Basics of Automating FortiGate Appliance with Ansible
Hello,
I am attempting to get started with automating FortiGate appliances with Ansible. However, I haven't gotten a single playbook to work in hours. Please see below for details.
vpseg # ansible-playbook --version
ansible-playbook [core 2.11.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/vpseg/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/vpseg/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/vpseg/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/vpseg/.local/bin/ansible-playbook
  python version = 3.9.5 (default, Jun 7 2021, 14:12:53) [GCC 8.3.0]
  jinja version = 3.0.1
  libyaml = True
vpseg # cat /etc/ansible/hosts
[FGT-VM]
192.168.201.12
vpseg # cat main.yml
- name: Ansible Refresh
  hosts: FGT-VM
  collections:
    - fortinet.fortios
  gather_facts: false
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: no
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 80
    token: "5gckH1njsmftowq4jnpgscHzGHHrsr"
    ansible_network_os: fortios
  tasks:
    - name: Get facts
      fortios_system_dns_server:
        vdom: "{{ vdom }}"
        access_token: "{{ token }}"
        state: "present"
        system_dns_server:
          name: "default_name_6 (source system.interface.name)"
          doh: "enable"
The goal at this point is to make it do anything but error out.
I've created an admin profile via the CLI like so:
config system accprofile
    edit "API_RW"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
end
I created my API user via the CLI like so:
config system api-user
    edit "provision"
        set accprofile "API_RW"
        set vdom "root"
    next
end
And I copy-pasted the token in the following command to my playbook:
execute api-user generate-key provision
But it doesn't work:
vpseg # ansible-playbook main.yml
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
PLAY [Ansible Refresh] ********************************************************************************************************
TASK [Get facts] **************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: Invalid access token. Please check
[DEPRECATION WARNING]: Distribution debian 10.10 on host 192.168.201.12 should use /usr/bin/python3, but is using
/usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to using the
discovered platform python for this host. See
https://docs.ansible.com/ansible/2.11/reference_appendices/interpreter_discovery.html for more information. This feature will
be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [192.168.201.12]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 100, in <module>\n _ansiballz_main()\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 92, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 41, in invoke_module\n run_name='__main__', alter_sys=True)\n File \"/usr/lib/python2.7/runpy.py\", line 188, in run_module\n fname, loader, pkg_name)\n File \"/usr/lib/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/usr/lib/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_fortios_system_dns_server_payload_tfjgS3/ansible_fortios_system_dns_server_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_dns_server.py\", line 497, in <module>\n File \"/tmp/ansible_fortios_system_dns_server_payload_tfjgS3/ansible_fortios_system_dns_server_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_dns_server.py\", line 474, in main\n File \"/tmp/ansible_fortios_system_dns_server_payload
PLAY RECAP ********************************************************************************************************************
192.168.201.12 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Any ideas?
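Independently of the token error, the playbook above stores a long-lived FortiOS API key in clear text in the playbook file and sends it to the firewall over plain HTTP on port 80 with certificate validation switched off. The following script is an added example, not code from the thread or from the fortinet.fortios collection: it lints the loaded playbook structure (mirrored here as Python data, the way a YAML loader would return it; the token value and the FORTIOS_ACCESS_TOKEN environment variable name are constructed placeholders) and flags a literal credential, disabled TLS, disabled certificate validation and the plaintext port, while accepting a token that comes from a Jinja lookup or an Ansible Vault string.

```python
"""Lint a FortiOS httpapi playbook for plaintext credentials and disabled TLS.

Added example, not part of the original thread. The playbook data below is
constructed to mirror the structure of the one posted above.
"""
import re

# Keys whose values must never be literal secrets inside a playbook.
SECRET_KEYS = {"token", "access_token", "ansible_password", "ansible_httpapi_pass"}
# A value that is a Jinja expression (e.g. an env or vault lookup) is acceptable.
JINJA_EXPR = re.compile(r"^\s*\{\{.*\}\}\s*$", re.S)
# An inline Ansible Vault blob is encrypted at rest and is acceptable too.
VAULT_HEADER = re.compile(r"^\s*\$ANSIBLE_VAULT;")

# Mirrors the posted playbook: YAML `no` loads as False. Token is a placeholder.
INSECURE_PLAYBOOK = [
    {
        "name": "Ansible Refresh",
        "hosts": "FGT-VM",
        "collections": ["fortinet.fortios"],
        "gather_facts": False,
        "connection": "httpapi",
        "vars": {
            "vdom": "root",
            "ansible_httpapi_use_ssl": False,
            "ansible_httpapi_validate_certs": False,
            "ansible_httpapi_port": 80,
            "token": "EXAMPLEPLACEHOLDERTOKEN000000a",  # constructed, not a real key
            "ansible_network_os": "fortios",
        },
        "tasks": [
            {
                "name": "Get facts",
                "fortios_system_dns_server": {
                    "vdom": "{{ vdom }}",
                    "access_token": "{{ token }}",
                    "state": "present",
                },
            }
        ],
    }
]

# Same play with TLS on, certificates checked and the token read from the
# environment at run time (env var name FORTIOS_ACCESS_TOKEN is hypothetical).
HARDENED_PLAYBOOK = [
    {
        **INSECURE_PLAYBOOK[0],
        "vars": {
            **INSECURE_PLAYBOOK[0]["vars"],
            "ansible_httpapi_use_ssl": True,
            "ansible_httpapi_validate_certs": True,
            "ansible_httpapi_port": 443,
            "token": "{{ lookup('env', 'FORTIOS_ACCESS_TOKEN') }}",
        },
    }
]


def _is_false(value):
    """YAML booleans may survive as Python False or as strings such as 'no'."""
    if value is False:
        return True
    return isinstance(value, str) and value.strip().lower() in {"no", "false", "off", "0"}


def _walk(node, path=""):
    """Yield (path, leaf) for every scalar in a nested dict/list structure."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            yield from _walk(child, f"{path}[{idx}]")
    else:
        yield path, node


def lint_playbook(playbook):
    """Return a list of 'path: problem' strings; empty means nothing was flagged."""
    findings = []
    for path, value in _walk(playbook):
        # Last path segment is the key name; strip a trailing list index.
        key = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])
        if key in SECRET_KEYS and isinstance(value, str):
            if not JINJA_EXPR.match(value) and not VAULT_HEADER.match(value):
                findings.append(f"{path}: literal credential stored in the playbook")
        elif key == "ansible_httpapi_use_ssl" and _is_false(value):
            findings.append(f"{path}: TLS disabled, API token travels in clear text")
        elif key == "ansible_httpapi_validate_certs" and _is_false(value):
            findings.append(f"{path}: certificate validation disabled (MITM possible)")
        elif key == "ansible_httpapi_port" and value in (80, "80"):
            findings.append(f"{path}: plaintext HTTP port")
    return findings


if __name__ == "__main__":
    for label, book in (("insecure", INSECURE_PLAYBOOK), ("hardened", HARDENED_PLAYBOOK)):
        print(f"{label}: {lint_playbook(book) or 'no findings'}")
```

Run as a pre-commit hook on the loaded playbook, the insecure variant produces four findings under `[0].vars` and the hardened variant none; a `{{ lookup('env', ...) }}` or vault-encrypted token is accepted because the secret is no longer written into the file.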
Hi @vpseg,
The links below may help:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Application-of-Ansible-on-FortiGate/ta-p/2...
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/index.html
Best regards,
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Hello,
Did you find a solution?
I'm having the same error output:
The error was: ansible.module_utils.connection.ConnectionError: Invalid access token. Please check
I'm using the basic example in this same forum:
Technical Tip: Application of Ansible on FortiGate
... my API token has been correctly copy/pasted.
Best regards,
Just a thought, it may be a bug. I am trying to do the same thing. I can run playbooks on a FortiGate running the most current version of 7.2. If I use the exact same process for a FortiGate running the most current version of 7.4, it fails. I'm probably going to send a ticket in for it tomorrow.
Many thanks for the reply. Indeed it's the case: maybe a bug or maybe the Ansible library needs an update.
I'll keep in touch with latest news :)
Hello,
I got rid of the token issue just by updating Ansible and the Ansible Galaxy FortiOS collection to their latest versions.
Best regards.
