fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Backup system config on Fortigate 6.4.7 : error in repo #196

Closed R1sCh0 closed 1 year ago

R1sCh0 commented 2 years ago

Hi, I'm trying to perform a system configuration backup of my Fortinet FortiGate 6.4.7 firewall using your fortinet.fortios module, but it doesn't seem to work: I keep getting the message "error in repo" and I don't understand why.

First, here's an extract of my inventory file:

    Fortinet:
      hosts:
        FORTINET-HOST1:
          ansible_host: 10.X.X.X
          ansible_connection: httpapi
          ansible_httpapi_port: 443
          ansible_network_os: fortinet.fortios.fortios
          fortios_access_token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          # host variables sit directly under the host entry; a "vars:" key
          # holding a list would only create a host variable named "vars"
          classification: "UNCLA"

Here's the playbook I run. It is basically a copy/paste of the one provided here: https://ansible-galaxy-fortios-docs.readthedocs.io/en/latest/faq.html#restore-settings-from-local-file. I had to edit this playbook to use "fortios_monitor" instead of "fortios_monitor_fact" and the selector "backup.system.config" instead of "system_config_backup", because if I use the values provided in your docs, Ansible returns an error saying that the selector is not valid.

- name: Backup Fortinet Firewalls
  hosts: Fortinet
  connection: httpapi
  collections:
    - fortinet.fortios
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    ansible_network_os: fortinet.fortios.fortios  # the httpapi plugin reads ansible_network_os, not ansible_os_network
    fortios_access_token: XXXXXXXXXXXXXXXXXXXXXXXXX

  tasks:
    - name: Backup a virtual domain.
      fortios_monitor:
        access_token: '{{ fortios_access_token }}'
        enable_log: yes
        selector: 'backup.system.config'
        vdom: 'root'
        params:
          scope: 'global'
      register: backupinfo

    - debug:
        var: backupinfo

    - name: Save the backup information.
      copy:
        content: '{{ backupinfo.meta.raw }}'
        dest: './local.backup'

Here's the ansible command that I run:

ansible-playbook -i inventory.yaml backup_forti.yaml

And here's the output with the verbose option:

PLAYBOOK: backup_cla_forti.yaml ****************************************************************************************************************************************************
1 plays in backup_cla_forti.yaml

PLAY [Backup Fortinet Firewalls] ***************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************
task path: /root/Documents/ansible/backup_cla_forti.yaml:2
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
<10.X.X.X> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.X.X.X> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-local-5127014izm7x7 `"&& mkdir "` echo /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421464.0044568-51275-190261520072339 `" && echo ansible-tmp-1661421464.0044568-51275-190261520072339="` echo /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421464.0044568-51275-190261520072339 `" ) && sleep 0'
Using module file /usr/local/python/lib/python3.10/site-packages/ansible/modules/setup.py
<10.X.X.X> PUT /root/.ansible/tmp/ansible-local-5127014izm7x7/tmp4n4ob9mu TO /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421464.0044568-51275-190261520072339/AnsiballZ_setup.py
<10.X.X.X> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421464.0044568-51275-190261520072339/ /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421464.0044568-51275-190261520072339/AnsiballZ_setup.py && sleep 0'
<10.X.X.X> EXEC /bin/sh -c '/usr/local/python/bin/python3.10 /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421464.0044568-51275-190261520072339/AnsiballZ_setup.py && sleep 0'
<10.X.X.X> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421464.0044568-51275-190261520072339/ > /dev/null 2>&1 && sleep 0'
ok: [FORTINET-HOST1]
META: ran handlers

TASK [Backup a virtual domain.] ****************************************************************************************************************************************************
task path: /root/Documents/ansible/backup_cla_forti.yaml:16
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
<10.X.X.X> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.X.X.X> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-local-5127014izm7x7 `"&& mkdir "` echo /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421465.4549465-51377-280965009050298 `" && echo ansible-tmp-1661421465.4549465-51377-280965009050298="` echo /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421465.4549465-51377-280965009050298 `" ) && sleep 0'
Using module file /usr/local/python/lib/python3.10/site-packages/ansible_collections/fortinet/fortios/plugins/modules/fortios_monitor.py
<10.X.X.X> PUT /root/.ansible/tmp/ansible-local-5127014izm7x7/tmpodkbsve7 TO /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421465.4549465-51377-280965009050298/AnsiballZ_fortios_monitor.py
<10.X.X.X> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421465.4549465-51377-280965009050298/ /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421465.4549465-51377-280965009050298/AnsiballZ_fortios_monitor.py && sleep 0'
<10.X.X.X> EXEC /bin/sh -c '/usr/local/python/bin/python3.10 /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421465.4549465-51377-280965009050298/AnsiballZ_fortios_monitor.py && sleep 0'
<10.X.X.X> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-5127014izm7x7/ansible-tmp-1661421465.4549465-51377-280965009050298/ > /dev/null 2>&1 && sleep 0'
fatal: [FORTINET-HOST1]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "enable_log": true,
            "params": {
                "scope": "global"
            },
            "selector": "backup.system.config",
            "vdom": "root"
        }
    },
    "meta": {
        "action": "backup",
        "build": 1911,
        "http_status": 405,
        "name": "config",
        "path": "system",
        "serial": "FG101FXXXXXXXXXX",
        "status": "error",
        "version": "v6.4.7"
    },
    "msg": "Error in repo"
}

PLAY RECAP *************************************************************************************************************************************************************************
FORTINET-HOST1                    : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

I tried to enable "diagnose debug enable" with "diagnose application httpsd -1" to see if I had more information, but I get this:

[httpsd 385 - 1661417616  warning] api_access_check_for_api_key[955] -- API Key request authorized for lch_api from 172.X.X.X.
[httpsd 385 - 1661417616     info] api_store_parameter[248] -- add API parameter 'vdom' (type=string)
[httpsd 385 - 1661417616     info] api_store_parameter[248] -- add API parameter 'action' (type=string)
[httpsd 385 - 1661417616     info] api_store_parameter[248] -- add API parameter 'access_token' (type=string)
[httpsd 385 - 1661417616     info] handle_cli_req_v2_vdom[2399] -- new CMDB API request (vdom='root',user='lch_api')
[httpsd 385 - 1661417616     info] api_cmdb_request_init_by_path[1563] -- new CMDB query (path='system',name='interface')
[httpsd 385 - 1661417616     info] api_cmdb_guino_etag[2602] -- Static ETag check for system.interface
[httpsd 385 - 1661417616     info] cmdb_generate_schema[1199] -- generating schema for system.interface
[httpsd 385 - 1661417616     info] fweb_debug_final[248] -- Completed GET request for "/api/v2/cmdb/system/interface" (HTTP 200 OK)
[httpsd 407 - 1661417616     info] fweb_debug_init[343] -- New POST request for "/api/v2/monitor/system/config/backup" from "172.X.X.X:31460"
[httpsd 407 - 1661417616     info] fweb_debug_init[344] -- User-Agent: "Python-urllib/3.10"
[httpsd 407 - 1661417616     info] fweb_debug_init[346] -- Handler "api_monitor_v2-handler" assigned to request
[httpsd 407 - 1661417616  warning] api_access_check_for_api_key[955] -- API Key request authorized for lch_api from 172.X.X.X.
[httpsd 407 - 1661417616  warning] get_endpoint_v2[259] -- no matching method found
[httpsd 407 - 1661417616  warning] api_return_http_result[757] -- API error 405 raised
[httpsd 407 - 1661417616     info] fweb_debug_final[248] -- Completed POST request for "/api/v2/monitor/system/config/backup" (HTTP 405)
[httpsd 380 - 1661417616     info] fweb_debug_init[343] -- New POST request for "/logout" from "172.X.X.X:31972"
[httpsd 380 - 1661417616     info] fweb_debug_init[344] -- User-Agent: "Python-urllib/3.10"
[httpsd 380 - 1661417616     info] fweb_debug_init[346] -- Handler "logout-handler" assigned to request
[httpsd 380 - 1661417616     info] fweb_debug_final[248] -- Completed POST request for "/logout" (HTTP 200)

The important part of this last log is: get_endpoint_v2[259] -- no matching method found. It's just like the API doesn't have a method for config backup.

I'm able to do a config backup from the GUI and it works perfectly. I am also able to perform other actions with Ansible, like "save.system.config", but backup.system.config is not working at all.

Can you help?

Thanks,

R1sCh0
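To make a trace like the one above easier to read, here is an added Python example (not code from the issue or from the fortinet.fortios collection) that groups `diagnose debug application httpsd -1` lines by httpsd worker PID and reports each request's method, path, handler, warnings and final HTTP status, so a failing API call stands out without reading the whole trace. The sample lines are a constructed excerpt shaped like the trace in this issue, with addresses masked; the line format is inferred from that trace and is an assumption for other firmware builds.

```python
"""Summarise FortiOS httpsd debug output per request.

Added example; the log line format is inferred from the trace in this issue.
"""
import re

# Constructed sample shaped like the issue's trace (addresses masked).
# The first two lines belong to a request whose "New ... request" line was
# not captured, as at the top of the trace in the issue; they are skipped.
SAMPLE_LOG = """\
[httpsd 385 - 1661417616     info] cmdb_generate_schema[1199] -- generating schema for system.interface
[httpsd 385 - 1661417616     info] fweb_debug_final[248] -- Completed GET request for "/api/v2/cmdb/system/interface" (HTTP 200 OK)
[httpsd 407 - 1661417616     info] fweb_debug_init[343] -- New POST request for "/api/v2/monitor/system/config/backup" from "172.X.X.X:31460"
[httpsd 407 - 1661417616     info] fweb_debug_init[344] -- User-Agent: "Python-urllib/3.10"
[httpsd 407 - 1661417616     info] fweb_debug_init[346] -- Handler "api_monitor_v2-handler" assigned to request
[httpsd 407 - 1661417616  warning] api_access_check_for_api_key[955] -- API Key request authorized for lch_api from 172.X.X.X.
[httpsd 407 - 1661417616  warning] get_endpoint_v2[259] -- no matching method found
[httpsd 407 - 1661417616  warning] api_return_http_result[757] -- API error 405 raised
[httpsd 407 - 1661417616     info] fweb_debug_final[248] -- Completed POST request for "/api/v2/monitor/system/config/backup" (HTTP 405)
[httpsd 380 - 1661417616     info] fweb_debug_init[343] -- New POST request for "/logout" from "172.X.X.X:31972"
[httpsd 380 - 1661417616     info] fweb_debug_final[248] -- Completed POST request for "/logout" (HTTP 200)
"""

# "[httpsd <pid> - <epoch>   <level>] <function>[<line>] -- <message>"
LINE_RE = re.compile(
    r'^\[httpsd (?P<pid>\d+) - (?P<ts>\d+)\s+(?P<level>\w+)\] '
    r'(?P<func>\w+)\[\d+\] -- (?P<msg>.*)$'
)
NEW_RE = re.compile(r'New (?P<method>[A-Z]+) request for "(?P<path>[^"]+)" from "(?P<peer>[^"]+)"')
DONE_RE = re.compile(r'Completed [A-Z]+ request for "[^"]+" \(HTTP (?P<status>\d+)')


def summarise_requests(log_text):
    """One dict per request, in order of appearance: method, path, peer,
    handler, warning messages and final HTTP status (None if never completed).
    Lines for a PID with no captured start line are skipped."""
    requests, in_flight = [], {}   # in_flight: pid -> request currently being served
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, msg = m['pid'], m['msg']
        new = NEW_RE.search(msg)
        if new:
            req = {'pid': int(pid), 'method': new['method'], 'path': new['path'],
                   'peer': new['peer'], 'handler': None, 'warnings': [], 'status': None}
            in_flight[pid] = req
            requests.append(req)
            continue
        req = in_flight.get(pid)
        if req is None:
            continue
        if msg.startswith('Handler "'):
            req['handler'] = msg.split('"')[1]
        elif m['level'] == 'warning':
            req['warnings'].append(msg)
        done = DONE_RE.search(msg)
        if done:
            req['status'] = int(done['status'])
            del in_flight[pid]   # the worker PID may be reused by a later request
    return requests


def failed_requests(log_text):
    """Requests that returned a 4xx/5xx status or never completed."""
    return [r for r in summarise_requests(log_text)
            if r['status'] is None or r['status'] >= 400]


if __name__ == "__main__":
    for r in summarise_requests(SAMPLE_LOG):
        flag = "FAIL" if r['status'] is None or r['status'] >= 400 else "ok"
        print(f"[{flag}] pid={r['pid']} {r['method']} {r['path']} -> {r['status']} handler={r['handler']}")
        for w in r['warnings']:
            print(f"       warning: {w}")
```

Run it against a saved trace with `summarise_requests(open('httpsd.log').read())`; in the sample, the only failed entry is the POST to the backup endpoint, with "no matching method found" listed among its warnings, which is exactly the GET-versus-POST mismatch discussed later in this thread.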

slazer2au commented 2 years ago

Because you are running a FortiOS version before 6.4.9 you need to downgrade your Ansible FortiOS Galaxy package to 2.1.4.

Then change fortios_monitor to fortios_monitor_fact, and change your selector from backup.system.config to system_config_backup.

Everything else should be fine.

Alternatively, your playbook is correct and will start working if you upgrade your FortiGate to anything later than 6.4.9 or 7.0.2.

lix-fortinet commented 2 years ago

Hi @slazer2au,

Thank you for your comment.

Thanks, Xing

lix-fortinet commented 2 years ago

Hi @R1sCh0,

Thank you for raising this issue. The team is working on it. We will fix it in the next release.

The REST API for backing up the FortiOS configuration changed from GET to POST in FortiOS v7.0.2. So fortios_monitor will not work on FortiOS v6.4.7. But the Ansible FortiOS Galaxy collection removed system_config_backup from fortios_monitor_fact by mistake in v2.1.5. The solutions for this issue before the next release are:

  1. Downgrade the Ansible FortiOS Galaxy collection to v2.1.4, and use fortios_monitor_fact;
  2. Upgrade FortiOS to v7.0.2+, and use fortios_monitor.

Please let me know if you have any questions.

Thanks, Xing
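The version-dependent HTTP method is the whole story here, so as an added example (not part of this issue, of the fortinet.fortios collection, or of any Fortinet tooling) here is a small Python client that picks GET or POST for the monitor backup endpoint from the firmware version the unit reports, and turns an HTTP 405 into an explicit message instead of "Error in repo". The endpoint path and the scope/vdom parameters come from the httpsd trace in this thread and the 7.0.2 cut-over from the maintainer's comment above; the bearer-token header and the JSON body used for the POST form are assumptions.

```python
"""Version-aware FortiOS configuration backup over the REST API.

Added example, not part of the fortinet.fortios collection. The GET->POST
cut-over at 7.0.2 follows the maintainer's comment in this thread; the
endpoint path and scope/vdom parameters follow the httpsd trace; bearer-token
auth and a JSON body for the POST form are assumptions.
"""
import json
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request

BACKUP_PATH = "/api/v2/monitor/system/config/backup"
POST_SINCE = (7, 0, 2)  # first firmware that expects POST for this endpoint


def parse_version(version):
    """'v6.4.7' or '7.0.2,build0234' -> (6, 4, 7) / (7, 0, 2)."""
    core = version.strip().lstrip("vV").split(",")[0]
    return tuple(int(part) for part in core.split("."))


def plan_backup_request(version, scope="global", vdom="root"):
    """Return (method, path, query_params, json_body) for the firmware version.

    scope='global' backs up the whole unit; scope='vdom' backs up one VDOM
    and needs the vdom name alongside it."""
    params = {"scope": scope}
    if scope == "vdom":
        params["vdom"] = vdom
    if parse_version(version) >= POST_SINCE:
        return "POST", BACKUP_PATH, {}, params   # parameters travel in the JSON body
    return "GET", BACKUP_PATH, params, None      # parameters travel in the query string


def explain_status(code):
    """Turn the HTTP status into something more useful than 'Error in repo'."""
    return {
        401: "401: the API token was rejected",
        403: "403: the API user's profile does not permit this call",
        404: "404: the endpoint path is not known to this firmware",
        405: "405: firmware and client disagree on GET vs POST for this endpoint "
             "(GET before 7.0.2, POST from 7.0.2 on)",
    }.get(code, f"HTTP {code}")


def fetch_backup(host, token, version, scope="global", vdom="root", cafile=None):
    """Perform the backup request and return the configuration text as bytes.
    TLS verification stays on; pass cafile for a private CA."""
    method, path, query, body = plan_backup_request(version, scope, vdom)
    url = f"https://{host}{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    headers = {"Authorization": f"Bearer {token}"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"backup failed: {explain_status(err.code)}") from err


if __name__ == "__main__":
    # Placeholder inputs; set FGT_HOST / FGT_TOKEN / FGT_VERSION for a real unit.
    host = os.environ.get("FGT_HOST", "fortigate.example.invalid")
    token = os.environ.get("FGT_TOKEN", "REPLACE_WITH_API_TOKEN")
    version = os.environ.get("FGT_VERSION", "v6.4.7")
    print("plan:", plan_backup_request(version))
    if host != "fortigate.example.invalid":
        with open("local.backup", "wb") as fh:
            fh.write(fetch_backup(host, token, version))
```

The version string can be read beforehand from the `meta.version` field the collection returns (the failing run above reports `"version": "v6.4.7"`), so the same playbook logic can branch on firmware instead of hard-coding one module; TLS verification is left on rather than copying `ansible_httpapi_validate_certs: no` from the playbook, because a config backup carries the full firewall policy and credentials hashes.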

otxi commented 2 years ago

Hi @R1sCh0,

I got the same issue, and when I downgraded the collection to version 2.1.4 in a virtual environment via Ansible AWX, it's working pretty well. Unfortunately, if I have several vdoms, scope global doesn't seem to work, only vdom.

Do you get the same, or is everything working for you?

R1sCh0 commented 2 years ago

Hi txk3n,

I forgot to answer this thread, but for me the easier solution was to downgrade the collection to v2.1.4, and it's working on my root vdom (because it's my only one for the moment). I think the reason it's not working for you is that this playbook is about vdom backup. So if you have several vdoms, you should execute this task for each vdom.

lix-fortinet commented 2 years ago

Hi @R1sCh0,

We tested on our side. FortiOS Ansible collection v2.1.4 has some issues getting the configuration file with scope global. v2.1.2 works with scope global. Could you downgrade the FortiOS Ansible collection to v2.1.2 and try it again? We will fix this issue in the next release.

Thanks, Xing

lix-fortinet commented 1 year ago

Hi @R1sCh0, @txk3n,

This issue is fixed on the latest release of FortiOS Ansible collection v2.2.0. Please switch to v2.2.0 and try it again.

Please let me know if you have any questions.

Thanks, Xing

foxpatil commented 1 year ago

@lix-fortinet I did upgrade to v2.0.0; still I'm facing the same issue. Can you help?

lix-fortinet commented 1 year ago

Hi @foxpatil,

The latest version is v2.2.0. Could you try switching to v2.2.0 and try it again? Please let me know if you have any questions.

Thanks, Xing

foxpatil commented 1 year ago

Thank you for the quick response lix-fortinet,

The issue is resolved using scope as my single vdom (root in my case), but when I set scope as global it fails. Are any further modifications needed? Below is my playbook. If I want to take a global backup, will it be possible?


JieX19 commented 1 year ago

Hi @R1sCh0

We've fixed the issue in version 2.2.0. Let us know if you have any questions.

Thanks, Jie