
Comments (10)

chillancezen commented on July 2, 2024 2

@MilesTails sorry, the current collection doesn't support policy ordering.

However, we can still reorder the entries via automatic helper shell scripts (and python scripts) to analyze and apply a reordering config. Below is an example:

#ssh [email protected] show firewall policy > firewall_policy.raw
Then apply a shell script or python (sorry, I don't have a handy one, but it's supposed to be easy to do that with a script) to produce the following output:

Given a sequence [3 1 10 5 2], we are going to reorder it to [1 2 3 5 10]; we can use shell or python to generate the cli config.
With a limited number of iterations, we have the cli commands:
move 5 before 10: (3 1 5 10 2)
move 3 before 5: (1 3 5 10 2)
move 2 before 3: (1 2 3 5 10)

then the cli config will be(name it reordering.cli):
config firewall policy
move 5 before 10
move 3 before 5
move 2 before 3
end

Here we move entries in their descending order, then apply the reordering cli via: ssh [email protected] < reordering.cli

This is not the first time policy ordering has been mentioned, but the current mechanism doesn't support such functionality; we will try to have one in a later release.

thanks,
Link

from ansible-galaxy-fortios-collection.
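A script that produces the reordering config described in the comment above, as an added example (it is not code from the collection or from the comment's author). It assumes only the FortiOS CLI syntax the comment already uses (`config firewall policy` / `move <id> before <id>` / `end`) and parses a constructed sample of `show firewall policy` output; the `edit <id>` lines are the only part of that output it relies on. It walks the desired order from the bottom up, moving each policy directly in front of its successor, which reproduces the three moves in the comment for `[3 1 10 5 2]`. It refuses to run when the two lists are not the same set of policy IDs, because a dropped or mistyped ID would silently change which rule the firewall matches first.

```python
"""Generate FortiOS `move` commands that reorder firewall policies.

Added example, not part of the collection. Assumes only the documented
FortiOS CLI syntax `config firewall policy` / `move <id> before <id>` / `end`.
"""
import re
from typing import List, Tuple

# Constructed sample in the style of `show firewall policy` output. Real
# output carries many more `set` lines; the parser ignores everything but
# the `edit <id>` lines, and assumes no nested numeric `edit` tables.
SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 3
        set name "dmz-out"
        set srcintf "port1"
    next
    edit 1
        set name "mgmt"
    next
    edit 10
        set name "catch-all-deny"
        set action deny
    next
    edit 5
        set name "web"
    next
    edit 2
        set name "vpn"
    next
end
"""

EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")


def parse_policy_order(show_output: str) -> List[int]:
    """Return policy IDs in the order the firewall currently evaluates them."""
    return [int(m.group(1)) for m in map(EDIT_RE.match, show_output.splitlines()) if m]


def plan_moves(current: List[int], desired: List[int]) -> List[Tuple[int, int]]:
    """Return (policy, anchor) pairs meaning `move <policy> before <anchor>`.

    Walks the desired order from the bottom up, so every anchor is already in
    its final relative position when a policy is moved in front of it.
    Refuses to plan if the lists are not permutations of each other: a policy
    missing from `desired` would otherwise be left wherever it is, which for
    a firewall means a rule silently matching earlier or later than intended.
    """
    if len(set(current)) != len(current) or len(set(desired)) != len(desired):
        raise ValueError("policy IDs must be unique")
    if set(current) != set(desired):
        raise ValueError(f"policy ID mismatch: {sorted(set(current) ^ set(desired))}")
    work = list(current)
    moves = []
    for i in range(len(desired) - 2, -1, -1):
        policy, anchor = desired[i], desired[i + 1]
        if work.index(policy) + 1 == work.index(anchor):
            continue  # already directly before its anchor, no move needed
        work.remove(policy)
        work.insert(work.index(anchor), policy)
        moves.append((policy, anchor))
    assert work == desired  # sanity check on the simulated result
    return moves


def render_cli(moves: List[Tuple[int, int]]) -> str:
    """Render the moves as a FortiOS CLI block; empty string if nothing to do."""
    if not moves:
        return ""
    lines = ["config firewall policy"]
    lines += [f"    move {policy} before {anchor}" for policy, anchor in moves]
    lines.append("end")
    return "\n".join(lines) + "\n"


def reorder_cli(show_output: str, desired: List[int]) -> str:
    """End-to-end: parse current order, plan moves, render reordering.cli."""
    return render_cli(plan_moves(parse_policy_order(show_output), desired))


if __name__ == "__main__":
    print(reorder_cli(SAMPLE_SHOW_OUTPUT, [1, 2, 3, 5, 10]), end="")
```

Feed the saved `show firewall policy` output to `reorder_cli()`, write the result to `reordering.cli`, and apply it over SSH as the comment describes. After applying, capture `show firewall policy` again and compare `parse_policy_order()` of it with the desired list rather than trusting that every `move` was accepted; the rendered block uses no `set` commands, so it changes rule order only, never rule contents.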

greenspartan commented on July 2, 2024 1

@MilesTails

Hello,

For info, we are using the fortiosconfig module and it works like a charm.
Example below where you want to move a certain policy before policy id 100.

- name: Move policy on firewall
  fortiosconfig:
    config: "firewall policy"
    action: "move"
    host: "{{ host }}"
    username: "{{ username }}"
    password: "{{ password }}"
    vdom: "{{ vdom }}"
    config_parameters:
      key: "{{ policy_id_number }}"
      where: "before"
      reference-key: 100

Hope it helps,

Adrien

from ansible-galaxy-fortios-collection.

chillancezen commented on July 2, 2024

leaving fix in #70.

from ansible-galaxy-fortios-collection.

chillancezen commented on July 2, 2024

in latest release, moving policy is supported.

https://ansible-galaxy-fortios-docs.readthedocs.io/en/latest/gen/fortios_firewall_policy.html#examples

from ansible-galaxy-fortios-collection.

taylorjt2 commented on July 2, 2024

I see the example of how to move policies around, however, whenever I try to use it, it errors out. I have made sure I am running 1.1.8 (latest).

This is my config:

- name: move firewall policy - 2 before 1
  fortios_firewall_policy:
    vdom: "{{ vdom }}"
    action: "move"
    self: "1"
    after: "2"

And this is the error:

fatal: [10.99.250.250]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "action": "move",
            "after": "2",
            "self": "1",
            "vdom": "FG-traffic"
        }
    },
    "msg": "Unsupported parameters for (fortios_firewall_policy) module: action, after, self Supported parameters include: firewall_policy, host, https, password, ssl_verify, state, username, vdom"
}

from ansible-galaxy-fortios-collection.

chillancezen commented on July 2, 2024

@taylorjt2 could you help provide your full inventory and playbook?

from ansible-galaxy-fortios-collection.

taylorjt2 commented on July 2, 2024

Sure, it's really basic as I'm just experimenting and learning at this point. I experimented with having the move code separate as well as in the policy definition. Seems like it's just not recognizing action, after, self under fortios_firewall_policy as valid.

Directory Structure:

fortinet
 group_vars
  all.yml
 roles
  policies
   tasks
    main.yml
site.yml
hosts.yml

Files:
group_vars/all.yml

---
# Variables for all
ansible_user: admin
ansible_password: password
ansible_network_os: fortinet.fortios.fortios
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 8443

roles/policies/tasks/main.yml

---
- name: Configure IPv4 policy - hosting-to-engage
  fortios_firewall_policy:
    vdom:  "FG_traffic"
    state: "present"
    firewall_policy:
      name: "hosting-to-engage_allowall"
      policyid: "1"
      status: "enable"
      srcintf:
        - name: "port1"
      srcaddr:
        - name: "1.1.1.1_32"
        - name: "2.2.2.2_32"
      dstintf:
        - name: "port2"
      dstaddr:
        - name: "3.3.3.3_32"
      service:
        - name: "TEST"
        - name: "PING"
      action: "accept"
      schedule: "always"
      logtraffic: "all"
      logtraffic_start: "enable"

- name: Configure IPv4 policy - engage-to-hosting
  fortios_firewall_policy:
    vdom:  "{{ vdom }}"
    state: "present"
    # action: move
    # self: 2
    # before: 1
    firewall_policy:
      name: "engage-to-hosting_allowall"
      policyid: "2"
      status: "enable"
      srcintf:
        - name: "port2"
      srcaddr:
        - name: "4.4.4.4_32"
      dstintf:
        - name: "port1"
      dstaddr:
        - name: "5.5.5.5_32"
      service:
        - name: "TEST"
      action: "accept"
      schedule: "always"
      logtraffic: "all"
      logtraffic_start: "enable"

- name: move firewall policy - 2 before 1
  fortios_firewall_policy:
    vdom: "FG_traffic"
    action: "move"
    self: "1"
    after: "2"
    # before: "1"

site.yml

---
- hosts: hosting
  connection: httpapi
  collections:
    - fortinet.fortios
  roles:
    - interfaces

hosts.yml

fortigates:
  children:
    virtual_fortigates:
      children:
        hosting:
          children:
            test1:
              hosts:
                172.16.1.50:

from ansible-galaxy-fortios-collection.

mbdraks commented on July 2, 2024

Roles don't support the 'collections' keyword. Try using the full FQDN, e.g.:

fortinet.fortios.fortios_firewall_policy

ansible/ansible#68198

from ansible-galaxy-fortios-collection.

taylorjt2 commented on July 2, 2024

Thank you so much, that did it! Pointed me in the right direction to finding that I can also add the meta folder to each role with a file that adds the fortinet.fortios collection. I'm just learning Ansible, so trying to understand the correct structure and syntax. Appreciate the help!

from ansible-galaxy-fortios-collection.

jantari commented on July 2, 2024

Issue should be reopened, reordering support was only added for firewall rules in profile-based mode.

In NGFW policy-based mode we have to use fortios_firewall_security_policy (https://ansible-galaxy-fortios-docs.readthedocs.io/en/latest/gen/fortios_firewall_security_policy.html) and it still doesn't support moving policies.

Or should I create a new issue?

from ansible-galaxy-fortios-collection.
