topic Re: FTD Ansible Module in Network Security

FTD Ansible Module

Michael Keetman — Mon, 28 Sep 2020 23:58:50 GMT

Hello,

I am trying to update an StoS Connection profile using the FTD Ansible modules. I can't seem to get past the first post. When running the operation, I continually get the erorr:

fatal: [ftd]: FAILED! => {"changed": false, "msg": {"Invalid data provided": "'type'"}}

In my playbook I am retrieving the VPN settings in a task and saving the result as "stosprofile" which I then use to fill out all of the mandatory fields per the documentation: https://developer.cisco.com/site/ftd-ansible/#!editstosconnectionprofile/

 - name: edit outside stos vpn
      ftd_configuration:
        operation: editSToSConnectionProfile
        data:
          name: Name_Updated_2
          ikev1AuthMethod: "{{ stosprofile.ikev1AuthMethod }}"
          ikev2AuthMethod: "{{ stosprofile.ikev2AuthMethod }}"
          ikev1Enabled: "{{ stosprofile.ikev1Enabled }}"
          ikev2Enabled: "{{ stosprofile.ikev2Enabled }}"
          rriEnabled: "{{ stosprofile.rriEnabled }}"
          dynamicRRIEnabled: "{{ stosprofile.dynamicRRIEnabled }}"
          ipsecLifetimeInSeconds: "{{ stosprofile.ipsecLifetimeInSeconds }}"
          ipsecLifetimeInKiloBytes: "{{ stosprofile.ipsecLifetimeInKiloBytes }}"
          ipsecLifetimeUnlimited: "{{ stosprofile.ipsecLifetimeUnlimited }}"
          type: "stosconnectionprofile"
          outsideInterfaces: "{{ stosprofile.outsideInterfaces }}"
          id: "{{ stosprofile.id }}"
        path_params:
          objId: <objid>

When I run the operation with `check_mode: yes` I get a successful completion

What am I missing here?

Re: FTD Ansible Module

nstapp — Tue, 16 Mar 2021 19:57:29 GMT

Hey Michael,

Literally just found the issue and resolution. I've been troubleshooting this with a customer recently and it appears that the FTDAnsible module has some validation bugs it in (likely linked to FTD version and Spec checking done in ansible). This is an ANSIBLE / ANSIBLE MODULE issue, not an FTD issue.

I'm assuming you are running FTD 6.6 + . I assume this because this is where changes to the Spec have been made and are causing issues with the antiquated version of FTDAnsible in Ansible (even version 2.9).

Bottom line is when you try to push a change to FTD via Ansible the FTDAnsible module validates the command by pulling a syntactical schema and making sure your command matches, only then will it send the command. This validation fails in FTDAnsible with Ansible 2.9 and earlier with FTD 6.6+ because the Type field is no longer provided in the spec.

On december 15th and 16th changes were pushed to allow FTDAnsible to properly validate commands to make changes, they were incorporated into the v0.3.1 release on Apr 28th 2020.

You can either update FTDAnsible manually to v0.3.1 or make the changes manually to the module files in your version.

Changes here: https://github.com/CiscoDevNet/FTDAnsible/commit/9ce13b31337294d6aaec733a47e13a3c2d522d54

Re: FTD Ansible Module

nstapp — Thu, 18 Mar 2021 16:54:42 GMT

I wanted to make this a little easier to do so and warn/clarify about a bug currently affecting FTDAnsible module.

Even if you install the Galaxy collection community.networks (which has a more recent version of FTDAnsible) it currently imports and uses the native built in fdm_swagger_client.py
It is generally NOT recommended to modify the built-ins because an update at any time can overwrite them, however in this case there is little workaround unless you use the DOCKER container version.

Attached is the ACTUAL file you will need to replace the current fdm_swagger_client.py with and the instructions are as follows:

Based on the Linux version and the Ansible version "fdm_swagger_client" could be in different directories because of your python distro, so the below instructions account for that

DO THIS FIRST:

sudo su -
cd /
find . -name fdm_swagger_client.py

You will see something that looks like

DONT DO THIS - IT IS AN EXAMPLE

/usr/lib/python3.6/site-packages/ansible/module_utils/network/ftd/fdm_swagger_client.py

If you have installed the galaxy collections you will see others as well, but it is the one that starts with the /USR/LIB directory that is the one you ultimately need to modify till a new version gets pushed, and untill the galaxy collection bug is addressed.

DO THIS SECOND

But replace the file path with whatever was returned with your search from the FIND command:

mv <ORIGINAL FDM_SWAGGER_CLIENT PATH> <ORIGINAL FDM_SWAGGER_CLIENT PATH.BAK> nano <ORIGINAL FDM_SWAGGER_CLIENT PATH>

DONT DO THIS - IT IS AN EXAMPLE

mv /usr/lib/python3.6/site-packages/ansible/module_utils/network/ftd/fdm_swagger_client.py /usr/lib/python3.6/site-packages/ansible/module_utils/network/ftd/fdm_swagger_client.py.bak
nano /usr/lib/python3.6/site-packages/ansible/module_utils/network/ftd/fdm_swagger_client.py

Now open the file I provided with this post, copy the text and paste it into the nano editor via. Then hit CTRL+o, enter, CTRL+x.

Thats it! you are done and can now run playbooks against FTD6.6+

Re: FTD Ansible Module

mattw — Mon, 20 Sep 2021 18:48:09 GMT

Thank you @nstapp,

I'm prepping for the SAUTO exam so I've been playing with Ansible and FTD for the first time and this was doing my head in (especially as a complete Ansible n00b). Stumbled on your post and it sorted it right out. THANK YOU!!!!