:source: fortios_system_ha.py
:orphan:
.. fortios_system_ha:
fortios_system_ha -- Configure HA in Fortinet's FortiOS and FortiGate.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.. versionadded:: 2.0.0
.. contents::
:local:
:depth: 1
Synopsis
--------
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and ha category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
------------
The below requirements are needed on the host that executes this module.
- ansible>=2.16
Tips
----
Using member operation to add an element to an existing object.
FortiOS Version Compatibility
-----------------------------
Supported Version Ranges: v6.0.0 -> v7.6.6
Parameters
----------
.. raw:: html
access_token - Token-based authentication. Generated from GUI of Fortigate. type: strrequired: false
enable_log - Enable/Disable logging for task. type: boolrequired: falsedefault: False
vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: strdefault: root
member_path - Member attribute path to operate on. type: str
member_state - Add or delete a member under specified attribute path. type: strchoices: present, absent
auto_virtual_mac_interface - The physical interface that will be assigned an auto-generated virtual MAC address. type: listmember_path: auto_virtual_mac_interface:interface_name more...
backup_hbdev - Backup heartbeat interfaces. Must be the same for all members. type: listmember_path: backup_hbdev:name more...
Supported Version Ranges
backup_hbdev
v7.6.0 -> 7.6.6
name - Interface name. Source system.interface.name. type: strrequired: true more...
Supported Version Ranges
name
v7.6.0 -> 7.6.6
bounce_intf_upon_failover - Enable/disable notification of kernel to bring down and up all monitored interfaces. The setting is used during failovers if gratuitous ARPs do not update the network. type: strchoices: enable, disable more...
Supported Version Ranges
bounce_intf_upon_failover
v7.6.4 -> 7.6.6
[enable]
v7.6.4 -> 7.6.6
[disable]
v7.6.4 -> 7.6.6
check_secondary_dev_health - Enable/disable secondary dev health check for session load-balance in HA A-A mode. type: strchoices: enable, disable more...
Supported Version Ranges
check_secondary_dev_health
v7.6.0 -> 7.6.6
[enable]
v7.6.0 -> 7.6.6
[disable]
v7.6.0 -> 7.6.6
cpu_threshold - Dynamic weighted load balancing CPU usage weight and high and low thresholds. type: str more...
dst - Default route destination for reserved HA management interface. type: str more...
Supported Version Ranges
dst
v6.0.0 -> 7.6.6
dst6 - Default IPv6 destination for reserved HA management interface. type: str more...
Supported Version Ranges
dst6
v7.6.3 -> 7.6.6
gateway - Default route gateway for reserved HA management interface. type: str more...
Supported Version Ranges
gateway
v6.0.0 -> 7.6.6
gateway6 - Default IPv6 gateway for reserved HA management interface. type: str more...
Supported Version Ranges
gateway6
v6.0.0 -> 7.6.6
id - Table ID. see Notes. type: intrequired: true more...
Supported Version Ranges
id
v6.0.0 -> 7.6.6
interface - Interface to reserve for HA management. Source system.interface.name. type: str more...
Supported Version Ranges
interface
v6.0.0 -> 7.6.6
ha_mgmt_status - Enable to reserve interfaces to manage individual cluster units. type: strchoices: enable, disable more...
Supported Version Ranges
ha_mgmt_status
v6.0.0 -> 7.6.6
[enable]
v6.0.0 -> 7.6.6
[disable]
v6.0.0 -> 7.6.6
ha_uptime_diff_margin - Normally you would only reduce this value for failover testing. type: int more...
Supported Version Ranges
ha_uptime_diff_margin
v6.0.0 -> 7.6.6
hb_interval - Time between sending heartbeat packets (1 - 20). Increase to reduce false positives. type: int more...
Supported Version Ranges
hb_interval
v6.0.0 -> 7.6.6
hb_interval_in_milliseconds - Units of heartbeat interval time between sending heartbeat packets. Default is 100ms. type: strchoices: 100ms, 10ms more...
Supported Version Ranges
hb_interval_in_milliseconds
v7.0.0 -> 7.6.6
[100ms]
v7.0.0 -> 7.6.6
[10ms]
v7.0.0 -> 7.6.6
hb_lost_threshold - Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false positives. type: int more...
Supported Version Ranges
hb_lost_threshold
v6.0.0 -> 7.6.6
hbdev - Heartbeat interfaces. Must be the same for all members. type: list
link_failed_signal - Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network. type: strchoices: enable, disable more...
Supported Version Ranges
link_failed_signal
v6.0.0 -> 7.6.6
[enable]
v6.0.0 -> 7.6.6
[disable]
v6.0.0 -> 7.6.6
load_balance_all - Enable to load balance TCP sessions. Disable to load balance proxy sessions only. type: strchoices: enable, disable more...
Supported Version Ranges
load_balance_all
v6.0.0 -> 7.6.6
[enable]
v6.0.0 -> 7.6.6
[disable]
v6.0.0 -> 7.6.6
logical_sn - Enable/disable usage of the logical serial number. type: strchoices: enable, disable more...
memory_failover_flip_timeout - Time to wait between subsequent memory based failovers in minutes (6 - 2147483647). type: int more...
Supported Version Ranges
memory_failover_flip_timeout
v7.0.0 -> 7.6.6
memory_failover_monitor_period - Duration of high memory usage before memory based failover is triggered in seconds (1 - 300). type: int more...
Supported Version Ranges
memory_failover_monitor_period
v7.0.0 -> 7.6.6
memory_failover_sample_rate - Rate at which memory usage is sampled in order to measure memory usage in seconds (1 - 60). type: int more...
Supported Version Ranges
memory_failover_sample_rate
v7.0.0 -> 7.6.6
memory_failover_threshold - Memory usage threshold to trigger memory based failover (0 means using conserve mode threshold in system.global). type: int more...
Supported Version Ranges
memory_failover_threshold
v7.0.0 -> 7.6.6
memory_threshold - Dynamic weighted load balancing memory usage weight and high and low thresholds. type: str more...
Supported Version Ranges
memory_threshold
v6.0.0 -> 7.6.6
mode - HA mode. Must be the same for all members. FGSP requires standalone. type: strchoices: standalone, a-a, a-p more...
Supported Version Ranges
mode
v6.0.0 -> 7.6.6
[standalone]
v6.0.0 -> 7.6.6
[a-a]
v6.0.0 -> 7.6.6
[a-p]
v6.0.0 -> 7.6.6
monitor - Interfaces to check for port monitoring (or link failure). Source system.interface.name. type: list
multicast_ttl - HA multicast TTL on primary (5 - 3600 sec). type: int more...
Supported Version Ranges
multicast_ttl
v6.0.0 -> 7.6.6
nntp_proxy_threshold - Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions. type: str more...
Supported Version Ranges
nntp_proxy_threshold
v6.0.0 -> 7.6.6
override - Enable and increase the priority of the unit that should always be primary (master). type: strchoices: enable, disable more...
Supported Version Ranges
override
v6.0.0 -> 7.6.6
[enable]
v6.0.0 -> 7.6.6
[disable]
v6.0.0 -> 7.6.6
override_wait_time - Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. type: int more...
Supported Version Ranges
override_wait_time
v6.0.0 -> 7.6.6
password - Cluster password. Must be the same for all members. type: str more...
Supported Version Ranges
password
v6.0.0 -> 7.6.6
pingserver_failover_threshold - Remote IP monitoring failover threshold (0 - 50). type: int more...
Supported Version Ranges
pingserver_failover_threshold
v6.0.0 -> 7.6.6
pingserver_flip_timeout - Time to wait in minutes before renegotiating after a remote IP monitoring failover. type: int more...
Supported Version Ranges
pingserver_flip_timeout
v6.0.0 -> 7.6.6
pingserver_monitor_interface - Interfaces to check for remote IP monitoring. Source system.interface.name. type: list
pingserver_secondary_force_reset - Enable to force the cluster to negotiate after a remote IP monitoring failover. type: strchoices: enable, disable more...
Supported Version Ranges
pingserver_secondary_force_reset
v6.4.4 -> v7.0.12
v7.2.1 -> 7.6.6
[enable]
v6.4.4 -> v7.0.12
[disable]
v6.4.4 -> v7.0.12
pingserver_slave_force_reset - Enable to force the cluster to negotiate after a remote IP monitoring failover. type: strchoices: enable, disable more...
Supported Version Ranges
pingserver_slave_force_reset
v6.0.0 -> v6.4.1
v7.2.0 -> v7.2.0
[enable]
v6.0.0 -> v6.4.1
[disable]
v6.0.0 -> v6.4.1
pop3_proxy_threshold - Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions. type: str more...
Supported Version Ranges
pop3_proxy_threshold
v6.0.0 -> 7.6.6
priority - Increase the priority to select the primary unit (0 - 255). type: int more...
Supported Version Ranges
priority
v6.0.0 -> 7.6.6
route_hold - Time to wait between routing table updates to the cluster (0 - 3600 sec). type: int more...
Supported Version Ranges
route_hold
v6.0.0 -> 7.6.6
route_ttl - TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes during failover. type: int more...
Supported Version Ranges
route_ttl
v6.0.0 -> 7.6.6
route_wait - Time to wait before sending new routes to the cluster (0 - 3600 sec). type: int more...
Supported Version Ranges
route_wait
v6.0.0 -> 7.6.6
schedule - Type of A-A load balancing. Use none if you have external load balancers. type: strchoices: none, leastconnection, round-robin, weight-round-robin, random, ip, ipport, hub more...
monitor - Interfaces to check for port monitoring (or link failure). Source system.interface.name. type: list
override - Enable and increase the priority of the unit that should always be primary. type: strchoices: enable, disable more...
Supported Version Ranges
override
v6.0.0 -> v7.0.12
[enable]
v6.0.0 -> v7.0.12
[disable]
v6.0.0 -> v7.0.12
override_wait_time - Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. type: int more...
Supported Version Ranges
override_wait_time
v6.0.0 -> v7.0.12
pingserver_failover_threshold - Remote IP monitoring failover threshold (0 - 50). type: int more...
Supported Version Ranges
pingserver_failover_threshold
v6.0.0 -> v7.0.12
pingserver_monitor_interface - Interfaces to check for remote IP monitoring. Source system.interface.name. type: list
pingserver_secondary_force_reset - Enable to force the cluster to negotiate after a remote IP monitoring failover. type: strchoices: enable, disable more...
Supported Version Ranges
pingserver_secondary_force_reset
v6.4.4 -> v7.0.12
[enable]
v6.4.4 -> v7.0.12
[disable]
v6.4.4 -> v7.0.12
pingserver_slave_force_reset - Enable to force the cluster to negotiate after a remote IP monitoring failover. type: strchoices: enable, disable more...
Supported Version Ranges
pingserver_slave_force_reset
v6.0.0 -> v6.4.1
[enable]
v6.0.0 -> v6.4.1
[disable]
v6.0.0 -> v6.4.1
priority - Increase the priority to select the primary unit (0 - 255). type: int more...
vdom - VDOMs in virtual cluster 2. type: str more...
Supported Version Ranges
vdom
v6.0.0 -> v7.0.12
session_pickup - Enable/disable session pickup. Enabling it can reduce session down time when fail over happens. type: strchoices: enable, disable more...
session_pickup_delay - Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced. type: strchoices: enable, disable more...
session_sync_dev - Offload session-sync process to kernel and sync sessions using connected interface(s) directly. Source system.interface.name. type: list
smtp_proxy_threshold - Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions. type: str more...
Supported Version Ranges
smtp_proxy_threshold
v6.0.0 -> 7.6.6
ssd_failover - Enable/disable automatic HA failover on SSD disk failure. type: strchoices: enable, disable more...
uninterruptible_primary_wait - Number of minutes the primary HA unit waits before the secondary HA unit is considered upgraded and the system is started before starting its own upgrade (15 - 300). type: int more...
Supported Version Ranges
uninterruptible_primary_wait
v7.0.2 -> 7.6.6
uninterruptible_upgrade - Enable to upgrade a cluster without blocking network traffic. type: strchoices: enable, disable more...
Supported Version Ranges
uninterruptible_upgrade
v6.0.0 -> v7.4.0
[enable]
v6.0.0 -> v7.4.0
[disable]
v6.0.0 -> v7.4.0
upgrade_mode - The mode to upgrade a cluster. type: strchoices: simultaneous, uninterruptible, local-only, secondary-only more...
monitor - Interfaces to check for port monitoring (or link failure). Source system.interface.name. type: list
override - Enable and increase the priority of the unit that should always be primary (master). type: strchoices: enable, disable more...
Supported Version Ranges
override
v7.2.0 -> 7.6.6
[enable]
v7.2.0 -> 7.6.6
[disable]
v7.2.0 -> 7.6.6
override_wait_time - Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. type: int more...
Supported Version Ranges
override_wait_time
v7.2.0 -> 7.6.6
pingserver_failover_threshold - Remote IP monitoring failover threshold (0 - 50). type: int more...
Supported Version Ranges
pingserver_failover_threshold
v7.2.0 -> 7.6.6
pingserver_flip_timeout - Time to wait in minutes before renegotiating after a remote IP monitoring failover. type: int more...
Supported Version Ranges
pingserver_flip_timeout
v7.4.2 -> 7.6.6
pingserver_monitor_interface - Interfaces to check for remote IP monitoring. Source system.interface.name. type: list
pingserver_secondary_force_reset - Enable to force the cluster to negotiate after a remote IP monitoring failover. type: strchoices: enable, disable more...
Supported Version Ranges
pingserver_secondary_force_reset
v7.2.1 -> 7.6.6
[enable]
v7.2.1 -> 7.6.6
[disable]
v7.2.1 -> 7.6.6
pingserver_slave_force_reset - Enable to force the cluster to negotiate after a remote IP monitoring failover. type: strchoices: enable, disable more...
Supported Version Ranges
pingserver_slave_force_reset
v7.2.0 -> v7.2.0
[enable]
v7.2.0 -> v7.2.0
[disable]
v7.2.0 -> v7.2.0
priority - Increase the priority to select the primary unit (0 - 255). type: int more...
Supported Version Ranges
priority
v7.2.0 -> 7.6.6
vcluster_id - ID. see Notes. type: intrequired: true more...
Supported Version Ranges
vcluster_id
v7.2.0 -> 7.6.6
vdom - Virtual domain(s) in the virtual cluster. type: listmember_path: vcluster:vcluster_id/vdom:name more...
build - Build number of the fortigate image returned: alwaystype: strsample: 1547
http_method - Last method used to provision the content into FortiGate returned: alwaystype: strsample: PUT
http_status - Last result given by FortiGate on last operation applied returned: alwaystype: strsample: 200
mkey - Master key (id) used in the last call to FortiGate returned: successtype: strsample: id
name - Name of the table used to fulfill the request returned: alwaystype: strsample: urlfilter
path - Path of the table used to fulfill the request returned: alwaystype: strsample: webfilter
revision - Internal revision number returned: alwaystype: strsample: 17.0.2.10658
serial - Serial number of the unit returned: alwaystype: strsample: FGVMEVYYQT3AB5352
status - Indication of the operation's result returned: alwaystype: strsample: success
vdom - Virtual domain used returned: alwaystype: strsample: root
version - Version of the FortiGate returned: alwaystype: strsample: v5.6.3
Status
------
- This module is not guaranteed to have a backwards compatible interface.
Authors
-------
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
.. hint::
If you notice any issues in this documentation, you can create a pull request to improve it.