fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Configuring Fortigate with Ansible - Error in Repo #274

Closed sueleymanaydemir closed 10 months ago

sueleymanaydemir commented 10 months ago

Hi guys,

I'm learning some Ansible basics at the moment. I already created some small tasks successfully. For example, I was able to change the hostname and some other global settings on both of my FortiGate VMs.

But now I wanted to enable Port10, assign an IP and set allowaccess.

This time, I get an error:

```text
PLAY [fortigates] **

TASK [Gathering Facts] ***** [DEPRECATION WARNING]: Distribution ubuntu 22.04 on host FG1 should use /usr/bin/python3, but is using /usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to using the discovered platform python for this host. See https://docs.ansible.com/ansible/2.10/reference_appendices/interpreter_discovery.html for more information. This feature will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. ok: [FG1] [DEPRECATION WARNING]: Distribution ubuntu 22.04 on host FG2 should use /usr/bin/python3, but is using /usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to using the discovered platform python for this host. See https://docs.ansible.com/ansible/2.10/reference_appendices/interpreter_discovery.html for more information. This feature will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. ok: [FG2]

TASK [Configure global attributes.] **** ok: [FG2] ok: [FG1]

PLAY [FG1] *****

TASK [Gathering Facts] ***** ok: [FG1]

TASK [Configure Port10 on FG1] ***** fatal: [FG1]: FAILED! => {"changed": false, "meta": {"build": 304, "error": -5, "http_method": "POST", "http_status": 500, "name": "interface", "path": "system", "revision": "96528c0c5c2d57cbd51dce6b075d78be", "revision_changed": false, "serial": "FGVMEVFXB3S0Z5DA", "status": "error", "vdom": "root", "version": "v7.0.5"}, "msg": "Error in repo"}

PLAY RECAP ***** FG1 : ok=3 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
FG2 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```

My Playbook looks like this:

`---

JieX19 commented 10 months ago

Hi @sueleymanaydemir

I reviewed your playbook and everything looks good, only one thing: ansible_httpapi_use_ssl, is your FGT device licensed? If it's licensed, you have to change it to yes. Also, ansible_httpapi_port: the HTTPS protocol transfers encrypted data to 443 (depending on your configuration). I'd like to confirm some information with you.

  1. Did the first task execute successfully? ----> name: Configure global attributes.
  2. Does port10 exist on your devices?

sueleymanaydemir commented 10 months ago

> Hi @sueleymanaydemir
>
> I reviewed your playbook and everything looks good, only one thing: ansible_httpapi_use_ssl, is your FGT device licensed? If it's licensed, you have to change it to yes. Also, ansible_httpapi_port: the HTTPS protocol transfers encrypted data to 443 (depending on your configuration). I'd like to confirm some information with you.
>
> 1. Did the first task execute successfully? ----> name: Configure global attributes.
> 2. Does port10 exist on your devices?

Hi, yes, the first task executed successfully and port10 definitely exists. I tried ports 2-9 too, but got the same error.

JieX19 commented 10 months ago

Thanks for the confirmation! @sueleymanaydemir

Can you please set enable_log in the playbook and send me a copy of the log? Here's an example:

```yaml
tasks:
- name: Configure Port10 on FG1
  fortios_system_interface:
     enable_log: True
     vdom: "{{ vdom }}"
     state: "present"
     system_interface:
        name: "port10"
        vdom: "root"
        allowaccess: [ping,http,https,ssh]
        ip: "192.168.56.111 255.255.255.0"
```

The log is saved in the path /tmp/fortios.ansible.log

sueleymanaydemir commented 10 months ago

> Thanks for the confirmation! @sueleymanaydemir
>
> Can you please set enable_log in the playbook and send me a copy of the log? Here's an example:
>
> ```yaml
> tasks:
> - name: Configure Port10 on FG1
>   fortios_system_interface:
>      enable_log: True
>      vdom: "{{ vdom }}"
>      state: "present"
>      system_interface:
>         name: "port10"
>         vdom: "root"
>         allowaccess: [ping,http,https,ssh]
>         ip: "192.168.56.111 255.255.255.0"
> ```
>
> The log is saved in the path /tmp/fortios.ansible.log

Here is the log output:

```text
2023-10-24 07:49:34.300413: checking system_version
2023-10-24 07:49:34.300585: perform pre request login
2023-10-24 07:49:34.300662: login with username and password, try API based auth first
2023-10-24 07:49:34.300762: Sending request: METHOD:POST URL:/api/v2/authentication DATA:{"username": "admin", "secretkey": "admin", "ack_post_disclaimer": true, "ack_pre_disclaimer": true, "request_key": true}
2023-10-24 07:49:34.300915: login with username and password, try API based auth first
2023-10-24 07:49:34.300973: Sending request: METHOD:POST URL:/api/v2/authentication DATA:{"username": "admin", "secretkey": "admin", "ack_post_disclaimer": true, "ack_pre_disclaimer": true, "request_key": true}
2023-10-24 07:49:34.344497: updated auth headers: dict_items([('Accept', 'application/json')])
2023-10-24 07:49:34.344533: response data: {
  "status_code":5,
  "status_message":"LOGIN_SUCCESS",
  "session_key":"9wc9ywng7whjfxk9gsfdb9gf947gwx",
  "session_key_timeout":"23"
}...<truncated>
2023-10-24 07:49:34.344556: API based auth with user: admin succeeds
2023-10-24 07:49:34.344582: checking system_version
2023-10-24 07:49:34.344617: Sending request: METHOD:GET URL:/api/v2/monitor/system/status?vdom=root&access_token=9wc9ywng7whjfxk9gsfdb9gf947gwx DATA:
2023-10-24 07:49:34.353220: using access token - no auth update needed: 9wc9ywng7whjfxk9gsfdb9gf947gwx
2023-10-24 07:49:34.353259: response data: {
  "http_method":"GET",
  "results":{
    "model_name":"FortiGate",
    "model_number":"VM64-KVM",
    "model":"FGVMK6",
    "hostname":"FortiGate02",
    "log_disk_status":"available"
  },
  "vdom":...<truncated>
2023-10-24 07:49:34.353312: system version: v7.0.5
2023-10-24 07:49:34.353327: ansible version: v6.0.0
2023-10-24 07:49:34.370099: using access token - no auth update needed: 9wc9ywng7whjfxk9gsfdb9gf947gwx
2023-10-24 07:49:34.370149: response data: {
  "status_code":5,
  "status_message":"LOGIN_SUCCESS",
  "session_key":"gnHw7dttGjyy6kHbNkw18g5cwf4yw5",
  "session_key_timeout":"23"
}...<truncated>
2023-10-24 07:49:34.370179: API based auth with user: admin succeeds
2023-10-24 07:49:34.370207: checking system_version
2023-10-24 07:49:34.370227: Sending request: METHOD:GET URL:/api/v2/monitor/system/status?vdom=root&access_token=gnHw7dttGjyy6kHbNkw18g5cwf4yw5 DATA:
2023-10-24 07:49:34.375290: using access token - no auth update needed: gnHw7dttGjyy6kHbNkw18g5cwf4yw5
2023-10-24 07:49:34.375339: response data: {
  "http_method":"GET",
  "results":{
    "model_name":"FortiGate",
    "model_number":"VM64-KVM",
    "model":"FGVMK6",
    "hostname":"FortiGate02",
    "log_disk_status":"available"
  },
  "vdom":...<truncated>
2023-10-24 07:49:34.375388: system version: v7.0.5
2023-10-24 07:49:34.375401: ansible version: v6.0.0
2023-10-24 07:49:34.377040: Sending request: METHOD:PUT URL:/api/v2/cmdb/system/interface/port10?vdom=root&access_token=gnHw7dttGjyy6kHbNkw18g5cwf4yw5 DATA:{"allowaccess": "ping http https ssh", "ip": "192.168.56.111/24", "name": "port10", "vdom": "root"}
2023-10-24 07:49:34.398262: Exception thrown from handling http: HTTP Error 500: Internal Server Error
2023-10-24 07:49:34.398465: using access token - no auth update needed: gnHw7dttGjyy6kHbNkw18g5cwf4yw5
2023-10-24 07:49:34.398512: response data: {
  "http_method":"PUT",
  "revision":"bc80a10633d3d8e6871988d1e2fbbe3a",
  "revision_changed":false,
  "cli_error":"Subnets overlap between 'port10' with primary IP of 'port1'\nnode_check_object fail...<truncated>
2023-10-24 07:49:34.399233: Sending request: METHOD:POST URL:/api/v2/cmdb/system/interface?vdom=root&access_token=gnHw7dttGjyy6kHbNkw18g5cwf4yw5 DATA:{"allowaccess": "ping http https ssh", "ip": "192.168.56.111/24", "name": "port10", "vdom": "root"}
2023-10-24 07:49:34.404593: Exception thrown from handling http: HTTP Error 500: Internal Server Error
2023-10-24 07:49:34.404701: using access token - no auth update needed: gnHw7dttGjyy6kHbNkw18g5cwf4yw5
2023-10-24 07:49:34.404735: response data: {
  "http_method":"POST",
  "revision":"bc80a10633d3d8e6871988d1e2fbbe3a",
  "revision_changed":false,
  "error":-5,
  "status":"error",
  "http_status":500,
  "vdom":"root",
  "path":"system",
  "nam...<truncated>
2023-10-24 07:49:34.457573: logout
2023-10-24 07:49:34.457647: Sending request: METHOD:DELETE URL:/api/v2/authentication?access_token=gnHw7dttGjyy6kHbNkw18g5cwf4yw5 DATA:
2023-10-24 07:49:34.464980: using access token - no auth update needed: gnHw7dttGjyy6kHbNkw18g5cwf4yw5
2023-10-24 07:49:34.465073: response data: {
  "status":"API_LOGOUT_SUCCESS",
  "status_id":0
}...<truncated>
```

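As an added example (not code from the thread or the collection), a small Python helper that pulls the real FortiOS `cli_error` out of /tmp/fortios.ansible.log, which the module surfaces only as "Error in repo", and masks the `secretkey`, `session_key` and `access_token` values that enable_log writes in clear text, so the log can be shared as the maintainer asked. The sample log lines are constructed from the output above with made-up token values.

```python
import re

# Secrets the enable_log output records in clear text (rules are my own, not
# part of the collection): the login password, session keys and access tokens.
REDACT_RULES = [
    (re.compile(r"(access_token=)[0-9A-Za-z]+"), r"\1<redacted>"),
    (re.compile(r'("secretkey":\s*")[^"]*(")'), r"\1<redacted>\2"),
    (re.compile(r'("session_key":\s*")[^"]*(")'), r"\1<redacted>\2"),
]
REQUEST_RE = re.compile(r"Sending request: METHOD:(\w+) URL:(\S+)")
HTTP_ERR_RE = re.compile(r"Exception thrown from handling http: (.+)$")
# cli_error runs until the JSON-escaped newline, a closing quote or end of line.
CLI_ERR_RE = re.compile(r'"cli_error":"(.*?)(?:\\n|"|$)')


def redact(line):
    """Mask the password, session key and access token values in one log line."""
    for pattern, replacement in REDACT_RULES:
        line = pattern.sub(replacement, line)
    return line


def triage(log_text):
    """Pair each request that raised an HTTP error with the FortiOS cli_error in
    the response that follows it. URLs are redacted so the result can be shared."""
    findings, current = [], None
    for line in log_text.splitlines():
        if m := REQUEST_RE.search(line):
            current = {"method": m.group(1), "url": redact(m.group(2)),
                       "http_error": None, "cli_error": None}
        elif (m := HTTP_ERR_RE.search(line)) and current is not None:
            current["http_error"] = m.group(1)
            findings.append(current)
            current = None
        elif (m := CLI_ERR_RE.search(line)) and findings:
            findings[-1]["cli_error"] = m.group(1)
    return findings


# Constructed sample, shortened from the log above; token and key are made up.
SAMPLE_LOG = """\
2023-10-24 07:49:34.300762: Sending request: METHOD:POST URL:/api/v2/authentication DATA:{"username": "admin", "secretkey": "admin", "request_key": true}
2023-10-24 07:49:34.344533: response data: {"status_code":5,"status_message":"LOGIN_SUCCESS","session_key":"madeupsessionkey"}
2023-10-24 07:49:34.377040: Sending request: METHOD:PUT URL:/api/v2/cmdb/system/interface/port10?vdom=root&access_token=madeuptoken DATA:{"ip": "192.168.56.111/24", "name": "port10"}
2023-10-24 07:49:34.398262: Exception thrown from handling http: HTTP Error 500: Internal Server Error
2023-10-24 07:49:34.398512: response data: {"http_method":"PUT","cli_error":"Subnets overlap between 'port10' with primary IP of 'port1'\\nnode_check_object fail...<truncated>
2023-10-24 07:49:34.399233: Sending request: METHOD:POST URL:/api/v2/cmdb/system/interface?vdom=root&access_token=madeuptoken DATA:{"ip": "192.168.56.111/24", "name": "port10"}
2023-10-24 07:49:34.404593: Exception thrown from handling http: HTTP Error 500: Internal Server Error
"""
```

Running `triage(SAMPLE_LOG)` yields two findings, the PUT carrying the "Subnets overlap" cli_error and the fallback POST with none, which is why the playbook only ever saw the generic POST failure.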
alagoutte commented 10 months ago

The issue is coming from the IP address:

```text
...
Subnets overlap between 'port10' with primary IP of 'port1
...
```

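Added example, not from the thread or the collection: a Python pre-check that applies the same rule the FortiGate enforces here (no two interfaces with overlapping primary subnets), so a playbook can fail with a clear message before the PUT is sent. It takes the interface list in the shape of the `results` entries from `GET /api/v2/cmdb/system/interface` (name and ip); port1's address below is an assumption, since the thread never shows it.

```python
import ipaddress


def parse_fortios_ip(value):
    """Parse an interface address as FortiOS writes it: 'addr mask' (the form
    the fortios_system_interface module accepts) or 'addr/prefix' (the form the
    module sends to /api/v2/cmdb). Returns None for an unset 0.0.0.0 address."""
    value = value.strip()
    if " " in value:
        addr, mask = value.split()
        value = f"{addr}/{mask}"
    iface = ipaddress.ip_interface(value)
    if iface.ip == ipaddress.ip_address("0.0.0.0"):
        return None
    return iface


def find_subnet_overlaps(new_name, new_ip, existing_interfaces):
    """Return the names of interfaces whose primary subnet overlaps new_ip.
    existing_interfaces is a list of {"name": ..., "ip": ...} dicts, the shape
    of the 'results' entries returned by GET /api/v2/cmdb/system/interface."""
    target = parse_fortios_ip(new_ip)
    if target is None:
        return []
    conflicts = []
    for iface in existing_interfaces:
        if iface["name"] == new_name:
            continue  # the interface being reconfigured may keep its own subnet
        current = parse_fortios_ip(iface.get("ip", "0.0.0.0 0.0.0.0"))
        if current is not None and target.network.overlaps(current.network):
            conflicts.append(iface["name"])
    return conflicts


# Constructed inventory: port1's address is an assumption (the thread never
# shows it); port10 is still unconfigured, as it was before the failing task.
EXISTING_INTERFACES = [
    {"name": "port1", "ip": "192.168.56.10 255.255.255.0"},
    {"name": "port2", "ip": "10.0.2.15 255.255.255.0"},
    {"name": "port10", "ip": "0.0.0.0 0.0.0.0"},
]

if __name__ == "__main__":
    # The playbook's value from the thread; prints ['port1']
    print(find_subnet_overlaps("port10", "192.168.56.111 255.255.255.0", EXISTING_INTERFACES))
```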
sueleymanaydemir commented 10 months ago

> The issue is coming from the IP address:
>
> ```text
> ...
> Subnets overlap between 'port10' with primary IP of 'port1
> ...
> ```

Thank you very much, you are right! This was the problem and after editing my playbook, it now works fine. :)