fortinet-ansible-dev / ansible-galaxy-fortios-collection

Need help with fortios_ips_sensor

chr00ted opened this issue · comments

Hello all, our team has been setting up firewalls by using backups from other firewalls and restoring them to new firewalls. I'd really prefer to script it instead. We have some server-side and client-side custom IPS sensors we use, and I'm having issues getting the script to apply correctly. For example, in an existing firewall config we have the following IPS sensor filter:

config ips sensor
    edit "Custom - Server"
        set comment "Protect against HTTP server-side vulnerabilities."
        set block-malicious-url enable
        set scan-botnet-connections block
        config entries
            edit 1
                set location server
                set protocol Other UDP HTTP HTTPS
                set os Windows
                set application Other
            next
        end
    next
end

I've tried the following to script it, but it's not coming over correctly:

- name: Configure IPS custom sensor
  fortinet.fortios.fortios_ips_sensor:
    vdom: "root"
    state: "present"
    ips_sensor:
      block_malicious_url: "enable"
      scan_botnet_connections: "block"
      comment: "Protect against HTTP server-side vulnerabilities."
      name: "Custom - Server"
      filter:
        -
          location: "server"
          protocol: "HTTP HTTPS"
          os: "Windows"
          application: "other"
          action: "default"
          name: "Custom - Server"

The play completes successfully, and when I log on to the new firewall I can see the entry with comments, but the OS and protocols are all blank.

This is what I see in the JSON output:
"mismatches": [
"option filter Supported version ranges are v6.0.0 -> v6.2.7, v6.4.1",
"option filter.location(server) Supported version ranges are v6.0.0 -> v6.2.7, v6.4.1",
"option filter.protocol(HTTP HTTPS) Supported version ranges are v6.0.0 -> v6.2.7, v6.4.1",
"option filter.os(Windows) Supported version ranges are v6.0.0 -> v6.2.7, v6.4.1",
"option filter.application(other) Supported version ranges are v6.0.0 -> v6.2.7, v6.4.1",
"option filter.action(default) Supported version ranges are v6.0.0 -> v6.2.7, v6.4.1",
"option filter.name(Custom - Server) Supported version ranges are v6.0.0 -> v6.2.7, v6.4.1"

If any of you have any suggestions as to what I may be doing wrong it would be appreciated.

Got it working with:

- name: Configure IPS custom sensor
  fortinet.fortios.fortios_ips_sensor:
    vdom: "{{ vdom }}"
    state: "present"
    ips_sensor:
      block_malicious_url: "enable"
      scan_botnet_connections: "block"
      comment: "Protect against HTTP server-side vulnerabilities."
      name: "Custom - Server"
      entries:
        -
          action: "default"
          location: "server"
          protocol: "Other UDP HTTP HTTPS"
          os: "Windows"
          application: "Other"
          id: "1"
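As an added example (not from this issue or from the fortios collection itself), a short Python converter that turns a `config ips sensor` CLI block like the one posted above into the `ips_sensor` dict the module takes: hyphenated `set` keys become underscored parameters, and `config entries` becomes the `entries` list that the working play uses instead of `filter`. The sample CLI text is constructed from the fragment in the issue.

```python
import shlex

# Constructed sample: the issue's CLI fragment, wrapped in its `config ips sensor`
# table and closed with the `next`/`end` keywords the paste omitted.
SAMPLE_CLI = """\
config ips sensor
    edit "Custom - Server"
        set comment "Protect against HTTP server-side vulnerabilities."
        set block-malicious-url enable
        set scan-botnet-connections block
        config entries
            edit 1
                set location server
                set protocol Other UDP HTTP HTTPS
                set os Windows
                set application Other
            next
        end
    next
end
"""


def cli_to_ips_sensor(cli_text):
    """Translate one `config ips sensor` block into the dict the module's
    `ips_sensor` parameter takes: hyphenated keys become underscored ones and
    each `config <table>` sub-table (here `entries`) becomes a list of rows."""
    root = []       # rows of the top-level table; one per `edit "<name>"`
    stack = []      # the containers (lists and row dicts) being filled
    for line in cli_text.splitlines():
        tokens = shlex.split(line)   # keeps the quoted comment and name whole
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":      # open a table: the root or a sub-table row list
            table = "_".join(args).replace("-", "_")
            stack.append(root if not stack else stack[-1].setdefault(table, []))
        elif keyword == "edit":      # start a row: top-level rows use `name`, sub-table rows `id`
            row = {("name" if stack[-1] is root else "id"): args[0]}
            stack[-1].append(row)
            stack.append(row)
        elif keyword == "set":       # `set block-malicious-url enable` -> block_malicious_url
            stack[-1][args[0].replace("-", "_")] = " ".join(args[1:])
        elif keyword in ("next", "end"):
            stack.pop()
    return root[0]
```

The `id` value is kept as a string, matching the working play above; feed the returned dict to the module's `ips_sensor` parameter.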