W3cubDocs

/Ansible 2.9

fortios_system_virtual_wan_link – Configure redundant internet connections using SD-WAN (formerly virtual WAN link) in Fortinet’s FortiOS and FortiGate

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and virtual_wan_link category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
string
FortiOS or FortiGate IP address.
https
boolean
    Choices:
  • no
  • yes
Indicates if the requests towards FortiGate must use HTTPS protocol.
password
string
Default:
""
FortiOS or FortiGate password.
ssl_verify
boolean
added in 2.9
    Choices:
  • no
  • yes
Ensures FortiGate certificate must be verified by a proper CA.
system_virtual_wan_link
dictionary
Default:
null
Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
fail_alert_interfaces
list
Physical interfaces that will be alerted.
name
string / required
Physical interface name. Source system.interface.name.
fail_detect
string
    Choices:
  • enable
  • disable
Enable/disable SD-WAN Internet connection status checking (failure detection).
health_check
list
SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
addr_mode
string
    Choices:
  • ipv4
  • ipv6
Address mode (IPv4 or IPv6).
failtime
integer
Number of failures before server is considered lost (1 - 3600).
http_agent
string
String in the http-agent field in the HTTP header.
http_get
string
URL used to communicate with the server if the protocol if the protocol is HTTP.
http_match
string
Response string expected from the server if the protocol is HTTP.
interval
integer
Status check interval, or the time between attempting to connect to the server (1 - 3600 sec).
members
list
Member sequence number list.
seq_num
integer
Member sequence number. Source system.virtual-wan-link.members.seq-num.
name
string / required
Status check or health check name.
packet_size
integer
Packet size of a twamp test session,
password
string
Twamp controller password in authentication mode
port
integer
Port number used to communicate with the server over the selected protocol.
protocol
string
    Choices:
  • ping
  • tcp-echo
  • udp-echo
  • http
  • twamp
  • ping6
Protocol used to determine if the FortiGate can communicate with the server.
recoverytime
integer
Number of successful responses received before server is considered recovered (1 - 3600).
security_mode
string
    Choices:
  • none
  • authentication
Twamp controller security mode.
server
string
IP address or FQDN name of the server.
sla
list
Service level agreement (SLA).
id
integer / required
SLA ID.
jitter_threshold
integer
Jitter for SLA to make decision in milliseconds. (0 - 10000000).
latency_threshold
integer
Latency for SLA to make decision in milliseconds. (0 - 10000000).
link_cost_factor
string
    Choices:
  • latency
  • jitter
  • packet-loss
Criteria on which to base link selection.
packetloss_threshold
integer
Packet loss for SLA to make decision in percentage. (0 - 100).
threshold_alert_jitter
integer
Alert threshold for jitter (ms).
threshold_alert_latency
integer
Alert threshold for latency (ms).
threshold_alert_packetloss
integer
Alert threshold for packet loss (percentage).
threshold_warning_jitter
integer
Warning threshold for jitter (ms).
threshold_warning_latency
integer
Warning threshold for latency (ms).
threshold_warning_packetloss
integer
Warning threshold for packet loss (percentage).
update_cascade_interface
string
    Choices:
  • enable
  • disable
Enable/disable update cascade interface.
update_static_route
string
    Choices:
  • enable
  • disable
Enable/disable updating the static route.
load_balance_mode
string
    Choices:
  • source-ip-based
  • weight-based
  • usage-based
  • source-dest-ip-based
  • measured-volume-based
Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
members
list
Physical FortiGate interfaces added to the virtual-wan-link.
comment
string
Comments.
gateway
string
The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.
gateway6
string
IPv6 gateway.
ingress_spillover_threshold
integer
Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
interface
string
Interface name. Source system.interface.name.
priority
integer
Priority of the interface (0 - 4294967295). Used for SD-WAN rules or priority rules.
seq_num
integer
Sequence number(1-255).
source
string
Source IP address used in the health-check packet to the server.
source6
string
Source IPv6 address used in the health-check packet to the server.
spillover_threshold
integer
Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
status
string
    Choices:
  • disable
  • enable
Enable/disable this interface in the SD-WAN.
volume_ratio
integer
Measured volume ratio (this value / sum of all values = percentage of link volume, 0 - 255).
weight
integer
Weight of this interface for weighted load balancing. (0 - 255) More traffic is directed to interfaces with higher weights.
service
list
Create SD-WAN rules or priority rules (also called services) to control how sessions are distributed to physical interfaces in the SD-WAN.
addr_mode
string
    Choices:
  • ipv4
  • ipv6
Address mode (IPv4 or IPv6).
bandwidth_weight
integer
Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1.
default
string
    Choices:
  • enable
  • disable
Enable/disable use of SD-WAN as default service.
dscp_forward
string
    Choices:
  • enable
  • disable
Enable/disable forward traffic DSCP tag.
dscp_forward_tag
string
Forward traffic DSCP tag.
dscp_reverse
string
    Choices:
  • enable
  • disable
Enable/disable reverse traffic DSCP tag.
dscp_reverse_tag
string
Reverse traffic DSCP tag.
dst
list
Destination address name.
name
string / required
Address or address group name. Source firewall.address.name firewall.addrgrp.name.
dst6
list
Destination address6 name.
name
string / required
Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
dst_negate
string
    Choices:
  • enable
  • disable
Enable/disable negation of destination address match.
end_port
integer
End destination port number.
gateway
string
    Choices:
  • enable
  • disable
Enable/disable SD-WAN service gateway.
groups
list
User groups.
name
string / required
Group name. Source user.group.name.
health_check
string
Health check. Source system.virtual-wan-link.health-check.name.
hold_down_time
integer
Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000).
id
integer / required
Priority rule ID (1 - 4000).
input_device
list
Source interface name.
name
string / required
Interface name. Source system.interface.name.
internet_service
string
    Choices:
  • enable
  • disable
Enable/disable use of Internet service for application-based load balancing.
internet_service_ctrl
list
Control-based Internet Service ID list.
id
integer / required
Control-based Internet Service ID.
internet_service_ctrl_group
list
Control-based Internet Service group list.
name
string / required
Control-based Internet Service group name. Source application.group.name.
internet_service_custom
list
Custom Internet service name list.
name
string / required
Custom Internet service name. Source firewall.internet-service-custom.name.
internet_service_custom_group
list
Custom Internet Service group list.
name
string / required
Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
internet_service_group
list
Internet Service group list.
name
string / required
Internet Service group name. Source firewall.internet-service-group.name.
internet_service_id
list
Internet service ID list.
id
integer / required
Internet service ID. Source firewall.internet-service.id.
jitter_weight
integer
Coefficient of jitter in the formula of custom-profile-1.
latency_weight
integer
Coefficient of latency in the formula of custom-profile-1.
link_cost_factor
string
    Choices:
  • latency
  • jitter
  • packet-loss
  • inbandwidth
  • outbandwidth
  • bibandwidth
  • custom-profile-1
Link cost factor.
link_cost_threshold
integer
Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000).
member
integer
Member sequence number.
mode
string
    Choices:
  • auto
  • manual
  • priority
  • sla
Control how the priority rule sets the priority of interfaces in the SD-WAN.
name
string
Priority rule name.
packet_loss_weight
integer
Coefficient of packet-loss in the formula of custom-profile-1.
priority_members
list
Member sequence number list.
seq_num
integer
Member sequence number. Source system.virtual-wan-link.members.seq-num.
protocol
integer
Protocol number.
quality_link
integer
Quality grade.
route_tag
integer
IPv4 route map route-tag.
sla
list
Service level agreement (SLA).
health_check
string
Virtual WAN Link health-check. Source system.virtual-wan-link.health-check.name.
id
integer
SLA ID.
src
list
Source address name.
name
string / required
Address or address group name. Source firewall.address.name firewall.addrgrp.name.
src6
list
Source address6 name.
name
string / required
Address6 or address6 group name. Source firewall.address6.name firewall.addrgrp6.name.
src_negate
string
    Choices:
  • enable
  • disable
Enable/disable negation of source address match.
start_port
integer
Start destination port number.
status
string
    Choices:
  • enable
  • disable
Enable/disable SD-WAN service.
tos
string
Type of service bit pattern.
tos_mask
string
Type of service evaluated bits.
users
list
User name.
name
string / required
User name. Source user.local.name.
status
string
    Choices:
  • disable
  • enable
Enable/disable SD-WAN.
username
string
FortiOS or FortiGate username.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
    fortios_system_virtual_wan_link:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      system_virtual_wan_link:
        fail_alert_interfaces:
         -
            name: "default_name_4 (source system.interface.name)"
        fail_detect: "enable"
        health_check:
         -
            addr_mode: "ipv4"
            failtime: "8"
            http_agent: "<your_own_value>"
            http_get: "<your_own_value>"
            http_match: "<your_own_value>"
            interval: "12"
            members:
             -
                seq_num: "14 (source system.virtual-wan-link.members.seq-num)"
            name: "default_name_15"
            packet_size: "16"
            password: "<your_own_value>"
            port: "18"
            protocol: "ping"
            recoverytime: "20"
            security_mode: "none"
            server: "192.168.100.40"
            sla:
             -
                id:  "24"
                jitter_threshold: "25"
                latency_threshold: "26"
                link_cost_factor: "latency"
                packetloss_threshold: "28"
            threshold_alert_jitter: "29"
            threshold_alert_latency: "30"
            threshold_alert_packetloss: "31"
            threshold_warning_jitter: "32"
            threshold_warning_latency: "33"
            threshold_warning_packetloss: "34"
            update_cascade_interface: "enable"
            update_static_route: "enable"
        load_balance_mode: "source-ip-based"
        members:
         -
            comment: "Comments."
            gateway: "<your_own_value>"
            gateway6: "<your_own_value>"
            ingress_spillover_threshold: "42"
            interface: "<your_own_value> (source system.interface.name)"
            priority: "44"
            seq_num: "45"
            source: "<your_own_value>"
            source6: "<your_own_value>"
            spillover_threshold: "48"
            status: "disable"
            volume_ratio: "50"
            weight: "51"
        service:
         -
            addr_mode: "ipv4"
            bandwidth_weight: "54"
            default: "enable"
            dscp_forward: "enable"
            dscp_forward_tag: "<your_own_value>"
            dscp_reverse: "enable"
            dscp_reverse_tag: "<your_own_value>"
            dst:
             -
                name: "default_name_61 (source firewall.address.name firewall.addrgrp.name)"
            dst_negate: "enable"
            dst6:
             -
                name: "default_name_64 (source firewall.address6.name firewall.addrgrp6.name)"
            end_port: "65"
            gateway: "enable"
            groups:
             -
                name: "default_name_68 (source user.group.name)"
            health_check: "<your_own_value> (source system.virtual-wan-link.health-check.name)"
            hold_down_time: "70"
            id:  "71"
            input_device:
             -
                name: "default_name_73 (source system.interface.name)"
            internet_service: "enable"
            internet_service_ctrl:
             -
                id:  "76"
            internet_service_ctrl_group:
             -
                name: "default_name_78 (source application.group.name)"
            internet_service_custom:
             -
                name: "default_name_80 (source firewall.internet-service-custom.name)"
            internet_service_custom_group:
             -
                name: "default_name_82 (source firewall.internet-service-custom-group.name)"
            internet_service_group:
             -
                name: "default_name_84 (source firewall.internet-service-group.name)"
            internet_service_id:
             -
                id:  "86 (source firewall.internet-service.id)"
            jitter_weight: "87"
            latency_weight: "88"
            link_cost_factor: "latency"
            link_cost_threshold: "90"
            member: "91"
            mode: "auto"
            name: "default_name_93"
            packet_loss_weight: "94"
            priority_members:
             -
                seq_num: "96 (source system.virtual-wan-link.members.seq-num)"
            protocol: "97"
            quality_link: "98"
            route_tag: "99"
            sla:
             -
                health_check: "<your_own_value> (source system.virtual-wan-link.health-check.name)"
                id:  "102"
            src:
             -
                name: "default_name_104 (source firewall.address.name firewall.addrgrp.name)"
            src_negate: "enable"
            src6:
             -
                name: "default_name_107 (source firewall.address6.name firewall.addrgrp6.name)"
            start_port: "108"
            status: "enable"
            tos: "<your_own_value>"
            tos_mask: "<your_own_value>"
            users:
             -
                name: "default_name_113 (source user.local.name)"
        status: "disable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_system_virtual_wan_link_module.html