
Comments (5)

chillancezen avatar chillancezen commented on July 2, 2024

Thanks @markodjukic for the issue.
Yes, this is because module fortios_system_global is to configure global attributes, which have no primary object key in FortiGate; that's why it was designed not to have state: present/absent (note: state can update/create or delete an object).

We will keep this issue open until we find a fix/workaround for it.

from ansible-galaxy-fortios-collection.

markodjukic avatar markodjukic commented on July 2, 2024

I've found two workarounds...

  • Looks like the settings in system-global will disappear from the FortiGate config if they are set to the default. So, a little clunky, but just ensuring that settings are set to the defaults will make them "unset".
  • The other workaround is to use the expect module and go with raw SSH + CLI commands. Really nasty and horrible, but given that there's no network_cli support in Ansible for FortiOS, this is a last-resort workaround.

Feel free to close it, I get now the intent of the fortiosapi and why you're limited on your side.

from ansible-galaxy-fortios-collection.

chillancezen avatar chillancezen commented on July 2, 2024
  • Looks like the settings in system-global will disappear from the FortiGate config if they are set to the default. So, a little clunky, but just ensuring that settings are set to the defaults will make them "unset".

Thanks for the workarounds.

from ansible-galaxy-fortios-collection.

markodjukic avatar markodjukic commented on July 2, 2024

Sorry, let's reopen; it's more dangerous than I thought. We cannot work around it in some scenarios, and some are really not obvious, which then risks taking out the whole device/network over something really trivial.
Take the example below: if there's no dns_source_ip mandated for the DNS servers, then omit it. Seems simple enough, except if there was already a source IP and that conflicts with a new DNS server setting, it will break a bunch of things, including web filtering for users. Omitting won't unset what's already there.

- name: Configuring DNS
  fortios_system_dns:
    host: "{{ fg_adminhurl }}"
    username: "{{ ansible_ssh_user }}"
    password: "{{ ansible_ssh_pass }}"
    vdom: "{{ fg_vdom }}"
    https: "{{ fg_https }}"
    ssl_verify: "{{ fg_sslverf }}"
    system_dns:
      primary: "{{ dns_primary }}"
      secondary: "{{ dns_secondary }}"
      source_ip: "{{ dns_source_ip|default(omit) }}"
      domain:
        -
          domain: "{{ domain_internal }}"
      retry: "5"
      timeout: "3"

And the workaround is not obvious, not documented anywhere explicitly, and needs the source IP to be set to "0.0.0.0" to unset the old source_ip. The only clue we found about what to use was buried here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD43725

- name: Configuring DNS
  fortios_system_dns:
    host: "{{ fg_adminhurl }}"
    username: "{{ ansible_ssh_user }}"
    password: "{{ ansible_ssh_pass }}"
    vdom: "{{ fg_vdom }}"
    https: "{{ fg_https }}"
    ssl_verify: "{{ fg_sslverf }}"
    system_dns:
      primary: "{{ dns_primary }}"
      secondary: "{{ dns_secondary }}"
      source_ip: "{{ dns_source_ip|default('0.0.0.0') }}"
      domain:
        -
          domain: "{{ domain_internal }}"
      retry: "5"
      timeout: "3"

So suggestions for enhancements:

  • Clearer documentation on what the defaults are which need to be called for each attribute/option to unset it. It should be in the docs, and we should not have to dig around forums/KBs.
  • A more explicit method to unset, so the user does not have to go digging for defaults. Some way to flag an attribute as "unset" and then the module/API takes care of looking up the defaults.

from ansible-galaxy-fortios-collection.
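As an added example (not code from the fortios collection or from either commenter), here is a small Ansible filter plugin that implements the "flag an attribute as unset" enhancement requested above: a flagged key is replaced by the explicit default that clears it, and a flagged key with no known default fails the task instead of silently leaving the old value on the device. The plugin path, the `__unset__` sentinel and the filter name are assumptions; the only clearing default it knows, `source_ip: "0.0.0.0"`, is the one the thread cites.

```python
"""Hypothetical filter plugin: drop into filter_plugins/fortios_unset.py (assumed path).

FortiOS attributes are cleared by writing their default, not by omitting them, so
`default(omit)` leaves stale values (e.g. an old DNS source_ip) on the FortiGate.
This filter replaces a sentinel with the explicit clearing default and fails when
no default is known, rather than quietly keeping the old setting.
"""
from copy import deepcopy

UNSET = "__unset__"  # sentinel the playbook uses instead of default(omit)

# Defaults that clear an attribute, keyed by module section. Only the entry
# cited in this thread is included; extend it only with values you have verified.
FORTIOS_UNSET_DEFAULTS = {
    "system_dns": {
        "source_ip": "0.0.0.0",
    },
}


class FortiosUnsetError(Exception):
    """Raised when an attribute is flagged unset but no clearing default is known."""


def resolve_unset(config, section, defaults=FORTIOS_UNSET_DEFAULTS):
    """Return a copy of `config` with every UNSET value replaced by the default
    that clears that attribute in FortiOS section `section` (e.g. "system_dns").

    Keys absent from `config` stay absent: the caller must explicitly flag
    what it wants cleared, because omission never unsets anything on the device.
    """
    section_defaults = defaults.get(section, {})
    resolved = deepcopy(config)
    for key, value in config.items():
        if value != UNSET:
            continue
        if key not in section_defaults:
            raise FortiosUnsetError(
                "%s.%s is flagged unset but no clearing default is known; "
                "omitting it would keep the old value on the device" % (section, key)
            )
        resolved[key] = section_defaults[key]
    return resolved


class FilterModule(object):
    """Expose the filter to Jinja2 as: {{ cfg | fortios_unset('system_dns') }}"""

    def filters(self):
        return {"fortios_unset": resolve_unset}
```

In the playbook, `source_ip: "{{ dns_source_ip | default('__unset__') }}"` inside a `system_dns` dict passed through the filter then yields the explicit `0.0.0.0` the KB article calls for.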

chillancezen avatar chillancezen commented on July 2, 2024

Hi @markodjukic Marko,

Thanks again for your suggestions. After several rounds of discussion with the team, we decided not to support unsetting an attribute from Ansible, for two reasons:

  1. FortiGate currently doesn't expose any RESTful API to unset an attribute.
  2. We are going to secure Ansible users' credentials by migrating to token authentication in the future, so username/password is not preferred.

But you still have the flexibility to unset attributes from Ansible using its native modules, though it's risky to expose username/password.

We are going to mark it closed.
Thanks,
Link.

from ansible-galaxy-fortios-collection.
