https://linzeyan.github.io/zh-tw/categories/fortios/Recent content in FortiOS on RickyHugo -- gohugo.iozh-twTue, 03 Nov 2020 17:59:24 +0800https://linzeyan.github.io/zh-tw/posts/2020/20201103-backup-fortios-config-with-ansible-with-restapi/Tue, 03 Nov 2020 17:59:24 +0800https://linzeyan.github.io/zh-tw/posts/2020/20201103-backup-fortios-config-with-ansible-with-restapi/<ul> <li><a href="http://shogokobayashi.com/2019/02/15/fortigate-restapi-config-backup-fortios-6-0-4/" target="_blank" rel="noopener">Fortigate RestAPI 設定備份 - FortiOS 6.0.4</a></li> <li><a href="http://shogokobayashi.com/2019/04/05/backup-fortios-config-with-ansible-with-restapi/" target="_blank" rel="noopener">使用 Ansible 透過 RestAPI 備份 FortiOS 設定</a></li> </ul> <h5 id="建立存取設定檔">建立存取設定檔</h5> <pre tabindex="0"><code>FGTAWS0004BE1ADE # config system accprofile FGTAWS0004BE1ADE (accprofile) # edit readOnly new entry &#39;readOnly&#39; added FGTAWS0004BE1ADE (readOnly) # set sysgrp read FGTAWS0004BE1ADE (readOnly) # end </code></pre><h5 id="在-fortigate-建立-api-使用者">在 Fortigate 建立 API 使用者</h5> <pre tabindex="0"><code>FGTAWS0004BE1ADE # config system api-user FGTAWS0004BE1ADE (api-user) # edit api-admin new entry &#39;api-admin&#39; added FGTAWS0004BE1ADE (api-admin) # set accprofile &#34;readOnly&#34; FGTAWS0004BE1ADE (api-admin) # set vdom root FGTAWS0004BE1ADE (api-admin) # config trusthost FGTAWS0004BE1ADE (trusthost) # edit 1 new entry &#39;1&#39; added FGTAWS0004BE1ADE (1) # set ipv4-trusthost &#39;ip_address_of_your_machine&#39; 255.255.255.255 FGTAWS0004BE1ADE (1) # end FGTAWS0004BE1ADE (api-admin) # end </code></pre><h5 id="產生-api-token">產生 API token</h5> <pre tabindex="0"><code>FGTAWS0004BE1ADE # execute api-user generate-key api-admin New API key: &#39;your_api_token&#39; NOTE: The bearer of this API key will be granted all access privileges assigned to the api-user api-admin. </code></pre><h5 id="測試">測試</h5> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e"># fortigate.py</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> requests </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> urllib3 <span style="color:#75715e"># disable security warning for SSL certificate</span> </span></span><span style="display:flex;"><span>urllib3<span style="color:#f92672">.</span>disable_warnings(urllib3<span style="color:#f92672">.</span>exceptions<span style="color:#f92672">.</span>InsecureRequestWarning) <span style="color:#75715e"># disable security warning for SSL certificate</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">config_download</span>(ipaddr, api_token, filename<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;backup.conf&#39;</span>): </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#39;&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> input: ipaddr(string) - target ip address of fortigate </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> input: api_token(string) - api_token for api user(accprofile should have sysgrp.mnt) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> input: filename(string) - file name of the config to be saved. default backup.conf </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> output: True if backup successfule. False if not successful. </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> Tested on: Fortigate OnDemand on AWS - FortiOS6.0.4 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#39;&#39;&#39;</span> </span></span><span style="display:flex;"><span> base_url <span style="color:#f92672">=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#39;https://</span><span style="color:#e6db74">{</span>ipaddr<span style="color:#e6db74">}</span><span style="color:#e6db74">/api/v2/&#39;</span> </span></span><span style="display:flex;"><span> headers <span style="color:#f92672">=</span> {<span style="color:#e6db74">&#39;Authorization&#39;</span>: <span style="color:#e6db74">f</span><span style="color:#e6db74">&#39;Bearer </span><span style="color:#e6db74">{</span>api_token<span style="color:#e6db74">}</span><span style="color:#e6db74">&#39;</span>} </span></span><span style="display:flex;"><span> params <span style="color:#f92672">=</span> {<span style="color:#e6db74">&#39;scope&#39;</span>: <span style="color:#e6db74">&#39;global&#39;</span>} </span></span><span style="display:flex;"><span> uri <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;monitor/system/config/backup/&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> rep <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>get(base_url <span style="color:#f92672">+</span> uri, headers<span style="color:#f92672">=</span>headers, params<span style="color:#f92672">=</span>params, verify<span style="color:#f92672">=</span><span style="color:#66d9ef">False</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> rep<span style="color:#f92672">.</span>status_code <span style="color:#f92672">!=</span> <span style="color:#ae81ff">200</span>: </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#39;Something went wrong. status_code: </span><span style="color:#e6db74">{</span>rep<span style="color:#f92672">.</span>status_code<span style="color:#e6db74">}</span><span style="color:#e6db74">&#39;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">False</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">with</span> open(filename, <span style="color:#e6db74">&#39;w&#39;</span>) <span style="color:#66d9ef">as</span> f: </span></span><span style="display:flex;"><span> f<span style="color:#f92672">.</span>write(rep<span style="color:#f92672">.</span>text) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">True</span> </span></span></code></pre></div><pre tabindex="0"><code>&gt;&gt;&gt; import fortigate &gt;&gt;&gt; &gt;&gt;&gt; ip_addr = &#39;Fortigate_IP_Address&#39; &gt;&gt;&gt; api_token = &#39;API_TOKEN&#39; &gt;&gt;&gt; &gt;&gt;&gt; if (fortigate.config_download(ip_addr, api_token, &#39;backup20190215.conf&#39;)): ... print(&#39;Done!&#39;) ... else: ... print(&#39;Error!!&#39;) ... Done! &gt;&gt;&gt; &gt;&gt;&gt; with open(&#39;backup20190215.conf&#39;, &#39;r&#39;) as f: ... f.readline() ... &#39;#config-version=FGTAWS-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=api-admin\n&#39; &gt;&gt;&gt; </code></pre><hr> <h5 id="設定-ansible-inventory-與-playbook">設定 Ansible inventory 與 playbook</h5> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ cat hosts </span></span><span style="display:flex;"><span><span style="color:#f92672">[</span>fortigate<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span>x.x.x.x access_token<span style="color:#f92672">=</span>w4q9qtfbGry3Nbc40kHjsk9mxG**** </span></span><span style="display:flex;"><span>y.y.y.y access_token<span style="color:#f92672">=</span>tfy8c9b8Nxw6N3Q5Q5bg9z69dn**** </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ae81ff">$ cat fortigate_backup.yml</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">fortigate config backup</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">connection</span>: <span style="color:#ae81ff">local</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">hosts</span>: <span style="color:#ae81ff">fortigate</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tasks</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">get current config</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uri</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">url</span>: <span style="color:#e6db74">&#39;https://{{ ansible_host }}/api/v2/monitor/system/config/backup/?scope=global&amp;access_token={{ access_token }}&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">return_content</span>: <span style="color:#66d9ef">yes</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validate_certs</span>: <span style="color:#66d9ef">no</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">register</span>: <span style="color:#ae81ff">current_config</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">write config to local file</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">local_action</span>: <span style="color:#ae81ff">copy content={{ current_config.content }} dest=./{{ inventory_hostname }}_{{ ansible_date_time.date }}.txt</span> </span></span></code></pre></div>