Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_system_sdwan.
New in version 2.10 of fortinet.fortios
The below requirements are needed on the host that executes this module.
Nested parameters are written as dotted paths under system_sdwan; a "list" type with sub-parameters takes a list of dictionaries with those keys. Fields whose comment reads "Enable/disable" take the values enable or disable, as the example below shows; other choice lists were not preserved on this page.

Parameter | Choices/Defaults | Comments
---|---|---
access_token string | | Token-based authentication. Generated from the GUI of the FortiGate.
enable_log boolean | | Enable/disable logging for the task.
system_sdwan dictionary | | Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
system_sdwan.duplication list / elements=string | | Create SD-WAN duplication rule.
system_sdwan.duplication.dstaddr list / elements=string | | Destination address or address group names.
system_sdwan.duplication.dstaddr.name string / required | | Address or address group name. Source firewall.address.name firewall.addrgrp.name.
system_sdwan.duplication.dstaddr6 list / elements=string | | Destination address6 or address6 group names.
system_sdwan.duplication.dstaddr6.name string / required | | Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
system_sdwan.duplication.dstintf list / elements=string | | Outgoing (egress) interfaces or zones.
system_sdwan.duplication.dstintf.name string / required | | Interface, zone or SD-WAN zone name. Source system.interface.name system.zone.name system.sdwan.zone.name.
system_sdwan.duplication.id integer / required | | Duplication rule ID (1 - 255).
system_sdwan.duplication.packet_de_duplication string | enable, disable | Enable/disable discarding of packets that have been duplicated.
system_sdwan.duplication.packet_duplication string | | Configure packet duplication method.
system_sdwan.duplication.service list / elements=string | | Service and service group names.
system_sdwan.duplication.service.name string / required | | Service or service group name. Source firewall.service.custom.name firewall.service.group.name.
system_sdwan.duplication.service_id list / elements=string | | SD-WAN service rule ID list.
system_sdwan.duplication.service_id.id integer / required | | SD-WAN service rule ID. Source system.sdwan.service.id.
system_sdwan.duplication.srcaddr list / elements=string | | Source address or address group names.
system_sdwan.duplication.srcaddr.name string / required | | Address or address group name. Source firewall.address.name firewall.addrgrp.name.
system_sdwan.duplication.srcaddr6 list / elements=string | | Source address6 or address6 group names.
system_sdwan.duplication.srcaddr6.name string / required | | Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
system_sdwan.duplication.srcintf list / elements=string | | Incoming (ingress) interfaces or zones.
system_sdwan.duplication.srcintf.name string / required | | Interface, zone or SD-WAN zone name. Source system.interface.name system.zone.name system.sdwan.zone.name.
system_sdwan.duplication_max_num integer | | Maximum number of interface members a packet is duplicated to in the SD-WAN zone (2 - 4).
system_sdwan.fail_alert_interfaces list / elements=string | | Physical interfaces that will be alerted.
system_sdwan.fail_alert_interfaces.name string / required | | Physical interface name. Source system.interface.name.
system_sdwan.fail_detect string | enable, disable | Enable/disable SD-WAN Internet connection status checking (failure detection).
system_sdwan.health_check list / elements=string | | SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
system_sdwan.health_check.addr_mode string | ipv4, ipv6 | Address mode (IPv4 or IPv6).
system_sdwan.health_check.detect_mode string | | The mode determining how to detect the server.
system_sdwan.health_check.diffservcode string | | Differentiated services code point (DSCP) in the IP header of the probe packet.
system_sdwan.health_check.dns_match_ip string | | Response IP expected from the DNS server if the protocol is DNS.
system_sdwan.health_check.dns_request_domain string | | Fully qualified domain name to resolve for the DNS probe.
system_sdwan.health_check.failtime integer | | Number of failures before the server is considered lost (1 - 3600).
system_sdwan.health_check.ftp_file string | | Full path and file name on the FTP server to download for the FTP health-check probe.
system_sdwan.health_check.ftp_mode string | | FTP mode.
system_sdwan.health_check.ha_priority integer | | HA election priority (1 - 50).
system_sdwan.health_check.http_agent string | | String in the http-agent field in the HTTP header.
system_sdwan.health_check.http_get string | | URL used to communicate with the server if the protocol is HTTP.
system_sdwan.health_check.http_match string | | Response string expected from the server if the protocol is HTTP.
system_sdwan.health_check.interval integer | | Status check interval in milliseconds, or the time between attempts to connect to the server (500 - 3600*1000 msec).
system_sdwan.health_check.members list / elements=string | | Member sequence number list.
system_sdwan.health_check.members.seq_num integer | | Member sequence number. Source system.sdwan.members.seq-num.
system_sdwan.health_check.name string / required | | Status check or health check name.
system_sdwan.health_check.packet_size integer | | Packet size of a TWAMP test session.
system_sdwan.health_check.password string | | TWAMP controller password in authentication mode.
system_sdwan.health_check.port integer | | Port number used to communicate with the server over the selected protocol (0 - 65535).
system_sdwan.health_check.probe_count integer | | Number of most recent probes that should be used to calculate latency and jitter (5 - 30).
system_sdwan.health_check.probe_packets string | enable, disable | Enable/disable transmission of probe packets.
system_sdwan.health_check.probe_timeout integer | | Time to wait before a probe packet is considered lost (500 - 3600*1000 msec).
system_sdwan.health_check.protocol string | | Protocol used to determine if the FortiGate can communicate with the server.
system_sdwan.health_check.quality_measured_method string | | Method to measure the quality of tcp-connect.
system_sdwan.health_check.recoverytime integer | | Number of successful responses received before the server is considered recovered (1 - 3600).
system_sdwan.health_check.security_mode string | | TWAMP controller security mode.
system_sdwan.health_check.server string | | IP address or FQDN of the server.
system_sdwan.health_check.sla list / elements=string | | Service level agreement (SLA).
system_sdwan.health_check.sla.id integer / required | | SLA ID.
system_sdwan.health_check.sla.jitter_threshold integer | | Jitter for the SLA to make a decision, in milliseconds (0 - 10000000).
system_sdwan.health_check.sla.latency_threshold integer | | Latency for the SLA to make a decision, in milliseconds (0 - 10000000).
system_sdwan.health_check.sla.link_cost_factor string | | Criteria on which to base link selection.
system_sdwan.health_check.sla.packetloss_threshold integer | | Packet loss for the SLA to make a decision, in percent (0 - 100).
system_sdwan.health_check.sla_fail_log_period integer | | Time interval in seconds at which SLA fail log messages will be generated (0 - 3600).
system_sdwan.health_check.sla_pass_log_period integer | | Time interval in seconds at which SLA pass log messages will be generated (0 - 3600).
system_sdwan.health_check.system_dns string | enable, disable | Enable/disable system DNS as the probe server.
system_sdwan.health_check.threshold_alert_jitter integer | | Alert threshold for jitter (ms).
system_sdwan.health_check.threshold_alert_latency integer | | Alert threshold for latency (ms).
system_sdwan.health_check.threshold_alert_packetloss integer | | Alert threshold for packet loss (percent).
system_sdwan.health_check.threshold_warning_jitter integer | | Warning threshold for jitter (ms).
system_sdwan.health_check.threshold_warning_latency integer | | Warning threshold for latency (ms).
system_sdwan.health_check.threshold_warning_packetloss integer | | Warning threshold for packet loss (percent).
system_sdwan.health_check.update_cascade_interface string | enable, disable | Enable/disable update cascade interface.
system_sdwan.health_check.update_static_route string | enable, disable | Enable/disable updating the static route.
system_sdwan.health_check.user string | | The user name to access the probe server.
system_sdwan.load_balance_mode string | | Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
system_sdwan.members list / elements=string | | FortiGate interfaces added to the SD-WAN.
system_sdwan.members.comment string | | Comments.
system_sdwan.members.cost integer | | Cost of this interface for services in SLA mode (0 - 4294967295).
system_sdwan.members.gateway string | | The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.
system_sdwan.members.gateway6 string | | IPv6 gateway.
system_sdwan.members.ingress_spillover_threshold integer | | Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
system_sdwan.members.interface string | | Interface name. Source system.interface.name.
system_sdwan.members.priority integer | | Priority of the interface (0 - 65535). Used for SD-WAN rules or priority rules.
system_sdwan.members.priority6 integer | | Priority of the interface for IPv6 (1 - 65535). Used for SD-WAN rules or priority rules.
system_sdwan.members.seq_num integer | | Sequence number (1 - 512).
system_sdwan.members.source string | | Source IP address used in the health-check packet to the server.
system_sdwan.members.source6 string | | Source IPv6 address used in the health-check packet to the server.
system_sdwan.members.spillover_threshold integer | | Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
system_sdwan.members.status string | enable, disable | Enable/disable this interface in the SD-WAN.
system_sdwan.members.volume_ratio integer | | Measured volume ratio (this value / sum of all values = percentage of link volume, 1 - 255).
system_sdwan.members.weight integer | | Weight of this interface for weighted load balancing (1 - 255). More traffic is directed to interfaces with higher weights.
system_sdwan.members.zone string | | Zone name. Source system.sdwan.zone.name.
system_sdwan.neighbor list / elements=string | | Create SD-WAN neighbor from the BGP neighbor table to control route advertisements according to SLA status.
system_sdwan.neighbor.health_check string | | SD-WAN health-check name. Source system.sdwan.health-check.name.
system_sdwan.neighbor.ip string / required | | IP/IPv6 address of the neighbor. Source router.bgp.neighbor.ip.
system_sdwan.neighbor.member integer | | Member sequence number. Source system.sdwan.members.seq-num.
system_sdwan.neighbor.role string | | Role of neighbor.
system_sdwan.neighbor.sla_id integer | | SLA ID.
system_sdwan.neighbor_hold_boot_time integer | | Waiting period in seconds when switching from the primary neighbor to the secondary neighbor, measured from neighbor start (0 - 10000000).
system_sdwan.neighbor_hold_down string | enable, disable | Enable/disable holding the switch from the secondary neighbor back to the primary neighbor.
system_sdwan.neighbor_hold_down_time integer | | Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled (0 - 10000000).
system_sdwan.service list / elements=string | | Create SD-WAN rules (also called services) to control how sessions are distributed to interfaces in the SD-WAN.
system_sdwan.service.addr_mode string | ipv4, ipv6 | Address mode (IPv4 or IPv6).
system_sdwan.service.bandwidth_weight integer | | Coefficient of the reciprocal of available bidirectional bandwidth in the formula of custom-profile-1.
system_sdwan.service.default string | enable, disable | Enable/disable use of SD-WAN as default service.
system_sdwan.service.dscp_forward string | enable, disable | Enable/disable forward traffic DSCP tag.
system_sdwan.service.dscp_forward_tag string | | Forward traffic DSCP tag.
system_sdwan.service.dscp_reverse string | enable, disable | Enable/disable reverse traffic DSCP tag.
system_sdwan.service.dscp_reverse_tag string | | Reverse traffic DSCP tag.
system_sdwan.service.dst list / elements=string | | Destination address name.
system_sdwan.service.dst.name string / required | | Address or address group name. Source firewall.address.name firewall.addrgrp.name.
system_sdwan.service.dst6 list / elements=string | | Destination address6 name.
system_sdwan.service.dst6.name string / required | | Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
system_sdwan.service.dst_negate string | enable, disable | Enable/disable negation of destination address match.
system_sdwan.service.end_port integer | | End destination port number.
system_sdwan.service.gateway string | enable, disable | Enable/disable SD-WAN service gateway.
system_sdwan.service.groups list / elements=string | | User groups.
system_sdwan.service.groups.name string / required | | Group name. Source user.group.name.
system_sdwan.service.hash_mode string | | Hash algorithm for selected priority members for load balance mode.
system_sdwan.service.health_check list / elements=string | | Health check list.
system_sdwan.service.health_check.name string / required | | Health check name. Source system.sdwan.health-check.name.
system_sdwan.service.hold_down_time integer | | Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000).
system_sdwan.service.id integer / required | | SD-WAN rule ID (1 - 4000).
system_sdwan.service.input_device list / elements=string | | Source interface name.
system_sdwan.service.input_device.name string / required | | Interface name. Source system.interface.name.
system_sdwan.service.input_device_negate string | enable, disable | Enable/disable negation of input device match.
system_sdwan.service.internet_service string | enable, disable | Enable/disable use of Internet service for application-based load balancing.
system_sdwan.service.internet_service_app_ctrl list / elements=string | | Application control based Internet Service ID list.
system_sdwan.service.internet_service_app_ctrl.id integer / required | | Application control based Internet Service ID.
system_sdwan.service.internet_service_app_ctrl_group list / elements=string | | Application control based Internet Service group list.
system_sdwan.service.internet_service_app_ctrl_group.name string / required | | Application control based Internet Service group name. Source application.group.name.
system_sdwan.service.internet_service_custom list / elements=string | | Custom Internet service name list.
system_sdwan.service.internet_service_custom.name string / required | | Custom Internet service name. Source firewall.internet-service-custom.name.
system_sdwan.service.internet_service_custom_group list / elements=string | | Custom Internet Service group list.
system_sdwan.service.internet_service_custom_group.name string / required | | Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
system_sdwan.service.internet_service_group list / elements=string | | Internet Service group list.
system_sdwan.service.internet_service_group.name string / required | | Internet Service group name. Source firewall.internet-service-group.name.
system_sdwan.service.internet_service_name list / elements=string | | Internet service name list.
system_sdwan.service.internet_service_name.name string / required | | Internet service name. Source firewall.internet-service-name.name.
system_sdwan.service.jitter_weight integer | | Coefficient of jitter in the formula of custom-profile-1.
system_sdwan.service.latency_weight integer | | Coefficient of latency in the formula of custom-profile-1.
system_sdwan.service.link_cost_factor string | | Link cost factor.
system_sdwan.service.link_cost_threshold integer | | Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000).
system_sdwan.service.minimum_sla_meet_members integer | | Minimum number of members which meet the SLA.
system_sdwan.service.mode string | | Control how the SD-WAN rule sets the priority of interfaces in the SD-WAN.
system_sdwan.service.name string | | SD-WAN rule name.
system_sdwan.service.packet_loss_weight integer | | Coefficient of packet loss in the formula of custom-profile-1.
system_sdwan.service.priority_members list / elements=string | | Member sequence number list.
system_sdwan.service.priority_members.seq_num integer | | Member sequence number. Source system.sdwan.members.seq-num.
system_sdwan.service.protocol integer | | Protocol number.
system_sdwan.service.quality_link integer | | Quality grade.
system_sdwan.service.role string | | Service role to work with neighbor.
system_sdwan.service.route_tag integer | | IPv4 route map route-tag.
system_sdwan.service.sla list / elements=string | | Service level agreement (SLA).
system_sdwan.service.sla.health_check string | | SD-WAN health-check. Source system.sdwan.health-check.name.
system_sdwan.service.sla.id integer | | SLA ID.
system_sdwan.service.sla_compare_method string | | Method to compare SLA value for SLA mode.
system_sdwan.service.src list / elements=string | | Source address name.
system_sdwan.service.src.name string / required | | Address or address group name. Source firewall.address.name firewall.addrgrp.name.
system_sdwan.service.src6 list / elements=string | | Source address6 name.
system_sdwan.service.src6.name string / required | | Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
system_sdwan.service.src_negate string | enable, disable | Enable/disable negation of source address match.
system_sdwan.service.standalone_action string | enable, disable | Enable/disable service when the selected neighbor role is standalone while the service role is not standalone.
system_sdwan.service.start_port integer | | Start destination port number.
system_sdwan.service.status string | enable, disable | Enable/disable SD-WAN service.
system_sdwan.service.tie_break string | | Method of selecting a member if more than one meets the SLA.
system_sdwan.service.tos string | | Type of service bit pattern.
system_sdwan.service.tos_mask string | | Type of service evaluated bits.
system_sdwan.service.use_shortcut_sla string | enable, disable | Enable/disable use of ADVPN shortcut for quality comparison.
system_sdwan.service.users list / elements=string | | User name.
system_sdwan.service.users.name string / required | | User name. Source user.local.name.
system_sdwan.status string | enable, disable | Enable/disable SD-WAN.
system_sdwan.zone list / elements=string | | Configure SD-WAN zones.
system_sdwan.zone.name string / required | | Zone name.
system_sdwan.zone.service_sla_tie_break string | | Method of selecting a member if more than one meets the SLA.
vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
Note
```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # Disables TLS certificate validation of the FortiGate; acceptable only in a lab.
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
      fortios_system_sdwan:
        vdom: "{{ vdom }}"
        system_sdwan:
          duplication:
            - dstaddr:
                - name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
              dstaddr6:
                - name: "default_name_7 (source firewall.address6.name firewall.addrgrp6.name)"
              dstintf:
                - name: "default_name_9 (source system.interface.name system.zone.name system.sdwan.zone.name)"
              id: "10"
              packet_de_duplication: "enable"
              packet_duplication: "disable"
              service:
                - name: "default_name_14 (source firewall.service.custom.name firewall.service.group.name)"
              service_id:
                - id: "16 (source system.sdwan.service.id)"
              srcaddr:
                - name: "default_name_18 (source firewall.address.name firewall.addrgrp.name)"
              srcaddr6:
                - name: "default_name_20 (source firewall.address6.name firewall.addrgrp6.name)"
              srcintf:
                - name: "default_name_22 (source system.interface.name system.zone.name system.sdwan.zone.name)"
          duplication_max_num: "23"
          fail_alert_interfaces:
            - name: "default_name_25 (source system.interface.name)"
          fail_detect: "enable"
          health_check:
            - addr_mode: "ipv4"
              detect_mode: "active"
              diffservcode: "<your_own_value>"
              dns_match_ip: "<your_own_value>"
              dns_request_domain: "<your_own_value>"
              failtime: "33"
              ftp_file: "<your_own_value>"
              ftp_mode: "passive"
              ha_priority: "36"
              http_agent: "<your_own_value>"
              http_get: "<your_own_value>"
              http_match: "<your_own_value>"
              interval: "40"
              members:
                - seq_num: "42 (source system.sdwan.members.seq-num)"
              name: "default_name_43"
              packet_size: "44"
              password: "<your_own_value>"
              port: "46"
              probe_count: "47"
              probe_packets: "disable"
              probe_timeout: "49"
              protocol: "ping"
              quality_measured_method: "half-open"
              recoverytime: "52"
              security_mode: "none"
              server: "192.168.100.40"
              sla:
                - id: "56"
                  jitter_threshold: "57"
                  latency_threshold: "58"
                  link_cost_factor: "latency"
                  packetloss_threshold: "60"
              sla_fail_log_period: "61"
              sla_pass_log_period: "62"
              system_dns: "disable"
              threshold_alert_jitter: "64"
              threshold_alert_latency: "65"
              threshold_alert_packetloss: "66"
              threshold_warning_jitter: "67"
              threshold_warning_latency: "68"
              threshold_warning_packetloss: "69"
              update_cascade_interface: "enable"
              update_static_route: "enable"
              user: "<your_own_value>"
          load_balance_mode: "source-ip-based"
          members:
            - comment: "Comments."
              cost: "76"
              gateway: "<your_own_value>"
              gateway6: "<your_own_value>"
              ingress_spillover_threshold: "79"
              interface: "<your_own_value> (source system.interface.name)"
              priority: "81"
              priority6: "82"
              seq_num: "83"
              source: "<your_own_value>"
              source6: "<your_own_value>"
              spillover_threshold: "86"
              status: "disable"
              volume_ratio: "88"
              weight: "89"
              zone: "<your_own_value> (source system.sdwan.zone.name)"
          neighbor:
            - health_check: "<your_own_value> (source system.sdwan.health-check.name)"
              ip: "<your_own_value> (source router.bgp.neighbor.ip)"
              member: "94 (source system.sdwan.members.seq-num)"
              role: "standalone"
              sla_id: "96"
          neighbor_hold_boot_time: "97"
          neighbor_hold_down: "enable"
          neighbor_hold_down_time: "99"
          service:
            - addr_mode: "ipv4"
              bandwidth_weight: "102"
              default: "enable"
              dscp_forward: "enable"
              dscp_forward_tag: "<your_own_value>"
              dscp_reverse: "enable"
              dscp_reverse_tag: "<your_own_value>"
              dst:
                - name: "default_name_109 (source firewall.address.name firewall.addrgrp.name)"
              dst_negate: "enable"
              dst6:
                - name: "default_name_112 (source firewall.address6.name firewall.addrgrp6.name)"
              end_port: "113"
              gateway: "enable"
              groups:
                - name: "default_name_116 (source user.group.name)"
              hash_mode: "round-robin"
              health_check:
                - name: "default_name_119 (source system.sdwan.health-check.name)"
              hold_down_time: "120"
              id: "121"
              input_device:
                - name: "default_name_123 (source system.interface.name)"
              input_device_negate: "enable"
              internet_service: "enable"
              internet_service_app_ctrl:
                - id: "127"
              internet_service_app_ctrl_group:
                - name: "default_name_129 (source application.group.name)"
              internet_service_custom:
                - name: "default_name_131 (source firewall.internet-service-custom.name)"
              internet_service_custom_group:
                - name: "default_name_133 (source firewall.internet-service-custom-group.name)"
              internet_service_group:
                - name: "default_name_135 (source firewall.internet-service-group.name)"
              internet_service_name:
                - name: "default_name_137 (source firewall.internet-service-name.name)"
              jitter_weight: "138"
              latency_weight: "139"
              link_cost_factor: "latency"
              link_cost_threshold: "141"
              minimum_sla_meet_members: "142"
              mode: "auto"
              name: "default_name_144"
              packet_loss_weight: "145"
              priority_members:
                - seq_num: "147 (source system.sdwan.members.seq-num)"
              protocol: "148"
              quality_link: "149"
              role: "standalone"
              route_tag: "151"
              sla:
                - health_check: "<your_own_value> (source system.sdwan.health-check.name)"
                  id: "154"
              sla_compare_method: "order"
              src:
                - name: "default_name_157 (source firewall.address.name firewall.addrgrp.name)"
              src_negate: "enable"
              src6:
                - name: "default_name_160 (source firewall.address6.name firewall.addrgrp6.name)"
              standalone_action: "enable"
              start_port: "162"
              status: "enable"
              tie_break: "zone"
              tos: "<your_own_value>"
              tos_mask: "<your_own_value>"
              use_shortcut_sla: "enable"
              users:
                - name: "default_name_169 (source user.local.name)"
          status: "disable"
          zone:
            - name: "default_name_172"
              service_sla_tie_break: "cfg-order"
```
Common return values are documented here; the following are the fields unique to this module:

Key | Returned | Description
---|---|---
build string | always | Build number of the FortiGate image. Sample: 1547
http_method string | always | Last method used to provision the content into the FortiGate. Sample: PUT
http_status string | always | Last result given by the FortiGate on the last operation applied. Sample: 200
mkey string | success | Master key (id) used in the last call to the FortiGate. Sample: id
name string | always | Name of the table used to fulfill the request. Sample: urlfilter
path string | always | Path of the table used to fulfill the request. Sample: webfilter
revision string | always | Internal revision number. Sample: 17.0.2.10658
serial string | always | Serial number of the unit. Sample: FGVMEVYYQT3AB5352
status string | always | Indication of the operation's result. Sample: success
vdom string | always | Virtual domain used. Sample: root
version string | always | Version of the FortiGate. Sample: v5.6.3
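The playbook below is an added example, not the collection's generated sample above, and it ties the parameter table to the return values table: it enables SD-WAN, puts two WAN links in one zone, probes a server with a health check that carries an SLA on latency, jitter and loss, steers traffic with a rule that prefers the member meeting that SLA, and then fails the play unless the FortiGate answers with http_status 200 and status success. Everything not on this page is an assumption: the interface names wan1 and wan2, gateways and probe target in documentation address ranges, the built-in FortiOS address object named all, the FortiOS choice value sla for the rule mode, an API token held in an Ansible Vault variable named fortigate_api_token, and that the module returns the documented result fields under a meta key in the registered result. Unlike the generated sample it keeps TLS certificate validation on, which requires the FortiGate's certificate, or the CA that issued it, to be trusted by the controller.

```yaml
# Added example (not the collection's own sample). Assumptions: interfaces
# wan1/wan2, documentation-range addresses, built-in address object "all",
# mode "sla", a Vault variable fortigate_api_token, and results under "meta".
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  gather_facts: no
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # Keep certificate validation on; trust the FortiGate's CA on the controller.
    ansible_httpapi_validate_certs: yes
    ansible_httpapi_port: 443
  tasks:
    - name: Enable SD-WAN with two members, one health check with an SLA, and one rule
      fortios_system_sdwan:
        vdom: "{{ vdom }}"
        access_token: "{{ fortigate_api_token }}"   # supplied from an Ansible Vault file
        enable_log: true
        system_sdwan:
          status: "enable"
          fail_detect: "enable"
          load_balance_mode: "source-ip-based"
          zone:
            - name: "virtual-wan-link"
          members:
            - seq_num: 1
              interface: "wan1"
              gateway: "203.0.113.1"
              zone: "virtual-wan-link"
              priority: 1
              weight: 1
              status: "enable"
            - seq_num: 2
              interface: "wan2"
              gateway: "198.51.100.1"
              zone: "virtual-wan-link"
              priority: 2
              weight: 1
              status: "enable"
          health_check:
            - name: "hc-ping"
              addr_mode: "ipv4"
              protocol: "ping"
              server: "192.0.2.10"
              interval: 1000        # msec; documented range 500 - 3600*1000
              probe_timeout: 500    # msec
              failtime: 5           # lost probes before the link is declared down
              recoverytime: 5       # answered probes before it is declared up again
              members:
                - seq_num: 1
                - seq_num: 2
              sla:
                - id: 1
                  latency_threshold: 250     # ms
                  jitter_threshold: 50       # ms
                  packetloss_threshold: 2    # percent
                  link_cost_factor: "latency"
          service:
            - id: 1
              name: "internet-by-sla"
              status: "enable"
              addr_mode: "ipv4"
              mode: "sla"          # FortiOS choice value; not listed in the extracted table
              src:
                - name: "all"
              dst:
                - name: "all"
              sla:
                - health_check: "hc-ping"
                  id: 1
              priority_members:
                - seq_num: 1
                - seq_num: 2
      register: sdwan_result

    - name: Stop the play unless the FortiGate accepted the configuration
      ansible.builtin.assert:
        that:
          - sdwan_result.meta.http_status | int == 200
          - sdwan_result.meta.status == "success"
        fail_msg: "FortiGate answered {{ sdwan_result.meta.http_status }} / {{ sdwan_result.meta.status }}"
```

Run it with the Vault file that defines fortigate_api_token (for example ansible-playbook sdwan.yml --ask-vault-pass) and confirm on the FortiGate that both members show as alive under the hc-ping health check before relying on the rule. If your version of the collection returns the documented fields at the top level of the result instead of under meta, drop the meta segment from the two assertions.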
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_system_sdwan_module.html