vpseg

Basics of Automating FortiGate Appliance with Ansible

Hello,

I am attempting to get started with automating FortiGate appliances with Ansible. However, I haven't gotten a single playbook to work in hours. Please see below for details.

vpseg # ansible-playbook --version
ansible-playbook [core 2.11.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/vpseg/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/vpseg/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/vpseg/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/vpseg/.local/bin/ansible-playbook
  python version = 3.9.5 (default, Jun 7 2021, 14:12:53) [GCC 8.3.0]
  jinja version = 3.0.1
  libyaml = True

vpseg # cat /etc/ansible/hosts
[FGT-VM]
192.168.201.12

vpseg # cat main.yml

- name: Ansible Refresh
  hosts: FGT-VM
  collections:
    - fortinet.fortios
  gather_facts: false
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: no
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 80
    token: "5gckH1njsmftowq4jnpgscHzGHHrsr"
    ansible_network_os: fortios

  tasks:
    - name: Get facts
      fortios_system_dns_server:
        vdom: "{{ vdom }}"
        access_token: "{{ token }}"
        state: "present"
        system_dns_server:
            name: "default_name_6 (source system.interface.name)"
            doh: "enable"

The goal at this point is to make it do anything but error out.

I've created an admin profile via the CLI like so:

config system accprofile
    edit "API_RW"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
end

I created my API user via the CLI like so:

config system api-user
    edit "provision"
        set accprofile "API_RW"
        set vdom "root"
    next
end

And I copy-pasted the token produced by the following command into my playbook:

execute api-user generate-key provision

But it doesn't work:

vpseg # ansible-playbook main.yml 
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details

PLAY [Ansible Refresh] ********************************************************************************************************

TASK [Get facts] **************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: Invalid access token. Please check
[DEPRECATION WARNING]: Distribution debian 10.10 on host 192.168.201.12 should use /usr/bin/python3, but is using
/usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to using the
discovered platform python for this host. See
https://docs.ansible.com/ansible/2.11/reference_appendices/interpreter_discovery.html for more information. This feature will
be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [192.168.201.12]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 100, in <module>\n _ansiballz_main()\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 92, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 41, in invoke_module\n run_name='__main__', alter_sys=True)\n File \"/usr/lib/python2.7/runpy.py\", line 188, in run_module\n fname, loader, pkg_name)\n File \"/usr/lib/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/usr/lib/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_fortios_system_dns_server_payload_tfjgS3/ansible_fortios_system_dns_server_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_dns_server.py\", line 497, in <module>\n File \"/tmp/ansible_fortios_system_dns_server_payload_tfjgS3/ansible_fortios_system_dns_server_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_dns_server.py\", line 474, in main\n File \"/tmp/ansible_fortios_system_dns_server_payload

PLAY RECAP ********************************************************************************************************************
192.168.201.12 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

Any ideas?
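For contrast, here is the same play rewritten the way a reviewer would hand it back. This is an added example, not code from the original post or from the fortinet.fortios collection documentation. It assumes the inventory group has been renamed to `fgt_vm` (the hyphen in `FGT-VM` is what triggers the "Invalid characters were found in group names" warning), that the API key is exported on the controller as `FGT_API_TOKEN` rather than written into the playbook, that `port1` is an interface that exists on the target FortiGate, and that the installed collection provides `fortios_configuration_fact` with the `system_global` selector (check your collection version):

```yaml
---
# Added example: the original play with its transport and credential handling corrected.
# Assumptions (not from the original post): inventory group fgt_vm, API key in the
# environment variable FGT_API_TOKEN, interface port1, fortios_configuration_fact available.
- name: Ansible Refresh
  hosts: fgt_vm                    # hyphen-free group name, so no "Invalid characters" warning
  gather_facts: false
  connection: httpapi
  collections:
    - fortinet.fortios
  vars:
    ansible_network_os: fortios
    # The traceback in the original run shows the module executing under
    # /usr/lib/python2.7; pin the interpreter so the module runs under Python 3.
    ansible_python_interpreter: /usr/bin/python3
    vdom: root

    # Weak settings from the original play, kept here only for comparison:
    #   ansible_httpapi_use_ssl: no          -> API key sent in cleartext over HTTP
    #   ansible_httpapi_validate_certs: no   -> any server can impersonate the FortiGate
    #   ansible_httpapi_port: 80
    #   token: "<literal key in the playbook>"  -> credential lands in version control
    #
    # Corrected: the key is a bearer credential, so it travels only over TLS, the
    # server certificate is checked, and the key is read from the environment.
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
    token: "{{ lookup('env', 'FGT_API_TOKEN') }}"

  tasks:
    # Read-only call first: a bad key fails here, before any configuration is touched.
    - name: Read system global settings to verify the token
      fortios_configuration_fact:
        vdom: "{{ vdom }}"
        access_token: "{{ token }}"
        selector: system_global     # assumed selector name; see your collection docs
      register: fgt_global

    - name: Show what the API returned
      debug:
        var: fgt_global

    # The change the original play attempted, with a real interface name instead of
    # the documentation placeholder "default_name_6 (source system.interface.name)".
    - name: Enable DNS over HTTPS on port1
      fortios_system_dns_server:
        vdom: "{{ vdom }}"
        access_token: "{{ token }}"
        state: present
        system_dns_server:
          name: port1               # assumed interface name on the target FortiGate
          doh: enable
```

Two caveats when running this. `validate_certs: true` only succeeds once the FortiGate presents a certificate the controller trusts; with the factory self-signed certificate you will have to install a CA-issued one (or, on an isolated lab box only, set it to `false`, but never combined with `use_ssl: no`). And each run of `execute api-user generate-key provision` issues a new key and invalidates the previous one, so the value in `FGT_API_TOKEN` must be the output of the most recent run. Restricting the API user with a `config trusthost` entry to the controller's address, and trimming the `API_RW` profile to the groups the playbook actually changes, limits what a leaked key can do.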

1 REPLY
fricci_FTNT
Staff

Hi @vpseg,

The links below may help:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Application-of-Ansible-on-FortiGate/ta-p/2...
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/index.html

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.