fortinet.fortimanager.fmgr_switchcontroller_managedswitch – Configure FortiSwitch devices that are managed by this FortiGate.

Note

This plugin is part of the fortinet.fortimanager collection (version 2.1.3).

To install it use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_switchcontroller_managedswitch.

New in version 2.10: of fortinet.fortimanager

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter Choices/Defaults Comments
adom
string / required
the parameter (adom) in requested url
bypass_validation
boolean
    Choices:
  • no ←
  • yes
only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters
enable_log
boolean
    Choices:
  • no ←
  • yes
Enable/Disable logging for task
proposed_method
string
    Choices:
  • update
  • set
  • add
The overridden method for the underlying Json RPC request
rc_failed
list / elements=string
the rc codes list with which the conditions to fail will be overriden
rc_succeeded
list / elements=string
the rc codes list with which the conditions to succeed will be overriden
state
string / required
    Choices:
  • present
  • absent
the directive to create, update or delete an object
switchcontroller_managedswitch
dictionary
the top level parameters set
_platform
string
no description
custom-command
list / elements=string
no description
command-entry
string
List of FortiSwitch commands.
command-name
string
Names of commands to be pushed to this FortiSwitch device, as configured under config switch-controller custom-command.
description
string
Description.
firmware-provision
string
    Choices:
  • disable
  • enable
Enable/disable provisioning of firmware to FortiSwitches on join connection.
firmware-provision-version
string
Firmware version to provision to this FortiSwitch on bootup (major.minor.build, i.e. 6.2.1234).
ip-source-guard
list / elements=string
no description
binding-entry
list / elements=string
no description
entry-name
string
Configure binding pair.
ip
string
Source IP for this rule.
mac
string
MAC address for this rule.
description
string
Description.
port
string
Ingress interface to which source guard is bound.
l3-discovered
integer
no description
mclag-igmp-snooping-aware
string
    Choices:
  • disable
  • enable
Enable/disable MCLAG IGMP-snooping awareness.
name
string
Managed-switch name.
override-snmp-community
string
    Choices:
  • disable
  • enable
Enable/disable overriding the global SNMP communities.
override-snmp-sysinfo
string
    Choices:
  • disable
  • enable
Enable/disable overriding the global SNMP system information.
override-snmp-trap-threshold
string
    Choices:
  • disable
  • enable
Enable/disable overriding the global SNMP trap threshold values.
override-snmp-user
string
    Choices:
  • disable
  • enable
Enable/disable overriding the global SNMP users.
poe-detection-type
integer
no description
ports
list / elements=string
no description
access-mode
string
    Choices:
  • normal
  • nac
  • dynamic
  • static
Access mode of the port.
aggregator-mode
string
    Choices:
  • bandwidth
  • count
LACP member select mode.
allowed-vlans
string
Configure switch port tagged vlans
allowed-vlans-all
string
    Choices:
  • disable
  • enable
Enable/disable all defined vlans on this port.
arp-inspection-trust
string
    Choices:
  • untrusted
  • trusted
Trusted or untrusted dynamic ARP inspection.
bundle
string
    Choices:
  • disable
  • enable
Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.
description
string
Description for port.
dhcp-snoop-option82-trust
string
    Choices:
  • disable
  • enable
Enable/disable allowance of DHCP with option-82 on untrusted interface.
dhcp-snooping
string
    Choices:
  • trusted
  • untrusted
Trusted or untrusted DHCP-snooping interface.
discard-mode
string
    Choices:
  • none
  • all-untagged
  • all-tagged
Configure discard mode for port.
edge-port
string
    Choices:
  • disable
  • enable
Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.
export-to-pool-flag
integer
Switch controller export port to pool-list.
fec-capable
integer
FEC capable.
fec-state
string
    Choices:
  • disabled
  • cl74
  • cl91
State of forward error correction.
flow-control
string
    Choices:
  • disable
  • tx
  • rx
  • both
Flow control direction.
igmp-snooping
string
    Choices:
  • disable
  • enable
Set IGMP snooping mode for the physical port interface.
igmps-flood-reports
string
    Choices:
  • disable
  • enable
Enable/disable flooding of IGMP reports to this interface when igmp-snooping enabled.
igmps-flood-traffic
string
    Choices:
  • disable
  • enable
Enable/disable flooding of IGMP snooping traffic to this interface.
ip-source-guard
string
    Choices:
  • disable
  • enable
Enable/disable IP source guard.
lacp-speed
string
    Choices:
  • slow
  • fast
end Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow) or every second (fast).
learning-limit
integer
Limit the number of dynamic MAC addresses on this Port (1 - 128, 0 = no limit, default).
lldp-profile
string
LLDP port TLV profile.
lldp-status
string
    Choices:
  • disable
  • rx-only
  • tx-only
  • tx-rx
LLDP transmit and receive status.
loop-guard
string
    Choices:
  • disabled
  • enabled
Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.
loop-guard-timeout
integer
Loop-guard timeout (0 - 120 min, default = 45).
mac-addr
string
Port/Trunk MAC.
matched-dpp-intf-tags
string
Matched interface tags in the dynamic port policy.
matched-dpp-policy
string
Matched child policy in the dynamic port policy.
max-bundle
integer
Maximum size of LAG bundle (1 - 24, default = 24)
mclag
string
    Choices:
  • disable
  • enable
Enable/disable multi-chassis link aggregation (MCLAG).
mclag-icl-port
integer
no description
media-type
string
no description
member-withdrawal-behavior
string
    Choices:
  • forward
  • block
Port behavior after it withdraws because of loss of control packets.
members
string
no description
min-bundle
integer
Minimum size of LAG bundle (1 - 24, default = 1)
mode
string
    Choices:
  • static
  • lacp-passive
  • lacp-active
LACP mode: ignore and do not send control messages, or negotiate 802.3ad aggregation passively or actively.
p2p-port
integer
no description
packet-sample-rate
integer
Packet sampling rate (0 - 99999 p/sec).
packet-sampler
string
    Choices:
  • disabled
  • enabled
Enable/disable packet sampling on this interface.
pause-meter
integer
Configure ingress pause metering rate, in kbps (default = 0, disabled).
pause-meter-resume
string
    Choices:
  • 25%
  • 50%
  • 75%
Resume threshold for resuming traffic on ingress port.
poe-pre-standard-detection
string
    Choices:
  • disable
  • enable
Enable/disable PoE pre-standard detection.
poe-status
string
    Choices:
  • disable
  • enable
Enable/disable PoE status.
port-name
string
Switch port name.
port-owner
string
Switch port name.
port-policy
string
Switch controller dynamic port policy from available options.
port-security-policy
string
Switch controller authentication policy to apply to this managed switch from available options.
port-selection-criteria
string
    Choices:
  • src-mac
  • dst-mac
  • src-dst-mac
  • src-ip
  • dst-ip
  • src-dst-ip
Algorithm for aggregate port selection.
qos-policy
string
Switch controller QoS policy from available options.
rpvst-port
string
    Choices:
  • disabled
  • enabled
Enable/disable inter-operability with rapid PVST on this interface.
sample-direction
string
    Choices:
  • rx
  • tx
  • both
sFlow sample direction.
sflow-counter-interval
integer
sFlow sampler counter polling interval (1 - 255 sec).
sflow-sample-rate
integer
sFlow sampler sample rate (0 - 99999 p/sec).
sflow-sampler
string
    Choices:
  • disabled
  • enabled
Enable/disable sFlow protocol on this interface.
status
string
    Choices:
  • down
  • up
Switch port admin status: up or down.
sticky-mac
string
    Choices:
  • disable
  • enable
Enable or disable sticky-mac on the interface.
storm-control-policy
string
Switch controller storm control policy from available options.
stp-bpdu-guard
string
    Choices:
  • disabled
  • enabled
Enable/disable STP BPDU guard on this interface.
stp-bpdu-guard-timeout
integer
BPDU Guard disabling protection (0 - 120 min).
stp-root-guard
string
    Choices:
  • disabled
  • enabled
Enable/disable STP root guard on this interface.
stp-state
string
    Choices:
  • disabled
  • enabled
Enable/disable Spanning Tree Protocol (STP) on this interface.
trunk-member
integer
Trunk member.
type
string
    Choices:
  • physical
  • trunk
Interface type: physical or trunk port.
untagged-vlans
string
Configure switch port untagged vlans
vlan
string
Assign switch ports to a VLAN.
qos-drop-policy
string
    Choices:
  • taildrop
  • random-early-detection
Set QoS drop-policy.
qos-red-probability
integer
Set QoS RED/WRED drop probability.
remote-log
list / elements=string
no description
csv
string
    Choices:
  • disable
  • enable
Enable/disable comma-separated value (CSV) strings.
facility
string
    Choices:
  • kernel
  • user
  • mail
  • daemon
  • auth
  • syslog
  • lpr
  • news
  • uucp
  • cron
  • authpriv
  • ftp
  • ntp
  • audit
  • alert
  • clock
  • local0
  • local1
  • local2
  • local3
  • local4
  • local5
  • local6
  • local7
Facility to log to remote syslog server.
name
string
Remote log name.
port
integer
Remote syslog server listening port.
server
string
IPv4 address of the remote syslog server.
severity
string
    Choices:
  • emergency
  • alert
  • critical
  • error
  • warning
  • notification
  • information
  • debug
Severity of logs to be transferred to remote log server.
status
string
    Choices:
  • disable
  • enable
Enable/disable logging by FortiSwitch device to a remote syslog server.
snmp-community
list / elements=string
no description
events
list / elements=string
    Choices:
  • cpu-high
  • mem-low
  • log-full
  • intf-ip
  • ent-conf-change
no description
hosts
list / elements=string
no description
id
integer
Host entry ID.
ip
string
IPv4 address of the SNMP manager (host).
id
integer
SNMP community ID.
name
string
SNMP community name.
query-v1-port
integer
SNMP v1 query port (default = 161).
query-v1-status
string
    Choices:
  • disable
  • enable
Enable/disable SNMP v1 queries.
query-v2c-port
integer
SNMP v2c query port (default = 161).
query-v2c-status
string
    Choices:
  • disable
  • enable
Enable/disable SNMP v2c queries.
status
string
    Choices:
  • disable
  • enable
Enable/disable this SNMP community.
trap-v1-lport
integer
SNMP v2c trap local port (default = 162).
trap-v1-rport
integer
SNMP v2c trap remote port (default = 162).
trap-v1-status
string
    Choices:
  • disable
  • enable
Enable/disable SNMP v1 traps.
trap-v2c-lport
integer
SNMP v2c trap local port (default = 162).
trap-v2c-rport
integer
SNMP v2c trap remote port (default = 162).
trap-v2c-status
string
    Choices:
  • disable
  • enable
Enable/disable SNMP v2c traps.
snmp-user
list / elements=string
no description
auth-proto
string
    Choices:
  • md5
  • sha
Authentication protocol.
auth-pwd
string
no description
name
string
SNMP user name.
priv-proto
string
    Choices:
  • des
  • aes
Privacy (encryption) protocol.
priv-pwd
string
no description
queries
string
    Choices:
  • disable
  • enable
Enable/disable SNMP queries for this user.
query-port
integer
SNMPv3 query port (default = 161).
security-level
string
    Choices:
  • no-auth-no-priv
  • auth-no-priv
  • auth-priv
Security level for message authentication and encryption.
switch-dhcp_opt43_key
string
DHCP option43 key.
switch-id
string
Managed-switch id.
tdr-supported
string
no description
workspace_locking_adom
string
the adom to lock for FortiManager running in workspace mode, the value can be global and others including root
workspace_locking_timeout
integer
Default:
300
the maximum time in seconds to wait for other user to release the workspace lock

Notes

Note

  • Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.

  • To create or update an object, use state present directive.

  • To delete an object, use state absent directive.

  • Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure FortiSwitch devices that are managed by this FortiGate.
     fmgr_switchcontroller_managedswitch:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        adom: <your own value>
        state: <value in [present, absent]>
        switchcontroller_managedswitch:
           _platform: <value of string>
           description: <value of string>
           name: <value of string>
           ports:
             -
                 allowed-vlans: <value of string>
                 allowed-vlans-all: <value in [disable, enable]>
                 arp-inspection-trust: <value in [untrusted, trusted]>
                 bundle: <value in [disable, enable]>
                 description: <value of string>
                 dhcp-snoop-option82-trust: <value in [disable, enable]>
                 dhcp-snooping: <value in [trusted, untrusted]>
                 discard-mode: <value in [none, all-untagged, all-tagged]>
                 edge-port: <value in [disable, enable]>
                 igmp-snooping: <value in [disable, enable]>
                 igmps-flood-reports: <value in [disable, enable]>
                 igmps-flood-traffic: <value in [disable, enable]>
                 lacp-speed: <value in [slow, fast]>
                 learning-limit: <value of integer>
                 lldp-profile: <value of string>
                 lldp-status: <value in [disable, rx-only, tx-only, ...]>
                 loop-guard: <value in [disabled, enabled]>
                 loop-guard-timeout: <value of integer>
                 max-bundle: <value of integer>
                 mclag: <value in [disable, enable]>
                 member-withdrawal-behavior: <value in [forward, block]>
                 members: <value of string>
                 min-bundle: <value of integer>
                 mode: <value in [static, lacp-passive, lacp-active]>
                 poe-pre-standard-detection: <value in [disable, enable]>
                 poe-status: <value in [disable, enable]>
                 port-name: <value of string>
                 port-owner: <value of string>
                 port-security-policy: <value of string>
                 port-selection-criteria: <value in [src-mac, dst-mac, src-dst-mac, ...]>
                 qos-policy: <value of string>
                 sample-direction: <value in [rx, tx, both]>
                 sflow-counter-interval: <value of integer>
                 sflow-sample-rate: <value of integer>
                 sflow-sampler: <value in [disabled, enabled]>
                 stp-bpdu-guard: <value in [disabled, enabled]>
                 stp-bpdu-guard-timeout: <value of integer>
                 stp-root-guard: <value in [disabled, enabled]>
                 stp-state: <value in [disabled, enabled]>
                 type: <value in [physical, trunk]>
                 untagged-vlans: <value of string>
                 vlan: <value of string>
                 export-to-pool-flag: <value of integer>
                 mac-addr: <value of string>
                 packet-sample-rate: <value of integer>
                 packet-sampler: <value in [disabled, enabled]>
                 sticky-mac: <value in [disable, enable]>
                 storm-control-policy: <value of string>
                 access-mode: <value in [normal, nac, dynamic, ...]>
                 ip-source-guard: <value in [disable, enable]>
                 mclag-icl-port: <value of integer>
                 p2p-port: <value of integer>
                 aggregator-mode: <value in [bandwidth, count]>
                 rpvst-port: <value in [disabled, enabled]>
                 flow-control: <value in [disable, tx, rx, ...]>
                 media-type: <value of string>
                 pause-meter: <value of integer>
                 pause-meter-resume: <value in [25%, 50%, 75%]>
                 trunk-member: <value of integer>
                 fec-capable: <value of integer>
                 fec-state: <value in [disabled, cl74, cl91]>
                 matched-dpp-intf-tags: <value of string>
                 matched-dpp-policy: <value of string>
                 port-policy: <value of string>
                 status: <value in [down, up]>
           switch-id: <value of string>
           override-snmp-community: <value in [disable, enable]>
           override-snmp-sysinfo: <value in [disable, enable]>
           override-snmp-trap-threshold: <value in [disable, enable]>
           override-snmp-user: <value in [disable, enable]>
           poe-detection-type: <value of integer>
           remote-log:
             -
                 csv: <value in [disable, enable]>
                 facility: <value in [kernel, user, mail, ...]>
                 name: <value of string>
                 port: <value of integer>
                 server: <value of string>
                 severity: <value in [emergency, alert, critical, ...]>
                 status: <value in [disable, enable]>
           snmp-community:
             -
                 events:
                   - cpu-high
                   - mem-low
                   - log-full
                   - intf-ip
                   - ent-conf-change
                 hosts:
                   -
                       id: <value of integer>
                       ip: <value of string>
                 id: <value of integer>
                 name: <value of string>
                 query-v1-port: <value of integer>
                 query-v1-status: <value in [disable, enable]>
                 query-v2c-port: <value of integer>
                 query-v2c-status: <value in [disable, enable]>
                 status: <value in [disable, enable]>
                 trap-v1-lport: <value of integer>
                 trap-v1-rport: <value of integer>
                 trap-v1-status: <value in [disable, enable]>
                 trap-v2c-lport: <value of integer>
                 trap-v2c-rport: <value of integer>
                 trap-v2c-status: <value in [disable, enable]>
           snmp-user:
             -
                 auth-proto: <value in [md5, sha]>
                 auth-pwd: <value of string>
                 name: <value of string>
                 priv-proto: <value in [des, aes]>
                 priv-pwd: <value of string>
                 queries: <value in [disable, enable]>
                 query-port: <value of integer>
                 security-level: <value in [no-auth-no-priv, auth-no-priv, auth-priv]>
           mclag-igmp-snooping-aware: <value in [disable, enable]>
           ip-source-guard:
             -
                 binding-entry:
                   -
                       entry-name: <value of string>
                       ip: <value of string>
                       mac: <value of string>
                 description: <value of string>
                 port: <value of string>
           l3-discovered: <value of integer>
           qos-drop-policy: <value in [taildrop, random-early-detection]>
           qos-red-probability: <value of integer>
           switch-dhcp_opt43_key: <value of string>
           tdr-supported: <value of string>
           custom-command:
             -
                 command-entry: <value of string>
                 command-name: <value of string>
           firmware-provision: <value in [disable, enable]>
           firmware-provision-version: <value of string>

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
request_url
string
always
The full url requested

Sample:
/sys/login/user
response_code
integer
always
The status of api request

response_message
string
always
The descriptive message of the api response

Sample:
OK.


Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)