Hello,
I am attempting to get started with automating FortiGate appliances with Ansible. However, I haven't gotten a single playbook to work in hours. Please see below for details.
vpseg # ansible-playbook --version
ansible-playbook [core 2.11.2]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/vpseg/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/vpseg/.local/lib/python3.9/site-packages/ansible
ansible collection location = /home/vpseg/.ansible/collections:/usr/share/ansible/collections
executable location = /home/vpseg/.local/bin/ansible-playbook
python version = 3.9.5 (default, Jun 7 2021, 14:12:53) [GCC 8.3.0]
jinja version = 3.0.1
libyaml = True
vpseg # cat /etc/ansible/hosts
[FGT-VM]
192.168.201.12
vpseg # cat main.yml
- name: Ansible Refresh
  hosts: FGT-VM
  collections:
    - fortinet.fortios
  gather_facts: false
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: no
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 80
    token: "5gckH1njsmftowq4jnpgscHzGHHrsr"
    ansible_network_os: fortios
  tasks:
    - name: Get facts
      fortios_system_dns_server:
        vdom: "{{ vdom }}"
        access_token: "{{ token }}"
        state: "present"
        system_dns_server:
          name: "default_name_6 (source system.interface.name)"
          doh: "enable"
The goal at this point is to make it do anything but error out.
I've created an admin profile via the CLI like so:
config system accprofile
    edit "API_RW"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
end
I created my API user via the CLI like so:
config system api-user
    edit "provision"
        set accprofile "API_RW"
        set vdom "root"
    next
end
And I copy-pasted the token generated by the following command into my playbook:
execute api-user generate-key provision
But it doesn't work:
vpseg # ansible-playbook main.yml
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
PLAY [Ansible Refresh] ********************************************************************************************************
TASK [Get facts] **************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: Invalid access token. Please check
[DEPRECATION WARNING]: Distribution debian 10.10 on host 192.168.201.12 should use /usr/bin/python3, but is using
/usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to using the
discovered platform python for this host. See
https://docs.ansible.com/ansible/2.11/reference_appendices/interpreter_discovery.html for more information. This feature will
be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [192.168.201.12]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 100, in <module>\n _ansiballz_main()\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 92, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 41, in invoke_module\n run_name='__main__', alter_sys=True)\n File \"/usr/lib/python2.7/runpy.py\", line 188, in run_module\n fname, loader, pkg_name)\n File \"/usr/lib/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/usr/lib/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_fortios_system_dns_server_payload_tfjgS3/ansible_fortios_system_dns_server_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_dns_server.py\", line 497, in <module>\n File \"/tmp/ansible_fortios_system_dns_server_payload_tfjgS3/ansible_fortios_system_dns_server_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_dns_server.py\", line 474, in main\n File \"/tmp/ansible_fortios_system_dns_server_payload
PLAY RECAP ********************************************************************************************************************
192.168.201.12 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Any ideas?
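To separate an Ansible-side problem from a token or access-profile problem, the following probe talks to the FortiGate REST API directly using only Python's standard library. It is an added example, not code from this thread or from the fortinet.fortios collection. The function names, the FGT_API_TOKEN environment variable and the 30-character key heuristic are the example's own, and it assumes the FortiOS REST API conventions spelled out in its docstring (cmdb paths under /api/v2/cmdb, the ?vdom= parameter, the Bearer authorization header, and 401 meaning the token was rejected versus 403 meaning the profile lacks permission). Unlike the posted playbook, it sends the token over HTTPS with certificate validation left on and reads the key from the environment instead of a plaintext variable in the playbook.

```python
"""Check a FortiGate API token directly against the REST API, outside Ansible.

Added example, not code from the thread or from the fortinet.fortios collection.
Assumptions (FortiOS REST API conventions as understood by the author of this
example): configuration objects are read under /api/v2/cmdb/<path>, the VDOM is
selected with the ?vdom= query parameter, the token is accepted in an
"Authorization: Bearer <token>" header, and the device answers 401 when the
token itself is rejected and 403 when the token is valid but the api-user's
accprofile lacks permission for the requested object.
"""
import json
import os
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ACCEPTED = "token accepted"
TOKEN_REJECTED = "token rejected"
PERMISSION_DENIED = "token accepted, accprofile lacks permission"
UNEXPECTED = "unexpected response"


def normalize_token(raw):
    """Strip whitespace and quotes that tend to ride along when a key is
    copy-pasted out of a CLI session into a playbook or an env file."""
    return raw.strip().strip('"').strip("'")


def looks_like_generated_key(token):
    """Shape check only. The key shown in this thread is 30 alphanumeric
    characters; that is an observation, not a documented format, so a failure
    here means "inspect the paste", not "the key is invalid"."""
    return len(token) == 30 and token.isalnum()


def build_request(host, token, path="system/dns", vdom="root", port=443):
    """Return (url, headers) for a read-only GET.

    The token travels in a header rather than the URL, so it does not land in
    proxy or web-server access logs, and the scheme is HTTPS so it is not sent
    in cleartext (the posted playbook used plain HTTP on port 80)."""
    if not host or not token:
        raise ValueError("host and token are required")
    query = urllib.parse.urlencode({"vdom": vdom})
    url = f"https://{host}:{port}/api/v2/cmdb/{path}?{query}"
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    }
    return url, headers


def classify_status(status):
    """Map an HTTP status to a verdict about the token (assumed FortiOS
    mapping, see module docstring)."""
    if status == 200:
        return TOKEN_ACCEPTED
    if status == 401:
        return TOKEN_REJECTED
    if status == 403:
        return PERMISSION_DENIED
    return UNEXPECTED


def probe(host, token, vdom="root", port=443, cafile=None, timeout=10):
    """Perform the GET and return (verdict, http_status, parsed_body_or_None).

    Certificate validation stays on; pass cafile= for a self-signed or internal
    CA instead of disabling verification."""
    url, headers = build_request(host, token, vdom=vdom, port=port)
    context = ssl.create_default_context(cafile=cafile)
    request = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(request, context=context, timeout=timeout) as resp:
            return classify_status(resp.status), resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return classify_status(err.code), err.code, None


if __name__ == "__main__":
    # usage: FGT_API_TOKEN=<key> python3 fgt_token_probe.py <host> [vdom] [cafile]
    if len(sys.argv) < 2 or "FGT_API_TOKEN" not in os.environ:
        sys.exit("usage: FGT_API_TOKEN=<key> fgt_token_probe.py <host> [vdom] [cafile]")
    key = normalize_token(os.environ["FGT_API_TOKEN"])
    if not looks_like_generated_key(key):
        print("warning: key is not 30 alphanumeric characters; check the paste", file=sys.stderr)
    verdict, status, body = probe(
        sys.argv[1],
        key,
        vdom=sys.argv[2] if len(sys.argv) > 2 else "root",
        cafile=sys.argv[3] if len(sys.argv) > 3 else None,
    )
    print(f"HTTP {status}: {verdict}")
    if body is not None:
        print(json.dumps(body, indent=2)[:2000])
```

Reading the verdict: a 200 means the key and profile are fine and the fault lies on the Ansible side (collection version, connection variables); a 401 points at the key itself, and since FortiOS issues one key per api-user, running execute api-user generate-key again replaces the previous key, so any older copy stops working; a 403 points at the accprofile rather than the key.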
Hi @vpseg,
The links below may help:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Application-of-Ansible-on-FortiGate/ta-p/2...
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/index.html
Best regards,
Hello,
did you find a solution?
I'm having the same error output:
The error was: ansible.module_utils.connection.ConnectionError: Invalid access token. Please check
I'm using the basic example in this same forum:
Technical Tip: Application of Ansible on FortiGate
... my API token has been correctly copy-pasted.
Best regards,
Just a thought, it may be a bug. I am trying to do the same thing. I can run playbooks on a FortiGate running the most current version of 7.2. If I use the exact same process for a FortiGate running the most current version of 7.4, it fails. I'm probably going to send a ticket in for it tomorrow.
Many thanks for the reply. Indeed it's the case: maybe a bug or maybe the Ansible library needs an update.
I'll keep in touch with latest news :)
Hello,
I got rid of the token issue just by updating Ansible and the Ansible Galaxy FortiOS collection to their latest versions.
Best regards.