Has anyone successfully used Ansible with their Fortigates?

rwpatterson (Expert Member), 2020/11/13 08:21:45


I have just finished an Ansible class for my job (switches and such) and was trying to connect with my Fortigate. No Bueno! Anyone have any luck using Ansible to connect to their Fortigate?
 
Thanks in advance.

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com


-5.0.14-b0323
FWF81CM (1)
 
-4.3.19-b0694
FWF80CM (2)
FWF81CM (2)
 
#1

11 Replies

    emnoc (Expert Member), 2020/11/13 08:52:39
    Yes. Have you confirmed that ssh & https access is available from the managed node to the fortigate? I would pull up a cli and do a test run.
    e.g.
     
    ssh username@fgt.ipv4
    curl -v -k https://<fgt address>
     
     
    Ensure, if trusthost is being used, that this is not blocking the access.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #2
    rwpatterson (Expert Member), 2020/11/13 09:28:22
    Been there, done that. I can get in from the CLI. Maybe I just can't write a proper playbook. Do you have an example that would, say, get me the contents of the 'system' 'interfaces' area?

    #3
    emnoc (Expert Member), 2020/11/13 10:34:38
    Basic playbook for status collecting against my hosts in fgtwest. You need to ensure the creds are correct, which I assume you did.
     
     
    ===== ensure you have the proper indentation =====
    - hosts: localhost
      vars:
        host: "fgtwest"
        username: "fgtadmin"
        password: "fgtpassword1234"
        vdom: "root"
        ssl_verify: "no"
      tasks:
        - name: basic system status f
          fortios_facts:
            host: "{{ host }}"
            username: "{{ username }}"
            password: "{{ password }}"
            vdom: "{{ vdom }}"
            gather_subset:
              - fact: 'system_status_select'
     
     
    Ken Felix

    #4
    rwpatterson (Expert Member), 2020/11/13 11:05:57
    OK. There is something missing in my install...
     
    TASK [basic system status f] ********************************************************************************
    fatal: [localhost]: FAILED! => {"changed": false, "msg": "fortiosapi module is required"}
     
    I updated the latest from the Galaxy.

    #5
    emnoc (Expert Member), 2020/11/13 11:41:25
    So after you updated ansible-galaxy, what error are you getting?
     
    You might also need to modify your host entry with the following:
     
    e.g.
     
    [fgt]
    x.x.x.x    ansible_user=<ansible-username-account-on-fgt>
     
    I would also enable "set admin-scp enable" on the fortigate global config and copy the ssh-key to that named account also. To confirm ansible has hit the fgt, do a
     
    "get system admin list"; you should have a ssh login from the control_node via ssh. Dump your playbook here when you get a chance.
     
     
    Ken Felix
     
     

    #6
    rwpatterson (Expert Member), 2020/11/13 12:15:14
    ---
    - name: Get Fortinet 'system' 'Interface' information
      hosts: localhost
      vars:
        host: "192.168.xx.xx"
        username: "xxxxx"
        password: "xxxxx"
        vdom: "root"
        ssl_verify: "no"
      tasks:
        - name: basic system status f
          fortios_facts:
            host: "{{ host }}"
            username: "{{ username }}"
            password: "{{ password }}"
            vdom: "{{ vdom }}"
            gather_subset:
              - fact: 'system_status_select'
     
    Not sure how to move the SSL cert over.  That may be most of the issue.

    #7
    rwpatterson (Expert Member), 2020/11/13 12:23:26
    OK, after running 'show full sys adm <admin>', I see where to add the key, now how do I get it from CentOS?
     

    #8
    rwpatterson (Expert Member), 2020/11/13 12:34:58
    OK, Dr. Google helped me out in getting the key moved over. Still the same error. I'm done for today. A full week of 8 hour days learning this. My brain needs a break.
     
    *** Addition. I created a new key without a passphrase and now the login is seamless (no password required). Error persists.  Tomorrow is another day. Damn CentOS 7.
    post edited by rwpatterson - 2020/11/13 12:43:49

    #9
    emnoc (Expert Member), 2020/11/13 13:39:19
    What I do is go to my ansible account dir and cd to .ssh.
     
    You should have a pub key that ends in id_rsa.pub. Copy that pub key and paste it in with " " strings for the ansible user.
     
    e.g
     
    config system admin
    edit "ansible"
    set accprofile "super_admin"
    set vdom "root"
    set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgqzF+K7qevH8xe9LQyiuSD794R1mmzVNAe8BfiREx3MXYgR+6gbskKwgQ7SoyS66Zw32qoojasFVwPipmU1j3NYch8ErCa3n2EgO4LLw8Y08aG8RdOhz0ZEa0NetjS7C7vScEBRmVPQitF0TpYaYVGpCirsPLHMZl9zfMMDDYzlA+PiuENUULY0wEKAH0xD1zLRWNtdAI/nFzEeOIUBCQNkbmNhip4d5FGiDMzbWof522hA3WG9IzS8XLm85H48it3NwgwK6g8vzSw1sAbxriQDn5N3tfG8+c3LukZzXJZ086TQuRCh28tnPH1FCWcgHsR3eiDgOi6UcSbNOsYbOj ansible@socpuppets.com"
    set password ENC SH23eab+MFSXJSuzKbTOGTRppllTNqklpULhers2FWVWbGXZ99vXQv1kyKIA1E=
    next
    end
     
    Now if you ssh from the control_node you should gain access.
     
    Now run your playbook, but call out debug:
     
    e.g.
      ansible-playbook --syntax-check <youplaybooknamed.yml>
      ansible-playbook --check <youplaybooknamed.yml>
     
      ANSIBLE_DEBUG=1 ansible-playbook <youplaybooknamed.yml>
     
    If you are a success, the "get system admin list" will show your control_node logged in. Another trick that we do, which is simple, is to make API calls, but we use ansible plays to gather status. We run this off a linux host in the org that grabs the status. This is how we test ansible using the uri module, check that the fortigate is up, and connectivity to the fgt.
     
     
     I would do something like that if you want to test ansible before calling up the fortios specific modules.
     
    Ken Felix
     
    post edited by emnoc - 2020/11/13 13:40:50

    #10
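An added example (not Ken's playbook or Fortinet's code) of the uri-module API check described above: it verifies reachability and credentials before any fortios_* module is called. It assumes a REST API admin user exists on the FortiGate whose token is exported as FGT_API_TOKEN on the control node (keeping the secret out of the playbook), and 192.0.2.10 is a placeholder address.

```yaml
---
# Added example: pre-flight check of FortiGate reachability and API credentials
# with the stock uri module, before using the fortios_* modules.
# Assumes a REST API admin user whose token is exported as FGT_API_TOKEN on the
# control node; 192.0.2.10 is a placeholder address.
- name: FortiGate REST API pre-flight check
  hosts: localhost
  gather_facts: no
  vars:
    fgt_host: "192.0.2.10"        # placeholder, replace with your FortiGate
    fgt_api_token: "{{ lookup('env', 'FGT_API_TOKEN') }}"
    fgt_validate_certs: no        # self-signed cert; set yes once a trusted cert is installed
  tasks:
    - name: Fail early if no token was provided
      assert:
        that: fgt_api_token | length > 0
        fail_msg: "export FGT_API_TOKEN before running this play"

    # A timeout here points at routing, a firewall, or the trusthost setting
    # on the admin account rather than at the playbook itself.
    - name: Check that HTTPS on the FortiGate is reachable
      wait_for:
        host: "{{ fgt_host }}"
        port: 443
        timeout: 10

    # A 401 here means bad credentials; anything else that is not 200 fails the task.
    - name: GET system status through the monitor API
      uri:
        url: "https://{{ fgt_host }}/api/v2/monitor/system/status"
        method: GET
        headers:
          Authorization: "Bearer {{ fgt_api_token }}"
        validate_certs: "{{ fgt_validate_certs }}"
        return_content: yes
        status_code: 200
      register: fgt_status

    - name: Verify the API call itself succeeded
      assert:
        that:
          - fgt_status.json.status == "success"
        fail_msg: "API reachable but the call failed: {{ fgt_status.json }}"

    - name: Show firmware version and hostname (fortios_* modules need 6.x+ per this thread)
      debug:
        msg: "{{ fgt_status.json.version }} on {{ fgt_status.json.results.hostname }}"
```

Run it with `ansible-playbook -vvv fgt_check.yml`; the failing task tells you which of the four usual causes (credentials, trusthost, playbook directives, reachability) you are hitting.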
    rwpatterson (Expert Member), 2020/11/13 14:38:39
    I believe my firmware version is too old (because my firewall is too old). Versions less than 6 don't support this. Oh well. A few days wasted aside from the fact I did learn a bunch.

    #11
    emnoc (Expert Member), 2020/11/13 17:50:45
    IDNK about that, but here's a blog I wrote with samples using fortiosapi a while back.
     
    https://socpuppet.blogspot.com/2020/07/howto-user-ansible-with-fortios.html
     
    You should be able to write that as a test and then go deeper as you get past the 1st few hurdles. Github should have samples that you can pull in and modify to fit your env. I would not do a major change like policy add|delete but would start with low hanging fruits like add/addrgrp/admin/global settings etc.
     
    FWIW: in operational practice you don't put the password in the playbook, but for testing and to ensure it's working I do, but that's just me.
     
    Just ensure you run ANSIBLE_DEBUG and -vvv for more verbose details and work thru your issues. It always boils down to either:
     
    • 1: wrong credentials
    • 2: trusthost
    • 3: bad directives in the playbook
    • 4: or the host can NOT reach the fortigate
     
    But the samples shown in the yml files are what I used for testing and verification with fortios. This works for 6.2.x and 6.4.x versions btw.
     
    YMMV, but the above links in the blog post will get you in the right direction and heading into the right port. Also call out a simple test with "curl" if you want to test the api-user. Again, samples in the blog post.
     
    Ken Felix
     

    #12