lix_fortinet.fortios.fortios_system_virtual_wan_link (102.2.120) — module

Configure redundant internet connections using SD-WAN (formerly virtual WAN link) in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of lix_fortinet.fortios

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install lix_fortinet.fortios:==102.2.120


Add to requirements.yml

  collections:
    # An exact version pin keeps collection installs reproducible across runs.
    - name: 'lix_fortinet.fortios'
      version: '102.2.120'

Description

This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the virtual_wan_link category of the system feature. The examples include all parameters, and their values need to be adjusted to your data sources before use. Tested with FOS v6.0.0.


Requirements

Usage examples

  • Success
    Steampunk Spotter scan finished with no errors, warnings or hints.
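# Generated sample that lists every parameter of the module. Values such as
# "<your_own_value>" and "... (source <table>)" are placeholders and must be
# replaced with real objects from the named FortiOS tables before use.
- hosts: fortigates
  collections:
    # NOTE(review): this page documents lix_fortinet.fortios, but the play
    # resolves modules from fortinet.fortios - confirm the namespace matches
    # the collection you actually installed and vetted.
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: true
    # Keep certificate validation on: the httpapi session carries the device
    # credentials and the full SD-WAN configuration. If the FortiGate uses a
    # private CA, trust that CA on the control node instead of disabling this.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
      fortios_system_virtual_wan_link:
        vdom: "{{ vdom }}"
        system_virtual_wan_link:
          fail_alert_interfaces:
            - name: "default_name_4 (source system.interface.name)"
          fail_detect: "enable"
          health_check:
            - addr_mode: "ipv4"
              diffservcode: "<your_own_value>"
              failtime: "1800"
              ha_priority: "25"
              http_agent: "<your_own_value>"
              http_get: "<your_own_value>"
              http_match: "<your_own_value>"
              interval: "1800000"
              members:
                - seq_num: "2147483647"
              name: "default_name_17"
              packet_size: "512"
              # TWAMP controller password: load it from Ansible Vault or
              # another secret store, never commit a literal value here.
              password: "<your_own_value>"
              port: "32767"
              probe_packets: "disable"
              probe_timeout: "2500"
              protocol: "ping"
              recoverytime: "1800"
              security_mode: "none"
              server: "192.168.100.40"
              sla:
                - id: "28"
                  jitter_threshold: "5000000"
                  latency_threshold: "5000000"
                  link_cost_factor: "latency"
                  packetloss_threshold: "50"
              sla_fail_log_period: "1800"
              sla_pass_log_period: "1800"
              threshold_alert_jitter: "2147483647"
              threshold_alert_latency: "2147483647"
              threshold_alert_packetloss: "50"
              threshold_warning_jitter: "2147483647"
              threshold_warning_latency: "2147483647"
              threshold_warning_packetloss: "50"
              update_cascade_interface: "enable"
              update_static_route: "enable"
          load_balance_mode: "source-ip-based"
          members:
            - comment: "Comments."
              cost: "2147483647"
              gateway: "<your_own_value>"
              gateway6: "<your_own_value>"
              ingress_spillover_threshold: "8388000"
              interface: "<your_own_value> (source system.interface.name)"
              priority: "2147483647"
              seq_num: "127"
              source: "<your_own_value>"
              source6: "<your_own_value>"
              spillover_threshold: "8388000"
              status: "disable"
              volume_ratio: "127"
              weight: "127"
          neighbor:
            - health_check: "<your_own_value> (source system.virtual-wan-link.health-check.name)"
              ip: "<your_own_value> (source router.bgp.neighbor.ip)"
              member: "2147483647"
              role: "standalone"
              sla_id: "2147483647"
          neighbor_hold_boot_time: "5000000"
          neighbor_hold_down: "enable"
          neighbor_hold_down_time: "5000000"
          service:
            - addr_mode: "ipv4"
              bandwidth_weight: "5000000"
              default: "enable"
              dscp_forward: "enable"
              dscp_forward_tag: "<your_own_value>"
              dscp_reverse: "enable"
              dscp_reverse_tag: "<your_own_value>"
              dst:
                - name: "default_name_77 (source firewall.address.name firewall.addrgrp.name)"
              dst_negate: "enable"
              dst6:
                - name: "default_name_80 (source firewall.address6.name firewall.addrgrp6.name)"
              end_port: "32767"
              gateway: "enable"
              groups:
                - name: "default_name_84 (source user.group.name)"
              health_check: "<your_own_value> (source system.virtual-wan-link.health-check.name)"
              hold_down_time: "5000000"
              id: "87"
              input_device:
                - name: "default_name_89 (source system.interface.name)"
              input_device_negate: "enable"
              internet_service: "enable"
              internet_service_app_ctrl:
                - id: "93"
              internet_service_app_ctrl_group:
                - name: "default_name_95 (source application.group.name)"
              internet_service_ctrl:
                - id: "97"
              internet_service_ctrl_group:
                - name: "default_name_99 (source application.group.name)"
              internet_service_custom:
                - name: "default_name_101 (source firewall.internet-service-custom.name)"
              internet_service_custom_group:
                - name: "default_name_103 (source firewall.internet-service-custom-group.name)"
              internet_service_group:
                - name: "default_name_105 (source firewall.internet-service-group.name)"
              internet_service_id:
                - id: "107 (source firewall.internet-service.id)"
              jitter_weight: "5000000"
              latency_weight: "5000000"
              link_cost_factor: "latency"
              link_cost_threshold: "5000000"
              member: "2147483647"
              mode: "auto"
              name: "default_name_114"
              packet_loss_weight: "5000000"
              priority_members:
                - seq_num: "2147483647"
              protocol: "127"
              quality_link: "127"
              role: "standalone"
              route_tag: "2147483647"
              sla:
                - health_check: "<your_own_value> (source system.virtual-wan-link.health-check.name)"
                  id: "124"
              sla_compare_method: "order"
              src:
                - name: "default_name_127 (source firewall.address.name firewall.addrgrp.name)"
              src_negate: "enable"
              src6:
                - name: "default_name_130 (source firewall.address6.name firewall.addrgrp6.name)"
              standalone_action: "enable"
              start_port: "32767"
              status: "enable"
              tos: "<your_own_value>"
              tos_mask: "<your_own_value>"
              users:
                - name: "default_name_137 (source user.local.name)"
          status: "disable"
          zone:
            - name: "default_name_140"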

Inputs

    
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

enable_log:
    default: false
    description:
    - Enable/Disable logging for task.
    required: false
    type: bool

member_path:
    description:
    - Member attribute path to operate on.
    - Delimited by a slash character if there are more than one attribute.
    - Parameter marked with member_path is legitimate for doing member operation.
    type: str

access_token:
    description:
    - Token-based authentication. The token is generated from the FortiGate GUI.
      Treat it as a credential and keep it out of plaintext playbooks and inventories.
    required: false
    type: str

member_state:
    choices:
    - present
    - absent
    description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
    type: str

system_virtual_wan_link:
    default: null
    description:
    - Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
    suboptions:
      fail_alert_interfaces:
        description:
        - Physical interfaces that will be alerted.
        elements: dict
        suboptions:
          name:
            description:
            - Physical interface name. Source system.interface.name.
            type: str
        type: list
      fail_detect:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SD-WAN Internet connection status checking (failure detection).
        type: str
      health_check:
        description:
        - SD-WAN status checking or health checking. Identify a server on the Internet
          and determine how SD-WAN verifies that the FortiGate can communicate with it.
        elements: dict
        suboptions:
          addr_mode:
            choices:
            - ipv4
            - ipv6
            description:
            - Address mode (IPv4 or IPv6).
            type: str
          diffservcode:
            description:
            - Differentiated services code point (DSCP) in the IP header of the probe
              packet.
            type: str
          failtime:
            description:
            - Number of failures before server is considered lost (1 - 3600).
            type: int
          ha_priority:
            description:
            - HA election priority (1 - 50).
            type: int
          http_agent:
            description:
            - String in the http-agent field in the HTTP header.
            type: str
          http_get:
            description:
            - URL used to communicate with the server if the protocol is HTTP.
            type: str
          http_match:
            description:
            - Response string expected from the server if the protocol is HTTP.
            type: str
          interval:
            description:
            - Status check interval in milliseconds, or the time between attempting to
              connect to the server (500 - 3600*1000 msec).
            type: int
          members:
            description:
            - Member sequence number list.
            elements: dict
            suboptions:
              seq_num:
                description:
                - Member sequence number. Source system.virtual-wan-link.members.seq-num.
                type: int
            type: list
          name:
            description:
            - Status check or health check name.
            type: str
          packet_size:
            description:
            - Packet size of a TWAMP test session.
            type: int
          password:
            description:
            - TWAMP controller password in authentication mode. Supply it from Ansible
              Vault or another secret store, not as a literal in the playbook.
            type: str
          port:
            description:
            - Port number used to communicate with the server over the selected protocol.
            type: int
          probe_packets:
            choices:
            - disable
            - enable
            description:
            - Enable/disable transmission of probe packets.
            type: str
          probe_timeout:
            description:
            - Time to wait before a probe packet is considered lost (500 - 5000 msec).
            type: int
          protocol:
            choices:
            - ping
            - tcp-echo
            - udp-echo
            - http
            - twamp
            - ping6
            description:
            - Protocol used to determine if the FortiGate can communicate with the server.
            type: str
          recoverytime:
            description:
            - Number of successful responses received before server is considered recovered
              (1 - 3600).
            type: int
          security_mode:
            choices:
            - none
            - authentication
            description:
            - Twamp controller security mode.
            type: str
          server:
            description:
            - IP address or FQDN name of the server.
            type: str
          sla:
            description:
            - Service level agreement (SLA).
            elements: dict
            suboptions:
              id:
                description:
                - SLA ID.
                type: int
              jitter_threshold:
                description:
                - Jitter for SLA to make decision in milliseconds. (0 - 10000000).
                type: int
              latency_threshold:
                description:
                - Latency for SLA to make decision in milliseconds. (0 - 10000000).
                type: int
              link_cost_factor:
                choices:
                - latency
                - jitter
                - packet-loss
                description:
                - Criteria on which to base link selection.
                elements: str
                type: list
              packetloss_threshold:
                description:
                - Packet loss for SLA to make decision in percentage. (0 - 100).
                type: int
            type: list
          sla_fail_log_period:
            description:
            - Time interval in seconds that SLA fail log messages will be generated (0
              - 3600).
            type: int
          sla_pass_log_period:
            description:
            - Time interval in seconds that SLA pass log messages will be generated (0
              - 3600).
            type: int
          threshold_alert_jitter:
            description:
            - Alert threshold for jitter (ms).
            type: int
          threshold_alert_latency:
            description:
            - Alert threshold for latency (ms).
            type: int
          threshold_alert_packetloss:
            description:
            - Alert threshold for packet loss (percentage).
            type: int
          threshold_warning_jitter:
            description:
            - Warning threshold for jitter (ms).
            type: int
          threshold_warning_latency:
            description:
            - Warning threshold for latency (ms).
            type: int
          threshold_warning_packetloss:
            description:
            - Warning threshold for packet loss (percentage).
            type: int
          update_cascade_interface:
            choices:
            - enable
            - disable
            description:
            - Enable/disable update cascade interface.
            type: str
          update_static_route:
            choices:
            - enable
            - disable
            description:
            - Enable/disable updating the static route.
            type: str
        type: list
      load_balance_mode:
        choices:
        - source-ip-based
        - weight-based
        - usage-based
        - source-dest-ip-based
        - measured-volume-based
        description:
        - Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
        type: str
      members:
        description:
        - FortiGate interfaces added to the virtual-wan-link.
        elements: dict
        suboptions:
          comment:
            description:
            - Comments.
            type: str
          cost:
            description:
            - Cost of this interface for services in SLA mode (0 - 4294967295).
            type: int
          gateway:
            description:
            - The default gateway for this interface. Usually the default gateway of the
              Internet service provider that this interface is connected to.
            type: str
          gateway6:
            description:
            - IPv6 gateway.
            type: str
          ingress_spillover_threshold:
            description:
            - Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When
              this traffic volume threshold is reached, new sessions spill over to other
              interfaces in the SD-WAN.
            type: int
          interface:
            description:
            - Interface name. Source system.interface.name.
            type: str
          priority:
            description:
            - Priority of the interface (0 - 4294967295). Used for SD-WAN rules or priority
              rules.
            type: int
          seq_num:
            description:
            - Sequence number (1 - 255).
            type: int
          source:
            description:
            - Source IP address used in the health-check packet to the server.
            type: str
          source6:
            description:
            - Source IPv6 address used in the health-check packet to the server.
            type: str
          spillover_threshold:
            description:
            - Egress spillover threshold for this interface (0 - 16776000 kbit/s). When
              this traffic volume threshold is reached, new sessions spill over to other
              interfaces in the SD-WAN.
            type: int
          status:
            choices:
            - disable
            - enable
            description:
            - Enable/disable this interface in the SD-WAN.
            type: str
          volume_ratio:
            description:
            - Measured volume ratio (this value / sum of all values = percentage of link
              volume, 1 - 255).
            type: int
          weight:
            description:
            - Weight of this interface for weighted load balancing. (1 - 255) More traffic
              is directed to interfaces with higher weights.
            type: int
        type: list
      neighbor:
        description:
        - Create SD-WAN neighbor from BGP neighbor table to control route advertisements
          according to SLA status.
        elements: dict
        suboptions:
          health_check:
            description:
            - SD-WAN health-check name. Source system.virtual-wan-link.health-check.name.
            type: str
          ip:
            description:
            - IP address of neighbor. Source router.bgp.neighbor.ip.
            type: str
          member:
            description:
            - Member sequence number. Source system.virtual-wan-link.members.seq-num.
            type: int
          role:
            choices:
            - standalone
            - primary
            - secondary
            description:
            - Role of neighbor.
            type: str
          sla_id:
            description:
            - SLA ID.
            type: int
        type: list
      neighbor_hold_boot_time:
        description:
        - Waiting period in seconds when switching from the primary neighbor to the secondary
          neighbor from the neighbor start. (0 - 10000000).
        type: int
      neighbor_hold_down:
        choices:
        - enable
        - disable
        description:
        - Enable/disable hold switching from the secondary neighbor to the primary neighbor.
        type: str
      neighbor_hold_down_time:
        description:
        - Waiting period in seconds when switching from the secondary neighbor to the
          primary neighbor when hold-down is disabled. (0 - 10000000).
        type: int
      service:
        description:
        - Create SD-WAN rules (also called services) to control how sessions are distributed
          to interfaces in the SD-WAN.
        elements: dict
        suboptions:
          addr_mode:
            choices:
            - ipv4
            - ipv6
            description:
            - Address mode (IPv4 or IPv6).
            type: str
          bandwidth_weight:
            description:
            - Coefficient of reciprocal of available bidirectional bandwidth in the formula
              of custom-profile-1.
            type: int
          default:
            choices:
            - enable
            - disable
            description:
            - Enable/disable use of SD-WAN as default service.
            type: str
          dscp_forward:
            choices:
            - enable
            - disable
            description:
            - Enable/disable forward traffic DSCP tag.
            type: str
          dscp_forward_tag:
            description:
            - Forward traffic DSCP tag.
            type: str
          dscp_reverse:
            choices:
            - enable
            - disable
            description:
            - Enable/disable reverse traffic DSCP tag.
            type: str
          dscp_reverse_tag:
            description:
            - Reverse traffic DSCP tag.
            type: str
          dst:
            description:
            - Destination address name.
            elements: dict
            suboptions:
              name:
                description:
                - Address or address group name. Source firewall.address.name firewall.addrgrp.name.
                type: str
            type: list
          dst6:
            description:
            - Destination address6 name.
            elements: dict
            suboptions:
              name:
                description:
                - Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
                type: str
            type: list
          dst_negate:
            choices:
            - enable
            - disable
            description:
            - Enable/disable negation of destination address match.
            type: str
          end_port:
            description:
            - End destination port number.
            type: int
          gateway:
            choices:
            - enable
            - disable
            description:
            - Enable/disable SD-WAN service gateway.
            type: str
          groups:
            description:
            - User groups.
            elements: dict
            suboptions:
              name:
                description:
                - Group name. Source user.group.name.
                type: str
            type: list
          health_check:
            description:
            - Health check. Source system.virtual-wan-link.health-check.name.
            type: str
          hold_down_time:
            description:
            - Waiting period in seconds when switching from the back-up member to the
              primary member (0 - 10000000).
            type: int
          id:
            description:
            - Priority rule ID (1 - 4000).
            type: int
          input_device:
            description:
            - Source interface name.
            elements: dict
            suboptions:
              name:
                description:
                - Interface name. Source system.interface.name.
                type: str
            type: list
          input_device_negate:
            choices:
            - enable
            - disable
            description:
            - Enable/disable negation of input device match.
            type: str
          internet_service:
            choices:
            - enable
            - disable
            description:
            - Enable/disable use of Internet service for application-based load balancing.
            type: str
          internet_service_app_ctrl:
            description:
            - Application control based Internet Service ID list.
            elements: dict
            suboptions:
              id:
                description:
                - Application control based Internet Service ID.
                type: int
            type: list
          internet_service_app_ctrl_group:
            description:
            - Application control based Internet Service group list.
            elements: dict
            suboptions:
              name:
                description:
                - Application control based Internet Service group name. Source application.group.name.
                type: str
            type: list
          internet_service_ctrl:
            description:
            - Control-based Internet Service ID list.
            elements: dict
            suboptions:
              id:
                description:
                - Control-based Internet Service ID.
                type: int
            type: list
          internet_service_ctrl_group:
            description:
            - Control-based Internet Service group list.
            elements: dict
            suboptions:
              name:
                description:
                - Control-based Internet Service group name. Source application.group.name.
                type: str
            type: list
          internet_service_custom:
            description:
            - Custom Internet service name list.
            elements: dict
            suboptions:
              name:
                description:
                - Custom Internet service name. Source firewall.internet-service-custom.name.
                type: str
            type: list
          internet_service_custom_group:
            description:
            - Custom Internet Service group list.
            elements: dict
            suboptions:
              name:
                description:
                - Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
                type: str
            type: list
          internet_service_group:
            description:
            - Internet Service group list.
            elements: dict
            suboptions:
              name:
                description:
                - Internet Service group name. Source firewall.internet-service-group.name.
                type: str
            type: list
          internet_service_id:
            description:
            - Internet service ID list.
            elements: dict
            suboptions:
              id:
                description:
                - Internet service ID. Source firewall.internet-service.id.
                type: int
            type: list
          jitter_weight:
            description:
            - Coefficient of jitter in the formula of custom-profile-1.
            type: int
          latency_weight:
            description:
            - Coefficient of latency in the formula of custom-profile-1.
            type: int
          link_cost_factor:
            choices:
            - latency
            - jitter
            - packet-loss
            - inbandwidth
            - outbandwidth
            - bibandwidth
            - custom-profile-1
            description:
            - Link cost factor.
            type: str
          link_cost_threshold:
            description:
            - Percentage threshold change of link cost values that will result in policy
              route regeneration (0 - 10000000).
            type: int
          member:
            description:
            - Member sequence number. Source system.virtual-wan-link.members.seq-num.
            type: int
          mode:
            choices:
            - auto
            - manual
            - priority
            - sla
            - load-balance
            description:
            - Control how the priority rule sets the priority of interfaces in the SD-WAN.
            type: str
          name:
            description:
            - Priority rule name.
            type: str
          packet_loss_weight:
            description:
            - Coefficient of packet-loss in the formula of custom-profile-1.
            type: int
          priority_members:
            description:
            - Member sequence number list.
            elements: dict
            suboptions:
              seq_num:
                description:
                - Member sequence number. Source system.virtual-wan-link.members.seq-num.
                type: int
            type: list
          protocol:
            description:
            - Protocol number.
            type: int
          quality_link:
            description:
            - Quality grade.
            type: int
          role:
            choices:
            - standalone
            - primary
            - secondary
            description:
            - Service role to work with neighbor.
            type: str
          route_tag:
            description:
            - IPv4 route map route-tag.
            type: int
          sla:
            description:
            - Service level agreement (SLA).
            elements: dict
            suboptions:
              health_check:
                description:
                - Virtual WAN Link health-check. Source system.virtual-wan-link.health-check.name.
                type: str
              id:
                description:
                - SLA ID.
                type: int
            type: list
          sla_compare_method:
            choices:
            - order
            - number
            description:
            - Method to compare SLA value for sla and load balance mode.
            type: str
          src:
            description:
            - Source address name.
            elements: dict
            suboptions:
              name:
                description:
                - Address or address group name. Source firewall.address.name firewall.addrgrp.name.
                type: str
            type: list
          src6:
            description:
            - Source address6 name.
            elements: dict
            suboptions:
              name:
                description:
                - Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
                type: str
            type: list
          src_negate:
            choices:
            - enable
            - disable
            description:
            - Enable/disable negation of source address match.
            type: str
          standalone_action:
            choices:
            - enable
            - disable
            description:
            - Enable/disable service when selected neighbor role is standalone while service
              role is not standalone.
            type: str
          start_port:
            description:
            - Start destination port number.
            type: int
          status:
            choices:
            - enable
            - disable
            description:
            - Enable/disable SD-WAN service.
            type: str
          tos:
            description:
            - Type of service bit pattern.
            type: str
          tos_mask:
            description:
            - Type of service evaluated bits.
            type: str
          users:
            description:
            - User name.
            elements: dict
            suboptions:
              name:
                description:
                - User name. Source user.local.name.
                type: str
            type: list
        type: list
      status:
        choices:
        - disable
        - enable
        description:
        - Enable/disable SD-WAN.
        type: str
      zone:
        description:
        - Configure SD-WAN zones.
        elements: dict
        suboptions:
          name:
            description:
            - Zone name.
            type: str
        type: list
    type: dict

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str