fortinet-ansible-dev/ansible-galaxy-fortios-collection

firewall policy always shows changes

Opened this issue · 6 comments

I am using the firewall policy module to configure my Fortigate device and have encountered two issues with this module.

  • Duplicate Entries in Source and Destination Addresses:
    When there are duplicate entries in the policy addresses, the module always indicates changes, even though no actual changes are made on the Fortigate device. I am unsure if this behavior is a bug, but it consistently shows changes in the presence of duplicate entries.

  • --check Option:
    When I run my playbook with the --check option, it always reports changes for the firewall policies. However, when I run the playbook without the --check option, no changes are applied, and everything shows as green.

@milad-24 What release? Because there is some change/fix in the last release (for --check).

Why do you have duplicate entries on source/destination? (I think there is the same issue with interfaces...)

@alagoutte I used fortinet.fortios version 2.3.7.

One of my tasks in the Ansible playbook aggregates different addresses for various environments and teams to be used in a policy, making it challenging to identify the root cause of this issue. I discovered that my Fortigate repository contained a duplicate entry for an address. After removing the duplicate entry, the problem was solved. However, I believe the module should at least throw an error instead of indicating state changes every time.

For all firewall policies that include multiple addresses (for both source and destination), the --check option indicates changes.
I encountered a similar issue with IP pools.

It's the latest version (2.3.7).
Yes, I used unique to make sure that the address is unique, but what about the IP pool? I have only one IP:

```yaml
ippool:
  - name: POOL_TEST
    startip: 172.16.1.100
    endip: 172.16.1.100
```

When I run it without --check there are no changes and everything is green.
I ran it without using a variable too:

```yaml
- name: Configure IPv4 IP pools.
  fortinet.fortios.fortios_firewall_ippool:
    state: "present"
    access_token: "{{ fortios_access_token }}"
    firewall_ippool:
      name: "POOL_TEST"
      add_nat64_route: "disable"
      arp_reply: "enable"
      endip: "172.16.1.100"
      startip: "172.16.1.100"
      nat64: "disable"
      type: "overload"
```

Hi @milad-24 ,

Thank you for raising these two issues. I can reproduce them. The reason for this issue is that Ansible treats them as a list and strictly compares it with the data returned by the API. I have reported this to the development team for fixing. Thank you for your valuable suggestion.

Thanks,
Maxx
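To make the root cause Maxx describes concrete, here is an added model of the comparison, written for this page and not taken from the fortinet.fortios collection. It reproduces the symptom (a member list with a repeated address compared strictly, as a plain Python list, against what the device returns), shows that the same strict comparison also trips on ordering differences once the duplicate is gone, and puts beside it the two behaviours the reporter asked for: rejecting duplicate members with an error, and comparing member lists by name regardless of order or repeats. The data shapes are assumptions, not something the thread states: srcaddr/dstaddr are taken to travel as lists of {"name": ...} objects, the device is assumed to store them de-duplicated, and the sample policies are constructed for the example.

```python
"""Model of the list comparison discussed in this issue.

Added example, not code from the fortinet.fortios collection. Assumptions
(not stated in the thread): srcaddr/dstaddr are lists of {"name": ...}
objects, the device stores them de-duplicated, and the order the device
returns them in is not guaranteed to match the playbook.
"""

from __future__ import annotations

from typing import Any

LIST_KEYS = ("srcaddr", "dstaddr")

# Constructed sample: what an aggregated playbook variable produced.
# "web-01" appears twice, like the duplicate in the reporter's repository.
DESIRED_POLICY: dict[str, Any] = {
    "name": "allow-web",
    "srcaddr": [{"name": "web-01"}, {"name": "web-01"}, {"name": "web-02"}],
    "dstaddr": [{"name": "all"}],
    "action": "accept",
}

# Constructed sample: what the device reports for the same policy (assumed
# de-duplicated, in the device's own order).
DEVICE_POLICY: dict[str, Any] = {
    "name": "allow-web",
    "srcaddr": [{"name": "web-02"}, {"name": "web-01"}],
    "dstaddr": [{"name": "all"}],
    "action": "accept",
}


def strict_changed_keys(desired: dict[str, Any], current: dict[str, Any]) -> list[str]:
    """Reported behaviour: a key is 'changed' when the two Python values
    differ, so a repeated or reordered list member is always a difference."""
    return [k for k in desired if desired.get(k) != current.get(k)]


def duplicate_members(desired: dict[str, Any]) -> dict[str, list[str]]:
    """Member names that occur more than once, keyed by list field."""
    out: dict[str, list[str]] = {}
    for key in LIST_KEYS:
        names = [m["name"] for m in desired.get(key, [])]
        repeated = sorted({n for n in names if names.count(n) > 1})
        if repeated:
            out[key] = repeated
    return out


def normalised_changed_keys(desired: dict[str, Any], current: dict[str, Any]) -> list[str]:
    """Order- and duplicate-insensitive comparison: member lists are reduced
    to the set of names before comparing; scalar keys compare as before."""
    changed: list[str] = []
    for key in desired:
        a, b = desired.get(key), current.get(key)
        if key in LIST_KEYS:
            a = frozenset(m["name"] for m in (a or []))
            b = frozenset(m["name"] for m in (b or []))
        if a != b:
            changed.append(key)
    return changed


def dedupe(desired: dict[str, Any]) -> dict[str, Any]:
    """Drop repeated member names, keeping the first occurrence and order."""
    out = dict(desired)
    for key in LIST_KEYS:
        if key not in desired:
            continue
        seen: set[str] = set()
        kept = []
        for m in desired[key]:
            if m["name"] not in seen:
                seen.add(m["name"])
                kept.append(m)
        out[key] = kept
    return out


def plan_update(desired: dict[str, Any], current: dict[str, Any], strict: bool = False) -> bool:
    """Decide whether an update call is needed. Duplicates are rejected with
    an error instead of being reported as a change on every run."""
    dups = duplicate_members(desired)
    if dups:
        raise ValueError(f"duplicate members in policy {desired.get('name')!r}: {dups}")
    if strict:
        return bool(strict_changed_keys(desired, current))
    return bool(normalised_changed_keys(desired, current))


if __name__ == "__main__":
    print("strict:", strict_changed_keys(DESIRED_POLICY, DEVICE_POLICY))
    print("duplicates:", duplicate_members(DESIRED_POLICY))
    print("normalised:", normalised_changed_keys(DESIRED_POLICY, DEVICE_POLICY))
    print("strict after dedupe:", strict_changed_keys(dedupe(DESIRED_POLICY), DEVICE_POLICY))
    print("update needed:", plan_update(dedupe(DESIRED_POLICY), DEVICE_POLICY))
```

The strict path reports srcaddr as changed both with the duplicate present and after it is removed, because the device returns the members in a different order; the normalised path reports nothing, and plan_update refuses the duplicated input outright, which is the error the reporter suggested the module should raise.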