Sunday, August 2, 2020

Ansible setup example FortiOS

Here's a simple Ansible setup playbook example.


First, /etc/hosts has our addresses defined; these are the addresses of the units we will configure, and the DNS name will become the system hostname:

1.1.1.2 brooklyn
1.1.1.22 manhattan
1.1.1.32 bronx
1.1.1.9  queens
1.1.1.1 statenisland


Now we craft an inventory file that our playbook will call on:


[fgt]
manhattan ansible_user=ansible ansible_password=test1234
queens ansible_user=ansible ansible_password=test1234
statenisland ansible_user=ansible ansible_password=test1234
bronx ansible_user=ansible ansible_password=test1234
brooklyn ansible_user=ansible ansible_password=test1234

#ansible_user=ansible ansible_password=test1234 ansible_port=2022
#access_token=hnhjh05tyx5h3r15d64Gm6Nh15tjpm
#ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm

[fgt:vars]
ansible_network_os=fortinet.fortios.fortios
# ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm


The playbook:

---
- hosts: fgt
  collections:
    - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no      # skips TLS certificate verification (self-signed FortiGate cert)
    ansible_httpapi_port: 443
    ansible_python_interpreter: virt1/bin/python   # python3 virtualenv on the configurator host

  tasks:
    - name: Setup_Console
      fortios_system_console:
        vdom: "{{ vdom }}"
        system_console:
          output: "more"
          baudrate: 19200

    - name: Setup_Global
      fortios_system_global:
        vdom: "{{ vdom }}"
        system_global:
          # the inventory name (resolved through /etc/hosts) becomes the device hostname
          hostname: "{{ ansible_host | default(inventory_hostname) }}"
          admin_login_max: "6"
          login_timestamp: "enable"
          cfg_save: "automatic"
          timezone: "08"
          admin_ssh_port: "2022"
          admin_scp: "enable"
          gui_certificates: "enable"

    - name: Setup_NTP
      fortios_system_ntp:
        vdom: "{{ vdom }}"
        system_ntp:
          interface:
            - interface_name: wan2
          syncinterval: "15"
          type: "fortiguard"
          ntpsync: "enable"

    - name: Setup_AlertEmail
      fortios_alertemail_setting:
        vdom: "{{ vdom }}"
        alertemail_setting:
          mailto1: "soc@socpuppets.com"
          username: "noc@socpuppets.com"

    # each alias needs a distinct name; a repeated name overwrites the earlier alias
    - name: Alias_Status
      fortios_system_alias:
        vdom: "{{ vdom }}"
        state: "present"
        system_alias:
          name: "status"
          command: "get system status"

    - name: Alias_Route
      fortios_system_alias:
        vdom: "{{ vdom }}"
        state: "present"
        system_alias:
          name: "route"
          command: "get router info routing-table all"

    - name: Alias_FWP
      fortios_system_alias:
        vdom: "{{ vdom }}"
        state: "present"
        system_alias:
          name: "fwp"
          command: "show firewall policy"

    - name: Alias_IKE
      fortios_system_alias:
        vdom: "{{ vdom }}"
        state: "present"
        system_alias:
          name: "ike"
          command: "diag vpn ike gateway list"

    - name: Alias_IPSEC
      fortios_system_alias:
        vdom: "{{ vdom }}"
        state: "present"
        system_alias:
          name: "ipsec"
          command: "diag vpn tunnel list"

    - name: Syslog_Remote
      fortios_log_syslogd_setting:
        vdom: "{{ vdom }}"
        log_syslogd_setting:
          facility: "local0"
          format: "cef"
          mode: "udp"
          port: "514"
          server: "192.168.1.199"
          status: "enable"

    - name: Wildcard_FQDN1
      fortios_firewall_wildcard_fqdn_custom:
        vdom: "{{ vdom }}"
        state: "present"
        firewall_wildcard_fqdn_custom:
          name: "example.net"
          wildcard_fqdn: "*.example.net"

    - name: Wildcard_FQDN2
      fortios_firewall_wildcard_fqdn_custom:
        vdom: "{{ vdom }}"
        state: "present"
        firewall_wildcard_fqdn_custom:
          name: "example.org"
          wildcard_fqdn: "*.example.org"

    - name: Wildcard_FQDN3
      fortios_firewall_wildcard_fqdn_custom:
        vdom: "{{ vdom }}"
        state: "present"
        firewall_wildcard_fqdn_custom:
          name: "example.com"
          wildcard_fqdn: "*.example.com"

    - name: Setup_SNMP
      fortios_system_snmp_community:
        vdom: "{{ vdom }}"
        state: "present"
        system_snmp_community:
          name: snmp1communityRW
          id: "1"

    - name: Setup_SNMP_SYSINFO
      fortios_system_snmp_sysinfo:
        vdom: "{{ vdom }}"
        system_snmp_sysinfo:
          contact_info: "soc@socpuppets.com"
          location: "{{ ansible_host | default(inventory_hostname) }}"
          status: "enable"




NOTE: Fortinet dev and the community put this warning in all of the documents: start using httpapi (the connection type used in the play above).

Remember that you need to upgrade your Python: our cloud Ansible configurator sits in OCN and runs python3 in a virtualenv.





So in this setup a tech takes the model FortiGate, configures the WAN interface and sets the ansible user credentials on the unit. They then call the provisioning team to have the new name and address entered into /etc/hosts and the ansible inventory file. Afterwards we can run the play and set up the FortiGate with our basic details.
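A pre-flight check for that provisioning hand-off, written as an added example (not the author's own tooling): it parses an /etc/hosts file and an INI inventory, then reports inventory hosts with no address entry, two hosts that resolve to one address, and any ansible_password stored in clear text. The sample inputs are constructed, and the INI parser is deliberately minimal (host lines and [group] headers only).

```python
# Constructed inputs modelled on the post (not the author's files); "bronx" is left out of HOSTS_FILE.
HOSTS_FILE = """\
1.1.1.2 brooklyn
1.1.1.22 manhattan
1.1.1.9  queens
"""
INVENTORY_FILE = """\
[fgt]
manhattan ansible_user=ansible ansible_password=test1234
queens ansible_user=ansible ansible_password=test1234
bronx ansible_user=ansible ansible_password=test1234
brooklyn ansible_user=ansible ansible_password=test1234
[fgt:vars]
ansible_network_os=fortinet.fortios.fortios
"""

def parse_hosts(text):
    """Map every name or alias in /etc/hosts text to its address."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments, tolerate blank lines
        for name in fields[1:]:
            mapping[name] = fields[0]
    return mapping
def parse_inventory_group(text, group):
    """Return {host: {var: value}} for the hosts listed under [group] (not [group:vars])."""
    hosts, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif line and section == group:
            name, *pairs = line.split()
            hosts[name] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return hosts
def preflight(hosts_text, inventory_text, group="fgt"):
    """List problems that would break the play or leave credentials in clear text."""
    etc_hosts = parse_hosts(hosts_text)
    problems, seen = [], {}
    for host, hv in parse_inventory_group(inventory_text, group).items():
        addr = etc_hosts.get(hv.get("ansible_host", host))   # what Ansible will connect to
        if addr is None:
            problems.append(f"{host}: no /etc/hosts entry")
        elif addr in seen:
            problems.append(f"{host}: shares address {addr} with {seen[addr]}")
        else:
            seen[addr] = host
        if "ansible_password" in hv:                # INI inventories cannot hold vaulted values
            problems.append(f"{host}: ansible_password in clear text; move it to vaulted group_vars")
    return problems
```

Run it against the real files before the play; an empty list means every [fgt] host resolves and no password sits in the inventory.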


YMMV, but the API interface and Ansible can speed up tasks and reduce the total labor effort. It also helps you standardize configuration values across devices.



Ken Felix 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \