fortinet.fortios.fortios_system_npu module – Configure NPU attributes in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.3.4).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install fortinet.fortios
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_system_npu
New in fortinet.fortios 2.0.0
Synopsis
This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the npu category of the system feature. The examples include all parameters, and their values need to be adjusted to your data sources before use. Tested with FOS v6.0.0.
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.14
Parameters
Parameter | Comments |
---|---|
access_token | Token-based authentication. Generated from GUI of FortiGate. |
enable_log | Enable/Disable logging for task. Choices: |
member_path | Member attribute path to operate on. Delimited by a slash character if there is more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
member_state | Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices: |
system_npu | Configure NPU attributes. |
system_npu.capwap_offload | Enable/disable offloading managed FortiAP and FortiLink CAPWAP sessions. Choices: |
system_npu.dedicated_management_affinity | Affinity setting for management daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). |
system_npu.dedicated_management_cpu | Enable to dedicate one CPU for GUI and CLI connections when NPs are busy. Choices: |
system_npu.fastpath | Enable/disable NP6 offloading (also called fast path). Choices: |
system_npu.gtp_enhanced_cpu_range | GTP enhanced CPU range option. Choices: |
system_npu.gtp_enhanced_mode | Enable/disable GTP enhanced mode. Choices: |
system_npu.intf_shaping_offload | Enable/disable NPU offload when doing interface-based traffic shaping according to the egress-shaping-profile. Choices: |
system_npu.ipsec_dec_subengine_mask | IPsec decryption subengine mask (0x1 - 0xff). |
system_npu.ipsec_enc_subengine_mask | IPsec encryption subengine mask (0x1 - 0xff). |
system_npu.ipsec_inbound_cache | Enable/disable IPsec inbound cache for anti-replay. Choices: |
system_npu.ipsec_mtu_override | Enable/disable NP6 IPsec MTU override. Choices: |
system_npu.ipsec_over_vlink | Enable/disable IPsec over vlink. Choices: |
system_npu.isf_np_queues | Configure queues of switch port connected to NP6 XAUI on ingress path. |
system_npu.isf_np_queues.cos0 | CoS profile name for CoS 0. Source system.isf-queue-profile.name. |
system_npu.isf_np_queues.cos1 | CoS profile name for CoS 1. Source system.isf-queue-profile.name. |
system_npu.isf_np_queues.cos2 | CoS profile name for CoS 2. Source system.isf-queue-profile.name. |
system_npu.isf_np_queues.cos3 | CoS profile name for CoS 3. Source system.isf-queue-profile.name. |
system_npu.isf_np_queues.cos4 | CoS profile name for CoS 4. Source system.isf-queue-profile.name. |
system_npu.isf_np_queues.cos5 | CoS profile name for CoS 5. Source system.isf-queue-profile.name. |
system_npu.isf_np_queues.cos6 | CoS profile name for CoS 6. Source system.isf-queue-profile.name. |
system_npu.isf_np_queues.cos7 | CoS profile name for CoS 7. Source system.isf-queue-profile.name. |
system_npu.lag_out_port_select | Enable/disable LAG outgoing port selection based on incoming traffic port. Choices: |
system_npu.mcast_session_accounting | Enable/disable traffic accounting for each multicast session through TAE counter. Choices: |
system_npu.port_cpu_map | Configure NPU interface to CPU core mapping. |
system_npu.port_cpu_map.cpu_core | The CPU core to map to an interface. |
system_npu.port_cpu_map.interface | The interface to map to a CPU core. |
system_npu.port_npu_map | Configure port to NPU group mapping. |
system_npu.port_npu_map.interface | Set NPU interface port for NPU group mapping. |
system_npu.port_npu_map.npu_group_index | Mapping NPU group index. |
system_npu.priority_protocol | Configure NPU priority protocol. |
system_npu.priority_protocol.bfd | Enable/disable NPU BFD priority protocol. Choices: |
system_npu.priority_protocol.bgp | Enable/disable NPU BGP priority protocol. Choices: |
system_npu.priority_protocol.slbc | Enable/disable NPU SLBC priority protocol. Choices: |
system_npu.qos_mode | QoS mode on switch and NP. Choices: |
system_npu.rdp_offload | Enable/disable RDP offload. Choices: |
system_npu.session_denied_offload | Enable/disable offloading of denied sessions. Requires ses-denied-traffic to be set. Choices: |
system_npu.sse_backpressure | Enable/disable SSE backpressure. Choices: |
system_npu.strip_clear_text_padding | Enable/disable stripping clear text padding. Choices: |
system_npu.strip_esp_padding | Enable/disable stripping ESP padding. Choices: |
system_npu.sw_eh_hash | Configure switch enhanced hashing. |
system_npu.sw_eh_hash.computation | Set hashing computation. Choices: |
system_npu.sw_eh_hash.destination_ip_lower_16 | Include/exclude destination IP address lower 16 bits. Choices: |
system_npu.sw_eh_hash.destination_ip_upper_16 | Include/exclude destination IP address upper 16 bits. Choices: |
system_npu.sw_eh_hash.destination_port | Include/exclude destination port if TCP/UDP. Choices: |
system_npu.sw_eh_hash.ip_protocol | Include/exclude IP protocol. Choices: |
system_npu.sw_eh_hash.netmask_length | Network mask length. |
system_npu.sw_eh_hash.source_ip_lower_16 | Include/exclude source IP address lower 16 bits. Choices: |
system_npu.sw_eh_hash.source_ip_upper_16 | Include/exclude source IP address upper 16 bits. Choices: |
system_npu.sw_eh_hash.source_port | Include/exclude source port if TCP/UDP. Choices: |
system_npu.sw_np_bandwidth | Bandwidth from switch to NP. Choices: |
system_npu.sw_tr_hash | Configure switch traditional hashing. |
system_npu.sw_tr_hash.draco15 | Enable/disable DRACO15 hashing. Choices: |
system_npu.sw_tr_hash.tcp_udp_port | Include/exclude TCP/UDP source and destination port for unicast trunk traffic. Choices: |
system_npu.uesp_offload | Enable/disable UDP-encapsulated ESP offload. Choices: |
vdom | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: |
Notes
Note
Legacy fortiosapi has been deprecated; httpapi is the preferred way to run playbooks.
Examples
```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # "no" turns off verification of the FortiGate's TLS certificate;
    # set this to yes when the device presents a certificate you can validate.
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure NPU attributes.
      fortios_system_npu:
        vdom: "{{ vdom }}"
        system_npu:
          capwap_offload: "enable"
          dedicated_management_affinity: "<your_own_value>"
          dedicated_management_cpu: "enable"
          fastpath: "disable"
          gtp_enhanced_cpu_range: "0"
          gtp_enhanced_mode: "enable"
          intf_shaping_offload: "enable"
          ipsec_dec_subengine_mask: "<your_own_value>"
          ipsec_enc_subengine_mask: "<your_own_value>"
          ipsec_inbound_cache: "enable"
          ipsec_mtu_override: "disable"
          ipsec_over_vlink: "enable"
          # Queue profiles for the switch port connected to NP6 XAUI (ingress path)
          isf_np_queues:
            cos0: "<your_own_value> (source system.isf-queue-profile.name)"
            cos1: "<your_own_value> (source system.isf-queue-profile.name)"
            cos2: "<your_own_value> (source system.isf-queue-profile.name)"
            cos3: "<your_own_value> (source system.isf-queue-profile.name)"
            cos4: "<your_own_value> (source system.isf-queue-profile.name)"
            cos5: "<your_own_value> (source system.isf-queue-profile.name)"
            cos6: "<your_own_value> (source system.isf-queue-profile.name)"
            cos7: "<your_own_value> (source system.isf-queue-profile.name)"
          lag_out_port_select: "disable"
          mcast_session_accounting: "tpe-based"
          # NPU interface to CPU core mapping (list of entries)
          port_cpu_map:
            - cpu_core: "<your_own_value>"
              interface: "<your_own_value>"
          # Port to NPU group mapping (list of entries)
          port_npu_map:
            - interface: "<your_own_value>"
              npu_group_index: "0"
          priority_protocol:
            bfd: "enable"
            bgp: "enable"
            slbc: "enable"
          qos_mode: "disable"
          rdp_offload: "enable"
          session_denied_offload: "disable"
          sse_backpressure: "enable"
          strip_clear_text_padding: "enable"
          strip_esp_padding: "enable"
          # Switch enhanced hashing
          sw_eh_hash:
            computation: "xor16"
            destination_ip_lower_16: "include"
            destination_ip_upper_16: "include"
            destination_port: "include"
            ip_protocol: "include"
            netmask_length: "32"
            source_ip_lower_16: "include"
            source_ip_upper_16: "include"
            source_port: "include"
          sw_np_bandwidth: "0G"
          # Switch traditional hashing
          sw_tr_hash:
            draco15: "enable"
            tcp_udp_port: "include"
          uesp_offload: "enable"
```
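A narrower variant of the playbook above, added here as an example and not taken from the collection's documentation: it keeps TLS certificate validation on, reads the API token from a vaulted variable, and sets only two of the attributes listed under Parameters. The variable name fortigate_access_token and the choice of attributes are assumptions made for illustration.

```yaml
# Added example, not part of the fortinet.fortios documentation.
- hosts: fortigates
  connection: httpapi
  gather_facts: no
  vars:
    vdom: "root"
    # Normally set in the inventory; shown here so the play is self-contained.
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: yes
    # Verify the FortiGate's certificate so the token is only sent to an
    # endpoint whose identity has been checked.
    ansible_httpapi_validate_certs: yes
    ansible_httpapi_port: 443
  tasks:
    - name: Fail early if the vaulted token is missing
      ansible.builtin.assert:
        that:
          # fortigate_access_token is a hypothetical variable name,
          # expected to come from an ansible-vault encrypted vars file.
          - fortigate_access_token is defined
          - fortigate_access_token | length > 0
        quiet: yes
      no_log: true

    - name: Set only the NPU attributes this change is about
      fortinet.fortios.fortios_system_npu:
        vdom: "{{ vdom }}"
        access_token: "{{ fortigate_access_token }}"
        system_npu:
          # IPsec inbound cache for anti-replay
          ipsec_inbound_cache: "enable"
          # Dedicate one CPU for GUI and CLI connections when NPs are busy
          dedicated_management_cpu: "enable"
      register: npu_result

    - name: Show whether the device configuration changed
      ansible.builtin.debug:
        var: npu_result.changed
```

Attributes left out of system_npu are not sent in the task, which keeps the change reviewable; the full example above sets every attribute at once.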
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Description |
---|---|
build | Build number of the FortiGate image. Returned: always. Sample: |
http_method | Last method used to provision the content into FortiGate. Returned: always. Sample: |
http_status | Last result given by FortiGate on last operation applied. Returned: always. Sample: |
mkey | Master key (id) used in the last call to FortiGate. Returned: success. Sample: |
name | Name of the table used to fulfill the request. Returned: always. Sample: |
path | Path of the table used to fulfill the request. Returned: always. Sample: |
revision | Internal revision number. Returned: always. Sample: |
serial | Serial number of the unit. Returned: always. Sample: |
status | Indication of the operation’s result. Returned: always. Sample: |
vdom | Virtual domain used. Returned: always. Sample: |
version | Version of the FortiGate. Returned: always. Sample: |