fortinet-ansible-dev / ansible-galaxy-fortimanager-collection

GNU General Public License v3.0

The data is invalid for selected url when using fortinet.fortimanager.fmgr_dvmdb_script_execute #86

Closed riccardo-roveri-labs closed 2 months ago

riccardo-roveri-labs commented 2 months ago

When running the following playbook

- name: Forti Playbook
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 1239
    ansible_httpapi_use_proxy: false
    adom: root
    package_name: test
    address_file: 'out/address-out.fscript'
    script_create_address: create_address
  tasks:
    - name: Read address content
      ansible.builtin.set_fact:
        addr_script_content: "{{ lookup('file', address_file) }}"
    - name: Update address script
      fortinet.fortimanager.fmgr_dvmdb_script:
        adom: "{{ adom }}"
        access_token: "{{ access_token }}"
        state: present
        dvmdb_script:
          name: "{{ script_create_address }}"
          desc: Create address and address group in adom DB
          content: "{{ addr_script_content }}"
          target: adom_database
          type: cli
      register: change_create_address
    - name: Run address script
      fortinet.fortimanager.fmgr_dvmdb_script_execute:
        adom: "{{ adom }}"
        access_token: "{{ access_token }}"
        dvmdb_script_execute:
          adom: "{{ adom }}"
          script: "{{ script_create_address }}"
          package: "{{ package_name }}"

I get the following error

PLAY [Forti Playbook] ***********************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************
ok: [labs-fortimanager]

TASK [Read address content] *****************************************************************************************************************************************************************************************************
ok: [labs-fortimanager]

TASK [Update address script] ****************************************************************************************************************************************************************************************************
changed: [labs-fortimanager]

TASK [Run address script] *******************************************************************************************************************************************************************************************************
fatal: [labs-fortimanager]: FAILED! => {"changed": false, "meta": {"request_url": "/dvmdb/adom/root/script/execute", "response_code": -10, "response_data": [], "response_message": "The data is invalid for selected url", "system_information": {"Admin Domain Configuration": "Enabled", "BIOS version": "04000002", "Branch Point": "1574", "Build": "1574", "Current Time": "Thu Jul 11 10:28:46 CEST 2024", "Daylight Time Saving": "Yes", "FIPS Mode": "Disabled", "HA Mode": "Stand Alone", "Hostname": "labs-fortimanager", "License Status": "Valid", "Major": 7, "Max Number of Admin Domains": 5, "Max Number of Device Groups": 20, "Minor": 2, "Offline Mode": "Disabled", "Patch": 5, "Platform Full Name": "FortiManager-VM64", "Platform Type": "FMG-VM64", "Release Version Information": " (GA)", "Serial Number": "<redacted>", "TZ": "Europe/Amsterdam", "Time Zone": "(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.", "Version": "v7.2.5-build1574 240313 (GA)", "x86-64 Applications": "Yes"}}, "rc": -10}

When running on an earlier 7.2 version of FortiManager it seemed to work.

Here are the versions used:

ansible [core 2.16.8]
---
ansible.netcommon     7.0.0  
ansible.utils         5.0.0  
fortinet.fortimanager 2.5.0  

dux-fortinet commented 2 months ago

Hi @riccardo-roveri-labs,

Based on the error information you provided, the problem comes from fortinet.fortimanager.fmgr_dvmdb_script_execute ("/dvmdb/adom/{adom}/script/execute"), and it seems like the parameter data type is incorrect.

However, both I and my colleague can't reproduce this error. I tested it on FMG 7.2.5 and FMG 7.4.3, and I got no errors.

Please set "enable_log: true" in your playbook, and the log data will be appended to the file /tmp/fortimanager.ansible.log (Every time you log data, the log data will be appended to this file. So I suggest cleaning/deleting this file before you want to start a new log.)

    - name: Run address script
      fortinet.fortimanager.fmgr_dvmdb_script_execute:
        enable_log: true # enable debug log
        adom: "{{ adom }}"
        access_token: "{{ access_token }}"
        dvmdb_script_execute:
          adom: "{{ adom }}"
          script: "{{ script_create_address }}"
          package: "{{ package_name }}"

Please share the log data in /tmp/fortimanager.ansible.log so we can figure out what is the cause.

Thanks, Dux

riccardo-roveri-labs commented 2 months ago

Here is the log file you requested; I also added logging for the create script part. I have verified that the policy package test does exist in that adom, and I can run it on that policy package manually without any problem. Because I am testing it, the adom does not have any device assigned yet.

fortimanager.ansible.log

Let me know if you need anything else, Riccardo

MaxxLiu22 commented 2 months ago

Hi @riccardo-roveri-labs ,

Thank you for providing this information. The argument "package" is required and should be set with an existing package name. Could you please create a package before running your execute task? Here is an example of how you can do this:

    - name: Update address script
      fortinet.fortimanager.fmgr_dvmdb_script:
        access_token: efztmauih3o965c6wys8p99fgg494dpa
        adom: "root"
        state: present
        dvmdb_script:
          name: "script"
          desc: Create address and address group in adom DB
          content: "test3"
          target: "adom_database"
          type: "cli"
      register: change_create_address
    - fmgr_pm_pkg_adom:
        adom: "root"
        pm_pkg_adom:
          name: "ansible"
          type: "pkg"
    - name: Run address script
      fortinet.fortimanager.fmgr_dvmdb_script_execute:
        adom: "root"
        dvmdb_script_execute:
          adom: "root"
          script: "script"
          package: "ansible"

Thanks, Maxx

dux-fortinet commented 2 months ago

Hi @riccardo-roveri-labs,

I tried to mimic the environment you used, including using FMG 7.2.5, logging in with access_token, using the same playbook and same scripts, etc.

My log file is basically exactly like your log file, except the request: {"method": "exec", "params": [{"url": "/dvmdb/adom/root/script/execute", "data": {"adom": "root", "package": "test", "script": "create_address"}}], "session": null, "id": 8, "verbose": 1}

I got

response: {
   "result": [
      {
         "data": {
            "task": 18
         },
         "status": {
            "code": 0,
            "message": "OK"
         },
         "url": "/dvmdb/adom/root/script/execute"
      }
   ],
   "id": 8
}

while in your log file, it is

response: {
   "result": [
      {
         "status": {
            "code": -10,
            "message": "The data is invalid for selected url"
         },
         "url": "/dvmdb/adom/root/script/execute"
      }
   ],
   "id": 8
}

Every JSON request in my log file is exactly like your log file. So I guess maybe there is something wrong with the "test" package, or there is some imperceptible difference between our FMGs. Will you get an error if you change the package_name from "test" to "default"?

Thanks, Dux

riccardo-roveri-labs commented 2 months ago

Hi @dux-fortinet, I already tried that and it did not work, but I will retry and attach the log file. Is there any way to have more detailed logs of the actual request that it is making, and to get more detailed logs from the FortiManager side?

I can try to open a TAC case with FortiGate, but I need more detail to demonstrate that it is not an Ansible-related problem.

Thanks, Riccardo

dux-fortinet commented 2 months ago

Hi @riccardo-roveri-labs,

Here is my log file. github86.log

(FMG 7.2.5, logging in with access_token, using the playbook you provided, using port 1239. I even created an adom 'test' since your FMG also has an adom name 'test' according to your log file.)

For FMG Ansible, everything we need is in the log file. FMG Ansible converts the playbook into 8 JSON requests and sends them to FMG. These 8 requests in your and my log files are exactly the same, but the response of the last request is different. So I think this is not an ansible related problem.

For FMG, please go to System Settings -> Event Log in the FMG GUI.

Please feel free to let us know if you have any questions.

All the best, Dux
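The comparison Dux describes above (lining up the JSON requests of two `enable_log: true` runs and looking at which response carries a non-zero status) can be automated. The following is an added example for this thread, not code from the fortinet.fortimanager collection or from either participant. It assumes the log layout quoted in the thread: a `request: ` or `response: ` prefix followed by one JSON object, either on a single line or pretty-printed over several. The `build_execute_request` helper reproduces the request body quoted above for `/dvmdb/adom/{adom}/script/execute`; the sample logs at the bottom are constructed, not real captures.

```python
"""Diagnostic helpers for logs written by fortinet.fortimanager modules
with enable_log: true. Added example for this thread, not code from the
collection; it assumes the log layout quoted above: lines beginning with
'request: ' or 'response: ' followed by one JSON object, which may be on
one line or pretty-printed over several."""
import json
from typing import List, Optional, Tuple

_DECODER = json.JSONDecoder()


def build_execute_request(adom: str, script: str, package: str,
                          request_id: int, session: Optional[str] = None) -> dict:
    """JSON-RPC body that fmgr_dvmdb_script_execute sends, in the shape of the
    request quoted in this thread (/dvmdb/adom/{adom}/script/execute)."""
    return {"method": "exec",
            "params": [{"url": f"/dvmdb/adom/{adom}/script/execute",
                        "data": {"adom": adom, "package": package, "script": script}}],
            "session": session, "id": request_id, "verbose": 1}


def _extract_json(text: str, marker: str) -> List[dict]:
    """Every JSON object that follows `marker` in the log, in order."""
    objs, pos = [], 0
    while (idx := text.find(marker, pos)) >= 0:
        start = idx + len(marker)
        while start < len(text) and text[start].isspace():
            start += 1
        try:
            obj, pos = _DECODER.raw_decode(text, start)
            objs.append(obj)
        except json.JSONDecodeError:  # truncated payload: skip this marker
            pos = start
    return objs


def failed_calls(log_text: str) -> List[dict]:
    """Each FMG call whose result status is non-zero, paired with the request
    of the same id, so url, code, message and the submitted data are together."""
    responses = {r.get("id"): r for r in _extract_json(log_text, "response:")}
    failures = []
    for req in _extract_json(log_text, "request:"):
        resp = responses.get(req.get("id"))
        sent = (req.get("params") or [{}])[0]
        if resp is None:
            failures.append({"id": req.get("id"), "url": sent.get("url"), "code": None,
                             "message": "no response logged", "data": sent.get("data")})
            continue
        for result in resp.get("result", []):
            status = result.get("status", {})
            if status.get("code", 0) != 0:
                failures.append({"id": req.get("id"), "url": result.get("url", sent.get("url")),
                                 "code": status.get("code"), "message": status.get("message"),
                                 "data": sent.get("data")})
    return failures


def _signature(req: dict) -> Tuple:
    p = (req.get("params") or [{}])[0]
    return (req.get("method"), p.get("url"), json.dumps(p.get("data"), sort_keys=True))


def differing_requests(log_a: str, log_b: str) -> List[int]:
    """0-based positions where the request sequences of two logs differ in
    method, url or data (session and id are ignored: they differ every run)."""
    a = [_signature(r) for r in _extract_json(log_a, "request:")]
    b = [_signature(r) for r in _extract_json(log_b, "request:")]
    return [i for i in range(max(len(a), len(b)))
            if i >= len(a) or i >= len(b) or a[i] != b[i]]


# Constructed sample logs (not real captures), in the layout quoted in the
# thread: a script 'set' followed by the 'execute' call, one run OK, one -10.
_SET = ('request: {"method": "set", "params": [{"url": "/dvmdb/adom/root/script", '
        '"data": {"name": "create_address", "target": "adom_database", "type": "cli"}}], '
        '"session": "s1", "id": 7, "verbose": 1}\n'
        'response: {"result": [{"status": {"code": 0, "message": "OK"}, '
        '"url": "/dvmdb/adom/root/script"}], "id": 7}\n')
_EXEC = "request: " + json.dumps(build_execute_request("root", "create_address", "test", 8, "s1")) + "\n"
OK_LOG = _SET + _EXEC + """response: {
   "result": [
      {
         "data": {"task": 18},
         "status": {"code": 0, "message": "OK"},
         "url": "/dvmdb/adom/root/script/execute"
      }
   ],
   "id": 8
}
"""
FAIL_LOG = _SET + _EXEC + """response: {
   "result": [
      {
         "status": {"code": -10, "message": "The data is invalid for selected url"},
         "url": "/dvmdb/adom/root/script/execute"
      }
   ],
   "id": 8
}
"""

if __name__ == "__main__":
    for f in failed_calls(FAIL_LOG):
        print(f"id {f['id']} {f['url']}: {f['code']} {f['message']} data={f['data']}")
    print("requests that differ between runs:", differing_requests(OK_LOG, FAIL_LOG))
```

Run against a real `/tmp/fortimanager.ansible.log` by reading the file into `failed_calls` and, with a second log from a working FMG, into `differing_requests`: an empty difference list together with a single `-10` entry is exactly the situation in this thread, and the failing entry's `url`, `code`, `message` and `data` are what a support case needs.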

riccardo-roveri-labs commented 2 months ago

Hi @dux-fortinet,

Thanks for your help; it is evident that it is not a problem in Ansible. I will create a TAC case with Fortinet to further investigate this issue.

All the best, Riccardo