fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

module fortios_router_static bug on fortigate F100 from 6.2 to 7.2.1 #202

Closed oswinfox closed 1 year ago

oswinfox commented 1 year ago

Hello everyone,

I am using the Ansible Fortios collection (Version: fortinet.fortios:2.1.7) with an F100 model that is on version:

I always have the same issue when running my code to create IPv4 static rules: once my rule is created (and I can see it on the webgui after I run the Ansible playbook to add the network routes), the route is not working. I have to manually connect to the webgui, edit the created rule and save it to make it work.

Also here is how it shows after I run the code on a 7.2.1 F100:

| Destination | GW IP | Interface | Comments | Status |
| --- | --- | --- | --- | --- |
| 0.0.0.0/0 | (Unknown) | IBA_office (ibauntrust) | Default IPv4 static routing | Enabled |

As you can see, in version 7.0 / 7.2.1 Unknown is what is placed as the gateway on the webgui instead of the actual gateway IP, which should be 10.1.1.254. This does not happen on V6.4, but the issue remains the same: the route does not work before I manually make the change!

Solution: manually in the webgui I edit the rule and press save, and now I can see this:

| Destination | GW IP | Interface | Comments | Status |
| --- | --- | --- | --- | --- |
| 0.0.0.0/0 | 10.1.1.254 | IBA_office (ibauntrust) | Default IPv4 static routing | Enabled |

And only then the route is working again and I can ping / connect with HTTPS or SSH to the fortigate.

If you need more info please let me know!

Kind regards

MaxxLiu22 commented 1 year ago

Hi @oswinfox ,

Thanks for raising this issue. I created an IPv4 static router on fortios 7.2.0 and 7.0.4, and everything seems good. Here is my configuration for reference; if you can provide your configuration file, I'd like to figure out what is happening.

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
  - name: Configure IPv4 static routing tables.
    fortios_router_static:
      vdom: "root"
      state: "present"
      access_token: "token"
      router_static:
        comment: "Default IPv4 static routing"
        device: "port2"
        gateway: "10.1.1.154"
        seq_num: "2"
        status: "enable"

Thanks, Maxx

oswinfox commented 1 year ago

Hello @MaxxLiu22,

Thanks for your answer. I created a role and it looks like this:

- name: '{{ fortigate_route_vdom }} Configure IPv4 static {{ fortigate_route_comment }} routing tables.'
  when: fresh_new_env
  fortios_router_static:
    vdom: "{{ fortigate_route_vdom }}"
    state: "present"
    router_static:
      comment: "{{ fortigate_route_comment }}"
      device: "{{ fortigate_route_device }}"
      distance: "10"
      dst: "{{ fortigate_route_dst }}"
      dynamic_gateway: "enable"
      gateway: "{{ fortigate_route_gw }}"
      priority: "15"
      seq_num: "{{ fortigate_route_seqnum }}"
      status: "enable"

Thanks for your help!

oswinfox commented 1 year ago

Hey,

What is this dynamic_gateway option doing? Because if I delete it from my code, then it works. I guess this is also not needed to create static rules, so I am not sure why this was added.

Thanks!

MaxxLiu22 commented 1 year ago

Hi @oswinfox ,

So glad to hear it works. I found an example that enables the "dynamic_gateway" argument; I hope that is helpful. Technical-Tip-Static-route-for-DHCP-PPPoE-interfaces

Thanks, Maxx

oswinfox commented 1 year ago

Hello @MaxxLiu22,

Thanks for the link and information! I checked and indeed in my config the dynamic gateway isn't needed, I guess that was a mistake in our Ansible code!

Thanks
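
A pre-flight check for the misconfiguration this thread ended on, as an added example that is not part of the thread or of the fortinet.fortios collection: it flags a `fortios_router_static` task that sets `dynamic_gateway: "enable"` together with a fixed `gateway`, plus the disabled certificate validation and literal `access_token` visible in the reference playbook. The function names, rule names and sample play are assumptions constructed for illustration; the play is passed in as already-parsed YAML.

```python
# Added example: pre-flight lint for FortiOS playbooks, run on already-parsed YAML.
# Rule names and the sample play are constructed; they mirror the thread's snippets.

def _is_off(value):
    """True for YAML-style false values (no / false / off / 0)."""
    return value is False or str(value).strip().lower() in {"no", "false", "off", "0"}

def _is_templated(value):
    """True when the value is a Jinja2 expression rather than a literal."""
    return "{{" in str(value)

def audit_play(play):
    """Return a list of (rule, location) findings for one parsed play."""
    findings = []
    # TLS certificate validation switched off for the httpapi connection.
    if _is_off(play.get("vars", {}).get("ansible_httpapi_validate_certs", True)):
        findings.append(("tls-validation-disabled", "vars"))
    for task in play.get("tasks", []):
        args = task.get("fortios_router_static")
        if not isinstance(args, dict):
            continue
        name = task.get("name", "<unnamed>")
        # An API token written into the playbook instead of a (vaulted) variable.
        token = args.get("access_token")
        if token is not None and not _is_templated(token):
            findings.append(("literal-access-token", name))
        # The combination the thread found to leave the route gateway as "Unknown".
        route = args.get("router_static") or {}
        if route.get("dynamic_gateway") == "enable" and route.get("gateway"):
            findings.append(("dynamic-gateway-with-fixed-gateway", name))
    return findings

# Constructed sample: the reference playbook's settings plus the role's dynamic_gateway.
SAMPLE_PLAY = {
    "hosts": "fortigates",
    "vars": {"vdom": "root", "ansible_httpapi_validate_certs": False},
    "tasks": [{
        "name": "Configure IPv4 static routing tables.",
        "fortios_router_static": {
            "vdom": "root", "state": "present", "access_token": "token",
            "router_static": {"device": "port2", "dynamic_gateway": "enable",
                              "gateway": "10.1.1.254", "seq_num": "2",
                              "status": "enable"},
        },
    }],
}

if __name__ == "__main__":
    for rule, where in audit_play(SAMPLE_PLAY):
        print(f"{rule}: {where}")
```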