Comments (9)
Yeap, you need to reconstruct the list and post the complete object.
Here's one example with another module:
```yaml
---
# item.* values come from the surrounding loop (e.g. an include_tasks with loop:)
# that is not shown in this snippet.
- name: initialize empty list
  set_fact:
    pp_install_target_list: []

- name: get current pp scope members
  fortinet.fortimanager.fmgr_pm_pkg_obj:
    method: get
    url_params:
      adom: '{{ adom }}'
      pkg_path: '{{ item.policy_package }}'
  register: results

# Start from the members the package already has, so the set below does not drop them.
- name: register list with existing pp members
  set_fact:
    pp_install_target_list: "{{ results.meta.data['scope member'] }}"
  when: results.meta.data['scope member'] is defined

- name: append member to list
  set_fact:
    pp_install_target_list: "{{ pp_install_target_list + [ { 'name': item.device_name, 'vdom': vdom } ] }}"

# Post the complete object: the whole scope member list, not just the new entry.
- name: update policy package scope members
  fortinet.fortimanager.fmgr_pm_pkg_adom_obj:
    method: set
    url_params:
      adom: '{{ adom }}'
    params:
      - data:
          - name: '{{ item.policy_package }}'
            scope member: '{{ pp_install_target_list }}'
```
from ansible-galaxy-fortios-collection.
Hi,
Yes, with_items works correctly while creating the firewall addresses: you loop over a list of address objects using the with_items function.
For the third task, the types of local_networks and remote_networks are lists, so you are actually iterating a list of lists; that's the reason. I think you could add a third variable in vars to join local_network and remote_network; let's name it network_pair.
@JieX19 But it's not a one-to-one map. As an example, I may have a list of 3 firewall addresses for "srcaddr" and 20 addresses for "dstaddr". I'm not sure how to do that in a single "network_pair" var.
@JieX19 Hi,
My concern about the one-to-one map from my previous comment still applies, but I wanted to test your suggestion. Assuming the numbers of local and remote networks are the same, I added a new var as below:
```yaml
network_pair:
  - {local_policy: "MY-IP1", remote_policy: "LA-IP1"}
  - {local_policy: "MY-IP2", remote_policy: "LA-IP2"}
  - {local_policy: "MY-IP3", remote_policy: "LA-IP3"}
  - {local_policy: "MY-IP4", remote_policy: "LA-IP4"}
  - {local_policy: "MY-IP5", remote_policy: "LA-IP5"}
  - {local_policy: "MY-IP6", remote_policy: "LA-IP6"}
  - {local_policy: "MY-IP7", remote_policy: "LA-IP7"}
  - {local_policy: "MY-IP8", remote_policy: "LA-IP8"}
```
Then I changed my task to below:
```yaml
# Each iteration sends one complete firewall_policy object whose srcaddr and
# dstaddr hold a single pair, so every run of the loop overwrites the previous one.
- name: Configure IPv4 policy
  fortios_firewall_policy:
    vdom: "{{ vdom }}"
    state: "present"
    firewall_policy:
      state: "present"
      policyid: "2002"
      name: "Policy_2002"
      action: "deny"
      srcintf:
        - name: any
      dstintf:
        - name: any
      srcaddr:
        - name: "{{ item.local_policy }}"
      dstaddr:
        - name: "{{ item.remote_policy }}"
      service:
        - name: 'HTTP'
        - name: 'HTTPS'
      schedule: "always"
      nat: "disable"
      logtraffic: "all"
  with_items:
    - "{{ network_pair }}"   # the list defined in vars above
```
So when I checked the policy on the firewall, it only had the last line in it.
- {local_policy: "MY-IP8", remote_policy: "LA-IP8"}
So apparently it loops through the list, but each time the new value replaces the old one. Any thoughts?
Thank you,
If the desired outcome is a single rule with all objects of the local_networks list as source and all objects of remote_networks as destination, I would change the code to create an address group for each network list and only use those groups in the rule.
This also makes maintenance easier: if you have more networks, all you have to do is add them to the list, and they would cascade to include the new network object in the proper group (which is already configured on the correct rule).
@mbdraks Thank you. That actually makes sense. Let me try that quick.
Using the same "remote_networks" and "local_networks" vars:
```yaml
remote_networks:
  - {remote_network_subnet: "210.20.30.0/24", remote_subnet_name: "LA-IP1"}
  - {remote_network_subnet: "210.20.40.100/30", remote_subnet_name: "LA-IP2"}
  - {remote_network_subnet: "210.20.50.0/28", remote_subnet_name: "LA-IP3"}
  - {remote_network_subnet: "210.20.60.145/32", remote_subnet_name: "LA-IP4"}
  - {remote_network_subnet: "210.20.70.0/24", remote_subnet_name: "LA-IP5"}
  - {remote_network_subnet: "210.20.80.16/32", remote_subnet_name: "LA-IP6"}
  - {remote_network_subnet: "210.20.90.0/30", remote_subnet_name: "LA-IP7"}
  - {remote_network_subnet: "210.20.140.104/32", remote_subnet_name: "LA-IP8"}
local_networks:
  - {local_network_subnet: "10.20.30.0/24", local_subnet_name: "MY-IP1"}
  - {local_network_subnet: "10.20.40.100/30", local_subnet_name: "MY-IP2"}
  - {local_network_subnet: "10.20.50.0/28", local_subnet_name: "MY-IP3"}
  - {local_network_subnet: "10.20.60.145/32", local_subnet_name: "MY-IP4"}
  - {local_network_subnet: "10.20.70.0/24", local_subnet_name: "MY-IP5"}
  - {local_network_subnet: "10.20.80.16/32", local_subnet_name: "MY-IP6"}
  - {local_network_subnet: "10.20.90.0/30", local_subnet_name: "MY-IP7"}
  - {local_network_subnet: "10.20.140.104/32", local_subnet_name: "MY-IP8"}
```
I added these tasks below to create the address groups:
```yaml
# As posted: each iteration sends the whole group with a one-entry member list,
# so the final group only contains the last item of the loop.
- name: Configure Remote IPv4 address group
  fortios_firewall_addrgrp:
    vdom: "{{ vdom }}"
    state: "present"
    firewall_addrgrp:
      name: "MY-LA-VPN-Remote-IPs"
      visibility: "enable"
      member:
        - name: "{{ item.remote_subnet_name }}"
  with_items:
    - "{{ remote_networks }}"

- name: Configure Local IPv4 address group
  fortios_firewall_addrgrp:
    vdom: "{{ vdom }}"
    state: "present"
    firewall_addrgrp:
      name: "MY-LA-VPN-Local-IPs"
      visibility: "enable"
      member:
        - name: "{{ item.local_subnet_name }}"
  with_items:
    - "{{ local_networks }}"
```
Apparently the loop is working fine, but each time it goes over the list the item gets "replaced", not added. Therefore, at the end, I only see the last items below in the address groups. Please advise.
- {remote_network_subnet: "210.20.140.104/32", remote_subnet_name: "LA-IP8"}
- {local_network_subnet: "10.20.140.104/32", local_subnet_name: "MY-IP8"}
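The "replaced, not added" behaviour above is not a loop bug: every iteration of with_items sends one complete firewall_addrgrp object whose member list holds a single entry, and the module applies the whole object, so the last call wins. The fix is the same reconstruct-then-post pattern the first comment uses for FortiManager scope members: build the complete member list with set_fact first, then call the address-group module once per group, and point a single policy at the two groups. The tasks below are an added example, not code from this thread or from the fortinet.fortios collection; they reuse the remote_networks and local_networks vars posted above, and the group names, policy id and the assumption that the individual address objects already exist are assumptions.

```yaml
---
# Added example (not from the thread). Assumes the firewall address objects
# named in remote_networks / local_networks were created by an earlier task.

# Accumulate the full member list: each iteration appends one {'name': ...}
# dict to the list built so far (default([]) covers the first iteration).
- name: Build member list for the remote address group
  set_fact:
    remote_members: "{{ remote_members | default([]) + [ { 'name': item.remote_subnet_name } ] }}"
  loop: "{{ remote_networks }}"

- name: Build member list for the local address group
  set_fact:
    local_members: "{{ local_members | default([]) + [ { 'name': item.local_subnet_name } ] }}"
  loop: "{{ local_networks }}"

# One call per group with the complete member list, so nothing is overwritten.
- name: Configure Remote IPv4 address group
  fortios_firewall_addrgrp:
    vdom: "{{ vdom }}"
    state: "present"
    firewall_addrgrp:
      name: "MY-LA-VPN-Remote-IPs"      # assumed group name
      visibility: "enable"
      member: "{{ remote_members }}"

- name: Configure Local IPv4 address group
  fortios_firewall_addrgrp:
    vdom: "{{ vdom }}"
    state: "present"
    firewall_addrgrp:
      name: "MY-LA-VPN-Local-IPs"       # assumed group name
      visibility: "enable"
      member: "{{ local_members }}"

# A single rule that references the groups. Adding a subnet to either vars
# list now only changes the group membership; the rule itself stays fixed.
- name: Configure IPv4 policy using the address groups
  fortios_firewall_policy:
    vdom: "{{ vdom }}"
    state: "present"
    firewall_policy:
      policyid: "2002"                  # assumed policy id
      name: "Policy_2002"
      action: "deny"
      srcintf:
        - name: any
      dstintf:
        - name: any
      srcaddr:
        - name: "MY-LA-VPN-Local-IPs"
      dstaddr:
        - name: "MY-LA-VPN-Remote-IPs"
      service:
        - name: 'HTTP'
        - name: 'HTTPS'
      schedule: "always"
      nat: "disable"
      logtraffic: "all"
```

If the community.general collection is installed, the two set_fact loops can be replaced by a one-line filter chain in the module call, e.g. `member: "{{ remote_networks | map(attribute='remote_subnet_name') | map('community.general.dict_kv', 'name') | list }}"`; the set_fact form is shown because it needs nothing beyond core Ansible. Note also that because the group is now sent as one complete object, re-running the play is idempotent: members removed from the vars list are removed from the group as well, which is what you want for a deny rule but worth knowing before you prune the list.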
@mbdraks Thank you so much, I will try it later and let you know.
Thank you, Michel @mbdraks, for supporting Ansible issues.
set_fact is really a good tool for processing data internally; the syntax allows users to call many of Python's native libraries.
@shariaty59 please let us know if your problem persists.
I'll mark this issue closed; feel free to reopen it if you need further help.
Thanks,