New in version 2.9.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments |
---|---|---|
host string | | FortiOS or FortiGate IP address. |
https boolean | | Indicates if the requests towards FortiGate must use HTTPS protocol. |
password string | Default: "" | FortiOS or FortiGate password. |
ssl_verify boolean | | Ensures FortiGate certificate must be verified by a proper CA. |
system_ha dictionary | Default: null | Configure HA. |
↳ arps integer | | Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce failover time. |
↳ arps_interval integer | | Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher to reduce traffic. |
↳ authentication string | | Enable/disable heartbeat message authentication. |
↳ cpu_threshold string | | Dynamic weighted load balancing CPU usage weight and high and low thresholds. |
↳ encryption string | | Enable/disable heartbeat message encryption. |
↳ ftp_proxy_threshold string | | Dynamic weighted load balancing weight and high and low number of FTP proxy sessions. |
↳ gratuitous_arps string | | Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled. |
↳ group_id integer | | Cluster group ID (0 - 255). Must be the same for all members. |
↳ group_name string | | Cluster group name. Must be the same for all members. |
↳ ha_direct string | | Enable/disable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, and FortiSandbox. |
↳ ha_eth_type string | | HA heartbeat packet Ethertype (4-digit hex). |
↳ ha_mgmt_interfaces list | | Reserve interfaces to manage individual cluster units. |
↳↳ dst string | | Default route destination for reserved HA management interface. |
↳↳ gateway string | | Default route gateway for reserved HA management interface. |
↳↳ gateway6 string | | Default IPv6 gateway for reserved HA management interface. |
↳↳ id integer / required | | Table ID. |
↳↳ interface string | | Interface to reserve for HA management. Source system.interface.name. |
↳ ha_mgmt_status string | | Enable to reserve interfaces to manage individual cluster units. |
↳ ha_uptime_diff_margin integer | | Normally you would only reduce this value for failover testing. |
↳ hb_interval integer | | Time between sending heartbeat packets (1 - 20 (100*ms)). Increase to reduce false positives. |
↳ hb_lost_threshold integer | | Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false positives. |
↳ hbdev string | | Heartbeat interfaces. Must be the same for all members. |
↳ hc_eth_type string | | Transparent mode HA heartbeat packet Ethertype (4-digit hex). |
↳ hello_holddown integer | | Time to wait before changing from hello to work state (5 - 300 sec). |
↳ http_proxy_threshold string | | Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions. |
↳ imap_proxy_threshold string | | Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions. |
↳ inter_cluster_session_sync string | | Enable/disable synchronization of sessions among HA clusters. |
↳ key string | | key |
↳ l2ep_eth_type string | | Telnet session HA heartbeat packet Ethertype (4-digit hex). |
↳ link_failed_signal string | | Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network. |
↳ load_balance_all string | | Enable to load balance TCP sessions. Disable to load balance proxy sessions only. |
↳ memory_compatible_mode string | | Enable/disable memory compatible mode. |
↳ memory_threshold string | | Dynamic weighted load balancing memory usage weight and high and low thresholds. |
↳ mode string | | HA mode. Must be the same for all members. FGSP requires standalone. |
↳ monitor string | | Interfaces to check for port monitoring (or link failure). Source system.interface.name. |
↳ multicast_ttl integer | | HA multicast TTL on master (5 - 3600 sec). |
↳ nntp_proxy_threshold string | | Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions. |
↳ override string | | Enable and increase the priority of the unit that should always be primary (master). |
↳ override_wait_time integer | | Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. |
↳ password string | | Cluster password. Must be the same for all members. |
↳ pingserver_failover_threshold integer | | Remote IP monitoring failover threshold (0 - 50). |
↳ pingserver_flip_timeout integer | | Time to wait in minutes before renegotiating after a remote IP monitoring failover. |
↳ pingserver_monitor_interface string | | Interfaces to check for remote IP monitoring. Source system.interface.name. |
↳ pingserver_slave_force_reset string | | Enable to force the cluster to negotiate after a remote IP monitoring failover. |
↳ pop3_proxy_threshold string | | Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions. |
↳ priority integer | | Increase the priority to select the primary unit (0 - 255). |
↳ route_hold integer | | Time to wait between routing table updates to the cluster (0 - 3600 sec). |
↳ route_ttl integer | | TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes during failover. |
↳ route_wait integer | | Time to wait before sending new routes to the cluster (0 - 3600 sec). |
↳ schedule string | | Type of A-A load balancing. Use none if you have external load balancers. |
↳ secondary_vcluster dictionary | | Configure virtual cluster 2. |
↳↳ monitor string | | Interfaces to check for port monitoring (or link failure). Source system.interface.name. |
↳↳ override string | | Enable and increase the priority of the unit that should always be primary (master). |
↳↳ override_wait_time integer | | Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. |
↳↳ pingserver_failover_threshold integer | | Remote IP monitoring failover threshold (0 - 50). |
↳↳ pingserver_monitor_interface string | | Interfaces to check for remote IP monitoring. Source system.interface.name. |
↳↳ pingserver_slave_force_reset string | | Enable to force the cluster to negotiate after a remote IP monitoring failover. |
↳↳ priority integer | | Increase the priority to select the primary unit (0 - 255). |
↳↳ vcluster_id integer | | Cluster ID. |
↳↳ vdom string | | VDOMs in virtual cluster 2. |
↳ session_pickup string | | Enable/disable session pickup. Enabling it can reduce session down time when fail over happens. |
↳ session_pickup_connectionless string | | Enable/disable UDP and ICMP session sync for FGSP. |
↳ session_pickup_delay string | | Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced. |
↳ session_pickup_expectation string | | Enable/disable session helper expectation session sync for FGSP. |
↳ session_pickup_nat string | | Enable/disable NAT session sync for FGSP. |
↳ session_sync_dev string | | Offload session sync to one or more interfaces to distribute traffic and prevent delays if needed. Source system.interface.name. |
↳ smtp_proxy_threshold string | | Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions. |
↳ standalone_config_sync string | | Enable/disable FGSP configuration synchronization. |
↳ standalone_mgmt_vdom string | | Enable/disable standalone management VDOM. |
↳ sync_config string | | Enable/disable configuration synchronization. |
↳ sync_packet_balance string | | Enable/disable HA packet distribution to multiple CPUs. |
↳ unicast_hb string | | Enable/disable unicast heartbeat. |
↳ unicast_hb_netmask string | | Unicast heartbeat netmask. |
↳ unicast_hb_peerip string | | Unicast heartbeat peer IP. |
↳ uninterruptible_upgrade string | | Enable to upgrade a cluster without blocking network traffic. |
↳ vcluster2 string | | Enable/disable virtual cluster 2 for virtual clustering. |
↳ vcluster_id integer | | Cluster ID. |
↳ vdom string | | VDOMs in virtual cluster 1. |
↳ weight string | | Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>. |
username string | | FortiOS or FortiGate username. |
vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |
Note
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
    ssl_verify: "False"
  tasks:
    - name: Configure HA.
      fortios_system_ha:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        system_ha:
          arps: "3"
          arps_interval: "4"
          authentication: "enable"
          cpu_threshold: "<your_own_value>"
          encryption: "enable"
          ftp_proxy_threshold: "<your_own_value>"
          gratuitous_arps: "enable"
          group_id: "10"
          group_name: "<your_own_value>"
          ha_direct: "enable"
          ha_eth_type: "<your_own_value>"
          ha_mgmt_interfaces:
            - dst: "<your_own_value>"
              gateway: "<your_own_value>"
              gateway6: "<your_own_value>"
              id: "18"
              interface: "<your_own_value> (source system.interface.name)"
          ha_mgmt_status: "enable"
          ha_uptime_diff_margin: "21"
          hb_interval: "22"
          hb_lost_threshold: "23"
          hbdev: "<your_own_value>"
          hc_eth_type: "<your_own_value>"
          hello_holddown: "26"
          http_proxy_threshold: "<your_own_value>"
          imap_proxy_threshold: "<your_own_value>"
          inter_cluster_session_sync: "enable"
          key: "<your_own_value>"
          l2ep_eth_type: "<your_own_value>"
          link_failed_signal: "enable"
          load_balance_all: "enable"
          memory_compatible_mode: "enable"
          memory_threshold: "<your_own_value>"
          mode: "standalone"
          monitor: "<your_own_value> (source system.interface.name)"
          multicast_ttl: "38"
          nntp_proxy_threshold: "<your_own_value>"
          override: "enable"
          override_wait_time: "41"
          password: "<your_own_value>"
          pingserver_failover_threshold: "43"
          pingserver_flip_timeout: "44"
          pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
          pingserver_slave_force_reset: "enable"
          pop3_proxy_threshold: "<your_own_value>"
          priority: "48"
          route_hold: "49"
          route_ttl: "50"
          route_wait: "51"
          schedule: "none"
          secondary_vcluster:
            monitor: "<your_own_value> (source system.interface.name)"
            override: "enable"
            override_wait_time: "56"
            pingserver_failover_threshold: "57"
            pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
            pingserver_slave_force_reset: "enable"
            priority: "60"
            vcluster_id: "61"
            vdom: "<your_own_value>"
          session_pickup: "enable"
          session_pickup_connectionless: "enable"
          session_pickup_delay: "enable"
          session_pickup_expectation: "enable"
          session_pickup_nat: "enable"
          session_sync_dev: "<your_own_value> (source system.interface.name)"
          smtp_proxy_threshold: "<your_own_value>"
          standalone_config_sync: "enable"
          standalone_mgmt_vdom: "enable"
          sync_config: "enable"
          sync_packet_balance: "enable"
          unicast_hb: "enable"
          unicast_hb_netmask: "<your_own_value>"
          unicast_hb_peerip: "<your_own_value>"
          uninterruptible_upgrade: "enable"
          vcluster_id: "78"
          vcluster2: "enable"
          vdom: "<your_own_value>"
          weight: "<your_own_value>"
```
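The following is an added example, not part of the Ansible documentation or the module's code: a Python check over the resolved arguments of one `fortios_system_ha` task. It flags weak transport settings, an empty password, heartbeat authentication or encryption that the task does not enable, and integers outside the ranges listed in the parameter table. The function names, the finding texts, and the treatment of an omitted `https` or `ssl_verify` as enabled are assumptions.

```python
# Added example, not Ansible code; names and finding texts are assumptions.
FALSY = {"false", "no", "off", "0", "n", "f"}
# Integer ranges for system_ha options, copied from the parameter table.
RANGES = {
    "arps": (1, 60), "arps_interval": (1, 20), "group_id": (0, 255),
    "hb_interval": (1, 20), "hb_lost_threshold": (1, 60),
    "hello_holddown": (5, 300), "priority": (0, 255),
}


def is_off(value):
    """Ansible-style boolean test. Assumption: an omitted option is enabled."""
    return value is not None and str(value).strip().lower() in FALSY


def audit(args):
    """Return findings, in check order, for one task's resolved arguments."""
    findings = []
    if is_off(args.get("https")):
        findings.append("https off: login and HA settings sent over plain HTTP")
    if is_off(args.get("ssl_verify")):
        findings.append("ssl_verify off: FortiGate certificate not checked")
    if not str(args.get("password") or "").strip():
        findings.append("password empty")
    ha = args.get("system_ha") or {}
    for key in ("authentication", "encryption"):
        if ha.get(key) != "enable":
            findings.append(f"system_ha.{key} not set to enable")
    for key, (low, high) in RANGES.items():
        if key not in ha:
            continue
        try:
            ok = low <= int(ha[key]) <= high
        except (TypeError, ValueError):
            ok = False
        if not ok:
            findings.append(f"system_ha.{key}={ha[key]!r} outside {low}-{high}")
    return findings


# Constructed input: a subset of the values in the example playbook above.
PAGE_EXAMPLE = {
    "host": "192.168.122.40", "username": "admin", "password": "",
    "vdom": "root", "https": "False",
    "system_ha": {"arps": "3", "authentication": "enable", "encryption": "enable",
                  "group_id": "10", "hb_interval": "22", "hb_lost_threshold": "23"},
}

if __name__ == "__main__":
    print("\n".join(audit(PAGE_EXAMPLE)))
```

Run against the example playbook's values, it reports the disabled HTTPS, the empty password, and `hb_interval: "22"`, which exceeds the documented 1 - 20 range.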
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
build string | always | Build number of the FortiGate image. Sample: 1547 |
http_method string | always | Last method used to provision the content into FortiGate. Sample: PUT |
http_status string | always | Last result given by FortiGate on last operation applied. Sample: 200 |
mkey string | success | Master key (id) used in the last call to FortiGate. Sample: id |
name string | always | Name of the table used to fulfill the request. Sample: urlfilter |
path string | always | Path of the table used to fulfill the request. Sample: webfilter |
revision string | always | Internal revision number. Sample: 17.0.2.10658 |
serial string | always | Serial number of the unit. Sample: FGVMEVYYQT3AB5352 |
status string | always | Indication of the operation's result. Sample: success |
vdom string | always | Virtual domain used. Sample: root |
version string | always | Version of the FortiGate. Sample: v5.6.3 |
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_system_ha_module.html