0
votes

I use Fortinet for firewall automation, but I get the error "Error reading running config". I already followed this website: https://github.com/ansible/ansible/issues/33392

But I did not find any solution. Please tell me what I am doing wrong?

  • Ansible version: 2.7.0
  • Python version: 2.7.5
  • Fortinet: 60E
  • FortiOS version: 6.0.2

Here is what I am trying: FortiOS.yml playbook:

---
- name: FortiOS Firewall Settings
  hosts: fortiFW
  connection: local
  vars_files:
  - /etc/ansible/vars/FortiOS_Settings_vars.yml
  tasks:
    - name: Backup current config
      fortios_config:
        host: 192.168.1.99
        username: admin
        password: Password@123
        backup: yes
        backup_path: /etc/ansible/forti_backup

Here is what I get as error:

ok: [192.168.1.99]
META: ran handlers
Read vars_file '/etc/ansible/vars/FortiOS_Settings_vars.yml'

TASK [Backup current config] ****************************************************************************************************************************************************************************************************************
task path: /etc/ansible/FortiOS_Settings_test.yml:8
<192.168.1.99> ESTABLISH LOCAL CONNECTION FOR USER: root
<192.168.1.99> EXEC /bin/sh -c 'echo ~root && sleep 0'
<192.168.1.99> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /root/.ansible/tmp/ansible-tmp-1539674386.05-16470854685226" && echo ansible-tmp-1539674386.05-16470854685226="echo /root/.ansible/tmp/ansible-tmp-1539674386.05-16470854685226" ) && sleep 0'
Using module file /usr/lib/python2.7/site-packages/ansible/modules/network/fortios/fortios_config.py
<192.168.1.99> PUT /root/.ansible/tmp/ansible-local-6154Uq5Dmw/tmpt6JukB TO /root/.ansible/tmp/ansible-tmp-1539674386.05-16470854685226/AnsiballZ_fortios_config.py
<192.168.1.99> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1539674386.05-16470854685226/ /root/.ansible/tmp/ansible-tmp-1539674386.05-16470854685226/AnsiballZ_fortios_config.py && sleep 0'
<192.168.1.99> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1539674386.05-16470854685226/AnsiballZ_fortios_config.py && sleep 0'
<192.168.1.99> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1539674386.05-16470854685226/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
WARNING: The below traceback may not be related to the actual failure.
  File "/tmp/ansible_fortios_config_payload_b6IQmy/main.py", line 132, in main
    f.load_config(path=module.params['filter'])
  File "/usr/lib/python2.7/site-packages/pyFG/fortios.py", line 212, in load_config
    config_text = self.execute_command(command)
  File "/usr/lib/python2.7/site-packages/pyFG/fortios.py", line 154, in execute_command
    output = output + self._read_wrapper(o)
  File "/usr/lib/python2.7/site-packages/pyFG/fortios.py", line 120, in _read_wrapper
    return py23_compat.text_type(data)

fatal: [192.168.1.99]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "backup": true,
            "backup_filename": null,
            "backup_path": "/etc/ansible/forti_backup",
            "config_file": null,
            "file_mode": false,
            "filter": "",
            "host": "192.168.1.99",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "src": null,
            "timeout": 60,
            "username": "admin",
            "vdom": null
        }
    },
    "msg": "Error reading running config"
}


1 Answer

1
votes

When working with this module, I had the same issue. I looked into the source code of the module and found that this error occurs when filter is set to "" -> empty string. You can get facts about the device when changing filter to something like "firewall address". But then you will only get back the options from exactly that, as if you had typed "show firewall address" on the CLI of the device. I'm currently working on a solution to use Ansible for FortiGate automation, but it's not looking good. E.g. FortiGates additionally do not support Netconf, so you can't use Netconf to send commands to the device. So therefore, you're not doing anything wrong, but the module is either not optimized, or I guessed that maybe the full-configuration is too big to be read by the module, so that you have to use the filter option to shrink it.
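
The filter workaround from the answer above, written out as a playbook. This is an added example, not code from either post or from the module's authors: it backs up one config section per run of fortios_config instead of requesting the whole running config, and reads the credentials from variables instead of hardcoding them. It uses only module parameters that appear in the module_args output above; the variable names fortios_user and fortios_password, the backup_sections list (other than "firewall address") and the file-naming scheme are assumptions.

```yaml
---
# Added example: per-section backups using the "filter" workaround.
- name: FortiOS per-section config backup
  hosts: fortiFW
  connection: local
  gather_facts: no
  vars_files:
    # Assumption: this file is encrypted with ansible-vault and defines
    # fortios_user and fortios_password (hypothetical variable names).
    - /etc/ansible/vars/FortiOS_Settings_vars.yml
  vars:
    # Each entry is passed as "filter", i.e. what "show <section>" prints
    # on the device CLI. "firewall address" comes from the answer; the
    # other two entries are illustrative.
    backup_sections:
      - firewall address
      - firewall policy
      - system interface
  tasks:
    - name: Backup one config section at a time
      fortios_config:
        host: 192.168.1.99
        username: "{{ fortios_user }}"
        password: "{{ fortios_password }}"
        filter: "{{ item }}"
        backup: yes
        backup_path: /etc/ansible/forti_backup
        backup_filename: "{{ item | replace(' ', '_') }}.conf"
      loop: "{{ backup_sections }}"

    - name: Check that each backup file was written and is not empty
      stat:
        path: "/etc/ansible/forti_backup/{{ item | replace(' ', '_') }}.conf"
      loop: "{{ backup_sections }}"
      register: backup_file
      failed_when: not backup_file.stat.exists or backup_file.stat.size == 0
```

Run it with `ansible-playbook --ask-vault-pass` so the vaulted variables file can be decrypted.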