Comments (5)
Thanks @markodjukic for the issue.
Yes, this is because the module fortios_system_global is for configuring global attributes, which have no primary object key in FortiGate. That's why it was designed not to have state: present/absent (note: state can update/create or delete an object).
We will keep this issue open until we find a fix/workaround for it.
from ansible-galaxy-fortios-collection.
I've found two workarounds...
- Looks like the settings in system-global will disappear from the Fortigate config if they are set to the default. So a little clunky, but just ensuring that settings are set to the defaults will make them "unset".
- The other workaround is to use the expect module and go with raw SSH + CLI commands. Really nasty and horrible, but given that there's no network_cli support in Ansible for FortiOS, this is a last-resort workaround.
Feel free to close it. I now get the intent of the fortiosapi and why you're limited on your side.
- Looks like the settings in system-global will disappear from the Fortigate config if they are set to the default. So a little clunky, but just ensuring that settings are set to the defaults will make them "unset".
thanks for the workarounds.
Sorry, let's reopen; it's more dangerous than I thought. We cannot work around it in some scenarios, and some are really not obvious, which then risks taking out the whole device/network over something really trivial.
Take the example below: if there's no dns_source_ip mandated for the DNS servers, then omit it. Seems simple enough, except that if there was already a source IP and that conflicts with a new DNS server setting, it will break a bunch of things, including web filtering for users. Omitting won't unset what's already there.
```yaml
- name: Configuring DNS
  fortios_system_dns:
    host: "{{ fg_adminhurl }}"
    username: "{{ ansible_ssh_user }}"
    password: "{{ ansible_ssh_pass }}"
    vdom: "{{ fg_vdom }}"
    https: "{{ fg_https }}"
    ssl_verify: "{{ fg_sslverf }}"
    system_dns:
      primary: "{{ dns_primary }}"
      secondary: "{{ dns_secondary }}"
      # omit leaves any source_ip already configured on the device untouched
      source_ip: "{{ dns_source_ip | default(omit) }}"
      domain:
        - domain: "{{ domain_internal }}"
      retry: "5"
      timeout: "3"
```
And the workaround is not obvious, not documented anywhere explicitly, and needs the source IP to be set to "0.0.0.0" to unset the old source_ip. The only clue we found about what to use was buried here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD43725
```yaml
- name: Configuring DNS
  fortios_system_dns:
    host: "{{ fg_adminhurl }}"
    username: "{{ ansible_ssh_user }}"
    password: "{{ ansible_ssh_pass }}"
    vdom: "{{ fg_vdom }}"
    https: "{{ fg_https }}"
    ssl_verify: "{{ fg_sslverf }}"
    system_dns:
      primary: "{{ dns_primary }}"
      secondary: "{{ dns_secondary }}"
      # 0.0.0.0 is the FortiOS default and clears a previously set source_ip
      source_ip: "{{ dns_source_ip | default('0.0.0.0') }}"
      domain:
        - domain: "{{ domain_internal }}"
      retry: "5"
      timeout: "3"
```
So suggestions for enhancements:
- Clearer documentation on what the defaults are that need to be set for each attribute/option to unset it. It should be in the docs and not have us dig around forums/KBs.
- A more explicit method to unset, so the user does not have to go digging for defaults. Some way to flag an attribute as "unset", and then the module/API takes care of looking up the defaults.
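The "set it to its default to unset it" workaround above, and the "flag an attribute as unset" enhancement asked for in the suggestions, can be approximated today with a small custom Ansible filter plugin. This is an added example, not code from the fortinet.fortios collection; the filter name `fortios_unset`, the sentinel string, and the defaults table are assumptions, and the table carries only the one default this thread documents (DNS source_ip = 0.0.0.0). It fails closed when no default is known, so an attribute is never silently left at its stale value.

```python
"""Hypothetical filter plugin (save under filter_plugins/fortios_unset.py).

Usage in a task, assuming the plugin is on the filter_plugins path:
    system_dns: "{{ desired_dns | fortios_unset('system_dns') }}"
"""

UNSET = "unset"  # sentinel a playbook author writes instead of a value

# Constructed defaults table. source_ip is the one value this thread documents
# (KB FD43725: 0.0.0.0 clears a previously set DNS source IP). Add further keys
# only from your own firmware's `show full-configuration` output; never guess.
FORTIOS_DEFAULTS = {
    "system_dns": {
        "source_ip": "0.0.0.0",
    },
}


class UnknownDefaultError(ValueError):
    """Raised when 'unset' is requested for an attribute with no known default.

    A real plugin would raise ansible.errors.AnsibleFilterError here; a plain
    exception is used so the example runs without Ansible installed.
    """


def resolve_unset(params, table, defaults=FORTIOS_DEFAULTS):
    """Return a copy of `params` with every UNSET value replaced by the FortiOS
    default for (table, key).

    Fails closed: an UNSET whose default is unknown aborts the play instead of
    being dropped, because dropping it (like `omit`) would keep whatever value
    is already on the device, which is exactly the hazard described above.
    """
    known = defaults.get(table, {})
    resolved = {}
    for key, value in params.items():
        if value == UNSET:
            if key not in known:
                raise UnknownDefaultError(
                    f"no known default for {table}.{key}; refusing to unset")
            resolved[key] = known[key]
        else:
            resolved[key] = value
    return resolved


class FilterModule:
    """Ansible discovers filters through this class; exposes `fortios_unset`."""

    def filters(self):
        return {"fortios_unset": resolve_unset}
```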
Hi @markodjukic Marko,
Thanks again for your suggestions. After several rounds of discussion with the team, we decided not to support unsetting an attribute from Ansible, for two reasons:
- FortiGate currently doesn't expose any RESTful API to unset an attribute.
- We are going to secure Ansible users' credentials by migrating to token authentication in the future, so username/password is not preferred.
You still have the flexibility to unset attributes from Ansible using its native modules, but it's risky to expose username/password:
- https://docs.ansible.com/ansible/latest/collections/ansible/builtin/command_module.html
- https://docs.ansible.com/ansible/latest/collections/ansible/builtin/shell_module.html
- https://docs.ansible.com/ansible/latest/collections/ansible/builtin/script_module.html
We are going to mark it closed.
Thanks,
Link.