fortios_configuration_fact doesn't output in a way you can use with fortios_firewall_policy

[taruch]

I created a playbook to output the current firewall policy objects to a file. I want to be able to use that in the same way that I use other network collections to document brownfield configurations; grab current configuration, and then modify / add to it going forward. I think I "should" be able to directly use the dictionary from the "fortios_configuration_fact" module to configure with the "fortios_firewall_policy" module.

My initial attempts at this resulted in a really long error saying that it couldn't use any of the input from the firewall_policy dictionary. After grabbing a friend who looked at it with me for a while, he realized that the keys in the output from fortios_configuration_fact produces dictionary keys with dashes ( - ) but that the fortios_firewallpolicy module would only take those keys as underscores ( ).

After we fixed that, there was also a significant number of sub-key/values that were output from fortios_configuration_fact that the fortios_firewall_policy module wouldn't accept. After removing these, I was able to configure the firewall policy using what remained in the dictionary.

The question here (for me) is whether this is something that isn't intended, or if this is a bug. Ideally, to be consistent with other Ansible network collections, the output from the "fact" module would be able to be used as a source for the associated "configure" module.

ERROR WHEN I RUN THE CONFIGURE PLAYBOOK firewall_policy.anti-replay, firewall_policy.application-list, firewall_policy.auth-cert, firewall_policy.auth-path, firewall_policy.auth-redirect-addr, firewall_policy.auto-asic-offload, firewall_policy.av-profile, firewall_policy.block-notification, firewall_policy.captive-portal-exempt, firewall_policy.capture-packet, firewall_policy.cifs-profile, firewall_policy.custom-log-fields, firewall_policy.decrypted-traffic-mirror, firewall_policy.delay-tcp-npu-session, firewall_policy.diffserv-copy, firewall_policy.diffserv-forward, firewall_policy.diffserv-reverse, firewall_policy.diffservcode-forward, firewall_policy.diffservcode-rev, firewall_policy.dlp-profile, firewall_policy.dnsfilter-profile, .... Supported parameters include: action, anti_replay, app_category, app_group, application, application_list, auth_cert, auth_path, auth_redirect_addr, auto_asic_offload, av_profile, block_notification, captive_portal_exempt, capture_packet, cifs_profile, comments, custom_log_fields, decrypted_traffic_mirror, delay_tcp_npu_session, devices, diffserv_copy, diffserv_forward, diffserv_reverse, diffservcode_forward, diffservcode_rev, disclaimer, dlp_profile, dlp_sensor, dnsfilter_profile, ...

GET PLAYBOOK tasks:

• name: use fortios_configuration_fact module to get firewall_policy facts fortios_configuration_fact: vdom: "root" selectors:
  • selector: firewall_policy register: forti_firewallpolicy
• name: Write out the policy to host_vars ansible.builtin.copy: content: "firewall_policy:\n{{ forti_firewallpolicy.meta[0].results | to_nice_yaml }}" dest: "./host_vars/{{ inventory_hostname }}.yml" delegate_to: localhost

OUTPUT FROM GET PLAYBOOK: firewall_policy:

• action: accept anti-replay: enable application-list: '' auth-cert: '' auth-path: disable auth-redirect-addr: '' auto-asic-offload: enable av-profile: '' block-notification: disable captive-portal-exempt: disable capture-packet: disable cifs-profile: '' comments: '' custom-log-fields: [] decrypted-traffic-mirror: '' delay-tcp-npu-session: disable diffserv-copy: disable diffserv-forward: disable diffserv-reverse: disable diffservcode-forward: '000000' diffservcode-rev: '000000' disclaimer: disable dlp-profile: '' dnsfilter-profile: '' dsri: disable dstaddr:
  • name: webservers q_origin_key: webservers dstaddr-negate: disable dstaddr6: [] dstaddr6-negate: disable dstintf:
  • name: port2 q_origin_key: port2 dynamic-shaping: disable email-collect: disable emailfilter-profile: '' fec: disable file-filter-profile: '' firewall-session-dirty: check-all fixedport: disable fsso-agent-for-ntlm: '' fsso-groups: [] geoip-anycast: disable geoip-match: physical-location global-label: '' groups: [] http-policy-redirect: disable icap-profile: '' identity-based-route: '' inbound: disable --------------------------------------- etc...

CONFIGURE PLAYBOOK task:

• name: Create Firewall Policy fortios_firewall_policy: vdom: "root" state: "present" firewall_policy: "{{ item }}" loop: "{{ firewall_policy }}"

[taruch]

I had to remove the following lines from the fortios_configuration_fact / firewall_policy output: 30 dstaddr-negate: disable | ---------------------------------------------------------------------- 38 emailfilter-profile: '' | ---------------------------------------------------------------------- 78 ip-version-type: ipv4 | ---------------------------------------------------------------------- 106 policy-expiry-date-utc: '' | ---------------------------------------------------------------------- 122 rtp-nat: disable | ---------------------------------------------------------------------- all of the q_origin_key: | ---------------------------------------------------------------------- 133 session-ttl: '0' | ---------------------------------------------------------------------- 140 srcaddr-negate: disable | ---------------------------------------------------------------------- 148 ssl-ssh-profile: no-inspection | ---------------------------------------------------------------------- 167 voip-profile: '' | ----------------------------------------------------------------------

[JieX19]

Hi @taruch

fortios_configuration_fact module is implemented for fetching the present configurations. You should use https://ansible-galaxy-fortios-docs.readthedocs.io/en/latest/fortios_export_config_playbook.html to export a ready-to-use playbook. You need to adjust some parameters to make this playbook work for you.

Let me know if you have any other questions.

[JieX19]

Hi @taruch

We will improve the configuration_fact module in the future to make it more useful. like converting the returned values with underscore and adding an additional parameter, for example, review_all = true to display the entire configurations including parameters with a null value, or review_all = false to display all the configurations with values.

Thank you for providing us with insight.

[JieX19]

Hi @taruch

I will close the issue at this moment, marking it as resolved or completed. If you have any further questions or concerns, please feel free to reopen the ticket or create a new one.