fortios_system_ha – Configure HA in Fortinet’s FortiOS and FortiGate.

New in version 2.9.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and ha category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

  • access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • system_ha - Configure HA. type: dict
    • arps - Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce failover time. type: int
    • arps_interval - Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher to reduce traffic. type: int
    • authentication - Enable/disable heartbeat message authentication. type: str choices: enable, disable
    • cpu_threshold - Dynamic weighted load balancing CPU usage weight and high and low thresholds. type: str
    • encryption - Enable/disable heartbeat message encryption. type: str choices: enable, disable
    • ftp_proxy_threshold - Dynamic weighted load balancing weight and high and low number of FTP proxy sessions. type: str
    • gratuitous_arps - Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled. type: str choices: enable, disable
    • group_id - Cluster group ID (0 - 255). Must be the same for all members. type: int
    • group_name - Cluster group name. Must be the same for all members. type: str
    • ha_direct - Enable/disable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, FortiManager and FortiSandbox. type: str choices: enable, disable
    • ha_eth_type - HA heartbeat packet Ethertype (4-digit hex). type: str
    • ha_mgmt_interfaces - Reserve interfaces to manage individual cluster units. type: list
      • dst - Default route destination for reserved HA management interface. type: str
      • gateway - Default route gateway for reserved HA management interface. type: str
      • gateway6 - Default IPv6 gateway for reserved HA management interface. type: str
      • id - Table ID. type: int required: True
      • interface - Interface to reserve for HA management. Source system.interface.name. type: str
    • ha_mgmt_status - Enable to reserve interfaces to manage individual cluster units. type: str choices: enable, disable
    • ha_uptime_diff_margin - Normally you would only reduce this value for failover testing. type: int
    • hb_interval - Time between sending heartbeat packets (1 - 20 (100*ms)). Increase to reduce false positives. type: int
    • hb_lost_threshold - Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false positives. type: int
    • hbdev - Heartbeat interfaces. Must be the same for all members. type: str
    • hc_eth_type - Transparent mode HA heartbeat packet Ethertype (4-digit hex). type: str
    • hello_holddown - Time to wait before changing from hello to work state (5 - 300 sec). type: int
    • http_proxy_threshold - Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions. type: str
    • imap_proxy_threshold - Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions. type: str
    • inter_cluster_session_sync - Enable/disable synchronization of sessions among HA clusters. type: str choices: enable, disable
    • key - key type: str
    • l2ep_eth_type - Telnet session HA heartbeat packet Ethertype (4-digit hex). type: str
    • link_failed_signal - Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network. type: str choices: enable, disable
    • load_balance_all - Enable to load balance TCP sessions. Disable to load balance proxy sessions only. type: str choices: enable, disable
    • memory_compatible_mode - Enable/disable memory compatible mode. type: str choices: enable, disable
    • memory_threshold - Dynamic weighted load balancing memory usage weight and high and low thresholds. type: str
    • mode - HA mode. Must be the same for all members. FGSP requires standalone. type: str choices: standalone, a-a, a-p
    • monitor - Interfaces to check for port monitoring (or link failure). Source system.interface.name. type: str
    • multicast_ttl - HA multicast TTL on master (5 - 3600 sec). type: int
    • nntp_proxy_threshold - Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions. type: str
    • override - Enable and increase the priority of the unit that should always be primary (master). type: str choices: enable, disable
    • override_wait_time - Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. type: int
    • password - Cluster password. Must be the same for all members. type: str
    • pingserver_failover_threshold - Remote IP monitoring failover threshold (0 - 50). type: int
    • pingserver_flip_timeout - Time to wait in minutes before renegotiating after a remote IP monitoring failover. type: int
    • pingserver_monitor_interface - Interfaces to check for remote IP monitoring. Source system.interface.name. type: str
    • pingserver_slave_force_reset - Enable to force the cluster to negotiate after a remote IP monitoring failover. type: str choices: enable, disable
    • pop3_proxy_threshold - Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions. type: str
    • priority - Increase the priority to select the primary unit (0 - 255). type: int
    • route_hold - Time to wait between routing table updates to the cluster (0 - 3600 sec). type: int
    • route_ttl - TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes during failover. type: int
    • route_wait - Time to wait before sending new routes to the cluster (0 - 3600 sec). type: int
    • schedule - Type of A-A load balancing. Use none if you have external load balancers. type: str choices: none, hub, leastconnection, round-robin, weight-round-robin, random, ip, ipport
    • secondary_vcluster - Configure virtual cluster 2. type: dict
      • monitor - Interfaces to check for port monitoring (or link failure). Source system.interface.name. type: str
      • override - Enable and increase the priority of the unit that should always be primary (master). type: str choices: enable, disable
      • override_wait_time - Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. type: int
      • pingserver_failover_threshold - Remote IP monitoring failover threshold (0 - 50). type: int
      • pingserver_monitor_interface - Interfaces to check for remote IP monitoring. Source system.interface.name. type: str
      • pingserver_slave_force_reset - Enable to force the cluster to negotiate after a remote IP monitoring failover. type: str choices: enable, disable
      • priority - Increase the priority to select the primary unit (0 - 255). type: int
      • vcluster_id - Cluster ID. type: int
      • vdom - VDOMs in virtual cluster 2. type: str
    • session_pickup - Enable/disable session pickup. Enabling it can reduce session down time when fail over happens. type: str choices: enable, disable
    • session_pickup_connectionless - Enable/disable UDP and ICMP session sync for FGSP. type: str choices: enable, disable
    • session_pickup_delay - Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced. type: str choices: enable, disable
    • session_pickup_expectation - Enable/disable session helper expectation session sync for FGSP. type: str choices: enable, disable
    • session_pickup_nat - Enable/disable NAT session sync for FGSP. type: str choices: enable, disable
    • session_sync_dev - Offload session sync to one or more interfaces to distribute traffic and prevent delays if needed. Source system.interface.name. type: str
    • smtp_proxy_threshold - Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions. type: str
    • standalone_config_sync - Enable/disable FGSP configuration synchronization. type: str choices: enable, disable
    • standalone_mgmt_vdom - Enable/disable standalone management VDOM. type: str choices: enable, disable
    • sync_config - Enable/disable configuration synchronization. type: str choices: enable, disable
    • sync_packet_balance - Enable/disable HA packet distribution to multiple CPUs. type: str choices: enable, disable
    • unicast_hb - Enable/disable unicast heartbeat. type: str choices: enable, disable
    • unicast_hb_netmask - Unicast heartbeat netmask. type: str
    • unicast_hb_peerip - Unicast heartbeat peer IP. type: str
    • uninterruptible_upgrade - Enable to upgrade a cluster without blocking network traffic. type: str choices: enable, disable
    • vcluster_id - Cluster ID. type: int
    • vcluster2 - Enable/disable virtual cluster 2 for virtual clustering. type: str choices: enable, disable
    • vdom - VDOMs in virtual cluster 1. type: str
    • weight - Weight-round-robin weight for each cluster unit. Syntax . type: str

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure HA.
    fortios_system_ha:
      vdom:  "{{ vdom }}"
      system_ha:
        arps: "3"
        arps_interval: "4"
        authentication: "enable"
        cpu_threshold: "<your_own_value>"
        encryption: "enable"
        ftp_proxy_threshold: "<your_own_value>"
        gratuitous_arps: "enable"
        group_id: "10"
        group_name: "<your_own_value>"
        ha_direct: "enable"
        ha_eth_type: "<your_own_value>"
        ha_mgmt_interfaces:
         -
            dst: "<your_own_value>"
            gateway: "<your_own_value>"
            gateway6: "<your_own_value>"
            id:  "18"
            interface: "<your_own_value> (source system.interface.name)"
        ha_mgmt_status: "enable"
        ha_uptime_diff_margin: "21"
        hb_interval: "22"
        hb_lost_threshold: "23"
        hbdev: "<your_own_value>"
        hc_eth_type: "<your_own_value>"
        hello_holddown: "26"
        http_proxy_threshold: "<your_own_value>"
        imap_proxy_threshold: "<your_own_value>"
        inter_cluster_session_sync: "enable"
        key: "<your_own_value>"
        l2ep_eth_type: "<your_own_value>"
        link_failed_signal: "enable"
        load_balance_all: "enable"
        memory_compatible_mode: "enable"
        memory_threshold: "<your_own_value>"
        mode: "standalone"
        monitor: "<your_own_value> (source system.interface.name)"
        multicast_ttl: "38"
        nntp_proxy_threshold: "<your_own_value>"
        override: "enable"
        override_wait_time: "41"
        password: "<your_own_value>"
        pingserver_failover_threshold: "43"
        pingserver_flip_timeout: "44"
        pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
        pingserver_slave_force_reset: "enable"
        pop3_proxy_threshold: "<your_own_value>"
        priority: "48"
        route_hold: "49"
        route_ttl: "50"
        route_wait: "51"
        schedule: "none"
        secondary_vcluster:
            monitor: "<your_own_value> (source system.interface.name)"
            override: "enable"
            override_wait_time: "56"
            pingserver_failover_threshold: "57"
            pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
            pingserver_slave_force_reset: "enable"
            priority: "60"
            vcluster_id: "61"
            vdom: "<your_own_value>"
        session_pickup: "enable"
        session_pickup_connectionless: "enable"
        session_pickup_delay: "enable"
        session_pickup_expectation: "enable"
        session_pickup_nat: "enable"
        session_sync_dev: "<your_own_value> (source system.interface.name)"
        smtp_proxy_threshold: "<your_own_value>"
        standalone_config_sync: "enable"
        standalone_mgmt_vdom: "enable"
        sync_config: "enable"
        sync_packet_balance: "enable"
        unicast_hb: "enable"
        unicast_hb_netmask: "<your_own_value>"
        unicast_hb_peerip: "<your_own_value>"
        uninterruptible_upgrade: "enable"
        vcluster_id: "78"
        vcluster2: "enable"
        vdom: "<your_own_value>"
        weight: "<your_own_value>"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • build - Build number of the fortigate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.