Here's a simple ansible setup playbook example
1st /etc/hosts has our address defined these will be the address that we will configured the. dns name will be the system hostname
1.1.1.2 brooklyn
1.1.1.22 manhattan
1.1.1.32 bronx
1.1.1.9 queens
1.1.1.1 statenisland
Now we craft a inventory file that our playbook will call on;
[fgt]
manhattan ansible_user=ansible ansible_password=test1234
queens ansible_user=ansible ansible_password=test1234
statenisland ansible_user=ansible ansible_password=test1234
bronx ansible_user=ansible ansible_password=test1234
brooklyn ansible_user=ansible ansible_password=test1234
#ansible_user=ansible ansible_password=test1234 ansible_port=2022
#access_token=hnhjh05tyx5h3r15d64Gm6Nh15tjpm
#ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm
[fgt:vars]
ansible_network_os=fortinet.fortios.fortios
# ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm
The Playbook
---
- hosts: fgt
collections:
- fortinet.fortios
gather_facts: false
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
ansible_python_interpreter: virt1/bin/python
tasks:
- name: Setup_Console
fortios_system_console:
vdom: "{{ vdom }}"
system_console:
output: "more"
baudrate: 19200
- name: Setup_Global
fortios_system_global:
vdom: "{{ vdom }}"
system_global:
hostname: "{{ ansible_host }}"
admin_login_max: "6"
login_timestamp: "enable"
cfg_save: "automatic"
timezone: "08"
admin_ssh_port: "2022"
admin_scp: "enable"
gui_certificates: "enable"
- name: Setup_NTP
fortios_system_ntp:
vdom: "{{ vdom }}"
system_ntp:
interface:
- interface_name: wan2
syncinterval: "15"
type: "fortiguard"
ntpsync: "enable"
- name: Setup_AlertEmail
fortios_alertemail_setting:
vdom: "{{ vdom }}"
alertemail_setting:
mailto1: "soc@socpuppets.com"
username: "noc@socpuppets.com"
- name: Alias_Status
fortios_system_alias:
vdom: "{{ vdom }}"
state: "present"
system_alias:
name: "status"
command: "get system status"
- name: Alias_Route
fortios_system_alias:
vdom: "{{ vdom }}"
state: "present"
system_alias:
name: "status"
command: "get router info routing-table all"
- name: Alias_Route
fortios_system_alias:
vdom: "{{ vdom }}"
state: "present"
system_alias:
name: "fwp"
command: "show firewall policy"
- name: Alias_IKE
fortios_system_alias:
vdom: "{{ vdom }}"
state: "present"
system_alias:
name: "ike"
command: "diag vpn ike gateway list"
- name: Alias_IPSEC
fortios_system_alias:
vdom: "{{ vdom }}"
state: "present"
system_alias:
name: "ipsec"
command: "diag vpn tunnel list"
- name: Syslog_Remote
fortios_log_syslogd_setting:
vdom: "{{ vdom }}"
log_syslogd_setting:
facility: "local0"
format: "cef"
mode: "udp"
port: "514"
server: "192.168.1.199"
status: "enable"
- name: Wldcard FQDN1
fortios_firewall_wildcard_fqdn_custom:
vdom: "{{ vdom }}"
state: "present"
firewall_wildcard_fqdn_custom:
name: "example.net"
wildcard_fqdn: "*.example.net"
- name: Wldcard FQDN2
fortios_firewall_wildcard_fqdn_custom:
vdom: "{{ vdom }}"
state: "present"
firewall_wildcard_fqdn_custom:
name: "example.org"
wildcard_fqdn: "*.example.org"
- name: Wldcard FQDN3
fortios_firewall_wildcard_fqdn_custom:
vdom: "{{ vdom }}"
state: "present"
firewall_wildcard_fqdn_custom:
name: "example.com"
wildcard_fqdn: "*.example.com"
- name: Setup_SNMP
fortios_system_snmp_community:
vdom: "{{ vdom }}"
state: "present"
system_snmp_community:
name: snmp1communityRW
id: "1"
- name: Setup_SNMP_SYSINFO
fortios_system_snmp_sysinfo:
vdom: "{{ vdom }}"
system_snmp_sysinfo:
contact_info: "soc@socpuppets.com"
location: "{{ ansible_host }}"
status: "enable"
NOTE: fortinet dev and the community has these warnings in all documents to start using httpapi
Remember you need to upgrade your python, our cloud ansible configurator sits in OCN and runs python3 in a virtenv
So in this setup a tech will take the model fortigate, configured the WAN interface and set the ansible user credentials into the unit. They will call into the provisioning team to have the new name and address set into /etc/host and the ansible inventory file. Afterwards we can run the play and setup the fortigate with our basic details.
YMMV but the API interface and ansible can speed up tasks, and reduce the total amount of labor effort. It also can help you to standardize configuration values across devices.
Ken Felix
