fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0
85 stars, 49 forks

"Error in repo" using fortios_firewall_policy module #289

Closed greenspartan closed 10 months ago

greenspartan commented 10 months ago

Hi guys,

I have recently upgraded Tower from 3.8.4 to AAP 2.4 (Ansible 2.15.5) and I now have an issue running a playbook that was working just fine on Tower 3.8.4 (Ansible 2.9).

I am using the fortinet.fortios Ansible Galaxy collection v2.3.4.

My FortiGate is running v7.0.12.

This playbook ends with the following error:

TASK [fortios_tasks : Configure IPv4 policy on AMS firewall from vessel to internet] ***
fatal: [ams_fortigate]: FAILED! => {"changed": false, "meta": {"build": 523, "http_method": "PUT", "http_status": 405, "name": "policy", "path": "firewall", "serial": "FG100FTK20042072", "status": "error", "vdom": "root", "version": "v7.0.12"}, "msg": "Error in repo"}

Here is the associated Ansible task code:

---

# Tasks as posted by the reporter: the first three succeed, only the last one fails.
- name: Configure IPv4 addresses on firewall
  fortios_firewall_address:
    vdom: "root"
    state: "present"
    firewall_address:
      name: "FX-{{ vessel_name }}-{{ vessel_internal_ip }}"
      subnet: "{{ vessel_internal_ip }} 255.255.255.255"

- name: Configure IPv4 IP pools on AMS firewall
  fortios_firewall_ippool:
    vdom: "root"
    state: "present"
    firewall_ippool:
      name: "FX-{{ vessel_name }}-PUBLIC-POOL"
      endip: "{{ ams_ip_address_reserved }}"
      startip: "{{ ams_ip_address_reserved }}"
      type: "overload"

- name: Configure virtual IP for IPv4 on firewall
  fortios_firewall_vip:
    vdom: "root"
    state: "present"
    firewall_vip:
      extintf: "WAN1.111.INTRNT"
      extip: "{{ ams_ip_address_reserved }}"
      mappedip:
        - range: "{{ vessel_internal_ip }}"
      name: "VIP-NAT-FX-{{ vessel_name }}"

- name: Configure IPv4 policy on firewall from vessel to internet
  fortios_firewall_policy:
    vdom: "root"
    state: "present"
    firewall_policy:
      action: "accept"
      name: "NAT {{ vessel_name }} to Internet"
      dstaddr:
        - name: "all"
      dstintf:
        - name: "WAN1.111.INTRNT"
      ippool: "enable"
      nat: "enable"
      policyid: "0"   # see the replies below about this value
      poolname:
        - name: "FX-{{ vessel_name }}-PUBLIC-POOL"
      schedule: "always"
      service:
        - name: "ALL"
      srcaddr:
        - name: "FX-{{ vessel_name }}-{{ vessel_internal_ip }}"
      srcintf:
        - name: "port1"
  register: return1

What is strange is that the fortios_firewall_address, fortios_firewall_ippool and fortios_firewall_vip modules work perfectly and are able to create the related config on the FortiGate.

The issue happens with the fortios_firewall_policy module only.

I have activated some HTTPS debugging on the FortiGate and I can see the following error message:

[httpsd 830 - 1705492545     info] fweb_debug_init[417] -- New PUT request for "/api/v2/cmdb/firewall/policy" from "xx.xx.xx.xx:60330"
[httpsd 830 - 1705492545     info] fweb_debug_init[419] -- User-Agent: "Python-urllib/3.9"
[httpsd 830 - 1705492545     info] fweb_debug_init[421] -- Handler "api_cmdb_v2-handler" assigned to request
[httpsd 830 - 1705492545     info] api_access_check_for_session_key[735] -- Session key found in active admin sessions (CID: 597).
[httpsd 830 - 1705492545     info] api_access_check_for_session_key[746] -- Login status OK.
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'vdom' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'access_token' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'action' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'dstaddr' (type=array)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'dstintf' (type=array)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'ippool' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'name' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'nat' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'policyid' (type=int)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'poolname' (type=array)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'schedule' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'service' (type=array)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'srcaddr' (type=array)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'srcintf' (type=array)
[httpsd 830 - 1705492545     info] api_cmdb_request_init_by_path[1651] -- new CMDB query (path='firewall',name='policy')
[httpsd 830 - 1705492545     info] handle_cli_req_v2[3006] -- no method found for requested action: (null)
[httpsd 830 - 1705492545     info] handle_cli_req_v2[3124] -- returning to original vdom "root"
[httpsd 830 - 1705492545  warning] api_return_http_result[1272] -- API error 405 raised

Why do I get this error message (no method found for requested action: (null)) while the other modules work perfectly?

Thanks in advance for your help, and don't hesitate to ask if you need additional info ;)!

Best Regards,

Adrien

alagoutte commented 10 months ago

Hi Adrien,

policyid: "0" is no longer supported by the Ansible module; you need to specify an ID.

greenspartan commented 10 months ago

Hi Alexis,

Thanks a lot for your feedback! I confirm I don't have any error when using a real policyid (I mean one different from 0).

Indeed, the notes section of the latest documentation advises against using policyid: "0" any more.

But as it was not clearly stated that it was no longer supported, I didn't think my issue was coming from this.

By the way, do you know where we can find the Q&A mentioned in the notes section?

(screenshot of the module documentation's notes section)

I would like to know how I can automatically use the latest available policy ID without fear of overlapping/shadowing existing policies. Does it mean the only option is to fetch all policies and then find the first available ID by sorting that list?

Thanks and have a great day!

Best Regards,

Adrien

alagoutte commented 10 months ago

Hi Adrien,

The solution will be to get/set a fact with the highest policyid currently configured.

greenspartan commented 10 months ago

Hi Alexis,

Thanks for your feedback. Indeed, I added tasks to fetch all policies and then find the first available ID.

Here it is, in case it helps someone:

# Fetch every firewall policy in the VDOM; the raw API body lands in r.meta,
# with the policy objects in r.meta.results.
- name: Retrieve policies
  fortinet.fortios.fortios_configuration_fact:
    vdom: "root"
    selector: firewall_policy
  register: r

# Keep only the policy IDs that are already in use.
- name: Set fw policy config list
  set_fact:
    fw_policy_config_list: "{{ r.meta.results | map(attribute='policyid') | list }}"

# First integer in 1..range_limit that is not in use. range_limit is cast to int
# because playbook/extra vars arrive as strings.
- name: Find first available policyID
  set_fact:
    first_available_id: "{{ range(1, (range_limit | int) + 1) | difference(fw_policy_config_list) | first }}"

where range_limit is a playbook variable.

So all is good for me now; I will close the issue ;).

Thanks again for the help !

Adrien
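Both strategies discussed in the thread (alagoutte's "highest configured policyid + 1" and greenspartan's "first free ID in a range") carried out in Python, as an added example that is not code from the fortinet.fortios collection or from either poster. It works on the same data shape the playbook above uses, the list under r.meta.results, where each policy object carries a policyid. The FilterModule wrapper, the filter names first_free_policy_id and next_policy_id, and the SAMPLE_RESULTS list are all assumptions made for this example; the standard Ansible filter_plugins/ directory layout is what makes the wrapper loadable from a playbook.

```python
"""Pick a usable FortiGate firewall policy ID before calling fortios_firewall_policy.

Added example, not part of the fortios collection. Input is the list of policy
objects that fortios_configuration_fact (selector: firewall_policy) returns in
r.meta.results; only the 'policyid' field is used.
"""
from typing import Iterable, Optional


def used_policy_ids(results: Iterable[dict]) -> set:
    """Collect configured policy IDs as a set of ints.

    FortiOS returns policyid as an integer, but the value may be a string when
    it has passed through Ansible variables, so coerce it. Entries without a
    policyid are skipped rather than treated as an existing policy.
    """
    ids = set()
    for policy in results:
        pid = policy.get("policyid")
        if pid is None:
            continue
        ids.add(int(pid))
    return ids


def first_free_policy_id(results, range_limit, start=1) -> Optional[int]:
    """First ID in [start, range_limit] that is not already used (the 'first gap'
    strategy). Returns None when the range is exhausted instead of failing the
    way `| first` does on an empty list."""
    if start < 1:
        raise ValueError("policy IDs start at 1; 0 is not an ID to create with")
    used = used_policy_ids(results)
    for candidate in range(start, range_limit + 1):
        if candidate not in used:
            return candidate
    return None


def next_policy_id(results, range_limit, start=1) -> Optional[int]:
    """Highest configured ID + 1 (the strategy suggested in the thread).
    Never reuses an ID freed by a deleted policy, which matters when logs or
    external tooling are keyed on policyid."""
    used = used_policy_ids(results)
    candidate = max(used, default=start - 1) + 1
    return candidate if candidate <= range_limit else None


class FilterModule:
    """Expose both helpers as Jinja filters (assumed names), so a playbook can
    write `{{ r.meta.results | first_free_policy_id(range_limit | int) }}`.
    Place this file in a filter_plugins/ directory next to the playbook."""

    def filters(self):
        return {
            "first_free_policy_id": first_free_policy_id,
            "next_policy_id": next_policy_id,
        }


# Constructed sample in the shape of r.meta.results: IDs 1, 2, 3 and 5 are in
# use, so 4 is the first gap and 6 is highest + 1.
SAMPLE_RESULTS = [
    {"policyid": 1, "name": "mgmt"},
    {"policyid": 2, "name": "NAT vessel-a to Internet"},
    {"policyid": 3, "name": "NAT vessel-b to Internet"},
    {"policyid": "5", "name": "id arrived as a string"},
]

if __name__ == "__main__":
    print("first gap :", first_free_policy_id(SAMPLE_RESULTS, 100))
    print("highest+1 :", next_policy_id(SAMPLE_RESULTS, 100))
```

Whichever strategy is used, the ID is chosen from a snapshot taken by a GET and only claimed by the later PUT, so two playbook runs against the same VDOM at the same time can pick the same number; serialising the runs (for example with a lock around the lookup-and-create pair) is the practical guard, and registering the create task and checking its result catches the collision when it does happen.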