tmorris-ftnt / ztptool

ZTP Tool helps to setup Zero Touch Provisioning (ZTP) of Fortinet Secure SD-WAN deployments.

Firewall in Cluster HA #21

Open zzbbaqe opened 2 years ago

zzbbaqe commented 2 years ago

Hi, firstly I would like to thank you for this tool. This tool works fine with a single firewall. How can I make it work with a firewall in a cluster (HA)?

Thank you in advance,

tmorris-ftnt commented 2 years ago

I'll need to add support for that. When I first created this, FortiManager didn't support it well, but it does now, so it should be doable. I'll look into it soon.

zzbbaqe commented 2 years ago

Hi, to add this feature I think you have to change the code. Will it take much time to have the new version? Thank you in advance.

tmorris-ftnt commented 2 years ago

I'm not sure how much time it will take.

There is also now a feature in FMG 7.2 which will make this tool redundant.

https://docs.fortinet.com/document/fortimanager/7.2.0/new-features/673597/device-blueprints

Unfortunately this doesn't support HA model or some existing features of ZTP tool such as populating dynamic address object mappings.

When would you need an update for your project?

zzbbaqe commented 2 years ago

Hi, my project starts next week and I would really appreciate it if you could give me an update.

tmorris-ftnt commented 2 years ago

I've done the initial implementation, but with very limited testing at this point. You can get the build here: https://tmorris-ftnt.github.io/ztptool-v1.0.15ha-preview-win.zip

Are you able to run from the source code? This will just make it easier/quicker to fix anything if something doesn't quite work right.

There is an example xlsx included in the build for an HA device.

There are a few new columns you can add for an HA device now.

Notes: This should be the same as creating an HA model cluster as per https://docs.fortinet.com/document/fortimanager/7.0.3/administration-guide/334482/adding-a-model-fortigate-ha-cluster

Currently the priority is hard-coded to 255 for the primary and 128 for the secondary. I'll make options for this in a future build.

I've only tested it in FMG 7.0.3 and only to the point of creating the model device with the HA members as per the link above.

Let me know if you have any issues with it. I'll try to do some more testing on this over the weekend.

kevingufler commented 2 years ago

Hello, I just wanted to test the new functionality, but I somehow can't seem to find the source code. Would it be possible to release the source code too, please?

Thank you very much for this nice tool ❤️

tmorris-ftnt commented 2 years ago

Sure, I've made a branch for it here: https://github.com/tmorris-ftnt/ztptool/tree/hamodel

kevingufler commented 2 years ago

So I might have found some bugs:

On line 622: `%s` does not get resolved, and I think you might want to put the device name there. It's strange that the API call still returns 200 OK. I.e.: `"url": "/pm/config/device/"+devicename+"/global/system/ha"`

On line 1673: `"HA_SN"` is always in the dict since it is in the xlsx. There should be a check that its length is greater than 0, i.e. `and len(devicedata["HA_SN"]) > 0`, otherwise it will always try to run `add_ha_model_device`. At the moment this leads to non-HA devices not being set up correctly.
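The HA_SN check described above, as an added example that is not ztptool's own code: every row read from the xlsx carries the HA_SN column, so key presence alone cannot distinguish a cluster from a single unit. The column names `SN` and `Name`, the returned member structure and the sample serial numbers are assumptions; the priorities 255/128 and the `HA_SN` column come from this thread.

```python
"""Decide whether a ZTP spreadsheet row describes an HA cluster and, if so,
build the member list. Example for this issue thread, not ztptool code."""

PRIMARY_PRIORITY = 255    # hard-coded in the preview build, per the thread
SECONDARY_PRIORITY = 128


def _clean(value):
    """Normalise a spreadsheet cell: None, NaN or whitespace becomes ''."""
    if value is None:
        return ""
    if isinstance(value, float) and value != value:  # NaN from an empty xlsx cell
        return ""
    return str(value).strip()


def is_ha_device(devicedata):
    """True only when HA_SN is present AND non-empty.

    '"HA_SN" in devicedata' alone is not enough: the column exists on every
    row read from the xlsx, so the key is there even for single units.
    """
    return len(_clean(devicedata.get("HA_SN"))) > 0


def ha_members(devicedata):
    """Return [(serial, priority), ...] for a cluster, or [] for a single unit.

    Rejects an HA_SN that merely repeats the primary serial, which would
    otherwise register the same unit twice. Column name "SN" is assumed.
    """
    primary = _clean(devicedata.get("SN"))
    if not primary:
        raise ValueError("row has no primary serial number (SN)")
    if not is_ha_device(devicedata):
        return []
    secondary = _clean(devicedata.get("HA_SN"))
    if secondary.upper() == primary.upper():
        raise ValueError("HA_SN must differ from the primary SN")
    return [(primary, PRIMARY_PRIORITY), (secondary, SECONDARY_PRIORITY)]


# Constructed sample rows (serials are made up): a real HA pair, an empty
# HA_SN cell as pandas/openpyxl yields it (NaN), and a whitespace-only cell.
SAMPLE_ROWS = [
    {"Name": "branch-fw", "SN": "FGT60FTK00000001", "HA_SN": "FGT60FTK00000002"},
    {"Name": "single-fw", "SN": "FGT60FTK00000003", "HA_SN": float("nan")},
    {"Name": "blank-fw", "SN": "FGT60FTK00000004", "HA_SN": "   "},
]
```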

tmorris-ftnt commented 2 years ago

Thanks for the feedback. The %s is a bit weird; it's not supposed to be a replacement. When you do the action in the GUI, the API call has that %s. I had just copied what it did, and it worked, so I didn't look at it any more.

You're right about HA_SN needing a check that it's actually filled in; I mentioned above that I need to fix this.

In some more testing and research, the 7.0 HA model device is a little troublesome; in FMG 7.2 this process has been completely changed. I think I will have to target 7.2 for this feature.

Also planning to support template groups as well.

kevingufler commented 2 years ago

In my experience the API itself often gives a 200 OK response even if nothing really is OK... so you think the %s should stay?

tmorris-ftnt commented 2 years ago

Yes, I believe it's correct. I've checked another example and it has the same %s used in the URL.

kevingufler commented 2 years ago

Okay, it does seem a little strange... In the meantime I found something else: on line 604, you try to change the name of the primary, but somehow the name for the primary does not get set, while it works for the secondary. I.e., the "-0" postfix is not getting set.

tmorris-ftnt commented 2 years ago

Hi, it does the same thing if you do it via the GUI. I think it's just how FortiManager works. I'll hopefully get some time to test this more soon.

kevingufler commented 2 years ago

Hello, were you able to do some testing? We are observing some strange behaviour when deploying the machines. The HA machines are registering themselves but are not able to retrieve the configuration and instead show Config-State: Conflict inside the FortiManager. Upon reboot of the firewall, when observing the config of said HA machine inside the FortiManager, the HA configuration gets doubled and shows the primary and secondary twice.

tmorris-ftnt commented 2 years ago

Hi Kevin,

Are you able to successfully deploy the HA cluster when configuring it from the FortiManager GUI?

I now have two of the same FortiGate units here, so I can test them. I was trying with VMs before, but that introduced some extra complications.

zzbbaqe commented 2 years ago

Hi, Kevin and I have tried to deploy two FortiGate VMs. We have the following issue: the firewalls register to the FortiManager but cannot download the config. When I reboot the firewall in the cluster member, we see a duplicated entry. For example, we see the primary firewall and the secondary twice with the same serial, priority and rule. I have the demo, and if you would like we can have a quick remote session in order to share our ideas?

zzbbaqe commented 2 years ago

Here is the example: https://prnt.sc/pHKxPK9WPk1r