topic Re: Deploy Via Ansible on FMC in Network Security

Deploy Via Ansible on FMC

fmugambi — Mon, 05 May 2025 11:08:41 GMT

Hello Team,

Been trying to use ansible on FMC 7.4.5, to update host objects and manual NATs.
1. Been able to update the host objects, but having challenges on the deployment of the same.
This is because, from the GUI, when I want to deploy, there is a prompt to ignore some warnings , not errors. How do you cater for this warnings from the ansible playbook, not to stop the playbook from running.

2. On the updating the manual NATs, i need assistance, not able to have it running.

Regards,

Re: Deploy Via Ansible on FMC

Torbjørn — Tue, 06 May 2025 07:28:12 GMT

Hello @fmugambi,

1. You need to add "ignoreWarning: True" to your createDeploymentRequest step. See the following example from the Github repository:

- name: Execute 'createDeploymentRequest' operation
  cisco.fmcansible.fmc_configuration:
    operation: "createDeploymentRequest"
    data:
        type: DeploymentRequest
        version: 1457566762351
        forceDeploy: False
        ignoreWarning: True
        deviceList: ['d94f7ada-d141-11e5-acf3-c41f7e67fb1b']
        deploymentNote: yournotescomehere
    path_params:
        domainUUID: "{{ domain_uuid }}"

2. Can you elaborate here, I am not sure that I am interpreting your issue correctly.

Re: Deploy Via Ansible on FMC

fmugambi — Tue, 06 May 2025 13:41:28 GMT

First of all, thankyou very much, problem 1 worked end-to-end.

On problem 2, i have nat config as below,with the respective objects;

nat (Inside,Outside) source static PROD-K8S-LOCAL -PROD-K8S-NAT description PROD-IPS

object-group network PROD-K8S-LOCAL
description PRODUCTION K8S NODES
network-object 192.168.45.150 255.255.255.255
network-object 192.168.45.203 255.255.255.255
network-object 192.168.45.205 255.255.255.255
network-object 192.168.45.45.207 255.255.255.255

object network PROD-K8S-NAT
host 100.169.239.177

I would like to use ansible to change the source nat pool to a different group , as below ,

nat (Inside,Outside) source static DR-PROD-K8S-LOCAL PROD-K8S-NAT description DR-PROD-IPS

object-group network DR-PROD-K8S-LOCAL
description DR-PRODUCTION K8S NODES
network-object 192.168.40.150 255.255.255.255
network-object 192.168.40.203 255.255.255.255
network-object 192.168.40.205 255.255.255.255
network-object 192.168.40.45.207 255.255.255.255

Question,
1. Is it possible to use same example as above to just change the group objects to the new source pool?
2. if we don't want to amend the objects, how can ansible change the NAT command as a whole, to change the source pool.

Thank you.

Re: Deploy Via Ansible on FMC

Torbjørn — Tue, 06 May 2025 15:31:31 GMT

1. It should be fine to just alter the NAT rule for the new object.
2. You can only have one NAT rule for a given destination object, you must hence either alter or replace the existing NAT rule fully.

Re: Deploy Via Ansible on FMC

fmugambi — Tue, 06 May 2025 16:32:36 GMT

Please help with the ansible playbook for this.

Re: Deploy Via Ansible on FMC

Torbjørn — Tue, 06 May 2025 18:38:21 GMT

There's a sample for configuring NAT in the Ansible module Github repo. It's a good place to start.
If you need further assistance with this, can you post the relevant sections of your current playbook?

Re: Deploy Via Ansible on FMC

fmugambi — Wed, 07 May 2025 12:50:24 GMT

Hi, went ahead and configured the playbook,
getting attached error,

what operation do i need to invoke, note am doing a source pool to an external ip translation, then false on the outside interface.
below is the code where the output is complaining,

- name: Get the Source Network Pool Object (Pointing-To-ADC)
cisco.fmcansible.fmc_configuration:
operation: getAllNetworkGroupObject
query_params:
filter: 'nameOrValue:PROD-K8S-LOCAL'
path_params:
domainUUID: '{{ domain[0].uuid }}'
register_as: source_network

- name: Get the translated network object
cisco.fmcansible.fmc_configuration:
operation: getAllNetworkGroupObject
query_params:
filter: 'nameOrValue:PROD-K8S-NAT'
path_params:
domainUUID: '{{ domain[0].uuid }}'
register_as: translated_network

what could I be missing?

Re: Deploy Via Ansible on FMC

Torbjørn — Thu, 08 May 2025 07:29:22 GMT

You look to be well on your way to get this working!

You should be using getAllNetworkObject here. This also encompasses group objects.

Re: Deploy Via Ansible on FMC

fmugambi — Thu, 08 May 2025 13:46:32 GMT

Thanks, passed that level, but got to a different roadblock,

Below is my code,

- name: Get the Source Network Pool Object (Pointing-To-ADC)
cisco.fmcansible.fmc_configuration:
operation: getAllNetworkObject
query_params:
filter: 'nameOrValue:EADC-PROD-K8S-LOCAL'
path_params:
domainUUID: '{{ domain[0].uuid }}'
register_as: source_network

- name: Fail if source network not found
fail:
msg: "Source network object 'EADC-PROD-K8S-LOCAL' not found."
when: source_network | length == 0

Wonder why yet from the device itself the object exists;

Thanks

Re: Deploy Via Ansible on FMC

Torbjørn — Thu, 08 May 2025 13:55:11 GMT

I'm sorry @fmugambi, I misremembered the usage of getAllNetworkObject in regards to group objects. You should use getAllNetworkGroup there instead. The parameters should be the same so you'll only have to change the operation.

Re: Deploy Via Ansible on FMC

fmugambi — Thu, 08 May 2025 13:57:35 GMT

Got it ,
wha if the object is just host, what operation do I use?

Re: Deploy Via Ansible on FMC

fmugambi — Thu, 08 May 2025 14:00:13 GMT

i think i Got it;
getAllHostObject

Re: Deploy Via Ansible on FMC

Torbjørn — Thu, 08 May 2025 14:01:49 GMT

That would be getAllHostObject, same parameters used there.
The list of all available operations can be found under the docs in the Github repository

EDIT: Wrote this before I saw the reply above. You're correct!

Re: Deploy Via Ansible on FMC

fmugambi — Thu, 08 May 2025 14:02:22 GMT

so far so good, nat seems to have worked,
allow me to include the deployment code on the playbook, to have it run end-to-end i.e work on the nat and deploy the changes,
will update here.
thankyou so much for your help to this point.

Re: Deploy Via Ansible on FMC

fmugambi — Thu, 08 May 2025 15:18:31 GMT

hello @Torbjørn ,
was able to successfully deploy the nat but sorry, run into another issue.
instead of replacing the nat 1 to nat 2, i have ended up creating nat 1 and nat 2?
what can i do just to replace not add?
thanks.

Re: Deploy Via Ansible on FMC

Torbjørn — Thu, 08 May 2025 17:35:07 GMT

I would just add a step that removes the old one, either before or after the creation of the new one.

Re: Deploy Via Ansible on FMC

fmugambi — Mon, 12 May 2025 10:49:50 GMT

Hi,
been trying this over the weekend, got very stuck > the deletion bit.
i have multiple static manual Nats, I would not wish to affect the rest , just specific one.
Been using the source and destination IP address to use to filter the nat rule to delete to no joy.
when i debug i notice the nats output in form of either, 'id' 'links' ' type' but id & links seem as the unique identifiers.
question if say the current nat rule i wish to delete is 2, and its successfully deleted, then the new added one id is 8, next time if i want to delete this new nat, i must change my playbook?
or am i missing something?

Re: Deploy Via Ansible on FMC

Torbjørn — Mon, 12 May 2025 11:01:47 GMT

You should find the correct rule by filtering for specified attributes(as you have been trying) to avoid hardcoding IDs. Can you post the relevant parts of your playbook along with the error message you are receiving?

Re: Deploy Via Ansible on FMC

fmugambi — Mon, 12 May 2025 11:10:31 GMT

- name: Get the already existing nat pool to delete
cisco.fmcansible.fmc_configuration:
operation: getAllNetworkGroup
query_params:
filter: 'nameOrValue:DR-PROD-K8S-LOCAL'
path_params:
domainUUID: '{{ domain[0].uuid }}'
register_as: delete_source_network

- name: Fail if source network object to be deleted 'DR-PROD-K8S-LOCAL' not found
fail:
msg: "Source network object 'DR-PROD-K8S-LOCAL' not found."
when: delete_source_network | length == 0

- name: Get the translated network object from the intended to delete nat pool
cisco.fmcansible.fmc_configuration:
operation: getAllHostObject
query_params:
filter: 'nameOrValue:DR-PROD-K8S-NAT'
path_params:
domainUUID: '{{ domain[0].uuid }}'
register_as: delete_translated_network

- name: Fail if translated network object on the to be deleted source pool 'DR-PROD-K8S-NAT' not found
fail:
msg: "Translated network object for the pool to be deleted 'DR-PROD-K8S-NAT' not found."
when: delete_translated_network | length == 0

- name: Get FTD Manual NAT Rules for 'DR-NATs' to delete
cisco.fmcansible.fmc_configuration:
operation: "getAllFTDManualNatRule"
path_params:
containerUUID: "{{ natpolicy.id }}"
domainUUID: "{{ domain[0].uuid }}"
register_as: natrule_to_delete

- name: Debug Nat Rule to Delete
debug:
var: natrule_to_delete

- name: Find NAT rule with matching source and translated addresses to delete
set_fact:
rule_to_delete: "{{ natrule_to_delete.results | selectattr('originalSource.id', 'equalto', delete_source_network[0].id) | selectattr('translatedSource.id', 'equalto', delete_translated_network[0].id) | list | first }}"

- name: Fail if no matching NAT rule is found to delete
fail:
msg: "NAT rule with source 'DR-PROD-K8S-LOCAL' and translated source 'DR-PROD-K8S-NAT' not found."
when: rule_to_delete is not defined

- name: Delete the NAT rule
cisco.fmcansible.fmc_configuration:
operation: deleteFTDManualNatRule
path_params:
containerUUID: "{{ natpolicy.id }}"
domainUUID: "{{ domain[0].uuid }}"
objectId: "{{ rule_to_delete.id }}"

Re: Deploy Via Ansible on FMC

fmugambi — Mon, 12 May 2025 12:09:41 GMT

ASK [Find NAT rule with matching source and translated addresses to delete] *****************************************************************************************
fatal: [DR-FMCv]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'list object' has no attribute 'results'. 'list object' has no attribute 'results'\n\nThe error appears to be in '/etc/ansible/NAT_FAILOVER/dr-ftd-starting_traffic.yaml': line 130, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Find NAT rule with matching source and translated addresses to delete\n ^ here\n"}

PLAY RECAP ***********************************************************************************************************************************************************
DR-FMCv : ok=12 changed=0 unreachable=0 failed=1 skipped=5 rescued=0 ignored=0