ansible,

Ansible for FortiNet

Gini Gini Follow · 3 mins read
Ansible for FortiNet
Share this

Setup FortiNet device on GNS3

Refer : Fortinet Device Setup in GNS3

API References

$ curl -k -i -X POST http://10.1.10.70/logincheck -d "username=admin&secretkey=password" --dump-header headers.txt -c cookies.txt
$ curl -k -i -X GET http://10.1.10.70/api/v2/cmdb/router/static -b headers.txt

### logout
$ curl -k -i -X POST http://10.1.10.70/logout

Prerequisites

Install fortiosAPI

pip install fortiosapi
#or
pip3 install fortiosapi

#or
python3.6 -m pip install <module>

Ref: https://pypi.org/project/fortiosapi/

Dependancy

  • oyaml

Install FortiOS Collection from Ansible Galaxy

ansible-galaxy collection install fortinet.fortios

https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/tree/fos_v6.0.0/galaxy_1.0.13

Web Rating Overrides

Ref: Overriding FortiGuard website categorization

CLI commands

In the CLI, the term is local category.

To create a local category:

config webfilter ftgd-local-cat
  edit local_category_1
    set id 140
  end

eg:

config webfilter ftgd-local-cat
  edit custom_category
    set id 150
  end

To set a rating to a Local Category:

config webfilter ftgd-local-rating
  edit <url_str>
    set rating {[<category_int>] [group_str] . . .]
    set status {enable | disable}
  end

eg:

config webfilter ftgd-local-rating
  edit testurl101.com
    set rating 150
    set status enable
  end

Using Ansible Modules

Add the new member to blacklist group

https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Object%20Configuration/Addresses/Address%20Groups.htm?Highlight=add%20address%20to%20group

https://docs.fortinet.com/vm/cisco-aci/fortigate/5.6/sdn-connector/5.6.3/617358/configuring-the-firewall-address-and-address-group

config firewall address

  edit "test-tag"

    set type dynamic

    set sdn aci

    set tenant "TENANT-NAME"

    set epg-name "AP-NAME|EPG-NAME"

    set sdn-tag "TAG-NAME"

  next

end

config firewall addrgrp

  edit "test-group"

    set member "test-tag" "Adobe Login"

  next

end
FortiGate-VM64-KVM # show firewall addrgrp blklist1
config firewall addrgrp
    edit "blklist1"
        set uuid b257da0e-bd59-51ea-2067-4bd93d716b5f
        set member "block-10.6.10.0/24"
        set comment "Added via Ansible"
        set color 6
    next
end

Appendix

config firewall address
edit "eg  block ip1"
        set subnet 192.168.82.82 255.255.255.255
    next
    edit "eg block ip2"
        set subnet 192.168.81.81 255.255.255.255
    next
end
config firewall addrgrp
	edit "Group of block ip"
        set member "eg  block ip1" "eg block ip2"
next
end
config webfilter urlfilter
 edit 1
        set name "webfilter-url"
        config entries
	edit 1
                set url "*"
                set type wildcard
                set action block
            next
	end
	next
end
config firewall policy
edit 1
        set name "Weburl filter"
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "Group of block ip"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter-url"    
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

ansible-fortios-generic module

Ref: ansible-fortios-generic

Troubleshooting

HTTPS issue

[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1076)’)))

A - Disable https and use http

References

  • GitHub : ansible-galaxy-fortios-collection https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/954635/getting-started https://ftnt-ansible-docs.readthedocs.io/en/latest/fortios_modules/fortios_webfilter_urlfilter.html https://docs.ansible.com/ansible/latest/modules/fortios_webfilter_urlfilter_module.html https://docs.ansible.com/ansible/latest/modules/fortios_firewall_policy_module.html
Gini
Written by Gini Follow
Backpacker, Foodie, Techie

Latest Stories

HashiCorp Certified Terraform Associate – Learning & Exam Tips

I started using Terraform somewhere in 2018, but very limited usage as I thought it is just another tool for provisioning infrastructure and other services – or a variant of Vagrant; ...

In terraform, Sep 18, 2020
Deploy Minikube Using Vagrant and Ansible on VirtualBox – Infrastructure as Code

Minikube is a tool to run a kubernetes cluster locally, that means on your laptop or inside a virtual machine. Minikube will run a single node kubernetes cluster on your machine with ...

In kubernetes, Aug 11, 2020
How to Pass CKA & CKAD Exams ? 10 Tips for Kubernetes Exams

Here see the best tips for Kubernetes Exams - Certified Kubernetes Administrator (CKA) & Certified Kubernetes Application Developer (CKAD).

In kubernetes, Jul 08, 2020
CKA & CKAD - Kubernetes Exam Tips, Learning Path and Certification

Since kubernetes is getting wide acceptance, Kubernetes Certification is the most trending one in IT circle now. I have completed both recently (March – April 2020) and I started gett...

In kubernetes, May 03, 2020

Featured