ansible,

Ansible for FortiNet

Gini Gini Follow · 3 mins read
Ansible for FortiNet
Share this

Setup FortiNet device on GNS3

Refer : Fortinet Device Setup in GNS3

API References

$ curl -k -i -X POST http://10.1.10.70/logincheck -d "username=admin&secretkey=password" --dump-header headers.txt -c cookies.txt
$ curl -k -i -X GET http://10.1.10.70/api/v2/cmdb/router/static -b headers.txt

### logout
$ curl -k -i -X POST http://10.1.10.70/logout

Prerequisites

Install fortiosAPI

pip install fortiosapi
#or
pip3 install fortiosapi

#or
python3.6 -m pip install <module>

Ref: https://pypi.org/project/fortiosapi/

Dependancy

  • oyaml

Install FortiOS Collection from Ansible Galaxy

ansible-galaxy collection install fortinet.fortios

https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/tree/fos_v6.0.0/galaxy_1.0.13

Web Rating Overrides

Ref: Overriding FortiGuard website categorization

CLI commands

In the CLI, the term is local category.

To create a local category:

config webfilter ftgd-local-cat
  edit local_category_1
    set id 140
  end

eg:

config webfilter ftgd-local-cat
  edit custom_category
    set id 150
  end

To set a rating to a Local Category:

config webfilter ftgd-local-rating
  edit <url_str>
    set rating {[<category_int>] [group_str] . . .]
    set status {enable | disable}
  end

eg:

config webfilter ftgd-local-rating
  edit testurl101.com
    set rating 150
    set status enable
  end

Using Ansible Modules

Add the new member to blacklist group

https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Object%20Configuration/Addresses/Address%20Groups.htm?Highlight=add%20address%20to%20group

https://docs.fortinet.com/vm/cisco-aci/fortigate/5.6/sdn-connector/5.6.3/617358/configuring-the-firewall-address-and-address-group

config firewall address

  edit "test-tag"

    set type dynamic

    set sdn aci

    set tenant "TENANT-NAME"

    set epg-name "AP-NAME|EPG-NAME"

    set sdn-tag "TAG-NAME"

  next

end

config firewall addrgrp

  edit "test-group"

    set member "test-tag" "Adobe Login"

  next

end
FortiGate-VM64-KVM # show firewall addrgrp blklist1
config firewall addrgrp
    edit "blklist1"
        set uuid b257da0e-bd59-51ea-2067-4bd93d716b5f
        set member "block-10.6.10.0/24"
        set comment "Added via Ansible"
        set color 6
    next
end

Appendix

config firewall address
edit "eg  block ip1"
        set subnet 192.168.82.82 255.255.255.255
    next
    edit "eg block ip2"
        set subnet 192.168.81.81 255.255.255.255
    next
end
config firewall addrgrp
	edit "Group of block ip"
        set member "eg  block ip1" "eg block ip2"
next
end
config webfilter urlfilter
 edit 1
        set name "webfilter-url"
        config entries
	edit 1
                set url "*"
                set type wildcard
                set action block
            next
	end
	next
end
config firewall policy
edit 1
        set name "Weburl filter"
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "Group of block ip"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter-url"    
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

ansible-fortios-generic module

Ref: ansible-fortios-generic

Troubleshooting

HTTPS issue

[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1076)’)))

A - Disable https and use http

References

  • GitHub : ansible-galaxy-fortios-collection https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/954635/getting-started https://ftnt-ansible-docs.readthedocs.io/en/latest/fortios_modules/fortios_webfilter_urlfilter.html https://docs.ansible.com/ansible/latest/modules/fortios_webfilter_urlfilter_module.html https://docs.ansible.com/ansible/latest/modules/fortios_firewall_policy_module.html
Gini
Written by Gini Follow
Backpacker, Foodie, Techie

Latest Stories

How To Get Hands-On Experience in AWS

Every Time you have the same situation, you know the technology and maybe you are already a certified professional in that technology, but you are not getting enough hands-on on that ...

In AWS, Jan 04, 2021
Getting Started with Ansible Collections

Ansible Collection is a great way of getting content contributions from various Ansible Developers. Earlier there was a tagline for Ansible – “Batteries included”, but now the battery...

In redhat, ansible, Dec 22, 2020
Configure Your Windows Host to be Managed by Ansible

I was talking to my friend about Ansible automation and how we are implementing automated solutions for cloud and on-premise infrastructure. Then he told me that, his team is looking ...

In redhat, ansible, Dec 01, 2020
Remove nodes from Kubespray Managed Kubernetes Cluster

Kubespray is a combination of Ansible and Kubernetes and you can use Kubespray for deploying production ready Kubernetes clusters. You can manage full-lifecycle of Kubernetes clusters...

In containers, kubernetes, Nov 30, 2020
Adding new nodes to Kubespray Managed Kubernetes Cluster

Kubespray is a combination of Ansible and Kubernetes and you can use Kubespray for deploying production ready Kubernetes clusters. Learn how to add new nodes in a Kubernetes cluster u...

In containers, kubernetes, Nov 27, 2020

Featured