firewall policy always shows changes
Opened this issue · 6 comments
I am using the firewall policy module to configure my Fortigate device and have encountered two issues with this module.
- Duplicate Entries in Source and Destination Addresses:
When there are duplicate entries in the policy addresses, the module always indicates changes, even though no actual changes are made on the Fortigate device. I am unsure if this behavior is a bug, but it consistently shows changes in the presence of duplicate entries.
- --check Option:
When I run my playbook with the --check option, it always reports changes for the firewall policies. However, when I run the playbook without the --check option, no changes are applied, and everything shows as green.
@milad-24 What release? Because there is some change/fix with last release? (for --check)
Why do you have duplicate entries on source/destination? (I think there is some same issue with interface...)
@alagoutte I used fortinet.fortios version 2.3.7.
One of my tasks in the Ansible playbook aggregates different addresses for various environments and teams to be used in a policy, making it challenging to identify the root cause of this issue. I discovered that my Fortigate repository contained a duplicate entry for an address. After removing the duplicate entry, the problem was solved. However, I believe the module should at least throw an error instead of indicating state changes every time.
For all firewall policies that include multiple addresses (for both source and destination), the --check option indicates changes.
I encountered a similar issue with IP pools.
Have you looked at using `| unique` in your playbook?
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/unique_filter.html
It's the latest version (2.3.7).
Yes, I used `unique` to make sure that the address is unique, but what about the IP pool? I have only one IP:

```yaml
ippool:
  - name: POOL_TEST
    startip: 172.16.1.100
    endip: 172.16.1.100
```
when I run it without --check there are no changes and everything is green.
I ran it without using a variable too:

```yaml
- name: Configure IPv4 IP pools.
  fortinet.fortios.fortios_firewall_ippool:
    state: "present"
    access_token: "{{ fortios_access_token }}"
    firewall_ippool:
      name: "POOL_TEST"
      add_nat64_route: "disable"
      arp_reply: "enable"
      endip: "172.16.1.100"
      startip: "172.16.1.100"
      nat64: "disable"
      type: "overload"
```
Hi @milad-24 ,
Thank you for raising these two issues. I can reproduce them. The reason for this issue is that Ansible treats them as a list and strictly compares it with the data returned by the API. I have reported this to the development team for fixing. Thank you for your valuable suggestion.
Thanks,
Maxx
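The maintainer's diagnosis above (a strict list comparison between the play's member list and the API response) can be illustrated in Python. This is an added example, not code from the fortinet.fortios collection; the policy field names, address names and the `diff_policy`/`find_duplicates` helpers are constructed for illustration.

```python
# Added example (not from the fortios collection): why a strict list
# comparison reports a change when the play carries duplicate address
# entries, and an order/duplicate-insensitive comparison that does not.

def strict_differs(desired, current):
    """Mimics a strict list comparison: order and duplicates both matter."""
    return desired != current

def normalize_members(members):
    """FortiOS member lists are sets of {'name': ...} entries; order and
    repetition carry no meaning, so compare the sorted set of names."""
    return sorted({m["name"] for m in members})

def normalized_differs(desired, current):
    return normalize_members(desired) != normalize_members(current)

def diff_policy(desired, current, fields=("srcaddr", "dstaddr")):
    """Member fields whose normalized content differs; an empty list means
    the device already matches the play (no change to report)."""
    return [f for f in fields if normalized_differs(desired[f], current[f])]

def find_duplicates(members):
    """Names listed more than once in the play; a playbook may prefer to
    fail on these rather than silently report a change on every run."""
    seen, dups = set(), []
    for m in members:
        if m["name"] in seen and m["name"] not in dups:
            dups.append(m["name"])
        seen.add(m["name"])
    return dups

# Constructed sample: the play aggregates addresses for several teams and
# ends up with NET_TEAM_A twice; the device stores each member once and
# returns the members in its own order.
DESIRED_POLICY = {
    "srcaddr": [{"name": "NET_TEAM_A"}, {"name": "NET_TEAM_B"}, {"name": "NET_TEAM_A"}],
    "dstaddr": [{"name": "SRV_WEB"}],
}
DEVICE_POLICY = {
    "srcaddr": [{"name": "NET_TEAM_B"}, {"name": "NET_TEAM_A"}],
    "dstaddr": [{"name": "SRV_WEB"}],
}

if __name__ == "__main__":
    print("strict srcaddr differs:", strict_differs(DESIRED_POLICY["srcaddr"], DEVICE_POLICY["srcaddr"]))
    print("normalized diff fields:", diff_policy(DESIRED_POLICY, DEVICE_POLICY))
    print("duplicates in play:", find_duplicates(DESIRED_POLICY["srcaddr"]))
```

The strict comparison flags `srcaddr` as changed on every run, while the normalized comparison reports no difference, which is the behaviour the issue expects.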