limited choice for monitor API

[liyihuang]

Hi,

I'm trying to use this module in ansible to do the network automation for our fortigate. I found there is monitor action chocies, and I read the source code for monitor action. it looks like it will just use fortiosAPI to do a monitor API call.

When I use the following playbook

• name: fortios license information fortiosconfig: action: "monitor" host: "{{ inventory_hostname }}" username: "{{ hostvars[inventory_hostname].remote_user }}" password: "{{ hostvars[inventory_hostname].ansible_ssh_pass }}" config: "license/status select"

it tells me that I can only use the ones in the avalible_conf. I went through the AVAL_CONF, it looks like it's more about using the some common CMDB API.

Is monitor action function unfinished? or I'm using it in the wrong way.

btw:

I used fortiOSAPI to test my code, and it works fine.

After deleting the check for the config, I can get the result from the fortigate. You might want to do the check for the other actions, at least not for monitor API

[thomnico]

Hello,

Thanks for the detailed check and report. We did this pre-check in Ansible to allow a comprehensible error message instead of a long stack trace. For the cmdb part we can generate it, monitor part is manual.

We want to support monitor calls as you can check in fortiosapi library. The fastest fix is to send us a pull request or log bugs with the missing/used monitoring calls you need.

Hope this helps,

[thomnico]

Can you check/comment on PR: https://github.com/fortinet-solutions-cse/40ansible/tree/monitorcalls which should solve your issue and show how to avoid this pb

[migumun]

Hi @caibitim , As you guessed, the monitor is partially supported. We have some developments ongoing to support both POST and GET calls for it. Our intention was to add it gradually, and of course taking into account users demands.

I think it is better if you propose/tells us the monitor calls that you need. Either with a list of those you need or with a PR containing the modifications in AVAILABLE_CONF variable.

Thanks!

[liyihuang]

Sorry for the late reply. I'm using "license/status select" to get the license info from the fortigate. However, there are tons of monitor functions that you can use, and it will still grow as the time goes by. I don't thin it's a good idea to limit the configs there to avoid the long stack trace since you will always run into the python debug when you are doing the ansible. I can essily do a PR for mine but don't think it's a good idea for this project.

btw, is there any good parser for fortigate config? I found the fortigate API is not enough for my requirement

[migumun]

No worries. Eventually we will include all the monitor functions in the module. The reason to ask for your preferences is to give priority to those needed more urgently by customers/users (we add them gradually as we test them).

Regarding a good parser for fortigate api, Can you elaborate it a bit more? not sure what you need exactly. Normally I parse the fortigate cmdb by fetching the whole schema:

http://{{fgt_ip}}/api/v2/cmdb?action=schema

Note this is only for CMDB and not Monitor

[liyihuang]

I'm trying to see if there a lib to help me parse the config file of fortigate firewall to be a python dict or json file or something like that so I don't have to write a lot of regular expression for searching the string

[thomnico]

The monitor API calls are described in the Fortinet API spec document in https://fndn.fortinet.com

Going to check if we can keep the requirements to have a comprehensible error message when trying a non-existing name/path combination in all cases..

[migumun]

While for CMDB you can infer the call info easily from the config, for Monitor it is not that easy. The only way is to get it from the documentation.

Please be aware that for full monitor support (e.g. POST), fortiosconfig module needs to be updated. I have the code ready to be merged (due to a previous request for generating CSRs) but it is waiting for a bug to be fixed in fortios REST API. I'll post is as soon as I can test it.

[mbdraks]

@caibitim I understand that you want something to parse FortiOS config file (not the API response) so maybe something like TextFSM + some templates to facilitate the parsing.

The bad news is that we don't currently have any TextFSM templates (at least not on networktocode repo) but the good news is that they look easy to create and the result is exactly what you need.

[liyihuang]

@barbosm thanks. I think I will either go with textfsm or parse it by myself.

[migumun]

Hi, a basic support for some initial monitor api calls have been included in fortiosconfig (https://github.com/fortinet-solutions-cse/40ansible/pull/42). We'll add more endpoints gradually as needed by users. Please note that most api calls are one-shot operations that make very difficult or almost impossible to keep idempotency, so please handle with care. I'll be closing this one but feel free to reopen if there are issues. If you need more endpoints supported for monitor feel free to open a new issue or PR with the endpoints desired and we will try to add them.