fortinet.fortios.fortios_system_ha (2.3.6) — module

Configure HA in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of fortinet.fortios

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install fortinet.fortios:==2.3.6


Add to requirements.yml

  collections:
    - name: fortinet.fortios
      version: 2.3.6

Description

This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the system feature, ha category. The examples include all parameters; values need to be adjusted to your datasources before usage. Tested with FOS v6.0.0


Requirements

Usage examples

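# Example task for fortinet.fortios.fortios_system_ha (collection 2.3.6).
# Every module parameter is listed; "<your_own_value>" entries are
# placeholders and "(source ...)" names the FortiOS table the value must
# already exist in. Trim the task to the parameters actually needed.
# Options documented as type: list are written as YAML lists here.
- name: Configure HA.
  fortinet.fortios.fortios_system_ha:
    vdom: "{{ vdom }}"
    system_ha:
      arps: "5"
      arps_interval: "8"
      # Heartbeat message authentication/encryption; both are documented
      # as enable/disable options of this module.
      authentication: "enable"
      cpu_threshold: "<your_own_value>"
      encryption: "enable"
      evpn_ttl: "60"
      failover_hold_time: "0"
      ftp_proxy_threshold: "<your_own_value>"
      # The option list says to disable gratuitous_arps when
      # link_failed_signal is enabled; this generated example enables both,
      # so pick one for a real deployment.
      gratuitous_arps: "enable"
      group_id: "0"
      group_name: "<your_own_value>"
      ha_direct: "enable"
      ha_eth_type: "<your_own_value>"
      ha_mgmt_interfaces:
        - dst: "<your_own_value>"
          gateway: "<your_own_value>"
          gateway6: "<your_own_value>"
          id: "20"
          interface: "<your_own_value> (source system.interface.name)"
      ha_mgmt_status: "enable"
      ha_uptime_diff_margin: "300"
      hb_interval: "2"
      hb_interval_in_milliseconds: "100ms"
      hb_lost_threshold: "20"
      # List option (elements: str): one entry per heartbeat interface.
      hbdev:
        - "<your_own_value>"
      hc_eth_type: "<your_own_value>"
      hello_holddown: "20"
      http_proxy_threshold: "<your_own_value>"
      imap_proxy_threshold: "<your_own_value>"
      inter_cluster_session_sync: "enable"
      # List option. aes128-sha1 is the weakest of the documented choices;
      # the option list also accepts aes256gcm and chacha20poly1305.
      ipsec_phase2_proposal:
        - "aes128-sha1"
      # Secret: supply from Ansible Vault or a lookup rather than a literal
      # value committed with the playbook.
      key: "<your_own_value>"
      l2ep_eth_type: "<your_own_value>"
      link_failed_signal: "enable"
      load_balance_all: "enable"
      logical_sn: "enable"
      memory_based_failover: "enable"
      memory_compatible_mode: "enable"
      memory_failover_flip_timeout: "6"
      memory_failover_monitor_period: "60"
      memory_failover_sample_rate: "1"
      memory_failover_threshold: "0"
      memory_threshold: "<your_own_value>"
      mode: "standalone"
      # List option: interfaces to check for port monitoring.
      monitor:
        - "<your_own_value> (source system.interface.name)"
      multicast_ttl: "600"
      nntp_proxy_threshold: "<your_own_value>"
      override: "enable"
      override_wait_time: "0"
      # Secret: same handling as key above (Vault or lookup, not a literal).
      password: "<your_own_value>"
      pingserver_failover_threshold: "0"
      pingserver_flip_timeout: "60"
      pingserver_monitor_interface:
        - "<your_own_value> (source system.interface.name)"
      pingserver_secondary_force_reset: "enable"
      # Documented with the same description as
      # pingserver_secondary_force_reset; presumably the older name of the
      # same setting — TODO confirm which one the target FortiOS version
      # accepts and set only that one. The same pair recurs under
      # secondary_vcluster and vcluster below.
      pingserver_slave_force_reset: "enable"
      pop3_proxy_threshold: "<your_own_value>"
      priority: "128"
      route_hold: "10"
      route_ttl: "10"
      route_wait: "0"
      schedule: "none"
      secondary_vcluster:
        monitor:
          - "<your_own_value> (source system.interface.name)"
        override: "enable"
        override_wait_time: "0"
        pingserver_failover_threshold: "0"
        pingserver_monitor_interface:
          - "<your_own_value> (source system.interface.name)"
        pingserver_secondary_force_reset: "enable"
        pingserver_slave_force_reset: "enable"
        priority: "128"
        vcluster_id: "1"
        vdom: "<your_own_value>"
      session_pickup: "enable"
      session_pickup_connectionless: "enable"
      session_pickup_delay: "enable"
      session_pickup_expectation: "enable"
      session_pickup_nat: "enable"
      session_sync_dev:
        - "<your_own_value> (source system.interface.name)"
      smtp_proxy_threshold: "<your_own_value>"
      ssd_failover: "enable"
      standalone_config_sync: "enable"
      standalone_mgmt_vdom: "enable"
      sync_config: "enable"
      sync_packet_balance: "enable"
      unicast_gateway: "<your_own_value>"
      unicast_hb: "enable"
      unicast_hb_netmask: "<your_own_value>"
      unicast_hb_peerip: "<your_own_value>"
      unicast_peers:
        - id: "92"
          peer_ip: "<your_own_value>"
      unicast_status: "enable"
      uninterruptible_primary_wait: "30"
      uninterruptible_upgrade: "enable"
      upgrade_mode: "simultaneous"
      vcluster:
        - monitor:
            - "<your_own_value> (source system.interface.name)"
          override: "enable"
          override_wait_time: "0"
          pingserver_failover_threshold: "0"
          pingserver_flip_timeout: "60"
          pingserver_monitor_interface:
            - "<your_own_value> (source system.interface.name)"
          pingserver_secondary_force_reset: "enable"
          pingserver_slave_force_reset: "enable"
          priority: "128"
          # Placeholder spelled "<you_own_value>" in the generated example;
          # corrected to match the rest of the file. This id is required.
          vcluster_id: "<your_own_value>"
          vdom:
            - name: "default_name_110 (source system.vdom.name)"
      vcluster_id: "0"
      vcluster_status: "enable"
      vcluster2: "enable"
      vdom: "<your_own_value>"
      weight: "<your_own_value>"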

Inputs

    
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

system_ha:
    default: null
    description:
    - Configure HA.
    suboptions:
      arps:
        description:
        - Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce
          failover time.
        type: int
      arps_interval:
        description:
        - Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher
          to reduce traffic.
        type: int
      authentication:
        choices:
        - enable
        - disable
        description:
        - Enable/disable heartbeat message authentication.
        type: str
      cpu_threshold:
        description:
        - Dynamic weighted load balancing CPU usage weight and high and low thresholds.
        type: str
      encryption:
        choices:
        - enable
        - disable
        description:
        - Enable/disable heartbeat message encryption.
        type: str
      evpn_ttl:
        description:
        - HA EVPN FDB TTL on primary box (5 - 3600 sec).
        type: int
      failover_hold_time:
        description:
        - Time to wait before failover (0 - 300 sec), to avoid flip.
        type: int
      ftp_proxy_threshold:
        description:
        - Dynamic weighted load balancing weight and high and low number of FTP proxy
          sessions.
        type: str
      gratuitous_arps:
        choices:
        - enable
        - disable
        description:
        - Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled.
        type: str
      group_id:
        description:
        - HA group ID (0 - 1023; or 0 - 7 when there are more than 2 vclusters). Must
          be the same for all members.
        type: int
      group_name:
        description:
        - Cluster group name. Must be the same for all members.
        type: str
      ha_direct:
        choices:
        - enable
        - disable
        description:
        - Enable/disable using ha-mgmt interface for syslog, remote authentication (RADIUS),
          FortiAnalyzer, FortiSandbox, sFlow, and Netflow.
        type: str
      ha_eth_type:
        description:
        - HA heartbeat packet Ethertype (4-digit hex).
        type: str
      ha_mgmt_interfaces:
        description:
        - Reserve interfaces to manage individual cluster units.
        elements: dict
        suboptions:
          dst:
            description:
            - Default route destination for reserved HA management interface.
            type: str
          gateway:
            description:
            - Default route gateway for reserved HA management interface.
            type: str
          gateway6:
            description:
            - Default IPv6 gateway for reserved HA management interface.
            type: str
          id:
            description:
            - Table ID. see <a href='#notes'>Notes</a>.
            required: true
            type: int
          interface:
            description:
            - Interface to reserve for HA management. Source system.interface.name.
            type: str
        type: list
      ha_mgmt_status:
        choices:
        - enable
        - disable
        description:
        - Enable to reserve interfaces to manage individual cluster units.
        type: str
      ha_uptime_diff_margin:
        description:
        - Normally you would only reduce this value for failover testing.
        type: int
      hb_interval:
        description:
        - Time between sending heartbeat packets (1 - 20). Increase to reduce false positives.
        type: int
      hb_interval_in_milliseconds:
        choices:
        - 100ms
        - 10ms
        description:
        - Units of heartbeat interval time between sending heartbeat packets. Default
          is 100ms.
        type: str
      hb_lost_threshold:
        description:
        - Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false
          positives.
        type: int
      hbdev:
        description:
        - Heartbeat interfaces. Must be the same for all members.
        elements: str
        type: list
      hc_eth_type:
        description:
        - Transparent mode HA heartbeat packet Ethertype (4-digit hex).
        type: str
      hello_holddown:
        description:
        - Time to wait before changing from hello to work state (5 - 300 sec).
        type: int
      http_proxy_threshold:
        description:
        - Dynamic weighted load balancing weight and high and low number of HTTP proxy
          sessions.
        type: str
      imap_proxy_threshold:
        description:
        - Dynamic weighted load balancing weight and high and low number of IMAP proxy
          sessions.
        type: str
      inter_cluster_session_sync:
        choices:
        - enable
        - disable
        description:
        - Enable/disable synchronization of sessions among HA clusters.
        type: str
      ipsec_phase2_proposal:
        choices:
        - aes128-sha1
        - aes128-sha256
        - aes128-sha384
        - aes128-sha512
        - aes192-sha1
        - aes192-sha256
        - aes192-sha384
        - aes192-sha512
        - aes256-sha1
        - aes256-sha256
        - aes256-sha384
        - aes256-sha512
        - aes128gcm
        - aes256gcm
        - chacha20poly1305
        description:
        - IPsec phase2 proposal.
        elements: str
        type: list
      key:
        description:
        - Key.
        type: str
      l2ep_eth_type:
        description:
        - Telnet session HA heartbeat packet Ethertype (4-digit hex).
        type: str
      link_failed_signal:
        choices:
        - enable
        - disable
        description:
        - Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous
          ARPs do not update network.
        type: str
      load_balance_all:
        choices:
        - enable
        - disable
        description:
        - Enable to load balance TCP sessions. Disable to load balance proxy sessions
          only.
        type: str
      logical_sn:
        choices:
        - enable
        - disable
        description:
        - Enable/disable usage of the logical serial number.
        type: str
      memory_based_failover:
        choices:
        - enable
        - disable
        description:
        - Enable/disable memory based failover.
        type: str
      memory_compatible_mode:
        choices:
        - enable
        - disable
        description:
        - Enable/disable memory compatible mode.
        type: str
      memory_failover_flip_timeout:
        description:
        - Time to wait between subsequent memory based failovers in minutes (6 - 2147483647).
        type: int
      memory_failover_monitor_period:
        description:
        - Duration of high memory usage before memory based failover is triggered in seconds
          (1 - 300).
        type: int
      memory_failover_sample_rate:
        description:
        - Rate at which memory usage is sampled in order to measure memory usage in seconds
          (1 - 60).
        type: int
      memory_failover_threshold:
        description:
        - Memory usage threshold to trigger memory based failover (0 means using conserve
          mode threshold in system.global).
        type: int
      memory_threshold:
        description:
        - Dynamic weighted load balancing memory usage weight and high and low thresholds.
        type: str
      mode:
        choices:
        - standalone
        - a-a
        - a-p
        description:
        - HA mode. Must be the same for all members. FGSP requires standalone.
        type: str
      monitor:
        description:
        - Interfaces to check for port monitoring (or link failure). Source system.interface.name.
        elements: str
        type: list
      multicast_ttl:
        description:
        - HA multicast TTL on primary (5 - 3600 sec).
        type: int
      nntp_proxy_threshold:
        description:
        - Dynamic weighted load balancing weight and high and low number of NNTP proxy
          sessions.
        type: str
      override:
        choices:
        - enable
        - disable
        description:
        - Enable and increase the priority of the unit that should always be primary (master).
        type: str
      override_wait_time:
        description:
        - Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the
          cluster negotiates.
        type: int
      password:
        description:
        - Cluster password. Must be the same for all members.
        type: str
      pingserver_failover_threshold:
        description:
        - Remote IP monitoring failover threshold (0 - 50).
        type: int
      pingserver_flip_timeout:
        description:
        - Time to wait in minutes before renegotiating after a remote IP monitoring failover.
        type: int
      pingserver_monitor_interface:
        description:
        - Interfaces to check for remote IP monitoring. Source system.interface.name.
        elements: str
        type: list
      pingserver_secondary_force_reset:
        choices:
        - enable
        - disable
        description:
        - Enable to force the cluster to negotiate after a remote IP monitoring failover.
        type: str
      pingserver_slave_force_reset:
        choices:
        - enable
        - disable
        description:
        - Enable to force the cluster to negotiate after a remote IP monitoring failover.
        type: str
      pop3_proxy_threshold:
        description:
        - Dynamic weighted load balancing weight and high and low number of POP3 proxy
          sessions.
        type: str
      priority:
        description:
        - Increase the priority to select the primary unit (0 - 255).
        type: int
      route_hold:
        description:
        - Time to wait between routing table updates to the cluster (0 - 3600 sec).
        type: int
      route_ttl:
        description:
        - TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes
          during failover.
        type: int
      route_wait:
        description:
        - Time to wait before sending new routes to the cluster (0 - 3600 sec).
        type: int
      schedule:
        choices:
        - none
        - leastconnection
        - round-robin
        - weight-round-robin
        - random
        - ip
        - ipport
        - hub
        description:
        - Type of A-A load balancing. Use none if you have external load balancers.
        type: str
      secondary_vcluster:
        description:
        - Configure virtual cluster 2.
        suboptions:
          monitor:
            description:
            - Interfaces to check for port monitoring (or link failure). Source system.interface.name.
            elements: str
            type: list
          override:
            choices:
            - enable
            - disable
            description:
            - Enable and increase the priority of the unit that should always be primary.
            type: str
          override_wait_time:
            description:
            - Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often
              the cluster negotiates.
            type: int
          pingserver_failover_threshold:
            description:
            - Remote IP monitoring failover threshold (0 - 50).
            type: int
          pingserver_monitor_interface:
            description:
            - Interfaces to check for remote IP monitoring. Source system.interface.name.
            elements: str
            type: list
          pingserver_secondary_force_reset:
            choices:
            - enable
            - disable
            description:
            - Enable to force the cluster to negotiate after a remote IP monitoring failover.
            type: str
          pingserver_slave_force_reset:
            choices:
            - enable
            - disable
            description:
            - Enable to force the cluster to negotiate after a remote IP monitoring failover.
            type: str
          priority:
            description:
            - Increase the priority to select the primary unit (0 - 255).
            type: int
          vcluster_id:
            description:
            - Cluster ID.
            type: int
          vdom:
            description:
            - VDOMs in virtual cluster 2.
            type: str
        type: dict
      session_pickup:
        choices:
        - enable
        - disable
        description:
        - Enable/disable session pickup. Enabling it can reduce session down time when
          failover happens.
        type: str
      session_pickup_connectionless:
        choices:
        - enable
        - disable
        description:
        - Enable/disable UDP and ICMP session sync.
        type: str
      session_pickup_delay:
        choices:
        - enable
        - disable
        description:
        - Enable to sync sessions longer than 30 sec. Only longer lived sessions need
          to be synced.
        type: str
      session_pickup_expectation:
        choices:
        - enable
        - disable
        description:
        - Enable/disable session helper expectation session sync for FGSP.
        type: str
      session_pickup_nat:
        choices:
        - enable
        - disable
        description:
        - Enable/disable NAT session sync for FGSP.
        type: str
      session_sync_dev:
        description:
        - Offload session-sync process to kernel and sync sessions using connected interface(s)
          directly. Source system.interface.name.
        elements: str
        type: list
      smtp_proxy_threshold:
        description:
        - Dynamic weighted load balancing weight and high and low number of SMTP proxy
          sessions.
        type: str
      ssd_failover:
        choices:
        - enable
        - disable
        description:
        - Enable/disable automatic HA failover on SSD disk failure.
        type: str
      standalone_config_sync:
        choices:
        - enable
        - disable
        description:
        - Enable/disable FGSP configuration synchronization.
        type: str
      standalone_mgmt_vdom:
        choices:
        - enable
        - disable
        description:
        - Enable/disable standalone management VDOM.
        type: str
      sync_config:
        choices:
        - enable
        - disable
        description:
        - Enable/disable configuration synchronization.
        type: str
      sync_packet_balance:
        choices:
        - enable
        - disable
        description:
        - Enable/disable HA packet distribution to multiple CPUs.
        type: str
      unicast_gateway:
        description:
        - Default route gateway for unicast interface.
        type: str
      unicast_hb:
        choices:
        - enable
        - disable
        description:
        - Enable/disable unicast heartbeat.
        type: str
      unicast_hb_netmask:
        description:
        - Unicast heartbeat netmask.
        type: str
      unicast_hb_peerip:
        description:
        - Unicast heartbeat peer IP.
        type: str
      unicast_peers:
        description:
        - Unicast peers (one entry per peer).
        elements: dict
        suboptions:
          id:
            description:
            - Table ID. see <a href='#notes'>Notes</a>.
            required: true
            type: int
          peer_ip:
            description:
            - Unicast peer IP.
            type: str
        type: list
      unicast_status:
        choices:
        - enable
        - disable
        description:
        - Enable/disable unicast connection.
        type: str
      uninterruptible_primary_wait:
        description:
        - Number of minutes the primary HA unit waits for the secondary HA unit to be
          considered upgraded and restarted before starting its own upgrade
          (15 - 300).
        type: int
      uninterruptible_upgrade:
        choices:
        - enable
        - disable
        description:
        - Enable to upgrade a cluster without blocking network traffic.
        type: str
      upgrade_mode:
        choices:
        - simultaneous
        - uninterruptible
        - local-only
        - secondary-only
        description:
        - The mode to upgrade a cluster.
        type: str
      vcluster:
        description:
        - Virtual cluster table.
        elements: dict
        suboptions:
          monitor:
            description:
            - Interfaces to check for port monitoring (or link failure). Source system.interface.name.
            elements: str
            type: list
          override:
            choices:
            - enable
            - disable
            description:
            - Enable and increase the priority of the unit that should always be primary
              (master).
            type: str
          override_wait_time:
            description:
            - Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often
              the cluster negotiates.
            type: int
          pingserver_failover_threshold:
            description:
            - Remote IP monitoring failover threshold (0 - 50).
            type: int
          pingserver_flip_timeout:
            description:
            - Time to wait in minutes before renegotiating after a remote IP monitoring
              failover.
            type: int
          pingserver_monitor_interface:
            description:
            - Interfaces to check for remote IP monitoring. Source system.interface.name.
            elements: str
            type: list
          pingserver_secondary_force_reset:
            choices:
            - enable
            - disable
            description:
            - Enable to force the cluster to negotiate after a remote IP monitoring failover.
            type: str
          pingserver_slave_force_reset:
            choices:
            - enable
            - disable
            description:
            - Enable to force the cluster to negotiate after a remote IP monitoring failover.
            type: str
          priority:
            description:
            - Increase the priority to select the primary unit (0 - 255).
            type: int
          vcluster_id:
            description:
            - ID. see <a href='#notes'>Notes</a>.
            required: true
            type: int
          vdom:
            description:
            - Virtual domain(s) in the virtual cluster.
            elements: dict
            suboptions:
              name:
                description:
                - Virtual domain name. Source system.vdom.name.
                required: true
                type: str
            type: list
        type: list
      vcluster2:
        choices:
        - enable
        - disable
        description:
        - Enable/disable virtual cluster 2 for virtual clustering.
        type: str
      vcluster_id:
        description:
        - Cluster ID.
        type: int
      vcluster_status:
        choices:
        - enable
        - disable
        description:
        - Enable/disable virtual cluster for virtual clustering.
        type: str
      vdom:
        description:
        - VDOMs in virtual cluster 1.
        type: str
      weight:
        description:
        - Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>.
        type: str
    type: dict

enable_log:
    default: false
    description:
    - Enable/Disable logging for task.
    required: false
    type: bool

member_path:
    description:
    - Member attribute path to operate on.
    - Delimited by a slash character if there are more than one attribute.
    - Parameters marked with member_path support member operations.
    type: str

access_token:
    description:
    - Token-based authentication. Generated from the FortiGate GUI.
    required: false
    type: str

member_state:
    choices:
    - present
    - absent
    description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
    type: str

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str