09-14-2023 02:54 PM
Hello Cisco Community,
I hope this post finds you well. I'm encountering an issue while using Ansible to manage my Cisco Firepower Threat Defense (FTD) firewall. Specifically, I'm trying to create a network object, but I keep running into the error message "Invalid data provided 'type'". I've tried troubleshooting this problem extensively and reviewed the post at https://community.cisco.com/t5/network-security/ftd-ansible-module/td-p/4158369, but it didn't provide a solution.
Here are the specifics of my environment:
I've followed the documentation and examples provided by Cisco and Ansible, but I can't seem to get past this error. My playbook snippet looks something like this:
- name: Create Network Object
  community.network.ftd_configuration:
    operation: "addNetworkObject"
    data:
      name: "my-object"
      description: "some object descr."
      subtype: "HOST"
      value: "192.168.1.1"
      type: "networkobject"
    register_as: result
I've also looked into the Ansible GitHub repository for the cisco.ftd module, and it does indeed seem abandoned. This could be a contributing factor to the issue, but I'm hopeful that there might be a workaround or a solution that others in the community have discovered.
Has anyone encountered a similar problem with Ansible and FTD? If so, could you please share your insights or any possible workarounds? Any help or guidance would be greatly appreciated.
Thank you in advance for your assistance!
09-30-2023 01:29 AM
The fields look to be outdated. The fields you need are:
For Host
{
  "name": "OBJECT NAME",
  "description": "SOME DESCRIPTION",
  "value": "192.168.1.1",
  "type": "Host"
}
For Network
{
  "name": "NETWORK NAME",
  "description": "SOME DESCRIPTION",
  "value": "192.168.1.0/24",
  "type": "Network"
}
09-30-2023 04:23 AM
Hi Marius
I tried your suggestion, but it is still the same.
09-30-2023 07:49 AM
Is this an FTD managed by FMC or FDM?
10-01-2023 06:23 AM - edited 10-01-2023 06:24 AM
This is managed by FDM.
10-10-2023 09:32 PM
The error message suggests that the value you're providing for the 'type' parameter is not valid. According to the Ansible documentation for the ftd_configuration module, the valid values for the 'type' parameter are 'host', 'network', 'range', 'fqdn', 'country', 'port', 'protocol', 'url', 'wildcard', 'mac', 'user', 'usergroup', 'realm', 'securityzone', 'geolocation', 'attribute', and 'atp'.
In your playbook snippet, you've set the 'type' parameter to 'networkobject', which is not a valid value. You should change it to one of the valid types mentioned above.
Here's an updated version of your playbook snippet:
- name: Create Network Object
  community.network.ftd_configuration:
    operation: "addNetworkObject"
    data:
      name: "my-object"
      description: "some object descr."
      subtype: "HOST"
      value: "192.168.1.1"
      type: "host"
    register_as: result
Please make sure to adjust the 'type' parameter to one of the valid values mentioned earlier. This should resolve the "Invalid data provided 'type'" error.
10-11-2023 12:41 PM
Hi Urathod
Thank you for trying to help.
I just tried to run your sample, but it does exactly the same. I attached a screenshot.
I even tried running the example from the devnet, but that does the same: https://developer.cisco.com/docs/ftd-ansible-api-v7-2/#!ftd_configuration/examples.
I looked at the Ansible doc here: https://docs.ansible.com/ansible/latest/collections/community/network/ftd_configuration_module.html#ansible-collections-community-network-ftd-configuration-module
To me it looks like my initial playbook was correct. I am just not sure what is going on here...
Did you have your suggestion working?
02-14-2024 02:48 PM
Hey there, were you able to solve this problem? I ran into the same issue, and it looks like the FTDAnsible included with even the latest version of Ansible is outdated and doesn't provide support for the type field. I was able to resolve this by replacing the fdm_swagger_client.py in my Python distro with the newer version from https://github.com/CiscoDevNet/FTDAnsible/blob/master/module_utils/fdm_swagger_client.py. This may work for you by just doing that; it did on one of my machines. On another of my machines, with a newer version of Ansible, I had to modify that file with the newer import on line 19. Essentially replacing the line with
. Hope that helps!
02-20-2024 11:49 PM
Hi AdamOrdal
No, I never got the Ansible scripts to work. I ended up stitching some Python together instead. It was a hassle for me, since I'm not a programmer, but I made it work.
I did find the suggestion you mention here, but never got it to work. If you just made it work, I will try it again, because I would really rather use Ansible.
Thank you for the suggestion.
02-21-2024 02:20 AM
I'm literally having the same error, I don't understand what's happening and I can't find a solution anywhere...
02-21-2024 03:32 AM - edited 02-21-2024 03:32 AM
I have a feeling that the repos (or at least this code for FTD) have been abandoned. I tried reaching out via a bug report on GitHub, but no one ever responded.
But if the solution here works, then at least that will work until the next time Cisco changes the API.
02-21-2024 02:47 AM
Hello, I have solved the error in the following way:
https://github.com/CiscoDevNet/FTDAnsible/blob/master/module_utils/fdm_swagger_client.py
You have to replace this file with this code and within this code you also have to replace the following line:
from ansible.module_utils.network.ftd.common import HTTPMethod
By this line:
from ansible_collections.community.network.plugins.module_utils.network.ftd.common import HTTPMethod
With these two changes it already works. I hope it works for you; if you have questions, you can write to me without problem.
03-26-2024 08:53 PM
This seems to happen due to a failure during data validation.
When you make an 'add' or 'upsert' operation, which works with a 'PUT' or 'POST' API call, the Python module checks whether the user input aligns with what FTD expects to see (def validate_data in FTDAnsible / module_utils/fdm_swagger_client.py).
And to find what 'FTD expects to see', it makes an API call to "/apispec/ngfw.json".
For example, for 'networkobject', it will try to find 'networkobject' in the ngfw.json file, see what the expected value is, and compare it with what you provided in the Ansible playbook.
The issue here is that, in the ngfw.json file, I'm seeing an unexpected value returned for some of the attributes. Below is a snippet of ngfw.json where it relates to networkobject.
"NetworkObject": {
  "type": "object",
  "properties": {
    "version": {
      "type": "string"
    },
    "name": {
      "type": "string"
    },
    "description": {
      "type": "string"
    },
    "subType": {
      "$ref": "#/definitions/NetworkObjectType"
    },
    "value": {
      "type": "string"
    },
    "isSystemDefined": {
      "type": "boolean"
    },
    "dnsResolution": {
      "$ref": "#/definitions/FQDNDNSResolution"
    },
    "id": {
      "type": "string"
    },
    "type": {
      "type": "string",
      "default": "networkobject"
    }
  },
  "required": [
    "name",
    "subType",
    "type",
    "value"
  ]
},
From this result, we can see that the type of the version, name and description values needs to be string; however, we are seeing '$ref' instead of 'type' under subType, and '#/definitions/NetworkObjectType' instead of 'string'. This will cause an exception during the data validation process.
I wouldn't call this an Ansible module issue, but more of FTD providing an unexpected value on the /apispec/ngfw.json API call.
I haven't tested on various versions, so the outcome might be different based on the version.
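The spec-driven check described in the post above, as an added example that is not part of the thread and is not FTDAnsible's code: a validator that expects a literal 'type' on every property fails on the '$ref' under subType, while one that resolves the reference can check the value. SPEC copies the quoted ngfw.json fragment; the NetworkObjectType enum values and all function names are assumptions made for illustration.

```python
# Added example. SPEC mirrors the ngfw.json fragment quoted in the post;
# the NetworkObjectType enum values are assumed for illustration.
SPEC = {
    "definitions": {
        "NetworkObjectType": {"type": "string",
                              "enum": ["HOST", "NETWORK", "FQDN", "RANGE"]},
        "NetworkObject": {
            "type": "object",
            "properties": {
                "name": {"type": "string"},
                "description": {"type": "string"},
                "subType": {"$ref": "#/definitions/NetworkObjectType"},
                "value": {"type": "string"},
                "type": {"type": "string", "default": "networkobject"},
            },
            "required": ["name", "subType", "type", "value"],
        },
    }
}

PY_TYPES = {"string": str, "boolean": bool, "integer": int}


def resolve(spec, schema):
    """Follow local '#/definitions/X' references until a concrete schema is reached."""
    while "$ref" in schema:
        schema = spec["definitions"][schema["$ref"].rsplit("/", 1)[-1]]
    return schema


def naive_validate(spec, model, data):
    """Assumes every property carries 'type'; raises KeyError on a '$ref' property."""
    props = spec["definitions"][model]["properties"]
    return [k for k, v in data.items()
            if k in props and not isinstance(v, PY_TYPES[props[k]["type"]])]


def validate(spec, model, data):
    """Return sorted problems: missing, unknown, wrong type, or value not in enum."""
    schema = spec["definitions"][model]
    errors = [f"missing: {k}" for k in schema.get("required", []) if k not in data]
    for key, value in data.items():
        if key not in schema["properties"]:
            errors.append(f"unknown: {key}")
            continue
        prop = resolve(spec, schema["properties"][key])
        if not isinstance(value, PY_TYPES[prop["type"]]):
            errors.append(f"wrong type: {key}")
        elif "enum" in prop and value not in prop["enum"]:
            errors.append(f"not in enum: {key}")
    return sorted(errors)
```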