Wednesday, July 15, 2020

Ansible for FortiGate device setups

Here's a simple play that sets our org-wide settings for all new FortiGates.



(virt1) [opc@ansible-cloud ~]$ cat fgtsetup.yml
---
- hosts: fgt
  collections:
  - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # "no" disables verification of the FortiGate's management certificate
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    ansible_python_interpreter: virt1/bin/python

  tasks:
  # Serial console paging and speed
  - name: Setup_Console
    fortios_system_console:
      vdom: "{{ vdom }}"
      system_console:
        output: "more"
        baudrate: 19200

  # Hostname, admin login limits, SSH/SCP management settings
  - name: Setup_Global
    fortios_system_global:
      vdom: "{{ vdom }}"
      system_global:
        hostname: "BROOKLYNCNTAL"
        admin_login_max: "6"
        login_timestamp: "enable"
        cfg_save: "automatic"
        timezone: "08"
        admin_ssh_port: "2022"
        admin_scp: "enable"
        gui_certificates: "enable"

  # Time sync from FortiGuard out of the wan2 interface
  - name: Setup_NTP
    fortios_system_ntp:
      vdom: "{{ vdom }}"
      system_ntp:
        interface:
          - interface_name: wan2
        syncinterval: "15"
        type: "fortiguard"
        ntpsync: "enable"

  # Alert e-mail destination for the SOC
  - name: Setup_AlertEmail
    fortios_alertemail_setting:
      vdom: "{{ vdom }}"
      alertemail_setting:
        mailto1: "soc@socpuppets.com"
        username: "noc@socpuppets.com"

In our inventory file we define each FortiGate's address along with the connection variables the play needs:


[fgt]
192.0.2.1 ansible_user=ansible ansible_password=test1234
192.0.2.2 ansible_user=ansible ansible_password=setup
192.0.2.3 ansible_user=ansible ansible_password=password123
192.0.2.4 ansible_user=ansible ansible_password=password0987654321

[fgt:vars]
ansible_network_os=fortinet.fortios.fortios
# ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm
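As an added check that is not part of the original post, here is a small Python linter for the two things a reviewer would look at in the play and inventory above before running them: credentials kept in clear text in the INI inventory (host lines, [group:vars], or even commented out) rather than in an ansible-vault encrypted variable, and ansible_httpapi_validate_certs set to no, which disables TLS verification of the FortiGate's management certificate. The inventory and playbook text embedded in the script are constructed samples that mirror the post's layout; the addresses and password strings are placeholders.

```python
"""
Pre-run lint for an Ansible INI inventory and a FortiOS playbook.

Added example, not code from the original post.  It flags:
  * secrets stored in clear text in the inventory (including commented-out
    lines, which still leave the secret on disk), and
  * ansible_httpapi_validate_certs set to no/false/off, plus literal
    admin passwords in tasks.
The inventory and playbook below are constructed samples with placeholders.
"""
import re
from dataclasses import dataclass

# Inventory variables whose values are secrets.
SECRET_VARS = ("ansible_password", "ansible_httpapi_password",
               "ansible_become_password", "ansible_ssh_pass")

SECTION_RE = re.compile(r"^\[[^\]]+\]\s*$")                  # [fgt], [fgt:vars]
KV_RE = re.compile(r"(?P<key>[A-Za-z_]\w*)=(?P<value>\S+)")  # key=value pairs
VALIDATE_CERTS_RE = re.compile(
    r"^\s*ansible_httpapi_validate_certs:\s*(no|false|off)\s*$", re.IGNORECASE)
PASSWORD_RE = re.compile(r"^\s*password:\s*(?P<value>.+?)\s*$")


@dataclass(frozen=True)
class Finding:
    kind: str    # what was found
    where: str   # file:line of the offending line
    detail: str  # variable name or the line itself


def lint_inventory(text):
    """Return findings for secrets stored in an INI-style inventory."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        commented = line[0] in "#;"
        body = line.lstrip("#; ") if commented else line
        for m in KV_RE.finditer(body):
            if m.group("key") in SECRET_VARS:
                kind = "commented_secret" if commented else "plaintext_secret"
                findings.append(Finding(kind, f"inventory:{lineno}", m.group("key")))
    return findings


def lint_playbook(text):
    """Return findings for disabled TLS verification and literal passwords."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        if VALIDATE_CERTS_RE.match(raw):
            findings.append(Finding("tls_verification_disabled",
                                    f"playbook:{lineno}", raw.strip()))
            continue
        m = PASSWORD_RE.match(raw)
        if m:
            value = m.group("value").strip("\"'")
            # A Jinja reference to a vaulted variable, or an inline !vault
            # value, keeps the secret out of the playbook text.
            if "{{" in value or value.startswith("!vault"):
                continue
            findings.append(Finding("plaintext_admin_password",
                                    f"playbook:{lineno}", "literal password in task"))
    return findings


# Constructed sample inventory (same layout as the post's, placeholder values).
SAMPLE_INVENTORY = """\
[fgt]
192.0.2.1 ansible_user=ansible ansible_password=PLACEHOLDER-PW-1
192.0.2.2 ansible_user=ansible ansible_password=PLACEHOLDER-PW-2

[fgt:vars]
ansible_network_os=fortinet.fortios.fortios
# ansible_httpapi_password=PLACEHOLDER-API-PW
"""

# Constructed sample playbook: one literal password, one vaulted reference.
SAMPLE_PLAYBOOK = """\
- hosts: fgt
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
  tasks:
  - name: Configure primary admin
    fortios_system_admin:
      system_admin:
        name: "socadmin2"
        password: "PLACEHOLDER-ADMIN-PW"
  - name: Configure auditor (password from a vaulted variable, not flagged)
    fortios_system_admin:
      system_admin:
        name: "auditor"
        password: "{{ vault_auditor_password }}"
"""


if __name__ == "__main__":
    for f in lint_inventory(SAMPLE_INVENTORY) + lint_playbook(SAMPLE_PLAYBOOK):
        print(f"{f.where}: {f.kind} ({f.detail})")
```

Run as a script it prints one line per finding; the two helper functions take the file text so they can be pointed at a real inventory and playbook instead of the embedded samples. The usual fix for a plaintext_secret finding is to move the variable into group_vars as an ansible-vault encrypted value and run the play with --ask-vault-pass or a vault password file.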


To apply our setup we just run the playbook against the inventory and let the play execute the tasks.

Example:



And lastly, we install our standard admin accounts:

(virt1) [opc@ansible-cloud ~]$ cat fgtaddadmin.yml
---
- hosts: fgt
  collections:
  - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    ansible_python_interpreter: virt1/bin/python

  tasks:
  # Full-rights admin for the SOC
  - name: Configure primary admin
    fortios_system_admin:
      vdom: "{{ vdom }}"
      state: "present"
      system_admin:
        accprofile: "super_admin"
        vdom:
          - name: "root"
        comments: "socpuppet admin account do not delete"
        name: "socadmin2"
        password: "testing1234"

  # Read-only account for PCI audits
  - name: Configure auditor admin
    fortios_system_admin:
      vdom: "{{ vdom }}"
      state: "present"
      system_admin:
        accprofile: "auditor"
        vdom:
          - name: "root"
        comments: "socpuppet PCI account do not delete"
        name: "auditor"
        password: "pciblahbl"


If you lose the admin account password but still have the "ansible" user account, you can always re-add the account by re-running this play. This makes for a great password recovery option.
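One thing the admin play above does not do, since its tasks use state: present, is remove accounts that are not in the roster or notice when an existing account carries a stronger profile than intended. As an added example that is not code from the original post, here is a small drift check that compares the roster the play enforces (socadmin2 as super_admin, auditor as auditor) with the accounts a device currently has. CURRENT_ADMINS is a constructed sample; how the real account list is pulled from a FortiGate is not assumed here, and the "ansible" automation user's profile is not stated in the post, so it is allowed but not checked.

```python
"""
Admin-account drift check for the roster that fgtaddadmin.yml enforces.

Added example, not code from the original post.  Reports roster accounts
that are missing, roster accounts whose profile differs from the intended
one, and device accounts that are neither in the roster nor allowed.
CURRENT_ADMINS is a constructed sample of what a device might report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdminSpec:
    name: str
    accprofile: str


# Roster from the post's play: a super_admin and a read-only auditor.
STANDARD_ADMINS = (
    AdminSpec("socadmin2", "super_admin"),
    AdminSpec("auditor", "auditor"),
)

# Accounts allowed to exist outside the roster: the automation user from
# the inventory.  Its profile is not given in the post, so it is not checked.
ALLOWED_EXTRA = frozenset({"ansible"})

# Constructed sample of what a device reports: account name -> accprofile.
CURRENT_ADMINS = {
    "admin": "super_admin",      # factory default account, not in the roster
    "ansible": "super_admin",
    "socadmin2": "super_admin",
    "auditor": "super_admin",    # wrong profile: the roster says auditor
    "tempuser": "prof_admin",    # not in the roster
}


def check_admin_drift(standard, current, allowed_extra=frozenset()):
    """Compare the roster with the device's accounts.

    Returns a dict with sorted name lists under "missing", "wrong_profile"
    and "unexpected".
    """
    expected = {a.name: a.accprofile for a in standard}
    missing = sorted(n for n in expected if n not in current)
    wrong_profile = sorted(n for n in expected
                           if n in current and current[n] != expected[n])
    unexpected = sorted(n for n in current
                        if n not in expected and n not in allowed_extra)
    return {"missing": missing, "wrong_profile": wrong_profile,
            "unexpected": unexpected}


if __name__ == "__main__":
    report = check_admin_drift(STANDARD_ADMINS, CURRENT_ADMINS, ALLOWED_EXTRA)
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

A "missing" entry is what the play fixes on its next run; "wrong_profile" and "unexpected" entries need a deliberate decision, since the play will never downgrade a profile or delete an account on its own.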




Ken Felix 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

