fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Question with ipv4 policies #218

Closed PVD619 closed 1 year ago

PVD619 commented 1 year ago

Hello everyone: Is it possible to add two or more object networks as a src or service in fmgr_pkg_firewall_policy.yml?

MaxxLiu22 commented 1 year ago

Hi @PVD619 ,

Thank you for raising this issue. This is related to Ansible FMG, but I can still reproduce this issue on my side and have reported it to the development team. I will let you know once there is a fix update.

Thanks, Maxx

MaxxLiu22 commented 1 year ago

Hi @PVD619 ,

This issue is caused by an API schema change. We suggest setting bypass_validation: True as a temporary solution. The following code is for your reference; please let me know if you still have questions.

- hosts: fortimanagers
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
    - name: Configure IPv4 policies.
      fmgr_pkg_firewall_policy:
        bypass_validation: True
        adom: root
        pkg: default # package name
        state: present
        pkg_firewall_policy:
          action: accept
          comments: ansible-comment
          dstaddr: all
          dstintf: any
          name: ansible-test-policy
          nat: disable
          policyid: 9
          schedule: always
          service:
            - "ALL_ICMP"
            - "ALL_TCP"
          srcaddr:
            - "gmail.com"
            - "SSLVPN_TUNNEL_ADDR1"
          srcintf: any
          status: disable

Thanks, Maxx

JieX19 commented 1 year ago

Hi @PVD619,

FYI, I just moved the issue under the fortimanager project. You can raise and reply to any questions there.

babakb22 commented 1 year ago

Hello everyone: Is it possible to add two or more object networks as a src or service in fmgr_pkg_firewall_policy.yml?

If you import the Python library from the galaxy and make some changes, you can use multiple objects. You should change the 'type' from 'str' to 'list'. For example, in the following code snippet, I did the same for service and it is working fine:

           'service': {
               'required': False,
               'revision': {
                   '6.0.0': True,
                   '6.2.1': True,
                   '6.2.3': True,
                   '6.2.5': True,
                   '6.4.0': True,
                   '6.4.2': True,
                   '6.4.5': True,
                   '7.0.0': True
               },
               'type': 'list'  # <----------------- changed from 'str'
           },

Same can be done for srcaddr, dstaddr, etc.

I have raised another issue and am waiting for it to be resolved: https://github.com/fortinet-ansible-dev/ansible-galaxy-fortimanager-collection/issues/49

HTH
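The two workarounds in this thread (setting bypass_validation, or patching the parameter 'type' from 'str' to 'list') both act on the module's local argument check. The following is an added, simplified model of that check, not code from the fortinet.fortimanager collection; the schema fragments and the policy values are constructed from the thread, and it shows why two service or srcaddr objects fail under 'str', pass under 'list', and are never checked locally when the bypass flag is set.

```python
"""Simplified model of a per-parameter argument schema check.

Added illustration only; the real collection's validation code is not
reproduced here.  Schema shape follows the fragment quoted in the thread.
"""

# Constructed schema fragments: 'str' is the type that rejects
# multi-object values, 'list' is the type babakb22 patched in.
SCHEMA_STR = {
    "service": {"required": False, "type": "str"},
    "srcaddr": {"required": False, "type": "str"},
}
SCHEMA_LIST = {
    "service": {"required": False, "type": "list"},
    "srcaddr": {"required": False, "type": "list"},
}

# Constructed policy parameters, taken from Maxx's example playbook.
POLICY = {
    "service": ["ALL_ICMP", "ALL_TCP"],
    "srcaddr": ["gmail.com", "SSLVPN_TUNNEL_ADDR1"],
}


def validate(params, schema, bypass_validation=False):
    """Return a list of validation errors; an empty list means the params pass.

    With bypass_validation=True nothing is checked locally, so a type
    mismatch only surfaces later as an error returned by the FortiManager
    API, which is why it is a temporary workaround rather than a fix.
    """
    if bypass_validation:
        return []
    errors = []
    for key, value in params.items():
        spec = schema.get(key)
        if spec is None:
            errors.append(f"{key}: not in schema")
            continue
        if spec["type"] == "list":
            # A single scalar is accepted as a one-element list, as Ansible
            # list parameters normally are; an actual list passes as-is.
            ok = isinstance(value, (str, list))
        else:
            ok = isinstance(value, str)
        if not ok:
            errors.append(f"{key}: expected {spec['type']}, got {type(value).__name__}")
    return errors
```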