Issue when creating multiple address objects (loop) #34

Open
mpsikorski opened this issue Nov 4, 2021 · 5 comments

mpsikorski commented Nov 4, 2021

Hi,

Again, we tried to use the new Ansible (ansible-2.9.23-1.el7.noarch centos7) modules for creating address objects in FortiManager v6.2.8-build1435, and after you fixed something in 2.1.4 it works for single objects.
If we try to create multiple objects with a loop, the ADOM doesn't get unlocked and saved after the objects are created.

This issue exists at least with the modules:

  • fmgr_firewall_address
  • fmgr_firewall_address6

Example:

---
- name: Address and Address Group Creation
  hosts: FORTINET_FORTIMANAGER
  connection: httpapi
  collections:
    - fortinet.fortimanager
  gather_facts: no
  vars:
    ansible_network_os: fortinet.fortimanager.fortimanager
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443

  vars_prompt:
  - name: "ansible_user"
    prompt: "Username"
    private: no
    default: "{{ lookup('env', 'USER') }}"
  - name: "ansible_password"
    prompt: "Password"

  tasks:
    # Addresses
    - name: Create any ipv4 net/addr obj
      fmgr_firewall_address:
        workspace_locking_adom: "TESTADOM"
        workspace_locking_timeout: 300
        adom: "TESTADOM"
        state: "present"
        enable_log: yes
        bypass_validation: False
        proposed_method: "add"
        firewall_address:
          allow-routing: disable
          comment: ""
          type: "ipmask"
          subnet: "{{ item.net }}"
          name: "{{ item.name }}"
          visibility: enable
      loop:
      - name: "TestHost"
        net: "12.12.12.12/32"
      - name: "TestNet"
        net: "12.12.12.0/24"

@jpforcioli

Hi,

Would you mind testing again with 2.1.5?
To install it in my environment, I've run this command:

ansible-galaxy collection install git+https://github.com/fortinet-ansible-dev/ansible-galaxy-fortimanager-collection.git,galaxy/2.1.5

Against my FMG 7.0.2 GA, it works as expected.

Best Regards.

@mpsikorski

Hi,
Thanks for your fast response. I think this time I am wrong. After some more testing I found out that the unlock does happen with a delay of ~one minute. Maybe it's just an issue with our FortiManager. I need to investigate further.

@mpsikorski

At least one thing doesn't work as expected.
In the playbook we set the value for workspace_locking_timeout to 300 sec, but the playbook doesn't wait longer than 5-10 sec.
I think if this "waiting til unlock" functionality worked, we wouldn't have any issues.

Here is an example of what happened after adding another task with the module fmgr_firewall_address6 to our playbook:

TASK [Create any ipv6 net/addr obj] **********************************************************************************************************************************************************************************************************************
failed: [xxxxxxxx] (item={u'name': u'H_1111::1', u'network': u'1111::1'}) => changed=false 
  ansible_loop_var: item
  item:
    name: H_1111::1
    network: 1111::1
  meta:
    request_url: /pm/config/adom/TESTADOM/obj/firewall/address6/H_1111::1
    response_code: -10147
    response_data: []
    response_message: no write permission
    system_information:
      Admin Domain Configuration: Enabled
      BIOS version: '04000002'
      Branch Point: '1435'
      Build: '1435'
      Current Time: Fri Nov 05 10:04:17 CET 2021
      Daylight Time Saving: 'Yes'
      FIPS Mode: Disabled
      HA Mode: Stand Alone
      Hostname: xxxxxxxxx
      License Status: Valid
      Major: 6
      Max Number of Admin Domains: 210
      Max Number of Device Groups: 210
      Minor: 2
      Offline Mode: Disabled
      Patch: 8
      Platform Full Name: FortiManager-VM64
      Platform Type: FMG-VM64
      Release Version Information: ' (GA)'
      Serial Number: FMG-VM0A14000378
      Time Zone: (GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.
      Version: v6.2.8-build1435 210512 (GA)
      x86-64 Applications: 'Yes'
  rc: -10147

DenisPerricone commented Apr 14, 2024

Same problem in our environment...
Does anyone have a solution? I have this issue in the fmgr_firewall_policy module when using a loop to create multiple policies. The ADOM is stuck locked and nothing is created.

In Ansible, my task state is changed and I have no errors.

UPDATE: Resolved by adding the fmgr_dvmdb_workspace_commit module after fmgr_pkg_firewall_policy.

This way the changes are committed and saved, and the rules are created.

@dux-fortinet

Hi @DenisPerricone,

Just FYI, even if you don't use fmgr_dvmdb_workspace_commit, the FMG Ansible Collection will do fmgr_dvmdb_workspace_commit for you automatically, but this will have a 1~2 minute delay after you apply the playbook.

So if you want to commit your change as soon as you finish all ansible tasks, adding fmgr_dvmdb_workspace_commit would be a great choice.

Thanks,
Dux
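
The workaround from the last two comments, applied to the address loop in the original report, as an added example (not code from the thread or from the collection): an explicit fmgr_dvmdb_workspace_commit task runs right after the loop instead of relying on the delayed automatic commit. The variable `target_adom` is hypothetical, and the `adom` parameter on the commit task is an assumption to check against the collection's module documentation.

```yaml
---
- name: Create address objects, then commit the ADOM workspace
  hosts: FORTINET_FORTIMANAGER
  connection: httpapi
  collections:
    - fortinet.fortimanager
  gather_facts: no
  vars:
    ansible_network_os: fortinet.fortimanager.fortimanager
    ansible_httpapi_use_ssl: True
    # Verify the FortiManager certificate so the prompted credentials
    # are only sent to the intended host.
    ansible_httpapi_validate_certs: True
    ansible_httpapi_port: 443
    target_adom: "TESTADOM"   # hypothetical variable name

  vars_prompt:
    - name: "ansible_user"
      prompt: "Username"
      private: no
    - name: "ansible_password"
      prompt: "Password"

  tasks:
    # Each loop iteration works inside the locked ADOM workspace.
    - name: Create any ipv4 net/addr obj
      fmgr_firewall_address:
        workspace_locking_adom: "{{ target_adom }}"
        workspace_locking_timeout: 300
        adom: "{{ target_adom }}"
        state: "present"
        firewall_address:
          type: "ipmask"
          subnet: "{{ item.net }}"
          name: "{{ item.name }}"
      loop:
        - name: "TestHost"
          net: "12.12.12.12/32"
        - name: "TestNet"
          net: "12.12.12.0/24"

    # Commit as soon as the loop finishes rather than waiting for the
    # automatic commit described above.
    - name: Commit the workspace changes
      fmgr_dvmdb_workspace_commit:
        adom: "{{ target_adom }}"   # assumed parameter name
```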
