fortinet.fortios.fortios_system_sdwan module – Configure redundant Internet connections with multiple outbound links and health-check profiles in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.3.4).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_system_sdwan.
New in fortinet.fortios 2.0.0
Synopsis
This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the sdwan category of the system feature. The examples include all parameters; their values need to be adjusted to the datasources before use. Tested with FOS v6.0.0.
Requirements
The requirements below are needed on the host that executes this module.
ansible>=2.14
Parameters
Parameter | Comments
---|---
access_token | Token-based authentication. Generated from the GUI of the FortiGate.
enable_log | Enable/disable logging for the task.
member_path | Member attribute path to operate on. Delimited by a slash character if there is more than one attribute. Parameters marked with member_path are legitimate for member operations.
member_state | Add or delete a member under the specified attribute path. When member_state is specified, the state option is ignored.
system_sdwan | Configure redundant Internet connections with multiple outbound links and health-check profiles. The parameters below are nested under it; nested paths are written with a slash.
app_perf_log_period | Time interval in seconds at which application performance logs are generated (0 - 3600).
duplication | Create SD-WAN duplication rule.
duplication/dstaddr | Destination address or address group names.
duplication/dstaddr/name | Address or address group name. Source firewall.address.name firewall.addrgrp.name.
duplication/dstaddr6 | Destination address6 or address6 group names.
duplication/dstaddr6/name | Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
duplication/dstintf | Outgoing (egress) interfaces or zones.
duplication/dstintf/name | Interface, zone or SD-WAN zone name. Source system.interface.name system.zone.name system.sdwan.zone.name.
duplication/id | Duplication rule ID (1 - 255). See Notes.
duplication/packet_de_duplication | Enable/disable discarding of packets that have been duplicated.
duplication/packet_duplication | Configure packet duplication method.
duplication/service | Service and service group names.
duplication/service/name | Service and service group name. Source firewall.service.custom.name firewall.service.group.name.
duplication/service_id | SD-WAN service rule ID list.
duplication/service_id/id | SD-WAN service rule ID. See Notes. Source system.sdwan.service.id.
duplication/sla_match_service | Enable/disable packet duplication matching health-check SLAs in the service rule.
duplication/srcaddr | Source address or address group names.
duplication/srcaddr/name | Address or address group name. Source firewall.address.name firewall.addrgrp.name.
duplication/srcaddr6 | Source address6 or address6 group names.
duplication/srcaddr6/name | Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
duplication/srcintf | Incoming (ingress) interfaces or zones.
duplication/srcintf/name | Interface, zone or SD-WAN zone name. Source system.interface.name system.zone.name system.sdwan.zone.name.
duplication_max_num | Maximum number of interface members a packet is duplicated to in the SD-WAN zone (2 - 4).
fail_alert_interfaces | Physical interfaces that will be alerted.
fail_alert_interfaces/name | Physical interface name. Source system.interface.name.
fail_detect | Enable/disable SD-WAN Internet connection status checking (failure detection).
health_check | SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
health_check/addr_mode | Address mode (IPv4 or IPv6).
health_check/class_id | Traffic class ID. Source firewall.traffic-class.class-id.
health_check/detect_mode | The mode determining how to detect the server.
health_check/diffservcode | Differentiated services code point (DSCP) in the IP header of the probe packet.
health_check/dns_match_ip | Response IP expected from the DNS server if the protocol is DNS.
health_check/dns_request_domain | Fully qualified domain name to resolve for the DNS probe.
health_check/embed_measured_health | Enable/disable embedding measured health information.
health_check/failtime | Number of failures before the server is considered lost (1 - 3600).
health_check/ftp_file | Full path and file name on the FTP server to download for the FTP health check to probe.
health_check/ftp_mode | FTP mode.
health_check/ha_priority | HA election priority (1 - 50).
health_check/http_agent | String in the http-agent field in the HTTP header.
health_check/http_get | URL used to communicate with the server if the protocol is HTTP.
health_check/http_match | Response string expected from the server if the protocol is HTTP.
health_check/interval | Status check interval in milliseconds, or the time between attempts to connect to the server (20 - 3600*1000 msec).
health_check/members | Member sequence number list.
health_check/members/seq_num | Member sequence number. See Notes. Source system.sdwan.members.seq-num.
health_check/mos_codec | Codec to use for MOS calculation.
health_check/name | Status check or health check name.
health_check/packet_size | Packet size of a TWAMP test session (124/158 - 1024).
health_check/password | TWAMP controller password in authentication mode.
health_check/port | Port number used to communicate with the server over the selected protocol (0 - 65535).
health_check/probe_count | Number of most recent probes that should be used to calculate latency and jitter (5 - 30).
health_check/probe_packets | Enable/disable transmission of probe packets.
health_check/probe_timeout | Time to wait before a probe packet is considered lost (20 - 3600*1000 msec).
health_check/protocol | Protocol used to determine if the FortiGate can communicate with the server.
health_check/quality_measured_method | Method to measure the quality of tcp-connect.
health_check/recoverytime | Number of successful responses received before the server is considered recovered (1 - 3600).
health_check/security_mode | TWAMP controller security mode.
health_check/server | IP address or FQDN of the server.
health_check/sla | Service level agreement (SLA).
health_check/sla/id | SLA ID. See Notes.
health_check/sla/jitter_threshold | Jitter for the SLA to make a decision, in milliseconds (0 - 10000000).
health_check/sla/latency_threshold | Latency for the SLA to make a decision, in milliseconds (0 - 10000000).
health_check/sla/link_cost_factor | Criteria on which to base link selection.
health_check/sla/mos_threshold | Minimum Mean Opinion Score for the SLA to be marked as pass (1.0 - 5.0).
health_check/sla/packetloss_threshold | Packet loss for the SLA to make a decision, in percent (0 - 100).
health_check/sla/priority_in_sla | Value to be distributed into the routing table when in SLA (0 - 65535).
health_check/sla/priority_out_sla | Value to be distributed into the routing table when out of SLA (0 - 65535).
health_check/sla_fail_log_period | Time interval in seconds at which SLA fail log messages are generated (0 - 3600).
health_check/sla_id_redistribute | Select the ID from the SLA sub-table. The selected SLA's priority value will be distributed into the routing table (0 - 32).
health_check/sla_pass_log_period | Time interval in seconds at which SLA pass log messages are generated (0 - 3600).
health_check/source | Source IP address used in the health-check packet to the server.
health_check/source6 | Source IPv6 address used in the health-check packet to the server.
health_check/system_dns | Enable/disable use of the system DNS as the probe server.
health_check/threshold_alert_jitter | Alert threshold for jitter (ms).
health_check/threshold_alert_latency | Alert threshold for latency (ms).
health_check/threshold_alert_packetloss | Alert threshold for packet loss (percentage).
health_check/threshold_warning_jitter | Warning threshold for jitter (ms).
health_check/threshold_warning_latency | Warning threshold for latency (ms).
health_check/threshold_warning_packetloss | Warning threshold for packet loss (percentage).
health_check/update_cascade_interface | Enable/disable updating the cascade interface.
health_check/update_static_route | Enable/disable updating the static route.
health_check/user | The user name to access the probe server.
health_check/vrf | Virtual Routing Forwarding ID.
load_balance_mode | Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
members | FortiGate interfaces added to the SD-WAN.
members/comment | Comments.
members/cost | Cost of this interface for services in SLA mode (0 - 4294967295).
members/gateway | The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.
members/gateway6 | IPv6 gateway.
members/ingress_spillover_threshold | Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
members/interface | Interface name. Source system.interface.name.
members/preferred_source | Preferred source of route for this member.
members/priority | Priority of the interface for IPv4 (1 - 65535). Used for SD-WAN rules or priority rules.
members/priority6 | Priority of the interface for IPv6 (1 - 65535). Used for SD-WAN rules or priority rules.
members/seq_num | Sequence number (1 - 512). See Notes.
members/source | Source IP address used in the health-check packet to the server.
members/source6 | Source IPv6 address used in the health-check packet to the server.
members/spillover_threshold | Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
members/status | Enable/disable this interface in the SD-WAN.
members/volume_ratio | Measured volume ratio (this value / sum of all values = percentage of link volume, 1 - 255).
members/weight | Weight of this interface for weighted load balancing (1 - 255). More traffic is directed to interfaces with higher weights.
members/zone | Zone name. Source system.sdwan.zone.name.
neighbor | Create SD-WAN neighbor from BGP neighbor table to control route advertisements according to SLA status.
neighbor/health_check | SD-WAN health-check name. Source system.sdwan.health-check.name.
neighbor/ip | IP/IPv6 address of neighbor or neighbor-group name. Source router.bgp.neighbor-group.name router.bgp.neighbor.ip.
neighbor/member | Member sequence number list. Source system.sdwan.members.seq-num.
neighbor/member/seq_num | Member sequence number. See Notes. Source system.sdwan.members.seq-num.
neighbor/minimum_sla_meet_members | Minimum number of members which meet the SLA when the neighbor is preferred.
neighbor/mode | Metric used to select the neighbor.
neighbor/role | Role of neighbor.
neighbor/service_id | SD-WAN service ID to work with the neighbor. Source system.sdwan.service.id.
neighbor/sla_id | SLA ID.
neighbor_hold_boot_time | Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start (0 - 10000000).
neighbor_hold_down | Enable/disable hold switching from the secondary neighbor to the primary neighbor.
neighbor_hold_down_time | Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled (0 - 10000000).
service | Create SD-WAN rules (also called services) to control how sessions are distributed to interfaces in the SD-WAN.
service/addr_mode | Address mode (IPv4 or IPv6).
service/agent_exclusive | Set/unset the service for exclusive agent use.
service/bandwidth_weight | Coefficient of the reciprocal of available bidirectional bandwidth in the formula of custom-profile-1.
service/default | Enable/disable use of SD-WAN as the default service.
service/dscp_forward | Enable/disable forward traffic DSCP tag.
service/dscp_forward_tag | Forward traffic DSCP tag.
service/dscp_reverse | Enable/disable reverse traffic DSCP tag.
service/dscp_reverse_tag | Reverse traffic DSCP tag.
service/dst | Destination address name.
service/dst/name | Address or address group name. Source firewall.address.name firewall.addrgrp.name.
service/dst6 | Destination address6 name.
service/dst6/name | Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
service/dst_negate | Enable/disable negation of destination address match.
service/end_port | End destination port number.
service/end_src_port | End source port number.
service/gateway | Enable/disable SD-WAN service gateway.
service/groups | User groups.
service/groups/name | Group name. Source user.group.name.
service/hash_mode | Hash algorithm for selected priority members for load balance mode.
service/health_check | Health check list.
service/health_check/name | Health check name. Source system.sdwan.health-check.name.
service/hold_down_time | Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000).
service/id | SD-WAN rule ID (1 - 4000). See Notes.
service/input_device | Source interface name.
service/input_device/name | Interface name. Source system.interface.name.
service/input_device_negate | Enable/disable negation of input device match.
service/input_zone | Source input-zone name.
service/input_zone/name | Zone. Source system.sdwan.zone.name.
service/internet_service | Enable/disable use of Internet service for application-based load balancing.
service/internet_service_app_ctrl | Application control based Internet Service ID list.
service/internet_service_app_ctrl/id | Application control based Internet Service ID. See Notes.
service/internet_service_app_ctrl_category | IDs of one or more application control categories.
service/internet_service_app_ctrl_category/id | Application control category ID. See Notes.
service/internet_service_app_ctrl_group | Application control based Internet Service group list.
service/internet_service_app_ctrl_group/name | Application control based Internet Service group name. Source application.group.name.
service/internet_service_custom | Custom Internet service name list.
service/internet_service_custom/name | Custom Internet service name. Source firewall.internet-service-custom.name.
service/internet_service_custom_group | Custom Internet Service group list.
service/internet_service_custom_group/name | Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
service/internet_service_group | Internet Service group list.
service/internet_service_group/name | Internet Service group name. Source firewall.internet-service-group.name.
service/internet_service_name | Internet service name list.
service/internet_service_name/name | Internet service name. Source firewall.internet-service-name.name.
service/jitter_weight | Coefficient of jitter in the formula of custom-profile-1.
service/latency_weight | Coefficient of latency in the formula of custom-profile-1.
service/link_cost_factor | Link cost factor.
service/link_cost_threshold | Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000).
service/load_balance | Enable/disable load-balance.
service/minimum_sla_meet_members | Minimum number of members which meet the SLA.
service/mode | Control how the SD-WAN rule sets the priority of interfaces in the SD-WAN.
service/name | SD-WAN rule name.
service/packet_loss_weight | Coefficient of packet-loss in the formula of custom-profile-1.
service/passive_measurement | Enable/disable passive measurement based on the service criteria.
service/priority_members | Member sequence number list.
service/priority_members/seq_num | Member sequence number. See Notes. Source system.sdwan.members.seq-num.
service/priority_zone | Priority zone name list.
service/priority_zone/name | Priority zone name. Source system.sdwan.zone.name.
service/protocol | Protocol number.
service/quality_link | Quality grade.
service/role | Service role to work with neighbor.
service/route_tag | IPv4 route map route-tag.
service/shortcut | Enable/disable shortcut for this service.
service/shortcut_stickiness | Enable/disable shortcut-stickiness of ADVPN.
service/sla | Service level agreement (SLA).
service/sla/health_check | SD-WAN health-check. Source system.sdwan.health-check.name.
service/sla/id | SLA ID.
service/sla_compare_method | Method to compare SLA value for SLA mode.
service/sla_stickiness | Enable/disable SLA stickiness.
service/src | Source address name.
service/src/name | Address or address group name. Source firewall.address.name firewall.addrgrp.name.
service/src6 | Source address6 name.
service/src6/name | Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
service/src_negate | Enable/disable negation of source address match.
service/standalone_action | Enable/disable service when the selected neighbor role is standalone while the service role is not standalone.
service/start_port | Start destination port number.
service/start_src_port | Start source port number.
service/status | Enable/disable SD-WAN service.
service/tie_break | Method of selecting a member if more than one meets the SLA.
service/tos | Type of service bit pattern.
service/tos_mask | Type of service evaluated bits.
service/use_shortcut_sla | Enable/disable use of ADVPN shortcut for quality comparison.
service/users | User names.
service/users/name | User name. Source user.local.name.
service/zone_mode | Enable/disable zone mode.
speedtest_bypass_routing | Enable/disable bypass routing when running a speedtest on an SD-WAN member.
status | Enable/disable SD-WAN.
zone | Configure SD-WAN zones.
zone/minimum_sla_meet_members | Minimum number of members which meet the SLA when the neighbor is preferred.
zone/name | Zone name.
zone/service_sla_tie_break | Method of selecting a member if more than one meets the SLA.
vdom | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
Notes
Note
Legacy fortiosapi has been deprecated; httpapi is the preferred way to run playbooks.
Examples
```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure redundant Internet connections with multiple outbound links and health-check profiles.
      fortios_system_sdwan:
        vdom: "{{ vdom }}"
        system_sdwan:
          app_perf_log_period: "0"
          duplication:
            - dstaddr:
                - name: "default_name_6 (source firewall.address.name firewall.addrgrp.name)"
              dstaddr6:
                - name: "default_name_8 (source firewall.address6.name firewall.addrgrp6.name)"
              dstintf:
                - name: "default_name_10 (source system.interface.name system.zone.name system.sdwan.zone.name)"
              id: "11"
              packet_de_duplication: "enable"
              packet_duplication: "disable"
              service:
                - name: "default_name_15 (source firewall.service.custom.name firewall.service.group.name)"
              service_id:
                - id: "17 (source system.sdwan.service.id)"
              sla_match_service: "enable"
              srcaddr:
                - name: "default_name_20 (source firewall.address.name firewall.addrgrp.name)"
              srcaddr6:
                - name: "default_name_22 (source firewall.address6.name firewall.addrgrp6.name)"
              srcintf:
                - name: "default_name_24 (source system.interface.name system.zone.name system.sdwan.zone.name)"
          duplication_max_num: "2"
          fail_alert_interfaces:
            - name: "default_name_27 (source system.interface.name)"
          fail_detect: "enable"
          health_check:
            - addr_mode: "ipv4"
              class_id: "0"
              detect_mode: "active"
              diffservcode: "<your_own_value>"
              dns_match_ip: "<your_own_value>"
              dns_request_domain: "<your_own_value>"
              embed_measured_health: "enable"
              failtime: "5"
              ftp_file: "<your_own_value>"
              ftp_mode: "passive"
              ha_priority: "1"
              http_agent: "<your_own_value>"
              http_get: "<your_own_value>"
              http_match: "<your_own_value>"
              interval: "500"
              members:
                - seq_num: "<your_own_value>"
              mos_codec: "g711"
              name: "default_name_48"
              packet_size: "124"
              password: "<your_own_value>"
              port: "0"
              probe_count: "30"
              probe_packets: "disable"
              probe_timeout: "500"
              protocol: "ping"
              quality_measured_method: "half-open"
              recoverytime: "5"
              security_mode: "none"
              server: "192.168.100.40"
              sla:
                - id: "61"
                  jitter_threshold: "5"
                  latency_threshold: "5"
                  link_cost_factor: "latency"
                  mos_threshold: "<your_own_value>"
                  packetloss_threshold: "0"
                  priority_in_sla: "0"
                  priority_out_sla: "0"
              sla_fail_log_period: "0"
              sla_id_redistribute: "0"
              sla_pass_log_period: "0"
              source: "<your_own_value>"
              source6: "<your_own_value>"
              system_dns: "disable"
              threshold_alert_jitter: "0"
              threshold_alert_latency: "0"
              threshold_alert_packetloss: "0"
              threshold_warning_jitter: "0"
              threshold_warning_latency: "0"
              threshold_warning_packetloss: "0"
              update_cascade_interface: "enable"
              update_static_route: "enable"
              user: "<your_own_value>"
              vrf: "0"
          load_balance_mode: "source-ip-based"
          members:
            - comment: "Comments."
              cost: "0"
              gateway: "<your_own_value>"
              gateway6: "<your_own_value>"
              ingress_spillover_threshold: "0"
              interface: "<your_own_value> (source system.interface.name)"
              preferred_source: "<your_own_value>"
              priority: "1"
              priority6: "1024"
              seq_num: "<your_own_value>"
              source: "<your_own_value>"
              source6: "<your_own_value>"
              spillover_threshold: "0"
              status: "disable"
              volume_ratio: "1"
              weight: "1"
              zone: "<your_own_value> (source system.sdwan.zone.name)"
          neighbor:
            - health_check: "<your_own_value> (source system.sdwan.health-check.name)"
              ip: "<your_own_value> (source router.bgp.neighbor-group.name router.bgp.neighbor.ip)"
              member:
                - seq_num: "<your_own_value>"
              minimum_sla_meet_members: "1"
              mode: "sla"
              role: "standalone"
              service_id: "0"
              sla_id: "0"
          neighbor_hold_boot_time: "0"
          neighbor_hold_down: "enable"
          neighbor_hold_down_time: "0"
          service:
            - addr_mode: "ipv4"
              agent_exclusive: "enable"
              bandwidth_weight: "0"
              default: "enable"
              dscp_forward: "enable"
              dscp_forward_tag: "<your_own_value>"
              dscp_reverse: "enable"
              dscp_reverse_tag: "<your_own_value>"
              dst:
                - name: "default_name_127 (source firewall.address.name firewall.addrgrp.name)"
              dst_negate: "enable"
              dst6:
                - name: "default_name_130 (source firewall.address6.name firewall.addrgrp6.name)"
              end_port: "65535"
              end_src_port: "65535"
              gateway: "enable"
              groups:
                - name: "default_name_135 (source user.group.name)"
              hash_mode: "round-robin"
              health_check:
                - name: "default_name_138 (source system.sdwan.health-check.name)"
              hold_down_time: "0"
              id: "140"
              input_device:
                - name: "default_name_142 (source system.interface.name)"
              input_device_negate: "enable"
              input_zone:
                - name: "default_name_145 (source system.sdwan.zone.name)"
              internet_service: "enable"
              internet_service_app_ctrl:
                - id: "148"
              internet_service_app_ctrl_category:
                - id: "150"
              internet_service_app_ctrl_group:
                - name: "default_name_152 (source application.group.name)"
              internet_service_custom:
                - name: "default_name_154 (source firewall.internet-service-custom.name)"
              internet_service_custom_group:
                - name: "default_name_156 (source firewall.internet-service-custom-group.name)"
              internet_service_group:
                - name: "default_name_158 (source firewall.internet-service-group.name)"
              internet_service_name:
                - name: "default_name_160 (source firewall.internet-service-name.name)"
              jitter_weight: "0"
              latency_weight: "0"
              link_cost_factor: "latency"
              link_cost_threshold: "10"
              load_balance: "enable"
              minimum_sla_meet_members: "0"
              mode: "auto"
              name: "default_name_168"
              packet_loss_weight: "0"
              passive_measurement: "enable"
              priority_members:
                - seq_num: "<your_own_value>"
              priority_zone:
                - name: "default_name_174 (source system.sdwan.zone.name)"
              protocol: "0"
              quality_link: "0"
              role: "standalone"
              route_tag: "0"
              shortcut: "enable"
              shortcut_stickiness: "enable"
              sla:
                - health_check: "<your_own_value> (source system.sdwan.health-check.name)"
                  id: "183"
              sla_compare_method: "order"
              sla_stickiness: "enable"
              src:
                - name: "default_name_187 (source firewall.address.name firewall.addrgrp.name)"
              src_negate: "enable"
              src6:
                - name: "default_name_190 (source firewall.address6.name firewall.addrgrp6.name)"
              standalone_action: "enable"
              start_port: "1"
              start_src_port: "1"
              status: "enable"
              tie_break: "zone"
              tos: "<your_own_value>"
              tos_mask: "<your_own_value>"
              use_shortcut_sla: "enable"
              users:
                - name: "default_name_200 (source user.local.name)"
              zone_mode: "enable"
          speedtest_bypass_routing: "disable"
          status: "disable"
          zone:
            - minimum_sla_meet_members: "1"
              name: "default_name_206"
              service_sla_tie_break: "cfg-order"
```
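A minimal dual-WAN configuration that ties a ping health check, an SLA and an SLA-mode rule together, added here as an illustration and not taken from the collection's own documentation. The interface names, gateway and probe-server addresses, the rule name and the fortigate_api_token vault variable are assumptions; unlike the placeholder example above, it keeps certificate validation of the FortiGate management API enabled.

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: true
    # Keep validation on so the play only talks to the genuine management API.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Dual-WAN SD-WAN with a ping health check and an SLA-driven rule
      fortios_system_sdwan:
        vdom: "{{ vdom }}"
        # Assumed: API token stored in Ansible Vault, never in the playbook.
        access_token: "{{ fortigate_api_token }}"
        system_sdwan:
          status: "enable"
          fail_detect: "enable"
          load_balance_mode: "source-ip-based"
          members:
            # Assumed interface names and ISP gateways (documentation ranges).
            - seq_num: "1"
              interface: "wan1"
              gateway: "203.0.113.1"
              priority: "1"
              status: "enable"
            - seq_num: "2"
              interface: "wan2"
              gateway: "198.51.100.1"
              priority: "2"
              status: "enable"
          health_check:
            - name: "hq-probe"
              protocol: "ping"
              server: "192.0.2.10"        # assumed probe target
              interval: "500"            # msec between probes
              probe_timeout: "500"       # msec before a probe counts as lost
              failtime: "5"              # lost probes before the server is lost
              recoverytime: "5"          # good responses before it is recovered
              members:
                - seq_num: "1"
                - seq_num: "2"
              sla:
                - id: "1"
                  link_cost_factor: "latency"
                  latency_threshold: "150"    # msec
                  jitter_threshold: "30"      # msec
                  packetloss_threshold: "2"   # percent
          service:
            - id: "1"
              name: "branch-to-hq"
              status: "enable"
              mode: "sla"            # prefer members meeting SLA 1, in priority order
              src:
                - name: "all"
              dst:
                - name: "all"
              priority_members:
                - seq_num: "1"
                - seq_num: "2"
              sla:
                - health_check: "hq-probe"
                  id: "1"
```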
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Description
---|---
build | Build number of the FortiGate image. Returned: always
http_method | Last method used to provision the content into FortiGate. Returned: always
http_status | Last result given by FortiGate on the last operation applied. Returned: always
mkey | Master key (id) used in the last call to FortiGate. Returned: success
name | Name of the table used to fulfill the request. Returned: always
path | Path of the table used to fulfill the request. Returned: always
revision | Internal revision number. Returned: always
serial | Serial number of the unit. Returned: always
status | Indication of the operation's result. Returned: always
vdom | Virtual domain used. Returned: always
version | Version of the FortiGate. Returned: always