fortios_system_ha – Configure HA in Fortinet’s FortiOS and FortiGate
New in version 2.9.
Synopsis
- This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the `system` feature's `ha` category. The example below includes every parameter; values must be adjusted to your own datasources before use. Tested with FOS v6.0.5.
Requirements
The following requirements are needed on the host that executes this module.
- fortiosapi>=0.9.8
Parameters
Parameter | Type | Choices/Defaults | Comments
---|---|---|---
host | string | | FortiOS or FortiGate IP address.
https | boolean | | Indicates whether requests towards the FortiGate must use the HTTPS protocol.
password | string | Default: "" | FortiOS or FortiGate password.
ssl_verify | boolean | | Ensures the FortiGate certificate is verified by a proper CA.
system_ha | dictionary | Default: null | Configure HA.
system_ha.arps | integer | | Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce failover time.
system_ha.arps_interval | integer | | Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher to reduce traffic.
system_ha.authentication | string | | Enable/disable heartbeat message authentication.
system_ha.cpu_threshold | string | | Dynamic weighted load balancing CPU usage weight and high and low thresholds.
system_ha.encryption | string | | Enable/disable heartbeat message encryption.
system_ha.ftp_proxy_threshold | string | | Dynamic weighted load balancing weight and high and low number of FTP proxy sessions.
system_ha.gratuitous_arps | string | | Enable/disable gratuitous ARPs. Disable if link-failed-signal is enabled.
system_ha.group_id | integer | | Cluster group ID (0 - 255). Must be the same for all members.
system_ha.group_name | string | | Cluster group name. Must be the same for all members.
system_ha.ha_direct | string | | Enable/disable using the ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, and FortiSandbox.
system_ha.ha_eth_type | string | | HA heartbeat packet Ethertype (4-digit hex).
system_ha.ha_mgmt_interfaces | list | | Reserve interfaces to manage individual cluster units.
system_ha.ha_mgmt_interfaces[].dst | string | | Default route destination for the reserved HA management interface.
system_ha.ha_mgmt_interfaces[].gateway | string | | Default route gateway for the reserved HA management interface.
system_ha.ha_mgmt_interfaces[].gateway6 | string | | Default IPv6 gateway for the reserved HA management interface.
system_ha.ha_mgmt_interfaces[].id | integer / required | | Table ID.
system_ha.ha_mgmt_interfaces[].interface | string | | Interface to reserve for HA management. Source system.interface.name.
system_ha.ha_mgmt_status | string | | Enable to reserve interfaces to manage individual cluster units.
system_ha.ha_uptime_diff_margin | integer | | Normally you would only reduce this value for failover testing.
system_ha.hb_interval | integer | | Time between sending heartbeat packets (1 - 20, in units of 100 ms). Increase to reduce false positives.
system_ha.hb_lost_threshold | integer | | Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false positives.
system_ha.hbdev | string | | Heartbeat interfaces. Must be the same for all members.
system_ha.hc_eth_type | string | | Transparent mode HA heartbeat packet Ethertype (4-digit hex).
system_ha.hello_holddown | integer | | Time to wait before changing from hello to work state (5 - 300 sec).
system_ha.http_proxy_threshold | string | | Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions.
system_ha.imap_proxy_threshold | string | | Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions.
system_ha.inter_cluster_session_sync | string | | Enable/disable synchronization of sessions among HA clusters.
system_ha.key | string | | key
system_ha.l2ep_eth_type | string | | Telnet session HA heartbeat packet Ethertype (4-digit hex).
system_ha.link_failed_signal | string | | Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update the network.
system_ha.load_balance_all | string | | Enable to load balance TCP sessions. Disable to load balance proxy sessions only.
system_ha.memory_compatible_mode | string | | Enable/disable memory compatible mode.
system_ha.memory_threshold | string | | Dynamic weighted load balancing memory usage weight and high and low thresholds.
system_ha.mode | string | | HA mode. Must be the same for all members. FGSP requires standalone.
system_ha.monitor | string | | Interfaces to check for port monitoring (or link failure). Source system.interface.name.
system_ha.multicast_ttl | integer | | HA multicast TTL on master (5 - 3600 sec).
system_ha.nntp_proxy_threshold | string | | Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions.
system_ha.override | string | | Enable and increase the priority of the unit that should always be primary (master).
system_ha.override_wait_time | integer | | Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates.
system_ha.password | string | | Cluster password. Must be the same for all members.
system_ha.pingserver_failover_threshold | integer | | Remote IP monitoring failover threshold (0 - 50).
system_ha.pingserver_flip_timeout | integer | | Time to wait in minutes before renegotiating after a remote IP monitoring failover.
system_ha.pingserver_monitor_interface | string | | Interfaces to check for remote IP monitoring. Source system.interface.name.
system_ha.pingserver_slave_force_reset | string | | Enable to force the cluster to negotiate after a remote IP monitoring failover.
system_ha.pop3_proxy_threshold | string | | Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions.
system_ha.priority | integer | | Increase the priority to select the primary unit (0 - 255).
system_ha.route_hold | integer | | Time to wait between routing table updates to the cluster (0 - 3600 sec).
system_ha.route_ttl | integer | | TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes during failover.
system_ha.route_wait | integer | | Time to wait before sending new routes to the cluster (0 - 3600 sec).
system_ha.schedule | string | | Type of A-A load balancing. Use none if you have external load balancers.
system_ha.secondary_vcluster | dictionary | | Configure virtual cluster 2.
system_ha.secondary_vcluster.monitor | string | | Interfaces to check for port monitoring (or link failure). Source system.interface.name.
system_ha.secondary_vcluster.override | string | | Enable and increase the priority of the unit that should always be primary (master).
system_ha.secondary_vcluster.override_wait_time | integer | | Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates.
system_ha.secondary_vcluster.pingserver_failover_threshold | integer | | Remote IP monitoring failover threshold (0 - 50).
system_ha.secondary_vcluster.pingserver_monitor_interface | string | | Interfaces to check for remote IP monitoring. Source system.interface.name.
system_ha.secondary_vcluster.pingserver_slave_force_reset | string | | Enable to force the cluster to negotiate after a remote IP monitoring failover.
system_ha.secondary_vcluster.priority | integer | | Increase the priority to select the primary unit (0 - 255).
system_ha.secondary_vcluster.vcluster_id | integer | | Cluster ID.
system_ha.secondary_vcluster.vdom | string | | VDOMs in virtual cluster 2.
system_ha.session_pickup | string | | Enable/disable session pickup. Enabling it can reduce session downtime when a failover happens.
system_ha.session_pickup_connectionless | string | | Enable/disable UDP and ICMP session sync for FGSP.
system_ha.session_pickup_delay | string | | Enable to sync sessions longer than 30 sec. Only longer-lived sessions need to be synced.
system_ha.session_pickup_expectation | string | | Enable/disable session helper expectation session sync for FGSP.
system_ha.session_pickup_nat | string | | Enable/disable NAT session sync for FGSP.
system_ha.session_sync_dev | string | | Offload session sync to one or more interfaces to distribute traffic and prevent delays if needed. Source system.interface.name.
system_ha.smtp_proxy_threshold | string | | Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions.
system_ha.standalone_config_sync | string | | Enable/disable FGSP configuration synchronization.
system_ha.standalone_mgmt_vdom | string | | Enable/disable standalone management VDOM.
system_ha.sync_config | string | | Enable/disable configuration synchronization.
system_ha.sync_packet_balance | string | | Enable/disable HA packet distribution to multiple CPUs.
system_ha.unicast_hb | string | | Enable/disable unicast heartbeat.
system_ha.unicast_hb_netmask | string | | Unicast heartbeat netmask.
system_ha.unicast_hb_peerip | string | | Unicast heartbeat peer IP.
system_ha.uninterruptible_upgrade | string | | Enable to upgrade a cluster without blocking network traffic.
system_ha.vcluster2 | string | | Enable/disable virtual cluster 2 for virtual clustering.
system_ha.vcluster_id | integer | | Cluster ID.
system_ha.vdom | string | | VDOMs in virtual cluster 1.
system_ha.weight | string | | Weight-round-robin weight for each cluster unit. Syntax: `<priority> <weight>`.
username | string | | FortiOS or FortiGate username.
vdom | string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
Notes
- Requires fortiosapi library developed by Fortinet
- Run as a local_action in your playbook
Examples
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
    ssl_verify: "False"
  tasks:
    - name: Configure HA.
      fortios_system_ha:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        system_ha:
          arps: "3"
          arps_interval: "4"
          authentication: "enable"
          cpu_threshold: "<your_own_value>"
          encryption: "enable"
          ftp_proxy_threshold: "<your_own_value>"
          gratuitous_arps: "enable"
          group_id: "10"
          group_name: "<your_own_value>"
          ha_direct: "enable"
          ha_eth_type: "<your_own_value>"
          ha_mgmt_interfaces:
            - dst: "<your_own_value>"
              gateway: "<your_own_value>"
              gateway6: "<your_own_value>"
              id: "18"
              interface: "<your_own_value> (source system.interface.name)"
          ha_mgmt_status: "enable"
          ha_uptime_diff_margin: "21"
          hb_interval: "22"
          hb_lost_threshold: "23"
          hbdev: "<your_own_value>"
          hc_eth_type: "<your_own_value>"
          hello_holddown: "26"
          http_proxy_threshold: "<your_own_value>"
          imap_proxy_threshold: "<your_own_value>"
          inter_cluster_session_sync: "enable"
          key: "<your_own_value>"
          l2ep_eth_type: "<your_own_value>"
          link_failed_signal: "enable"
          load_balance_all: "enable"
          memory_compatible_mode: "enable"
          memory_threshold: "<your_own_value>"
          mode: "standalone"
          monitor: "<your_own_value> (source system.interface.name)"
          multicast_ttl: "38"
          nntp_proxy_threshold: "<your_own_value>"
          override: "enable"
          override_wait_time: "41"
          password: "<your_own_value>"
          pingserver_failover_threshold: "43"
          pingserver_flip_timeout: "44"
          pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
          pingserver_slave_force_reset: "enable"
          pop3_proxy_threshold: "<your_own_value>"
          priority: "48"
          route_hold: "49"
          route_ttl: "50"
          route_wait: "51"
          schedule: "none"
          secondary_vcluster:
            monitor: "<your_own_value> (source system.interface.name)"
            override: "enable"
            override_wait_time: "56"
            pingserver_failover_threshold: "57"
            pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
            pingserver_slave_force_reset: "enable"
            priority: "60"
            vcluster_id: "61"
            vdom: "<your_own_value>"
          session_pickup: "enable"
          session_pickup_connectionless: "enable"
          session_pickup_delay: "enable"
          session_pickup_expectation: "enable"
          session_pickup_nat: "enable"
          session_sync_dev: "<your_own_value> (source system.interface.name)"
          smtp_proxy_threshold: "<your_own_value>"
          standalone_config_sync: "enable"
          standalone_mgmt_vdom: "enable"
          sync_config: "enable"
          sync_packet_balance: "enable"
          unicast_hb: "enable"
          unicast_hb_netmask: "<your_own_value>"
          unicast_hb_peerip: "<your_own_value>"
          uninterruptible_upgrade: "enable"
          vcluster_id: "78"
          vcluster2: "enable"
          vdom: "<your_own_value>"
          weight: "<your_own_value>"
```
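A hardened counterpart to the generated example above, added here and not part of the module documentation: it uses the same module and parameter names but turns on HTTPS with certificate verification, authenticates and encrypts the heartbeat, reads both passwords from an ansible-vault file, keeps them out of the job log, and asserts on the module's `status` return value. The addresses (TEST-NET ranges), interface names and vault file are constructed; the `mode` value `a-p` (FortiOS active-passive) and the CLI-style `hbdev`/`dst` string formats are assumptions, since this page lists no choices for them.

```yaml
# Added example, not from the module docs: hardened variant of the playbook above.
# Addresses (192.0.2.0/24, 198.51.100.0/24), interface names and the vault file are
# constructed; "a-p" and the hbdev/dst string formats follow FortiOS CLI syntax (assumed).
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    host: "192.0.2.10"
    username: "admin"
    vdom: "root"
  vars_files:
    - vault/fortigate.yml   # ansible-vault file defining fgt_password and ha_cluster_password
  tasks:
    - name: Configure an active-passive HA cluster with authenticated, encrypted heartbeats
      fortios_system_ha:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ fgt_password }}"
        vdom: "{{ vdom }}"
        https: true          # REST calls over TLS ...
        ssl_verify: true     # ... and the FortiGate certificate must chain to a trusted CA
        system_ha:
          mode: "a-p"
          group_id: "10"
          group_name: "edge-cluster"
          password: "{{ ha_cluster_password }}"   # cluster secret, identical on every member
          authentication: "enable"   # heartbeat messages are authenticated ...
          encryption: "enable"       # ... and encrypted
          hbdev: '"port3" 50'        # dedicated heartbeat link, never a traffic interface
          unicast_hb: "enable"       # VM pair: heartbeat to a known peer instead of multicast
          unicast_hb_peerip: "198.51.100.2"
          unicast_hb_netmask: "255.255.255.0"
          hb_interval: "2"           # 200 ms between heartbeats (range 1 - 20 x 100 ms)
          hb_lost_threshold: "6"     # declare failure after 6 lost heartbeats (range 1 - 60)
          override: "enable"
          priority: "200"            # this unit should normally be primary (range 0 - 255)
          ha_direct: "enable"        # syslog/SNMP/RADIUS traffic leaves via the reserved mgmt interface
          ha_mgmt_status: "enable"
          ha_mgmt_interfaces:
            - id: "1"
              interface: "port1"
              dst: "0.0.0.0 0.0.0.0"
              gateway: "192.0.2.1"
      register: ha_result
      no_log: true               # keep both passwords out of the job output
    - name: Stop the play unless FortiGate reported success
      assert:
        that:
          - ha_result.status == "success"
```

Run it with `ansible-playbook --ask-vault-pass` (or a vault password file); the second task makes a rejected or partially applied HA configuration fail the play instead of going unnoticed.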
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Type | Returned | Description | Sample
---|---|---|---|---
build | string | always | Build number of the FortiGate image | 1547
http_method | string | always | Last method used to provision the content into FortiGate | PUT
http_status | string | always | Last result given by FortiGate on the last operation applied | 200
mkey | string | success | Master key (id) used in the last call to FortiGate | id
name | string | always | Name of the table used to fulfill the request | urlfilter
path | string | always | Path of the table used to fulfill the request | webfilter
revision | string | always | Internal revision number | 17.0.2.10658
serial | string | always | Serial number of the unit | FGVMEVYYQT3AB5352
status | string | always | Indication of the operation's result | success
vdom | string | always | Virtual domain used | root
version | string | always | Version of the FortiGate | v5.6.3
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_system_ha_module.html