Try SpotterConfigure redundant internet connections using SD-WAN (formerly virtual WAN link) in Fortinet's FortiOS and FortiGate.
| "added in version" 2.8 of ansible.builtin"
Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
pipInstall with pip install ansible==2.8.20
This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify system feature and virtual_wan_link category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
fortios_system_virtual_wan_link:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
system_virtual_wan_link:
fail-alert-interfaces:
-
name: "default_name_4 (source system.interface.name)"
fail-detect: "enable"
health-check:
-
addr-mode: "ipv4"
failtime: "8"
http-get: "<your_own_value>"
http-match: "<your_own_value>"
interval: "11"
members:
-
seq-num: "13 (source system.virtual-wan-link.members.seq-num)"
name: "default_name_14"
packet-size: "15"
password: "<your_own_value>"
port: "17"
protocol: "ping"
recoverytime: "19"
security-mode: "none"
server: "192.168.100.40"
sla:
-
id: "23"
jitter-threshold: "24"
latency-threshold: "25"
link-cost-factor: "latency"
packetloss-threshold: "27"
threshold-alert-jitter: "28"
threshold-alert-latency: "29"
threshold-alert-packetloss: "30"
threshold-warning-jitter: "31"
threshold-warning-latency: "32"
threshold-warning-packetloss: "33"
update-cascade-interface: "enable"
update-static-route: "enable"
load-balance-mode: "source-ip-based"
members:
-
comment: "Comments."
gateway: "<your_own_value>"
gateway6: "<your_own_value>"
ingress-spillover-threshold: "41"
interface: "<your_own_value> (source system.interface.name)"
priority: "43"
seq-num: "44"
source: "<your_own_value>"
source6: "<your_own_value>"
spillover-threshold: "47"
status: "disable"
volume-ratio: "49"
weight: "50"
service:
-
addr-mode: "ipv4"
bandwidth-weight: "53"
dscp-forward: "enable"
dscp-forward-tag: "<your_own_value>"
dscp-reverse: "enable"
dscp-reverse-tag: "<your_own_value>"
dst:
-
name: "default_name_59 (source firewall.address.name firewall.addrgrp.name)"
dst-negate: "enable"
dst6:
-
name: "default_name_62 (source firewall.address6.name firewall.addrgrp6.name)"
end-port: "63"
gateway: "enable"
groups:
-
name: "default_name_66 (source user.group.name)"
health-check: "<your_own_value> (source system.virtual-wan-link.health-check.name)"
hold-down-time: "68"
id: "69"
input-device:
-
name: "default_name_71 (source system.interface.name)"
internet-service: "enable"
internet-service-ctrl:
-
id: "74"
internet-service-ctrl-group:
-
name: "default_name_76 (source application.group.name)"
internet-service-custom:
-
name: "default_name_78 (source firewall.internet-service-custom.name)"
internet-service-custom-group:
-
name: "default_name_80 (source firewall.internet-service-custom-group.name)"
internet-service-group:
-
name: "default_name_82 (source firewall.internet-service-group.name)"
internet-service-id:
-
id: "84 (source firewall.internet-service.id)"
jitter-weight: "85"
latency-weight: "86"
link-cost-factor: "latency"
link-cost-threshold: "88"
member: "89"
mode: "auto"
name: "default_name_91"
packet-loss-weight: "92"
priority-members:
-
seq-num: "94 (source system.virtual-wan-link.members.seq-num)"
protocol: "95"
quality-link: "96"
route-tag: "97"
sla:
-
health-check: "<your_own_value> (source system.virtual-wan-link.health-check.name)"
id: "100"
src:
-
name: "default_name_102 (source firewall.address.name firewall.addrgrp.name)"
src-negate: "enable"
src6:
-
name: "default_name_105 (source firewall.address6.name firewall.addrgrp6.name)"
start-port: "106"
status: "enable"
tos: "<your_own_value>"
tos-mask: "<your_own_value>"
users:
-
name: "default_name_111 (source user.local.name)"
status: "disable"
host:
description:
- FortiOS or FortiGate ip address.
required: true
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
https:
default: true
description:
- Indicates if the requests towards FortiGate must use HTTPS protocol
type: bool
password:
default: ''
description:
- FortiOS or FortiGate password.
username:
description:
- FortiOS or FortiGate username.
required: true
system_virtual_wan_link:
default: null
description:
- Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
suboptions:
fail-alert-interfaces:
description:
- Physical interfaces that will be alerted.
suboptions:
name:
description:
- Physical interface name. Source system.interface.name.
required: true
fail-detect:
choices:
- enable
- disable
description:
- Enable/disable SD-WAN Internet connection status checking (failure detection).
health-check:
description:
- SD-WAN status checking or health checking. Identify a server on the Internet
and determine how SD-WAN verifies that the FortiGate can communicate with it.
suboptions:
addr-mode:
choices:
- ipv4
- ipv6
description:
- Address mode (IPv4 or IPv6).
failtime:
description:
- Number of failures before server is considered lost (1 - 10, default = 5).
http-get:
description:
- URL used to communicate with the server if the protocol if the protocol
is HTTP.
http-match:
description:
- Response string expected from the server if the protocol is HTTP.
interval:
description:
- Status check interval, or the time between attempting to connect to the
server (1 - 3600 sec, default = 5).
members:
description:
- Member sequence number list.
suboptions:
seq-num:
description:
- Member sequence number. Source system.virtual-wan-link.members.seq-num.
required: true
name:
description:
- Status check or health check name.
required: true
packet-size:
description:
- Packet size of a twamp test session,
password:
description:
- Twamp controller password in authentication mode
port:
description:
- Port number used to communicate with the server over the selected protocol.
protocol:
choices:
- ping
- tcp-echo
- udp-echo
- http
- twamp
- ping6
description:
- Protocol used to determine if the FortiGate can communicate with the server.
recoverytime:
description:
- Number of successful responses received before server is considered recovered
(1 - 10, default = 5).
security-mode:
choices:
- none
- authentication
description:
- Twamp controller security mode.
server:
description:
- IP address or FQDN name of the server.
sla:
description:
- Service level agreement (SLA).
suboptions:
id:
description:
- SLA ID.
required: true
jitter-threshold:
description:
- Jitter for SLA to make decision in milliseconds. (0 - 10000000, default
= 5).
latency-threshold:
description:
- Latency for SLA to make decision in milliseconds. (0 - 10000000, default
= 5).
link-cost-factor:
choices:
- latency
- jitter
- packet-loss
description:
- Criteria on which to base link selection.
packetloss-threshold:
description:
- Packet loss for SLA to make decision in percentage. (0 - 100, default
= 0).
threshold-alert-jitter:
description:
- Alert threshold for jitter (ms, default = 0).
threshold-alert-latency:
description:
- Alert threshold for latency (ms, default = 0).
threshold-alert-packetloss:
description:
- Alert threshold for packet loss (percentage, default = 0).
threshold-warning-jitter:
description:
- Warning threshold for jitter (ms, default = 0).
threshold-warning-latency:
description:
- Warning threshold for latency (ms, default = 0).
threshold-warning-packetloss:
description:
- Warning threshold for packet loss (percentage, default = 0).
update-cascade-interface:
choices:
- enable
- disable
description:
- Enable/disable update cascade interface.
update-static-route:
choices:
- enable
- disable
description:
- Enable/disable updating the static route.
load-balance-mode:
choices:
- source-ip-based
- weight-based
- usage-based
- source-dest-ip-based
- measured-volume-based
description:
- Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
members:
description:
- Physical FortiGate interfaces added to the virtual-wan-link.
suboptions:
comment:
description:
- Comments.
gateway:
description:
- The default gateway for this interface. Usually the default gateway of the
Internet service provider that this interface is connected to.
gateway6:
description:
- IPv6 gateway.
ingress-spillover-threshold:
description:
- Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When
this traffic volume threshold is reached, new sessions spill over to other
interfaces in the SD-WAN.
interface:
description:
- Interface name. Source system.interface.name.
priority:
description:
- Priority of the interface (0 - 4294967295). Used for SD-WAN rules or priority
rules.
seq-num:
description:
- Sequence number(1-255).
required: true
source:
description:
- Source IP address used in the health-check packet to the server.
source6:
description:
- Source IPv6 address used in the health-check packet to the server.
spillover-threshold:
description:
- Egress spillover threshold for this interface (0 - 16776000 kbit/s). When
this traffic volume threshold is reached, new sessions spill over to other
interfaces in the SD-WAN.
status:
choices:
- disable
- enable
description:
- Enable/disable this interface in the SD-WAN.
volume-ratio:
description:
- Measured volume ratio (this value / sum of all values = percentage of link
volume, 0 - 255).
weight:
description:
- Weight of this interface for weighted load balancing. (0 - 255) More traffic
is directed to interfaces with higher weights.
service:
description:
- Create SD-WAN rules or priority rules (also called services) to control how
sessions are distributed to physical interfaces in the SD-WAN.
suboptions:
addr-mode:
choices:
- ipv4
- ipv6
description:
- Address mode (IPv4 or IPv6).
bandwidth-weight:
description:
- Coefficient of reciprocal of available bidirectional bandwidth in the formula
of custom-profile-1.
dscp-forward:
choices:
- enable
- disable
description:
- Enable/disable forward traffic DSCP tag.
dscp-forward-tag:
description:
- Forward traffic DSCP tag.
dscp-reverse:
choices:
- enable
- disable
description:
- Enable/disable reverse traffic DSCP tag.
dscp-reverse-tag:
description:
- Reverse traffic DSCP tag.
dst:
description:
- Destination address name.
suboptions:
name:
description:
- Address or address group name. Source firewall.address.name firewall.addrgrp.name.
required: true
dst-negate:
choices:
- enable
- disable
description:
- Enable/disable negation of destination address match.
dst6:
description:
- Destination address6 name.
suboptions:
name:
description:
- Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
required: true
end-port:
description:
- End destination port number.
gateway:
choices:
- enable
- disable
description:
- Enable/disable SD-WAN service gateway.
groups:
description:
- User groups.
suboptions:
name:
description:
- Group name. Source user.group.name.
required: true
health-check:
description:
- Health check. Source system.virtual-wan-link.health-check.name.
hold-down-time:
description:
- Waiting period in seconds when switching from the back-up member to the
primary member (0 - 10000000, default = 0).
id:
description:
- Priority rule ID (1 - 4000).
required: true
input-device:
description:
- Source interface name.
suboptions:
name:
description:
- Interface name. Source system.interface.name.
required: true
internet-service:
choices:
- enable
- disable
description:
- Enable/disable use of Internet service for application-based load balancing.
internet-service-ctrl:
description:
- Control-based Internet Service ID list.
suboptions:
id:
description:
- Control-based Internet Service ID.
required: true
internet-service-ctrl-group:
description:
- Control-based Internet Service group list.
suboptions:
name:
description:
- Control-based Internet Service group name. Source application.group.name.
required: true
internet-service-custom:
description:
- Custom Internet service name list.
suboptions:
name:
description:
- Custom Internet service name. Source firewall.internet-service-custom.name.
required: true
internet-service-custom-group:
description:
- Custom Internet Service group list.
suboptions:
name:
description:
- Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
required: true
internet-service-group:
description:
- Internet Service group list.
suboptions:
name:
description:
- Internet Service group name. Source firewall.internet-service-group.name.
required: true
internet-service-id:
description:
- Internet service ID list.
suboptions:
id:
description:
- Internet service ID. Source firewall.internet-service.id.
required: true
jitter-weight:
description:
- Coefficient of jitter in the formula of custom-profile-1.
latency-weight:
description:
- Coefficient of latency in the formula of custom-profile-1.
link-cost-factor:
choices:
- latency
- jitter
- packet-loss
- inbandwidth
- outbandwidth
- bibandwidth
- custom-profile-1
description:
- Link cost factor.
link-cost-threshold:
description:
- Percentage threshold change of link cost values that will result in policy
route regeneration (0 - 10000000, default = 10).
member:
description:
- Member sequence number.
mode:
choices:
- auto
- manual
- priority
- sla
description:
- Control how the priority rule sets the priority of interfaces in the SD-WAN.
name:
description:
- Priority rule name.
packet-loss-weight:
description:
- Coefficient of packet-loss in the formula of custom-profile-1.
priority-members:
description:
- Member sequence number list.
suboptions:
seq-num:
description:
- Member sequence number. Source system.virtual-wan-link.members.seq-num.
required: true
protocol:
description:
- Protocol number.
quality-link:
description:
- Quality grade.
route-tag:
description:
- IPv4 route map route-tag.
sla:
description:
- Service level agreement (SLA).
suboptions:
health-check:
description:
- Virtual WAN Link health-check. Source system.virtual-wan-link.health-check.name.
required: true
id:
description:
- SLA ID.
src:
description:
- Source address name.
suboptions:
name:
description:
- Address or address group name. Source firewall.address.name firewall.addrgrp.name.
required: true
src-negate:
choices:
- enable
- disable
description:
- Enable/disable negation of source address match.
src6:
description:
- Source address6 name.
suboptions:
name:
description:
- Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
required: true
start-port:
description:
- Start destination port number.
status:
choices:
- enable
- disable
description:
- Enable/disable SD-WAN service.
tos:
description:
- Type of service bit pattern.
tos-mask:
description:
- Type of service evaluated bits.
users:
description:
- User name.
suboptions:
name:
description:
- User name. Source user.local.name.
required: true
status:
choices:
- disable
- enable
description:
- Enable/disable SD-WAN.
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str