fortinet.fortios.fortios_system_ha – Configure HA in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_system_ha.

New in version 2.10: of fortinet.fortios

Synopsis

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and ha category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

ansible>=2.9.0

Parameters

Parameter			Choices/Defaults	Comments
access_token string				Token-based authentication. Generated from GUI of Fortigate.
enable_log boolean			Choices: no ← yes	Enable/Disable logging for task.
system_ha dictionary				Configure HA.
	arps integer			Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce failover time.
	arps_interval integer			Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher to reduce traffic.
	authentication string		Choices: enable disable	Enable/disable heartbeat message authentication.
	cpu_threshold string			Dynamic weighted load balancing CPU usage weight and high and low thresholds.
	encryption string		Choices: enable disable	Enable/disable heartbeat message encryption.
	failover_hold_time integer			Time to wait before failover (0 - 300 sec), to avoid flip.
	ftp_proxy_threshold string			Dynamic weighted load balancing weight and high and low number of FTP proxy sessions.
	gratuitous_arps string		Choices: enable disable	Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled.
	group_id integer			Cluster group ID (0 - 255). Must be the same for all members.
	group_name string			Cluster group name. Must be the same for all members.
	ha_direct string		Choices: enable disable	Enable/disable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, and FortiSandbox.
	ha_eth_type string			HA heartbeat packet Ethertype (4-digit hex).
	ha_mgmt_interfaces list / elements=string			Reserve interfaces to manage individual cluster units.
		dst string		Default route destination for reserved HA management interface.
		gateway string		Default route gateway for reserved HA management interface.
		gateway6 string		Default IPv6 gateway for reserved HA management interface.
		id integer / required		Table ID.
		interface string		Interface to reserve for HA management. Source system.interface.name.
	ha_mgmt_status string		Choices: enable disable	Enable to reserve interfaces to manage individual cluster units.
	ha_uptime_diff_margin integer			Normally you would only reduce this value for failover testing.
	hb_interval integer			Time between sending heartbeat packets (1 - 20 (100*ms)). Increase to reduce false positives.
	hb_interval_in_milliseconds string		Choices: 100ms 10ms	Number of milliseconds for each heartbeat interval: 100ms or 10ms.
	hb_lost_threshold integer			Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false positives.
	hbdev string			Heartbeat interfaces. Must be the same for all members.
	hc_eth_type string			Transparent mode HA heartbeat packet Ethertype (4-digit hex).
	hello_holddown integer			Time to wait before changing from hello to work state (5 - 300 sec).
	http_proxy_threshold string			Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions.
	imap_proxy_threshold string			Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions.
	inter_cluster_session_sync string		Choices: enable disable	Enable/disable synchronization of sessions among HA clusters.
	key string			key
	l2ep_eth_type string			Telnet session HA heartbeat packet Ethertype (4-digit hex).
	link_failed_signal string		Choices: enable disable	Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network.
	load_balance_all string		Choices: enable disable	Enable to load balance TCP sessions. Disable to load balance proxy sessions only.
	logical_sn string		Choices: enable disable	Enable/disable usage of the logical serial number.
	memory_based_failover string		Choices: enable disable	Enable/disable memory based failover.
	memory_compatible_mode string		Choices: enable disable	Enable/disable memory compatible mode.
	memory_failover_flip_timeout integer			Time to wait between subsequent memory based failovers in minutes (6 - 2147483647).
	memory_failover_monitor_period integer			Duration of high memory usage before memory based failover is triggered in seconds (1 - 300).
	memory_failover_sample_rate integer			Rate at which memory usage is sampled in order to measure memory usage in seconds (1 - 60).
	memory_failover_threshold integer			Memory usage threshold to trigger memory based failover (0 means using conserve mode threshold).
	memory_threshold string			Dynamic weighted load balancing memory usage weight and high and low thresholds.
	mode string		Choices: standalone a-a a-p	HA mode. Must be the same for all members. FGSP requires standalone.
	monitor string			Interfaces to check for port monitoring (or link failure). Source system.interface.name.
	multicast_ttl integer			HA multicast TTL on master (5 - 3600 sec).
	nntp_proxy_threshold string			Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions.
	override string		Choices: enable disable	Enable and increase the priority of the unit that should always be primary (master).
	override_wait_time integer			Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates.
	password string			Cluster password. Must be the same for all members.
	pingserver_failover_threshold integer			Remote IP monitoring failover threshold (0 - 50).
	pingserver_flip_timeout integer			Time to wait in minutes before renegotiating after a remote IP monitoring failover.
	pingserver_monitor_interface string			Interfaces to check for remote IP monitoring. Source system.interface.name.
	pingserver_secondary_force_reset string		Choices: enable disable	Enable to force the cluster to negotiate after a remote IP monitoring failover.
	pingserver_slave_force_reset string		Choices: enable disable	Enable to force the cluster to negotiate after a remote IP monitoring failover.
	pop3_proxy_threshold string			Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions.
	priority integer			Increase the priority to select the primary unit (0 - 255).
	route_hold integer			Time to wait between routing table updates to the cluster (0 - 3600 sec).
	route_ttl integer			TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes during failover.
	route_wait integer			Time to wait before sending new routes to the cluster (0 - 3600 sec).
	schedule string		Choices: none hub leastconnection round-robin weight-round-robin random ip ipport	Type of A-A load balancing. Use none if you have external load balancers.
	secondary_vcluster dictionary			Configure virtual cluster 2.
		monitor string		Interfaces to check for port monitoring (or link failure). Source system.interface.name.
		override string	Choices: enable disable	Enable and increase the priority of the unit that should always be primary (master).
		override_wait_time integer		Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates.
		pingserver_failover_threshold integer		Remote IP monitoring failover threshold (0 - 50).
		pingserver_monitor_interface string		Interfaces to check for remote IP monitoring. Source system.interface.name.
		pingserver_secondary_force_reset string	Choices: enable disable	Enable to force the cluster to negotiate after a remote IP monitoring failover.
		pingserver_slave_force_reset string	Choices: enable disable	Enable to force the cluster to negotiate after a remote IP monitoring failover.
		priority integer		Increase the priority to select the primary unit (0 - 255).
		vcluster_id integer		Cluster ID.
		vdom string		VDOMs in virtual cluster 2.
	session_pickup string		Choices: enable disable	Enable/disable session pickup. Enabling it can reduce session down time when fail over happens.
	session_pickup_connectionless string		Choices: enable disable	Enable/disable UDP and ICMP session sync for FGSP.
	session_pickup_delay string		Choices: enable disable	Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced.
	session_pickup_expectation string		Choices: enable disable	Enable/disable session helper expectation session sync for FGSP.
	session_pickup_nat string		Choices: enable disable	Enable/disable NAT session sync for FGSP.
	session_sync_dev string			Offload session sync to one or more interfaces to distribute traffic and prevent delays if needed. Source system.interface.name.
	smtp_proxy_threshold string			Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions.
	ssd_failover string		Choices: enable disable	Enable/disable automatic HA failover on SSD disk failure.
	standalone_config_sync string		Choices: enable disable	Enable/disable FGSP configuration synchronization.
	standalone_mgmt_vdom string		Choices: enable disable	Enable/disable standalone management VDOM.
	sync_config string		Choices: enable disable	Enable/disable configuration synchronization.
	sync_packet_balance string		Choices: enable disable	Enable/disable HA packet distribution to multiple CPUs.
	unicast_gateway string			Default route gateway for unicast interface.
	unicast_hb string		Choices: enable disable	Enable/disable unicast heartbeat.
	unicast_hb_netmask string			Unicast heartbeat netmask.
	unicast_hb_peerip string			Unicast heartbeat peer IP.
	unicast_peers list / elements=string			Number of unicast peers.
		id integer / required		Table ID.
		peer_ip string		Unicast peer IP.
	unicast_status string		Choices: enable disable	Enable/disable unicast connection.
	uninterruptible_upgrade string		Choices: enable disable	Enable to upgrade a cluster without blocking network traffic.
	vcluster2 string		Choices: enable disable	Enable/disable virtual cluster 2 for virtual clustering.
	vcluster_id integer			Cluster ID.
	vdom string			VDOMs in virtual cluster 1.
	weight string			Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>.
vdom string			Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure HA.
    fortios_system_ha:
      vdom:  "{{ vdom }}"
      system_ha:
        arps: "3"
        arps_interval: "4"
        authentication: "enable"
        cpu_threshold: "<your_own_value>"
        encryption: "enable"
        failover_hold_time: "8"
        ftp_proxy_threshold: "<your_own_value>"
        gratuitous_arps: "enable"
        group_id: "11"
        group_name: "<your_own_value>"
        ha_direct: "enable"
        ha_eth_type: "<your_own_value>"
        ha_mgmt_interfaces:
         -
            dst: "<your_own_value>"
            gateway: "<your_own_value>"
            gateway6: "<your_own_value>"
            id:  "19"
            interface: "<your_own_value> (source system.interface.name)"
        ha_mgmt_status: "enable"
        ha_uptime_diff_margin: "22"
        hb_interval: "23"
        hb_interval_in_milliseconds: "100ms"
        hb_lost_threshold: "25"
        hbdev: "<your_own_value>"
        hc_eth_type: "<your_own_value>"
        hello_holddown: "28"
        http_proxy_threshold: "<your_own_value>"
        imap_proxy_threshold: "<your_own_value>"
        inter_cluster_session_sync: "enable"
        key: "<your_own_value>"
        l2ep_eth_type: "<your_own_value>"
        link_failed_signal: "enable"
        load_balance_all: "enable"
        logical_sn: "enable"
        memory_based_failover: "enable"
        memory_compatible_mode: "enable"
        memory_failover_flip_timeout: "39"
        memory_failover_monitor_period: "40"
        memory_failover_sample_rate: "41"
        memory_failover_threshold: "42"
        memory_threshold: "<your_own_value>"
        mode: "standalone"
        monitor: "<your_own_value> (source system.interface.name)"
        multicast_ttl: "46"
        nntp_proxy_threshold: "<your_own_value>"
        override: "enable"
        override_wait_time: "49"
        password: "<your_own_value>"
        pingserver_failover_threshold: "51"
        pingserver_flip_timeout: "52"
        pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
        pingserver_secondary_force_reset: "enable"
        pingserver_slave_force_reset: "enable"
        pop3_proxy_threshold: "<your_own_value>"
        priority: "57"
        route_hold: "58"
        route_ttl: "59"
        route_wait: "60"
        schedule: "none"
        secondary_vcluster:
            monitor: "<your_own_value> (source system.interface.name)"
            override: "enable"
            override_wait_time: "65"
            pingserver_failover_threshold: "66"
            pingserver_monitor_interface: "<your_own_value> (source system.interface.name)"
            pingserver_secondary_force_reset: "enable"
            pingserver_slave_force_reset: "enable"
            priority: "70"
            vcluster_id: "71"
            vdom: "<your_own_value>"
        session_pickup: "enable"
        session_pickup_connectionless: "enable"
        session_pickup_delay: "enable"
        session_pickup_expectation: "enable"
        session_pickup_nat: "enable"
        session_sync_dev: "<your_own_value> (source system.interface.name)"
        smtp_proxy_threshold: "<your_own_value>"
        ssd_failover: "enable"
        standalone_config_sync: "enable"
        standalone_mgmt_vdom: "enable"
        sync_config: "enable"
        sync_packet_balance: "enable"
        unicast_gateway: "<your_own_value>"
        unicast_hb: "enable"
        unicast_hb_netmask: "<your_own_value>"
        unicast_hb_peerip: "<your_own_value>"
        unicast_peers:
         -
            id:  "90"
            peer_ip: "<your_own_value>"
        unicast_status: "enable"
        uninterruptible_upgrade: "enable"
        vcluster_id: "94"
        vcluster2: "enable"
        vdom: "<your_own_value>"
        weight: "<your_own_value>"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Authors

Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_system_ha_module.html

Docs

Docs4dev

Title here