Fortigate+Semaphore-Ansible - Error connection

Kirinzo · ‎06-06-2023

Hello,

I try to connect to my Fortigate with Ansible to do somes simple actions like change the hostname of my Firewall with REST API :

I execute my playbook with Semaphore-Ansible.

Semaphore : v2.8.68

Semaphore use : ansible-core : ansible-playbook [core 2.11.12]

My Fortigate is on v7.0.4build0301

My Collection (i try different version of collection):

- name: community.network # https://docs.ansible.com/ansible/latest/collections/community/network/index.html

version: 3.3.0

- name: ansible.utils # https://docs.ansible.com/ansible/latest/collections/ansible/utils/index.html

version: 2.6.1

#- name: ansible.utils # https://docs.ansible.com/ansible/latest/collections/ansible/utils/index.html

# version: 2.10.3

#- name: fortinet.fortios # https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/index.html

# version: 2.1.5

- name: fortinet.fortios # https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/index.html

version: 2.3.0

My playbook :

---

- name: "Rename du Firewall"

hosts: firewall_fortigate_Europlaza_UAT

gather_facts: false

collections:

- fortinet.fortios.fortios

connection: httpapi

vars:

vdom: "root"

ansible_connection: ansible.netcommon.httpapi

ansible_network_os: fortinet.fortios.fortios

ansible_httpapi_use_ssl: yes

ansible_httpapi_validate_certs: no

ansible_httpapi_port: 443

tasks:

- name: Rename Firewall

fortios_system_global:

vdom: "{{ vdom }}"

access_token: "{{ fortios_access_token }}"

system_global:

hostname: 'MyfrNFPaUATEur01-test'

-----------

My Inventory :

[firewall_fortigate_Europlaza_UAT]
MyfrNFPaUATEur01 ansible_host=172.31.0.7 fortios_access_token=*MyAccessToken*

*I hide my connection's token with the value *MyAccessToken* in the topic :)

--------

Result of the playbook playing :

Started: 1419
5:05:40 PM
Run TaskRunner with template: Deploy Policy IPv4
5:05:40 PM
/home/mmgbastion/venv/lib64/python3.6/site-packages/ansible/parsing/vault/__init__.py:44: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
5:05:40 PM
from cryptography.exceptions import InvalidSignature
5:05:40 PM
ansible-playbook [core 2.11.12]
5:05:40 PM
config file = /home/semaphore/playbook/repository_1_30/ansible.cfg
5:05:40 PM
configured module search path = ['/home/semaphore/playbook/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
5:05:40 PM
ansible python module location = /home/mmgbastion/venv/lib64/python3.6/site-packages/ansible
5:05:40 PM
ansible collection location = /home/semaphore/playbook/.ansible/collections:/usr/share/ansible/collections
5:05:40 PM
executable location = /home/mmgbastion/venv/bin/ansible-playbook
5:05:40 PM
python version = 3.6.8 (default, Jan 23 2023, 22:31:05) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)]
5:05:40 PM
jinja version = 3.0.3
5:05:40 PM
libyaml = True
5:05:40 PM
Using /home/semaphore/playbook/repository_1_30/ansible.cfg as config file
5:05:40 PM
setting up inventory plugins
5:05:40 PM
host_list declined parsing /home/semaphore/playbook/repository_1_30/inventory/UAT/Fortigate_UAT as it did not pass its verify_file() method
5:05:40 PM
script declined parsing /home/semaphore/playbook/repository_1_30/inventory/UAT/Fortigate_UAT as it did not pass its verify_file() method
5:05:40 PM
auto declined parsing /home/semaphore/playbook/repository_1_30/inventory/UAT/Fortigate_UAT as it did not pass its verify_file() method
5:05:40 PM
Trying secret FileVaultSecret(filename='/home/semaphore/playbook/access_key_822458460') for vault_id=default
5:05:40 PM
Trying secret FileVaultSecret(filename='/home/semaphore/playbook/access_key_822458460') for vault_id=default
5:05:40 PM
Parsed /home/semaphore/playbook/repository_1_30/inventory/UAT/Fortigate_UAT inventory source with ini plugin
5:05:40 PM
Loading collection fortinet.fortios from /home/semaphore/playbook/.ansible/collections/ansible_collections/fortinet/fortios
5:05:40 PM
redirecting (type: modules) ansible.builtin.fortios_firewall_policy to fortinet.fortios.fortios_firewall_policy
5:05:40 PM
Loading callback plugin default of type stdout, v2.0 from /home/mmgbastion/venv/lib64/python3.6/site-packages/ansible/plugins/callback/default.py
5:05:40 PM
Skipping callback 'default', as we already have a stdout callback.
5:05:40 PM
Skipping callback 'minimal', as we already have a stdout callback.
5:05:40 PM
Skipping callback 'oneline', as we already have a stdout callback.
5:05:40 PM
5:05:40 PM
PLAYBOOK: Fortigate_UAT_PolicyV4.yml *******************************************
5:05:40 PM
Positional arguments: playbook/UAT/Fortigate_UAT_PolicyV4.yml
5:05:40 PM
verbosity: 4
5:05:40 PM
private_key_file: /home/semaphore/playbook/access_key_752580758
5:05:40 PM
connection: smart
5:05:40 PM
timeout: 10
5:05:40 PM
become_method: sudo
5:05:40 PM
tags: ('all',)
5:05:40 PM
inventory: ('/home/semaphore/playbook/repository_1_30/inventory/UAT/Fortigate_UAT',)
5:05:40 PM
extra_vars: ('{"semaphore_vars":{"task_details":{"username":"admin"}}}',)
5:05:40 PM
vault_password_files: ('/home/semaphore/playbook/access_key_822458460',)
5:05:40 PM
forks: 5
5:05:40 PM
1 plays in playbook/UAT/Fortigate_UAT_PolicyV4.yml
5:05:40 PM
5:05:40 PM
PLAY [Creation d'une regle IP V4] **********************************************
5:05:40 PM
META: ran handlers
5:05:40 PM
5:05:40 PM
TASK [Fortigate-Deploy_IPv4_Policy] ********************************************
5:05:40 PM
task path: /home/semaphore/playbook/repository_1_30/playbook/UAT/Fortigate_UAT_PolicyV4.yml:22
5:05:40 PM
Loading collection ansible.netcommon from /home/semaphore/playbook/.ansible/collections/ansible_collections/ansible/netcommon
5:05:40 PM
<172.31.0.7> attempting to start connection
5:05:40 PM
<172.31.0.7> using connection plugin ansible.netcommon.httpapi
5:05:40 PM
Found ansible-connection at path /home/mmgbastion/venv/bin/ansible-connection
5:05:41 PM
<172.31.0.7> local domain socket does not exist, starting it
5:05:41 PM
<172.31.0.7> control socket path is /home/semaphore/playbook/.ansible/pc/edc0f1e0ad
5:05:41 PM
<172.31.0.7> Loading collection ansible.netcommon from /home/semaphore/playbook/.ansible/collections/ansible_collections/ansible/netcommon
5:05:41 PM
<172.31.0.7> Loading collection fortinet.fortios from /home/semaphore/playbook/.ansible/collections/ansible_collections/fortinet/fortios
5:05:41 PM
<172.31.0.7> local domain socket listeners started successfully
5:05:41 PM
<172.31.0.7> loaded API plugin ansible_collections.fortinet.fortios.plugins.httpapi.fortios from path /home/semaphore/playbook/.ansible/collections/ansible_collections/fortinet/fortios/plugins/httpapi/fortios.py for platform type fortinet.fortios.fortios
5:05:41 PM
<172.31.0.7>
5:05:41 PM
<172.31.0.7> local domain socket path is /home/semaphore/playbook/.ansible/pc/edc0f1e0ad
5:05:41 PM
<172.31.0.7> ESTABLISH LOCAL CONNECTION FOR USER: root
5:05:41 PM
<172.31.0.7> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h `"&& mkdir "` echo /home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229 `" && echo ansible-tmp-1686063941.4473476-1112097-145445221127229="` echo /home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229 `" ) && sleep 0'
5:05:41 PM
redirecting (type: modules) ansible.builtin.fortios_firewall_policy to fortinet.fortios.fortios_firewall_policy
5:05:41 PM
Using module file /home/semaphore/playbook/.ansible/collections/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_policy.py
5:05:41 PM
<172.31.0.7> PUT /home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/tmp45rbdjf7 TO /home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/AnsiballZ_fortios_firewall_policy.py
5:05:41 PM
<172.31.0.7> EXEC /bin/sh -c 'chmod u+x /home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/ /home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/AnsiballZ_fortios_firewall_policy.py && sleep 0'
5:05:41 PM
<172.31.0.7> EXEC /bin/sh -c '/home/mmgbastion/venv/bin/python3 /home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/AnsiballZ_fortios_firewall_policy.py && sleep 0'
5:05:41 PM
<172.31.0.7> EXEC /bin/sh -c 'rm -f -r /home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/ > /dev/null 2>&1 && sleep 0'
5:05:41 PM
The full traceback is:
5:05:41 PM
Traceback (most recent call last):
5:05:41 PM
File "/home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/AnsiballZ_fortios_firewall_policy.py", line 100, in
5:05:41 PM
_ansiballz_main()
5:05:41 PM
File "/home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/AnsiballZ_fortios_firewall_policy.py", line 92, in _ansiballz_main
5:05:41 PM
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
5:05:41 PM
File "/home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/AnsiballZ_fortios_firewall_policy.py", line 41, in invoke_module
5:05:41 PM
run_name='__main__', alter_sys=True)
5:05:41 PM
File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
5:05:41 PM
return _run_module_code(code, init_globals, run_name, mod_spec)
5:05:41 PM
File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
5:05:41 PM
mod_name, mod_spec, pkg_name, script_name)
5:05:41 PM
File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
5:05:41 PM
exec(code, run_globals)
5:05:41 PM
File "/tmp/ansible_fortios_firewall_policy_payload_dtcau9k5/ansible_fortios_firewall_policy_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_policy.py", line 12975, in
5:05:41 PM
File "/tmp/ansible_fortios_firewall_policy_payload_dtcau9k5/ansible_fortios_firewall_policy_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_policy.py", line 12938, in main
5:05:41 PM
File "/tmp/ansible_fortios_firewall_policy_payload_dtcau9k5/ansible_fortios_firewall_policy_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py", line 220, in check_schema_versioning
5:05:41 PM
File "/tmp/ansible_fortios_firewall_policy_payload_dtcau9k5/ansible_fortios_firewall_policy_payload.zip/ansible/module_utils/connection.py", line 200, in __rpc__
5:05:41 PM
ansible.module_utils.connection.ConnectionError: Could not connect to https://172.31.0.7:443/logincheck?access_token=*MyAccessToken*: [Errno 0] Error
5:05:41 PM
fatal: [MyfrNFPaUATEur01]: FAILED! => {
5:05:41 PM
"changed": false,
5:05:41 PM
"module_stderr": "Traceback (most recent call last):\n File \"/home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/AnsiballZ_fortios_firewall_policy.py\", line 100, in \n _ansiballz_main()\n File \"/home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/AnsiballZ_fortios_firewall_policy.py\", line 92, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/semaphore/playbook/.ansible/tmp/ansible-local-1112090pbm6ul_h/ansible-tmp-1686063941.4473476-1112097-145445221127229/AnsiballZ_fortios_firewall_policy.py\", line 41, in invoke_module\n run_name='__main__', alter_sys=True)\n File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_fortios_firewall_policy_payload_dtcau9k5/ansible_fortios_firewall_policy_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_policy.py\", line 12975, in \n File \"/tmp/ansible_fortios_firewall_policy_payload_dtcau9k5/ansible_fortios_firewall_policy_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_policy.py\", line 12938, in main\n File \"/tmp/ansible_fortios_firewall_policy_payload_dtcau9k5/ansible_fortios_firewall_policy_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py\", line 220, in check_schema_versioning\n File \"/tmp/ansible_fortios_firewall_policy_payload_dtcau9k5/ansible_fortios_firewall_policy_payload.zip/ansible/module_utils/connection.py\", line 200, in __rpc__\nansible.module_utils.connection.ConnectionError: Could not connect to https://172.31.0.7:443/logincheck?access_token=*MyAccessToken*: [Errno 0] Error\n",
5:05:41 PM
"module_stdout": "",
5:05:41 PM
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
5:05:41 PM
"rc": 1
5:05:41 PM
}
5:05:41 PM
5:05:41 PM
PLAY RECAP *********************************************************************
5:05:41 PM
MyfrNFPaUATEur01 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
5:05:41 PM
5:05:41 PM
Running playbook failed: exit status 2

If anybody can help me ? i didin't find any solution after many test :(

kgeorge · ‎06-07-2023

Hello Kirinzo,

The REST API configuration and assistance is exclusively provided by our Fortinet Developer Team.

To get in touch with them, you need to have a Fortinet Developer Account access where you can access numerous tools and resources pertaining to REST API.

In order to sign up for Fortinet Developer Account, two Sponsors are required from Fortinet for which, you can get in touch with your Local Fortinet vendor or your regional Fortinet Sales Engineer.

Here are few docs and articles that might help you,

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-REST-API-Access-FortiGate/ta-p/196540

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/940602/using-apis

Regards,

Klint George

Regards,
Klint George

ManyStone · ‎07-30-2023

Audiologists at Hearwell play a crucial role in the journey to better hearing. They conduct comprehensive assessments to determine the degree and type of loss, enabling them to recommend the most suitable lyrics hearing aids solutions.