ftntcorecse / fndn_ansible

DEPRECATED - See New Ansible Galaxy Collections: https://galaxy.ansible.com/fortinet

Home Page: https://galaxy.ansible.com/fortinet

fmgr_fwpol_ipv4 dstaddr is not being updated.

kevin-dfo opened this issue · comments

Hi,

I'm testing out the ansible module fmgr_fwpol_ipv4. Using mode "set" I can create a policy with dstaddr: "test1-vip, test2-vip".

On subsequent runs I change dstaddr to add or remove a virtual IP. Ansible gives a green OK and doesn't update the policy. I've tried with mode add, update and set.

using mode: set gives status OK output > duplicate object
using mode: update gives status Skipped > Object doesn't exist.


```yaml
- name: Set Fortimanager policy
  fmgr_fwpol_ipv4:
    name: "{{ item.name }}"
    comments: "{{ item.comments }}"
    mode: "set"
    adom: "root"
    package_name: "{{ item.package }}"
    action: "accept"
    srcaddr: "{{ item.source_address }}"
    dstaddr: "{{ vip_inventory | json_query('[?contains(policy, `'+ item.name +'`)].name') | join(',') }}"
    srcintf: "{{ item.source }}"
    dstintf: "{{ item.dest }}"
    logtraffic: "utm"
    service: "ALL"
    schedule: "always"
  with_items: "{{ policy_inventory }}"
  register: add_policy_status
```

My variable file.


```yaml
---
policy_inventory:
  - { package: FG-CAC, name: Public-CAC, source: Azure Central Front, dest: Azure Central Back, source_address: all, comments: Open to the public }
  - { package: FG-CAC, name: DFO-Only-CAC, source: Azure Central Front, dest: Azure Central Back, source_address: DFO Internet Gateways, comments: Open only to DFO gateways }
  - { package: FG-CAE, name: Public-CAE, source: Azure East External, dest: Azure East Internal, source_address: all, comments: Open to the public }
  - { package: FG-CAE, name: DFO-Only-CAE, source: Azure East External, dest: Azure East Internal, source_address: DFO Internet Gateways, comments: Open only to DFO gateways }

vip_inventory:
  - { policy: [Public-CAC], name: modip-data-acquisition, ext: 52.139.1.162, map: 10.176.0.4, portforward: enable, ext_port: 10800, map_port: 10800, protocol: tcp, comments: MODIP Data Acquisition }
  - { policy: [DFO-Only-CAE], name: vip-linux-jumphost, ext: 100.96.81.5, map: 100.96.80.69, portforward: disable, ext_port: 0, map_port: 0, protocol: tcp, comments: Linux Jumphost }
```
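Before attributing the missing update to the module, it is worth checking what the `dstaddr` expression in the task actually renders to for each policy. The following is an added Python example, not code from this issue or from the fndn_ansible module: it reimplements the JMESPath filter `[?contains(policy, `NAME`)].name` plus Jinja's `join(',')` in plain Python (no jmespath dependency) over a copy of the posted inventory, and flags policies whose `dstaddr` comes out empty.

```python
# Added example: reproduce what the task's dstaddr expression renders to for
# each policy, so an empty or unchanged value is visible before blaming the
# module. Mirrors the JMESPath query  [?contains(policy, `<policy name>`)].name
# followed by Jinja's join(','). Inventory copied from the variable file above.
from typing import Dict, List

POLICY_INVENTORY: List[Dict] = [
    {"package": "FG-CAC", "name": "Public-CAC"},
    {"package": "FG-CAC", "name": "DFO-Only-CAC"},
    {"package": "FG-CAE", "name": "Public-CAE"},
    {"package": "FG-CAE", "name": "DFO-Only-CAE"},
]

VIP_INVENTORY: List[Dict] = [
    {"policy": ["Public-CAC"], "name": "modip-data-acquisition"},
    {"policy": ["DFO-Only-CAE"], "name": "vip-linux-jumphost"},
]


def render_dstaddr(policy_name: str, vips: List[Dict]) -> str:
    """Equivalent of: vips | json_query('[?contains(policy, `NAME`)].name') | join(',')."""
    names = [vip["name"] for vip in vips if policy_name in vip.get("policy", [])]
    return ",".join(names)


def dstaddr_by_policy(policies: List[Dict], vips: List[Dict]) -> Dict[str, str]:
    """Rendered dstaddr string per policy name, in policy_inventory order."""
    return {p["name"]: render_dstaddr(p["name"], vips) for p in policies}


def policies_with_empty_dstaddr(policies: List[Dict], vips: List[Dict]) -> List[str]:
    """Policies whose dstaddr renders to '' - the module is given no destination at all."""
    return [name for name, value in dstaddr_by_policy(policies, vips).items() if not value]


if __name__ == "__main__":
    for name, value in dstaddr_by_policy(POLICY_INVENTORY, VIP_INVENTORY).items():
        print(f"{name}: dstaddr={value!r}")
    print("empty dstaddr:", policies_with_empty_dstaddr(POLICY_INVENTORY, VIP_INVENTORY))
```

With the posted inventory, two of the four policies render an empty `dstaddr`, which is worth ruling out as the reason a run reports OK without changing anything.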