fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

fortios_configuration_fact doesn't output in a way you can use with fortios_firewall_policy #275

Closed taruch closed 10 months ago

taruch commented 1 year ago

I created a playbook to output the current firewall policy objects to a file. I want to be able to use that in the same way that I use other network collections to document brownfield configurations; grab current configuration, and then modify / add to it going forward. I think I "should" be able to directly use the dictionary from the "fortios_configuration_fact" module to configure with the "fortios_firewall_policy" module.

My initial attempts at this resulted in a really long error saying that it couldn't use any of the input from the firewall_policy dictionary. After grabbing a friend who looked at it with me for a while, he realized that the output from fortios_configuration_fact produces dictionary keys with dashes ( - ), but the fortios_firewall_policy module would only take those keys with underscores ( _ ).

After we fixed that, there were also a significant number of sub-keys/values output from fortios_configuration_fact that the fortios_firewall_policy module wouldn't accept. After removing these, I was able to configure the firewall policy using what remained in the dictionary.

The question here (for me) is whether this is something that isn't intended, or if this is a bug. Ideally, to be consistent with other Ansible network collections, the output from the "fact" module would be able to be used as a source for the associated "configure" module.

ERROR WHEN I RUN THE CONFIGURE PLAYBOOK:

firewall_policy.anti-replay, firewall_policy.application-list, firewall_policy.auth-cert, firewall_policy.auth-path, firewall_policy.auth-redirect-addr, firewall_policy.auto-asic-offload, firewall_policy.av-profile, firewall_policy.block-notification, firewall_policy.captive-portal-exempt, firewall_policy.capture-packet, firewall_policy.cifs-profile, firewall_policy.custom-log-fields, firewall_policy.decrypted-traffic-mirror, firewall_policy.delay-tcp-npu-session, firewall_policy.diffserv-copy, firewall_policy.diffserv-forward, firewall_policy.diffserv-reverse, firewall_policy.diffservcode-forward, firewall_policy.diffservcode-rev, firewall_policy.dlp-profile, firewall_policy.dnsfilter-profile, .... Supported parameters include: action, anti_replay, app_category, app_group, application, application_list, auth_cert, auth_path, auth_redirect_addr, auto_asic_offload, av_profile, block_notification, captive_portal_exempt, capture_packet, cifs_profile, comments, custom_log_fields, decrypted_traffic_mirror, delay_tcp_npu_session, devices, diffserv_copy, diffserv_forward, diffserv_reverse, diffservcode_forward, diffservcode_rev, disclaimer, dlp_profile, dlp_sensor, dnsfilter_profile, ...

GET PLAYBOOK tasks:

OUTPUT FROM GET PLAYBOOK: firewall_policy:

CONFIGURE PLAYBOOK task:

taruch commented 1 year ago

I had to remove the following lines from the fortios_configuration_fact / firewall_policy output (line numbers refer to the output file):

30 dstaddr-negate: disable
38 emailfilter-profile: ''
78 ip-version-type: ipv4
106 policy-expiry-date-utc: ''
122 rtp-nat: disable
all of the q_origin_key: lines
133 session-ttl: '0'
140 srcaddr-negate: disable
148 ssl-ssh-profile: no-inspection
167 voip-profile: ''
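The two manual fixes described in this thread (rewriting dashed keys to underscores, then dropping q_origin_key and the sub-keys fortios_firewall_policy rejects) can be done in one pass before the fact output is handed to the configure module. The following is an added example, not code from the collection or from the issue: a small Python helper of the kind you would drop into a playbook's filter_plugins/ directory. The SUPPORTED set is a constructed subset taken from the "Supported parameters include:" text in the error above and is not the module's complete list; SAMPLE_POLICY is a constructed policy entry shaped like the fact module's output, not real device data.

```python
"""
Normalise a fortios_configuration_fact firewall_policy entry into the
argument shape fortios_firewall_policy expects.

Added example for this issue; not part of the fortinet.fortios collection.
"""

# Keys the fact module emits for its own bookkeeping; the configure
# module reports them as unsupported, so they are always removed.
BOOKKEEPING_KEYS = {"q_origin_key"}

# Constructed subset of fortios_firewall_policy parameters (from the
# "Supported parameters include:" error text). Replace with the full
# list from the module documentation for real use.
SUPPORTED = {
    "policyid", "name", "action", "srcintf", "dstintf", "srcaddr",
    "dstaddr", "service", "schedule", "status", "logtraffic",
    "anti_replay", "av_profile", "ssl_ssh_profile", "comments",
}


def normalise(value):
    """Recursively rewrite dict keys from dash form to underscore form
    and strip bookkeeping keys. Lists of {name: ...} member entries
    (srcintf, srcaddr, service, ...) are walked so the nested
    q_origin_key entries go too; scalars are returned unchanged."""
    if isinstance(value, dict):
        return {
            key.replace("-", "_"): normalise(child)
            for key, child in value.items()
            if key not in BOOKKEEPING_KEYS
        }
    if isinstance(value, list):
        return [normalise(item) for item in value]
    return value


def to_module_args(policy, supported=SUPPORTED):
    """Return (args, dropped).

    args    - the normalised policy restricted to supported parameters
    dropped - sorted keys that were removed because the configure module
              does not accept them; review this list so settings such as
              an inspection profile are not lost silently on re-apply.
    """
    normalised = normalise(policy)
    args = {k: v for k, v in normalised.items() if k in supported}
    dropped = sorted(k for k in normalised if k not in supported)
    return args, dropped


# Constructed sample shaped like one fact-module firewall_policy entry.
SAMPLE_POLICY = {
    "policyid": 1,
    "name": "allow-web",
    "q_origin_key": 1,
    "srcintf": [{"name": "port1", "q_origin_key": "port1"}],
    "dstintf": [{"name": "port2", "q_origin_key": "port2"}],
    "srcaddr": [{"name": "all", "q_origin_key": "all"}],
    "dstaddr": [{"name": "all", "q_origin_key": "all"}],
    "service": [{"name": "HTTPS", "q_origin_key": "HTTPS"}],
    "schedule": "always",
    "action": "accept",
    "anti-replay": "enable",
    "av-profile": "",
    "ssl-ssh-profile": "no-inspection",
    "dstaddr-negate": "disable",
    "session-ttl": "0",
    "voip-profile": "",
}

if __name__ == "__main__":
    module_args, removed = to_module_args(SAMPLE_POLICY)
    print("firewall_policy args:", module_args)
    print("dropped keys:", removed)
```

To call this from a playbook, wrap to_module_args in a FilterModule class (the standard Ansible filter plugin hook) and pass the fact output through it before the fortios_firewall_policy task. Keep the dropped list visible in the run output rather than discarding it: the keys removed in this thread include ssl-ssh-profile and session-ttl, which affect how traffic matched by the policy is inspected and tracked.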

JieX19 commented 11 months ago

Hi @taruch

fortios_configuration_fact module is implemented for fetching the present configurations. You should use https://ansible-galaxy-fortios-docs.readthedocs.io/en/latest/fortios_export_config_playbook.html to export a ready-to-use playbook. You need to adjust some parameters to make this playbook work for you.

Let me know if you have any other questions.

JieX19 commented 11 months ago

Hi @taruch

We will improve the configuration_fact module in the future to make it more useful, such as converting the returned values to use underscores and adding an additional parameter, for example review_all = true to display the entire configuration including parameters with a null value, or review_all = false to display only the configuration items that have values.

Thank you for providing us with insight.

JieX19 commented 10 months ago

Hi @taruch

I will close the issue at this moment, marking it as resolved or completed. If you have any further questions or concerns, please feel free to reopen the ticket or create a new one.