"}, "msg": "Error in repo"}



fortios_router_bgp unable to add new neighbor

It appears this Ansible module is doing a PUT, which works to update BGP parameters except the neighbors, which must be added with a POST. That doesn't currently work, and you have to revert to a curl inside a playbook to make it work.

Example of a working POST to accomplish this.

curl -X POST "https://myfirewall.com:443/api/v2/cmdb/router/bgp/neighbor?vdom=test&access_token=apikeygoeshere" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d '{ "ip": "9.9.9.9", "remote-as": "65000" }'

Failure to do a POST to add a neighbor will delete existing entries and you will never be able to add more than a single neighbor.

Configuring a system zone returns an error when trying to attach it to an interface.

I am trying to configure a security zone and attach it to an existing interface. I can create the security zone on its own successfully. When I try to attach the security zone to an existing and available interface, I get "Error in repo". From the GUI I can successfully configure the zone and attach it to the interface.

      - name: CONFIG | Configure security zone.
        fortios_system_zone:
          host: "{{ inventory_hostname }}"
          username: "{{ username }}"
          password: "{{ password }}"
          vdom:  "BLUE"
          state: "{{ state }}"
          ssl_verify: "{{ ssl_verify }}"
          system_zone:
            interface:
              - interface_name: "b_t666_vl1666"
            name: "z_blue_t666"

return:

TASK [CONFIG | Configure security zone.] ***************************************
fatal: [fw1a_prd_r3b15_ams7.nee.tmcs]: FAILED! => {
    "changed": false,
    "meta": {
        "build": 1637,
        "error": -5,
        "http_method": "POST",
        "http_status": 500,
        "name": "zone",
        "path": "system",
        "revision": "e47aa13fdc1bc94ad77fbbf3a6ed9bea",
        "revision_changed": false,
        "serial": "FGT31D3Z15800162",
        "status": "error",
        "vdom": "BLUE",
        "version": "v6.4.1"
    }
}

MSG:

Error in repo


How to check if user is present in a user group on Fortigate ?

Hi !

I need to create a playbook that will check if a particular user is a member of a user group.
I didn't find any module in the FortiOS Ansible collection that can achieve this (like a search or find module).
Is the only option to retrieve the config using the fortios_system_config_backup_restore module and then search in the plain-text config file?
Or is there a smarter way to achieve it using other modules?

By the way thanks a lot to Fortinet dev team for all amazing modules that have already been created ;) !!!

Have a good day !

Adrien

Running Ansible playbook against unlicensed fortigate instance

We are using Ansible to create a FortiGate instance in OpenStack, and we want to run configuration on the FortiGate instance. The instance is unlicensed during creation, and we are still working on a mechanism to apply the license through the CLI if possible.

Meanwhile we are trying to apply configuration on the unlicensed version. However, it's not working. Even setting the host name under system global is failing.
It works fine after the license is applied.
Is there a way to run the playbook on an unlicensed instance?

Detecting change behaviour inconsistent

Hi,

So I am just using the example in the readme fw_global_set.yml

When I run this example multiple times, the output from Ansible shows changed=0; this is expected, as multiple runs should not result in anything changing.

However, if I move the tasks into a role and then run the playbook, Ansible always says the task changed the host. In my case I have two tasks defined, and so changed=2.

Why does moving the tasks into a role change ansible's behaviour?

fortios_router_prefix_list treats each rule as exclusive

This was encountered on FortiOS 6.2.5 using modules 1.0.10. Please let me know if this may have been fixed in a different release.

When looping over fortios_router_prefix_list, or when running the play multiple times against different lists, only the last rule entered gets stored. Any other rules that existed, or were added by previous plays, or previous invocations of the loop, get deleted.

This behavior was observed per prefix-list. If more than one prefix-list was stated, but they contained more than one rule, the last rule/invocation in each prefix-list would remain and the others would be deleted.

Example task:

- name: Configure Prefix Lists
  fortios_router_prefix_list:
    vdom: "{{ item[0].vdom }}"
    state: "{{ item[1].state }}"
    router_prefix_list:
      name: "{{ item[0].name }}"
      rule:
        - action: "{{ item[1].action }}"
          ge: "{{ item[1].ge }}"
          le: "{{ item[1].le }}"
          prefix: "{{ item[1].prefix }}"
          id: "{{ item[1].id }}"
  with_subelements: 
    - "{{ prefix_list }}"
    - rule
  when: prefix_list is defined

Example Vars:

prefix_list: 
  - name: "LOCAL_NETS"
    vdom: "data_vdom"
    rule: 
      - id: "1"
        action: "permit"
        prefix: "10.10.10.0/24"
        ge: ""
        le: ""
        state: "present"
      - id: "2"
        action: "permit"
        prefix: "10.10.255.10/32"
        ge: ""
        le: ""
        state: "present"        
  - name: "EXTERNAL_NETS"
    vdom: "data_vdom"
    rule:
      - id: "1"
        action: "permit"
        prefix: "0.0.0.0/0"
        ge: ""
        le: "" 
        state: "present"               

Diag debug CLI loop 1 (this play had run previously and I hadn't cleaned up before running it again):

0: config vdom
0: edit data_vdom
0: config router prefix-list
0: edit "LOCAL_NETS"
0: end
0: end
0: config vdom
0: edit data_vdom
0: config router prefix-list
0: edit "LOCAL_NETS"
0: config rule
0: delete 2
0: end
0: end
0: end
0: config vdom
0: edit data_vdom
0: config router prefix-list
0: edit "LOCAL_NETS"
0: config rule
0: edit 1
0: unset prefix
0: set prefix 10.10.10.0 255.255.255.0
0: unset ge
0: unset le
0: end
0: end
0: end

Loop 2:

0: config vdom
0: edit data_vdom
0: config router prefix-list
0: edit "LOCAL_NETS"
0: end
0: end
0: config vdom
0: edit data_vdom
0: config router prefix-list
0: edit "LOCAL_NETS"
0: config rule
0: delete 1
0: end
0: end
0: end
0: config vdom
0: edit data_vdom
0: config router prefix-list
0: edit "LOCAL_NETS"
0: config rule
0: edit 2
0: unset prefix
0: set prefix 10.10.255.10 255.255.255.255
0: unset ge
0: unset le
0: end
0: end
0: end

Loop 3:

0: config vdom
0: edit data_vdom
0: config router prefix-list
0: edit "EXTERNAL_NETS"
0: end
0: end
0: config vdom
0: edit data_vdom
0: config router prefix-list
0: edit "EXTERNAL_NETS"
0: config rule
0: edit 1
0: unset prefix
0: set prefix 0.0.0.0 0.0.0.0
0: unset ge
0: unset le
0: end
0: end
0: end

Finish state:

config router prefix-list
    edit "LOCAL_NETS"
        config rule
            edit 2
                set prefix 10.10.255.10 255.255.255.255
                unset ge
                unset le
            next
        end
    next
    edit "EXTERNAL_NETS"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

Desired state:

config router prefix-list
    edit "LOCAL_NETS"
        config rule
            edit 2
                set prefix 10.10.255.10 255.255.255.255
                unset ge
                unset le
            next
            edit 1
                set prefix 10.10.10.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "EXTERNAL_NETS"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

I had also run this task multiple times with different var sets and with_item but had the same results.

prefix_list01: 
  - name: "LOCAL_NETS"
    vdom: "data_vdom"
    id: "1"
    action: "permit"
    prefix: "10.10.10.0/24"
    ge: ""
    le: ""
    state: "present"
    
prefix_list02:
  - name: "LOCAL_NETS"
    vdom: "data_vdom"
    id: "2"
    action: "permit"
    prefix: "10.10.255.10/32"
    ge: ""
    le: ""
    state: "present"        

- name: Configure Prefix Lists
  fortios_router_prefix_list:
    vdom: "{{ item.vdom }}"
    state: "{{ item.state }}"
    router_prefix_list:
      name: "{{ item.name }}"
      rule:
        - action: "{{ item.action }}"
          ge: "{{ item.ge }}"
          le: "{{ item.le }}"
          prefix: "{{ item.prefix }}"
          id: "{{ item.id }}"
  with_items: 
    - "{{ prefix_list01 }}"
  when: prefix_list01 is defined

- name: Configure Prefix Lists
  fortios_router_prefix_list:
    vdom: "{{ item.vdom }}"
    state: "{{ item.state }}"
    router_prefix_list:
      name: "{{ item.name }}"
      rule:
        - action: "{{ item.action }}"
          ge: "{{ item.ge }}"
          le: "{{ item.le }}"
          prefix: "{{ item.prefix }}"
          id: "{{ item.id }}"
  with_items: 
    - "{{ prefix_list02 }}"
  when: prefix_list02 is defined
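The failure described above is a last-write-wins pattern: every loop iteration submits the prefix-list with a one-rule `rule` table. The following is an added example, not code from the fortios collection or from the issue author, that models that behaviour and shows the batched alternative (one call per prefix-list carrying all of its rules). It assumes, as the `delete 2` / `edit 1` debug sequence suggests, that each module call replaces the whole rule table of the named list.

```python
"""Added example: why a per-rule loop over fortios_router_prefix_list keeps
only the last rule, and how batching all rules per list avoids it.

Modelling assumption (not verified against the collection's source): each
module call PUTs the complete prefix-list object, so the submitted `rule`
table replaces whatever the device already held for that list.
"""
import ipaddress

# Constructed vars in the same shape as the issue's `prefix_list` variable.
PREFIX_LIST_VARS = [
    {"name": "LOCAL_NETS", "vdom": "data_vdom", "state": "present", "rule": [
        {"id": "1", "action": "permit", "prefix": "10.10.10.0/24", "ge": "", "le": ""},
        {"id": "2", "action": "permit", "prefix": "10.10.255.10/32", "ge": "", "le": ""},
    ]},
    {"name": "EXTERNAL_NETS", "vdom": "data_vdom", "state": "present", "rule": [
        {"id": "1", "action": "permit", "prefix": "0.0.0.0/0", "ge": "", "le": ""},
    ]},
]


def cidr_to_fortios(prefix):
    """Render '10.10.10.0/24' as the 'address netmask' form the CLI prints."""
    net = ipaddress.ip_network(prefix, strict=False)
    return "%s %s" % (net.network_address, net.netmask)


def render_rule(rule):
    """Build the rule entry as the device stores it (ge/le unset when empty)."""
    entry = {"action": rule["action"], "prefix": cidr_to_fortios(rule["prefix"])}
    for key in ("ge", "le"):
        if rule.get(key, "") != "":
            entry[key] = int(rule[key])
    return entry


class FakeCmdb:
    """Minimal stand-in for the device's router.prefix-list table."""

    def __init__(self):
        self.lists = {}

    def put(self, name, rules):
        # Full-object PUT: the submitted rule table replaces the stored one
        # (the modelling assumption stated in the module docstring).
        self.lists[name] = {r["id"]: render_rule(r) for r in rules}


def module_args(prefix_list):
    """Hypothetical per-list task arguments: all rules in one call, so a
    `loop: "{{ prefix_list }}"` can replace `with_subelements`."""
    return {
        "vdom": prefix_list["vdom"],
        "state": prefix_list["state"],
        "router_prefix_list": {
            "name": prefix_list["name"],
            "rule": [
                {k: r[k] for k in ("id", "action", "prefix", "ge", "le")}
                for r in prefix_list["rule"]
            ],
        },
    }


def apply_per_rule(cmdb, prefix_lists):
    """What `with_subelements: [prefix_list, rule]` does: one call per rule,
    so each call wipes the rules the previous iteration added."""
    for pl in prefix_lists:
        for rule in pl["rule"]:
            cmdb.put(pl["name"], [rule])


def apply_batched(cmdb, prefix_lists):
    """Send every rule of a prefix-list in a single call instead."""
    for pl in prefix_lists:
        args = module_args(pl)
        cmdb.put(args["router_prefix_list"]["name"], args["router_prefix_list"]["rule"])


if __name__ == "__main__":
    looped, batched = FakeCmdb(), FakeCmdb()
    apply_per_rule(looped, PREFIX_LIST_VARS)
    apply_batched(batched, PREFIX_LIST_VARS)
    print("per-rule loop keeps:", sorted(looped.lists["LOCAL_NETS"]))
    print("batched call keeps:", sorted(batched.lists["LOCAL_NETS"]))
```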

Changing firewall policy order

Hello,

I'm very sorry in advance if this is the wrong place to raise this. I cannot seem to find a method of managing the firewall policy order with these ansible modules. Am I overlooking something or is this a feature not yet supported?

My googling only leads me to see this was available via the 40ansible modules (fortinet-solutions-cse/ansible_fgt_modules#21), however, those modules are now archived and I presume these are the official vendor-provided ones to use moving forward?

Thanks,

Miles

Unable to Disable Certificate Check

I am attempting to connect to my Fortigate device to gather facts with the playbook below. We are using the automation hub collections from Fortinet for the modules as well as for ansible_network_os: fortinet.fortios.fortios. However we keep getting the following error when attempting to reach our device.
Additional configuration variables:
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 444
ansible_network_os: fortinet.fortios.fortios

{
"module_stdout": "",
"module_stderr": "/var/lib/awx/venv/ansible/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n InsecureRequestWarning)\n/var/lib/awx/venv/ansible/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n InsecureRequestWarning)\n/var/lib/awx/venv/ansible/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n InsecureRequestWarning)\nin formatresponse res.content does not exist, should not occur\nTraceback (most recent call last):\n File "/var/lib/awx/.ansible/tmp/ansible-local-2mz2oszqh/ansible-tmp-1592227468.6901195-160250334423800/AnsiballZ_fortios_facts.py", line 102, in \n _ansiballz_main()\n File "/var/lib/awx/.ansible/tmp/ansible-local-2mz2oszqh/ansible-tmp-1592227468.6901195-160250334423800/AnsiballZ_fortios_facts.py", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/var/lib/awx/.ansible/tmp/ansible-local-2mz2oszqh/ansible-tmp-1592227468.6901195-160250334423800/AnsiballZ_fortios_facts.py", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_facts', init_globals=None, run_name='main', alter_sys=True)\n File "/usr/lib64/python3.6/runpy.py", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File 
"/usr/lib64/python3.6/runpy.py", line 85, in _run_code\n exec(code, run_globals)\n File "/tmp/ansible_fortinet.fortios.fortios_facts_payload_f4w2dvsx/ansible_fortinet.fortios.fortios_facts_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_facts.py", line 282, in \n File "/tmp/ansible_fortinet.fortios.fortios_facts_payload_f4w2dvsx/ansible_fortinet.fortios.fortios_facts_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_facts.py", line 278, in main\n File "/tmp/ansible_fortinet.fortios.fortios_facts_payload_f4w2dvsx/ansible_fortinet.fortios.fortios_facts_payload.zip/ansible/module_utils/basic.py", line 2072, in exit_json\n File "/tmp/ansible_fortinet.fortios.fortios_facts_payload_f4w2dvsx/ansible_fortinet.fortios.fortios_facts_payload.zip/ansible/module_utils/basic.py", line 2065, in _return_formatted\n File "/tmp/ansible_fortinet.fortios.fortios_facts_payload_f4w2dvsx/ansible_fortinet.fortios.fortios_facts_payload.zip/ansible/module_utils/basic.py", line 418, in remove_values\n File "/tmp/ansible_fortinet.fortios.fortios_facts_payload_f4w2dvsx/ansible_fortinet.fortios.fortios_facts_payload.zip/ansible/module_utils/basic.py", line 401, in _remove_values_conditions\nTypeError: Value of unknown type: <class 'requests.models.Response'>, <Response [404]>\n",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1,
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"_ansible_no_log": false,
"changed": false
}

Versions:

  • Ansible Tower 3.6.2
  • Ansible Engine 2.9.1
---
- name: Fortigate connection test
  hosts: Fortigate
  gather_facts: no
  connection: httpapi
  vars:
      ansible_httpapi_password: "{{ ansible_password }}"
      ansible_httpapi_user: "{{ ansible_user }}"
      ansible_httpapi_validate_certs: no
  tasks:
  - name: gather basic system status facts
    fortinet.fortios.fortios_facts:
      host:  "{{ ansible_host }}:444"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      vdom:  "root"
      ssl_verify: false
      gather_subset:
        - fact: 'system_status_select'


fortios_system_interface - interface type emac-vlan is not supported

Hello,

Trying to add an interface with the type emac-vlan throws a fatal error on the task.

[...]
      system_interface:
        name: "port2.2999-{{ vdom }}"
        type: emac-vlan
        vdom: "{{ vdom }}"
        role: lan
        ip: "{{ mgmt_ip }}/23"
        interface: "port2.2999"
        alias: "mgmt-{{ vdom }}"
        allowaccess: ping

fatal: [localhost]: FAILED! => {"changed": false, "msg": "value of type must be one of: physical, vlan, aggregate, redundant, tunnel, vdom-link, loopback, switch, hard-switch, vap-switch, wl-mesh, fext-wan, vxlan, hdlc, switch-vlan, got: emac-vlan found in system_interface"}

As far as I can see in the module documentation, this interface type is not supported right now.

Will this feature be implemented in the Ansible module soon?
Thank you !

fortios_facts - ConnectionError: addinfourl instance has no attribute 'getheaders'

Hi,

I am receiving the following error when trying a very basic fortios_facts task:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: addinfourl instance has no attribute 'getheaders'
fatal: [fortigate.rnd.lan]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/home/export/gpipito/.ansible/tmp/ansible-local-27824BDPNMT/ansible-tmp-1600871047.37-27854-102669729770921/AnsiballZ_fortios_facts.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/home/export/gpipito/.ansible/tmp/ansible-local-27824BDPNMT/ansible-tmp-1600871047.37-27854-102669729770921/AnsiballZ_fortios_facts.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/export/gpipito/.ansible/tmp/ansible-local-27824BDPNMT/ansible-tmp-1600871047.37-27854-102669729770921/AnsiballZ_fortios_facts.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_facts', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\n    fname, loader, pkg_name)\n  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\n    mod_name, mod_fname, mod_loader, pkg_name)\n  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\n    exec code in run_globals\n  File \"/tmp/ansible_fortios_facts_payload_DhkCoW/ansible_fortios_facts_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_facts.py\", line 282, in <module>\n  File \"/tmp/ansible_fortios_facts_payload_DhkCoW/ansible_fortios_facts_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_facts.py\", line 253, in main\n  File \"/tmp/ansible_fortios_facts_payload_DhkCoW/ansible_fortios_facts_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/facts/facts.py\", line 90, in get_facts\n  File \"/tmp/ansible_fortios_facts_payload_DhkCoW/ansible_fortios_facts_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/facts/facts.py\", line 81, in 
get_network_legacy_facts\n  File \"/tmp/ansible_fortios_facts_payload_DhkCoW/ansible_fortios_facts_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/facts/system/system.py\", line 40, in populate_facts\n  File \"/tmp/ansible_fortios_facts_payload_DhkCoW/ansible_fortios_facts_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/facts/system/system.py\", line 49, in system_fact\n  File \"/tmp/ansible_fortios_facts_payload_DhkCoW/ansible_fortios_facts_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py\", line 166, in monitor\n  File \"/tmp/ansible_fortios_facts_payload_DhkCoW/ansible_fortios_facts_payload.zip/ansible/module_utils/connection.py\", line 185, in __rpc__\nansible.module_utils.connection.ConnectionError: addinfourl instance has no attribute 'getheaders'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

here is my playbook:

- name: PLAY 1 - fortinet.fortios test
  hosts: fortinet
  collections:
    - fortinet.fortios
  connection: httpapi
  gather_facts: no

  tasks:
  - name: Include all vars files
    include_vars:
      file: ../group_vars/all.yml
  - name: Include fortinet vars files
    include_vars:
      file: ../group_vars/fortinet.yml
      
  - name: Get Fortios device information
    fortios_facts:
      gather_subset:
        - fact: system_status_select
    register: result

  - name: Print Fortios facts
    debug:
      msg: "{{ result }}"

and my included fortinet vars:

ansible_network_os: fortinet.fortios.fortios
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 11443
ansible_user: admin
ansible_password: *********
vdom: root

fortios_firewall_address: unable to add a name containing '/'

Trying to add an address object whose name includes a slash '/' character, e.g. 'FOO/BAR',
raises "Error in repo" in Ansible and "API error 400 raised" on the FortiGate.

api debug:

[httpsd 9937 - 1588700016     info] cmdb_generate_schema[1037] -- generating schema for firewall.address
[httpsd 9937 - 1588700016     info] handle_cli_req_v2_vdom[1965] -- returning to original vdom "root"
[httpsd 9937 - 1588700016     info] ap_invoke_handler[616] -- request completed (handler='api_cmdb_v2-handler' result==0)
[httpsd 9937 - 1588700016     info] ap_invoke_handler[593] -- new request (handler='api_cmdb_v2-handler', uri='/api/v2/cmdb/firewall/address/FOO/BAR?vdom=<VD>', method='PUT')
[httpsd 9937 - 1588700016     info] ap_invoke_handler[597] -- User-Agent: python-requests/2.22.0
[httpsd 9937 - 1588700016     info] ap_invoke_handler[600] -- Source: x.x.x.x:49496 Destination: y.y.y.y:443
[httpsd 9937 - 1588700016     info] api_cmdb_v2_handler[2055] -- received api_cmdb_v2_request from 'x.x.x.x'
[httpsd 9937 - 1588700016     info] aps_init_process_vdom[1195] -- initialized process vdom to 'root' (cookie='(null)')
[httpsd 9937 - 1588700016     info] api_store_parameter[227] -- add API parameter 'vdom': '"<VD>"' (type=string)
[httpsd 9937 - 1588700016     info] api_store_parameter[227] -- add API parameter 'subnet': '"1.1.1.1 255.255.255.255"' (type=string)
[httpsd 9937 - 1588700016     info] api_store_parameter[227] -- add API parameter 'type': '"ipmask"' (type=string)
[httpsd 9937 - 1588700016     info] api_store_parameter[227] -- add API parameter 'name': '"FOO\/BAR"' (type=string)
[httpsd 9937 - 1588700016     info] handle_cli_req_v2_vdom[1954] -- attempting to change from vdom "root" to vdom "<VD>"
[httpsd 9937 - 1588700016     info] handle_cli_req_v2_vdom[1957] -- new CMDB API request (vdom='<VD>',user='admin')
[httpsd 9937 - 1588700016     info] api_cmdb_request_init_by_path[1360] -- new CMDB query (path='firewall',name='address')
[httpsd 9937 - 1588700016     info] api_cmdb_request_init_by_path[1389] -- querying CMDB entry (mkey='FOO')
[httpsd 9937 - 1588700016     info] api_cmdb_request_init_by_path[1393] -- unable to find 'FOO' in table 'firewall.address'
[httpsd 9937 - 1588700016     info] api_cmdb_request_init[1488] -- new CMDB child query for 'firewall.address:BAR'
[httpsd 9937 - 1588700016    error] api_cmdb_request_init[1494] -- unable to create child query
[httpsd 9937 - 1588700016    error] api_return_http_result[631] -- API error 400 raised
[httpsd 9937 - 1588700016     info] handle_cli_req_v2_vdom[1965] -- returning to original vdom "root"
$ansible --vers
ansible 2.9.6
$ pip freeze | grep fortios
fortiosapi==1.0.1

Thanks in advance.
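The debug log above shows why the request fails: the mkey 'FOO/BAR' is concatenated raw into the URI, so the CMDB handler reads 'FOO' as the entry and 'BAR' as a child query. The JSON body is fine (the name arrives as "FOO\/BAR"); only the path segment is ambiguous. The following is an added illustration, not code from the collection or from fortiosapi, that builds the object URL with the mkey percent-encoded so it stays a single segment, beside the naive join seen in the log. The helper names (cmdb_object_path, naive_object_path, path_segments) are hypothetical, and path_segments is only a model of how a generic URL router splits a path, not FortiOS's own parser; that FortiOS accepts a percent-encoded mkey is an assumption not confirmed by this page.

```python
from typing import List, Optional
from urllib.parse import quote, unquote, urlencode, urlparse

# Fixed prefix of the FortiOS configuration API, as seen in the debug log above.
API_PREFIX = "/api/v2/cmdb"


def naive_object_path(path: str, name: str, mkey: str, vdom: Optional[str] = None) -> str:
    """Join the pieces without encoding; reproduces the URI from the log.

    A '/' inside mkey becomes an extra path segment, which is what turns
    'FOO/BAR' into entry 'FOO' plus child query 'BAR' on the server side.
    """
    url = f"{API_PREFIX}/{path}/{name}/{mkey}"
    if vdom:
        url += "?" + urlencode({"vdom": vdom})
    return url


def cmdb_object_path(path: str, name: str, mkey: str, vdom: Optional[str] = None) -> str:
    """Build the per-object URL with every segment percent-encoded.

    quote(..., safe="") encodes '/' as '%2F' (and other reserved characters
    likewise), so user-controlled identifiers can never change the structure
    of the path. Assumption: the server decodes '%2F' back into the mkey.
    """
    segments = (quote(path, safe=""), quote(name, safe=""), quote(mkey, safe=""))
    url = f"{API_PREFIX}/" + "/".join(segments)
    if vdom:
        url += "?" + urlencode({"vdom": vdom})
    return url


def path_segments(url: str) -> List[str]:
    """Model of how a path router sees the request: split on raw '/', then
    decode each segment. Returns the segments after the API prefix.

    Illustrative only; this is not FortiOS's parser.
    """
    raw = [s for s in urlparse(url).path.split("/") if s]
    # Drop 'api', 'v2', 'cmdb'.
    return [unquote(s) for s in raw[3:]]


if __name__ == "__main__":
    # Constructed sample matching the object name from the issue.
    for builder in (naive_object_path, cmdb_object_path):
        url = builder("firewall", "address", "FOO/BAR", "root")
        print(f"{builder.__name__:18} {url}")
        print(f"{'':18} router sees segments: {path_segments(url)}")
```

Running it shows the naive URL splitting into four segments ('firewall', 'address', 'FOO', 'BAR'), matching the "unable to find 'FOO'" and "child query for 'firewall.address:BAR'" lines in the log, while the encoded URL keeps 'FOO/BAR' as one mkey. The same rule applies to any identifier placed in a URL path, since an unencoded separator in user data is a path-confusion bug as well as a functional one.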
