global-label create new section each time a rule is created #83

Open
DenisPerricone opened this issue Apr 15, 2024 · 6 comments

Comments

@DenisPerricone

DenisPerricone commented Apr 15, 2024

Hi! I have an issue with the global-label parameter of fmgr_pkg_firewall_policy.

When I try to create a firewall policy passing the global-label parameter, a new section is created, even if it already exists.

My expectation is that if a section already exists, the module creates the rule in that section.

Consider also that in the FortiManager UI it is not possible to have two equal sections, but via the module it is.

Our scope is to create N policies in predetermined sections and then install the package.

[image: IMG_20240415_131955.jpg]
As you can see in the image below, the result is a duplicate of section named "Sezione 1"

Thanks in advance

@dux-fortinet

Hi @DenisPerricone,

Thanks for raising this issue. It is really weird.
Could you please check whether there is an extra space in the parameter "global-label"?

For example, "global-label" for policies 26 and 24 is "Sezione 1" while "global-label" for policy 45 is "Sezione 1 " (extra space).

Thanks.

@DenisPerricone (Author)

Hi, thanks for your fast answer. Unfortunately I have already checked whether there are any spaces or hidden characters, but it is absolutely the same.

I tried to pass the label via a var (survey text box) or to place "Sezione 1" directly in the module.

Unfortunately we are in production, and an upgrade of the collection is not an option in our case. Do you know whether there is a way (maybe some other module/param) I can use to create a rule in, or move a rule to, a specific section?

The fmgr_pkg_firewall_policy_sectionvalue module, if I understood well, produces the same issue.

@dux-fortinet

dux-fortinet commented Apr 15, 2024

Hi @DenisPerricone,

I can reproduce this now.
It seems to be the GUI's problem (or maybe they did it on purpose, because policy order matters in some cases). Policies are in the order of creation time. The GUI classifies consecutive policies with the same "global-label" into the same section.
So if you declare some policies in Sezione 1, then declare some policies in Sezione 2, and then declare some policies in Sezione 1 again, there will be 3 different sections.

You can directly change the section value of one policy by changing the parameter "global-label", yet since the policies are in the order of creation time by default, two policies with the same "global-label" may not be classified into one section in the GUI if there are other policies with a different "global-label" between them.

One way is to use fmgr_move. You can move one policy before/after another by using:

```yaml
---
- name: Move policy
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    # Disables TLS certificate validation; keep true in production and trust the FMG certificate instead
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
    adom_name: your_adom_name
    pkg_name: your_pkg_name
  tasks:
    - name: Move policy 45 after policy 24
      fortinet.fortimanager.fmgr_move:
        move:
          selector: "pkg_firewall_policy"
          target: 24          # policy ID of the reference policy
          action: "after"     # "before" or "after" the target
          self:
            adom: "{{ adom_name }}"
            pkg: "{{ pkg_name }}"
            policy: 45        # policy ID of the policy being moved
```

Please note, we use the policy ID in fmgr_move. If you move a policy in the GUI (by right clicking one policy and selecting "move to"), the GUI will ask you to provide "#" (ID, not policy ID).

Thanks,
Dux.

@DenisPerricone (Author)

So it's a FortiManager limit and we have to move policies one by one and by ID. Okay, clear, thank you.

It's a little bit hard to manage for the end user because they have to know each policy ID or open the FM UI, but if it is not possible to add a policy to a specific section, I think it is the only way.

Thank you

@dux-fortinet

dux-fortinet commented Apr 17, 2024

Further update: I asked the FMG development team. Policies are displayed by sequence (if you use the interface pair view, the interface filter is applied first).

FMG can't change the display order via "global-label" because the order matters (a different policy order may result in different routing behavior). Therefore, the best practice is to declare policies with the same "global-label" consecutively.

And this is just a display issue. Even if you have two sections with the same name "Sezione 1", the "global-label" values for the policies under the "Sezione 1" sections are still correct.

Thanks,
Dux
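The grouping rule Dux describes in the two comments above (the GUI renders a section for every run of consecutive policies with the same "global-label", so order is everything) and the fmgr_move workaround can be simulated outside FortiManager. The following is an added example written for this page, not code from the fortinet.fortimanager collection; the policy list, policy IDs and labels are constructed, and the move is computed against the first existing section with the same label (an assumption about which section the user wants the rule in). It also includes the whitespace check Dux suggested first, since "Sezione 1" and "Sezione 1 " are indistinguishable in the UI.

```python
"""Simulate FortiManager's section display (consecutive equal global-labels
form one section) and compute the fmgr_move that merges a stray policy into an
existing section. Added example; not part of the fortinet.fortimanager
collection. All sample data below is constructed."""
from itertools import groupby

# Constructed package contents in display (sequence) order, i.e. creation order.
POLICIES = [
    {"policyid": 24, "global-label": "Sezione 1"},
    {"policyid": 26, "global-label": "Sezione 1"},
    {"policyid": 30, "global-label": "Sezione 2"},
    {"policyid": 45, "global-label": "Sezione 1"},   # created last: shows as a 2nd "Sezione 1"
    {"policyid": 50, "global-label": "Sezione 1 "},  # trailing space: looks identical in the UI
]


def sections(policies):
    """Return [(label, [policyid, ...]), ...] as the GUI would render them:
    one section per run of consecutive policies sharing a global-label."""
    return [
        (label, [p["policyid"] for p in run])
        for label, run in groupby(policies, key=lambda p: p["global-label"])
    ]


def lookalike_labels(policies):
    """Labels that differ only by surrounding whitespace (Dux's first suspicion).
    Returns {stripped_label: [raw variants]} for every label with >1 raw form."""
    by_norm = {}
    for p in policies:
        by_norm.setdefault(p["global-label"].strip(), set()).add(p["global-label"])
    return {k: sorted(v) for k, v in by_norm.items() if len(v) > 1}


def move_plan(policies, policyid):
    """Compute fmgr_move parameters (target policy ID + action) that place
    `policyid` at the end of the first section carrying its label.
    Returns None when the policy is already in that section."""
    idx = {p["policyid"]: i for i, p in enumerate(policies)}
    label = policies[idx[policyid]]["global-label"]
    for sec_label, ids in sections(policies):
        if sec_label == label:
            if policyid in ids:
                return None
            return {"target": ids[-1], "action": "after"}
    return None  # unreachable: the policy's own label always forms a section


def apply_move(policies, policyid, plan):
    """Reorder the list as FortiManager would after fmgr_move runs."""
    moving = next(p for p in policies if p["policyid"] == policyid)
    rest = [p for p in policies if p["policyid"] != policyid]
    t = next(i for i, p in enumerate(rest) if p["policyid"] == plan["target"])
    at = t + 1 if plan["action"] == "after" else t
    return rest[:at] + [moving] + rest[at:]


def move_task(adom, pkg, policyid, plan):
    """Render the task dict in the same parameter layout as Dux's playbook.
    Note the move is keyed by policy ID, not by the GUI's '#' column."""
    return {
        "fortinet.fortimanager.fmgr_move": {
            "move": {
                "selector": "pkg_firewall_policy",
                "target": plan["target"],
                "action": plan["action"],
                "self": {"adom": adom, "pkg": pkg, "policy": policyid},
            }
        }
    }


if __name__ == "__main__":
    print("before:", sections(POLICIES))
    print("lookalikes:", lookalike_labels(POLICIES))
    plan = move_plan(POLICIES, 45)
    print("task:", move_task("my_adom", "my_pkg", 45, plan))
    print("after:", sections(apply_move(POLICIES, 45, plan)))
```

Running it shows the three-section layout from the screenshot (two "Sezione 1" runs separated by "Sezione 2"), flags policy 50's trailing-space label, and emits a single move of policy 45 after policy 26, after which the first "Sezione 1" run absorbs it. Moving one policy shifts it in the sequence that FortiGate evaluates, so review the resulting order before installing the package.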

@DenisPerricone (Author)

Thank you so much, you were really kind and clear. I will not hesitate to write to you if my client has any questions or needs clarification.
Again, thanks!

2 participants