fortinet.fortios.fortios_system_ha module – Configure HA in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.3.8).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_system_ha.
New in fortinet.fortios 2.0.0
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and ha category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.15
Parameters
Parameter |
Comments |
|---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Configure HA. |
|
Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce failover time. |
|
Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher to reduce traffic. |
|
Enable/disable heartbeat message authentication. Choices:
|
|
The physical interface that will be assigned an auto-generated virtual MAC address. |
|
Interface name. Source system.interface.name. |
|
Backup heartbeat interfaces. Must be the same for all members. |
|
Interface name. Source system.interface.name. |
|
Enable/disable secondary dev health check for session load-balance in HA A-A mode. Choices:
|
|
Dynamic weighted load balancing CPU usage weight and high and low thresholds. |
|
Enable/disable heartbeat message encryption. Choices:
|
|
HA EVPN FDB TTL on primary box (5 - 3600 sec). |
|
Time to wait before failover (0 - 300 sec), to avoid flip. |
|
Dynamic weighted load balancing weight and high and low number of FTP proxy sessions. |
|
Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled. Choices:
|
|
HA group ID (0 - 1023; or 0 - 7 when there are more than 2 vclusters). Must be the same for all members. |
|
Cluster group name. Must be the same for all members. |
|
Enable/disable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow. Choices:
|
|
HA heartbeat packet Ethertype (4-digit hex). |
|
Reserve interfaces to manage individual cluster units. |
|
Default route destination for reserved HA management interface. |
|
Default route gateway for reserved HA management interface. |
|
Default IPv6 gateway for reserved HA management interface. |
|
Table ID. see <a href=’#notes’>Notes</a>. |
|
Interface to reserve for HA management. Source system.interface.name. |
|
Enable to reserve interfaces to manage individual cluster units. Choices:
|
|
Normally you would only reduce this value for failover testing. |
|
Time between sending heartbeat packets (1 - 20). Increase to reduce false positives. |
|
Units of heartbeat interval time between sending heartbeat packets. Default is 100ms. Choices:
|
|
Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false positives. |
|
Heartbeat interfaces. Must be the same for all members. |
|
Transparent mode HA heartbeat packet Ethertype (4-digit hex). |
|
Time to wait before changing from hello to work state (5 - 300 sec). |
|
Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions. |
|
Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions. |
|
Enable/disable synchronization of sessions among HA clusters. Choices:
|
|
IPsec phase2 proposal. Choices:
|
|
Key. |
|
Telnet session HA heartbeat packet Ethertype (4-digit hex). |
|
Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network. Choices:
|
|
Enable to load balance TCP sessions. Disable to load balance proxy sessions only. Choices:
|
|
Enable/disable usage of the logical serial number. Choices:
|
|
Enable/disable memory based failover. Choices:
|
|
Enable/disable memory compatible mode. Choices:
|
|
Time to wait between subsequent memory based failovers in minutes (6 - 2147483647). |
|
Duration of high memory usage before memory based failover is triggered in seconds (1 - 300). |
|
Rate at which memory usage is sampled in order to measure memory usage in seconds (1 - 60). |
|
Memory usage threshold to trigger memory based failover (0 means using conserve mode threshold in system.global). |
|
Dynamic weighted load balancing memory usage weight and high and low thresholds. |
|
HA mode. Must be the same for all members. FGSP requires standalone. Choices:
|
|
Interfaces to check for port monitoring (or link failure). Source system.interface.name. |
|
HA multicast TTL on primary (5 - 3600 sec). |
|
Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions. |
|
Enable and increase the priority of the unit that should always be primary (master). Choices:
|
|
Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. |
|
Cluster password. Must be the same for all members. |
|
Remote IP monitoring failover threshold (0 - 50). |
|
Time to wait in minutes before renegotiating after a remote IP monitoring failover. |
|
Interfaces to check for remote IP monitoring. Source system.interface.name. |
|
Enable to force the cluster to negotiate after a remote IP monitoring failover. Choices:
|
|
Enable to force the cluster to negotiate after a remote IP monitoring failover. Choices:
|
|
Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions. |
|
Increase the priority to select the primary unit (0 - 255). |
|
Time to wait between routing table updates to the cluster (0 - 3600 sec). |
|
TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes during failover. |
|
Time to wait before sending new routes to the cluster (0 - 3600 sec). |
|
Type of A-A load balancing. Use none if you have external load balancers. Choices:
|
|
Configure virtual cluster 2. |
|
Interfaces to check for port monitoring (or link failure). Source system.interface.name. |
|
Enable and increase the priority of the unit that should always be primary. Choices:
|
|
Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. |
|
Remote IP monitoring failover threshold (0 - 50). |
|
Interfaces to check for remote IP monitoring. Source system.interface.name. |
|
Enable to force the cluster to negotiate after a remote IP monitoring failover. Choices:
|
|
Enable to force the cluster to negotiate after a remote IP monitoring failover. Choices:
|
|
Increase the priority to select the primary unit (0 - 255). |
|
Cluster ID. |
|
VDOMs in virtual cluster 2. |
|
Enable/disable session pickup. Enabling it can reduce session down time when fail over happens. Choices:
|
|
Enable/disable UDP and ICMP session sync. Choices:
|
|
Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced. Choices:
|
|
Enable/disable session helper expectation session sync for FGSP. Choices:
|
|
Enable/disable NAT session sync for FGSP. Choices:
|
|
Offload session-sync process to kernel and sync sessions using connected interface(s) directly. Source system.interface.name. |
|
Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions. |
|
Enable/disable automatic HA failover on SSD disk failure. Choices:
|
|
Enable/disable FGSP configuration synchronization. Choices:
|
|
Enable/disable standalone management VDOM. Choices:
|
|
Enable/disable configuration synchronization. Choices:
|
|
Enable/disable HA packet distribution to multiple CPUs. Choices:
|
|
Default route gateway for unicast interface. |
|
Enable/disable unicast heartbeat. Choices:
|
|
Unicast heartbeat netmask. |
|
Unicast heartbeat peer IP. |
|
Number of unicast peers. |
|
Table ID. see <a href=’#notes’>Notes</a>. |
|
Unicast peer IP. |
|
Enable/disable unicast connection. Choices:
|
|
Number of minutes the primary HA unit waits before the secondary HA unit is considered upgraded and the system is started before starting its own upgrade (15 - 300). |
|
Enable to upgrade a cluster without blocking network traffic. Choices:
|
|
The mode to upgrade a cluster. Choices:
|
|
Virtual cluster table. |
|
Interfaces to check for port monitoring (or link failure). Source system.interface.name. |
|
Enable and increase the priority of the unit that should always be primary (master). Choices:
|
|
Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. |
|
Remote IP monitoring failover threshold (0 - 50). |
|
Time to wait in minutes before renegotiating after a remote IP monitoring failover. |
|
Interfaces to check for remote IP monitoring. Source system.interface.name. |
|
Enable to force the cluster to negotiate after a remote IP monitoring failover. Choices:
|
|
Enable to force the cluster to negotiate after a remote IP monitoring failover. Choices:
|
|
Increase the priority to select the primary unit (0 - 255). |
|
ID. see <a href=’#notes’>Notes</a>. |
|
Virtual domain(s) in the virtual cluster. |
|
Virtual domain name. Source system.vdom.name. |
|
Enable/disable virtual cluster 2 for virtual clustering. Choices:
|
|
Cluster ID. |
|
Enable/disable virtual cluster for virtual clustering. Choices:
|
|
VDOMs in virtual cluster 1. |
|
Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>. |
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: |
Notes
Note
Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- name: Configure HA.
fortinet.fortios.fortios_system_ha:
vdom: "{{ vdom }}"
system_ha:
arps: "5"
arps_interval: "8"
authentication: "enable"
auto_virtual_mac_interface:
-
interface_name: "<your_own_value> (source system.interface.name)"
backup_hbdev:
-
name: "default_name_9 (source system.interface.name)"
check_secondary_dev_health: "enable"
cpu_threshold: "<your_own_value>"
encryption: "enable"
evpn_ttl: "60"
failover_hold_time: "0"
ftp_proxy_threshold: "<your_own_value>"
gratuitous_arps: "enable"
group_id: "0"
group_name: "<your_own_value>"
ha_direct: "enable"
ha_eth_type: "<your_own_value>"
ha_mgmt_interfaces:
-
dst: "<your_own_value>"
gateway: "<your_own_value>"
gateway6: "<your_own_value>"
id: "25"
interface: "<your_own_value> (source system.interface.name)"
ha_mgmt_status: "enable"
ha_uptime_diff_margin: "300"
hb_interval: "2"
hb_interval_in_milliseconds: "100ms"
hb_lost_threshold: "20"
hbdev: "<your_own_value>"
hc_eth_type: "<your_own_value>"
hello_holddown: "20"
http_proxy_threshold: "<your_own_value>"
imap_proxy_threshold: "<your_own_value>"
inter_cluster_session_sync: "enable"
ipsec_phase2_proposal: "aes128-sha1"
key: "<your_own_value>"
l2ep_eth_type: "<your_own_value>"
link_failed_signal: "enable"
load_balance_all: "enable"
logical_sn: "enable"
memory_based_failover: "enable"
memory_compatible_mode: "enable"
memory_failover_flip_timeout: "6"
memory_failover_monitor_period: "60"
memory_failover_sample_rate: "1"
memory_failover_threshold: "0"
memory_threshold: "<your_own_value>"
mode: "standalone"
monitor: "<your_own_value> (source system.interface.name)"
multicast_ttl: "600"
nntp_proxy_threshold: "<your_own_value>"
override: "enable"
override_wait_time: "0"
password: "<your_own_value>"
pingserver_failover_threshold: "0"
pingserver_flip_timeout: "60"
pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
pingserver_secondary_force_reset: "enable"
pingserver_slave_force_reset: "enable"
pop3_proxy_threshold: "<your_own_value>"
priority: "128"
route_hold: "10"
route_ttl: "10"
route_wait: "0"
schedule: "none"
secondary_vcluster:
monitor: "<your_own_value> (source system.interface.name)"
override: "enable"
override_wait_time: "0"
pingserver_failover_threshold: "0"
pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
pingserver_secondary_force_reset: "enable"
pingserver_slave_force_reset: "enable"
priority: "128"
vcluster_id: "1"
vdom: "<your_own_value>"
session_pickup: "enable"
session_pickup_connectionless: "enable"
session_pickup_delay: "enable"
session_pickup_expectation: "enable"
session_pickup_nat: "enable"
session_sync_dev: "<your_own_value> (source system.interface.name)"
smtp_proxy_threshold: "<your_own_value>"
ssd_failover: "enable"
standalone_config_sync: "enable"
standalone_mgmt_vdom: "enable"
sync_config: "enable"
sync_packet_balance: "enable"
unicast_gateway: "<your_own_value>"
unicast_hb: "enable"
unicast_hb_netmask: "<your_own_value>"
unicast_hb_peerip: "<your_own_value>"
unicast_peers:
-
id: "97"
peer_ip: "<your_own_value>"
unicast_status: "enable"
uninterruptible_primary_wait: "30"
uninterruptible_upgrade: "enable"
upgrade_mode: "simultaneous"
vcluster:
-
monitor: "<your_own_value> (source system.interface.name)"
override: "enable"
override_wait_time: "0"
pingserver_failover_threshold: "0"
pingserver_flip_timeout: "60"
pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
pingserver_secondary_force_reset: "enable"
pingserver_slave_force_reset: "enable"
priority: "128"
vcluster_id: "<you_own_value>"
vdom:
-
name: "default_name_115 (source system.vdom.name)"
vcluster_id: "0"
vcluster_status: "enable"
vcluster2: "enable"
vdom: "<your_own_value>"
weight: "<your_own_value>"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Build number of the fortigate image Returned: always Sample: |
|
Last method used to provision the content into FortiGate Returned: always Sample: |
|
Last result given by FortiGate on last operation applied Returned: always Sample: |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: |
|
Name of the table used to fulfill the request Returned: always Sample: |
|
Path of the table used to fulfill the request Returned: always Sample: |
|
Internal revision number Returned: always Sample: |
|
Serial number of the unit Returned: always Sample: |
|
Indication of the operation’s result Returned: always Sample: |
|
Virtual domain used Returned: always Sample: |
|
Version of the FortiGate Returned: always Sample: |