fortinet-solutions-cse / 40ansible

Ansible modules and examples for Fortinet products using the REST API

Home Page: https://fndn.fortinet.net

License: Apache License 2.0


40ansible

This project contains Ansible modules for FortiGate and FortiMail.

It depends on https://pypi.python.org/pypi/fortiosapi

You can install it with pip:

pip install fortiosapi

If your environment does not support pip installation, the latest version is located at:

https://github.com/fortinet-solutions-cse/fortiosapi/tree/master/fortiosapi

Note: FortiGate versions from 5.6 onwards are supported.

Quickstart

Follow these instructions:

git clone https://github.com/fortinet-solutions-cse/40ansible.git

cd 40ansible

Copy the file fortigate_mix.yml to your base dir:

cp examples/fortigate_mix.yml .

Adapt the IP address of the FortiGate in fortigate_mix.yml to your environment:

ansible-playbook fortigate_mix.yml

You can then write your own playbooks and use an inventory.

Please note that Ansible does not run on the FortiGate itself; instead you must run it locally, on a dedicated server, or in a Docker image (Dockerfile provided).

More complete documentation on the modules is in the Ansible documentation: http://docs.ansible.com/ansible/modules.html

Contributors: barbosm, frankshen01, kainzjoh, migumun, osrour, thomnico

40ansible's Issues

SSL issue running fortios_firewall_address

ISSUE TYPE

Hello,

Using Ansible via Tower, we are not able to create an object on a FortiGate 240D firewall using the fortios_firewall_address module.
The playbook ends each time with the same error (see below).

COMPONENT NAME
Ansible: 2.9.6
Python: 3.6
FortiosAPI: 1.0.1
Ansible module: fortios_firewall_address
FortiGate firewall: 240D running 6.0.6
ANSIBLE VERSION

Ansible version is 2.9.6

OS / ENVIRONMENT

Tower is running on CentOS Linux release 7.7.1908
STEPS TO REPRODUCE

To reproduce, you can run the playbook below:


- hosts: localhost
  gather_facts: False
  vars:
    host: "10.109.109.1"
    username: "fakeusername"
    password: "fakepassword"
    vdom: "root"
  tasks:
  - name: Configure IPv4 addresses.
    fortios_firewall_address:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      state: "present"
      firewall_address:
        name: "TOWER_TEST"
        subnet: "1.2.3.4 255.255.255.255"
        comment: "TOWER_TEST_COMMENT"

EXPECTED RESULTS

Object to be created in the firewall.
ACTUAL RESULTS

PLAY [localhost] ***************************************************************

TASK [fortios_tasks : CREATE OBJECT ON FORTIGATE] ******************************
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "/opt/my-envs/Ansible2.9P3/lib/python3.6/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.109.109.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\\n InsecureRequestWarning,\nTraceback (most recent call last):\n File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1586426295.6123304-22106732036127/AnsiballZ_fortios_firewall_address.py\", line 102, in \n _ansiballz_main()\n File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1586426295.6123304-22106732036127/AnsiballZ_fortios_firewall_address.py\", line 94, in ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1586426295.6123304-22106732036127/AnsiballZ_fortios_firewall_address.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible.modules.network.fortios.fortios_firewall_address', init_globals=None, run_name='main', alter_sys=True)\n File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n return run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/lib64/python3.6/runpy.py\", line 96, in run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File \"/usr/lib64/python3.6/runpy.py\", line 85, in run_code\n exec(code, run_globals)\n File \"/tmp/ansible_fortios_firewall_address_payload_o04mvvs/ansible_fortios_firewall_address_payload.zip/ansible/modules/network/fortios/fortios_firewall_address.py\", line 570, in \n File \"/tmp/ansible_fortios_firewall_address_payload_o04mvvs/ansible_fortios_firewall_address_payload.zip/ansible/modules/network/fortios/fortios_firewall_address.py\", line 560, in main\n File \"/tmp/ansible_fortios_firewall_address_payload_o04mvvs/ansible_fortios_firewall_address_payload.zip/ansible/modules/network/fortios/fortios_firewall_address.py\", line 462, in fortios_firewall\n 
File \"/tmp/ansible_fortios_firewall_address_payload_o04mvvs/ansible_fortios_firewall_address_payload.zip/ansible/modules/network/fortios/fortios_firewall_address.py\", line 445, in firewall_address\n File \"/opt/my-envs/Ansible2.9P3/lib/python3.6/site-packages/fortiosapi/fortiosapi/fortiosapi.py\", line 422, in set\n mkey = self.get_mkey(path, name, data, vdom=vdom)\n File \"/opt/my-envs/Ansible2.9P3/lib/python3.6/site-packages/fortiosapi/fortiosapi/fortiosapi.py\", line 233, in get_mkey\n keyname = self.get_mkeyname(path, name, vdom)\n File \"/opt/my-envs/Ansible2.9P3/lib/python3.6/site-packages/fortiosapi/fortiosapi/fortiosapi.py\", line 222, in get_mkeyname\n schema = self.schema(path, name, vdom=vdom)\n File \"/opt/my-envs/Ansible2.9P3/lib/python3.6/site-packages/fortiosapi/fortiosapi/fortiosapi.py\", line 322, in schema\n url = self.cmdb_url(path, name, vdom=vdom) + \"&action=schema\"\n File \"/opt/my-envs/Ansible2.9P3/lib/python3.6/site-packages/fortiosapi/fortiosapi/fortiosapi.py\", line 257, in cmdb_url\n self.check_session()\n File \"/opt/my-envs/Ansible2.9P3/lib/python3.6/site-packages/fortiosapi/fortiosapi/fortiosapi.py\", line 131, in check_session\n raise NotLogged()\nfortiosapi.fortiosapi.exceptions.NotLogged: Not logged on a session, please login.\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP *********************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

Passwd starting with "=" fails. was Login failed

Hi,

I am having the exact same issue as #26. So please forgive me that I am not pasting in the output I am getting as it is the same.

My steps to reproduce:

  1. Spin up a new PAYG VM on Azure and expose SSH/HTTP/HTTPS ports to outside on public IP.

  2. Log in to the HTTPS interface, set admin-https-redirect to disable, and enable port1 for HTTP management traffic.

  3. Use the playbook in mamunozgonzalez's response, replacing host, username and password with my values.

I still get "login failed". If I log into the appliance on the web interface I can call the API via the browser successfully, so I know it is working.

Is there something I am missing in my configuration of the firewall? I've also tried the Ansible fgt generator modules and they also give me "login failed".

I tried packet capturing the HTTP transmission and I can see my username and password being sent over in cleartext, so it isn't because I have put in the wrong credentials either.

Delete calls fail with vdom error

When trying to delete an existing object I get an error saying:

File "/Users/damani/.pyenv/versions/3.6.5/lib/python3.6/site-packages/fortiosapi/fortiosapi.py", line 329, in schema\n url = self.cmdb_url(path, name) + "?action=schema"\nTypeError: cmdb_url() missing 1 required positional argument: 'vdom'\n"

I'm running FortiOS v6.0.3

Code:

- hosts: localhost
 # strategy: debug
  vars:
   host:                      "{{ lookup ('env', 'FORTIGATE_IP') }}"
   username:                  "{{ lookup ('env', 'FORTIGATE_USER') }}"
   password:                  "{{ lookup ('env', 'FORTIGATE_PASS') }}"
   vdom:                      "root"
   gaia_vpn_name:             "{{ lookup ('env', 'GAIA_VPN_NAME') }}"
   gaia_wan_interface:        "{{ lookup ('env', 'GAIA_WAN_INTERFACE') }}"
   gaia_local_gw:             "{{ lookup ('env', 'GAIA_LOCAL_GW') }}"
   gaia_remote_gw:            "{{ lookup ('env', 'GAIA_REMOTE_GW') }}"
   gaia_vpn_shared_secret:    "{{ lookup ('env', 'GAIA_VPN_SHARED_SECRET') }}"
   gaia_src_subnet:           "{{ lookup ('env', 'GAIA_SRC_SUBNET') }}"
   gaia_dst_subnet:           "{{ lookup ('env', 'GAIA_DST_SUBNET') }}"
   gaia_vpn_route_num_0:      "{{ lookup ('env', 'GAIA_VPN_ROUTE_NUM_0') }}"
   gaia_vpn_inbound_fw_id_0:  "{{ lookup ('env', 'GAIA_INBOUND_FW_ID_0') }}"
   gaia_vpn_outbound_fw_id_0: "{{ lookup ('env', 'GAIA_OUTBOUND_FW_ID_0') }}"
   gaia_lan_interface:        "{{ lookup ('env', 'GAIA_LAN_INTERFACE') }}"

  tasks:
  - name: Show Var(s) 
    debug:
      msg: 
        - "host is: {{ host }}" 
        - "vdom is: {{ vdom }}"

  - name: Remove Gaia outbound firewall policy
    fortiosconfig:
     config: "firewall policy"
     action: "delete"
     host:  "{{ host }}"  
     username: "{{ username }}"  
     password: "{{ password }}"  
     vdom:  "{{ vdom }}"
     config_parameters:
        policyid: "{{ gaia_vpn_outbound_fw_id_0 }}"
        name: "{{ gaia_vpn_name }}_0_out"
        action: "accept"
        srcintf: [ {"name": "{{ gaia_lan_interface }}"} ] 
        dstintf: [ {"name": "{{ gaia_vpn_name }}"} ] 
        srcaddr: [ {"name": "all"} ] 
        dstaddr: [ {"name": "all"} ] 
        schedule: "always" 
        service:  [ {"name":"ALL"} ]
        tcp-mss-sender: "1350"
        tcp-mss-receiver: "1350" 

Error:

fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "/Users/user1/.pyenv/versions/3.6.5/lib/python3.6/site-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is stronglyadvised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\n/Users/user1/.pyenv/versions/3.6.5/lib/python3.6/site-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\nTraceback (most recent call last):\n  File \"/Users/user1/.ansible/tmp/ansible-tmp-1546309813.406816-137183293061395/AnsiballZ_fortiosconfig.py\", line 113, in <module>\n    _ansiballz_main()\n  File \"/Users/user1/.ansible/tmp/ansible-tmp-1546309813.406816-137183293061395/AnsiballZ_fortiosconfig.py\", line 105, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/Users/user1/.ansible/tmp/ansible-tmp-1546309813.406816-137183293061395/AnsiballZ_fortiosconfig.py\", line 48, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/Users/user1/.pyenv/versions/3.6.5/lib/python3.6/imp.py\", line 235, in load_module\n    return load_source(name, filename, file)\n  File \"/Users/user1/.pyenv/versions/3.6.5/lib/python3.6/imp.py\", line 170, in load_source\n    module = _exec(spec, sys.modules[name])\n  File \"<frozen importlib._bootstrap>\", line 618, in _exec\n  File \"<frozen importlib._bootstrap_external>\", line 678, in exec_module\n  File \"<frozen importlib._bootstrap>\", line 219, in _call_with_frames_removed\n  File \"/var/folders/6k/19krd1hx19x54m6s_6d3v51r0000gq/T/ansible_fortiosconfig_payload_sglg06m3/__main__.py\", line 845, in <module>\n  File 
\"/var/folders/6k/19krd1hx19x54m6s_6d3v51r0000gq/T/ansible_fortiosconfig_payload_sglg06m3/__main__.py\", line 833, in main\n  File \"/var/folders/6k/19krd1hx19x54m6s_6d3v51r0000gq/T/ansible_fortiosconfig_payload_sglg06m3/__main__.py\", line 587, in fortigate_config_del\n  File \"/Users/user1/.pyenv/versions/3.6.5/lib/python3.6/site-packages/fortiosapi/fortiosapi.py\", line 329, in schema\n    url = self.cmdb_url(path, name) + \"?action=schema\"\nTypeError: cmdb_url() missing 1 required positional argument: 'vdom'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
        to retry, use: --limit @/Users/user1/Google Drive/Scripts/Gaia/gaia-util-Azure-Sandbox/gaia-util/tf-azure/40ansible/fortigate_remove_gaia_vpn_azure.retry

error message when using the ssh action

I'm trying to run some commands through SSH, and it looks like I get the correct result. However, when I turn on debug in Ansible, it says:

err": "<paramiko.ChannelFile from <paramiko.Channel 0 (closed) -> <paramiko.Transport at 0xb89cd860 (unconnected)>>>

Is this err expected, since it's just paramiko saying the connection is closed, or is it a bug?

Feature Request: fortiosconfig to execute rename actions

I've reviewed the code of fortiosconfig.py and the ansible_fgt_modules and I can't find an example of a rename action.

From the CLI you can do

config firewall address
    rename hosta to hostb
end

Is it possible to do something like this with the API?

Please separate the library from the examples

Hi,

Would it be possible for you to separate the library into a git sub-module, so I can just consume the submodule in my roles and playbooks, without needing the examples?

Here's an example of where I've done the same thing in another project:

https://github.com/e-and-cs/k5-skeleton-infrastructure has a submodule for the library to https://github.com/mohclips/k5-ansible-modules/tree/5cf49d5ad9f73f412ca6d7cc78596573167cc087

Happy to advise if further advice is required!

Forward slash '/' cannot be used in object names

The character forward slash '/' cannot be used in object names, for example:

address_subnet:
  - name: 'test-10.0.0.1/32'
    subnet: '10.0.0.1 255.255.255.255'

When using the literal '/', it is treated as a URL separator, which makes the API PUT request fail with HTTP 400. See also the httpsd debug log and packet capture:
slash-literal.txt
slash-literal.zip

When encoding the '/' as '%2F', the API PUT and POST requests actually go through, but the object is created with '%2F' in its name instead of '/'. See also the httpsd debug log and packet capture:
slash-encoded.txt
slash-encoded.zip

This may potentially be a bug at the fortiosapi level; I can raise it there if you confirm that it lies with that project.

"Unsupported parameters for (fortios_config) module:

Hey man! Thanks for the great work compiling the Ansible module for the FortiGate FW!

I tried to run fortigate_mix.yml and met with the following errors:
"msg": "Unsupported parameters for (fortios_config) module: action,config,config_parameters,https Supported parameters include: backup,backup_filename,backup_path,config_file,file_mode,filter,host,password,src,timeout,username,vdom"
}
Please advise on how I can resolve these errors, as I'm new to Ansible.
Thank you in advance!
Cheers!

fortiosconfig - using "log.memory setting"?

Working with @JonTheNiceGuy on Fortigate Playbooks:

I have built a FortiGate NGFW - Single VM on Azure using the marketplace and selecting the "BYOL 6.0.3" model.

I then execute the following playbook:
# RESTful API to Azure
- hosts: localhost
  gather_facts: true

  # Global Vars declaration
  vars:
    host1: "<removed>:8443"
    username: "<removed>"
    password: "<removed>"
    vdom: "root"
    https: "true"

  tasks:
  # This module was developed by Fortinet to configure all aspects of all aspects of fortinet pro$
  # https://github.com/fortinet-solutions-cse/40ansible
  # Here, it configures the local memory and local disk logging of the firewallit similar to exis$
  - name: configures local memory logging
    fortiosconfig:
      action: "set"
      host: "{{ host1 }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{vdom}}"
      config: "log.memory setting"
      config_parameters:
        status: "disable"
The verbose output from the failure step is as follows:

TASK [configures local memory logging] *****************************************
task path: /home/tohillm/playbooks/AF-1137-FW-locallog-Mgmt/AF-1137-FW-locallog-Mgmt-part1.yml:49
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: tohillm
<127.0.0.1> EXEC /bin/sh -c 'echo ~tohillm && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446 `" && echo ansible-tmp-1549365329.73-215581636446446="` echo /home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446 `" ) && sleep 0'
Using module file /home/tohillm/playbooks/AF-1137-FW-locallog-Mgmt/library/fortiosconfig.py
<127.0.0.1> PUT /home/tohillm/.ansible/tmp/ansible-local-535168S05J/tmpXp4CD9 TO /home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/AnsiballZ_fortiosconfig.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/ /home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/AnsiballZ_fortiosconfig.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python2 /home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/AnsiballZ_fortiosconfig.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/AnsiballZ_fortiosconfig.py", line 113, in <module>
    _ansiballz_main()
  File "/home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/AnsiballZ_fortiosconfig.py", line 105, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/AnsiballZ_fortiosconfig.py", line 48, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File "/tmp/ansible_fortiosconfig_payload_CUwU8c/__main__.py", line 859, in <module>
  File "/tmp/ansible_fortiosconfig_payload_CUwU8c/__main__.py", line 847, in main
  File "/tmp/ansible_fortiosconfig_payload_CUwU8c/__main__.py", line 519, in fortigate_config_set
  File "/tmp/ansible_fortiosconfig_payload_CUwU8c/__main__.py", line 469, in login
  File "/usr/lib/python2.7/site-packages/fortiosapi/fortiosapi.py", line 118, in login
    data='username=' + username + '&secretkey=' + password + "&ajax=1")
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 507, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', error(101, 'Network is unreachable'))

fatal: [localhost]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File "/home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/AnsiballZ_fortiosconfig.py", line 113, in \n _ansiballz_main()\n File "/home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/AnsiballZ_fortiosconfig.py", line 105, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/home/tohillm/.ansible/tmp/ansible-tmp-1549365329.73-215581636446446/AnsiballZ_fortiosconfig.py", line 48, in invoke_module\n imp.load_module('main', mod, module, MOD_DESC)\n File "/tmp/ansible_fortiosconfig_payload_CUwU8c/main.py", line 859, in \n File "/tmp/ansible_fortiosconfig_payload_CUwU8c/main.py", line 847, in main\n File "/tmp/ansible_fortiosconfig_payload_CUwU8c/main.py", line 519, in fortigate_config_set\n File "/tmp/ansible_fortiosconfig_payload_CUwU8c/main.py", line 469, in login\n File "/usr/lib/python2.7/site-packages/fortiosapi/fortiosapi.py", line 118, in login\n data='username=' + username + '&secretkey=' + password + "&ajax=1")\n File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 507, in post\n return self.request('POST', url, data=data, json=json, **kwargs)\n File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request\n resp = self.send(prep, **send_kwargs)\n File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send\n r = adapter.send(request, **kwargs)\n File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 415, in send\n raise ConnectionError(err, request=request)\nrequests.exceptions.ConnectionError: ('Connection aborted.', error(101, 'Network is unreachable'))\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
to retry, use: --limit @/home/tohillm/playbooks/AF-1137-FW-locallog-Mgmt/AF-1137-FW-locallog-Mgmt-part1.retry

PLAY RECAP *********************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1

Can anyone give me advice as to what I am doing wrong?
Thanks, Mark

Request for mkey usage in examples

I am using the following tasks to configure snmp communities on a virtual fortigate appliance:

---
- name: Get community
  connection: local
  fortiosconfig:
    https: False
    action: "get"
    host:  "{{ fw_vars['ip'] }}"
    username: "{{ fw_username }}"
    password: "{{ fw_password }}"
    config: "system.snmp community"
  register: config

- debug:
    var: config

- name: Edit community 1
  connection: local
  fortiosconfig:
    https: False
    action: "set"
    host:  "{{ fw_vars['ip'] }}"
    username: "{{ fw_username }}"
    password: "{{ fw_password }}"
    config: "system.snmp community"
    mkey: 1
    config_parameters:
      name: "{{ fw_vars['ans_snmp_ro'] }}"

I have manually created two entries in the snmp community table. On the appliance side of things I can see the following:

config system snmp community
    edit 1
        set name "test"
    next
    edit 2
        set name "number 2"
    next
end

And from the Ansible debug statement I see:

ok: [localhost] => {
    "config": {
        "changed": false,
        "failed": false,
        "meta": {
            "results": [
                {
                    "events": "cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down per-cpu-high",
                    "hosts": [],
                    "hosts6": [],
                    "id": 1,
                    "name": "test",
                    "q_origin_key": 1,
                    "query-v1-port": 161,
                    "query-v1-status": "enable",
                    "query-v2c-port": 161,
                    "query-v2c-status": "enable",
                    "status": "enable",
                    "trap-v1-lport": 162,
                    "trap-v1-rport": 162,
                    "trap-v1-status": "enable",
                    "trap-v2c-lport": 162,
                    "trap-v2c-rport": 162,
                    "trap-v2c-status": "enable"
                },
                {
                    "events": "cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down per-cpu-high",
                    "hosts": [],
                    "hosts6": [],
                    "id": 2,
                    "name": "number 2",
                    "q_origin_key": 2,
                    "query-v1-port": 161,
                    "query-v1-status": "enable",
                    "query-v2c-port": 161,
                    "query-v2c-status": "enable",
                    "status": "enable",
                    "trap-v1-lport": 162,
                    "trap-v1-rport": 162,
                    "trap-v1-status": "enable",
                    "trap-v2c-lport": 162,
                    "trap-v2c-rport": 162,
                    "trap-v2c-status": "enable"
                }
            ],
            "status": "success",
            "version": "v6.0.3"
        }
    }
}

I would ideally like to edit one of the entries, and based on the FortiOS API reference doc I read, I figured that specifying the mkey would be the same as referencing the id. Here I'm trying to change the name of the first entry from "test" to the variable fw_vars['ans_snmp_ro']; however, I get the following error on the Edit Community 1 task:
File \"/usr/local/lib/python2.7/dist-packages/fortiosapi/fortiosapi.py\", line 440, in set\n mkey = self.get_mkey(path, name, data, vdom=vdom)\n File \"/usr/local/lib/python2.7/dist-packages/fortiosapi/fortiosapi.py\", line 259, in get_mkey\n LOG.warning(\"mkey %s not set in the data\", mkey)\nUnboundLocalError: local variable 'mkey' referenced before assignment\n"

However, when I do not try to use the mkey and instead add the line id: 1 under the config_parameters section, the module does what I expect it to (change the name of the entry).

I'm not sure what the mkey value is functionally used for. I tried looking through the examples but I do not see any that use that parameter. If someone could add an example on how to use that parameter that would probably clear up my confusion on what it actually does. Thanks!

limited choice for monitor API

Hi,

I'm trying to use this module in Ansible to do network automation for our FortiGate. I found there is a monitor action choice, and I read the source code for the monitor action. It looks like it will just use fortiosAPI to do a monitor API call.

When I use the following playbook

- name: fortios license information
  fortiosconfig:
    action: "monitor"
    host: "{{ inventory_hostname }}"
    username: "{{ hostvars[inventory_hostname].remote_user }}"
    password: "{{ hostvars[inventory_hostname].ansible_ssh_pass }}"
    config: "license/status select"

It tells me that I can only use the ones in the available conf. I went through AVAL_CONF; it looks like it's more about using some common CMDB APIs.

Is the monitor action function unfinished, or am I using it in the wrong way?

btw:

I used fortiOSAPI to test my code, and it works fine.

(screenshot)

After deleting the check for the config, I can get the result from the FortiGate. You might want to keep the check for the other actions, but at least not for the monitor API.

(screenshot)

No JSON object could be decoded

- hosts: localhost
  vars_files:
   - /home/centos/ansible/40ansible/vars/main.yml
  gather_facts: no
  tasks:
   - name: backup system config
     fortiosconfig:
       config: "system config backup"
       action: "backup"
       host:  "{{ host }}"
       username: "{{ username }}"
       password: "{{ password }}"
       vdom: "global"
       config_parameters:
        filename: "backup_config_001"

Error:

<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1544694017.59-81219007331767 `" && echo ansible-tmp-1544694017.59-81219007331767="` echo /root/.ansible/tmp/ansible-tmp-1544694017.59-81219007331767 `" ) && sleep 0'
Using module file /home/centos/ansible/40ansible/library/fortiosconfig.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-4545fKpH0J/tmpWKs7jH TO /root/.ansible/tmp/ansible-tmp-1544694017.59-81219007331767/AnsiballZ_fortiosconfig.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1544694017.59-81219007331767/ /root/.ansible/tmp/ansible-tmp-1544694017.59-81219007331767/AnsiballZ_fortiosconfig.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python2 /root/.ansible/tmp/ansible-tmp-1544694017.59-81219007331767/AnsiballZ_fortiosconfig.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1544694017.59-81219007331767/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1544694017.59-81219007331767/AnsiballZ_fortiosconfig.py", line 113, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1544694017.59-81219007331767/AnsiballZ_fortiosconfig.py", line 105, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1544694017.59-81219007331767/AnsiballZ_fortiosconfig.py", line 48, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File "/tmp/ansible_fortiosconfig_payload_417Zzw/__main__.py", line 845, in <module>
  File "/tmp/ansible_fortiosconfig_payload_417Zzw/__main__.py", line 833, in main
  File "/tmp/ansible_fortiosconfig_payload_417Zzw/__main__.py", line 720, in fortigate_config_backup
  File "/usr/lib/python2.7/site-packages/fortiosapi/fortiosapi.py", line 191, in monitor
    return self.formatresponse(res, vdom=vdom)
  File "/usr/lib/python2.7/site-packages/fortiosapi/fortiosapi.py", line 87, in formatresponse
    resp = json.loads(res.content.decode('utf-8'))[0]
  File "/usr/lib64/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python2.7/json/decoder.py", line 384, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: No JSON object could be decoded
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1544692684.03-2  7946625238735/AnsiballZ_fortiosconfig.py\", line 113, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1544692684.03-27946625238735/  AnsiballZ_fortiosconfig.py\", line 105, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp  -1544692684.03-27946625238735/AnsiballZ_fortiosconfig.py\", line 48, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/tmp/an  sible_fortiosconfig_payload_WnNTvM/__main__.py\", line 845, in <module>\n  File \"/tmp/ansible_fortiosconfig_payload_WnNTvM/__main__.py\", line 833, in main\n    File \"/tmp/ansible_fortiosconfig_payload_WnNTvM/__main__.py\", line 720, in fortigate_config_backup\n  File \"/usr/lib/python2.7/site-packages/fortiosapi/for  tiosapi.py\", line 191, in monitor\n    return self.formatresponse(res, vdom=vdom)\n  File \"/usr/lib/python2.7/site-packages/fortiosapi/fortiosapi.py\", line   91, in formatresponse\n    resp = json.loads(res.content.decode('utf-8'))\n  File \"/usr/lib64/python2.7/json/__init__.py\", line 338, in loads\n    return _de  fault_decoder.decode(s)\n  File \"/usr/lib64/python2.7/json/decoder.py\", line 366, in decode\n    obj, end = self.raw_decode(s, idx=_w(s, 0).end())\n  File \"  /usr/lib64/python2.7/json/decoder.py\", line 384, in raw_decode\n    raise ValueError(\"No JSON object could be decoded\")\nValueError: No JSON object could be   decoded\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
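The traceback above fails inside fortiosapi's formatresponse because json.loads is applied to the backup response, and a configuration backup is not a JSON document. As an added example (not code from 40ansible or fortiosapi), the helper below inspects a response body before decoding it, keeps a configuration backup as text, passes real API JSON through, and reports anything else rather than raising. The '#config-version=' header it checks for is the first line of a FortiOS configuration file; the sample bodies in the demo are constructed.

```python
"""Classify a FortiOS REST response body before JSON-decoding it.

Added example for this page, not code from 40ansible or fortiosapi.
The sample bodies in the demo at the bottom are constructed.
"""
import json


def decode_api_body(body: bytes, content_type: str = "") -> dict:
    """Return {'kind': 'json'|'text'|'invalid', ...} for a response body.

    A body is treated as JSON when the Content-Type says so or it starts
    with '{' or '['; anything else is returned as text unchanged.
    """
    text = body.decode("utf-8", errors="replace")
    first = text.lstrip()[:1]
    looks_json = "json" in content_type.lower() or first in ("{", "[")
    if looks_json:
        try:
            return {"kind": "json", "data": json.loads(text)}
        except ValueError as exc:
            # Declared as JSON but not parseable: keep the raw body for diagnosis.
            return {"kind": "invalid", "error": str(exc), "raw": text}
    return {"kind": "text", "data": text}


def is_fortios_backup(text: str) -> bool:
    """FortiOS configuration backups begin with a '#config-version=' line."""
    return text.lstrip().startswith("#config-version=")


def handle_backup_response(body: bytes, content_type: str = "") -> dict:
    """What a backup action should do with the body: store the config as
    text, pass API JSON through, and surface anything else as an error."""
    decoded = decode_api_body(body, content_type)
    if decoded["kind"] == "text" and is_fortios_backup(decoded["data"]):
        return {"status": "success", "backup": decoded["data"]}
    if decoded["kind"] == "json":
        return {"status": "api-json", "data": decoded["data"]}
    return {"status": "error", "detail": decoded}


if __name__ == "__main__":
    # Constructed sample bodies: a backup, an API JSON reply, and a login page.
    BACKUP = (b"#config-version=FGVM64-6.0.3-FW-build0000-000000:opmode=0:vdom=0\n"
              b"config system global\n    set hostname \"lab-fw\"\nend\n")
    API_JSON = b'[{"status": "success", "version": "v6.0.3"}]'
    HTML = b"<html><body>login</body></html>"
    for body, ctype in ((BACKUP, "text/plain"), (API_JSON, "application/json"), (HTML, "text/html")):
        print(handle_backup_response(body, ctype)["status"])
```

Storing the text body on the Ansible host is what the "Unsupported parameters" issue below asks about; the helper returns it under the "backup" key so the caller can write it to a file instead of handing it to a JSON-only code path.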

Upload license to multiple fortigates

Hello,

I wanted to know whether it is possible to load multiple licenses onto multiple FortiGates using the fortigate_upload_license.yml playbook.

Say I have a folder of licenses and wanted to deploy the licenses across multiple VMs.

Any ideas would be great.

Thanks

Make a global value on vdom

In multi-vdom mode, the url needs to change to ?global=1 when global is the target ...

vdom=global can be used, as naming a vdom "global" is forbidden

"Unsupported parameters for (fortios_config) module: #43

Duplicate of:
"Unsupported parameters for (fortios_config) module: #43

using example playbook https://github.com/fortinet-solutions-cse/40ansible/blob/master/examples/fortigate_backup_config.yml, receive this error.

Ansible 2.9.1. I ran declare -x ANSIBLE_LIBRARY=/etc/ansible/library (all files from the 40ansible/library folder were copied into it).

I'm also not entirely clear where this backup config would be placed if this worked; does it store it locally on the FortiGate? Our goal is to copy it to the Ansible host (and then store it in a Bitbucket repo).

msg: error in repo on playbook run

Hello,

I am receiving the following error when running a playbook to create a VIP on an FG-VM-64.

fatal: [th-lab-fgvm64]: FAILED! => {"changed": false, "meta": {"http_status": 500, "status": "error"}, "msg": "Error in repo"}

The playbook is as follows:

-  name: Set vip on the fortigate
   gather_facts: false
   connection: local
   hosts: all   
   tasks:
     - fortiosconfig:
         action: "set"
         host:  "172.16.31.254"
         username: "admin"
         password: ""
         config: "firewall vip"
         config_parameters:
           name: "vip-1"
           extip: "1.1.1.1"
           mappedip: "10.10.10.10"
           type: "static"
           extintf: "any"

I have confirmed that the firewall is reachable from my Ansible machine, and that the credentials are correct. My pip list is below.

ansible (2.5.0)
asn1crypto (0.24.0)
bcrypt (3.1.4)
certifi (2018.1.18)
cffi (1.11.5)
chardet (3.0.4)
cryptography (2.2.2)
enum34 (1.1.6)
fortiosapi (0.9.91)
idna (2.6)
ipaddress (1.0.19)
Jinja2 (2.10)
MarkupSafe (1.0)
ntlm-auth (1.1.0)
paramiko (2.4.1)
pip (9.0.3)
pyasn1 (0.4.2)
pycparser (2.18)
pyfg (0.50)
PyNaCl (1.2.1)
pywinrm (0.3.0)
PyYAML (3.12)
requests (2.18.4)
requests-ntlm (1.1.0)
setuptools (33.1.1.post20170517)
six (1.11.0)
urllib3 (1.22)
xmltodict (0.11.0)

Thank you very much for your assistance.

advanced auth parameters ?

Hello,

Thanks for fortiosconfig module !

I am using fortigate_ssh.yml and I wonder if it is possible with fortiosconfig:

  • to authenticate with an SSH key instead of a password?
  • to specify an SSH port number (for example 12345) when it is not running on the standard port 22?

Regards

Nicolas

Encoding error while backup

Hello,
Good job about this helpful module.
Nevertheless, I get the error below during a backup task (FortiGate 3000D on v6.0.2).
"UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 690830: ordinal not in range(128)".
I can see the "Config system file has been downloaded by xxxx" event on the FGT, so the problem seems to occur during the file transfer or its writing.
Thanks for your help.
Regards
Patrice
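The UnicodeEncodeError reported above is the classic Python 2 write failure: the downloaded body is decoded to unicode and then written to a file opened without an encoding, so Python falls back to ASCII and aborts at the first non-ASCII character (u'\xe9' is 'é', common in comments and object names on French-configured devices). The FortiGate event confirms the download itself succeeded. The helper below is an added example, not the module's own code: it writes the backup with an explicit UTF-8 encoding and goes through a temporary file so a crash never leaves a truncated backup in place. The sample configuration is constructed.

```python
"""Added example, not the module's own code: write a downloaded FortiGate
configuration to disk with an explicit UTF-8 encoding (Python 3)."""
import os
import tempfile

# Constructed sample: a config fragment with a non-ASCII object name, as the
# bytes an HTTP client would hand back
SAMPLE_BACKUP = (
    "#config-version=FG3K0D-6.0.2:opmode=0\n"
    "config system global\n"
    "    set hostname \"FGT-Paris\"\n"
    "end\n"
    "config firewall address\n"
    "    edit \"réseau-interne\"\n"
    "        set subnet 10.0.0.0 255.255.255.0\n"
    "    next\n"
    "end\n"
).encode("utf-8")


def save_backup(content, path):
    """Decode content as UTF-8 and write it to path as UTF-8, atomically.

    Returns the number of characters written. Undecodable bytes become
    U+FFFD rather than aborting the backup, so a device that emits an
    unexpected encoding still produces a file (with visible markers).
    mkstemp() creates the temporary file with mode 0600, which is the right
    default for a file that carries the device's full configuration.
    """
    text = content.decode("utf-8", errors="replace") if isinstance(content, bytes) else content
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(prefix=".backup-", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8", newline="") as fh:
            written = fh.write(text)
        os.replace(tmp_path, path)  # atomic rename: readers see old or new, never half
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return written


def demo():
    """Round-trip the sample through a fresh temporary directory."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "backup", "fgt_paris.conf")
    written = save_backup(SAMPLE_BACKUP, target)
    with open(target, "r", encoding="utf-8", newline="") as fh:
        return written, fh.read()
```

The same fix in Python 2 is io.open(path, "w", encoding="utf-8"); the point in both cases is that the encoding is chosen by the code, not inherited from the locale of whatever host happens to run the playbook.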

How to change SSH connection port.

Hello,

I have customized SSH ports for my FortiGates; I'm wondering if I could change that. The playbook examples don't specify it.

Thank you.
FS

Backup_path for config backup

Hi all,

Is there a way to define the path where Ansible stores the FortiGate configuration files?

Best regards,

Unable to issue "system vmlicense upload" on Azure

I have built a FortiGate NGFW - Single VM on Azure using the marketplace and selecting the "BYOL 6.0.3" model. Following the build, I SSH in, and issue:

config system global
set admin-sport 443
end
exit

I then execute the following playbook:

---
- hosts: localhost
  vars:
    host_ip_address: 192.0.2.1
    host_user: someuser
    host_pass: 123_Somepass

  tasks:
  - name: Issue license
    fortiosconfig:
      host: "{{ host_ip_address }}"
      username: "{{ host_user }}"
      password: "{{ host_pass }}"
      vdom: "{{ host_vdom | default('root') }}"
      https: true
      config: system vmlicense upload
      action: upload
      config_parameters:
        filename: "./somefile.lic"

I get this as output:

(azure) vagrant@ubuntu:/HostHome/Documents/01 Projects - Ansible on Azure/Azure/2018-12-14_FGT_License$ ansible-playbook test.yml 
 [WARNING]: Unable to parse /etc/ansible/hosts as an inventory source

 [WARNING]: No inventory was parsed, only implicit localhost is available

 [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'


PLAY [localhost] ********************************************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************************
ok: [localhost]

TASK [Issue license] ****************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Exception: can not get following login
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/home/vagrant/.ansible/tmp/ansible-tmp-1545039137.76-129793567464365/AnsiballZ_fortiosconfig.py\", line 113, in <module>\n    _ansiballz_main()\n  File \"/home/vagrant/.ansible/tmp/ansible-tmp-1545039137.76-129793567464365/AnsiballZ_fortiosconfig.py\", line 105, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/vagrant/.ansible/tmp/ansible-tmp-1545039137.76-129793567464365/AnsiballZ_fortiosconfig.py\", line 48, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/tmp/ansible_fortiosconfig_payload_nSoxNj/__main__.py\", line 845, in <module>\n  File \"/tmp/ansible_fortiosconfig_payload_nSoxNj/__main__.py\", line 833, in main\n  File \"/tmp/ansible_fortiosconfig_payload_nSoxNj/__main__.py\", line 756, in fortigate_config_upload\n  File \"/tmp/ansible_fortiosconfig_payload_nSoxNj/__main__.py\", line 469, in login\n  File \"/home/spriggsj/azure/local/lib/python2.7/site-packages/fortiosapi/fortiosapi.py\", line 130, in login\n    raise Exception('can not get following login')\nException: can not get following login\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP **************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1

The verbose output from the failure step is as follows:

TASK [Issue license] ****************************************************************************************************************************************************
task path: /HostHome/Documents/01 Projects - Ansible on Azure/Azure/2018-12-14_FGT_License/test.yml:9
The full traceback is:
Traceback (most recent call last):
  File "/home/vagrant/.ansible/tmp/ansible-tmp-1545041674.57-132789405945393/AnsiballZ_fortiosconfig.py", line 113, in <module>
    _ansiballz_main()
  File "/home/vagrant/.ansible/tmp/ansible-tmp-1545041674.57-132789405945393/AnsiballZ_fortiosconfig.py", line 105, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/vagrant/.ansible/tmp/ansible-tmp-1545041674.57-132789405945393/AnsiballZ_fortiosconfig.py", line 48, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File "/tmp/ansible_fortiosconfig_payload_nLR_hv/__main__.py", line 845, in <module>
  File "/tmp/ansible_fortiosconfig_payload_nLR_hv/__main__.py", line 833, in main
  File "/tmp/ansible_fortiosconfig_payload_nLR_hv/__main__.py", line 756, in fortigate_config_upload
  File "/tmp/ansible_fortiosconfig_payload_nLR_hv/__main__.py", line 469, in login
  File "/home/spriggsj/azure/local/lib/python2.7/site-packages/fortiosapi/fortiosapi.py", line 130, in login
    raise Exception('can not get following login')
Exception: can not get following login

fatal: [localhost]: FAILED! => {
    "changed": false, 
    "module_stderr": "Traceback (most recent call last):\n  File \"/home/vagrant/.ansible/tmp/ansible-tmp-1545041674.57-132789405945393/AnsiballZ_fortiosconfig.py\", line 113, in <module>\n    _ansiballz_main()\n  File \"/home/vagrant/.ansible/tmp/ansible-tmp-1545041674.57-132789405945393/AnsiballZ_fortiosconfig.py\", line 105, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/vagrant/.ansible/tmp/ansible-tmp-1545041674.57-132789405945393/AnsiballZ_fortiosconfig.py\", line 48, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/tmp/ansible_fortiosconfig_payload_nLR_hv/__main__.py\", line 845, in <module>\n  File \"/tmp/ansible_fortiosconfig_payload_nLR_hv/__main__.py\", line 833, in main\n  File \"/tmp/ansible_fortiosconfig_payload_nLR_hv/__main__.py\", line 756, in fortigate_config_upload\n  File \"/tmp/ansible_fortiosconfig_payload_nLR_hv/__main__.py\", line 469, in login\n  File \"/home/spriggsj/azure/local/lib/python2.7/site-packages/fortiosapi/fortiosapi.py\", line 130, in login\n    raise Exception('can not get following login')\nException: can not get following login\n", 
    "module_stdout": "", 
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", 
    "rc": 1
}

Does this mean that because the license isn't valid at the time we try to make the API call, we're unable to use the API to deploy a license? Thanks!

ERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path.

Hi,

When trying to run this playbook:

- name: Backup current config
  hosts: all

  tasks:

  - name: backup system config
    fortiosconfig:
    config: "system config backup"
    action: "backup"
    config_parameters:
    filename: "backup_config_001"

The error below is shown:
ERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path.

The error appears to have been in '/etc/ansible/clients/firewalls/fortigate-firewall.yml': line 6, column 5, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

tasks:

- name: backup system config
  ^ here

Add support of custom API port

Hi, All
Could you please add support for custom API ports? In many production cases the admin API port is changed so as not to override the SSL VPN port.
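Two requests on this page call for the same piece of URL handling: "Make a global value on vdom" above (vdom=global has to become ?global=1, because a VDOM may not be named global) and this one (admin-sport is frequently moved off 443 so it does not collide with the SSL VPN port). The helpers below are an added example, not fortiosapi's own code; they build /api/v2/cmdb URLs that honour both. Hosts, ports and object names used here are constructed placeholders.

```python
"""Added example, not fortiosapi's own code: FortiOS REST URL builder that
honours a non-default admin port and the global/vdom scope."""
from urllib.parse import quote, urlencode

DEFAULT_PORT = {True: 443, False: 80}


def api_base(host, https=True, port=None):
    """scheme://host[:port], with the port omitted when it is the scheme default."""
    scheme = "https" if https else "http"
    if ":" in host and not host.startswith("["):
        host = "[%s]" % host  # a bare IPv6 literal needs brackets in a URL
    if port is None or int(port) == DEFAULT_PORT[https]:
        return "%s://%s" % (scheme, host)
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "%s://%s:%d" % (scheme, host, port)


def scope_params(vdom):
    """Map the module's vdom argument to the query parameter FortiOS expects."""
    if vdom is None:
        return {}
    if vdom.lower() == "global":
        return {"global": "1"}  # global scope is selected by ?global=1, not ?vdom=global
    return {"vdom": vdom}


def cmdb_url(host, path, name, vdom="root", https=True, port=None, mkey=None, **extra):
    """URL for /api/v2/cmdb/<path>/<name>[/<mkey>] with scope and extra query params.

    mkey is percent-encoded so an object name containing '/' or a space
    cannot alter the path.
    """
    url = "%s/api/v2/cmdb/%s/%s" % (api_base(host, https, port), path, name)
    if mkey is not None:
        url += "/" + quote(str(mkey), safe="")
    params = scope_params(vdom)
    params.update(extra)
    return url + ("?" + urlencode(params) if params else "")
```

A module-level port parameter would then be threaded into api_base(); keeping the default-port check there means playbooks that never set a port produce exactly the URLs they do today.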

error when restore from file ""error\":\"config_invalid_file\",\n \"config_restored\":false\"

Hi
I need help with this playbook

- hosts: localhost
  gather_facts: "false"
  connection: local
  vars:
  tasks:
  - name: system config restore
    fortiosconfig:
    config: "system config restore"
    action: "restore"
    host: "{{ host_master_config }}"
    username: "{{ username }}"
    password: "{{ password }}"
    vdom: "{{ vdom }}"
    https: True
    ssl_verify: False
    config_parameters:
    filename: "backup/backup_config_001"

---------------------------------------results ----------------------
[root@aut-server ansible-fortinet]# ansible-playbook test-main.yml -vvv
ansible-playbook 2.9.7
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
executable location = /usr/local/bin/ansible-playbook
python version = 3.6.8 (default, Aug 7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin

PLAYBOOK: test-main.yml ***********************************************************************************************************************************************************************************************
1 plays in test-main.yml

PLAY [localhost] ******************************************************************************************************************************************************************************************************
META: ran handlers

TASK [system config restore] ******************************************************************************************************************************************************************************************
task path: /root/ansible-fortinet/test-main.yml:6
<192.168.88.133> ESTABLISH LOCAL CONNECTION FOR USER: root
<192.168.88.133> EXEC /bin/sh -c 'echo ~root && sleep 0'
<192.168.88.133> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /root/.ansible/tmp"&& mkdir /root/.ansible/tmp/ansible-tmp-1587985203.5996234-114393-164317949494124 && echo ansible-tmp-1587985203.5996234-114393-164317949494124="echo /root/.ansible/tmp/ansible-tmp-1587985203.5996234-114393-164317949494124" ) && sleep 0'
Using module file /root/ansible-fortinet/library/fortiosconfig.py
<192.168.88.133> PUT /root/.ansible/tmp/ansible-local-11438557ynznlj/tmpjmnfz2eq TO /root/.ansible/tmp/ansible-tmp-1587985203.5996234-114393-164317949494124/AnsiballZ_fortiosconfig.py
<192.168.88.133> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1587985203.5996234-114393-164317949494124/ /root/.ansible/tmp/ansible-tmp-1587985203.5996234-114393-164317949494124/AnsiballZ_fortiosconfig.py && sleep 0'
<192.168.88.133> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1587985203.5996234-114393-164317949494124/AnsiballZ_fortiosconfig.py && sleep 0'
<192.168.88.133> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1587985203.5996234-114393-164317949494124/ > /dev/null 2>&1 && sleep 0'
changed: [localhost] => {
"changed": true,
"invocation": {
"module_args": {
"action": "restore",
"commands": null,
"config": "system config restore",
"config_parameters": {
"filename": "backup/backup_config_001"
},
"description": null,
"diff": false,
"host": "10.21.0.254",
"https": true,
"mkey": null,
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"ssl_verify": false,
"username": "ansible",
"vdom": "root"
}
},
"meta": {
"result": "[\n {\n \"http_method\":\"POST\",\n \"results\":{\n \"error\":\"config_invalid_file\",\n \"config_restored\":false\n },\n \"vdom\":\"root\",\n \"path\":\"system\",\n \"name\":\"config\",\n \"action\":\"restore\",\n \"status\":\"success\",\n \"serial\":\"FG100ETK18010651\",\n \"version\":\"v6.0.7\",\n \"build\":302\n }\n]",
"status": 200,
"version": "v6.0.7"
}
}
META: ran handlers
META: ran handlers

PLAY RECAP ************************************************************************************************************************************************************************************************************
localhost : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

[root@aut-server ansible-fortinet]#
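The run above has the dangerous shape: the task comes back changed=true with HTTP 200 and "status":"success", yet the nested results say "error":"config_invalid_file" and "config_restored":false, so the play finished green while nothing was restored. The checker below is an added example, not the module's own code; it reads the inner result and reports failure for exactly that case. The sample is constructed in the same shape as meta.result, with a placeholder serial number.

```python
"""Added example, not the module's own code: decide whether a
'system config restore' actually succeeded from the nested result."""
import json

# Constructed sample: meta as returned by the module, with result being a
# JSON document serialised into a string (serial is a placeholder)
FAILED_META = {
    "result": json.dumps([{
        "http_method": "POST",
        "results": {"error": "config_invalid_file", "config_restored": False},
        "vdom": "root",
        "path": "system",
        "name": "config",
        "action": "restore",
        "status": "success",
        "serial": "FGXXXXXXXXXXXXXX",
        "version": "v6.0.7",
        "build": 302,
    }]),
    "status": 200,
    "version": "v6.0.7",
}

# Constructed sample of a restore that did go through
GOOD_META = {
    "result": json.dumps([{"results": {"config_restored": True}, "status": "success"}]),
    "status": 200,
}


def restore_outcome(meta):
    """Return (ok, reason). ok is True only when every entry reports config_restored."""
    if meta.get("status") != 200:
        return False, "http status %s" % meta.get("status")
    raw = meta.get("result")
    try:
        entries = json.loads(raw) if isinstance(raw, str) else raw
    except ValueError:
        return False, "result is not JSON"
    if isinstance(entries, dict):
        entries = [entries]
    if not entries:
        return False, "empty result"
    for entry in entries:
        results = entry.get("results") or {}
        if results.get("error"):
            # The outer "status":"success" only says the request was accepted
            return False, results["error"]
        if results.get("config_restored") is not True:
            return False, "config_restored not reported"
    return True, "restored"
```

Until the module itself fails on this case, the playbook-side equivalent is to register the task and add a failed_when condition on result.meta.result containing "config_restored":false, so a rejected file stops the play instead of reporting a change.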

Login failed when trying to configure web filtering

I need to explicitly enable HTTP on fortigate interface in order to avoid "Connection timed out" error

- hosts: localhost
  vars_files:
   - /home/centos/ansible/40ansible/vars/main.yml

  gather_facts: no
  tasks:
   - name: Configure web content filtering in fortigate
     fortios_webfilter:
       host:  "{{  host }}"
       username: "{{  username}}"
       password: "{{ password }}"
       vdom:  "{{  vdom }}"
       webfilter_content:
         id: "1"
         name: "default"
         comment: ""
         entries:
           - name: "bet-online"
             pattern-type: "wildcard"
             status: "enable"
             lang: "western"
             score: 40
             action: "block"
           - name: "tv-.*online"
             pattern-type: "regexp"
             status: "enable"
             lang: "western"
             score: 42
             action: "block"
         state: "present"

Errors:

The full traceback is:
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1544708418.34-194837611454630/AnsiballZ_fortios_webfilter.py", line 113, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1544708418.34-194837611454630/AnsiballZ_fortios_webfilter.py", line 105, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1544708418.34-194837611454630/AnsiballZ_fortios_webfilter.py", line 48, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File "/tmp/ansible_fortios_webfilter_payload_QeJMZJ/__main__.py", line 548, in <module>
  File "/tmp/ansible_fortios_webfilter_payload_QeJMZJ/__main__.py", line 539, in main
  File "/tmp/ansible_fortios_webfilter_payload_QeJMZJ/__main__.py", line 459, in fortios_webfilter
  File "/usr/lib/python2.7/site-packages/fortiosapi/fortiosapi.py", line 127, in login
    raise Exception('login failed')
Exception: login failed

fatal: [localhost]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1544708418.34-194837611454630/AnsiballZ_fortios_webfilter.py\", line 113, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1544708418.34-194837611454630/AnsiballZ_fortios_webfilter.py\", line 105, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1544708418.34-194837611454630/AnsiballZ_fortios_webfilter.py\", line 48, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/tmp/ansible_fortios_webfilter_payload_QeJMZJ/__main__.py\", line 548, in <module>\n  File \"/tmp/ansible_fortios_webfilter_payload_QeJMZJ/__main__.py\", line 539, in main\n  File \"/tmp/ansible_fortios_webfilter_payload_QeJMZJ/__main__.py\", line 459, in fortios_webfilter\n  File \"/usr/lib/python2.7/site-packages/fortiosapi/fortiosapi.py\", line 127, in login\n    raise Exception('login failed')\nException: login failed\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}

CentOS 7

ansible 2.7.4
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /bin/ansible
python version = 2.7.5 (default, Oct 30 2018, 23:45:53) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

backup config per vdom

hi there

so I'm trying to back up the FortiGate configuration per vdom according to your example here:
fortios backup

however, the configuration backed up is always the full configuration of the firewall and not the one of the corresponding vdom.
On the other hand, if I set the vdom parameter to some non-existing one, the playbook fails, so it looks like the parameter is checked but does not invoke the correct backup command.

Am I doing something wrong?

Thanks.

Custom SSH Port

Hi,
Great module, I'm really enjoying it!
Would it be possible to add support for custom SSH ports (non 22)?

NotLogged error

Hello, I'm having trouble making this module work.
I've tried the fortigate_ssh.yml and it works like a charm.
But if I try another playbook it fails with this error.

ansible-playbook -vvv fortigate_backup_config.yml -i hosts
ansible-playbook 2.9.1
config file = /Users/user.name/Documents/Work/Network/ansible/ansible.cfg
configured module search path = ['/Users/user.name/Documents/Work/Network/ansible/ntc-ansible/library', '/Users/user.name/.ansible/plugins/modules', '/Users/user.name/Documents/Work/Dev/Ansible/textfsm/textfsm']
ansible python module location = /Users/user.name/anaconda2/envs/Ansible/lib/python3.7/site-packages/ansible
executable location = /Users/user.name/anaconda2/envs/Ansible/bin/ansible-playbook
python version = 3.7.4 (default, Aug 13 2019, 15:17:50) [Clang 4.0.1 (tags/RELEASE_401/final)]
Using /Users/user.name/Documents/Work/Network/ansible/ansible.cfg as config file
host_list declined parsing /Users/user.name/Documents/Work/Dev/Ansible/40ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
script declined parsing /Users/user.name/Documents/Work/Dev/Ansible/40ansible/hosts as it did not pass its verify_file() method
auto declined parsing /Users/user.name/Documents/Work/Dev/Ansible/40ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
yaml declined parsing /Users/user.name/Documents/Work/Dev/Ansible/40ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
ini declined parsing /Users/user.name/Documents/Work/Dev/Ansible/40ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
toml declined parsing /Users/user.name/Documents/Work/Dev/Ansible/40ansible/hosts as it did not pass its verify_file() method
[WARNING]: Unable to parse /Users/user.name/Documents/Work/Dev/Ansible/40ansible/hosts as an inventory source

[WARNING]: No inventory was parsed, only implicit localhost is available

[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAYBOOK: fortigate_backup_config.yml *********************************************************************************************************************************************************************
1 plays in fortigate_backup_config.yml

PLAY [localhost] ******************************************************************************************************************************************************************************************
META: ran handlers

TASK [Set static route on the fortigate] ******************************************************************************************************************************************************************
task path: /Users/user.name/Documents/Work/Dev/Ansible/40ansible/fortigate_backup_config.yml:40
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: user.name
<127.0.0.1> EXEC /bin/sh -c 'echo ~user.name && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /Users/user.name/.ansible/tmp/ansible-tmp-1578998634.726859-108948252877310" && echo ansible-tmp-1578998634.726859-108948252877310="echo /Users/user.name/.ansible/tmp/ansible-tmp-1578998634.726859-108948252877310" ) && sleep 0'
Using module file /Users/user.name/Documents/Work/Dev/Ansible/40ansible/library/fortiosconfig.py
<127.0.0.1> PUT /Users/user.name/.ansible/tmp/ansible-local-58103cafufrkx/tmp97p0_yhg TO /Users/user.name/.ansible/tmp/ansible-tmp-1578998634.726859-108948252877310/AnsiballZ_fortiosconfig.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /Users/user.name/.ansible/tmp/ansible-tmp-1578998634.726859-108948252877310/ /Users/user.name/.ansible/tmp/ansible-tmp-1578998634.726859-108948252877310/AnsiballZ_fortiosconfig.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/Users/user.name/anaconda2/envs/Ansible/bin/python /Users/user.name/.ansible/tmp/ansible-tmp-1578998634.726859-108948252877310/AnsiballZ_fortiosconfig.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /Users/user.name/.ansible/tmp/ansible-tmp-1578998634.726859-108948252877310/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
"changed": false,
"module_stderr": "/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning,\n/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning,\n/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning,\nTraceback (most recent call last):\n  File \"/Users/user.name/.ansible/tmp/ansible-tmp-1578998634.726859-108948252877310/AnsiballZ_fortiosconfig.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/Users/user.name/.ansible/tmp/ansible-tmp-1578998634.726859-108948252877310/AnsiballZ_fortiosconfig.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/Users/user.name/.ansible/tmp/ansible-tmp-1578998634.726859-108948252877310/AnsiballZ_fortiosconfig.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible.modules.fortiosconfig', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/var/folders/2/05fdldc10392hfr9f__zlrdh000_y7/T/ansible_fortiosconfig_payload_e_ehzfk0/ansible_fortiosconfig_payload.zip/ansible/modules/fortiosconfig.py\", line 948, in <module>\n  File \"/var/folders/2/05fdldc10392hfr9f__zlrdh000_y7/T/ansible_fortiosconfig_payload_e_ehzfk0/ansible_fortiosconfig_payload.zip/ansible/modules/fortiosconfig.py\", line 936, in main\n  File \"/var/folders/2/05fdldc10392hfr9f__zlrdh000_y7/T/ansible_fortiosconfig_payload_e_ehzfk0/ansible_fortiosconfig_payload.zip/ansible/modules/fortiosconfig.py\", line 575, in fortigate_set\n  File \"/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/site-packages/fortiosapi/fortiosapi.py\", line 417, in set\n    mkey = self.get_mkey(path, name, data, vdom=vdom)\n  File \"/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/site-packages/fortiosapi/fortiosapi.py\", line 228, in get_mkey\n    keyname = self.get_mkeyname(path, name, vdom)\n  File \"/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/site-packages/fortiosapi/fortiosapi.py\", line 217, in get_mkeyname\n    schema = self.schema(path, name, vdom=vdom)\n  File \"/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/site-packages/fortiosapi/fortiosapi.py\", line 317, in schema\n    url = self.cmdb_url(path, name, vdom=vdom) + \"&action=schema\"\n  File \"/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/site-packages/fortiosapi/fortiosapi.py\", line 252, in cmdb_url\n    self.check_session()\n  File \"/Users/user.name/anaconda2/envs/Ansible/lib/python3.7/site-packages/fortiosapi/fortiosapi.py\", line 126, in check_session\n    raise NotLogged()\nfortiosapi.exceptions.NotLogged: Not logged on a session, please login.\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}

PLAY RECAP ************************************************************************************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
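Two posts on this page reach for the weak transport setting: the web filtering one above enables plain HTTP on the FortiGate interface to get past a timeout, and this run has ssl_verify off and gets three InsecureRequestWarning lines from urllib3 before the real error. In both cases the admin credentials travel without the server's identity being checked. The validator below is an added example, not the project's own code; it takes the same https and ssl_verify flags the module accepts, refuses the insecure combinations unless the caller opts in, and returns the verify value a requests-based client would use (True, or a CA bundle path for a device signed by a private CA). allow_insecure and ca_bundle are names invented for this example; hosts are constructed placeholders.

```python
"""Added example, not the project's own code: vet the connection settings a
playbook hands to the FortiOS module before any login is attempted."""
import os
import tempfile


class InsecureTransport(ValueError):
    """Raised when the requested settings would expose admin credentials."""


def vet_connection(host, https=True, ssl_verify=True, ca_bundle=None, allow_insecure=False):
    """Return {'host', 'https', 'verify', 'warnings'} or raise InsecureTransport.

    verify follows the requests convention: True (system trust store),
    a path to a CA bundle, or False (no verification, only with allow_insecure).
    """
    problems = []
    if not https:
        problems.append("https disabled: credentials would be sent in clear text")
    if not ssl_verify:
        problems.append("ssl_verify disabled: server identity is not checked")
    if ca_bundle is not None and not os.path.isfile(ca_bundle):
        raise InsecureTransport("ca_bundle %r does not exist" % ca_bundle)
    if problems and not allow_insecure:
        raise InsecureTransport("; ".join(problems))
    if https and ssl_verify:
        verify = ca_bundle if ca_bundle else True
    else:
        verify = False  # reached only when the caller explicitly allowed it
    return {"host": host, "https": https, "verify": verify, "warnings": problems}


def is_rejected(**settings):
    """True when vet_connection() refuses the settings."""
    try:
        vet_connection(**settings)
    except InsecureTransport:
        return True
    return False


def demo_private_ca():
    """Show the pinned-CA form using a throwaway (empty) bundle file."""
    fd, bundle = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    return vet_connection("192.0.2.1", ca_bundle=bundle)["verify"] == bundle


# The two shapes side by side: what the posts used, and the hardened form
WEAK = dict(host="192.0.2.1", https=False, ssl_verify=False)
HARDENED = dict(host="192.0.2.1", https=True, ssl_verify=True)
```

For a FortiGate with a self-signed certificate the durable fix is to install a certificate issued by a CA the Ansible host trusts, or to export the device certificate and hand its path in as the CA bundle; turning ssl_verify off silences the warning without removing the exposure.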

json: in firewall policy ..

A better handling of the json: format for policy rules (i.e. not visible to the user) could be done with a couple of case switches.
