Can we use ssh instead of httpapi

fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

85 stars 49 forks source link

Can we use ssh instead of httpapi #172

Open gaetanquentin opened 2 years ago

gaetanquentin commented 2 years ago

Hi,

is httpapi the only way to use modules? Where is it wriiten in the documentation? Can we use ssh instead?

Is there a way to use network_cli+ssh with fortios?

Regards, Gaetan

JieX19 commented 2 years ago

Hi @gaetanquentin

We only support httpapi for all the Ansible projects so far. Also, we suggest using access_token instead of username+password to log in. Why do you need to use ssh with fortios?

gaetanquentin commented 2 years ago

we need to imitate L1 support with ansible.

L1 support launch commands in ssh at the console like this:

diagnose hardware info

and our security teams want us to use ssh instead of httpapi.

network_cli+ssh is clearly the solution.

gaetanquentin commented 2 years ago

so there is no support for ansible.netcommon.cli_command? we can't send classic commands to fortigates in terminal mode with ansible?

alagoutte commented 2 years ago

so there is no support for ansible.netcommon.cli_command? we can't send classic commands to fortigates in terminal mode with ansible?

What the use case for SSH and not httpapi ? because ssh it is not really API ;-) (you need to implement stuff for convert SSH output...)

JieX19 commented 2 years ago

@alagoutte

For your case, you can use Ansible 'raw' module. Here's an example https://ansible-galaxy-fortios-docs.readthedocs.io/en/galaxy-2.1.5/faq.html#how-to-work-with-raw-fotios-cli

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/raw_module.html

gaetanquentin commented 2 years ago

so there is no support for ansible.netcommon.cli_command? we can't send classic commands to fortigates in terminal mode with ansible?

What the use case for SSH and not httpapi ? because ssh it is not really API ;-) (you need to implement stuff for convert SSH output...)

2 uses cases:

when api is buggy and you have to wait months, may be years for a fix. Exemple: https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/issues/136
- when there is no api equivalent of what the console commands give

gaetanquentin commented 2 years ago

@alagoutte

For your case, you can use Ansible 'raw' module. Here's an example https://ansible-galaxy-fortios-docs.readthedocs.io/en/galaxy-2.1.5/faq.html#how-to-work-with-raw-fotios-cli

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/raw_module.html

well so, you let us only too choices:

the buggy http api where we need to wait for months for a fix
a non-ansible solution since it is a bash solution and we need to do 'expect things ' manualy to read the screen

i think a network_cli solution would be better than the last one:
- it is more ansible
- it controls questiond/answers to terminal
- we can have access to everything the console can do.

Regards