ansible,

Ansible for FortiNet

Gini Gini Follow · 3 mins read
Ansible for FortiNet
Share this

Setup FortiNet device on GNS3

Refer : Fortinet Device Setup in GNS3

API References

$ curl -k -i -X POST http://10.1.10.70/logincheck -d "username=admin&secretkey=password" --dump-header headers.txt -c cookies.txt
$ curl -k -i -X GET http://10.1.10.70/api/v2/cmdb/router/static -b headers.txt

### logout
$ curl -k -i -X POST http://10.1.10.70/logout

Prerequisites

Install fortiosAPI

pip install fortiosapi
#or
pip3 install fortiosapi

Ref: https://pypi.org/project/fortiosapi/

Install FortiOS Collection from Ansible Galaxy

ansible-galaxy collection install fortinet.fortios

https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/tree/fos_v6.0.0/galaxy_1.0.13

Web Rating Overrides

Ref: Overriding FortiGuard website categorization

CLI commands

In the CLI, the term is local category.

To create a local category:

config webfilter ftgd-local-cat
  edit local_category_1
    set id 140
  end

eg:

config webfilter ftgd-local-cat
  edit custom_category
    set id 150
  end

To set a rating to a Local Category:

config webfilter ftgd-local-rating
  edit <url_str>
    set rating {[<category_int>] [group_str] . . .]
    set status {enable | disable}
  end

eg:

config webfilter ftgd-local-rating
  edit testurl101.com
    set rating 150
    set status enable
  end

Using Ansible Modules

Add the new member to blacklist group

https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Object%20Configuration/Addresses/Address%20Groups.htm?Highlight=add%20address%20to%20group

https://docs.fortinet.com/vm/cisco-aci/fortigate/5.6/sdn-connector/5.6.3/617358/configuring-the-firewall-address-and-address-group

config firewall address

  edit "test-tag"

    set type dynamic

    set sdn aci

    set tenant "TENANT-NAME"

    set epg-name "AP-NAME|EPG-NAME"

    set sdn-tag "TAG-NAME"

  next

end

config firewall addrgrp

  edit "test-group"

    set member "test-tag" "Adobe Login"

  next

end
FortiGate-VM64-KVM # show firewall addrgrp blklist1
config firewall addrgrp
    edit "blklist1"
        set uuid b257da0e-bd59-51ea-2067-4bd93d716b5f
        set member "block-10.6.10.0/24"
        set comment "Added via Ansible"
        set color 6
    next
end

Appendix

config firewall address
edit "eg  block ip1"
        set subnet 192.168.82.82 255.255.255.255
    next
    edit "eg block ip2"
        set subnet 192.168.81.81 255.255.255.255
    next
end
config firewall addrgrp
	edit "Group of block ip"
        set member "eg  block ip1" "eg block ip2"
next
end
config webfilter urlfilter
 edit 1
        set name "webfilter-url"
        config entries
	edit 1
                set url "*"
                set type wildcard
                set action block
            next
	end
	next
end
config firewall policy
edit 1
        set name "Weburl filter"
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "Group of block ip"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter-url"    
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

ansible-fortios-generic module

Ref: ansible-fortios-generic

Troubleshooting

HTTPS issue

[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1076)’)))

A - Disable https and use http

References

  • GitHub : ansible-galaxy-fortios-collection https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/954635/getting-started https://ftnt-ansible-docs.readthedocs.io/en/latest/fortios_modules/fortios_webfilter_urlfilter.html https://docs.ansible.com/ansible/latest/modules/fortios_webfilter_urlfilter_module.html https://docs.ansible.com/ansible/latest/modules/fortios_firewall_policy_module.html
Gini
Written by Gini Follow
Backpacker, Foodie, Techie

Latest Stories

How to Pass CKA & CKAD Exams ? 10 Tips for Kubernetes Exams

Here see the best tips for Kubernetes Exams - Certified Kubernetes Administrator (CKA) & Certified Kubernetes Application Developer (CKAD).

In kubernetes, Jul 08, 2020
CKA & CKAD - Kubernetes Exam Tips, Learning Path and Certification

Since kubernetes is getting wide acceptance, Kubernetes Certification is the most trending one in IT circle now. I have completed both recently (March – April 2020) and I started gett...

In kubernetes, May 03, 2020
Start Your OpenShift Journey with these Free Red Hat Training Programs

Red Hat OpenShift Container Platform is one of the best kubernetes platform for enterprises. As we know kubernetes and OpenShift are multi-component stack and not easy to learn withou...

In openshift, Mar 09, 2020
Installing oVirt 4 with Self-Hosted Engine on Enterprise Linux

oVirt is one of the best free and open-source virtualization solution with enterprise level features. Installing oVirt cluster is simple and straight forward and you can refer the ins...

In oVirt, Mar 05, 2020

Featured