fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

firewall policy always shows changes #332

Open milad-24 opened 1 month ago

milad-24 commented 1 month ago

I am using the firewall policy module to configure my Fortigate device and have encountered two issues with this module.

When there are duplicate entries in the policy addresses, the module always indicates changes, even though no actual changes are made on the Fortigate device. I am unsure if this behavior is a bug, but it consistently shows changes in the presence of duplicate entries.

alagoutte commented 1 month ago

@milad-24 What release? Because there is some change/fix with the last release? (for --check)

Why do you have duplicate entries on source/destination (I think there is the same issue with interface...)

milad-24 commented 1 month ago

@alagoutte I used fortinet.fortios version 2.3.7.

One of my tasks in the Ansible playbook aggregates different addresses for various environments and teams to be used in a policy, making it challenging to identify the root cause of this issue. I discovered that my Fortigate repository contained a duplicate entry for an address. After removing the duplicate entry, the problem was solved. However, I believe the module should at least throw an error instead of indicating state changes every time.

milad-24 commented 1 month ago

For all firewall policies that include multiple addresses (for both source and destination), the --check option indicates changes. I encountered a similar issue with IP pools.

alagoutte commented 1 month ago

Have you looked at using | unique in your playbook?

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/unique_filter.html

milad-24 commented 1 month ago

It's the latest version (2.3.7). Yes, I used unique to make sure that the address is unique, but what about the IP pool? I have only one IP:

ippool:
  - name: POOL_TEST
    startip: 172.16.1.100
    endip: 172.16.1.100

When I run it without --check there are no changes and everything is green. I ran it without using a variable too:

- name: Configure IPv4 IP pools.
  fortinet.fortios.fortios_firewall_ippool:
    state: "present"
    access_token: "{{ fortios_access_token }}"
    firewall_ippool:
      name: "POOL_TEST"
      add_nat64_route: "disable"
      arp_reply: "enable"
      endip: "172.16.1.100"
      startip: "172.16.1.100"
      nat64: "disable"
      type: "overload"

MaxxLiu22 commented 1 month ago

Hi @milad-24 ,

Thank you for raising these two issues. I can reproduce them. The reason for this issue is that Ansible treats them as a list and strictly compares it with the data returned by the API. I have reported this to the development team for fixing. Thank you for your valuable suggestion.

Thanks, Maxx
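An added illustration (not code from the fortios collection) of the comparison behaviour Maxx describes: a strict comparison of the desired member list against what the API returns flags a change whenever the playbook list has duplicates or a different order, while a comparison that normalises member lists reports drift only for real differences, so check-mode runs stay useful for spotting unintended policy changes. The policy data below is constructed to mirror the srcaddr/dstaddr list shape and is not captured from a device.

```python
"""Strict vs. normalised comparison of a desired firewall policy against the
policy the device reports. Illustrative only; not the collection's own code."""
from typing import Any

# Constructed sample data modelled on fortios_firewall_policy member lists.
DESIRED_POLICY = {
    "policyid": 10,
    "srcaddr": [{"name": "HOST_A"}, {"name": "HOST_A"}, {"name": "HOST_B"}],  # duplicate entry
    "dstaddr": [{"name": "SRV_WEB"}],
    "action": "accept",
}
DEVICE_POLICY = {
    "policyid": 10,
    "srcaddr": [{"name": "HOST_B"}, {"name": "HOST_A"}],  # device deduplicated and reordered
    "dstaddr": [{"name": "SRV_WEB"}],
    "action": "accept",
    "comments": "",  # extra field the API returns but the playbook never set
}


def strict_changed(desired: dict, current: dict) -> bool:
    """Strict comparison: any value that is not identical counts as a change."""
    return any(current.get(k) != v for k, v in desired.items())


def _normalise(value: Any) -> Any:
    """Make member lists order-insensitive and duplicate-free, recursively."""
    if isinstance(value, list):
        # Set removes duplicates; sorting by repr gives a stable order for mixed types.
        return tuple(sorted({_normalise(v) for v in value}, key=repr))
    if isinstance(value, dict):
        # Dicts become sorted tuples of (key, normalised value) so they are hashable.
        return tuple(sorted((k, _normalise(v)) for k, v in value.items()))
    return value


def normalised_diff(desired: dict, current: dict) -> dict:
    """Return only the desired keys whose normalised value differs on the device."""
    return {k: v for k, v in desired.items() if _normalise(current.get(k)) != _normalise(v)}


def normalised_changed(desired: dict, current: dict) -> bool:
    """True only when a real difference remains after normalisation."""
    return bool(normalised_diff(desired, current))


if __name__ == "__main__":
    print("strict:", strict_changed(DESIRED_POLICY, DEVICE_POLICY))          # True
    print("normalised:", normalised_changed(DESIRED_POLICY, DEVICE_POLICY))  # False
```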