W3cubDocs

/Ansible

fortinet.fortios.fortios_system_sdwan – Configure redundant internet connections using SD-WAN (formerly virtual WAN link) in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_system_sdwan.

New in version 2.10: of fortinet.fortios

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and sdwan category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

Parameter Choices/Defaults Comments
access_token
string
Token-based authentication. Generated from GUI of Fortigate.
enable_log
boolean
    Choices:
  • no
  • yes
Enable/Disable logging for task.
system_sdwan
dictionary
Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
duplication
list / elements=string
Create SD-WAN duplication rule.
dstaddr
list / elements=string
Destination address or address group names.
name
string / required
Address or address group name. Source firewall.address.name firewall.addrgrp.name.
dstaddr6
list / elements=string
Destination address6 or address6 group names.
name
string / required
Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
dstintf
list / elements=string
Outgoing (egress) interfaces or zones.
name
string / required
Interface, zone or SDWAN zone name. Source system.interface.name system.zone.name system.sdwan.zone.name.
id
integer / required
Duplication rule ID (1 - 255).
packet_de_duplication
string
    Choices:
  • enable
  • disable
Enable/disable discarding of packets that have been duplicated.
packet_duplication
string
    Choices:
  • disable
  • force
  • on-demand
Configure packet duplication method.
service
list / elements=string
Service and service group name.
name
string / required
Service and service group name. Source firewall.service.custom.name firewall.service.group.name.
service_id
list / elements=string
SD-WAN service rule ID list.
id
integer / required
SD-WAN service rule ID. Source system.sdwan.service.id.
srcaddr
list / elements=string
Source address or address group names.
name
string / required
Address or address group name. Source firewall.address.name firewall.addrgrp.name.
srcaddr6
list / elements=string
Source address6 or address6 group names.
name
string / required
Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
srcintf
list / elements=string
Incoming (ingress) interfaces or zones.
name
string / required
Interface, zone or SDWAN zone name. Source system.interface.name system.zone.name system.sdwan.zone.name.
duplication_max_num
integer
Maximum number of interface members a packet is duplicated in the SD-WAN zone (2 - 4).
fail_alert_interfaces
list / elements=string
Physical interfaces that will be alerted.
name
string / required
Physical interface name. Source system.interface.name.
fail_detect
string
    Choices:
  • enable
  • disable
Enable/disable SD-WAN Internet connection status checking (failure detection).
health_check
list / elements=string
SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
addr_mode
string
    Choices:
  • ipv4
  • ipv6
Address mode (IPv4 or IPv6).
detect_mode
string
    Choices:
  • active
  • passive
  • prefer-passive
The mode determining how to detect the server.
diffservcode
string
Differentiated services code point (DSCP) in the IP header of the probe packet.
dns_match_ip
string
Response IP expected from DNS server if the protocol is DNS.
dns_request_domain
string
Fully qualified domain name to resolve for the DNS probe.
failtime
integer
Number of failures before server is considered lost (1 - 3600).
ftp_file
string
Full path and file name on the FTP server to download for FTP health-check to probe.
ftp_mode
string
    Choices:
  • passive
  • port
FTP mode.
ha_priority
integer
HA election priority (1 - 50).
http_agent
string
String in the http-agent field in the HTTP header.
http_get
string
URL used to communicate with the server if the protocol if the protocol is HTTP.
http_match
string
Response string expected from the server if the protocol is HTTP.
interval
integer
Status check interval in milliseconds, or the time between attempting to connect to the server (500 - 3600*1000 msec).
members
list / elements=string
Member sequence number list.
seq_num
integer
Member sequence number. Source system.sdwan.members.seq-num.
name
string / required
Status check or health check name.
packet_size
integer
Packet size of a twamp test session,
password
string
Twamp controller password in authentication mode
port
integer
Port number used to communicate with the server over the selected protocol (0-65535).
probe_count
integer
Number of most recent probes that should be used to calculate latency and jitter (5 - 30).
probe_packets
string
    Choices:
  • disable
  • enable
Enable/disable transmission of probe packets.
probe_timeout
integer
Time to wait before a probe packet is considered lost (500 - 3600*1000 msec).
protocol
string
    Choices:
  • ping
  • tcp-echo
  • udp-echo
  • http
  • twamp
  • dns
  • tcp-connect
  • ftp
  • ping6
Protocol used to determine if the FortiGate can communicate with the server.
quality_measured_method
string
    Choices:
  • half-open
  • half-close
Method to measure the quality of tcp-connect.
recoverytime
integer
Number of successful responses received before server is considered recovered (1 - 3600).
security_mode
string
    Choices:
  • none
  • authentication
Twamp controller security mode.
server
string
IP address or FQDN name of the server.
sla
list / elements=string
Service level agreement (SLA).
id
integer / required
SLA ID.
jitter_threshold
integer
Jitter for SLA to make decision in milliseconds. (0 - 10000000).
latency_threshold
integer
Latency for SLA to make decision in milliseconds. (0 - 10000000).
link_cost_factor
string
    Choices:
  • latency
  • jitter
  • packet-loss
Criteria on which to base link selection.
packetloss_threshold
integer
Packet loss for SLA to make decision in percentage. (0 - 100).
sla_fail_log_period
integer
Time interval in seconds that SLA fail log messages will be generated (0 - 3600).
sla_pass_log_period
integer
Time interval in seconds that SLA pass log messages will be generated (0 - 3600).
system_dns
string
    Choices:
  • disable
  • enable
Enable/disable system DNS as the probe server.
threshold_alert_jitter
integer
Alert threshold for jitter (ms).
threshold_alert_latency
integer
Alert threshold for latency (ms).
threshold_alert_packetloss
integer
Alert threshold for packet loss (percentage).
threshold_warning_jitter
integer
Warning threshold for jitter (ms).
threshold_warning_latency
integer
Warning threshold for latency (ms).
threshold_warning_packetloss
integer
Warning threshold for packet loss (percentage).
update_cascade_interface
string
    Choices:
  • enable
  • disable
Enable/disable update cascade interface.
update_static_route
string
    Choices:
  • enable
  • disable
Enable/disable updating the static route.
user
string
The user name to access probe server.
load_balance_mode
string
    Choices:
  • source-ip-based
  • weight-based
  • usage-based
  • source-dest-ip-based
  • measured-volume-based
Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
members
list / elements=string
FortiGate interfaces added to the SD-WAN.
comment
string
Comments.
cost
integer
Cost of this interface for services in SLA mode (0 - 4294967295).
gateway
string
The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.
gateway6
string
IPv6 gateway.
ingress_spillover_threshold
integer
Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
interface
string
Interface name. Source system.interface.name.
priority
integer
Priority of the interface (0 - 65535). Used for SD-WAN rules or priority rules.
priority6
integer
Priority of the interface for IPv6 (1 - 65535). Used for SD-WAN rules or priority rules.
seq_num
integer
Sequence number(1-512).
source
string
Source IP address used in the health-check packet to the server.
source6
string
Source IPv6 address used in the health-check packet to the server.
spillover_threshold
integer
Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
status
string
    Choices:
  • disable
  • enable
Enable/disable this interface in the SD-WAN.
volume_ratio
integer
Measured volume ratio (this value / sum of all values = percentage of link volume, 1 - 255).
weight
integer
Weight of this interface for weighted load balancing. (1 - 255) More traffic is directed to interfaces with higher weights.
zone
string
Zone name. Source system.sdwan.zone.name.
neighbor
list / elements=string
Create SD-WAN neighbor from BGP neighbor table to control route advertisements according to SLA status.
health_check
string
SD-WAN health-check name. Source system.sdwan.health-check.name.
ip
string / required
IP/IPv6 address of neighbor. Source router.bgp.neighbor.ip.
member
integer
Member sequence number. Source system.sdwan.members.seq-num.
role
string
    Choices:
  • standalone
  • primary
  • secondary
Role of neighbor.
sla_id
integer
SLA ID.
neighbor_hold_boot_time
integer
Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start. (0 - 10000000).
neighbor_hold_down
string
    Choices:
  • enable
  • disable
Enable/disable hold switching from the secondary neighbor to the primary neighbor.
neighbor_hold_down_time
integer
Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled. (0 - 10000000).
service
list / elements=string
Create SD-WAN rules (also called services) to control how sessions are distributed to interfaces in the SD-WAN.
addr_mode
string
    Choices:
  • ipv4
  • ipv6
Address mode (IPv4 or IPv6).
bandwidth_weight
integer
Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1.
default
string
    Choices:
  • enable
  • disable
Enable/disable use of SD-WAN as default service.
dscp_forward
string
    Choices:
  • enable
  • disable
Enable/disable forward traffic DSCP tag.
dscp_forward_tag
string
Forward traffic DSCP tag.
dscp_reverse
string
    Choices:
  • enable
  • disable
Enable/disable reverse traffic DSCP tag.
dscp_reverse_tag
string
Reverse traffic DSCP tag.
dst
list / elements=string
Destination address name.
name
string / required
Address or address group name. Source firewall.address.name firewall.addrgrp.name.
dst6
list / elements=string
Destination address6 name.
name
string / required
Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
dst_negate
string
    Choices:
  • enable
  • disable
Enable/disable negation of destination address match.
end_port
integer
End destination port number.
gateway
string
    Choices:
  • enable
  • disable
Enable/disable SD-WAN service gateway.
groups
list / elements=string
User groups.
name
string / required
Group name. Source user.group.name.
hash_mode
string
    Choices:
  • round-robin
  • source-ip-based
  • source-dest-ip-based
  • inbandwidth
  • outbandwidth
  • bibandwidth
Hash algorithm for selected priority members for load balance mode.
health_check
list / elements=string
Health check list.
name
string / required
Health check name. Source system.sdwan.health-check.name.
hold_down_time
integer
Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000).
id
integer / required
SD-WAN rule ID (1 - 4000).
input_device
list / elements=string
Source interface name.
name
string / required
Interface name. Source system.interface.name.
input_device_negate
string
    Choices:
  • enable
  • disable
Enable/disable negation of input device match.
internet_service
string
    Choices:
  • enable
  • disable
Enable/disable use of Internet service for application-based load balancing.
internet_service_app_ctrl
list / elements=string
Application control based Internet Service ID list.
id
integer / required
Application control based Internet Service ID.
internet_service_app_ctrl_group
list / elements=string
Application control based Internet Service group list.
name
string / required
Application control based Internet Service group name. Source application.group.name.
internet_service_custom
list / elements=string
Custom Internet service name list.
name
string / required
Custom Internet service name. Source firewall.internet-service-custom.name.
internet_service_custom_group
list / elements=string
Custom Internet Service group list.
name
string / required
Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
internet_service_group
list / elements=string
Internet Service group list.
name
string / required
Internet Service group name. Source firewall.internet-service-group.name.
internet_service_name
list / elements=string
Internet service name list.
name
string / required
Internet service name. Source firewall.internet-service-name.name.
jitter_weight
integer
Coefficient of jitter in the formula of custom-profile-1.
latency_weight
integer
Coefficient of latency in the formula of custom-profile-1.
link_cost_factor
string
    Choices:
  • latency
  • jitter
  • packet-loss
  • inbandwidth
  • outbandwidth
  • bibandwidth
  • custom-profile-1
Link cost factor.
link_cost_threshold
integer
Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000).
minimum_sla_meet_members
integer
Minimum number of members which meet SLA.
mode
string
    Choices:
  • auto
  • manual
  • priority
  • sla
  • load-balance
Control how the SD-WAN rule sets the priority of interfaces in the SD-WAN.
name
string
SD-WAN rule name.
packet_loss_weight
integer
Coefficient of packet-loss in the formula of custom-profile-1.
priority_members
list / elements=string
Member sequence number list.
seq_num
integer
Member sequence number. Source system.sdwan.members.seq-num.
protocol
integer
Protocol number.
quality_link
integer
Quality grade.
role
string
    Choices:
  • standalone
  • primary
  • secondary
Service role to work with neighbor.
route_tag
integer
IPv4 route map route-tag.
sla
list / elements=string
Service level agreement (SLA).
health_check
string
SD-WAN health-check. Source system.sdwan.health-check.name.
id
integer
SLA ID.
sla_compare_method
string
    Choices:
  • order
  • number
Method to compare SLA value for SLA mode.
src
list / elements=string
Source address name.
name
string / required
Address or address group name. Source firewall.address.name firewall.addrgrp.name.
src6
list / elements=string
Source address6 name.
name
string / required
Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
src_negate
string
    Choices:
  • enable
  • disable
Enable/disable negation of source address match.
standalone_action
string
    Choices:
  • enable
  • disable
Enable/disable service when selected neighbor role is standalone while service role is not standalone.
start_port
integer
Start destination port number.
status
string
    Choices:
  • enable
  • disable
Enable/disable SD-WAN service.
tie_break
string
    Choices:
  • zone
  • cfg-order
  • fib-best-match
Method of selecting member if more than one meets the SLA.
tos
string
Type of service bit pattern.
tos_mask
string
Type of service evaluated bits.
use_shortcut_sla
string
    Choices:
  • enable
  • disable
Enable/disable use of ADVPN shortcut for quality comparison.
users
list / elements=string
User name.
name
string / required
User name. Source user.local.name.
status
string
    Choices:
  • disable
  • enable
Enable/disable SD-WAN.
zone
list / elements=string
Configure SD-WAN zones.
name
string / required
Zone name.
service_sla_tie_break
string
    Choices:
  • cfg-order
  • fib-best-match
Method of selecting member if more than one meets the SLA.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
    fortios_system_sdwan:
      vdom:  "{{ vdom }}"
      system_sdwan:
        duplication:
         -
            dstaddr:
             -
                name: "default_name_5 (source firewall.address.name firewall.addrgrp.name)"
            dstaddr6:
             -
                name: "default_name_7 (source firewall.address6.name firewall.addrgrp6.name)"
            dstintf:
             -
                name: "default_name_9 (source system.interface.name system.zone.name system.sdwan.zone.name)"
            id:  "10"
            packet_de_duplication: "enable"
            packet_duplication: "disable"
            service:
             -
                name: "default_name_14 (source firewall.service.custom.name firewall.service.group.name)"
            service_id:
             -
                id:  "16 (source system.sdwan.service.id)"
            srcaddr:
             -
                name: "default_name_18 (source firewall.address.name firewall.addrgrp.name)"
            srcaddr6:
             -
                name: "default_name_20 (source firewall.address6.name firewall.addrgrp6.name)"
            srcintf:
             -
                name: "default_name_22 (source system.interface.name system.zone.name system.sdwan.zone.name)"
        duplication_max_num: "23"
        fail_alert_interfaces:
         -
            name: "default_name_25 (source system.interface.name)"
        fail_detect: "enable"
        health_check:
         -
            addr_mode: "ipv4"
            detect_mode: "active"
            diffservcode: "<your_own_value>"
            dns_match_ip: "<your_own_value>"
            dns_request_domain: "<your_own_value>"
            failtime: "33"
            ftp_file: "<your_own_value>"
            ftp_mode: "passive"
            ha_priority: "36"
            http_agent: "<your_own_value>"
            http_get: "<your_own_value>"
            http_match: "<your_own_value>"
            interval: "40"
            members:
             -
                seq_num: "42 (source system.sdwan.members.seq-num)"
            name: "default_name_43"
            packet_size: "44"
            password: "<your_own_value>"
            port: "46"
            probe_count: "47"
            probe_packets: "disable"
            probe_timeout: "49"
            protocol: "ping"
            quality_measured_method: "half-open"
            recoverytime: "52"
            security_mode: "none"
            server: "192.168.100.40"
            sla:
             -
                id:  "56"
                jitter_threshold: "57"
                latency_threshold: "58"
                link_cost_factor: "latency"
                packetloss_threshold: "60"
            sla_fail_log_period: "61"
            sla_pass_log_period: "62"
            system_dns: "disable"
            threshold_alert_jitter: "64"
            threshold_alert_latency: "65"
            threshold_alert_packetloss: "66"
            threshold_warning_jitter: "67"
            threshold_warning_latency: "68"
            threshold_warning_packetloss: "69"
            update_cascade_interface: "enable"
            update_static_route: "enable"
            user: "<your_own_value>"
        load_balance_mode: "source-ip-based"
        members:
         -
            comment: "Comments."
            cost: "76"
            gateway: "<your_own_value>"
            gateway6: "<your_own_value>"
            ingress_spillover_threshold: "79"
            interface: "<your_own_value> (source system.interface.name)"
            priority: "81"
            priority6: "82"
            seq_num: "83"
            source: "<your_own_value>"
            source6: "<your_own_value>"
            spillover_threshold: "86"
            status: "disable"
            volume_ratio: "88"
            weight: "89"
            zone: "<your_own_value> (source system.sdwan.zone.name)"
        neighbor:
         -
            health_check: "<your_own_value> (source system.sdwan.health-check.name)"
            ip: "<your_own_value> (source router.bgp.neighbor.ip)"
            member: "94 (source system.sdwan.members.seq-num)"
            role: "standalone"
            sla_id: "96"
        neighbor_hold_boot_time: "97"
        neighbor_hold_down: "enable"
        neighbor_hold_down_time: "99"
        service:
         -
            addr_mode: "ipv4"
            bandwidth_weight: "102"
            default: "enable"
            dscp_forward: "enable"
            dscp_forward_tag: "<your_own_value>"
            dscp_reverse: "enable"
            dscp_reverse_tag: "<your_own_value>"
            dst:
             -
                name: "default_name_109 (source firewall.address.name firewall.addrgrp.name)"
            dst_negate: "enable"
            dst6:
             -
                name: "default_name_112 (source firewall.address6.name firewall.addrgrp6.name)"
            end_port: "113"
            gateway: "enable"
            groups:
             -
                name: "default_name_116 (source user.group.name)"
            hash_mode: "round-robin"
            health_check:
             -
                name: "default_name_119 (source system.sdwan.health-check.name)"
            hold_down_time: "120"
            id:  "121"
            input_device:
             -
                name: "default_name_123 (source system.interface.name)"
            input_device_negate: "enable"
            internet_service: "enable"
            internet_service_app_ctrl:
             -
                id:  "127"
            internet_service_app_ctrl_group:
             -
                name: "default_name_129 (source application.group.name)"
            internet_service_custom:
             -
                name: "default_name_131 (source firewall.internet-service-custom.name)"
            internet_service_custom_group:
             -
                name: "default_name_133 (source firewall.internet-service-custom-group.name)"
            internet_service_group:
             -
                name: "default_name_135 (source firewall.internet-service-group.name)"
            internet_service_name:
             -
                name: "default_name_137 (source firewall.internet-service-name.name)"
            jitter_weight: "138"
            latency_weight: "139"
            link_cost_factor: "latency"
            link_cost_threshold: "141"
            minimum_sla_meet_members: "142"
            mode: "auto"
            name: "default_name_144"
            packet_loss_weight: "145"
            priority_members:
             -
                seq_num: "147 (source system.sdwan.members.seq-num)"
            protocol: "148"
            quality_link: "149"
            role: "standalone"
            route_tag: "151"
            sla:
             -
                health_check: "<your_own_value> (source system.sdwan.health-check.name)"
                id:  "154"
            sla_compare_method: "order"
            src:
             -
                name: "default_name_157 (source firewall.address.name firewall.addrgrp.name)"
            src_negate: "enable"
            src6:
             -
                name: "default_name_160 (source firewall.address6.name firewall.addrgrp6.name)"
            standalone_action: "enable"
            start_port: "162"
            status: "enable"
            tie_break: "zone"
            tos: "<your_own_value>"
            tos_mask: "<your_own_value>"
            use_shortcut_sla: "enable"
            users:
             -
                name: "default_name_169 (source user.local.name)"
        status: "disable"
        zone:
         -
            name: "default_name_172"
            service_sla_tie_break: "cfg-order"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_system_sdwan_module.html