fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

fortios_configuration_fact: selector: firewall_policy | Order of the filter objects has a dependency with the policy objects #263

Closed ronrem closed 5 days ago

ronrem commented 1 year ago

Hi,

I'm using an Ansible playbook to look up a specific policy in a Fortigate firewall. This works well if the order of the address and/or service objects is the same as in the firewall configuration.

Hereby an example for reproducing.

1) The firewall policy contains the following configuration:

my-FGvm01 # show firewall policy 7
config firewall policy
    edit 7
        set name "My first policy"
        set uuid 2a670234-31d0-51ee-835f-3ddbd0c7a1e6
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "srv1"
        set dstaddr "srv2"
        set action accept
        set schedule "always"
        set service "tcp-1234" "tcp-2345" "tcp-3456" "tcp-4567"
        set nat enable
    next
end

2) My Ansible-playbook looks like this:

    - name: Get configuration firewall_security-policy
      fortinet.fortios.fortios_configuration_fact:
        selectors:
          - selector: firewall_policy
            filters:
              - dstaddr==srv2
              - service==tcp-1234 tcp-2345 tcp-3456 tcp-4567
            formatters:
              - action
              - dstaddr
              - dstintf
              - name
              - policyid
              - service
              - srcaddr
              - srcintf
      register: config_firewall_address

3) The output of my Ansible-playbook is:

ok: [fortigate01] => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_token": null,
            "enable_log": false,
            "filters": null,
            "formatters": null,
            "params": null,
            "selector": null,
            "selectors": [
                {
                    "filters": [
                        "dstaddr==srv2",
                        "service==tcp-1234 tcp-2345 tcp-3456 tcp-4567"
                    ],
                    "formatters": [
                        "action",
                        "dstaddr",
                        "dstintf",
                        "name",
                        "policyid",
                        "service",
                        "srcaddr",
                        "srcintf"
                    ],
                    "params": null,
                    "selector": "firewall_policy",
                    "sorters": null
                }
            ],
            "sorters": null,
            "vdom": "root"
        }
    },
    "meta": [
        {
            "build": 1190,
            "http_method": "GET",
            "http_status": 200,
            "name": "policy",
            "path": "firewall",
            "results": [
                {
                    "action": "accept",
                    "dstaddr": [
                        {
                            "name": "srv2",
                            "q_origin_key": "srv2"
                        }
                    ],
                    "dstintf": [
                        {
                            "name": "port2",
                            "q_origin_key": "port2"
                        }
                    ],
                    "name": "My first policy",
                    "policyid": 7,
                    "q_origin_key": 7,
                    "service": [
                        {
                            "name": "tcp-1234",
                            "q_origin_key": "tcp-1234"
                        },
                        {
                            "name": "tcp-2345",
                            "q_origin_key": "tcp-2345"
                        },
                        {
                            "name": "tcp-3456",
                            "q_origin_key": "tcp-3456"
                        },
                        {
                            "name": "tcp-4567",
                            "q_origin_key": "tcp-4567"
                        }
                    ],
                    "srcaddr": [
                        {
                            "name": "srv1",
                            "q_origin_key": "srv1"
                        }
                    ],
                    "srcintf": [
                        {
                            "name": "port1",
                            "q_origin_key": "port1"
                        }
                    ]
                }
            ],
            "revision": "71188e0631560c3673085b1c70e9c030",
            "serial": "FGVMExxxxxxxxxxxxxx",
            "status": "success",
            "vdom": "root",
            "version": "v6.2.7"
        }
    ]
}

4) When I change the order of the services in my Ansible-playbook:

    - name: Get configuration firewall_security-policy
      fortinet.fortios.fortios_configuration_fact:
        selectors:
          - selector: firewall_policy
            filters:
              - dstaddr==srv2
              - service==tcp-4567 tcp-1234 tcp-2345 tcp-3456
            formatters:
              - action
              - dstaddr
              - dstintf
              - name
              - policyid
              - service
              - srcaddr
              - srcintf
      register: config_firewall_address

5) The Ansible collection is not able to look up the corresponding policy; the output is like this:

ok: [fortigate01] => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_token": null,
            "enable_log": false,
            "filters": null,
            "formatters": null,
            "params": null,
            "selector": null,
            "selectors": [
                {
                    "filters": [
                        "dstaddr==srv2",
                        "service==tcp-4567 tcp-1234 tcp-2345 tcp-3456"
                    ],
                    "formatters": [
                        "action",
                        "dstaddr",
                        "dstintf",
                        "name",
                        "policyid",
                        "service",
                        "srcaddr",
                        "srcintf"
                    ],
                    "params": null,
                    "selector": "firewall_policy",
                    "sorters": null
                }
            ],
            "sorters": null,
            "vdom": "root"
        }
    },
    "meta": [
        {
            "build": 1190,
            "http_method": "GET",
            "http_status": 200,
            "name": "policy",
            "path": "firewall",
            "results": [],
            "revision": "71188e0631560c3673085b1c70e9c030",
            "serial": "FGVMExxxxxxxxxxxxxx",
            "status": "success",
            "vdom": "root",
            "version": "v6.2.7"
        }
    ]
}

Can we please fix the Ansible collection in a way that the ordering of the objects has no dependency on the ordering of the objects in the firewall configuration?

Additional information:

ansible-playbook [core 2.15.2]
  config file = /Users/my_user/Documents/Prive/Python/Gitlab OCD/Ansible/ansible.cfg
  configured module search path = ['/Users/my_user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/my_user/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible-playbook
  python version = 3.11.4 (main, Jul 25 2023, 17:36:13) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/opt/homebrew/opt/python@3.11/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
/Users/my_user/.ansible/collections/ansible_collections
Collection                    Version
----------------------------- -------
fortinet.fortios              2.3.1
JieX19 commented 1 year ago

Hi @ronrem,

I tested the filtering feature via Postman, it's the same as Ansible. I checked the doc for filtering results and found there's a strict restriction for the pattern value. In your playbook, the service object consists of four items and they're stored in a linear sequence in it. So the service object cannot be found if changing the order in the pattern, which causes the issue of empty results.

The following filter operators are supported:

| Operator | Case sensitive | Description |
| -- | -- | -- |
| == | Yes | Pattern must be identical to the value. |
ronrem commented 1 year ago

Thanks for your confirmation, unfortunately this filtering feature doesn't fulfil my needs and I'll create my own since this is a limitation on the Fortigate (backend not frontend).
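As an added example (not code from the fortinet.fortios collection or from either participant), the following script shows the kind of client-side lookup the thread ends on: fetch the policies without a `service` filter and match the table-valued fields (`srcaddr`, `dstaddr`, `service`, `srcintf`, `dstintf`) as sets, so the backend's exact-pattern `==` semantics described in JieX19's comment no longer make the query order-sensitive. It operates on the `meta[*].results` structure shown in the JSON above; the sample data is constructed from policy 7 in the issue plus an invented second policy (policyid 8) to show that a partial service overlap does not match. The filter syntax `field==a b c` mirrors the collection's `filters` list, but the parser here is the example's own and handles only `==`.

```python
"""Order-insensitive policy lookup over fortios_configuration_fact results.

Added example, not part of the fortinet.fortios collection. It matches the
member fields of a firewall policy as sets, so the names in the query may be
given in any order, while still requiring an exact set match (a policy whose
service list is a superset of the query is a broader rule and must not match).
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample: a trimmed copy of the meta[0].results entry from the
# issue (policy 7) plus an invented policy 8 that shares the destination but
# carries only two of the four services.
SAMPLE_RESULTS = [
    {
        "policyid": 7,
        "name": "My first policy",
        "action": "accept",
        "srcintf": [{"name": "port1"}],
        "dstintf": [{"name": "port2"}],
        "srcaddr": [{"name": "srv1"}],
        "dstaddr": [{"name": "srv2"}],
        "service": [{"name": n} for n in ("tcp-1234", "tcp-2345", "tcp-3456", "tcp-4567")],
    },
    {
        "policyid": 8,
        "name": "Partial overlap (constructed)",
        "action": "accept",
        "srcintf": [{"name": "port1"}],
        "dstintf": [{"name": "port2"}],
        "srcaddr": [{"name": "srv1"}],
        "dstaddr": [{"name": "srv2"}],
        "service": [{"name": "tcp-1234"}, {"name": "tcp-2345"}],
    },
]

# Policy fields that FortiOS returns as a list of {"name": ...} members.
MEMBER_FIELDS = {"srcaddr", "dstaddr", "service", "srcintf", "dstintf"}


def member_names(policy: dict, field: str) -> set[str]:
    """Return the set of object names held in a table-valued policy field."""
    return {member["name"] for member in policy.get(field, [])}


def parse_filter(expr: str) -> tuple[str, set[str]]:
    """Parse 'field==a b c' into ('field', {'a', 'b', 'c'}).

    Same shape as the collection's filters list; only '==' is supported here.
    """
    field, sep, value = expr.partition("==")
    if not sep or not field.strip() or not value.strip():
        raise ValueError(f"unsupported filter: {expr!r}")
    return field.strip(), set(value.split())


def matches(policy: dict, field: str, wanted: set[str]) -> bool:
    """Member fields compare as sets; scalar fields compare as one exact value."""
    if field in MEMBER_FIELDS:
        return member_names(policy, field) == wanted
    return len(wanted) == 1 and str(policy.get(field)) == next(iter(wanted))


def find_policies(results: Iterable[dict], filters: Iterable[str]) -> list[int]:
    """Return the policyids of all results that satisfy every filter."""
    parsed = [parse_filter(f) for f in filters]
    return [
        policy["policyid"]
        for policy in results
        if all(matches(policy, field, wanted) for field, wanted in parsed)
    ]


if __name__ == "__main__":
    # The query that returned an empty result set in the issue now finds policy 7.
    print(find_policies(SAMPLE_RESULTS,
                        ["dstaddr==srv2", "service==tcp-4567 tcp-1234 tcp-2345 tcp-3456"]))
```

In a playbook the same idea can be expressed without leaving Ansible: register the `firewall_policy` selector with only the order-insensitive filters (here `dstaddr==srv2`), then compare `item.service | map(attribute='name') | sort` against the sorted list of wanted service names in a `selectattr`/`when` step. Exact set equality is deliberate in both forms: a subset or superset check would silently match a broader or narrower rule than the one being audited.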