"Error in repo" using fortios_firewall_policy module #289

Closed
greenspartan opened this issue Jan 17, 2024 · 4 comments

Comments

@greenspartan

greenspartan commented Jan 17, 2024

Hi guys,

I have recently upgraded Tower from 3.8.4 to AAP 2.4 (Ansible 2.15.5) and I now have an issue running a playbook that was working just fine on Tower 3.8.4 (Ansible 2.9).

I am using fortinet.fortios ansible galaxy collection v2.3.4.

My Fortigate is running on v7.0.12

This playbook ends with the following error:

TASK [fortios_tasks : Configure IPv4 policy on AMS firewall from vessel to internet] ***
fatal: [ams_fortigate]: FAILED! => {"changed": false, "meta": {"build": 523, "http_method": "PUT", "http_status": 405, "name": "policy", "path": "firewall", "serial": "FG100FTK20042072", "status": "error", "vdom": "root", "version": "v7.0.12"}, "msg": "Error in repo"}

Below is the associated Ansible task code:

---

- name: Configure IPv4 addresses on firewall
  fortios_firewall_address:
    vdom: "root"
    state: "present"
    firewall_address:
      name: "FX-{{ vessel_name }}-{{ vessel_internal_ip }}"
      subnet: "{{ vessel_internal_ip }} 255.255.255.255"
- name: Configure IPv4 IP pools on AMS firewall
  fortios_firewall_ippool:
    vdom: "root"
    state: "present"
    firewall_ippool:
      name: "FX-{{ vessel_name }}-PUBLIC-POOL"
      endip: "{{ ams_ip_address_reserved }}"
      startip: "{{ ams_ip_address_reserved }}"
      type: "overload"
- name: Configure virtual IP for IPv4 on firewall
  fortios_firewall_vip:
    vdom: "root"
    state: "present"
    firewall_vip:
      extintf: "WAN1.111.INTRNT"
      extip: "{{ ams_ip_address_reserved }}"
      mappedip:
       - range: "{{ vessel_internal_ip }}"
      name: "VIP-NAT-FX-{{ vessel_name }}"
- name: Configure IPv4 policy on firewall from vessel to internet
  fortios_firewall_policy:
    vdom: "root"
    state: "present"
    firewall_policy:
      action: "accept"
      name: "NAT {{ vessel_name }} to Internet"
      dstaddr:
       - name: "all"
      dstintf:
       - name: "WAN1.111.INTRNT"
      ippool: "enable"
      nat: "enable"
      policyid: "0"   # auto-assign id; this is the value that triggers the 405 (see replies below)
      poolname:
       - name: "FX-{{ vessel_name }}-PUBLIC-POOL"
      schedule: "always"
      service:
       - name: "ALL"
      srcaddr:
       - name: "FX-{{ vessel_name }}-{{ vessel_internal_ip }}"
      srcintf:
       - name: "port1"
  register: return1

What is strange is that the fortios_firewall_address, fortios_firewall_ippool and fortios_firewall_vip modules are working perfectly and are able to create the related config on the Fortigate.

The issue happens with the fortios_firewall_policy module only.

I have activated some https debug on the Fortigate and I can see the following error message:

[httpsd 830 - 1705492545     info] fweb_debug_init[417] -- New PUT request for "/api/v2/cmdb/firewall/policy" from "xx.xx.xx.xx:60330"
[httpsd 830 - 1705492545     info] fweb_debug_init[419] -- User-Agent: "Python-urllib/3.9"
[httpsd 830 - 1705492545     info] fweb_debug_init[421] -- Handler "api_cmdb_v2-handler" assigned to request
[httpsd 830 - 1705492545     info] api_access_check_for_session_key[735] -- Session key found in active admin sessions (CID: 597).
[httpsd 830 - 1705492545     info] api_access_check_for_session_key[746] -- Login status OK.
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'vdom' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'access_token' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'action' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'dstaddr' (type=array)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'dstintf' (type=array)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'ippool' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'name' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'nat' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'policyid' (type=int)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'poolname' (type=array)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'schedule' (type=string)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'service' (type=array)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'srcaddr' (type=array)
[httpsd 830 - 1705492545     info] api_store_parameter[320] -- add API parameter 'srcintf' (type=array)
[httpsd 830 - 1705492545     info] api_cmdb_request_init_by_path[1651] -- new CMDB query (path='firewall',name='policy')
[httpsd 830 - 1705492545     info] handle_cli_req_v2[3006] -- no method found for requested action: (null)
[httpsd 830 - 1705492545     info] handle_cli_req_v2[3124] -- returning to original vdom "root"
[httpsd 830 - 1705492545  warning] api_return_http_result[1272] -- API error 405 raised

Why do I get this error message "no method found for requested action: (null)" while the other modules work perfectly?

Thanks in advance for your help and don't hesitate if you need additional info ;)!

Best Regards,

Adrien

@alagoutte

Hi Adrien,

policyid: "0" is no longer supported with the Ansible module; you need to specify an id.

@greenspartan

greenspartan commented Jan 18, 2024

Hi Alexis,

Thanks a lot for your feedback! I confirm I don't have any error when using a real policyid (I mean one different from 0).

Indeed, in the notes section of the latest documentation it's advised to no longer use policyid: "0".

But as it was not clearly stated that it was no longer supported, I didn't think my issue came from this.

By the way, do you know where we can find the Q&A mentioned in the notes section?


I would like to know how I can automatically use the latest available policy ID without fear of overlapping/shadowing existing policies. Does it mean the only option is to parse all policies and then find the first available ID by sorting that list?

Thanks and have a great day!

Best Regards,

Adrien

@alagoutte

Hi Adrien,

The solution will be to get/set a fact with the highest policyid currently configured.

@greenspartan

Hi Alexis,

Thanks for your feedback. Indeed, I made additional tasks to fetch all policies and then find the first available ID.

Here it is, in case it helps someone:

- name: Retrieve policies
  fortinet.fortios.fortios_configuration_fact:
    vdom: "root"
    selector: firewall_policy
  register: r

- name: Set fw policy config list
  set_fact:
    # policyid of every policy currently configured in the vdom
    fw_policy_config_list: "{{ r.meta.results | map(attribute='policyid') | list }}"

- name: Find first available policyID
  set_fact:
    # range_limit is cast to int in case it arrives as a string (e.g. from extra-vars)
    first_available_id: "{{ (range(1, range_limit | int + 1) | difference(fw_policy_config_list) | first) }}"

where range_limit is a playbook variable.

So all is good for me now; I will close the issue ;).

Thanks again for the help!

Adrien
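The first-free-id lookup from the tasks above and the maintainer's highest-id alternative, as an added Python example (not code from the issue or from the fortinet.fortios collection); SAMPLE_RESULTS is a constructed stand-in for r.meta.results and the function names are assumptions:

```python
# Constructed stand-in for r.meta.results from fortios_configuration_fact
# (selector firewall_policy); only policyid matters here, names are made up.
SAMPLE_RESULTS = [
    {"policyid": 1, "name": "mgmt-access"},
    {"policyid": 2, "name": "NAT VESSEL-A to Internet"},
    {"policyid": 4, "name": "NAT VESSEL-C to Internet"},
    {"policyid": "7", "name": "deny-all-log"},  # ids may arrive as strings
]


def existing_policy_ids(results):
    """Collect policyid values as a set of ints, skipping malformed entries."""
    ids = set()
    for item in results:
        try:
            pid = int(item.get("policyid"))
        except (TypeError, ValueError):
            continue
        if pid > 0:
            ids.add(pid)
    return ids


def first_free_policy_id(results, range_limit):
    """Lowest unused id in 1..range_limit, like the Jinja 'difference | first' task.
    Raises when the range is exhausted instead of silently handing back nothing."""
    used = existing_policy_ids(results)
    for candidate in range(1, int(range_limit) + 1):
        if candidate not in used:
            return candidate
    raise RuntimeError(f"no free policyid in 1..{range_limit}")


def next_policy_id(results):
    """Highest configured id + 1 (the maintainer's suggestion): never reuses a
    freed number, so an id cannot be confused with a deleted policy later on."""
    return max(existing_policy_ids(results), default=0) + 1


def check_policy_id(policy_id, results):
    """Return None if policy_id is safe to send to fortios_firewall_policy,
    else the reason it is not (policyid 0 is rejected by current versions)."""
    try:
        pid = int(policy_id)
    except (TypeError, ValueError):
        return f"policyid {policy_id!r} is not an integer"
    if pid <= 0:
        return "policyid 0 (auto-assign) is no longer accepted; choose an explicit id"
    if pid in existing_policy_ids(results):
        return f"policyid {pid} already exists; refusing to overwrite it"
    return None
```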
