Fortinet Forum
rwpatterson
Valued Contributor III

Has anyone successfully used Ansible with their Fortigates?

I have just finished an Ansible class for my job (switches and such) and was trying to connect with my Fortigate. No Bueno! Anyone have any luck using Ansible to connect to their Fortigate?

Thanks in advance.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

Yes. Have you confirmed that ssh & https access is available from the managed node to the fortigate? I would pull up a cli and do a test run.

e.g.

ssh username@fgt.ipv4

curl -v -k https://<fgt address>

Ensure, if trusthost is being used, that it is not blocking the access.

Ken Felix
PCNSE
NSE
StrongSwan

rwpatterson
Valued Contributor III

Been there, done that. I can get in from the CLI. Maybe I just can't write a proper playbook. Do you have an example that would, say, get me the contents of the 'system' 'interfaces' area?


emnoc
Esteemed Contributor III

Basic playbook for status collecting against my hosts in fgtwest. You need to ensure the creds are correct, which I assume you did.

=====ensure you have the proper indexing ======

- hosts: localhost
  vars:
    host: "fgtwest"
    username: "fgtadmin"
    password: "fgtpassword1234"
    vdom: "root"
    ssl_verify: "no"
  tasks:
    - name: basic system status f
      fortios_facts:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        ssl_verify: "{{ ssl_verify }}"   # pass the var through; otherwise the module keeps its default certificate check
        gather_subset:
          - fact: 'system_status_select'


rwpatterson
Valued Contributor III

OK. There is something missing in my install...

TASK [basic system status f] ********************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "fortiosapi module is required"}

I updated the latest from the Galaxy.


emnoc
Esteemed Contributor III

So after you updated ansible-galaxy what error are you getting?

You might also need to modify your host entry with the following:

e.g.

[fgt]
x.x.x.x    ansible_user=<ansible-username-account-on-fgt>

I would also enable "set admin-scp enable" under the fortigate global settings and copy the ssh-key to that named account also. To confirm ansible has hit the fgt, do a "get system admin list"; you should see an ssh login from the control_node. Dump your playbook here when you get a chance.


rwpatterson
Valued Contributor III

---
- name: Get Fortinet 'system' 'Interface' information
  hosts: localhost
  vars:
    host: "192.168.xx.xx"
    username: "xxxxx"
    password: "xxxxx"
    vdom: "root"
    ssl_verify: "no"
  tasks:
    - name: basic system status f
      fortios_facts:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        ssl_verify: "{{ ssl_verify }}"   # pass the var through so the self-signed cert does not block the call
        gather_subset:
          - fact: 'system_status_select'

Not sure how to move the SSL cert over. That may be most of the issue.


rwpatterson
Valued Contributor III

OK, after running 'show full sys adm <admin>', I see where to add the key, now how do I get it from CentOS?


rwpatterson
Valued Contributor III

OK, Dr. Google helped me out in getting the key moved over. Still the same error. I'm done for today. A full week of 8 hour days learning this. My brain needs a break.

*** Addition. I created a new key without a passphrase and now the login is seamless (no password required). Error persists. Tomorrow is another day. Damn CentOS 7.


emnoc
Esteemed Contributor III

What I do is go to my ansible account dir and cd to .ssh. You should have a pub key that ends in id_rsa.pub. Copy that pub key and paste it in with " " strings for the ansible user.

e.g.

config system admin
    edit "ansible"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgqzF+K7qevH8xe9LQyiuSD794R1mmzVNAe8BfiREx3MXYgR+6gbskKwgQ7SoyS66Zw32qoojasFVwPipmU1j3NYch8ErCa3n2EgO4LLw8Y08aG8RdOhz0ZEa0NetjS7C7vScEBRmVPQitF0TpYaYVGpCirsPLHMZl9zfMMDDYzlA+PiuENUULY0wEKAH0xD1zLRWNtdAI/nFzEeOIUBCQNkbmNhip4d5FGiDMzbWof522hA3WG9IzS8XLm85H48it3NwgwK6g8vzSw1sAbxriQDn5N3tfG8+c3LukZzXJZ086TQuRCh28tnPH1FCWcgHsR3eiDgOi6UcSbNOsYbOj ansible@socpuppets.com"
        set password ENC SH23eab+MFSXJSuzKbTOGTRppllTNqklpULhers2FWVWbGXZ99vXQv1kyKIA1E=
    next
end

Now if you ssh from the control_node you should gain access. 

Now run your playbook but call out debug, e.g.

  ansible-playbook --syntax-check <yourplaybookname.yml>

  ansible-playbook --check <yourplaybookname.yml>

  ANSIBLE_DEBUG=1 ansible-playbook <yourplaybookname.yml>

If you are successful, "get system admin list" will show your control_node logged in. Another trick that we do, which is simple, is to make API calls, but we use ansible plays to gather status. We run this off a linux host in the org that grabs the status. This is how we test ansible using the uri module, check that the fortigate is up, and check connectivity to the fgt.

 I would do something like that if you want to test ansible before calling up the fortios specific modules.

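One way to do the uri-module reachability test Ken describes, as an added example that is not from this thread: it assumes a REST API admin (api-user) already exists on the FortiGate, that its token is supplied in the FGT_TOKEN environment variable, and that the fgt_host value is a placeholder for your own unit.

```yaml
---
# Added example (not from the thread): check that the FortiGate answers on its
# REST API with the plain uri module before calling any fortios_* modules.
# Assumptions: an api-user admin exists on the FortiGate, its token is in the
# FGT_TOKEN environment variable, and fgt_host is a placeholder address.
- name: Check that the FortiGate answers on its REST API
  hosts: localhost
  gather_facts: false
  vars:
    fgt_host: "192.168.xx.xx"                          # placeholder, replace with your FortiGate
    fgt_token: "{{ lookup('env', 'FGT_TOKEN') }}"      # API token, never hard-code it in the play
    fgt_validate_certs: false                          # self-signed lab cert; set to true once the CA is trusted
  tasks:
    - name: GET /api/v2/monitor/system/status
      uri:
        url: "https://{{ fgt_host }}/api/v2/monitor/system/status"
        method: GET
        headers:
          Authorization: "Bearer {{ fgt_token }}"
        validate_certs: "{{ fgt_validate_certs }}"
        return_content: true       # needed so the parsed body lands in fgt_status.json
        status_code: 200           # anything else (401 bad token, timeout, trusthost block) fails the play
        timeout: 10
      register: fgt_status
      no_log: true                 # keep the bearer token out of the run output

    - name: Show the hostname and version the FortiGate reported
      debug:
        msg: "{{ fgt_status.json.results.hostname }} runs {{ fgt_status.json.version }}"
```

A successful run proves HTTPS reachability, the admin token and any trusthost restriction all at once; if it fails, fix those before debugging fortios_facts.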