I have just finished an Ansible class for my job (switches and such) and was trying to connect with my Fortigate. No Bueno! Anyone have any luck using Ansible to connect to their Fortigate?
Thanks in advance.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Yes. Have you confirmed that ssh & https access is available from the managed node to the fortigate? I would pull up a cli and do a test run.
e.g
curl -v -k https://<fgt address>
Ensure if trusthost is being used that this is not blocking the access.
Ken Felix
PCNSE
NSE
StrongSwan
Been there, done that. I can get in from the CLI. Maybe I just can't write a proper playbook. Do you have an example that would say get me the contents of the 'system' 'interfaces' area?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
basic play book for status collecting against my hosts in fgtwest . You need to ensure the creds are correct which I assume you did .
=====ensure you have the proper indexing ======
- hosts: localhost
  vars:
    host: "fgtwest"
    username: "fgtadmin"
    password: "fgtpassword1234"
    vdom: "root"
    ssl_verify: "no"
  tasks:
  - name: basic system status f
    fortios_facts:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      gather_subset:
      - fact: 'system_status_select'
Ken Felix
PCNSE
NSE
StrongSwan
OK. There is something missing in my install...
TASK [basic system status f] ********************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "fortiosapi module is required"}
I updated the latest from the Galaxy.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
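Editor's note on the "fortiosapi module is required" failure above: that message comes from the fortios_facts module itself when the Python package `fortiosapi` cannot be imported by the interpreter that executes the module, which for the implicit localhost is the interpreter Ansible runs under, not necessarily the `python` first on $PATH. Updating content from Galaxy does not install Python dependencies. The script below is an added example (not from the thread or from Fortinet) that reads the interpreter from `ansible --version` output and checks whether a module imports there; the sample version text is constructed, and the output line format assumed is the one ansible-core 2.11+ prints (older releases omit the path in parentheses, which the parser tolerates).

```python
import re
import subprocess
import sys

# Constructed sample of `ansible --version` output (ansible-core 2.11+ format).
SAMPLE_ANSIBLE_VERSION = """ansible [core 2.15.5]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/bob/.ansible/plugins/modules']
  python version = 3.9.18 (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
"""

# The interpreter this script runs under; used by the usage example and the checks.
CONTROLLER_PYTHON = sys.executable

_PY_LINE = re.compile(r"^\s*python version = (\S+)(?: \((\S+)\))?", re.M)


def ansible_python(version_output: str):
    """Return (python_version, interpreter_path_or_None) parsed from
    `ansible --version` text. Older Ansible prints build details instead of a
    path after the version, in which case the path is None."""
    m = _PY_LINE.search(version_output)
    if not m:
        raise ValueError("no 'python version' line found in ansible --version output")
    return m.group(1), m.group(2)


def module_importable(python_exe: str, module: str) -> bool:
    """True if `<python_exe> -c 'import <module>'` exits 0.
    Run this against the interpreter Ansible uses, not the shell's default."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.]*", module):
        raise ValueError("module name must be a dotted identifier")
    r = subprocess.run([python_exe, "-c", f"import {module}"],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def diagnose(version_output: str, module: str = "fortiosapi") -> str:
    """Explain whether `module` is available to the Ansible interpreter and,
    if not, give the pip command that targets that exact interpreter."""
    ver, path = ansible_python(version_output)
    if path is None:
        return (f"Ansible runs Python {ver} but did not print its path; "
                f"find the interpreter before checking for {module}")
    if module_importable(path, module):
        return f"{module} is importable by {path} (Python {ver})"
    return f"{module} is missing for {path}; install it with: {path} -m pip install {module}"


if __name__ == "__main__":
    try:
        out = subprocess.run(["ansible", "--version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""
    # Fall back to the constructed sample when ansible is not on this host.
    print(diagnose(out or SAMPLE_ANSIBLE_VERSION))
```

The point of resolving the path rather than running `pip install fortiosapi` blindly is that CentOS 7 ships a system Python 2 alongside whatever Python 3 Ansible was installed into; installing the package into the wrong one reproduces the same error.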
So after you updated ansible-galaxy what error are you getting?
You might also need to modify your host entry with the following:
e.g
[fgt]
x.x.x.x ansible_user=<ansible-username-account-on-fgt>
I would also enable "set admin-scp enable" under the fortigate's system global settings and copy the ssh-key to that named account as well. To confirm ansible has hit the fgt, do a
"get system admin list": you should see an ssh login from the control_node. Dump your playbook here when you get a chance.
Ken Felix
PCNSE
NSE
StrongSwan
---
- name: Get Fortinet 'system' 'Interface' information
  hosts: localhost
  vars:
    host: "192.168.xx.xx"
    username: "xxxxx"
    password: "xxxxx"
    vdom: "root"
    ssl_verify: "no"
  tasks:
  - name: basic system status f
    fortios_facts:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      gather_subset:
      - fact: 'system_status_select'
Not sure how to move the SSL cert over. That may be most of the issue.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
OK, after running 'show full sys adm <admin>', I see where to add the key, now how do I get it from CentOS?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
OK, Dr. Google helped me out in getting the key moved over. Still the same error. I'm done for today. A full week of 8 hour days learning this. My brain needs a break.
*** Addition. I created a new key without a passphrase and now the login is seamless (no password required). Error persists. Tomorrow is another day. Damn CentOS 7.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
What I do is go to my ansible account dir and cd to .ssh.
You should have a pub key file that ends in id_rsa.pub. Copy that pub key and paste it in, wrapped in " " strings, for the ansible user.
e.g
config system admin
    edit "ansible"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgqzF+K7qevH8xe9LQyiuSD794R1mmzVNAe8BfiREx3MXYgR+6gbskKwgQ7SoyS66Zw32qoojasFVwPipmU1j3NYch8ErCa3n2EgO4LLw8Y08aG8RdOhz0ZEa0NetjS7C7vScEBRmVPQitF0TpYaYVGpCirsPLHMZl9zfMMDDYzlA+PiuENUULY0wEKAH0xD1zLRWNtdAI/nFzEeOIUBCQNkbmNhip4d5FGiDMzbWof522hA3WG9IzS8XLm85H48it3NwgwK6g8vzSw1sAbxriQDn5N3tfG8+c3LukZzXJZ086TQuRCh28tnPH1FCWcgHsR3eiDgOi6UcSbNOsYbOj ansible@socpuppets.com"
        set password ENC SH23eab+MFSXJSuzKbTOGTRppllTNqklpULhers2FWVWbGXZ99vXQv1kyKIA1E=
    next
end
Now if you ssh from the control_node you should gain access.
now run your playbook but callout debug
e.g
ansible-playbook --syntax-check <youplaybooknamed.yml>
ansible-playbook --check <youplaybooknamed.yml>
ANSIBLE_DEBUG=1 ansible-playbook <youplaybooknamed.yml>
If you are a success, the "get system admin list" will show your control_node logged in. Another trick we use, which is simple, is to make API calls, but we use ansible plays to gather status. We run this off a linux host in the org that grabs the status. This is how we test ansible using the uri module, check that the fortigate is up, and check connectivity to the fgt.
I would do something like that if you want to test ansible before calling up the fortios specific modules.
Ken Felix
PCNSE
NSE
StrongSwan
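Editor's example for the key-installation step above, added here and not part of the thread or of any Fortinet tooling. Copy-and-paste of id_rsa.pub into the CLI fails silently when the clipboard carries a second line, a wrapped key, or a key type that does not match the base64 blob, and the only symptom is a password prompt. This script validates the OpenSSH line first (single line, valid base64, the key type string embedded in the blob per RFC 4253 equals the declared type, no double quote in the comment that would end the FortiOS string early) and then renders the `config system admin` block in the shape shown above. Assumptions: the admin name, accprofile and vdom defaults mirror the thread's values, `ssh-public-key1..3` are the slots FortiOS exposes, and the demo key is constructed filler, not a real key. Note that `super_admin` is more than a fact-gathering account needs; a read-only access profile follows least privilege, and which key types a given FortiOS build accepts is version-dependent, so the validator only checks internal consistency.

```python
import base64
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + data (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line: str):
    """Validate one OpenSSH public-key line as found in ~/.ssh/id_rsa.pub.

    Returns (keytype, base64_blob, comment). Raises ValueError on anything that
    would be pasted into the FortiGate as garbage: extra lines, bad base64, a
    truncated blob, or a declared type that differs from the type inside the blob.
    """
    text = line.strip()
    if not text or "\n" in text or "\r" in text:
        raise ValueError("expected exactly one key line")
    parts = text.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = " ".join(parts[2:])
    if '"' in comment:
        raise ValueError('comment contains \'"\', the FortiOS CLI string delimiter')
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key blob is not valid base64: {exc}")
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n]
    if len(embedded) != n:
        raise ValueError("truncated key blob")
    if embedded != keytype.encode():
        raise ValueError(f"declared type {keytype!r} but blob encodes {embedded!r}")
    return keytype, b64, comment


def is_valid_pubkey(line: str) -> bool:
    """Boolean wrapper around parse_openssh_pubkey for quick checks."""
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False


def fortios_admin_cli(pubkey_line: str, name: str = "ansible",
                      accprofile: str = "super_admin", vdom: str = "root",
                      slot: int = 1) -> str:
    """Render the FortiOS CLI that installs the key on an admin account.
    The password line is deliberately omitted: leave the existing credential alone."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError("admin name restricted to letters, digits, '-' and '_' (assumption)")
    if slot not in (1, 2, 3):
        raise ValueError("FortiOS exposes ssh-public-key1 through ssh-public-key3")
    keytype, b64, comment = parse_openssh_pubkey(pubkey_line)
    key = f"{keytype} {b64}" + (f" {comment}" if comment else "")
    return "\n".join([
        "config system admin",
        f'    edit "{name}"',
        f'        set accprofile "{accprofile}"',
        f'        set vdom "{vdom}"',
        f'        set ssh-public-key{slot} "{key}"',
        "    next",
        "end",
    ])


def make_demo_rsa_pubkey(comment: str = "ansible@example.com") -> str:
    """CONSTRUCTED demo key: structurally an ssh-rsa line (type, exponent, modulus)
    whose modulus is filler bytes. Not a real key; never install it."""
    e = b"\x01\x00\x01"
    n = b"\x00" + bytes(range(0x80, 0xC0))  # leading zero as an mpint carries when the high bit is set
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    import sys
    # Usage: python fgt_admin_key.py ~/.ssh/id_rsa.pub  (falls back to the demo key)
    line = open(sys.argv[1]).read() if len(sys.argv) > 1 else make_demo_rsa_pubkey()
    print(fortios_admin_cli(line))
```

After pasting the rendered block, `ssh ansible@<fgt address>` from the control node should log in without a password, and "get system admin list" on the FortiGate shows that session, which is the confirmation step described above.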
Copyright 2024 Fortinet, Inc. All Rights Reserved.