Fortinet - Getting rid of configuration task lists (ipspace#2864)

Author: sdargoeuves

docs/caveats.md

@@ -291,13 +291,12 @@ Netlab enables VRRPv3 by default on Dell OS10, overriding any platform defaults.
 * You have to build the *dnsmasq* container image with the **netlab clab build dnsmasq** command.
 
 (caveats-fortios)=
-## Fortinet FortiOS 6.x/7.0
+## Fortinet FortiOS 
 
-* FortiOS VM images have a default 15-day evaluation license. The VM has [limited capabilities](https://docs.fortinet.com/document/fortigate-private-cloud/7.2.0/kvm-administration-guide/504166/fortigate-vm-evaluation-license) without a license file. It will work for 15 days from the first boot, at which point you must install a license file or recreate the vagrant box completely from scratch.
-* The 15-day evaluation license only allows one single VDOM. Using the **netlab_vdom** node parameter will fail when using the built-in 15-day license.
-* _netlab_ configures Fortinet devices with API calls using username/password authentication. The last FortiGate images known to work with that restriction are software releases 7.0.x and 7.2.0. Later releases block API calls without a permanent evaluation license and require token-based authentication once API starts to work.
 * Use a recent version of Ansible and **fortinet.fortios** Ansible Galaxy collection (version 2.3.6 or later)
-* To troubleshoot API authentication, log into the FortiOS VM with **netlab connect** or **vagrant ssh** and enable HTTP debugging with the following commands:
+* _netlab_ tries to configure Fortinet devices with configuration scripts uploaded through the FortiOS Monitor API calls using username/password authentication.
+* If the API call fails, _netlab_ tries to push the configuration to a Fortinet device through a regular SSH session. Use **netlab initial -vvv --limit _fw_device_** to troubleshoot the configuration download (Ansible displays full contents of the SSH session at this level of verbosity).
+* To troubleshoot API authentication, log into the FortiOS VM with **netlab connect** and enable HTTP debugging with the following commands:
 
 ```
 diag debug enable
@@ -309,19 +308,19 @@ diag debug application httpsd -1
 * We're not testing Fortinet implementation as part of the regular integration tests; the configuration scripts might be outdated. If you encounter a problem, please open an issue.
 ```
 
-## Fortinet FortiOS 7.4.x/7.6.x
+### Fortinet FortiOS 6.x/7.0
+
+* FortiOS VM images have a default 15-day evaluation license. The VM has [limited capabilities](https://docs.fortinet.com/document/fortigate-private-cloud/7.2.0/kvm-administration-guide/504166/fortigate-vm-evaluation-license) without a license file. It will work for 15 days from the first boot, at which point you must install a license file or recreate the vagrant box completely from scratch.
+* The 15-day evaluation license only allows one single VDOM. Using the **netlab_vdom** node parameter will fail when using the built-in 15-day license.
+
+### Fortinet FortiOS 7.4.x/7.6.x
 
 * Starting from FortiOS 7.2, FortiGate devices do not come with a license out of the box. Users can link *one* device with a permanent evaluation license to an account on the Fortinet support portal.
 * The license needs to be added before creating the Vagrant box.
 * There are restrictions associated with the evaluation license, including a maximum of three interfaces, firewall policies, and routes... For more detailed information, refer to the [evaluation license restrictions](https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/441460).
 * The license is linked to the serial number of the device and the UUID. To ensure that the serial number remains consistent each time you start the lab, set the `libvirt.uuid` (or `clab.env.FORTIGATE_UUID`) node parameter to the appropriate value.
-* MTU can be defined on the interface level, default is forced to 1500 bytes due to a different behaviour between `7.4.8` and `7.6.3` releases.
-* If you want to use a multi-vdom configuration, you just need to set the `netlab_vdom: <name>` in the node data. `root` vdom will be used as the management with interface `port1`, everything else will be configured in the specified traffic vdom. Default is `netlab_vdom: root` vdom in a no-vdom configuration.
-
-### OSPF Caveats
-
-* Fortinet implementation of OSPF configuration module does not implement per-interface OSPF areas. All interfaces belong to the OSPF area defined in the node data.
-* Fortinet configuration templates set OSPF network type based on number of neighbors, not based on **ospf.network_type** link/interface parameter.
+* MTU can be defined on the interface level, the default is forced to 1500 bytes due to a different behaviour between `7.4.8` and `7.6.3` releases.
+* If you want to use a multi-vdom configuration, you just need to set the `netlab_vdom: <name>` in the node data. `root` vdom will be used as the management with interface `port1`, and everything else will be configured in the specified traffic vdom. Default is `netlab_vdom: root` vdom in a no-vdom configuration.
 
 (caveats-frr)=
 ## FRRouting

docs/platforms.md

@@ -187,7 +187,7 @@ Ansible playbooks included with **netlab** can deploy and collect device configu
 | Cisco Nexus OS        | ✅ | ✅ |
 | Cumulus Linux         | ✅ | ✅ |
 | Dell OS10             | ✅ | ✅ | ✅ |
-| Fortinet FortiOS      | ✅ | ❌  |
+| Fortinet FortiOS      | ✅ | ✅ |
 | FRR                   |  ✅[❗](caveats-frr)  | ✅[❗](caveats-frr) |
 | Generic Linux         | ✅ | ❌  |
 | Junos[^Junos]         | ✅ | ✅ |

netsim/ansible/tasks/deploy-config/fortinet.fortios.fortios.yml

@@ -0,0 +1,20 @@
+- block:
+  - name: "fortios_monitor: deploying {{ netsim_action }} from {{ config_template }}"
+    fortinet.fortios.fortios_monitor:
+      selector: upload.system.config-script
+      params:
+        filename: set_initial_config
+        file_content: "{{ lookup('template', config_template) | b64encode }}"
+    tags: [ print_action, always ]
+  rescue:
+  - name: "FortiOS CLI: deploying {{ netsim_action }} from {{ config_template }}"
+    delegate_to: localhost
+    ansible.builtin.expect:
+      command: >-
+        sshpass -p '{{ ansible_ssh_pass }}'
+        ssh -o UserKnownHostsFile=/dev/null
+            -o StrictHostKeyChecking=no
+            {{ ansible_user }}@{{ ansible_host }}
+      responses:
+        '.*#': "{{ lookup('template', config_template) }}\nexit\n"
+    tags: [ print_action, always ]

netsim/ansible/tasks/fortinet.fortios.fortios/initial.yml

@@ -51,88 +51,5 @@
       name: "{{ netlab_vdom }}"
   when: netlab_vdom_is_enabled
 
-- name: Configure global attributes
-  fortinet.fortios.fortios_system_global:
-    vdom: "{{ netlab_vdom }}"
-    system_global:
-      hostname: '{{ inventory_hostname.replace("_","-") }}'
-
-- name: Turn off LLDP on management interface
-  fortinet.fortios.fortios_system_interface:
-    vdom: "{{ vdom }}"
-    state: "present"
-    system_interface:
-      interface: "{{ mgmt_if }}"
-      lldp_reception: "disable"
-      lldp_transmission: "disable"
-      name: "{{ mgmt_if }}"
-
-- name: Configure loopback interface
-  fortinet.fortios.fortios_system_interface:
-    vdom: "{{ netlab_vdom }}"
-    state: "present"
-    system_interface:
-      interface: "loopback0"
-      ip: "{{ loopback.ipv4 | default(omit) }}"
-      name: "loopback0"
-      type: "loopback"
-      vdom: "{{ netlab_vdom }}"
-      allowaccess: "ping"
-  when: loopback is defined
-
-- name: Configure loopback ipv6 address
-  fortinet.fortios.fortios_system_interface:
-    vdom: "{{ netlab_vdom }}"
-    state: "present"
-    system_interface:
-      interface: "loopback0"
-      ipv6:
-        ip6_address: "{{ loopback.ipv6 }}"
-        ip6_mode: "static"
-      name: "loopback0"
-      vdom: "{{ netlab_vdom }}"
-  when: loopback.ipv6 is defined
-
-- name: Configure physical interfaces
-  fortinet.fortios.fortios_system_interface:
-    vdom: "{{ netlab_vdom }}"
-    state: "present"
-    system_interface:
-      alias: '{{ interface.name.replace(">","-") | default(omit) }}'
-      estimated_upstream_bandwidth: "{{ interface.bandwidth | default(omit) }}"
-      estimated_downstream_bandwidth: "{{ interface.bandwidth | default(omit) }}"
-      interface: "{{ interface.ifname }}"
-      ip: "{{ interface.ipv4 | default(omit) }}"
-      lldp_reception: "enable"
-      lldp_transmission: "enable"
-      mode: "static"
-      mtu: "{{ interface.mtu | default(mtu) }}"
-      mtu_override: "enable"
-      name: "{{ interface.ifname }}"
-      macaddr: "52:dc:ca:fe:{{ id }}:{{ interface.ifindex }}"
-      type: "physical"
-      vdom: "{{ netlab_vdom }}"
-      allowaccess: "ping"
-  with_items: "{{ interfaces }}"
-  when: interface.ifname != "{{ mgmt_if }}"
-  loop_control:
-    loop_var: interface
-
-- name: Configure interface ipv6 addresses
-  fortinet.fortios.fortios_system_interface:
-    vdom: "{{ netlab_vdom }}"
-    state: "present"
-    system_interface:
-      interface: "{{ interface.ifname }}"
-      ipv6:
-        ip6_address: "{{ interface.ipv6 }}"
-        ip6_mode: "static"
-        ip6_allowaccess: "ping"
-        ip6_send_adv: "enable"
-        ra_send_mtu: "enable"
-      name: "{{ interface.ifname }}"
-      vdom: "{{ netlab_vdom }}"
-  with_items: "{{ interfaces }}"
-  when: interface.ipv6 is defined
-  loop_control:
-    loop_var: interface
+- name: Deploy initial configuration from template
+  include_tasks: tasks/deploy-config/fortinet.fortios.fortios.yml

netsim/ansible/tasks/fortinet.fortios.fortios/ospf.yml

@@ -0,0 +1,71 @@
+{% set vdom_traffic = netlab_vdom|default(vdom) %}
+{% set multi_vdom = vdom_traffic != vdom %}
+
+{% if multi_vdom %}
+config global
+{% endif %}
+config system global
+    set hostname {{ inventory_hostname.replace("_","-") }}
+end
+
+config system interface
+    edit "{{ mgmt_if }}"
+        set vdom "{{ vdom }}"
+        set lldp-transmission disable
+        set lldp-reception disable
+        set allowaccess ping https ssh http fgfm
+    next
+{%  if loopback is defined %}
+    edit "{{ loopback.ifname }}"
+        set vdom "{{ vdom_traffic }}"
+        set status up
+        set type loopback
+{%      if loopback.ipv4 is defined %}
+        set ip {{ loopback.ipv4 }}
+        set allowaccess ping https ssh http fgfm
+{%      endif %}
+{%      if loopback.ipv6 is defined %}
+        config ipv6
+            set ip6-address {{ loopback.ipv6|upper }}
+            set ip6-mode static
+            set ip6-allowaccess ping https ssh http fgfm
+        end
+{%      endif %}
+    next
+{%  endif %}
+{%  for interface in interfaces %}
+{%  if interface.ifname != mgmt_if %}
+    edit "{{ interface.ifname }}"
+        set vdom "{{ vdom_traffic }}"
+        set status up
+        set lldp-reception enable
+        set lldp-transmission enable
+        set allowaccess ping
+#        set macaddr "52:dc:ca:fe:{{ id }}:{{ interface.ifindex }}"
+        set mode static
+{%      if interface.ipv4 is defined %}
+        set ip {{ interface.ipv4 }}
+{%      endif %}
+{%      if interface.mtu is defined %}
+        set mtu-override enable
+        set mtu {{ interface.mtu }}
+{%      elif mtu is defined %}
+        set mtu-override enable
+        set mtu {{ mtu }}
+{%      endif %}
+{%      if interface.ipv6 is defined %}
+        config ipv6
+            set ip6-address {{ interface.ipv6|upper }}
+            set ip6-mode static
+            set ip6-allowaccess ping
+            set ip6-send-adv enable
+        end
+{%      endif %}
+    next
+{%  endif %}
+{%  endfor %}
+end
+
+{% if multi_vdom %}
+end
+{% endif %}

netsim/ansible/templates/initial/fortinet.fortios.fortios.j2

@@ -1,41 +1,68 @@
-{% macro ospf_intf(intf) %}
-- name: {{ intf.ifname }}
-  interface: {{ intf.ifname }}
-{%   if intf.ospf.network_type|default('') == 'point-to-point' %}
-  network_type: "point-to-point"
-{%   endif %}
-{%   if intf.ospf.cost is defined %}
-  cost: {{ intf.ospf.cost }}
-{%   endif %}
-{% endmacro %}
----
-router_id: "{{ ospf.router_id }}"
-{% if ospf.reference_bandwidth is defined %}
-auto_cost_ref_bandwidth: "{{ ospf.reference_bandwidth }}"
+{% set vdom_traffic = netlab_vdom|default(vdom) %}
+{% set multi_vdom = vdom_traffic != vdom %}
+
+{% if multi_vdom %}
+config vdom
+    edit {{ vdom_traffic }}
 {% endif %}
 
-{% for intf in netlab_interfaces if 'ospf' in intf and not ospf.passive|default(False) %}
-{%   if loop.first %}
-ospf_interface:
-{%   endif %}
-{{     ospf_intf(intf) }}
-{% endfor %}
+config router ospf
+    set router-id {{ ospf.router_id }}
+{%  if ospf.reference_bandwidth is defined %}
+    set auto-cost-ref-bandwidth {{ ospf.reference_bandwidth }}
+{%  endif %}
+{%  set passive_intfs = netlab_interfaces|selectattr('ospf', 'defined')|selectattr('ospf.passive', 'defined')|selectattr('ospf.passive')|map(attribute='ifname')|list %}
+{%  if passive_intfs|length > 0 %}
+    set passive-interface {{ passive_intfs|join(' ') }}
+{%  endif %}
+{%  if netlab_interfaces|selectattr('ospf', 'defined')|list|length > 0 %}
+
+    config ospf-interface
+{%  for intf in netlab_interfaces if 'ospf' in intf %}
+        edit "{{ intf.ifname }}"
+            set interface "{{ intf.ifname }}"
+{%          if intf.ospf.network_type is defined %}
+            set network-type {{ intf.ospf.network_type }}
+{%          endif %}
+{%          if intf.ospf.cost is defined %}
+            set cost {{ intf.ospf.cost }}
+{%          endif %}
+{%          if intf.ospf.timers.hello is defined %}
+            set hello-interval {{ intf.ospf.timers.hello }}
+{%          endif %}
+{%          if intf.ospf.timers.dead is defined %}
+            set dead-interval {{ intf.ospf.timers.dead }}
+{%          endif %}
+{%          if intf.ospf.priority is defined %}
+            set priority {{ intf.ospf.priority }}
+{%          endif %}
+{%          if intf.ospf.password is defined %}
+            set authentication text
+            set authentication-key {{ intf.ospf.password }}
+{%          endif %}
+            set status enable
+        next
+{%  endfor %}
+    end
+{%  endif %}
 
-{% for intf in netlab_interfaces if 'ospf' in intf and ospf.passive|default(False) %}
-{%   if loop.first %}
-passive_interface:
-{%   endif %}
-{{     ospf_intf(intf) }}
-{% endfor %}
+    config area
+{%  for area in netlab_interfaces|map(attribute='ospf.area',default='')|unique if area %}
+        edit {{ area }}
+        next
+{%  endfor %}
+    end
 
-area:
-{% for area in netlab_interfaces|map(attribute='ospf.area',default='')|unique if area %}
-- id: "{{ area }}"
-{% endfor %}
+    config network
+{%  for intf in netlab_interfaces if intf.ospf.area is defined %}
+        edit {{ intf.ifindex }}
+            set prefix {{ intf.ipv4|ipaddr('subnet') }}
+            set area {{ intf.ospf.area }}
+        next
+{%  endfor %}
+    end
+end
 
-network:
-{% for intf in netlab_interfaces if intf.ospf.area is defined %}
-- area: {{ intf.ospf.area }}
-  id: {{ intf.ifindex|default(0) }}
-  prefix: {{ intf.ipv4|ipaddr('subnet') }}
-{% endfor %}
+{% if multi_vdom %}
+end
+{% endif %}

netsim/ansible/templates/ospf/fortinet.fortios.fortios.j2

@@ -32,10 +32,11 @@ group_vars:
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 80
   netlab_console_connection: ssh
-  netlab_skip_missing_template: True
-  netlab_config_tasks: True
 external:
   image: none
 features:
-  ospf: True
+  ospf:
+    password: true
+    priority: true
+    timers: true
 graphite.icon: firewall