Skip to main content
void
void
New Member
June 19, 2018
Solved

Fortimanager vs Ansible

  • June 19, 2018
  • 3 replies
  • 12251 views

Hello guys,

 

I was trying trying to automate some tasks with Ansible module for FortiManager (https://github.com/networktocode/fortimanager-ansible), but stucked and need your help. 

My playbook successfully gets information from FMG and locks ADOMs, but I can't perform any changes because I get this kind of error:

failed: [192.168.1.1] (item={u'bpm': u'12345', u'name': u'Customer1', u'addr': u'1.1.1.1'}) => {"changed": false, "fortimanager_response": {"result": [{"status": {"code": -10147, "message": "no write permission"}, "url": "/pm/config/adom/IBB/obj/firewall/address"}]}, "item": {"addr": "1.1.1.1", "bpm": "12345", "name": "Customer1"}, "msg": "Unable to Apply Config"}

My user has all necessary permissions:

 

FortiMgmt.dn.ukr # show system admin user ansible

config system admin user

    edit "ansible"

        set password ENC bla-bla-bla

        set profileid "Super_User"

            set adom "all_adoms"            

            set policy-package "all_policy_packages"            

        set description "Ansible"

            config meta-data

                edit "Contact Email"

                    set fieldvalue "123@abcde.com"

                next

                edit "Contact Phone"

                    set fieldvalue "+123"

                next

            end

set rpc-permit read-write

I'm on 5.4.4. Thanks for your help.

Best answer by awelsh_FTNT

Hi,

 

What are you trying to do with this Ansible module?  Are you using workspace mode?

 

Thanks,

Andrew

3 replies

awelsh_FTNT
Staff
awelsh_FTNTAnswer
Staff
June 19, 2018

Hi,

 

What are you trying to do with this Ansible module?  Are you using workspace mode?

 

Thanks,

Andrew

void
voidAuthor
New Member
June 20, 2018

I'm trying to update create New Address Object:


- name: "CREATE: New address objects"
  fortimgr_address:
    host: "{{ inventory_hostname }}"
    username: "{{ username }}"
    password: "{{ password }}"
    adom: "IBB"
    lock: False
    address_type: ipmask
    network_address: "{{ item.addr }}"
    network_mask: "255.255.255.255"
    address_name: "EXT_SIP_TLS_{{ item.name }}"
    comment: "BPM {{ item.bpm }}"
  with_items: "{{ customer }}"

 

 

void
voidAuthor
New Member
June 20, 2018

So, I've captured session_id from fortimgr_lock module and send it to the fortimgr_address module:

    

    - name: "LOCK: IBB FW"
      fortimgr_lock:
        host: "{{ inventory_hostname }}"
        username: "{{ username }}"
        password: "{{ password }}"
        lock: True
        adom: "IBB"
      register: ibb_lock_log
    - debug: var=ibb_lock_log["session_id"]

    - name: "CREATE: New address objects"
      fortimgr_address:
        host: "{{ inventory_hostname }}"
        username: "{{ username }}"
        password: "{{ password }}"
        adom: "IBB"
        lock: False
        session_id: ibb_lock_log["session_id"]
        address_type: ipmask
        network_address: "{{ item.addr }}"
        network_mask: "255.255.255.255"
        address_name: "EXT_SIP_TLS_{{ item.name }}"
        comment: "BPM {{ item.bpm }}"
      with_items: "{{ customer }}"
      register: create_address_obj_log
    - debug: var=create_address_obj_log

 

Now I'm getting another error:

TASK [CREATE: New address objects] *****************************************************************************************************************************************
failed: [192.168.21.99] (item={u'bpm': u'12345', u'name': u'Customer1', u'addr': u'1.1.1.1'}) => {"changed": false, "fortimanager_response": {"result": [{"status": {"code": -11, "message": "No permission for the resource"}, "url": "/pm/config/adom/IBB/obj/firewall/address"}]}, "item": {"addr": "1.1.1.1", "bpm": "12345", "name": "Customer1"}, "msg": "Unable to Apply Config"}

awelsh_FTNT
Staff
awelsh_FTNT
Staff
June 20, 2018

Hi Void,

 

I have run into this issue before when using workspace mode.  When you see the message "No permission for the resource", it means that the FortiManager is already locked and you can't access that object.  You first have to have the global/ADOM unlocked and then lock is for your session in Ansible.  

 

For the "fortimgr_lock" module, is it logging the user out before calling the "fortimgr_address" module?

 

Please let me know if you have any more questions.  I've wrestled with Ansible and the FortiManager before.

 

Thanks,

Andrew

void
voidAuthor
New Member
June 21, 2018

Finally I've found the solution. fortimgr_lock module locks ADOM and returns session_id, which must be used in other modules:

    - name: "LOCK: IBB FW"
      fortimgr_lock:
        host: "{{ inventory_hostname }}"
        username: "{{ username }}"
        password: "{{ password }}"
        lock: True
        adom: "IBB"
      register: ibb_lock
    - name: "SET: session ID for IBB FW"
      set_fact:
        ibb_session_id: "{{ ibb_lock.session_id }}"
    - name: "CREATE: address objects on IBB FW"
      fortimgr_address:
        host: "{{ inventory_hostname }}"
        username: "{{ username }}"
        password: "{{ password }}"
        adom: "IBB"
        session_id: "{{ ibb_session_id }}"
        state: present
        address_type: ipmask
        network_address: "{{ item.addr }}"
        network_mask: "255.255.255.255"
        address_name: "EXT_SIP_TLS_{{ item.name }}"
        comment: "BPM {{ item.bpm }}"
      with_items: "{{ customer }}"

Terms & ConditionsAccessibility statement