Hello,
I am attempting to get started with automating FortiGate appliances with Ansible. However, I haven't gotten a single playbook to work in hours. Please see below for details.
vpseg # ansible-playbook --version
ansible-playbook [core 2.11.2]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/vpseg/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/vpseg/.local/lib/python3.9/site-packages/ansible
ansible collection location = /home/vpseg/.ansible/collections:/usr/share/ansible/collections
executable location = /home/vpseg/.local/bin/ansible-playbook
python version = 3.9.5 (default, Jun 7 2021, 14:12:53) [GCC 8.3.0]
jinja version = 3.0.1
libyaml = True
vpseg # cat /etc/ansible/hosts
[FGT-VM]
192.168.201.12
vpseg # cat main.yml
- name: Ansible Refresh
  hosts: FGT-VM
  collections:
    - fortinet.fortios
  gather_facts: false
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: no
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 80
    token: "5gckH1njsmftowq4jnpgscHzGHHrsr"
    ansible_network_os: fortios
  tasks:
    - name: Get facts
      fortios_system_dns_server:
        vdom: "{{ vdom }}"
        access_token: "{{ token }}"
        state: "present"
        system_dns_server:
          name: "default_name_6 (source system.interface.name)"
          doh: "enable"
The goal at this point is to make it do anything but error out.
I've created an admin profile via the CLI like so:
config system accprofile
    edit "API_RW"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
end
I created my API user via the CLI like so:
config system api-user
    edit "provision"
        set accprofile "API_RW"
        set vdom "root"
    next
end
And I copy-pasted the token printed by the following command into my playbook:
execute api-user generate-key provision
But it doesn't work:
vpseg # ansible-playbook main.yml
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
PLAY [Ansible Refresh] ********************************************************************************************************
TASK [Get facts] **************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: Invalid access token. Please check
[DEPRECATION WARNING]: Distribution debian 10.10 on host 192.168.201.12 should use /usr/bin/python3, but is using
/usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to using the
discovered platform python for this host. See
https://docs.ansible.com/ansible/2.11/reference_appendices/interpreter_discovery.html for more information. This feature will
be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [192.168.201.12]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 100, in <module>\n _ansiballz_main()\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 92, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/vpseg/.ansible/tmp/ansible-local-11388hfrpgmdc/ansible-tmp-1626279999.6774726-11392-183100790235632/AnsiballZ_fortios_system_dns_server.py\", line 41, in invoke_module\n run_name='__main__', alter_sys=True)\n File \"/usr/lib/python2.7/runpy.py\", line 188, in run_module\n fname, loader, pkg_name)\n File \"/usr/lib/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/usr/lib/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_fortios_system_dns_server_payload_tfjgS3/ansible_fortios_system_dns_server_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_dns_server.py\", line 497, in <module>\n File \"/tmp/ansible_fortios_system_dns_server_payload_tfjgS3/ansible_fortios_system_dns_server_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_dns_server.py\", line 474, in main\n File \"/tmp/ansible_fortios_system_dns_server_payload
PLAY RECAP ********************************************************************************************************************
192.168.201.12 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Any ideas?
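As an added example (not the poster's playbook and not Fortinet's own code), here is the same task with the credential handling hardened: the API token lives in an Ansible Vault-encrypted variable instead of the playbook text, and the httpapi connection uses HTTPS with certificate validation. It assumes a vault file group_vars/FGT-VM/vault.yml (created with ansible-vault create) that defines fortigate_api_token, that the FortiGate admin HTTPS port is 443, and that "port1" is the interface name.

```yaml
# Added example: hardened variant of the poster's play.
# Assumptions: group_vars/FGT-VM/vault.yml (vault-encrypted) defines
# fortigate_api_token; admin HTTPS listens on 443; "port1" exists.
- name: DNS server entry over a hardened httpapi connection
  hosts: FGT-VM
  collections:
    - fortinet.fortios
  gather_facts: false
  connection: httpapi
  vars:
    vdom: "root"
    ansible_network_os: fortios
    # TLS on, certificate checked: the token is a bearer secret and must not
    # cross the wire in clear text or to an unverified endpoint. The FortiGate
    # certificate (or its issuing CA) has to be trusted by the controller.
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: yes
    ansible_httpapi_port: 443
    # No "token:" literal here; fortigate_api_token is loaded from the
    # vault-encrypted group_vars file, so the playbook can be committed safely.
  tasks:
    - name: Ensure DNS server entry on port1 with DoH enabled
      fortios_system_dns_server:
        vdom: "{{ vdom }}"
        access_token: "{{ fortigate_api_token }}"
        state: "present"
        system_dns_server:
          name: "port1"
          doh: "enable"
      # Keeps module arguments (including the token) out of -vvv output and
      # logs; drop it temporarily if you need the full error detail.
      no_log: true
```

Run it with ansible-playbook --ask-vault-pass main.yml (or a vault password file) so the encrypted variable can be decrypted at run time.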
Hi @vpseg,
The links below may help:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Application-of-Ansible-on-FortiGate/ta-p/2...
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/index.html
Best regards,