fortios_system_ha – Configure HA in Fortinet’s FortiOS and FortiGate

New in version 2.9.

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the ha category of the system feature. The example below includes every parameter; values must be adjusted to your own datasources before use. Tested with FOS v6.0.5.

Requirements

The requirements below are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
string
FortiOS or FortiGate IP address.
https
boolean
    Choices:
  • no
  • yes ←
Indicates whether requests to the FortiGate must use HTTPS. With no, the administrator credentials and the HA cluster password and key carried in system_ha are sent in cleartext.
password
string
Default:
""
FortiOS or FortiGate password.
ssl_verify
boolean
    Choices:
  • no
  • yes ←
When enabled, the FortiGate's TLS certificate must be verified against a trusted CA. Disabling verification leaves the management session open to interception; for a self-signed FortiGate certificate, install the signing CA on the control host rather than turning this off.
system_ha
dictionary
Default:
null
Configure HA.
arps
integer
Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce failover time.
arps_interval
integer
Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher to reduce traffic.
authentication
string
    Choices:
  • enable
  • disable
Enable/disable heartbeat message authentication.
cpu_threshold
string
Dynamic weighted load balancing CPU usage weight and high and low thresholds.
encryption
string
    Choices:
  • enable
  • disable
Enable/disable heartbeat message encryption.
ftp_proxy_threshold
string
Dynamic weighted load balancing weight and high and low number of FTP proxy sessions.
gratuitous_arps
string
    Choices:
  • enable
  • disable
Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled.
group_id
integer
Cluster group ID (0 - 255). Must be the same for all members.
group_name
string
Cluster group name. Must be the same for all members.
ha_direct
string
    Choices:
  • enable
  • disable
Enable/disable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, and FortiSandbox.
ha_eth_type
string
HA heartbeat packet Ethertype (4-digit hex).
ha_mgmt_interfaces
list
Reserve interfaces to manage individual cluster units.
dst
string
Default route destination for reserved HA management interface.
gateway
string
Default route gateway for reserved HA management interface.
gateway6
string
Default IPv6 gateway for reserved HA management interface.
id
integer / required
Table ID.
interface
string
Interface to reserve for HA management. Source system.interface.name.
ha_mgmt_status
string
    Choices:
  • enable
  • disable
Enable to reserve interfaces to manage individual cluster units.
ha_uptime_diff_margin
integer
Uptime difference margin (seconds) applied when comparing member uptimes during primary selection. Normally you would only reduce this value for failover testing.
hb_interval
integer
Time between sending heartbeat packets (1 - 20 (100*ms)). Increase to reduce false positives.
hb_lost_threshold
integer
Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false positives.
hbdev
string
Heartbeat interfaces. Must be the same for all members.
hc_eth_type
string
Transparent mode HA heartbeat packet Ethertype (4-digit hex).
hello_holddown
integer
Time to wait before changing from hello to work state (5 - 300 sec).
http_proxy_threshold
string
Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions.
imap_proxy_threshold
string
Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions.
inter_cluster_session_sync
string
    Choices:
  • enable
  • disable
Enable/disable synchronization of sessions among HA clusters.
key
string
key
l2ep_eth_type
string
Telnet session HA heartbeat packet Ethertype (4-digit hex).
link_failed_signal
string
    Choices:
  • enable
  • disable
Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network.
load_balance_all
string
    Choices:
  • enable
  • disable
Enable to load balance TCP sessions. Disable to load balance proxy sessions only.
memory_compatible_mode
string
    Choices:
  • enable
  • disable
Enable/disable memory compatible mode.
memory_threshold
string
Dynamic weighted load balancing memory usage weight and high and low thresholds.
mode
string
    Choices:
  • standalone
  • a-a
  • a-p
HA mode. Must be the same for all members. FGSP requires standalone.
monitor
string
Interfaces to check for port monitoring (or link failure). Source system.interface.name.
multicast_ttl
integer
HA multicast TTL on master (5 - 3600 sec).
nntp_proxy_threshold
string
Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions.
override
string
    Choices:
  • enable
  • disable
Enable and increase the priority of the unit that should always be primary (master).
override_wait_time
integer
Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates.
password
string
Cluster password. Must be the same for all members.
pingserver_failover_threshold
integer
Remote IP monitoring failover threshold (0 - 50).
pingserver_flip_timeout
integer
Time to wait in minutes before renegotiating after a remote IP monitoring failover.
pingserver_monitor_interface
string
Interfaces to check for remote IP monitoring. Source system.interface.name.
pingserver_slave_force_reset
string
    Choices:
  • enable
  • disable
Enable to force the cluster to negotiate after a remote IP monitoring failover.
pop3_proxy_threshold
string
Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions.
priority
integer
Increase the priority to select the primary unit (0 - 255).
route_hold
integer
Time to wait between routing table updates to the cluster (0 - 3600 sec).
route_ttl
integer
TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes during failover.
route_wait
integer
Time to wait before sending new routes to the cluster (0 - 3600 sec).
schedule
string
    Choices:
  • none
  • hub
  • leastconnection
  • round-robin
  • weight-round-robin
  • random
  • ip
  • ipport
Type of A-A load balancing. Use none if you have external load balancers.
secondary_vcluster
dictionary
Configure virtual cluster 2.
monitor
string
Interfaces to check for port monitoring (or link failure). Source system.interface.name.
override
string
    Choices:
  • enable
  • disable
Enable and increase the priority of the unit that should always be primary (master).
override_wait_time
integer
Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates.
pingserver_failover_threshold
integer
Remote IP monitoring failover threshold (0 - 50).
pingserver_monitor_interface
string
Interfaces to check for remote IP monitoring. Source system.interface.name.
pingserver_slave_force_reset
string
    Choices:
  • enable
  • disable
Enable to force the cluster to negotiate after a remote IP monitoring failover.
priority
integer
Increase the priority to select the primary unit (0 - 255).
vcluster_id
integer
Cluster ID.
vdom
string
VDOMs in virtual cluster 2.
session_pickup
string
    Choices:
  • enable
  • disable
Enable/disable session pickup. Enabling it can reduce session down time when fail over happens.
session_pickup_connectionless
string
    Choices:
  • enable
  • disable
Enable/disable UDP and ICMP session sync for FGSP.
session_pickup_delay
string
    Choices:
  • enable
  • disable
Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced.
session_pickup_expectation
string
    Choices:
  • enable
  • disable
Enable/disable session helper expectation session sync for FGSP.
session_pickup_nat
string
    Choices:
  • enable
  • disable
Enable/disable NAT session sync for FGSP.
session_sync_dev
string
Offload session sync to one or more interfaces to distribute traffic and prevent delays if needed. Source system.interface.name.
smtp_proxy_threshold
string
Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions.
standalone_config_sync
string
    Choices:
  • enable
  • disable
Enable/disable FGSP configuration synchronization.
standalone_mgmt_vdom
string
    Choices:
  • enable
  • disable
Enable/disable standalone management VDOM.
sync_config
string
    Choices:
  • enable
  • disable
Enable/disable configuration synchronization.
sync_packet_balance
string
    Choices:
  • enable
  • disable
Enable/disable HA packet distribution to multiple CPUs.
unicast_hb
string
    Choices:
  • enable
  • disable
Enable/disable unicast heartbeat.
unicast_hb_netmask
string
Unicast heartbeat netmask.
unicast_hb_peerip
string
Unicast heartbeat peer IP.
uninterruptible_upgrade
string
    Choices:
  • enable
  • disable
Enable to upgrade a cluster without blocking network traffic.
vcluster2
string
    Choices:
  • enable
  • disable
Enable/disable virtual cluster 2 for virtual clustering.
vcluster_id
integer
Cluster ID.
vdom
string
VDOMs in virtual cluster 1.
weight
string
Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>.
username
string
FortiOS or FortiGate username.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Configure HA.
    fortios_system_ha:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      system_ha:
        arps: "3"
        arps_interval: "4"
        authentication: "enable"
        cpu_threshold: "<your_own_value>"
        encryption: "enable"
        ftp_proxy_threshold: "<your_own_value>"
        gratuitous_arps: "enable"
        group_id: "10"
        group_name: "<your_own_value>"
        ha_direct: "enable"
        ha_eth_type: "<your_own_value>"
        ha_mgmt_interfaces:
         -
            dst: "<your_own_value>"
            gateway: "<your_own_value>"
            gateway6: "<your_own_value>"
            id:  "18"
            interface: "<your_own_value> (source system.interface.name)"
        ha_mgmt_status: "enable"
        ha_uptime_diff_margin: "21"
        hb_interval: "22"
        hb_lost_threshold: "23"
        hbdev: "<your_own_value>"
        hc_eth_type: "<your_own_value>"
        hello_holddown: "26"
        http_proxy_threshold: "<your_own_value>"
        imap_proxy_threshold: "<your_own_value>"
        inter_cluster_session_sync: "enable"
        key: "<your_own_value>"
        l2ep_eth_type: "<your_own_value>"
        link_failed_signal: "enable"
        load_balance_all: "enable"
        memory_compatible_mode: "enable"
        memory_threshold: "<your_own_value>"
        mode: "standalone"
        monitor: "<your_own_value> (source system.interface.name)"
        multicast_ttl: "38"
        nntp_proxy_threshold: "<your_own_value>"
        override: "enable"
        override_wait_time: "41"
        password: "<your_own_value>"
        pingserver_failover_threshold: "43"
        pingserver_flip_timeout: "44"
        pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
        pingserver_slave_force_reset: "enable"
        pop3_proxy_threshold: "<your_own_value>"
        priority: "48"
        route_hold: "49"
        route_ttl: "50"
        route_wait: "51"
        schedule: "none"
        secondary_vcluster:
            monitor: "<your_own_value> (source system.interface.name)"
            override: "enable"
            override_wait_time: "56"
            pingserver_failover_threshold: "57"
            pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
            pingserver_slave_force_reset: "enable"
            priority: "60"
            vcluster_id: "61"
            vdom: "<your_own_value>"
        session_pickup: "enable"
        session_pickup_connectionless: "enable"
        session_pickup_delay: "enable"
        session_pickup_expectation: "enable"
        session_pickup_nat: "enable"
        session_sync_dev: "<your_own_value> (source system.interface.name)"
        smtp_proxy_threshold: "<your_own_value>"
        standalone_config_sync: "enable"
        standalone_mgmt_vdom: "enable"
        sync_config: "enable"
        sync_packet_balance: "enable"
        unicast_hb: "enable"
        unicast_hb_netmask: "<your_own_value>"
        unicast_hb_peerip: "<your_own_value>"
        uninterruptible_upgrade: "enable"
        vcluster_id: "78"
        vcluster2: "enable"
        vdom: "<your_own_value>"
        weight: "<your_own_value>"
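The generated example above sets every parameter, pushes the configuration over plain HTTP, and declares ssl_verify without passing it to the task. The playbook below is an added example, not part of the module's own documentation: it configures a realistic active-passive pair with authenticated and encrypted heartbeats over a verified HTTPS management session, and then checks the module's return values. The interface names (port1 to port4, mgmt), the group ID and name, the gateway address, and the vault variable names are assumptions; the space-separated "port3" 50 "port4" 50 form for hbdev and "port1" "port2" for monitor follow the FortiOS CLI syntax and are also an assumption about what this module version accepts.

```yaml
- hosts: localhost
  gather_facts: no
  vars:
    host: "192.168.122.40"
    username: "admin"
    # Assumed: both secrets come from an ansible-vault encrypted vars file,
    # so neither the admin password nor the cluster password sits in the playbook.
    password: "{{ vault_fortigate_admin_password }}"
    vdom: "root"
    ssl_verify: "True"
  tasks:
  - name: Configure an active-passive HA cluster with authenticated, encrypted heartbeats
    fortios_system_ha:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      https: "True"                    # never push the cluster password over HTTP
      ssl_verify: "{{ ssl_verify }}"   # reject an unverifiable FortiGate certificate
      system_ha:
        mode: "a-p"
        group_id: "10"                 # assumed value; must match on every member
        group_name: "edge-cluster"     # assumed value; must match on every member
        password: "{{ vault_ha_cluster_password }}"
        # Assumed interface names; heartbeat links should be dedicated, directly
        # connected ports, not the data-plane interfaces.
        hbdev: "\"port3\" 50 \"port4\" 50"
        authentication: "enable"       # heartbeats are authenticated with the cluster password
        encryption: "enable"           # and encrypted, so a tap on the HA link learns nothing
        hb_interval: "2"               # 200 ms between heartbeats
        hb_lost_threshold: "6"         # ~1.2 s of lost heartbeats before failover
        monitor: "\"port1\" \"port2\"" # port monitoring on the data-plane links
        priority: "200"
        override: "disable"            # avoid a second failover when the old primary returns
        session_pickup: "enable"
        # Reserve a management interface per member so each unit stays reachable
        # individually and sends syslog/SNMP/RADIUS from its own address.
        ha_mgmt_status: "enable"
        ha_mgmt_interfaces:
          - id: "1"
            interface: "mgmt"          # assumed interface name
            gateway: "10.10.0.1"       # assumed gateway
        ha_direct: "enable"
    register: ha_result

  - name: Stop the play if the FortiGate did not accept the HA configuration
    assert:
      that:
        - ha_result.status == "success"
        - ha_result.http_status | string == "200"
      fail_msg: "HA configuration rejected: {{ ha_result }}"
```

Run it first with --check against a lab unit, and apply it to each cluster member in turn; the group_id, group_name, cluster password, hbdev and mode must be identical on all members or the units will not form a cluster.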

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)