
Ansible for FortiNet

Gini · 3 mins read

Setup FortiNet device on GNS3

Refer: Fortinet Device Setup in GNS3

API References

$ curl -k -i -X POST http://10.1.10.70/logincheck -d "username=admin&secretkey=password" --dump-header headers.txt -c cookies.txt
$ curl -k -i -X GET http://10.1.10.70/api/v2/cmdb/router/static -b headers.txt

### logout
$ curl -k -i -X POST http://10.1.10.70/logout

Prerequisites

Install fortiosAPI

pip install fortiosapi
# or
pip3 install fortiosapi
# or
python3.6 -m pip install <module>

Ref: https://pypi.org/project/fortiosapi/

Dependency

  • oyaml

Install FortiOS Collection from Ansible Galaxy

ansible-galaxy collection install fortinet.fortios

https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/tree/fos_v6.0.0/galaxy_1.0.13

Web Rating Overrides

Ref: Overriding FortiGuard website categorization

CLI commands

In the CLI, the term is local category.

To create a local category:

config webfilter ftgd-local-cat
  edit local_category_1
    set id 140
  end

eg:

config webfilter ftgd-local-cat
  edit custom_category
    set id 150
  end

To set a rating to a Local Category:

config webfilter ftgd-local-rating
  edit <url_str>
    set rating {[<category_int>] [<group_str>] ...}
    set status {enable | disable}
  end

eg:

config webfilter ftgd-local-rating
  edit testurl101.com
    set rating 150
    set status enable
  end
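The two CLI snippets above (local category id 150, then rating testurl101.com into it) as fortinet.fortios collection tasks; this is an added example, not code from the original post. The inventory group "fortigates", the httpapi connection variables and `ansible_network_os=fortinet.fortios.fortios` in the inventory are assumptions.

```yaml
---
# Added example (not from the original post). Assumes an inventory group
# "fortigates" whose hosts set ansible_network_os=fortinet.fortios.fortios.
- name: Override FortiGuard categorization for one URL
  hosts: fortigates
  connection: httpapi
  collections:
    - fortinet.fortios
  vars:
    vdom: root
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # false only for a lab self-signed cert
    ansible_httpapi_port: 443
  tasks:
    # CLI equivalent: config webfilter ftgd-local-cat / edit custom_category / set id 150
    # The category name is the "desc" key of this table.
    - name: Create the local category
      fortios_webfilter_ftgd_local_cat:
        vdom: "{{ vdom }}"
        state: present
        webfilter_ftgd_local_cat:
          desc: custom_category
          id: 150
          status: enable

    # CLI equivalent: config webfilter ftgd-local-rating / edit testurl101.com / set rating 150
    - name: Rate the URL into that category
      fortios_webfilter_ftgd_local_rating:
        vdom: "{{ vdom }}"
        state: present
        webfilter_ftgd_local_rating:
          url: testurl101.com
          rating: "150"
          status: enable
```

Run with `ansible-playbook -i inventory webrating.yml`; the rating only takes effect for traffic that hits a policy with a web filter profile applied.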

Using Ansible Modules

Add a new member to the blacklist group

https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Object%20Configuration/Addresses/Address%20Groups.htm?Highlight=add%20address%20to%20group

https://docs.fortinet.com/vm/cisco-aci/fortigate/5.6/sdn-connector/5.6.3/617358/configuring-the-firewall-address-and-address-group

config firewall address
  edit "test-tag"
    set type dynamic
    set sdn aci
    set tenant "TENANT-NAME"
    set epg-name "AP-NAME|EPG-NAME"
    set sdn-tag "TAG-NAME"
  next
end

config firewall addrgrp
  edit "test-group"
    set member "test-tag" "Adobe Login"
  next
end

FortiGate-VM64-KVM # show firewall addrgrp blklist1
config firewall addrgrp
    edit "blklist1"
        set uuid b257da0e-bd59-51ea-2067-4bd93d716b5f
        set member "block-10.6.10.0/24"
        set comment "Added via Ansible"
        set color 6
    next
end
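A playbook that produces the `show firewall addrgrp blklist1` output above (member, comment and color), added here as an example and not code from the original post. The subnet behind the object name "block-10.6.10.0/24" is assumed to be 10.6.10.0/24, and the inventory group and httpapi connection variables are assumptions.

```yaml
---
# Added example (not from the original post). Assumes an inventory group
# "fortigates" whose hosts set ansible_network_os=fortinet.fortios.fortios.
- name: Add a network to the blacklist address group
  hosts: fortigates
  connection: httpapi
  collections:
    - fortinet.fortios
  vars:
    vdom: root
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # false only for a lab self-signed cert
    ansible_httpapi_port: 443
    blocked_name: "block-10.6.10.0/24"     # object name seen in the show output
    blocked_net: "10.6.10.0 255.255.255.0" # assumed subnet behind that name
  tasks:
    - name: Address object for the network to block
      fortios_firewall_address:
        vdom: "{{ vdom }}"
        state: present
        firewall_address:
          name: "{{ blocked_name }}"
          type: ipmask
          subnet: "{{ blocked_net }}"
          comment: "Added via Ansible"

    # The module writes the whole group object, so "member" must list every
    # address the group should end up with, not only the one being added.
    - name: Group referenced by the blocking policy
      fortios_firewall_addrgrp:
        vdom: "{{ vdom }}"
        state: present
        firewall_addrgrp:
          name: blklist1
          member:
            - name: "{{ blocked_name }}"
          comment: "Added via Ansible"
          color: 6
```

After the run, `show firewall addrgrp blklist1` on the FortiGate should match the output shown above (the uuid is generated by the device).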

Appendix

config firewall address
    edit "eg  block ip1"
        set subnet 192.168.82.82 255.255.255.255
    next
    edit "eg block ip2"
        set subnet 192.168.81.81 255.255.255.255
    next
end
config firewall addrgrp
    edit "Group of block ip"
        set member "eg  block ip1" "eg block ip2"
    next
end
config webfilter urlfilter
    edit 1
        set name "webfilter-url"
        config entries
            edit 1
                set url "*"
                set type wildcard
                set action block
            next
        end
    next
end
config firewall policy
    edit 1
        set name "Weburl filter"
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "Group of block ip"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter-url"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

ansible-fortios-generic module

Ref: ansible-fortios-generic

Troubleshooting

HTTPS issue

[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1076)

This error means the client started a TLS handshake but the response was not a TLS record, i.e. the scheme and port the module was given do not match what the device is actually serving there.

A - Disable https and use http

References

  • GitHub: ansible-galaxy-fortios-collection
  • https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/954635/getting-started
  • https://ftnt-ansible-docs.readthedocs.io/en/latest/fortios_modules/fortios_webfilter_urlfilter.html
  • https://docs.ansible.com/ansible/latest/modules/fortios_webfilter_urlfilter_module.html
  • https://docs.ansible.com/ansible/latest/modules/fortios_firewall_policy_module.html