Try SpotterConfigure HA in Fortinet's FortiOS and FortiGate.
| "added in version" 2.9 of ansible.builtin"
Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
pipInstall with pip install ansible==2.9.27
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and ha category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
ssl_verify: "False"
tasks:
- name: Configure HA.
fortios_system_ha:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
system_ha:
arps: "3"
arps_interval: "4"
authentication: "enable"
cpu_threshold: "<your_own_value>"
encryption: "enable"
ftp_proxy_threshold: "<your_own_value>"
gratuitous_arps: "enable"
group_id: "10"
group_name: "<your_own_value>"
ha_direct: "enable"
ha_eth_type: "<your_own_value>"
ha_mgmt_interfaces:
-
dst: "<your_own_value>"
gateway: "<your_own_value>"
gateway6: "<your_own_value>"
id: "18"
interface: "<your_own_value> (source system.interface.name)"
ha_mgmt_status: "enable"
ha_uptime_diff_margin: "21"
hb_interval: "22"
hb_lost_threshold: "23"
hbdev: "<your_own_value>"
hc_eth_type: "<your_own_value>"
hello_holddown: "26"
http_proxy_threshold: "<your_own_value>"
imap_proxy_threshold: "<your_own_value>"
inter_cluster_session_sync: "enable"
key: "<your_own_value>"
l2ep_eth_type: "<your_own_value>"
link_failed_signal: "enable"
load_balance_all: "enable"
memory_compatible_mode: "enable"
memory_threshold: "<your_own_value>"
mode: "standalone"
monitor: "<your_own_value> (source system.interface.name)"
multicast_ttl: "38"
nntp_proxy_threshold: "<your_own_value>"
override: "enable"
override_wait_time: "41"
password: "<your_own_value>"
pingserver_failover_threshold: "43"
pingserver_flip_timeout: "44"
pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
pingserver_slave_force_reset: "enable"
pop3_proxy_threshold: "<your_own_value>"
priority: "48"
route_hold: "49"
route_ttl: "50"
route_wait: "51"
schedule: "none"
secondary_vcluster:
monitor: "<your_own_value> (source system.interface.name)"
override: "enable"
override_wait_time: "56"
pingserver_failover_threshold: "57"
pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
pingserver_slave_force_reset: "enable"
priority: "60"
vcluster_id: "61"
vdom: "<your_own_value>"
session_pickup: "enable"
session_pickup_connectionless: "enable"
session_pickup_delay: "enable"
session_pickup_expectation: "enable"
session_pickup_nat: "enable"
session_sync_dev: "<your_own_value> (source system.interface.name)"
smtp_proxy_threshold: "<your_own_value>"
standalone_config_sync: "enable"
standalone_mgmt_vdom: "enable"
sync_config: "enable"
sync_packet_balance: "enable"
unicast_hb: "enable"
unicast_hb_netmask: "<your_own_value>"
unicast_hb_peerip: "<your_own_value>"
uninterruptible_upgrade: "enable"
vcluster_id: "78"
vcluster2: "enable"
vdom: "<your_own_value>"
weight: "<your_own_value>"
host:
description:
- FortiOS or FortiGate IP address.
required: false
type: str
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
type: str
https:
default: true
description:
- Indicates if the requests towards FortiGate must use HTTPS protocol.
type: bool
password:
default: ''
description:
- FortiOS or FortiGate password.
type: str
username:
description:
- FortiOS or FortiGate username.
required: false
type: str
system_ha:
default: null
description:
- Configure HA.
suboptions:
arps:
description:
- Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce
failover time.
type: int
arps_interval:
description:
- Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher
to reduce traffic.
type: int
authentication:
choices:
- enable
- disable
description:
- Enable/disable heartbeat message authentication.
type: str
cpu_threshold:
description:
- Dynamic weighted load balancing CPU usage weight and high and low thresholds.
type: str
encryption:
choices:
- enable
- disable
description:
- Enable/disable heartbeat message encryption.
type: str
ftp_proxy_threshold:
description:
- Dynamic weighted load balancing weight and high and low number of FTP proxy
sessions.
type: str
gratuitous_arps:
choices:
- enable
- disable
description:
- Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled.
type: str
group_id:
description:
- Cluster group ID (0 - 255). Must be the same for all members.
type: int
group_name:
description:
- Cluster group name. Must be the same for all members.
type: str
ha_direct:
choices:
- enable
- disable
description:
- Enable/disable using ha-mgmt interface for syslog, SNMP, remote authentication
(RADIUS), FortiAnalyzer, and FortiSandbox.
type: str
ha_eth_type:
description:
- HA heartbeat packet Ethertype (4-digit hex).
type: str
ha_mgmt_interfaces:
description:
- Reserve interfaces to manage individual cluster units.
suboptions:
dst:
description:
- Default route destination for reserved HA management interface.
type: str
gateway:
description:
- Default route gateway for reserved HA management interface.
type: str
gateway6:
description:
- Default IPv6 gateway for reserved HA management interface.
type: str
id:
description:
- Table ID.
required: true
type: int
interface:
description:
- Interface to reserve for HA management. Source system.interface.name.
type: str
type: list
ha_mgmt_status:
choices:
- enable
- disable
description:
- Enable to reserve interfaces to manage individual cluster units.
type: str
ha_uptime_diff_margin:
description:
- Normally you would only reduce this value for failover testing.
type: int
hb_interval:
description:
- Time between sending heartbeat packets (1 - 20 (100*ms)). Increase to reduce
false positives.
type: int
hb_lost_threshold:
description:
- Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false
positives.
type: int
hbdev:
description:
- Heartbeat interfaces. Must be the same for all members.
type: str
hc_eth_type:
description:
- Transparent mode HA heartbeat packet Ethertype (4-digit hex).
type: str
hello_holddown:
description:
- Time to wait before changing from hello to work state (5 - 300 sec).
type: int
http_proxy_threshold:
description:
- Dynamic weighted load balancing weight and high and low number of HTTP proxy
sessions.
type: str
imap_proxy_threshold:
description:
- Dynamic weighted load balancing weight and high and low number of IMAP proxy
sessions.
type: str
inter_cluster_session_sync:
choices:
- enable
- disable
description:
- Enable/disable synchronization of sessions among HA clusters.
type: str
key:
description:
- key
type: str
l2ep_eth_type:
description:
- Telnet session HA heartbeat packet Ethertype (4-digit hex).
type: str
link_failed_signal:
choices:
- enable
- disable
description:
- Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous
ARPs do not update network.
type: str
load_balance_all:
choices:
- enable
- disable
description:
- Enable to load balance TCP sessions. Disable to load balance proxy sessions
only.
type: str
memory_compatible_mode:
choices:
- enable
- disable
description:
- Enable/disable memory compatible mode.
type: str
memory_threshold:
description:
- Dynamic weighted load balancing memory usage weight and high and low thresholds.
type: str
mode:
choices:
- standalone
- a-a
- a-p
description:
- HA mode. Must be the same for all members. FGSP requires standalone.
type: str
monitor:
description:
- Interfaces to check for port monitoring (or link failure). Source system.interface.name.
type: str
multicast_ttl:
description:
- HA multicast TTL on master (5 - 3600 sec).
type: int
nntp_proxy_threshold:
description:
- Dynamic weighted load balancing weight and high and low number of NNTP proxy
sessions.
type: str
override:
choices:
- enable
- disable
description:
- Enable and increase the priority of the unit that should always be primary (master).
type: str
override_wait_time:
description:
- Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the
cluster negotiates.
type: int
password:
description:
- Cluster password. Must be the same for all members.
type: str
pingserver_failover_threshold:
description:
- Remote IP monitoring failover threshold (0 - 50).
type: int
pingserver_flip_timeout:
description:
- Time to wait in minutes before renegotiating after a remote IP monitoring failover.
type: int
pingserver_monitor_interface:
description:
- Interfaces to check for remote IP monitoring. Source system.interface.name.
type: str
pingserver_slave_force_reset:
choices:
- enable
- disable
description:
- Enable to force the cluster to negotiate after a remote IP monitoring failover.
type: str
pop3_proxy_threshold:
description:
- Dynamic weighted load balancing weight and high and low number of POP3 proxy
sessions.
type: str
priority:
description:
- Increase the priority to select the primary unit (0 - 255).
type: int
route_hold:
description:
- Time to wait between routing table updates to the cluster (0 - 3600 sec).
type: int
route_ttl:
description:
- TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes
during failover.
type: int
route_wait:
description:
- Time to wait before sending new routes to the cluster (0 - 3600 sec).
type: int
schedule:
choices:
- none
- hub
- leastconnection
- round-robin
- weight-round-robin
- random
- ip
- ipport
description:
- Type of A-A load balancing. Use none if you have external load balancers.
type: str
secondary_vcluster:
description:
- Configure virtual cluster 2.
suboptions:
monitor:
description:
- Interfaces to check for port monitoring (or link failure). Source system.interface.name.
type: str
override:
choices:
- enable
- disable
description:
- Enable and increase the priority of the unit that should always be primary
(master).
type: str
override_wait_time:
description:
- Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often
the cluster negotiates.
type: int
pingserver_failover_threshold:
description:
- Remote IP monitoring failover threshold (0 - 50).
type: int
pingserver_monitor_interface:
description:
- Interfaces to check for remote IP monitoring. Source system.interface.name.
type: str
pingserver_slave_force_reset:
choices:
- enable
- disable
description:
- Enable to force the cluster to negotiate after a remote IP monitoring failover.
type: str
priority:
description:
- Increase the priority to select the primary unit (0 - 255).
type: int
vcluster_id:
description:
- Cluster ID.
type: int
vdom:
description:
- VDOMs in virtual cluster 2.
type: str
type: dict
session_pickup:
choices:
- enable
- disable
description:
- Enable/disable session pickup. Enabling it can reduce session down time when
fail over happens.
type: str
session_pickup_connectionless:
choices:
- enable
- disable
description:
- Enable/disable UDP and ICMP session sync for FGSP.
type: str
session_pickup_delay:
choices:
- enable
- disable
description:
- Enable to sync sessions longer than 30 sec. Only longer lived sessions need
to be synced.
type: str
session_pickup_expectation:
choices:
- enable
- disable
description:
- Enable/disable session helper expectation session sync for FGSP.
type: str
session_pickup_nat:
choices:
- enable
- disable
description:
- Enable/disable NAT session sync for FGSP.
type: str
session_sync_dev:
description:
- Offload session sync to one or more interfaces to distribute traffic and prevent
delays if needed. Source system.interface.name.
type: str
smtp_proxy_threshold:
description:
- Dynamic weighted load balancing weight and high and low number of SMTP proxy
sessions.
type: str
standalone_config_sync:
choices:
- enable
- disable
description:
- Enable/disable FGSP configuration synchronization.
type: str
standalone_mgmt_vdom:
choices:
- enable
- disable
description:
- Enable/disable standalone management VDOM.
type: str
sync_config:
choices:
- enable
- disable
description:
- Enable/disable configuration synchronization.
type: str
sync_packet_balance:
choices:
- enable
- disable
description:
- Enable/disable HA packet distribution to multiple CPUs.
type: str
unicast_hb:
choices:
- enable
- disable
description:
- Enable/disable unicast heartbeat.
type: str
unicast_hb_netmask:
description:
- Unicast heartbeat netmask.
type: str
unicast_hb_peerip:
description:
- Unicast heartbeat peer IP.
type: str
uninterruptible_upgrade:
choices:
- enable
- disable
description:
- Enable to upgrade a cluster without blocking network traffic.
type: str
vcluster2:
choices:
- enable
- disable
description:
- Enable/disable virtual cluster 2 for virtual clustering.
type: str
vcluster_id:
description:
- Cluster ID.
type: int
vdom:
description:
- VDOMs in virtual cluster 1.
type: str
weight:
description:
- Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>.
type: str
type: dict
ssl_verify:
default: true
description:
- Ensures FortiGate certificate must be verified by a proper CA.
type: bool
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str