I am trying to import the configuration of a device after adding it to FortiManager, but the import is not working correctly. The interface mapping is not being applied, which results in policies not importing properly. #100

Open
theja465 opened this issue Feb 4, 2025 · 1 comment


theja465 commented Feb 4, 2025

@FTNT-HQCM

After manually adding the device to FortiManager and importing the configuration, I see the following tasks in the Task Monitor:

Zone mapping search
Dependent objects search
Import objects
Mapping zone mapping search

However, when I perform the import using the specified module, I see only one task: "Import objects" in the Task Monitor.

Due to this, interface mapping is missing, and the firewall policies related to those interfaces are not imported properly from FortiGate to FortiManager.

I need assistance in verifying whether I am missing any steps before the import or if any modifications are required.

Also, I need to set the mapping type as "per device" instead of "per platform".

```yaml
- name: Import objects and policies for each VDOM
  fortinet.fortimanager.fmgr_securityconsole_import_dev_objs:
    workspace_locking_adom: "{{ adomain }}"
    workspace_locking_timeout: 300
    securityconsole_import_dev_objs:
      add_mappings: enable
      adom: "{{ adomain }}"
      dst_name: "{{ probed_device.meta.response_data.device.hostname }}_{{ vdom.name }}"
      dst_parent: "{{ probed_device.meta.response_data.device.hostname }}"
      if_all_objs: all
      if_all_policy: enable
      import_action: do
      name: "{{ probed_device.meta.response_data.device.hostname }}"
      position: bottom
      vdom: "{{ vdom.name }}"
```

@MaxxLiu22

Hi @theja465 ,

Thank you for your question. I have found that there are three options for import_action: policy_search, obj_search, and do. These correspond to Zone Mapping Search, Dependent Objects Search, and Import Objects functions, respectively.

To fully process these actions, you may need to run fmgr_securityconsole_import_dev_objs three times. Additionally, I recommend adding a task monitor between each execution to ensure that the next action runs only after the previous one is completed. Otherwise, Ansible may attempt to execute all tasks simultaneously, which could cause conflicts.

```yaml
  # Step 1: zone mapping search (import_action: policy_search)
  - name: Zone mapping search
    fortinet.fortimanager.fmgr_securityconsole_import_dev_objs:
      securityconsole_import_dev_objs:
        add_mappings: enable
        adom: "root"
        dst_name: "FGT-VM-asb"
        if_all_objs: all
        if_all_policy: enable
        import_action: policy_search
        name: "FGT-VM-103"
        position: bottom
        vdom: "root"
    register: zone_mapping
  # Poll the task until it reports 100%; fail if its state is 'error'
  - name: Get zone_mapping task status
    fortinet.fortimanager.fmgr_fact:
      facts:
        selector: "task_task"
        params:
          task: "{{ zone_mapping.meta.response_data.task }}"
    register: taskinfo
    until: taskinfo.meta.response_data.percent == 100
    retries: 30
    delay: 3
    failed_when: taskinfo.meta.response_data.state == 'error'
  # Step 2: dependent objects search (import_action: obj_search)
  - name: Dependent objects search
    fortinet.fortimanager.fmgr_securityconsole_import_dev_objs:
      securityconsole_import_dev_objs:
        add_mappings: enable
        adom: "root"
        dst_name: "FGT-VM-asb"
        if_all_objs: all
        if_all_policy: enable
        import_action: obj_search
        name: "FGT-VM-103"
        position: bottom
        vdom: "root"
    register: dependent_objs
  # Poll the task until it reports 100%; fail if its state is 'error'
  - name: Get dependent_objs task status
    fortinet.fortimanager.fmgr_fact:
      facts:
        selector: "task_task"
        params:
          task: "{{ dependent_objs.meta.response_data.task }}"
    register: taskinfo
    until: taskinfo.meta.response_data.percent == 100
    retries: 30
    delay: 3
    failed_when: taskinfo.meta.response_data.state == 'error'
  # Step 3: import objects (import_action: do)
  - name: Import objects
    fortinet.fortimanager.fmgr_securityconsole_import_dev_objs:
      securityconsole_import_dev_objs:
        add_mappings: enable
        adom: "root"
        dst_name: "FGT-VM-asb"
        if_all_objs: all
        if_all_policy: enable
        import_action: do
        name: "FGT-VM-103"
        position: bottom
        vdom: "root"
```

Let me know if that doesn't solve your question.
Thanks,
Maxx
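
The three-step sequence from the reply above, folded into one loop that also waits on the final `do` task. This is an added example, not part of the original comment or the project's own code. The file name `import_step.yml` and the `import_*` variable names are hypothetical, and it assumes the `do` action returns a task id in `meta.response_data.task` the same way the two search actions do.

```yaml
# --- In the playbook's task list ---
# Ansible cannot loop over a block, so each action runs through an included file.
- name: Run each import action in order and wait for its task
  ansible.builtin.include_tasks: import_step.yml   # hypothetical file name
  loop:
    - policy_search   # Zone mapping search
    - obj_search      # Dependent objects search
    - do              # Import objects
  loop_control:
    loop_var: import_step        # hypothetical variable name
  vars:
    import_adom: "root"          # sample values taken from the reply above
    import_device: "FGT-VM-103"
    import_vdom: "root"
    import_package: "FGT-VM-asb"

# --- import_step.yml (separate file, included once per action) ---
- name: "Run import_action {{ import_step }}"
  fortinet.fortimanager.fmgr_securityconsole_import_dev_objs:
    securityconsole_import_dev_objs:
      add_mappings: enable
      adom: "{{ import_adom }}"
      dst_name: "{{ import_package }}"
      if_all_objs: all
      if_all_policy: enable
      import_action: "{{ import_step }}"
      name: "{{ import_device }}"
      position: bottom
      vdom: "{{ import_vdom }}"
  register: import_result

# Same polling pattern as in the reply: the next action starts only after
# this task reports 100%, and the play fails if the task state is 'error'.
- name: "Wait for the {{ import_step }} task to finish"
  fortinet.fortimanager.fmgr_fact:
    facts:
      selector: "task_task"
      params:
        task: "{{ import_result.meta.response_data.task }}"
  register: taskinfo
  until: taskinfo.meta.response_data.percent == 100
  retries: 30
  delay: 3
  failed_when: taskinfo.meta.response_data.state == 'error'
```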
