fortinet-ansible-dev / ansible-galaxy-fortimanager-collection

GNU General Public License v3.0

global-label create new section each time a rule is created #83

Open DenisPerricone opened 5 months ago

DenisPerricone commented 5 months ago

Hi! I have an issue with the global-label parameter of fmgr_pkg_firewall_policy.

When I try to create a firewall policy passing the global-label parameter, a new section is created, even if it already exists.

My expectation is that if a section already exists, the module creates the rule in that section.

Consider also that in the FortiManager UI it is not possible to have two identical sections, but via the module it is.

Our scope is to create N policies in a predetermined section and then install the package.

[image: IMG_20240415_131955.jpg] As you can see in the image, the result is a duplicate of the section named "Sezione 1".

Thanks in advance

dux-fortinet commented 5 months ago

Hi @DenisPerricone,

Thanks for raising this issue. It is really weird. Could you please check whether there is extra space in the parameter "global-label"?

For example, "global-label" for policy 26 and 24 is "Sezione 1" while "global-label" for policy 45 is "Sezione 1 "(extra space)

Thanks.

DenisPerricone commented 5 months ago

Hi, thanks for your fast answer. Unfortunately I've already checked whether there are any spaces or hidden characters, but it's absolutely the same.

I tried to pass the label via a var (survey text box) or to place "Sezione 1" directly in the module.

Unfortunately we are in production, and an upgrade of the collection is not an option in our case. Do you know whether there is a way (maybe some other module/parameter) I can use to create a rule or to move a rule into a specific section?

The fmgr_pkg_firewall_policy_sectionvalue module, if I understood it well, produces the same issue.

dux-fortinet commented 5 months ago

Hi @DenisPerricone,

I can reproduce this now. It seems to be the GUI's problem (or maybe they did it on purpose, because policy order matters in some cases). Policies are in the order of creation time. The GUI classifies consecutive policies with the same "global-label" into the same section. So if you declare some policies in Sezione 1, then declare some policies in Sezione 2, and then declare some policies in Sezione 1 again, there will be 3 different sections.

You can directly change the section value of one policy by changing the parameter "global-label", yet since the policies are in the order of creation time by default, the two policies with the same "global-label" may not be classified into one section in the GUI if there are other policies with different "global-label" between them.

One way is to use fmgr_move. You can move one policy before/after another by using:

```yaml
---
- name: Move policy
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
    adom_name: your_adom_name
    pkg_name: your_pkg_name
  tasks:
    - name: Move policy 45 after policy 24
      fortinet.fortimanager.fmgr_move:
        move:
          selector: "pkg_firewall_policy"
          target: 24
          action: "after"
          self:
            adom: "{{ adom_name }}"
            pkg: "{{ pkg_name }}"
            policy: 45
```

Please note, we use the policy id in fmgr_move. If you move a policy in the GUI (by right-clicking one policy and selecting "move to"), the GUI will ask you to provide "#" (ID, not policy ID).

Thanks, Dux.

DenisPerricone commented 5 months ago

So it's a FortiManager limit and we have to move policies one by one and by id. Okay, clear, thank you.

It's a little bit hard to manage for the end user because they have to know each policy ID or open the FM UI, but if it is not possible to add a policy to a specific section, I think it is the only way.

Thank you

dux-fortinet commented 5 months ago

Further update: I asked the FMG development team. The policy is displayed by sequence (if you use interface pair view, it will do interface filtering first).

FMG can't change the display order via "global-label" because the order matters (a different policy order may result in different routing behavior). Therefore, the best practice is to declare policies with the same "global-label" consecutively.

And this is just a display issue. Even if you have two sections with the same name "Sezione 1", the "global-label" values for the policies under both "Sezione 1" sections are still correct.

Thanks, Dux
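As an added illustration of the grouping rule described in the two replies above (consecutive policies sharing a "global-label" form one GUI section) and of how fmgr_move by policy id can make a label's section contiguous again, here is a small Python model. It is example code, not part of the fortimanager collection, and the policy ids and labels are constructed sample data.

```python
# Added example (not code from the fortimanager collection): models how the FMG
# GUI derives sections from the policy sequence and computes the fmgr_move calls
# that make each global-label contiguous again. Ids and labels are constructed.
from itertools import groupby

# Constructed sample in creation order: "Sezione 1", then "Sezione 2", then
# "Sezione 1" again, which the GUI shows as a duplicated "Sezione 1" section.
SAMPLE_POLICIES = [
    {"policyid": 24, "global-label": "Sezione 1"},
    {"policyid": 26, "global-label": "Sezione 1"},
    {"policyid": 30, "global-label": "Sezione 2"},
    {"policyid": 45, "global-label": "Sezione 1"},
    {"policyid": 47, "global-label": "Sezione 1"},
    {"policyid": 50, "global-label": "Sezione 2"},
]

def gui_sections(policies):
    """One section per run of consecutive policies sharing a global-label."""
    return [(label, [p["policyid"] for p in run])
            for label, run in groupby(policies, key=lambda p: p["global-label"])]

def first_stray(order):
    """Index of the first policy opening a repeated section (its label already
    closed an earlier section), or None when every label is contiguous."""
    seen = set()
    for i, p in enumerate(order):
        label = p["global-label"]
        if i and order[i - 1]["global-label"] == label:
            continue  # still inside the current section
        if label in seen:
            return i
        seen.add(label)
    return None

def moves_to_join_sections(policies):
    """Return (moves, final_order); each move is one fmgr_move call (policy,
    action, target are all policy ids) placing a stray right after the last
    policy of its label's first section, so that section keeps its place."""
    order = [dict(p) for p in policies]
    moves = []
    while (i := first_stray(order)) is not None:
        stray = order.pop(i)
        target = [p for p in order[:i]
                  if p["global-label"] == stray["global-label"]][-1]
        order.insert(order.index(target) + 1, stray)
        moves.append({"policy": stray["policyid"], "action": "after",
                      "target": target["policyid"]})
    return moves, order
```

Each returned move maps onto move.self.policy, move.action and move.target of the playbook above; moving only the strays leaves the relative order of the remaining policies, which matters for matching, untouched.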

DenisPerricone commented 5 months ago

Thank you so much, you were really kind and clear. I will not hesitate to write to you if my client has any questions or needs clarification. Again, thanks!