

Compatibility with FortiManager 6.4 #45

Closed nukulaar closed 2 years ago

nukulaar commented 2 years ago

In FortiManager 6.4 the IPv4 and IPv6 policies have been merged, so the API appears to have changed. The following task currently fails:

    # Reporter's original task: it targets the fmgr_pkg_firewall_policy6 module,
    # which the 6.4.7 output below rejects (every parameter is reported as
    # "not supported since v6.4.0" and the request ends with rc -10131).
    - name: Create IPv6 Firewall rule
      fmgr_pkg_firewall_policy6:
        adom: root
        state: present
        # Left at false so the module's own schema check runs; the second output
        # below shows that setting it to true does not get past the -10131 error.
        bypass_validation: false
        pkg: "xxx_adc"
        pkg_firewall_policy6:
          # The response_data below reports policyid 4, so 0 presumably asks
          # FortiManager to assign the id — confirm against the module docs.
          policyid: 0
          name: "allv6 --> my rulename"
          comments: "Created by Ansible"
          action: "accept"
          # On 6.4 the IPv6 address objects belong in the dstaddr6/srcaddr6 keys
          # of fmgr_pkg_firewall_policy (see the reply below); here FortiManager
          # rejects them with "datasrc invalid".
          dstaddr: "HOSTv6_myObj"
          srcaddr: "all"
          dstintf: "any"
          srcintf: "any"
          logtraffic: "enable"
          service: "SVC_443_TCP"
          schedule: "always"
          # Plain "enable" is a string, not a YAML boolean, so it needs no quoting.
          status: enable

This is the output:

fatal: [xxx]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "adom": "root",
            "bypass_validation": false,
            "enable_log": false,
            "forticloud_access_token": null,
            "pkg": "xxx_adc",
            "pkg_firewall_policy6": {
                "action": "accept",
                "anti-replay": null,
                "app-category": null,
                "app-group": null,
                "application": null,
                "application-list": null,
                "auto-asic-offload": null,
                "av-profile": null,
                "cifs-profile": null,
                "comments": "Created by Ansible",
                "custom-log-fields": null,
                "decrypted-traffic-mirror": null,
                "devices": null,
                "diffserv-forward": null,
                "diffserv-reverse": null,
                "diffservcode-forward": null,
                "diffservcode-rev": null,
                "dlp-sensor": null,
                "dnsfilter-profile": null,
                "dscp-match": null,
                "dscp-negate": null,
                "dscp-value": null,
                "dsri": null,
                "dstaddr": "HOSTv6_myObj",
                "dstaddr-negate": null,
                "dstintf": "any",
                "emailfilter-profile": null,
                "firewall-session-dirty": null,
                "fixedport": null,
                "fsso-groups": null,
                "global-label": null,
                "groups": null,
                "http-policy-redirect": null,
                "icap-profile": null,
                "inbound": null,
                "inspection-mode": null,
                "ippool": null,
                "ips-sensor": null,
                "label": null,
                "logtraffic": "enable",
                "logtraffic-start": null,
                "mms-profile": null,
                "name": "allv6 --> my rulename",
                "nat": null,
                "natinbound": null,
                "natoutbound": null,
                "np-accelation": null,
                "np-acceleration": null,
                "outbound": null,
                "per-ip-shaper": null,
                "policyid": 0,
                "poolname": null,
                "profile-group": null,
                "profile-protocol-options": null,
                "profile-type": null,
                "replacemsg-override-group": null,
                "rsso": null,
                "schedule": "always",
                "send-deny-packet": null,
                "service": "SVC_443_TCP",
                "service-negate": null,
                "session-ttl": null,
                "spamfilter-profile": null,
                "srcaddr": "all",
                "srcaddr-negate": null,
                "srcintf": "any",
                "ssh-filter-profile": null,
                "ssh-policy-redirect": null,
                "ssl-mirror": null,
                "ssl-mirror-intf": null,
                "ssl-ssh-profile": null,
                "status": "enable",
                "tags": null,
                "tcp-mss-receiver": null,
                "tcp-mss-sender": null,
                "tcp-session-without-syn": null,
                "timeout-send-rst": null,
                "tos": null,
                "tos-mask": null,
                "tos-negate": null,
                "traffic-shaper": null,
                "traffic-shaper-reverse": null,
                "url-category": null,
                "users": null,
                "utm-status": null,
                "uuid": null,
                "vlan-cos-fwd": null,
                "vlan-cos-rev": null,
                "vlan-filter": null,
                "voip-profile": null,
                "vpntunnel": null,
                "waf-profile": null,
                "webcache": null,
                "webcache-https": null,
                "webfilter-profile": null,
                "webproxy-forward-server": null,
                "webproxy-profile": null
            },
            "proposed_method": null,
            "rc_failed": null,
            "rc_succeeded": null,
            "state": "present",
            "workspace_locking_adom": null,
            "workspace_locking_timeout": 300
        }
    },
    "meta": {
        "request_url": "/pm/config/adom/root/pkg/xxx_adc/firewall/policy6",
        "response_code": -10131,
        "response_data": {
            "policyid": 4
        },
        "response_message": "datasrc invalid. object: Policy package \"\" - firewall policy64.4:dstaddr. detail: HOSTv6_myObj. solution: datasrc invalid",
        "system_information": {
            "Admin Domain Configuration": "Disabled",
            "BIOS version": "04000002",
            "Branch Point": "2412",
            "Build": "2412",
            "Current Time": "Tue May 17 09:59:19 CEST 2022",
            "Daylight Time Saving": "Yes",
            "FIPS Mode": "Disabled",
            "HA Mode": "Stand Alone",
            "Hostname": "xxx",
            "License Status": "Valid",
            "Major": 6,
            "Max Number of Admin Domains": 10,
            "Max Number of Device Groups": 10,
            "Minor": 4,
            "Offline Mode": "Disabled",
            "Patch": 7,
            "Platform Full Name": "FortiManager-VM64",
            "Platform Type": "FMG-VM64",
            "Release Version Information": " (GA)",
            "Serial Number": "xxx",
            "Time Zone": "(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.",
            "Version": "v6.4.7-build2412 210902 (GA)",
            "x86-64 Applications": "Yes"
        }
    },
    "rc": -10131,
    "version_check_warning": {
        "mismatches": [
            "param: pkg_firewall_policy6-->status not supported since v6.4.0",
            "param: pkg_firewall_policy6-->name not supported since v6.4.0",
            "param: pkg_firewall_policy6-->service not supported since v6.4.0",
            "param: pkg_firewall_policy6-->schedule not supported since v6.4.0",
            "param: pkg_firewall_policy6-->logtraffic not supported since v6.4.0",
            "param: pkg_firewall_policy6-->comments not supported since v6.4.0",
            "param: pkg_firewall_policy6-->srcaddr not supported since v6.4.0",
            "param: pkg_firewall_policy6-->srcintf not supported since v6.4.0",
            "param: pkg_firewall_policy6-->action not supported since v6.4.0",
            "param: pkg_firewall_policy6-->dstaddr not supported since v6.4.0",
            "param: pkg_firewall_policy6-->dstintf not supported since v6.4.0"
        ],
        "system_version": "v6.4.7"
    }
}

If I set bypass_validation to true:

fatal: [xxx]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "adom": "root",
            "bypass_validation": true,
            "enable_log": false,
            "forticloud_access_token": null,
            "pkg": "xxx_adc",
            "pkg_firewall_policy6": {
                "action": "accept",
                "comments": "Created by Ansible",
                "dstaddr": "HOSTv6_MyObject",
                "dstintf": "any",
                "logtraffic": "enable",
                "name": "allv6 --> my rulename",
                "policyid": 0,
                "schedule": "always",
                "service": "SVC_443_TCP",
                "srcaddr": "all",
                "srcintf": "any",
                "status": "enable"
            },
            "proposed_method": null,
            "rc_failed": null,
            "rc_succeeded": null,
            "state": "present",
            "workspace_locking_adom": null,
            "workspace_locking_timeout": 300
        }
    },
    "meta": {
        "request_url": "/pm/config/adom/root/pkg/xxx_adc/firewall/policy6",
        "response_code": -10131,
        "response_data": {
            "policyid": 4
        },
        "response_message": "datasrc invalid. object: Policy package \"\" - firewall policy64.4:dstaddr. detail: HOSTv6_2a02:2a28:b:ff31::21-as2test-https.sw-sb.de. solution: datasrc invalid",
        "system_information": {
            "Admin Domain Configuration": "Disabled",
            "BIOS version": "04000002",
            "Branch Point": "2412",
            "Build": "2412",
            "Current Time": "Tue May 17 09:57:44 CEST 2022",
            "Daylight Time Saving": "Yes",
            "FIPS Mode": "Disabled",
            "HA Mode": "Stand Alone",
            "Hostname": "swsfm01",
            "License Status": "Valid",
            "Major": 6,
            "Max Number of Admin Domains": 10,
            "Max Number of Device Groups": 10,
            "Minor": 4,
            "Offline Mode": "Disabled",
            "Patch": 7,
            "Platform Full Name": "FortiManager-VM64",
            "Platform Type": "FMG-VM64",
            "Release Version Information": " (GA)",
            "Serial Number": "xxx",
            "Time Zone": "(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.",
            "Version": "v6.4.7-build2412 210902 (GA)",
            "x86-64 Applications": "Yes"
        }
    },
    "rc": -10131
}
mpsikorski commented 2 years ago

You have to use `fmgr_pkg_firewall_policy` instead and fill in the values for `srcaddr6` and `dstaddr6`, something like this:

# Working replacement from the reply: the merged fmgr_pkg_firewall_policy module,
# with the IPv6 objects moved to the *addr6 keys. Only the argument mapping is
# shown (no task/module lines); the ten-space indent is as posted and is valid
# YAML because the children are indented more than the key, but re-indent it to
# match the task when pasting.
pkg_firewall_policy:
          policyid: 0
          name: "allv6 --> my rulename"
          comments: "Created by Ansible"
          action: "accept"
          # IPv6 address objects go in the *addr6 keys (these are the values the
          # failing task above passed as dstaddr/srcaddr).
          dstaddr6: "HOSTv6_myObj"
          srcaddr6: "all"
          dstintf: "any"
          srcintf: "any"
          logtraffic: "enable"
          service: "SVC_443_TCP"
          schedule: "always"
          # Plain "enable" is a string, not a YAML boolean, so it needs no quoting.
          status: enable
nukulaar commented 2 years ago

Thank you, this is working!