ansible.builtin.fortios_switch_controller_managed_switch (v2.8.20) — module

Configure FortiSwitch devices that are managed by this FortiGate in Fortinet's FortiOS and FortiGate.

Added in version 2.8 of ansible.builtin

Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install Ansible via pip

Install with pip install ansible==2.8.20

Description

This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify the switch_controller feature and managed_switch category. The examples include all parameters; the values need to be adjusted to match your data sources before use. Tested with FOS v6.0.2


Requirements

Usage examples

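---
# Example playbook: configure a managed FortiSwitch through the FortiGate
# switch controller. Every value below is a placeholder; replace the
# "<your_own_value>" entries and adjust the "(source ...)" references to
# objects that exist on the target FortiGate before running.
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    # Supply the real password from a vault or extra-vars rather than
    # committing it to the playbook.
    password: ""
    vdom: "root"
  tasks:
    - name: Configure FortiSwitch devices that are managed by this FortiGate.
      fortios_switch_controller_managed_switch:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        # https is a bool option (default true); keep it enabled so the admin
        # credentials are not sent to the FortiGate in cleartext.
        https: true
        switch_controller_managed_switch:
          state: "present"
          802-1X-settings:
            link-down-auth: "set-unauth"
            local-override: "enable"
            max-reauth-attempt: "6"
            reauth-period: "7"
          connected: "8"
          custom-command:
            - command-entry: "<your_own_value>"
              command-name: "<your_own_value> (source switch-controller.custom-command.command-name)"
          delayed-restart-trigger: "12"
          description: "<your_own_value>"
          directly-connected: "14"
          dynamic-capability: "15"
          dynamically-discovered: "16"
          fsw-wan1-admin: "discovered"
          fsw-wan1-peer: "<your_own_value>"
          fsw-wan2-admin: "discovered"
          fsw-wan2-peer: "<your_own_value>"
          igmp-snooping:
            aging-time: "22"
            flood-unknown-multicast: "enable"
            local-override: "enable"
          max-allowed-trunk-members: "25"
          mirror:
            - dst: "<your_own_value>"
              name: "default_name_28"
              src-egress:
                - name: "default_name_30"
              src-ingress:
                - name: "default_name_32"
              status: "active"
              switching-packet: "enable"
          name: "default_name_35"
          owner-vdom: "<your_own_value>"
          poe-pre-standard-detection: "enable"
          ports:
            - allowed-vlans:
                - vlan-name: "<your_own_value> (source system.interface.name)"
              allowed-vlans-all: "enable"
              arp-inspection-trust: "untrusted"
              bundle: "enable"
              description: "<your_own_value>"
              dhcp-snoop-option82-trust: "enable"
              dhcp-snooping: "untrusted"
              discard-mode: "none"
              edge-port: "enable"
              export-tags:
                - tag-name: "<your_own_value> (source switch-controller.switch-interface-tag.name)"
              export-to: "<your_own_value> (source system.vdom.name)"
              export-to-pool: "<your_own_value> (source switch-controller.virtual-port-pool.name)"
              export-to-pool_flag: "53"
              fgt-peer-device-name: "<your_own_value>"
              fgt-peer-port-name: "<your_own_value>"
              fiber-port: "56"
              flags: "57"
              fortilink-port: "58"
              igmp-snooping: "enable"
              igmps-flood-reports: "enable"
              igmps-flood-traffic: "enable"
              isl-local-trunk-name: "<your_own_value>"
              isl-peer-device-name: "<your_own_value>"
              isl-peer-port-name: "<your_own_value>"
              lacp-speed: "slow"
              learning-limit: "66"
              lldp-profile: "<your_own_value> (source switch-controller.lldp-profile.name)"
              lldp-status: "disable"
              loop-guard: "enabled"
              loop-guard-timeout: "70"
              max-bundle: "71"
              mclag: "enable"
              member-withdrawal-behavior: "forward"
              members:
                - member-name: "<your_own_value>"
              min-bundle: "76"
              mode: "static"
              poe-capable: "78"
              poe-pre-standard-detection: "enable"
              poe-status: "enable"
              port-name: "<your_own_value>"
              port-number: "82"
              port-owner: "<your_own_value>"
              port-prefix-type: "84"
              # Kept on one line: splitting a double-quoted scalar across lines
              # folds the break into a space and corrupts the source reference.
              port-security-policy: "<your_own_value> (source switch-controller.security-policy.802-1X.name switch-controller.security-policy.captive-portal.name)"
              port-selection-criteria: "src-mac"
              qos-policy: "<your_own_value> (source switch-controller.qos.qos-policy.name)"
              sample-direction: "tx"
              sflow-counter-interval: "89"
              sflow-sample-rate: "90"
              sflow-sampler: "enabled"
              speed: "10half"
              speed-mask: "93"
              stacking-port: "94"
              status: "up"
              stp-bpdu-guard: "enabled"
              stp-bpdu-guard-timeout: "97"
              stp-root-guard: "enabled"
              stp-state: "enabled"
              switch-id: "<your_own_value>"
              type: "physical"
              untagged-vlans:
                - vlan-name: "<your_own_value> (source system.interface.name)"
              virtual-port: "104"
              vlan: "<your_own_value> (source system.interface.name)"
          pre-provisioned: "106"
          staged-image-version: "<your_own_value>"
          storm-control:
            broadcast: "enable"
            local-override: "enable"
            rate: "111"
            unknown-multicast: "enable"
            unknown-unicast: "enable"
          stp-settings:
            forward-time: "115"
            hello-time: "116"
            local-override: "enable"
            max-age: "118"
            max-hops: "119"
            name: "default_name_120"
            pending-timer: "121"
            revision: "122"
            status: "enable"
          switch-device-tag: "<your_own_value>"
          switch-id: "<your_own_value>"
          switch-log:
            local-override: "enable"
            severity: "emergency"
            status: "enable"
          switch-profile: "<your_own_value> (source switch-controller.switch-profile.name)"
          switch-stp-settings:
            status: "enable"
          type: "virtual"
          version: "134"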

Inputs

    
host:
    description:
    - FortiOS or FortiGate ip address.
    required: true

vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.

https:
    default: true
    description:
    - Indicates if the requests towards FortiGate must use HTTPS protocol
    type: bool

password:
    default: ''
    description:
    - FortiOS or FortiGate password.

username:
    description:
    - FortiOS or FortiGate username.
    required: true

switch_controller_managed_switch:
    default: null
    description:
    - Configure FortiSwitch devices that are managed by this FortiGate.
    suboptions:
      802-1X-settings:
        description:
        - Configuration method to edit FortiSwitch 802.1X global settings.
        suboptions:
          link-down-auth:
            choices:
            - set-unauth
            - no-action
            description:
            - Authentication state to set if a link is down.
          local-override:
            choices:
            - enable
            - disable
            description:
            - Enable to override global 802.1X settings on individual FortiSwitches.
          max-reauth-attempt:
            description:
            - Maximum number of authentication attempts (0 - 15, default = 3).
          reauth-period:
            description:
            - Reauthentication time interval (1 - 1440 min, default = 60, 0 = disable).
      connected:
        description:
        - CAPWAP connection.
      custom-command:
        description:
        - Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch
          device upon rebooting the FortiGate switch controller or the FortiSwitch.
        suboptions:
          command-entry:
            description:
            - List of FortiSwitch commands.
            required: true
          command-name:
            description:
            - Names of commands to be pushed to this FortiSwitch device, as configured
              under config switch-controller custom-command. Source switch-controller.custom-command.command-name.
      delayed-restart-trigger:
        description:
        - Delayed restart triggered for this FortiSwitch.
      description:
        description:
        - Description.
      directly-connected:
        description:
        - Directly connected FortiSwitch.
      dynamic-capability:
        description:
        - List of features this FortiSwitch supports (not configurable) that is sent to
          the FortiGate device for subsequent configuration initiated by the FortiGate
          device.
      dynamically-discovered:
        description:
        - Dynamically discovered FortiSwitch.
      fsw-wan1-admin:
        choices:
        - discovered
        - disable
        - enable
        description:
        - FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed
          switch.
      fsw-wan1-peer:
        description:
        - Fortiswitch WAN1 peer port.
      fsw-wan2-admin:
        choices:
        - discovered
        - disable
        - enable
        description:
        - FortiSwitch WAN2 admin status; enable to authorize the FortiSwitch as a managed
          switch.
      fsw-wan2-peer:
        description:
        - FortiSwitch WAN2 peer port.
      igmp-snooping:
        description:
        - Configure FortiSwitch IGMP snooping global settings.
        suboptions:
          aging-time:
            description:
            - Maximum time to retain a multicast snooping entry for which no packets have
              been seen (15 - 3600 sec, default = 300).
          flood-unknown-multicast:
            choices:
            - enable
            - disable
            description:
            - Enable/disable unknown multicast flooding.
          local-override:
            choices:
            - enable
            - disable
            description:
            - Enable/disable overriding the global IGMP snooping configuration.
      max-allowed-trunk-members:
        description:
        - FortiSwitch maximum allowed trunk members.
      mirror:
        description:
        - Configuration method to edit FortiSwitch packet mirror.
        suboptions:
          dst:
            description:
            - Destination port.
          name:
            description:
            - Mirror name.
            required: true
          src-egress:
            description:
            - Source egress interfaces.
            suboptions:
              name:
                description:
                - Interface name.
                required: true
          src-ingress:
            description:
            - Source ingress interfaces.
            suboptions:
              name:
                description:
                - Interface name.
                required: true
          status:
            choices:
            - active
            - inactive
            description:
            - Active/inactive mirror configuration.
          switching-packet:
            choices:
            - enable
            - disable
            description:
            - Enable/disable switching functionality when mirroring.
      name:
        description:
        - Managed-switch name.
      owner-vdom:
        description:
        - VDOM to which the owner of the port belongs.
      poe-pre-standard-detection:
        choices:
        - enable
        - disable
        description:
        - Enable/disable PoE pre-standard detection.
      ports:
        description:
        - Managed-switch port list.
        suboptions:
          allowed-vlans:
            description:
            - Configure switch port tagged vlans
            suboptions:
              vlan-name:
                description:
                - VLAN name. Source system.interface.name.
                required: true
          allowed-vlans-all:
            choices:
            - enable
            - disable
            description:
            - Enable/disable all defined vlans on this port.
          arp-inspection-trust:
            choices:
            - untrusted
            - trusted
            description:
            - Trusted or untrusted dynamic ARP inspection.
          bundle:
            choices:
            - enable
            - disable
            description:
            - Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.
          description:
            description:
            - Description for port.
          dhcp-snoop-option82-trust:
            choices:
            - enable
            - disable
            description:
            - Enable/disable allowance of DHCP with option-82 on untrusted interface.
          dhcp-snooping:
            choices:
            - untrusted
            - trusted
            description:
            - Trusted or untrusted DHCP-snooping interface.
          discard-mode:
            choices:
            - none
            - all-untagged
            - all-tagged
            description:
            - Configure discard mode for port.
          edge-port:
            choices:
            - enable
            - disable
            description:
            - Enable/disable this interface as an edge port, bridging connections between
              workstations and/or computers.
          export-tags:
            description:
            - Switch controller export tag name.
            suboptions:
              tag-name:
                description:
                - Switch tag name. Source switch-controller.switch-interface-tag.name.
                required: true
          export-to:
            description:
            - Export managed-switch port to a tenant VDOM. Source system.vdom.name.
          export-to-pool:
            description:
            - Switch controller export port to pool-list. Source switch-controller.virtual-port-pool.name.
          export-to-pool_flag:
            description:
            - Switch controller export port to pool-list.
          fgt-peer-device-name:
            description:
            - FGT peer device name.
          fgt-peer-port-name:
            description:
            - FGT peer port name.
          fiber-port:
            description:
            - Fiber-port.
          flags:
            description:
            - Port properties flags.
          fortilink-port:
            description:
            - FortiLink uplink port.
          igmp-snooping:
            choices:
            - enable
            - disable
            description:
            - Set IGMP snooping mode for the physical port interface.
          igmps-flood-reports:
            choices:
            - enable
            - disable
            description:
            - Enable/disable flooding of IGMP reports to this interface when igmp-snooping
              enabled.
          igmps-flood-traffic:
            choices:
            - enable
            - disable
            description:
            - Enable/disable flooding of IGMP snooping traffic to this interface.
          isl-local-trunk-name:
            description:
            - ISL local trunk name.
          isl-peer-device-name:
            description:
            - ISL peer device name.
          isl-peer-port-name:
            description:
            - ISL peer port name.
          lacp-speed:
            choices:
            - slow
            - fast
            description:
            - Send Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow)
              or every second (fast).
          learning-limit:
            description:
            - Limit the number of dynamic MAC addresses on this Port (1 - 128, 0 = no
              limit, default).
          lldp-profile:
            description:
            - LLDP port TLV profile. Source switch-controller.lldp-profile.name.
          lldp-status:
            choices:
            - disable
            - rx-only
            - tx-only
            - tx-rx
            description:
            - LLDP transmit and receive status.
          loop-guard:
            choices:
            - enabled
            - disabled
            description:
            - Enable/disable loop-guard on this interface, an STP optimization used to
              prevent network loops.
          loop-guard-timeout:
            description:
            - Loop-guard timeout (0 - 120 min, default = 45).
          max-bundle:
            description:
            - Maximum size of LAG bundle (1 - 24, default = 24)
          mclag:
            choices:
            - enable
            - disable
            description:
            - Enable/disable multi-chassis link aggregation (MCLAG).
          member-withdrawal-behavior:
            choices:
            - forward
            - block
            description:
            - Port behavior after it withdraws because of loss of control packets.
          members:
            description:
            - Aggregated LAG bundle interfaces.
            suboptions:
              member-name:
                description:
                - Interface name from available options.
                required: true
          min-bundle:
            description:
            - Minimum size of LAG bundle (1 - 24, default = 1)
          mode:
            choices:
            - static
            - lacp-passive
            - lacp-active
            description:
            - 'LACP mode: ignore and do not send control messages, or negotiate 802.3ad
              aggregation passively or actively.'
          poe-capable:
            description:
            - PoE capable.
          poe-pre-standard-detection:
            choices:
            - enable
            - disable
            description:
            - Enable/disable PoE pre-standard detection.
          poe-status:
            choices:
            - enable
            - disable
            description:
            - Enable/disable PoE status.
          port-name:
            description:
            - Switch port name.
            required: true
          port-number:
            description:
            - Port number.
          port-owner:
            description:
            - Switch port name.
          port-prefix-type:
            description:
            - Port prefix type.
          port-security-policy:
            description:
            - Switch controller authentication policy to apply to this managed switch
              from available options. Source switch-controller.security-policy.802-1X.name
              switch-controller.security-policy.captive-portal.name.
          port-selection-criteria:
            choices:
            - src-mac
            - dst-mac
            - src-dst-mac
            - src-ip
            - dst-ip
            - src-dst-ip
            description:
            - Algorithm for aggregate port selection.
          qos-policy:
            description:
            - Switch controller QoS policy from available options. Source switch-controller.qos.qos-policy.name.
          sample-direction:
            choices:
            - tx
            - rx
            - both
            description:
            - sFlow sample direction.
          sflow-counter-interval:
            description:
            - sFlow sampler counter polling interval (1 - 255 sec).
          sflow-sample-rate:
            description:
            - sFlow sampler sample rate (0 - 99999 p/sec).
          sflow-sampler:
            choices:
            - enabled
            - disabled
            description:
            - Enable/disable sFlow protocol on this interface.
          speed:
            choices:
            - 10half
            - 10full
            - 100half
            - 100full
            - 1000auto
            - 1000fiber
            - 1000full
            - 10000
            - 40000
            - auto
            - auto-module
            - 100FX-half
            - 100FX-full
            - 100000full
            - 2500full
            - 25000full
            - 50000full
            description:
            - Switch port speed; default and available settings depend on hardware.
          speed-mask:
            description:
            - Switch port speed mask.
          stacking-port:
            description:
            - Stacking port.
          status:
            choices:
            - up
            - down
            description:
            - 'Switch port admin status: up or down.'
          stp-bpdu-guard:
            choices:
            - enabled
            - disabled
            description:
            - Enable/disable STP BPDU guard on this interface.
          stp-bpdu-guard-timeout:
            description:
            - BPDU Guard disabling protection (0 - 120 min).
          stp-root-guard:
            choices:
            - enabled
            - disabled
            description:
            - Enable/disable STP root guard on this interface.
          stp-state:
            choices:
            - enabled
            - disabled
            description:
            - Enable/disable Spanning Tree Protocol (STP) on this interface.
          switch-id:
            description:
            - Switch id.
          type:
            choices:
            - physical
            - trunk
            description:
            - 'Interface type: physical or trunk port.'
          untagged-vlans:
            description:
            - Configure switch port untagged vlans
            suboptions:
              vlan-name:
                description:
                - VLAN name. Source system.interface.name.
                required: true
          virtual-port:
            description:
            - Virtualized switch port.
          vlan:
            description:
            - Assign switch ports to a VLAN. Source system.interface.name.
      pre-provisioned:
        description:
        - Pre-provisioned managed switch.
      staged-image-version:
        description:
        - Staged image version for FortiSwitch.
      state:
        choices:
        - present
        - absent
        description:
        - Indicates whether to create or remove the object
      storm-control:
        description:
        - Configuration method to edit FortiSwitch storm control for measuring traffic
          activity using data rates to prevent traffic disruption.
        suboptions:
          broadcast:
            choices:
            - enable
            - disable
            description:
            - Enable/disable storm control to drop broadcast traffic.
          local-override:
            choices:
            - enable
            - disable
            description:
            - Enable to override global FortiSwitch storm control settings for this FortiSwitch.
          rate:
            description:
            - Rate in packets per second at which storm traffic is controlled (1 - 10000000,
              default = 500). Storm control drops excess traffic data rates beyond this
              threshold.
          unknown-multicast:
            choices:
            - enable
            - disable
            description:
            - Enable/disable storm control to drop unknown multicast traffic.
          unknown-unicast:
            choices:
            - enable
            - disable
            description:
            - Enable/disable storm control to drop unknown unicast traffic.
      stp-settings:
        description:
        - Configuration method to edit Spanning Tree Protocol (STP) settings used to prevent
          bridge loops.
        suboptions:
          forward-time:
            description:
            - Period of time a port is in listening and learning state (4 - 30 sec, default
              = 15).
          hello-time:
            description:
            - Period of time between successive STP frame Bridge Protocol Data Units (BPDUs)
              sent on a port (1 - 10 sec, default = 2).
          local-override:
            choices:
            - enable
            - disable
            description:
            - Enable to configure local STP settings that override global STP settings.
          max-age:
            description:
            - Maximum time before a bridge port saves its configuration BPDU information
              (6 - 40 sec, default = 20).
          max-hops:
            description:
            - Maximum number of hops between the root bridge and the furthest bridge
              (1 - 40, default = 20).
          name:
            description:
            - Name of local STP settings configuration.
          pending-timer:
            description:
            - Pending time (1 - 15 sec, default = 4).
          revision:
            description:
            - STP revision number (0 - 65535).
          status:
            choices:
            - enable
            - disable
            description:
            - Enable/disable STP.
      switch-device-tag:
        description:
        - User definable label/tag.
      switch-id:
        description:
        - Managed-switch id.
        required: true
      switch-log:
        description:
        - Configuration method to edit FortiSwitch logging settings (logs are transferred
          to and inserted into the FortiGate event log).
        suboptions:
          local-override:
            choices:
            - enable
            - disable
            description:
            - Enable to configure local logging settings that override global logging
              settings.
          severity:
            choices:
            - emergency
            - alert
            - critical
            - error
            - warning
            - notification
            - information
            - debug
            description:
            - Severity of FortiSwitch logs that are added to the FortiGate event log.
          status:
            choices:
            - enable
            - disable
            description:
            - Enable/disable adding FortiSwitch logs to the FortiGate event log.
      switch-profile:
        description:
        - FortiSwitch profile. Source switch-controller.switch-profile.name.
      switch-stp-settings:
        description:
        - Configure spanning tree protocol (STP).
        suboptions:
          status:
            choices:
            - enable
            - disable
            description:
            - Enable/disable STP.
      type:
        choices:
        - virtual
        - physical
        description:
        - Indication of switch type, physical or virtual.
      version:
        description:
        - FortiSwitch version.

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str