In the previous post, I demonstrated how to get the fortigate configuration using Ansible with fortios module. In this post, I will show you how to get the backup config using Ansible with RestAPI via uri module.
Here’s pros and cons compared to fortios module:
pros
- Not dependent on external module, which may be outdated/not maintained
- Access right is more developer friendly — it’s based on API token, which can be expired/regenerate on demand.
cons
- Not fully integrated with Ansible — you need to have a knowledge on FortiOS RestAPI to call them
Differences compared to fortios module generated backup, which might be or might not be important in your use case.
- uuid, snmp-index are not redacted in the config
- double quotation is not redacted in the config
1. Create API user and generate API key on Fortigate
Please refer my previous post “Fortigate RestAPI config backup – FortiOS” and generate API key.
2. Configure Ansible inventory and playbook
In your Ansible environment, configure inventory file. In my case, I just use default file in /etc/ansible/hosts for demonstration purpose. API_token is specific to each device, so it is registered as an individual variable.
|
1 2 3 4 5 |
$ cat hosts [fortigate] x.x.x.x access_token=w4q9qtfbGry3Nbc40kHjsk9mxG**** y.y.y.y access_token=tfy8c9b8Nxw6N3Q5Q5bg9z69dn**** |
In playbook, I use uri module to retrieve the config, and use copy to write the content into the local file. In my example below, I backup all the configuration, but you can change scope(vdom) or any other parameter to suite your needs. I’m gathering facts simply because I need to use ansible_date_time variable, you can disable fact gathering and save a few seconds per run if you don’t need these variable appended in your config.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
$ cat fortigate_backup.yml - name: fortigate config backup connection: local hosts: fortigate tasks: - name: get current config uri: url: 'https://{{ ansible_host }}/api/v2/monitor/system/config/backup/?scope=global&access_token={{ access_token }}' return_content: yes validate_certs: no register: current_config - name: write config to local file local_action: copy content={{ current_config.content }} dest=./{{ inventory_hostname }}_{{ ansible_date_time.date }}.txt |
3. Test
Once it’s configured, you can just run the playbook.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
$ ansible-playbook fortigate_backup.yml PLAY [fortigate config backup] ******************************************************************************************************************************************************* TASK [Gathering Facts] *************************************************************************************************************************************************************** ok: [x.x.x.x] ok: [y.y.y.y] TASK [get current config] ************************************************************************************************************************************************************ ok: [x.x.x.x] ok: [y.y.y.y] TASK [write config to local file] **************************************************************************************************************************************************** changed: [x.x.x.x -> localhost] changed: [y.y.y.y -> localhost] PLAY RECAP *************************************************************************************************************************************************************************** x.x.x.x : ok=3 changed=1 unreachable=0 failed=0 y.y.y.y : ok=3 changed=1 unreachable=0 failed=0 |
Now you should have backup file where you specified in the playbook. In my case, I got two backup config in the same directory as the playbook. And of course it correctly parses the Non-Ascii characters.
