"Error in repo" using fortios_firewall_policy module
greenspartan opened this issue
Hi guys,
I have recently upgraded Tower from 3.8.4 to AAP 2.4 (Ansible 2.15.5) and I now have an issue running a playbook that was working just fine on Tower 3.8.4 (Ansible 2.9).
I am using the fortinet.fortios Ansible Galaxy collection v2.3.4.
My Fortigate is running v7.0.12.
This playbook ends with the following error:
```text
TASK [fortios_tasks : Configure IPv4 policy on AMS firewall from vessel to internet] ***
fatal: [ams_fortigate]: FAILED! => {"changed": false, "meta": {"build": 523, "http_method": "PUT", "http_status": 405, "name": "policy", "path": "firewall", "serial": "FG100FTK20042072", "status": "error", "vdom": "root", "version": "v7.0.12"}, "msg": "Error in repo"}
```
Here is the associated Ansible task code:
```yaml
---
- name: Configure IPv4 addresses on firewall
  fortios_firewall_address:
    vdom: "root"
    state: "present"
    firewall_address:
      name: "FX-{{ vessel_name }}-{{ vessel_internal_ip }}"
      subnet: "{{ vessel_internal_ip }} 255.255.255.255"
- name: Configure IPv4 IP pools on AMS firewall
  fortios_firewall_ippool:
    vdom: "root"
    state: "present"
    firewall_ippool:
      name: "FX-{{ vessel_name }}-PUBLIC-POOL"
      endip: "{{ ams_ip_address_reserved }}"
      startip: "{{ ams_ip_address_reserved }}"
      type: "overload"
- name: Configure virtual IP for IPv4 on firewall
  fortios_firewall_vip:
    vdom: "root"
    state: "present"
    firewall_vip:
      extintf: "WAN1.111.INTRNT"
      extip: "{{ ams_ip_address_reserved }}"
      mappedip:
        - range: "{{ vessel_internal_ip }}"
      name: "VIP-NAT-FX-{{ vessel_name }}"
- name: Configure IPv4 policy on firewall from vessel to internet
  fortios_firewall_policy:
    vdom: "root"
    state: "present"
    firewall_policy:
      action: "accept"
      name: "NAT {{ vessel_name }} to Internet"
      dstaddr:
        - name: "all"
      dstintf:
        - name: "WAN1.111.INTRNT"
      ippool: "enable"
      nat: "enable"
      policyid: "0"
      poolname:
        - name: "FX-{{ vessel_name }}-PUBLIC-POOL"
      schedule: "always"
      service:
        - name: "ALL"
      srcaddr:
        - name: "FX-{{ vessel_name }}-{{ vessel_internal_ip }}"
      srcintf:
        - name: "port1"
  register: return1
```
What is strange is that the fortios_firewall_address, fortios_firewall_ippool and fortios_firewall_vip modules work perfectly and are able to create the related config on the Fortigate.
The issue happens for the fortios_firewall_policy module only.
I have activated some HTTPS debug on the Fortigate and I can see the following error message:
```text
[httpsd 830 - 1705492545 info] fweb_debug_init[417] -- New PUT request for "/api/v2/cmdb/firewall/policy" from "xx.xx.xx.xx:60330"
[httpsd 830 - 1705492545 info] fweb_debug_init[419] -- User-Agent: "Python-urllib/3.9"
[httpsd 830 - 1705492545 info] fweb_debug_init[421] -- Handler "api_cmdb_v2-handler" assigned to request
[httpsd 830 - 1705492545 info] api_access_check_for_session_key[735] -- Session key found in active admin sessions (CID: 597).
[httpsd 830 - 1705492545 info] api_access_check_for_session_key[746] -- Login status OK.
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'vdom' (type=string)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'access_token' (type=string)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'action' (type=string)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'dstaddr' (type=array)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'dstintf' (type=array)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'ippool' (type=string)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'name' (type=string)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'nat' (type=string)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'policyid' (type=int)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'poolname' (type=array)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'schedule' (type=string)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'service' (type=array)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'srcaddr' (type=array)
[httpsd 830 - 1705492545 info] api_store_parameter[320] -- add API parameter 'srcintf' (type=array)
[httpsd 830 - 1705492545 info] api_cmdb_request_init_by_path[1651] -- new CMDB query (path='firewall',name='policy')
[httpsd 830 - 1705492545 info] handle_cli_req_v2[3006] -- no method found for requested action: (null)
[httpsd 830 - 1705492545 info] handle_cli_req_v2[3124] -- returning to original vdom "root"
[httpsd 830 - 1705492545 warning] api_return_http_result[1272] -- API error 405 raised
```
Why do I get the error message "no method found for requested action: (null)" while the other modules work perfectly?
Thanks in advance for your help, and don't hesitate to ask if you need additional info ;) !
Best Regards,
Adrien
Hi Adrien,
policyid: "0" is no longer supported by the Ansible module; you need to specify an ID.
Hi Alexis,
Thanks a lot for your feedback! I confirm I don't get any error when using a real policyid (I mean one different from 0).
Indeed, in the notes section of the latest documentation it is advised not to use policyid: "0" anymore.
But as it was not clearly stated that it was no longer supported, I didn't think my issue was coming from this.
By the way, do you know where we can find the Q&A mentioned in the notes section?
I would like to know how I can automatically use the latest available policy ID without fear of overlapping/shadowing existing policies. Does it mean the only option is to parse all policies and then find the first available ID by sorting that list?
Thanks and have a great day !
Best Regards,
Adrien
Hi Adrien,
The solution will be to get/set a fact with the highest policyid currently configured.
Hi Alexis,
Thanks for your feedback. Indeed, I added extra tasks to fetch all policies and then find the first available ID.
Here it is, in case it can help someone:
```yaml
- name: Retrieve policies
  fortinet.fortios.fortios_configuration_fact:
    vdom: "root"
    selector: firewall_policy
  register: r
- name: Set fw policy config list
  set_fact:
    fw_policy_config_list: "{{ r.meta.results | map(attribute='policyid') | list }}"
- name: Find first available policyID
  set_fact:
    first_available_id: "{{ (range(1, range_limit + 1) | difference(fw_policy_config_list) | first) }}"
```
where range_limit is a playbook variable.
So all is good for me now, I will close the issue ;).
Thanks again for the help !
Adrien
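As an added example, not part of this thread or of the fortinet.fortios collection, here is the same first-free-ID selection in plain Python, extended to reuse the ID of a policy that already carries the same name, so that re-running the play updates that policy instead of creating a second one under a fresh ID (the API addresses policies by policyid). The policy list is constructed and assumed to have the shape of `r.meta.results`; `range_limit` plays the role of the playbook variable.

```python
# Constructed sample in the shape of r.meta.results from
# fortios_configuration_fact with selector firewall_policy; only the
# keys used here are included.
SAMPLE_POLICIES = [
    {"policyid": 1, "name": "Internal to Internet"},
    {"policyid": 2, "name": "NAT VESSEL-A to Internet"},
    {"policyid": 4, "name": "Management access"},
]


def used_policy_ids(policies):
    """Set of policy IDs already configured (the map(attribute='policyid') step)."""
    return {int(p["policyid"]) for p in policies}


def first_available_id(policies, range_limit):
    """First unused ID in 1..range_limit, mirroring
    range(1, range_limit + 1) | difference(...) | first, and reporting
    an exhausted range explicitly instead of returning nothing."""
    used = used_policy_ids(policies)
    for candidate in range(1, range_limit + 1):
        if candidate not in used:
            return candidate
    raise ValueError(f"no free policy ID in 1..{range_limit}")


def policy_id_for(policies, name, range_limit):
    """ID to pass as policyid for the policy called `name`.

    Returns (policyid, is_new). If a policy with this name already exists,
    its ID is reused so the module updates it in place; otherwise the
    first free ID is allocated, which keeps the new rule from landing on
    an ID that an existing policy already occupies.
    """
    for p in policies:
        if p.get("name") == name:
            return int(p["policyid"]), False
    return first_available_id(policies, range_limit), True


if __name__ == "__main__":
    print(policy_id_for(SAMPLE_POLICIES, "NAT VESSEL-A to Internet", 100))
    print(policy_id_for(SAMPLE_POLICIES, "NAT VESSEL-B to Internet", 100))
```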