fortios_system_virtual_wan_link – Configure redundant internet connections using SD-WAN (formerly virtual WAN link) in Fortinet’s FortiOS and FortiGate
New in version 2.8.
Synopsis
- This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the virtual_wan_link category of the system feature. The examples include all parameters, and their values need to be adjusted to your data sources before use. Tested with FOS v6.0.5.
Requirements
The below requirements are needed on the host that executes this module.
- fortiosapi>=0.9.8
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
host string | | FortiOS or FortiGate IP address. |
https boolean | | Indicates if the requests towards FortiGate must use HTTPS protocol. |
password string | Default: "" | FortiOS or FortiGate password. |
ssl_verify boolean added in 2.9 | | Ensures FortiGate certificate must be verified by a proper CA. |
system_virtual_wan_link dictionary | Default: null | Configure redundant internet connections using SD-WAN (formerly virtual WAN link). |
fail_alert_interfaces list | | Physical interfaces that will be alerted. |
name string / required | | Physical interface name. Source system.interface.name. |
fail_detect string | | Enable/disable SD-WAN Internet connection status checking (failure detection). |
health_check list | | SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it. |
addr_mode string | | Address mode (IPv4 or IPv6). |
failtime integer | | Number of failures before server is considered lost (1 - 3600). |
http_agent string | | String in the http-agent field in the HTTP header. |
http_get string | | URL used to communicate with the server if the protocol is HTTP. |
http_match string | | Response string expected from the server if the protocol is HTTP. |
interval integer | | Status check interval, or the time between attempting to connect to the server (1 - 3600 sec). |
members list | | Member sequence number list. |
seq_num integer | | Member sequence number. Source system.virtual-wan-link.members.seq-num. |
name string / required | | Status check or health check name. |
packet_size integer | | Packet size of a TWAMP test session. |
password string | | TWAMP controller password in authentication mode. |
port integer | | Port number used to communicate with the server over the selected protocol. |
protocol string | | Protocol used to determine if the FortiGate can communicate with the server. |
recoverytime integer | | Number of successful responses received before server is considered recovered (1 - 3600). |
security_mode string | | TWAMP controller security mode. |
server string | | IP address or FQDN name of the server. |
sla list | | Service level agreement (SLA). |
id integer / required | | SLA ID. |
jitter_threshold integer | | Jitter for SLA to make decision in milliseconds. (0 - 10000000). |
latency_threshold integer | | Latency for SLA to make decision in milliseconds. (0 - 10000000). |
link_cost_factor string | | Criteria on which to base link selection. |
packetloss_threshold integer | | Packet loss for SLA to make decision in percentage. (0 - 100). |
threshold_alert_jitter integer | | Alert threshold for jitter (ms). |
threshold_alert_latency integer | | Alert threshold for latency (ms). |
threshold_alert_packetloss integer | | Alert threshold for packet loss (percentage). |
threshold_warning_jitter integer | | Warning threshold for jitter (ms). |
threshold_warning_latency integer | | Warning threshold for latency (ms). |
threshold_warning_packetloss integer | | Warning threshold for packet loss (percentage). |
update_cascade_interface string | | Enable/disable update cascade interface. |
update_static_route string | | Enable/disable updating the static route. |
load_balance_mode string | | Algorithm or mode to use for load balancing Internet traffic to SD-WAN members. |
members list | | Physical FortiGate interfaces added to the virtual-wan-link. |
comment string | | Comments. |
gateway string | | The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to. |
gateway6 string | | IPv6 gateway. |
ingress_spillover_threshold integer | | Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. |
interface string | | Interface name. Source system.interface.name. |
priority integer | | Priority of the interface (0 - 4294967295). Used for SD-WAN rules or priority rules. |
seq_num integer | | Sequence number (1 - 255). |
source string | | Source IP address used in the health-check packet to the server. |
source6 string | | Source IPv6 address used in the health-check packet to the server. |
spillover_threshold integer | | Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. |
status string | | Enable/disable this interface in the SD-WAN. |
volume_ratio integer | | Measured volume ratio (this value / sum of all values = percentage of link volume, 0 - 255). |
weight integer | | Weight of this interface for weighted load balancing. (0 - 255) More traffic is directed to interfaces with higher weights. |
service list | | Create SD-WAN rules or priority rules (also called services) to control how sessions are distributed to physical interfaces in the SD-WAN. |
addr_mode string | | Address mode (IPv4 or IPv6). |
bandwidth_weight integer | | Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1. |
default string | | Enable/disable use of SD-WAN as default service. |
dscp_forward string | | Enable/disable forward traffic DSCP tag. |
dscp_forward_tag string | | Forward traffic DSCP tag. |
dscp_reverse string | | Enable/disable reverse traffic DSCP tag. |
dscp_reverse_tag string | | Reverse traffic DSCP tag. |
dst list | | Destination address name. |
name string / required | | Address or address group name. Source firewall.address.name firewall.addrgrp.name. |
dst6 list | | Destination address6 name. |
name string / required | | Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name. |
dst_negate string | | Enable/disable negation of destination address match. |
end_port integer | | End destination port number. |
gateway string | | Enable/disable SD-WAN service gateway. |
groups list | | User groups. |
name string / required | | Group name. Source user.group.name. |
health_check string | | Health check. Source system.virtual-wan-link.health-check.name. |
hold_down_time integer | | Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000). |
id integer / required | | Priority rule ID (1 - 4000). |
input_device list | | Source interface name. |
name string / required | | Interface name. Source system.interface.name. |
internet_service string | | Enable/disable use of Internet service for application-based load balancing. |
internet_service_ctrl list | | Control-based Internet Service ID list. |
id integer / required | | Control-based Internet Service ID. |
internet_service_ctrl_group list | | Control-based Internet Service group list. |
name string / required | | Control-based Internet Service group name. Source application.group.name. |
internet_service_custom list | | Custom Internet service name list. |
name string / required | | Custom Internet service name. Source firewall.internet-service-custom.name. |
internet_service_custom_group list | | Custom Internet Service group list. |
name string / required | | Custom Internet Service group name. Source firewall.internet-service-custom-group.name. |
internet_service_group list | | Internet Service group list. |
name string / required | | Internet Service group name. Source firewall.internet-service-group.name. |
internet_service_id list | | Internet service ID list. |
id integer / required | | Internet service ID. Source firewall.internet-service.id. |
jitter_weight integer | | Coefficient of jitter in the formula of custom-profile-1. |
latency_weight integer | | Coefficient of latency in the formula of custom-profile-1. |
link_cost_factor string | | Link cost factor. |
link_cost_threshold integer | | Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000). |
member integer | | Member sequence number. |
mode string | | Control how the priority rule sets the priority of interfaces in the SD-WAN. |
name string | | Priority rule name. |
packet_loss_weight integer | | Coefficient of packet-loss in the formula of custom-profile-1. |
priority_members list | | Member sequence number list. |
seq_num integer | | Member sequence number. Source system.virtual-wan-link.members.seq-num. |
protocol integer | | Protocol number. |
quality_link integer | | Quality grade. |
route_tag integer | | IPv4 route map route-tag. |
sla list | | Service level agreement (SLA). |
health_check string | | Virtual WAN Link health-check. Source system.virtual-wan-link.health-check.name. |
id integer | | SLA ID. |
src list | | Source address name. |
name string / required | | Address or address group name. Source firewall.address.name firewall.addrgrp.name. |
src6 list | | Source address6 name. |
name string / required | | Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name. |
src_negate string | | Enable/disable negation of source address match. |
start_port integer | | Start destination port number. |
status string | | Enable/disable SD-WAN service. |
tos string | | Type of service bit pattern. |
tos_mask string | | Type of service evaluated bits. |
users list | | User name. |
name string / required | | User name. Source user.local.name. |
status string | | Enable/disable SD-WAN. |
username string | | FortiOS or FortiGate username. |
vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |
Notes
- Requires fortiosapi library developed by Fortinet
- Run as a local_action in your playbook
Examples
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
    # Defined here but not passed to the task below.
    ssl_verify: "False"
  tasks:
  - name: Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
    fortios_system_virtual_wan_link:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      # With https "False" the login and the configuration travel over plain HTTP.
      https: "False"
      system_virtual_wan_link:
        fail_alert_interfaces:
        - name: "default_name_4 (source system.interface.name)"
        fail_detect: "enable"
        health_check:
        - addr_mode: "ipv4"
          failtime: "8"
          http_agent: "<your_own_value>"
          http_get: "<your_own_value>"
          http_match: "<your_own_value>"
          interval: "12"
          members:
          - seq_num: "14 (source system.virtual-wan-link.members.seq-num)"
          name: "default_name_15"
          packet_size: "16"
          password: "<your_own_value>"
          port: "18"
          protocol: "ping"
          recoverytime: "20"
          security_mode: "none"
          server: "192.168.100.40"
          sla:
          - id: "24"
            jitter_threshold: "25"
            latency_threshold: "26"
            link_cost_factor: "latency"
            packetloss_threshold: "28"
          threshold_alert_jitter: "29"
          threshold_alert_latency: "30"
          threshold_alert_packetloss: "31"
          threshold_warning_jitter: "32"
          threshold_warning_latency: "33"
          threshold_warning_packetloss: "34"
          update_cascade_interface: "enable"
          update_static_route: "enable"
        load_balance_mode: "source-ip-based"
        members:
        - comment: "Comments."
          gateway: "<your_own_value>"
          gateway6: "<your_own_value>"
          ingress_spillover_threshold: "42"
          interface: "<your_own_value> (source system.interface.name)"
          priority: "44"
          seq_num: "45"
          source: "<your_own_value>"
          source6: "<your_own_value>"
          spillover_threshold: "48"
          status: "disable"
          volume_ratio: "50"
          weight: "51"
        service:
        - addr_mode: "ipv4"
          bandwidth_weight: "54"
          default: "enable"
          dscp_forward: "enable"
          dscp_forward_tag: "<your_own_value>"
          dscp_reverse: "enable"
          dscp_reverse_tag: "<your_own_value>"
          dst:
          - name: "default_name_61 (source firewall.address.name firewall.addrgrp.name)"
          dst_negate: "enable"
          dst6:
          - name: "default_name_64 (source firewall.address6.name firewall.addrgrp6.name)"
          end_port: "65"
          gateway: "enable"
          groups:
          - name: "default_name_68 (source user.group.name)"
          health_check: "<your_own_value> (source system.virtual-wan-link.health-check.name)"
          hold_down_time: "70"
          id: "71"
          input_device:
          - name: "default_name_73 (source system.interface.name)"
          internet_service: "enable"
          internet_service_ctrl:
          - id: "76"
          internet_service_ctrl_group:
          - name: "default_name_78 (source application.group.name)"
          internet_service_custom:
          - name: "default_name_80 (source firewall.internet-service-custom.name)"
          internet_service_custom_group:
          - name: "default_name_82 (source firewall.internet-service-custom-group.name)"
          internet_service_group:
          - name: "default_name_84 (source firewall.internet-service-group.name)"
          internet_service_id:
          - id: "86 (source firewall.internet-service.id)"
          jitter_weight: "87"
          latency_weight: "88"
          link_cost_factor: "latency"
          link_cost_threshold: "90"
          member: "91"
          mode: "auto"
          name: "default_name_93"
          packet_loss_weight: "94"
          priority_members:
          - seq_num: "96 (source system.virtual-wan-link.members.seq-num)"
          protocol: "97"
          quality_link: "98"
          route_tag: "99"
          sla:
          - health_check: "<your_own_value> (source system.virtual-wan-link.health-check.name)"
            id: "102"
          src:
          - name: "default_name_104 (source firewall.address.name firewall.addrgrp.name)"
          src_negate: "enable"
          src6:
          - name: "default_name_107 (source firewall.address6.name firewall.addrgrp6.name)"
          start_port: "108"
          status: "enable"
          tos: "<your_own_value>"
          tos_mask: "<your_own_value>"
          users:
          - name: "default_name_113 (source user.local.name)"
        status: "disable"
```
Return Values
Common return values are documented separately; the following fields are unique to this module:
Key | Returned | Description |
---|---|---|
build string | always | Build number of the FortiGate image Sample: 1547 |
http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
name string | always | Name of the table used to fulfill the request Sample: urlfilter |
path string | always | Path of the table used to fulfill the request Sample: webfilter |
revision string | always | Internal revision number Sample: 17.0.2.10658 |
serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
status string | always | Indication of the operation's result Sample: success |
vdom string | always | Virtual domain used Sample: root |
version string | always | Version of the FortiGate Sample: v5.6.3 |
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_system_virtual_wan_link_module.html