From 37e932c4eef3548cfa0f6dd8a5f86fc85e9ab00d Mon Sep 17 00:00:00 2001
From: ftntcorecse <43451990+ftntcorecse@users.noreply.github.com>
Date: Tue, 20 Nov 2018 22:44:47 -0700
Subject: [PATCH] Fortinet FortiManager IPv4 Policy Module (#47638)

* Needs unit test fix -- the "delete" calls a GET command and another function to get policy ID of a firewall policy before deleting it. Nested functions like this, where a GET occurs to determine a new call, breaks the unitTestGen output. Need to figure out what's going on, and adjust the generator.
* PR Candidate
* PR Candidate (fixes)
* Reverting
* Fixing Edits.
* Fixing Authors - Fixing Requested Changes
---
 .../network/fortimanager/fmgr_fwpol_ipv4.py | 1508 +++++++++++++++++
 .../fixtures/test_fmgr_fwpol_ipv4.json | 877 ++++++++++
 .../fortimanager/test_fmgr_fwpol_ipv4.py | 846 +++++++++
 3 files changed, 3231 insertions(+)
 create mode 100644 lib/ansible/modules/network/fortimanager/fmgr_fwpol_ipv4.py
 create mode 100644 test/units/modules/network/fortimanager/fixtures/test_fmgr_fwpol_ipv4.json
 create mode 100644 test/units/modules/network/fortimanager/test_fmgr_fwpol_ipv4.py

diff --git a/lib/ansible/modules/network/fortimanager/fmgr_fwpol_ipv4.py b/lib/ansible/modules/network/fortimanager/fmgr_fwpol_ipv4.py
new file mode 100644
index 00000000000..cdee82865a3
--- /dev/null
+++ b/lib/ansible/modules/network/fortimanager/fmgr_fwpol_ipv4.py
@@ -0,0 +1,1508 @@
+#!/usr/bin/python
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+#
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {'status': ['preview'],
+ 'supported_by': 'community',
+ 'metadata_version': '1.1'}
+
+DOCUMENTATION = '''
+---
+module: fmgr_fwpol_ipv4
+version_added: "2.8"
+author:
+ - Luke Weighall (@lweighall)
+ - Andrew Welsh (@Ghilli3)
+ - Jim Huber (@p4r4n0y1ng)
+short_description: Allows the add/delete of Firewall Policies on Packages in FortiManager.
+description:
+ - Allows the add/delete of Firewall Policies on Packages in FortiManager.
+
+options:
+ adom:
+ description:
+ - The ADOM the configuration should belong to.
+ required: false
+ default: root
+
+ host:
+ description:
+ - The FortiManager's address.
+ required: true
+
+ username:
+ description:
+ - The username associated with the account.
+ required: true
+
+ password:
+ description:
+ - The password associated with the username account.
+ required: true
+
+ mode:
+ description:
+ - Sets one of three modes for managing the object.
+ - Allows use of soft-adds instead of overwriting existing values
+ choices: ['add', 'set', 'delete', 'update']
+ required: false
+ default: add
+
+ package_name:
+ description:
+ - The policy package you want to modify
+ required: false
+ default: "default"
+
+ wsso:
+ description:
+ - Enable/disable WiFi Single Sign On (WSSO).
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ webfilter_profile:
+ description:
+ - Name of an existing Web filter profile.
+ required: false
+
+ webcache_https:
+ description:
+ - Enable/disable web cache for HTTPS.
+ - choice | disable | Disable web cache for HTTPS.
+ - choice | enable | Enable web cache for HTTPS.
+ required: false
+ choices: ["disable", "enable"]
+
+ webcache:
+ description:
+ - Enable/disable web cache.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ wccp:
+ description:
+ - Enable/disable forwarding traffic matching this policy to a configured WCCP server.
+ - choice | disable | Disable WCCP setting.
+ - choice | enable | Enable WCCP setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ wanopt_profile:
+ description:
+ - WAN optimization profile.
+ required: false
+
+ wanopt_peer:
+ description:
+ - WAN optimization peer.
+ required: false
+
+ wanopt_passive_opt:
+ description:
+ - WAN optimization passive mode options. This option decides what IP address will be used to connect server.
+ - choice | default | Allow client side WAN opt peer to decide.
+ - choice | transparent | Use address of client to connect to server.
+ - choice | non-transparent | Use local FortiGate address to connect to server.
+ required: false
+ choices: ["default", "transparent", "non-transparent"]
+
+ wanopt_detection:
+ description:
+ - WAN optimization auto-detection mode.
+ - choice | active | Active WAN optimization peer auto-detection.
+ - choice | passive | Passive WAN optimization peer auto-detection.
+ - choice | off | Turn off WAN optimization peer auto-detection.
+ required: false
+ choices: ["active", "passive", "off"]
+
+ wanopt:
+ description:
+ - Enable/disable WAN optimization.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ waf_profile:
+ description:
+ - Name of an existing Web application firewall profile.
+ required: false
+
+ vpntunnel:
+ description:
+ - Policy-based IPsec VPN | name of the IPsec VPN Phase 1.
+ required: false
+
+ voip_profile:
+ description:
+ - Name of an existing VoIP profile.
+ required: false
+
+ vlan_filter:
+ description:
+ - Set VLAN filters.
+ required: false
+
+ vlan_cos_rev:
+ description:
+ - VLAN reverse direction user priority | 255 passthrough, 0 lowest, 7 highest..
+ required: false
+
+ vlan_cos_fwd:
+ description:
+ - VLAN forward direction user priority | 255 passthrough, 0 lowest, 7 highest.
+ required: false
+
+ utm_status:
+ description:
+ - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ users:
+ description:
+ - Names of individual users that can authenticate with this policy.
+ required: false
+
+ url_category:
+ description:
+ - URL category ID list.
+ required: false
+
+ traffic_shaper_reverse:
+ description:
+ - Reverse traffic shaper.
+ required: false
+
+ traffic_shaper:
+ description:
+ - Traffic shaper.
+ required: false
+
+ timeout_send_rst:
+ description:
+ - Enable/disable sending RST packets when TCP sessions expire.
+ - choice | disable | Disable sending of RST packet upon TCP session expiration.
+ - choice | enable | Enable sending of RST packet upon TCP session expiration.
+ required: false
+ choices: ["disable", "enable"]
+
+ tcp_session_without_syn:
+ description:
+ - Enable/disable creation of TCP session without SYN flag.
+ - choice | all | Enable TCP session without SYN.
+ - choice | data-only | Enable TCP session data only.
+ - choice | disable | Disable TCP session without SYN.
+ required: false
+ choices: ["all", "data-only", "disable"]
+
+ tcp_mss_sender:
+ description:
+ - Sender TCP maximum segment size (MSS).
+ required: false
+
+ tcp_mss_receiver:
+ description:
+ - Receiver TCP maximum segment size (MSS).
+ required: false
+
+ status:
+ description:
+ - Enable or disable this policy.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ ssl_ssh_profile:
+ description:
+ - Name of an existing SSL SSH profile.
+ required: false
+
+ ssl_mirror_intf:
+ description:
+ - SSL mirror interface name.
+ required: false
+
+ ssl_mirror:
+ description:
+ - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
+ - choice | disable | Disable SSL mirror.
+ - choice | enable | Enable SSL mirror.
+ required: false
+ choices: ["disable", "enable"]
+
+ ssh_filter_profile:
+ description:
+ - Name of an existing SSH filter profile.
+ required: false
+
+ srcintf:
+ description:
+ - Incoming (ingress) interface.
+ required: false
+
+ srcaddr_negate:
+ description:
+ - When enabled srcaddr specifies what the source address must NOT be.
+ - choice | disable | Disable source address negate.
+ - choice | enable | Enable source address negate.
+ required: false
+ choices: ["disable", "enable"]
+
+ srcaddr:
+ description:
+ - Source address and address group names.
+ required: false
+
+ spamfilter_profile:
+ description:
+ - Name of an existing Spam filter profile.
+ required: false
+
+ session_ttl:
+ description:
+ - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
+ required: false
+
+ service_negate:
+ description:
+ - When enabled service specifies what the service must NOT be.
+ - choice | disable | Disable negated service match.
+ - choice | enable | Enable negated service match.
+ required: false
+ choices: ["disable", "enable"]
+
+ service:
+ description:
+ - Service and service group names.
+ required: false
+
+ send_deny_packet:
+ description:
+ - Enable to send a reply when a session is denied or blocked by a firewall policy.
+ - choice | disable | Disable deny-packet sending.
+ - choice | enable | Enable deny-packet sending.
+ required: false
+ choices: ["disable", "enable"]
+
+ schedule_timeout:
+ description:
+ - Enable to force current sessions to end when the schedule object times out.
+ - choice | disable | Disable schedule timeout.
+ - choice | enable | Enable schedule timeout.
+ required: false
+ choices: ["disable", "enable"]
+
+ schedule:
+ description:
+ - Schedule name.
+ required: false
+
+ scan_botnet_connections:
+ description:
+ - Block or monitor connections to Botnet servers or disable Botnet scanning.
+ - choice | disable | Do not scan connections to botnet servers.
+ - choice | block | Block connections to botnet servers.
+ - choice | monitor | Log connections to botnet servers.
+ required: false
+ choices: ["disable", "block", "monitor"]
+
+ rtp_nat:
+ description:
+ - Enable Real Time Protocol (RTP) NAT.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ rtp_addr:
+ description:
+ - Address names if this is an RTP NAT policy.
+ required: false
+
+ rsso:
+ description:
+ - Enable/disable RADIUS single sign-on (RSSO).
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ replacemsg_override_group:
+ description:
+ - Override the default replacement message group for this policy.
+ required: false
+
+ redirect_url:
+ description:
+ - URL users are directed to after seeing and accepting the disclaimer or authenticating.
+ required: false
+
+ radius_mac_auth_bypass:
+ description:
+ - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
+ - choice | disable | Disable MAC authentication bypass.
+ - choice | enable | Enable MAC authentication bypass.
+ required: false
+ choices: ["disable", "enable"]
+
+ profile_type:
+ description:
+ - Determine whether the firewall policy allows security profile groups or single profiles only.
+ - choice | single | Do not allow security profile groups.
+ - choice | group | Allow security profile groups.
+ required: false
+ choices: ["single", "group"]
+
+ profile_protocol_options:
+ description:
+ - Name of an existing Protocol options profile.
+ required: false
+
+ profile_group:
+ description:
+ - Name of profile group.
+ required: false
+
+ poolname:
+ description:
+ - IP Pool names.
+ required: false
+
+ policyid:
+ description:
+ - Policy ID.
+ required: false
+
+ permit_stun_host:
+ description:
+ - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ permit_any_host:
+ description:
+ - Accept UDP packets from any host.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ per_ip_shaper:
+ description:
+ - Per-IP traffic shaper.
+ required: false
+
+ outbound:
+ description:
+ - Policy-based IPsec VPN | only traffic from the internal network can initiate a VPN.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ ntlm_guest:
+ description:
+ - Enable/disable NTLM guest user access.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ ntlm_enabled_browsers:
+ description:
+ - HTTP-User-Agent value of supported browsers.
+ required: false
+
+ ntlm:
+ description:
+ - Enable/disable NTLM authentication.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ np_acceleration:
+ description:
+ - Enable/disable UTM Network Processor acceleration.
+ - choice | disable | Disable UTM Network Processor acceleration.
+ - choice | enable | Enable UTM Network Processor acceleration.
+ required: false
+ choices: ["disable", "enable"]
+
+ natoutbound:
+ description:
+ - Policy-based IPsec VPN | apply source NAT to outbound traffic.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ natip:
+ description:
+ - Policy-based IPsec VPN | source NAT IP address for outgoing traffic.
+ required: false
+
+ natinbound:
+ description:
+ - Policy-based IPsec VPN | apply destination NAT to inbound traffic.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ nat:
+ description:
+ - Enable/disable source NAT.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ name:
+ description:
+ - Policy name.
+ required: false
+
+ mms_profile:
+ description:
+ - Name of an existing MMS profile.
+ required: false
+
+ match_vip:
+ description:
+ - Enable to match packets that have had their destination addresses changed by a VIP.
+ - choice | disable | Do not match DNATed packet.
+ - choice | enable | Match DNATed packet.
+ required: false
+ choices: ["disable", "enable"]
+
+ logtraffic_start:
+ description:
+ - Record logs when a session starts and ends.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ logtraffic:
+ description:
+ - Enable or disable logging. Log all sessions or security profile sessions.
+ - choice | disable | Disable all logging for this policy.
+ - choice | all | Log all sessions accepted or denied by this policy.
+ - choice | utm | Log traffic that has a security profile applied to it.
+ required: false
+ choices: ["disable", "all", "utm"]
+
+ learning_mode:
+ description:
+ - Enable to allow everything, but log all of the meaningful data for security information gathering.
+ - choice | disable | Disable learning mode in firewall policy.
+ - choice | enable | Enable learning mode in firewall policy.
+ required: false
+ choices: ["disable", "enable"]
+
+ label:
+ description:
+ - Label for the policy that appears when the GUI is in Section View mode.
+ required: false
+
+ ips_sensor:
+ description:
+ - Name of an existing IPS sensor.
+ required: false
+
+ ippool:
+ description:
+ - Enable to use IP Pools for source NAT.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ internet_service_src_negate:
+ description:
+ - When enabled internet-service-src specifies what the service must NOT be.
+ - choice | disable | Disable negated Internet Service source match.
+ - choice | enable | Enable negated Internet Service source match.
+ required: false
+ choices: ["disable", "enable"]
+
+ internet_service_src_id:
+ description:
+ - Internet Service source ID.
+ required: false
+
+ internet_service_src_custom:
+ description:
+ - Custom Internet Service source name.
+ required: false
+
+ internet_service_src:
+ description:
+ - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
+ - choice | disable | Disable use of Internet Services source in policy.
+ - choice | enable | Enable use of Internet Services source in policy.
+ required: false
+ choices: ["disable", "enable"]
+
+ internet_service_negate:
+ description:
+ - When enabled internet-service specifies what the service must NOT be.
+ - choice | disable | Disable negated Internet Service match.
+ - choice | enable | Enable negated Internet Service match.
+ required: false
+ choices: ["disable", "enable"]
+
+ internet_service_id:
+ description:
+ - Internet Service ID.
+ required: false
+
+ internet_service_custom:
+ description:
+ - Custom Internet Service name.
+ required: false
+
+ internet_service:
+ description:
+ - Enable/disable use of Internet Services for this policy. If enabled, dstaddr and service are not used.
+ - choice | disable | Disable use of Internet Services in policy.
+ - choice | enable | Enable use of Internet Services in policy.
+ required: false
+ choices: ["disable", "enable"]
+
+ inbound:
+ description:
+ - Policy-based IPsec VPN | only traffic from the remote network can initiate a VPN.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ identity_based_route:
+ description:
+ - Name of identity-based routing rule.
+ required: false
+
+ icap_profile:
+ description:
+ - Name of an existing ICAP profile.
+ required: false
+
+ gtp_profile:
+ description:
+ - GTP profile.
+ required: false
+
+ groups:
+ description:
+ - Names of user groups that can authenticate with this policy.
+ required: false
+
+ global_label:
+ description:
+ - Label for the policy that appears when the GUI is in Global View mode.
+ required: false
+
+ fsso_agent_for_ntlm:
+ description:
+ - FSSO agent to use for NTLM authentication.
+ required: false
+
+ fsso:
+ description:
+ - Enable/disable Fortinet Single Sign-On.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ fixedport:
+ description:
+ - Enable to prevent source NAT from changing a session's source port.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ firewall_session_dirty:
+ description:
+ - How to handle sessions if the configuration of this firewall policy changes.
+ - choice | check-all | Flush all current sessions accepted by this policy.
+ - choice | check-new | Continue to allow sessions already accepted by this policy.
+ required: false
+ choices: ["check-all", "check-new"]
+
+ dstintf:
+ description:
+ - Outgoing (egress) interface.
+ required: false
+
+ dstaddr_negate:
+ description:
+ - When enabled dstaddr specifies what the destination address must NOT be.
+ - choice | disable | Disable destination address negate.
+ - choice | enable | Enable destination address negate.
+ required: false
+ choices: ["disable", "enable"]
+
+ dstaddr:
+ description:
+ - Destination address and address group names.
+ required: false
+
+ dsri:
+ description:
+ - Enable DSRI to ignore HTTP server responses.
+ - choice | disable | Disable DSRI.
+ - choice | enable | Enable DSRI.
+ required: false
+ choices: ["disable", "enable"]
+
+ dscp_value:
+ description:
+ - DSCP value.
+ required: false
+
+ dscp_negate:
+ description:
+ - Enable negated DSCP match.
+ - choice | disable | Disable DSCP negate.
+ - choice | enable | Enable DSCP negate.
+ required: false
+ choices: ["disable", "enable"]
+
+ dscp_match:
+ description:
+ - Enable DSCP check.
+ - choice | disable | Disable DSCP check.
+ - choice | enable | Enable DSCP check.
+ required: false
+ choices: ["disable", "enable"]
+
+ dnsfilter_profile:
+ description:
+ - Name of an existing DNS filter profile.
+ required: false
+
+ dlp_sensor:
+ description:
+ - Name of an existing DLP sensor.
+ required: false
+
+ disclaimer:
+ description:
+ - Enable/disable user authentication disclaimer.
+ - choice | disable | Disable user authentication disclaimer.
+ - choice | enable | Enable user authentication disclaimer.
+ required: false
+ choices: ["disable", "enable"]
+
+ diffservcode_rev:
+ description:
+ - Change packet's reverse (reply) DiffServ to this value.
+ required: false
+
+ diffservcode_forward:
+ description:
+ - Change packet's DiffServ to this value.
+ required: false
+
+ diffserv_reverse:
+ description:
+ - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ diffserv_forward:
+ description:
+ - Enable to change packet's DiffServ values to the specified diffservcode-forward value.
+ - choice | disable | Disable WAN optimization.
+ - choice | enable | Enable WAN optimization.
+ required: false
+ choices: ["disable", "enable"]
+
+ devices:
+ description:
+ - Names of devices or device groups that can be matched by the policy.
+ required: false
+
+ delay_tcp_npu_session:
+ description:
+ - Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
+ - choice | disable | Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
+ - choice | enable | Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
+ required: false
+ choices: ["disable", "enable"]
+
+ custom_log_fields:
+ description:
+ - Custom fields to append to log messages for this policy.
+ required: false
+
+ comments:
+ description:
+ - Comment.
+ required: false
+
+ capture_packet:
+ description:
+ - Enable/disable capture packets.
+ - choice | disable | Disable capture packets.
+ - choice | enable | Enable capture packets.
+ required: false
+ choices: ["disable", "enable"]
+
+ captive_portal_exempt:
+ description:
+ - Enable to exempt some users from the captive portal.
+ - choice | disable | Disable exemption of captive portal.
+ - choice | enable | Enable exemption of captive portal.
+ required: false
+ choices: ["disable", "enable"]
+
+ block_notification:
+ description:
+ - Enable/disable block notification.
+ - choice | disable | Disable setting.
+ - choice | enable | Enable setting.
+ required: false
+ choices: ["disable", "enable"]
+
+ av_profile:
+ description:
+ - Name of an existing Antivirus profile.
+ required: false
+
+ auto_asic_offload:
+ description:
+ - Enable/disable offloading security profile processing to CP processors.
+ - choice | disable | Disable ASIC offloading.
+ - choice | enable | Enable auto ASIC offloading.
+ required: false
+ choices: ["disable", "enable"]
+
+ auth_redirect_addr:
+ description:
+ - HTTP-to-HTTPS redirect address for firewall authentication.
+ required: false
+
+ auth_path:
+ description:
+ - Enable/disable authentication-based routing.
+ - choice | disable | Disable authentication-based routing.
+ - choice | enable | Enable authentication-based routing.
+ required: false
+ choices: ["disable", "enable"]
+
+ auth_cert:
+ description:
+ - HTTPS server certificate for policy authentication.
+ required: false
+
+ application_list:
+ description:
+ - Name of an existing Application list.
+ required: false
+
+ application:
+ description:
+ - Application ID list.
+ required: false
+
+ app_group:
+ description:
+ - Application group names.
+ required: false
+
+ app_category:
+ description:
+ - Application category ID list.
+ required: false
+
+ action:
+ description:
+ - Policy action (allow/deny/ipsec).
+ - choice | deny | Blocks sessions that match the firewall policy.
+ - choice | accept | Allows session that match the firewall policy.
+ - choice | ipsec | Firewall policy becomes a policy-based IPsec VPN policy.
+ required: false
+ choices: ["deny", "accept", "ipsec"]
+
+ vpn_dst_node:
+ description:
+ - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
+ - List of multiple child objects to be added. Expects a list of dictionaries.
+ - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
+ - If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.
+ - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
+ required: false
+
+ vpn_dst_node_host:
+ description:
+ - VPN Destination Node Host.
+ required: false
+
+ vpn_dst_node_seq:
+ description:
+ - VPN Destination Node Seq.
+ required: false
+
+ vpn_dst_node_subnet:
+ description:
+ - VPN Destination Node Seq.
+ required: false
+
+ vpn_src_node:
+ description:
+ - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
+ - List of multiple child objects to be added. Expects a list of dictionaries.
+ - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
+ - If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.
+ - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
+ required: false
+
+ vpn_src_node_host:
+ description:
+ - VPN Source Node Host.
+ required: false
+
+ vpn_src_node_seq:
+ description:
+ - VPN Source Node Seq.
+ required: false
+
+ vpn_src_node_subnet:
+ description:
+ - VPN Source Node.
+ required: false
+
+
+'''
+
+EXAMPLES = '''
+- name: ADD VERY BASIC IPV4 POLICY WITH NO NAT (WIDE OPEN)
+ fmgr_fwpol_ipv4:
+ host: "{{ inventory_hostname }}"
+ username: "{{ username }}"
+ password: "{{ password }}"
+ mode: "set"
+ adom: "ansible"
+ package_name: "default"
+ name: "Basic_IPv4_Policy"
+ comments: "Created by Ansible"
+ action: "accept"
+ dstaddr: "all"
+ srcaddr: "all"
+ dstintf: "any"
+ srcintf: "any"
+ logtraffic: "utm"
+ service: "ALL"
+ schedule: "always"
+
+- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES
+ fmgr_fwpol_ipv4:
+ host: "{{ inventory_hostname }}"
+ username: "{{ username }}"
+ password: "{{ password }}"
+ mode: "set"
+ adom: "ansible"
+ package_name: "default"
+ name: "Basic_IPv4_Policy_2"
+ comments: "Created by Ansible"
+ action: "accept"
+ dstaddr: "google-play"
+ srcaddr: "all"
+ dstintf: "any"
+ srcintf: "any"
+ logtraffic: "utm"
+ service: "HTTP, HTTPS"
+ schedule: "always"
+ nat: "enable"
+ users: "karen, kevin"
+
+- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES AND SEC PROFILES
+ fmgr_fwpol_ipv4:
+ host: "{{ inventory_hostname }}"
+ username: "{{ username }}"
+ password: "{{ password }}"
+ mode: "set"
+ adom: "ansible"
+ package_name: "default"
+ name: "Basic_IPv4_Policy_3"
+ comments: "Created by Ansible"
+ action: "accept"
+ dstaddr: "google-play, autoupdate.opera.com"
+ srcaddr: "corp_internal"
+ dstintf: "zone_wan1, zone_wan2"
+ srcintf: "zone_int1"
+ logtraffic: "utm"
+ service: "HTTP, HTTPS"
+ schedule: "always"
+ nat: "enable"
+ users: "karen, kevin"
+ av_profile: "sniffer-profile"
+ ips_sensor: "default"
+
+'''
+
+RETURN = """
+api_result:
+ description: full API response, includes status code and message
+ returned: always
+ type: string
+"""
+
+from ansible.module_utils.basic import AnsibleModule, env_fallback
+from ansible.module_utils.network.fortimanager.fortimanager import AnsibleFortiManager
+
+# check for pyFMG lib
+try:
+ from pyFMG.fortimgr import FortiManager
+
+ HAS_PYFMGR = True
+except ImportError:
+ HAS_PYFMGR = False
+
+###############
+# START METHODS
+###############
+
+
+def fmgr_firewall_policy_addsetdelete(fmg, paramgram):
+ """
+ fmgr_firewall_policy -- Add/Set/Deletes Firewall Policy Objects defined in the "paramgram"
+ """
+
+ mode = paramgram["mode"]
+ adom = paramgram["adom"]
+ # INIT A BASIC OBJECTS
+ response = (-100000, {"msg": "Illegal or malformed paramgram discovered. System Exception"})
+ url = ""
+ datagram = {}
+
+ # EVAL THE MODE PARAMETER FOR SET OR ADD
+ if mode in ['set', 'add', 'update']:
+ url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy'.format(adom=adom, pkg=paramgram["package_name"])
+ datagram = fmgr_del_none(fmgr_prepare_dict(paramgram))
+ del datagram["package_name"]
+ datagram = fmgr_split_comma_strings_into_lists(datagram)
+
+ # EVAL THE MODE PARAMETER FOR DELETE
+ elif mode == "delete":
+
+ # WE NEED TO GET THE POLICY ID FROM THE NAME OF THE POLICY
+ url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \ '/policy/{policyid}'.format(adom=paramgram["adom"],
+ pkg=paramgram["package_name"],
+ policyid=paramgram["policyid"])
+ datagram = {
+ "policyid": paramgram["policyid"]
+ }
+
+ # IF MODE = SET -- USE THE 'SET' API CALL MODE
+ if mode == "set":
+ response = fmg.set(url, datagram)
+ # IF MODE = UPDATE -- USER THE 'UPDATE' API CALL MODE
+ elif mode == "update":
+ response = fmg.update(url, datagram)
+ # IF MODE = ADD -- USE THE 'ADD' API CALL MODE
+ elif mode == "add":
+ response = fmg.add(url, datagram)
+ # IF MODE = DELETE -- USE THE DELETE URL AND API CALL MODE
+ elif mode == "delete":
+ response = fmg.delete(url, datagram)
+
+ return response
+
+
+# ADDITIONAL COMMON FUNCTIONS
+# FUNCTION/METHOD FOR LOGGING OUT AND ANALYZING ERROR CODES
+def fmgr_logout(fmg, module, msg="NULL", results=(), good_codes=(0,), logout_on_fail=True, logout_on_success=False):
+ """
+ THIS METHOD CONTROLS THE LOGOUT AND ERROR REPORTING AFTER AN METHOD OR FUNCTION RUNS
+ """
+
+ # VALIDATION ERROR (NO RESULTS, JUST AN EXIT)
+ if msg != "NULL" and len(results) == 0:
+ try:
+ fmg.logout()
+ except:
+ pass
+ module.fail_json(msg=msg)
+
+ # SUBMISSION ERROR
+ if len(results) > 0:
+ if msg == "NULL":
+ try:
+ msg = results[1]['status']['message']
+ except:
+ msg = "No status message returned from pyFMG. Possible that this was a GET with a tuple result."
+
+ if results[0] not in good_codes:
+ if logout_on_fail:
+ fmg.logout()
+ module.fail_json(msg=msg, **results[1])
+ else:
+ if logout_on_success:
+ fmg.logout()
+ module.exit_json(msg="API Called worked, but logout handler has been asked to logout on success",
+ **results[1])
+
+ return msg
+
+
+# FUNCTION/METHOD FOR CONVERTING CIDR TO A NETMASK
+# DID NOT USE IP ADDRESS MODULE TO KEEP INCLUDES TO A MINIMUM
+def fmgr_cidr_to_netmask(cidr):
+ cidr = int(cidr)
+ mask = (0xffffffff >> (32 - cidr)) << (32 - cidr)
+ return (str((0xff000000 & mask) >> 24) + '.' + + str((0x00ff0000 & mask) >> 16) + '.' + + str((0x0000ff00 & mask) >> 8) + '.' + + str((0x000000ff & mask)))
+
+
+# utility function: removing keys wih value of None, nothing in playbook for that key
+def fmgr_del_none(obj):
+ if isinstance(obj, dict):
+ return type(obj)((fmgr_del_none(k), fmgr_del_none(v))
+ for k, v in obj.items() if k is not None and (v is not None and not fmgr_is_empty_dict(v)))
+ else:
+ return obj
+
+
+# utility function: remove keys that are need for the logic but the FMG API won't accept them
+def fmgr_prepare_dict(obj):
+ list_of_elems = ["mode", "adom", "host", "username", "password"]
+ if isinstance(obj, dict):
+ obj = dict((key, fmgr_prepare_dict(value)) for (key, value) in obj.items() if key not in list_of_elems)
+ return obj
+
+
+def fmgr_is_empty_dict(obj):
+ return_val = False
+ if isinstance(obj, dict):
+ if len(obj) > 0:
+ for k, v in obj.items():
+ if isinstance(v, dict):
+ if len(v) == 0:
+ return_val = True
+ elif len(v) > 0:
+ for k1, v1 in v.items():
+ if v1 is None:
+ return_val = True
+ elif v1 is not None:
+ return_val = False
+ return return_val
+ elif v is None:
+ return_val = True
+ elif v is not None:
+ return_val = False
+ return return_val
+ elif len(obj) == 0:
+ return_val = True
+
+ return return_val
+
+
+def fmgr_split_comma_strings_into_lists(obj):
+ if isinstance(obj, dict):
+ if len(obj) > 0:
+ for k, v in obj.items():
+ if isinstance(v, str):
+ new_list = list()
+ if "," in v:
+ new_items = v.split(",")
+ for item in new_items:
+ new_list.append(item.strip())
+ obj[k] = new_list
+
+ return obj
+
+
+#############
+# END METHODS
+#############
+
+
+def main():
+ argument_spec = dict(
+ adom=dict(type="str", default="root"),
+ host=dict(required=True, type="str"),
+ password=dict(fallback=(env_fallback, ["ANSIBLE_NET_PASSWORD"]), no_log=True, required=True),
+ username=dict(fallback=(env_fallback, ["ANSIBLE_NET_USERNAME"]), no_log=True, required=True),
+ mode=dict(choices=["add", "set", "delete", "update"], type="str", default="add"),
+ package_name=dict(type="str", required=False, default="default"),
+
+ wsso=dict(required=False, type="str", choices=["disable", "enable"]),
+ webfilter_profile=dict(required=False, type="str"),
+ webcache_https=dict(required=False, type="str", choices=["disable", "enable"]),
+ webcache=dict(required=False, type="str", choices=["disable", "enable"]),
+ wccp=dict(required=False, type="str", choices=["disable", "enable"]),
+ wanopt_profile=dict(required=False, type="str"),
+ wanopt_peer=dict(required=False, type="str"),
+ wanopt_passive_opt=dict(required=False, type="str", choices=["default", "transparent", "non-transparent"]),
+ wanopt_detection=dict(required=False, type="str", choices=["active", "passive", "off"]),
+ wanopt=dict(required=False, type="str", choices=["disable", "enable"]),
+ waf_profile=dict(required=False, type="str"),
+ vpntunnel=dict(required=False, type="str"),
+ voip_profile=dict(required=False, type="str"),
+ vlan_filter=dict(required=False, type="str"),
+ vlan_cos_rev=dict(required=False, type="int"),
+ vlan_cos_fwd=dict(required=False, type="int"),
+ utm_status=dict(required=False, type="str", choices=["disable", "enable"]),
+ users=dict(required=False, type="str"),
+ url_category=dict(required=False, type="str"),
+ traffic_shaper_reverse=dict(required=False, type="str"),
+ traffic_shaper=dict(required=False, type="str"),
+ timeout_send_rst=dict(required=False, type="str", choices=["disable", "enable"]),
+ tcp_session_without_syn=dict(required=False, type="str", choices=["all", "data-only", "disable"]),
+ tcp_mss_sender=dict(required=False, type="int"),
+ tcp_mss_receiver=dict(required=False, type="int"),
+ status=dict(required=False, type="str", choices=["disable", "enable"]),
+ ssl_ssh_profile=dict(required=False, type="str"),
+ ssl_mirror_intf=dict(required=False, type="str"),
+ ssl_mirror=dict(required=False, type="str", choices=["disable", "enable"]),
+ ssh_filter_profile=dict(required=False, type="str"),
+ srcintf=dict(required=False, type="str"),
+ srcaddr_negate=dict(required=False, type="str", choices=["disable", "enable"]),
+ srcaddr=dict(required=False, type="str"),
+ spamfilter_profile=dict(required=False, type="str"),
+ session_ttl=dict(required=False, type="int"),
+ service_negate=dict(required=False, type="str", choices=["disable", "enable"]),
+ service=dict(required=False, type="str"),
+ send_deny_packet=dict(required=False, type="str", choices=["disable", "enable"]),
+ schedule_timeout=dict(required=False, type="str", choices=["disable", "enable"]),
+ schedule=dict(required=False, type="str"),
+ scan_botnet_connections=dict(required=False, type="str", choices=["disable", "block", "monitor"]),
+ rtp_nat=dict(required=False, type="str", choices=["disable", "enable"]),
+ rtp_addr=dict(required=False, type="str"),
+ rsso=dict(required=False, type="str", choices=["disable", "enable"]),
+ replacemsg_override_group=dict(required=False, type="str"),
+ redirect_url=dict(required=False, type="str"),
+ radius_mac_auth_bypass=dict(required=False, type="str",
choices=["disable", "enable"]), + profile_type=dict(required=False, type="str", choices=["single", "group"]), + profile_protocol_options=dict(required=False, type="str"), + profile_group=dict(required=False, type="str"), + poolname=dict(required=False, type="str"), + policyid=dict(required=False, type="str"), + permit_stun_host=dict(required=False, type="str", choices=["disable", "enable"]), + permit_any_host=dict(required=False, type="str", choices=["disable", "enable"]), + per_ip_shaper=dict(required=False, type="str"), + outbound=dict(required=False, type="str", choices=["disable", "enable"]), + ntlm_guest=dict(required=False, type="str", choices=["disable", "enable"]), + ntlm_enabled_browsers=dict(required=False, type="str"), + ntlm=dict(required=False, type="str", choices=["disable", "enable"]), + np_acceleration=dict(required=False, type="str", choices=["disable", "enable"]), + natoutbound=dict(required=False, type="str", choices=["disable", "enable"]), + natip=dict(required=False, type="str"), + natinbound=dict(required=False, type="str", choices=["disable", "enable"]), + nat=dict(required=False, type="str", choices=["disable", "enable"]), + name=dict(required=False, type="str"), + mms_profile=dict(required=False, type="str"), + match_vip=dict(required=False, type="str", choices=["disable", "enable"]), + logtraffic_start=dict(required=False, type="str", choices=["disable", "enable"]), + logtraffic=dict(required=False, type="str", choices=["disable", "all", "utm"]), + learning_mode=dict(required=False, type="str", choices=["disable", "enable"]), + label=dict(required=False, type="str"), + ips_sensor=dict(required=False, type="str"), + ippool=dict(required=False, type="str", choices=["disable", "enable"]), + internet_service_src_negate=dict(required=False, type="str", choices=["disable", "enable"]), + internet_service_src_id=dict(required=False, type="str"), + internet_service_src_custom=dict(required=False, type="str"), + 
internet_service_src=dict(required=False, type="str", choices=["disable", "enable"]), + internet_service_negate=dict(required=False, type="str", choices=["disable", "enable"]), + internet_service_id=dict(required=False, type="str"), + internet_service_custom=dict(required=False, type="str"), + internet_service=dict(required=False, type="str", choices=["disable", "enable"]), + inbound=dict(required=False, type="str", choices=["disable", "enable"]), + identity_based_route=dict(required=False, type="str"), + icap_profile=dict(required=False, type="str"), + gtp_profile=dict(required=False, type="str"), + groups=dict(required=False, type="str"), + global_label=dict(required=False, type="str"), + fsso_agent_for_ntlm=dict(required=False, type="str"), + fsso=dict(required=False, type="str", choices=["disable", "enable"]), + fixedport=dict(required=False, type="str", choices=["disable", "enable"]), + firewall_session_dirty=dict(required=False, type="str", choices=["check-all", "check-new"]), + dstintf=dict(required=False, type="str"), + dstaddr_negate=dict(required=False, type="str", choices=["disable", "enable"]), + dstaddr=dict(required=False, type="str"), + dsri=dict(required=False, type="str", choices=["disable", "enable"]), + dscp_value=dict(required=False, type="str"), + dscp_negate=dict(required=False, type="str", choices=["disable", "enable"]), + dscp_match=dict(required=False, type="str", choices=["disable", "enable"]), + dnsfilter_profile=dict(required=False, type="str"), + dlp_sensor=dict(required=False, type="str"), + disclaimer=dict(required=False, type="str", choices=["disable", "enable"]), + diffservcode_rev=dict(required=False, type="str"), + diffservcode_forward=dict(required=False, type="str"), + diffserv_reverse=dict(required=False, type="str", choices=["disable", "enable"]), + diffserv_forward=dict(required=False, type="str", choices=["disable", "enable"]), + devices=dict(required=False, type="str"), + delay_tcp_npu_session=dict(required=False, 
type="str", choices=["disable", "enable"]), + custom_log_fields=dict(required=False, type="str"), + comments=dict(required=False, type="str"), + capture_packet=dict(required=False, type="str", choices=["disable", "enable"]), + captive_portal_exempt=dict(required=False, type="str", choices=["disable", "enable"]), + block_notification=dict(required=False, type="str", choices=["disable", "enable"]), + av_profile=dict(required=False, type="str"), + auto_asic_offload=dict(required=False, type="str", choices=["disable", "enable"]), + auth_redirect_addr=dict(required=False, type="str"), + auth_path=dict(required=False, type="str", choices=["disable", "enable"]), + auth_cert=dict(required=False, type="str"), + application_list=dict(required=False, type="str"), + application=dict(required=False, type="str"), + app_group=dict(required=False, type="str"), + app_category=dict(required=False, type="str"), + action=dict(required=False, type="str", choices=["deny", "accept", "ipsec"]), + vpn_dst_node=dict(required=False, type="list"), + vpn_dst_node_host=dict(required=False, type="str"), + vpn_dst_node_seq=dict(required=False, type="str"), + vpn_dst_node_subnet=dict(required=False, type="str"), + vpn_src_node=dict(required=False, type="list"), + vpn_src_node_host=dict(required=False, type="str"), + vpn_src_node_seq=dict(required=False, type="str"), + vpn_src_node_subnet=dict(required=False, type="str"), + + ) + + module = AnsibleModule(argument_spec, supports_check_mode=False) + + # MODULE PARAMGRAM + paramgram = { + "mode": module.params["mode"], + "adom": module.params["adom"], + "package_name": module.params["package_name"], + "wsso": module.params["wsso"], + "webfilter-profile": module.params["webfilter_profile"], + "webcache-https": module.params["webcache_https"], + "webcache": module.params["webcache"], + "wccp": module.params["wccp"], + "wanopt-profile": module.params["wanopt_profile"], + "wanopt-peer": module.params["wanopt_peer"], + "wanopt-passive-opt": 
module.params["wanopt_passive_opt"], + "wanopt-detection": module.params["wanopt_detection"], + "wanopt": module.params["wanopt"], + "waf-profile": module.params["waf_profile"], + "vpntunnel": module.params["vpntunnel"], + "voip-profile": module.params["voip_profile"], + "vlan-filter": module.params["vlan_filter"], + "vlan-cos-rev": module.params["vlan_cos_rev"], + "vlan-cos-fwd": module.params["vlan_cos_fwd"], + "utm-status": module.params["utm_status"], + "users": module.params["users"], + "url-category": module.params["url_category"], + "traffic-shaper-reverse": module.params["traffic_shaper_reverse"], + "traffic-shaper": module.params["traffic_shaper"], + "timeout-send-rst": module.params["timeout_send_rst"], + "tcp-session-without-syn": module.params["tcp_session_without_syn"], + "tcp-mss-sender": module.params["tcp_mss_sender"], + "tcp-mss-receiver": module.params["tcp_mss_receiver"], + "status": module.params["status"], + "ssl-ssh-profile": module.params["ssl_ssh_profile"], + "ssl-mirror-intf": module.params["ssl_mirror_intf"], + "ssl-mirror": module.params["ssl_mirror"], + "ssh-filter-profile": module.params["ssh_filter_profile"], + "srcintf": module.params["srcintf"], + "srcaddr-negate": module.params["srcaddr_negate"], + "srcaddr": module.params["srcaddr"], + "spamfilter-profile": module.params["spamfilter_profile"], + "session-ttl": module.params["session_ttl"], + "service-negate": module.params["service_negate"], + "service": module.params["service"], + "send-deny-packet": module.params["send_deny_packet"], + "schedule-timeout": module.params["schedule_timeout"], + "schedule": module.params["schedule"], + "scan-botnet-connections": module.params["scan_botnet_connections"], + "rtp-nat": module.params["rtp_nat"], + "rtp-addr": module.params["rtp_addr"], + "rsso": module.params["rsso"], + "replacemsg-override-group": module.params["replacemsg_override_group"], + "redirect-url": module.params["redirect_url"], + "radius-mac-auth-bypass": 
module.params["radius_mac_auth_bypass"], + "profile-type": module.params["profile_type"], + "profile-protocol-options": module.params["profile_protocol_options"], + "profile-group": module.params["profile_group"], + "poolname": module.params["poolname"], + "policyid": module.params["policyid"], + "permit-stun-host": module.params["permit_stun_host"], + "permit-any-host": module.params["permit_any_host"], + "per-ip-shaper": module.params["per_ip_shaper"], + "outbound": module.params["outbound"], + "ntlm-guest": module.params["ntlm_guest"], + "ntlm-enabled-browsers": module.params["ntlm_enabled_browsers"], + "ntlm": module.params["ntlm"], + "np-acceleration": module.params["np_acceleration"], + "natoutbound": module.params["natoutbound"], + "natip": module.params["natip"], + "natinbound": module.params["natinbound"], + "nat": module.params["nat"], + "name": module.params["name"], + "mms-profile": module.params["mms_profile"], + "match-vip": module.params["match_vip"], + "logtraffic-start": module.params["logtraffic_start"], + "logtraffic": module.params["logtraffic"], + "learning-mode": module.params["learning_mode"], + "label": module.params["label"], + "ips-sensor": module.params["ips_sensor"], + "ippool": module.params["ippool"], + "internet-service-src-negate": module.params["internet_service_src_negate"], + "internet-service-src-id": module.params["internet_service_src_id"], + "internet-service-src-custom": module.params["internet_service_src_custom"], + "internet-service-src": module.params["internet_service_src"], + "internet-service-negate": module.params["internet_service_negate"], + "internet-service-id": module.params["internet_service_id"], + "internet-service-custom": module.params["internet_service_custom"], + "internet-service": module.params["internet_service"], + "inbound": module.params["inbound"], + "identity-based-route": module.params["identity_based_route"], + "icap-profile": module.params["icap_profile"], + "gtp-profile": 
module.params["gtp_profile"], + "groups": module.params["groups"], + "global-label": module.params["global_label"], + "fsso-agent-for-ntlm": module.params["fsso_agent_for_ntlm"], + "fsso": module.params["fsso"], + "fixedport": module.params["fixedport"], + "firewall-session-dirty": module.params["firewall_session_dirty"], + "dstintf": module.params["dstintf"], + "dstaddr-negate": module.params["dstaddr_negate"], + "dstaddr": module.params["dstaddr"], + "dsri": module.params["dsri"], + "dscp-value": module.params["dscp_value"], + "dscp-negate": module.params["dscp_negate"], + "dscp-match": module.params["dscp_match"], + "dnsfilter-profile": module.params["dnsfilter_profile"], + "dlp-sensor": module.params["dlp_sensor"], + "disclaimer": module.params["disclaimer"], + "diffservcode-rev": module.params["diffservcode_rev"], + "diffservcode-forward": module.params["diffservcode_forward"], + "diffserv-reverse": module.params["diffserv_reverse"], + "diffserv-forward": module.params["diffserv_forward"], + "devices": module.params["devices"], + "delay-tcp-npu-session": module.params["delay_tcp_npu_session"], + "custom-log-fields": module.params["custom_log_fields"], + "comments": module.params["comments"], + "capture-packet": module.params["capture_packet"], + "captive-portal-exempt": module.params["captive_portal_exempt"], + "block-notification": module.params["block_notification"], + "av-profile": module.params["av_profile"], + "auto-asic-offload": module.params["auto_asic_offload"], + "auth-redirect-addr": module.params["auth_redirect_addr"], + "auth-path": module.params["auth_path"], + "auth-cert": module.params["auth_cert"], + "application-list": module.params["application_list"], + "application": module.params["application"], + "app-group": module.params["app_group"], + "app-category": module.params["app_category"], + "action": module.params["action"], + "vpn_dst_node": { + "host": module.params["vpn_dst_node_host"], + "seq": module.params["vpn_dst_node_seq"], + 
"subnet": module.params["vpn_dst_node_subnet"], + }, + "vpn_src_node": { + "host": module.params["vpn_src_node_host"], + "seq": module.params["vpn_src_node_seq"], + "subnet": module.params["vpn_src_node_subnet"], + } + } + list_overrides = ['vpn_dst_node', 'vpn_src_node'] + for list_variable in list_overrides: + override_data = list() + try: + override_data = module.params[list_variable] + except: + pass + try: + if override_data: + del paramgram[list_variable] + paramgram[list_variable] = override_data + except: + pass + + # CHECK IF THE HOST/USERNAME/PW EXISTS, AND IF IT DOES, LOGIN. + host = module.params["host"] + password = module.params["password"] + username = module.params["username"] + if host is None or username is None or password is None: + module.fail_json(msg="Host and username and password are required") + + # CHECK IF LOGIN FAILED + fmg = AnsibleFortiManager(module, module.params["host"], module.params["username"], module.params["password"]) + + response = fmg.login() + if response[1]['status']['code'] != 0: + module.fail_json(msg="Connection to FortiManager Failed") + + if paramgram["mode"] == "delete": + # WE NEED TO GET THE POLICY ID FROM THE NAME OF THE POLICY TO DELETE IT + url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \ + '/policy/'.format(adom=paramgram["adom"], + pkg=paramgram["package_name"]) + datagram = { + "filter": ["name", "==", paramgram["name"]] + } + response = fmg.get(url, datagram) + try: + if response[1][0]["policyid"]: + policy_id = response[1][0]["policyid"] + paramgram["policyid"] = policy_id + except: + fmgr_logout(fmg, module, results=response, msg="Couldn't get Policy ID from name, delete failed") + + results = fmgr_firewall_policy_addsetdelete(fmg, paramgram) + if results[0] == -10131: + fmgr_logout(fmg, module, results=results, good_codes=[0, -9998, ], + msg=str(results[0]) + " - Object Dependency Failed. 
Do the objects named in parameters exist?!") + elif results[0] == -3: + fmgr_logout(fmg, module, results=results, good_codes=[0, -3], + msg="Couldn't Delete - Policy Doesn't Exist") + elif results[0] == 0: + fmgr_logout(fmg, module, results=results, good_codes=[0, -9998], + msg="Successfully Set FW Policy") + elif results[0] not in [0, -9998]: + fmgr_logout(fmg, module, results=results, good_codes=[0, -9998], + msg=str(results[0]) + "Could not set FW policy.") + + fmg.logout() + + if results is not None: + return module.exit_json(**results[1]) + else: + return module.exit_json(msg="No results were returned from the API call.") + + +if __name__ == "__main__": + main() diff --git a/test/units/modules/network/fortimanager/fixtures/test_fmgr_fwpol_ipv4.json b/test/units/modules/network/fortimanager/fixtures/test_fmgr_fwpol_ipv4.json new file mode 100644 index 00000000000..d86f49b76b0 --- /dev/null +++ b/test/units/modules/network/fortimanager/fixtures/test_fmgr_fwpol_ipv4.json 
@@ -0,0 +1,877 @@ +{ + "fmgr_firewall_policy_addsetdelete": [ + { + "url": "/pm/config/adom/ansible/pkg/default/firewall/policy", + "paramgram_used": { + "wanopt-passive-opt": null, + "package_name": "default", + "wanopt-detection": null, + "scan-botnet-connections": null, + "profile-group": null, + "wanopt-peer": null, + "dscp-match": null, + "replacemsg-override-group": null, + "internet-service-negate": null, + "np-acceleration": null, + "learning-mode": null, + "session-ttl": null, + "ntlm-guest": null, + "ips-sensor": null, + "diffservcode-rev": null, + "match-vip": null, + "natip": null, + "dlp-sensor": null, + "traffic-shaper": null, + "groups": null, + "schedule-timeout": null, + "name": "Basic_IPv4_Policy", + "tcp-session-without-syn": null, + "ntlm": null, + "permit-stun-host": null, + "diffservcode-forward": null, + "internet-service-src-custom": null, + "mode": "set", + "disclaimer": null, + "rtp-nat": null, + "auth-cert": null, + "timeout-send-rst": null, + "auth-redirect-addr": null, + "ssl-mirror-intf": null, + "identity-based-route": null, + "natoutbound": null, + "wanopt-profile": null, + "per-ip-shaper": null, + "profile-protocol-options": null, + "diffserv-forward": null, + "poolname": null, + "comments": "Created by Ansible", + "label": null, + "global-label": null, + "firewall-session-dirty": null, + "wanopt": null, + "schedule": "always", + "internet-service-id": null, + "auth-path": null, + "vlan-cos-fwd": null, + "custom-log-fields": null, + "dstintf": "any", + "srcintf": "any", + "block-notification": null, + "internet-service-src-id": null, + "redirect-url": null, + "waf-profile": null, + "ntlm-enabled-browsers": null, + "dscp-negate": null, + "action": "accept", + "fsso-agent-for-ntlm": null, + "logtraffic": "utm", + "vlan-filter": null, + "policyid": null, + "logtraffic-start": null, + "webcache-https": null, + "webfilter-profile": null, + "internet-service-src": null, + "webcache": null, + "utm-status": null, + "vpn_src_node": { + 
"subnet": null, + "host": null, + "seq": null + }, + "ippool": null, + "service": "ALL", + "wccp": null, + "auto-asic-offload": null, + "dscp-value": null, + "url-category": null, + "capture-packet": null, + "adom": "ansible", + "inbound": null, + "internet-service": null, + "profile-type": null, + "ssl-mirror": null, + "srcaddr-negate": null, + "gtp-profile": null, + "mms-profile": null, + "send-deny-packet": null, + "devices": null, + "permit-any-host": null, + "av-profile": null, + "internet-service-src-negate": null, + "service-negate": null, + "rsso": null, + "app-group": null, + "tcp-mss-sender": null, + "natinbound": null, + "fixedport": null, + "ssl-ssh-profile": null, + "outbound": null, + "spamfilter-profile": null, + "application-list": null, + "application": null, + "dnsfilter-profile": null, + "nat": null, + "fsso": null, + "vlan-cos-rev": null, + "status": null, + "dsri": null, + "users": null, + "voip-profile": null, + "dstaddr-negate": null, + "traffic-shaper-reverse": null, + "internet-service-custom": null, + "diffserv-reverse": null, + "srcaddr": "all", + "ssh-filter-profile": null, + "delay-tcp-npu-session": null, + "icap-profile": null, + "captive-portal-exempt": null, + "vpn_dst_node": { + "subnet": null, + "host": null, + "seq": null + }, + "app-category": null, + "rtp-addr": null, + "wsso": null, + "tcp-mss-receiver": null, + "dstaddr": "all", + "radius-mac-auth-bypass": null, + "vpntunnel": null + }, + "raw_response": { + "policyid": 25 + }, + "post_method": "set" + }, + { + "url": "/pm/config/adom/ansible/pkg/default/firewall/policy", + "raw_response": { + "policyid": 26 + }, + "paramgram_used": { + "package_name": "default", + "wanopt-detection": null, + "scan-botnet-connections": null, + "profile-group": null, + "dlp-sensor": null, + "dscp-match": null, + "replacemsg-override-group": null, + "internet-service-negate": null, + "np-acceleration": null, + "learning-mode": null, + "session-ttl": null, + "ntlm-guest": null, + "ips-sensor": 
null, + "diffservcode-rev": null, + "match-vip": null, + "natip": null, + "wanopt-peer": null, + "traffic-shaper": null, + "groups": null, + "schedule-timeout": null, + "name": "Basic_IPv4_Policy_2", + "tcp-session-without-syn": null, + "rtp-nat": null, + "permit-stun-host": null, + "natoutbound": null, + "internet-service-src-custom": null, + "mode": "set", + "logtraffic": "utm", + "ntlm": null, + "auth-cert": null, + "timeout-send-rst": null, + "auth-redirect-addr": null, + "ssl-mirror-intf": null, + "identity-based-route": null, + "diffservcode-forward": null, + "wanopt-profile": null, + "per-ip-shaper": null, + "users": null, + "diffserv-forward": null, + "poolname": null, + "comments": "Created by Ansible", + "label": null, + "global-label": null, + "firewall-session-dirty": null, + "wanopt": null, + "schedule": "always", + "internet-service-id": null, + "auth-path": null, + "vlan-cos-fwd": null, + "custom-log-fields": null, + "dstintf": "any", + "srcintf": "any", + "block-notification": null, + "internet-service-src-id": null, + "redirect-url": null, + "waf-profile": null, + "ntlm-enabled-browsers": null, + "dscp-negate": null, + "action": "accept", + "fsso-agent-for-ntlm": null, + "disclaimer": null, + "vlan-filter": null, + "dstaddr-negate": null, + "logtraffic-start": null, + "webcache-https": null, + "webfilter-profile": null, + "internet-service-src": null, + "webcache": null, + "utm-status": null, + "vpn_src_node": { + "subnet": null, + "host": null, + "seq": null + }, + "ippool": null, + "service": "HTTP, HTTPS", + "wccp": null, + "auto-asic-offload": null, + "dscp-value": null, + "url-category": null, + "capture-packet": null, + "adom": "ansible", + "inbound": null, + "internet-service": null, + "profile-type": null, + "ssl-mirror": null, + "srcaddr-negate": null, + "gtp-profile": null, + "mms-profile": null, + "send-deny-packet": null, + "devices": null, + "permit-any-host": null, + "av-profile": null, + "internet-service-src-negate": null, + 
"service-negate": null, + "rsso": null, + "application-list": null, + "app-group": null, + "tcp-mss-sender": null, + "natinbound": null, + "fixedport": null, + "ssl-ssh-profile": null, + "outbound": null, + "spamfilter-profile": null, + "wanopt-passive-opt": null, + "application": null, + "dnsfilter-profile": null, + "nat": "enable", + "fsso": null, + "vlan-cos-rev": null, + "status": null, + "dsri": null, + "profile-protocol-options": null, + "voip-profile": null, + "policyid": null, + "traffic-shaper-reverse": null, + "internet-service-custom": null, + "diffserv-reverse": null, + "srcaddr": "all", + "dstaddr": "google-play", + "delay-tcp-npu-session": null, + "icap-profile": null, + "captive-portal-exempt": null, + "vpn_dst_node": { + "subnet": null, + "host": null, + "seq": null + }, + "app-category": null, + "rtp-addr": null, + "wsso": null, + "tcp-mss-receiver": null, + "ssh-filter-profile": null, + "radius-mac-auth-bypass": null, + "vpntunnel": null + }, + "post_method": "set" + }, + { + "url": "/pm/config/adom/ansible/pkg/default/firewall/policy", + "paramgram_used": { + "wanopt-passive-opt": null, + "package_name": "default", + "wanopt-detection": null, + "scan-botnet-connections": null, + "profile-group": null, + "wanopt-peer": null, + "dscp-match": null, + "replacemsg-override-group": null, + "internet-service-negate": null, + "np-acceleration": null, + "learning-mode": null, + "session-ttl": null, + "ntlm-guest": null, + "ips-sensor": "default", + "diffservcode-rev": null, + "match-vip": null, + "natip": null, + "dlp-sensor": null, + "traffic-shaper": null, + "groups": null, + "schedule-timeout": null, + "name": "Basic_IPv4_Policy_3", + "tcp-session-without-syn": null, + "ntlm": null, + "permit-stun-host": null, + "diffservcode-forward": null, + "internet-service-src-custom": null, + "mode": "set", + "disclaimer": null, + "rtp-nat": null, + "auth-cert": null, + "timeout-send-rst": null, + "auth-redirect-addr": null, + "ssl-mirror-intf": null, + 
"identity-based-route": null, + "natoutbound": null, + "wanopt-profile": null, + "per-ip-shaper": null, + "profile-protocol-options": null, + "diffserv-forward": null, + "poolname": null, + "comments": "Created by Ansible", + "label": null, + "global-label": null, + "firewall-session-dirty": null, + "wanopt": null, + "schedule": "always", + "internet-service-id": null, + "auth-path": null, + "vlan-cos-fwd": null, + "custom-log-fields": null, + "dstintf": "zone_wan1, zone_wan2", + "srcintf": "zone_int1", + "block-notification": null, + "internet-service-src-id": null, + "redirect-url": null, + "waf-profile": null, + "ntlm-enabled-browsers": null, + "dscp-negate": null, + "action": "accept", + "fsso-agent-for-ntlm": null, + "logtraffic": "utm", + "vlan-filter": null, + "policyid": null, + "logtraffic-start": null, + "webcache-https": null, + "webfilter-profile": null, + "internet-service-src": null, + "webcache": null, + "utm-status": null, + "vpn_src_node": { + "subnet": null, + "host": null, + "seq": null + }, + "ippool": null, + "service": "HTTP, HTTPS", + "wccp": null, + "auto-asic-offload": null, + "dscp-value": null, + "url-category": null, + "capture-packet": null, + "adom": "ansible", + "inbound": null, + "internet-service": null, + "profile-type": null, + "ssl-mirror": null, + "srcaddr-negate": null, + "gtp-profile": null, + "mms-profile": null, + "send-deny-packet": null, + "devices": null, + "permit-any-host": null, + "av-profile": "sniffer-profile", + "internet-service-src-negate": null, + "service-negate": null, + "rsso": null, + "app-group": null, + "tcp-mss-sender": null, + "natinbound": null, + "fixedport": null, + "ssl-ssh-profile": null, + "outbound": null, + "spamfilter-profile": null, + "application-list": null, + "application": null, + "dnsfilter-profile": null, + "nat": "enable", + "fsso": null, + "vlan-cos-rev": null, + "status": null, + "dsri": null, + "users": null, + "voip-profile": null, + "dstaddr-negate": null, + "traffic-shaper-reverse": 
null, + "internet-service-custom": null, + "diffserv-reverse": null, + "srcaddr": "corp_internal", + "ssh-filter-profile": null, + "delay-tcp-npu-session": null, + "icap-profile": null, + "captive-portal-exempt": null, + "vpn_dst_node": { + "subnet": null, + "host": null, + "seq": null + }, + "app-category": null, + "rtp-addr": null, + "wsso": null, + "tcp-mss-receiver": null, + "dstaddr": "google-play, autoupdate.opera.com", + "radius-mac-auth-bypass": null, + "vpntunnel": null + }, + "raw_response": { + "policyid": 27 + }, + "post_method": "set" + }, + { + "raw_response": { + "status": { + "message": "OK", + "code": 0 + }, + "url": "/pm/config/adom/ansible/pkg/default/firewall/policy/25" + }, + "paramgram_used": { + "package_name": "default", + "wanopt-detection": null, + "scan-botnet-connections": null, + "profile-group": null, + "dlp-sensor": null, + "dscp-match": null, + "replacemsg-override-group": null, + "internet-service-negate": null, + "np-acceleration": null, + "learning-mode": null, + "session-ttl": null, + "ntlm-guest": null, + "ips-sensor": null, + "diffservcode-rev": null, + "match-vip": null, + "natip": null, + "wanopt-peer": null, + "traffic-shaper": null, + "groups": null, + "schedule-timeout": null, + "name": "Basic_IPv4_Policy", + "tcp-session-without-syn": null, + "rtp-nat": null, + "permit-stun-host": null, + "natoutbound": null, + "internet-service-src-custom": null, + "mode": "delete", + "logtraffic": null, + "ntlm": null, + "auth-cert": null, + "timeout-send-rst": null, + "auth-redirect-addr": null, + "ssl-mirror-intf": null, + "identity-based-route": null, + "diffservcode-forward": null, + "wanopt-profile": null, + "per-ip-shaper": null, + "users": null, + "diffserv-forward": null, + "poolname": null, + "comments": null, + "label": null, + "global-label": null, + "firewall-session-dirty": null, + "wanopt": null, + "schedule": null, + "internet-service-id": null, + "auth-path": null, + "vlan-cos-fwd": null, + "custom-log-fields": null, + 
"dstintf": null, + "srcintf": null, + "block-notification": null, + "internet-service-src-id": null, + "redirect-url": null, + "waf-profile": null, + "ntlm-enabled-browsers": null, + "dscp-negate": null, + "action": null, + "fsso-agent-for-ntlm": null, + "disclaimer": null, + "vlan-filter": null, + "dstaddr-negate": null, + "logtraffic-start": null, + "webcache-https": null, + "webfilter-profile": null, + "internet-service-src": null, + "webcache": null, + "utm-status": null, + "vpn_src_node": { + "subnet": null, + "host": null, + "seq": null + }, + "ippool": null, + "service": null, + "wccp": null, + "auto-asic-offload": null, + "dscp-value": null, + "url-category": null, + "capture-packet": null, + "adom": "ansible", + "inbound": null, + "internet-service": null, + "profile-type": null, + "ssl-mirror": null, + "srcaddr-negate": null, + "gtp-profile": null, + "mms-profile": null, + "send-deny-packet": null, + "devices": null, + "permit-any-host": null, + "av-profile": null, + "internet-service-src-negate": null, + "service-negate": null, + "rsso": null, + "application-list": null, + "app-group": null, + "tcp-mss-sender": null, + "natinbound": null, + "fixedport": null, + "ssl-ssh-profile": null, + "outbound": null, + "spamfilter-profile": null, + "wanopt-passive-opt": null, + "application": null, + "dnsfilter-profile": null, + "nat": null, + "fsso": null, + "vlan-cos-rev": null, + "status": null, + "dsri": null, + "profile-protocol-options": null, + "voip-profile": null, + "policyid": 25, + "traffic-shaper-reverse": null, + "internet-service-custom": null, + "diffserv-reverse": null, + "srcaddr": null, + "dstaddr": null, + "delay-tcp-npu-session": null, + "icap-profile": null, + "captive-portal-exempt": null, + "vpn_dst_node": { + "subnet": null, + "host": null, + "seq": null + }, + "app-category": null, + "rtp-addr": null, + "wsso": null, + "tcp-mss-receiver": null, + "ssh-filter-profile": null, + "radius-mac-auth-bypass": null, + "vpntunnel": null + }, + 
"post_method": "delete" + }, + { + "paramgram_used": { + "wanopt-passive-opt": null, + "package_name": "default", + "wanopt-detection": null, + "scan-botnet-connections": null, + "profile-group": null, + "wanopt-peer": null, + "dscp-match": null, + "replacemsg-override-group": null, + "internet-service-negate": null, + "np-acceleration": null, + "learning-mode": null, + "session-ttl": null, + "ntlm-guest": null, + "ips-sensor": null, + "diffservcode-rev": null, + "match-vip": null, + "natip": null, + "dlp-sensor": null, + "traffic-shaper": null, + "groups": null, + "schedule-timeout": null, + "name": "Basic_IPv4_Policy_2", + "tcp-session-without-syn": null, + "ntlm": null, + "permit-stun-host": null, + "diffservcode-forward": null, + "internet-service-src-custom": null, + "mode": "delete", + "disclaimer": null, + "rtp-nat": null, + "auth-cert": null, + "timeout-send-rst": null, + "auth-redirect-addr": null, + "ssl-mirror-intf": null, + "identity-based-route": null, + "natoutbound": null, + "wanopt-profile": null, + "per-ip-shaper": null, + "profile-protocol-options": null, + "diffserv-forward": null, + "poolname": null, + "comments": null, + "label": null, + "global-label": null, + "firewall-session-dirty": null, + "wanopt": null, + "schedule": null, + "internet-service-id": null, + "auth-path": null, + "vlan-cos-fwd": null, + "custom-log-fields": null, + "dstintf": null, + "srcintf": null, + "block-notification": null, + "internet-service-src-id": null, + "redirect-url": null, + "waf-profile": null, + "ntlm-enabled-browsers": null, + "dscp-negate": null, + "action": null, + "fsso-agent-for-ntlm": null, + "logtraffic": null, + "vlan-filter": null, + "policyid": 26, + "logtraffic-start": null, + "webcache-https": null, + "webfilter-profile": null, + "internet-service-src": null, + "webcache": null, + "utm-status": null, + "vpn_src_node": { + "subnet": null, + "host": null, + "seq": null + }, + "ippool": null, + "service": null, + "wccp": null, + "auto-asic-offload": 
null, + "dscp-value": null, + "url-category": null, + "capture-packet": null, + "adom": "ansible", + "inbound": null, + "internet-service": null, + "profile-type": null, + "ssl-mirror": null, + "srcaddr-negate": null, + "gtp-profile": null, + "mms-profile": null, + "send-deny-packet": null, + "devices": null, + "permit-any-host": null, + "av-profile": null, + "internet-service-src-negate": null, + "service-negate": null, + "rsso": null, + "app-group": null, + "tcp-mss-sender": null, + "natinbound": null, + "fixedport": null, + "ssl-ssh-profile": null, + "outbound": null, + "spamfilter-profile": null, + "application-list": null, + "application": null, + "dnsfilter-profile": null, + "nat": null, + "fsso": null, + "vlan-cos-rev": null, + "status": null, + "dsri": null, + "users": null, + "voip-profile": null, + "dstaddr-negate": null, + "traffic-shaper-reverse": null, + "internet-service-custom": null, + "diffserv-reverse": null, + "srcaddr": null, + "ssh-filter-profile": null, + "delay-tcp-npu-session": null, + "icap-profile": null, + "captive-portal-exempt": null, + "vpn_dst_node": { + "subnet": null, + "host": null, + "seq": null + }, + "app-category": null, + "rtp-addr": null, + "wsso": null, + "tcp-mss-receiver": null, + "dstaddr": null, + "radius-mac-auth-bypass": null, + "vpntunnel": null + }, + "raw_response": { + "status": { + "message": "OK", + "code": 0 + }, + "url": "/pm/config/adom/ansible/pkg/default/firewall/policy/26" + }, + "post_method": "delete" + }, + { + "raw_response": { + "status": { + "message": "OK", + "code": 0 + }, + "url": "/pm/config/adom/ansible/pkg/default/firewall/policy/27" + }, + "paramgram_used": { + "package_name": "default", + "wanopt-detection": null, + "scan-botnet-connections": null, + "profile-group": null, + "dlp-sensor": null, + "dscp-match": null, + "replacemsg-override-group": null, + "internet-service-negate": null, + "np-acceleration": null, + "learning-mode": null, + "session-ttl": null, + "ntlm-guest": null, + 
"ips-sensor": null, + "diffservcode-rev": null, + "match-vip": null, + "natip": null, + "wanopt-peer": null, + "traffic-shaper": null, + "groups": null, + "schedule-timeout": null, + "name": "Basic_IPv4_Policy_3", + "tcp-session-without-syn": null, + "rtp-nat": null, + "permit-stun-host": null, + "natoutbound": null, + "internet-service-src-custom": null, + "mode": "delete", + "logtraffic": null, + "ntlm": null, + "auth-cert": null, + "timeout-send-rst": null, + "auth-redirect-addr": null, + "ssl-mirror-intf": null, + "identity-based-route": null, + "diffservcode-forward": null, + "wanopt-profile": null, + "per-ip-shaper": null, + "users": null, + "diffserv-forward": null, + "poolname": null, + "comments": null, + "label": null, + "global-label": null, + "firewall-session-dirty": null, + "wanopt": null, + "schedule": null, + "internet-service-id": null, + "auth-path": null, + "vlan-cos-fwd": null, + "custom-log-fields": null, + "dstintf": null, + "srcintf": null, + "block-notification": null, + "internet-service-src-id": null, + "redirect-url": null, + "waf-profile": null, + "ntlm-enabled-browsers": null, + "dscp-negate": null, + "action": null, + "fsso-agent-for-ntlm": null, + "disclaimer": null, + "vlan-filter": null, + "dstaddr-negate": null, + "logtraffic-start": null, + "webcache-https": null, + "webfilter-profile": null, + "internet-service-src": null, + "webcache": null, + "utm-status": null, + "vpn_src_node": { + "subnet": null, + "host": null, + "seq": null + }, + "ippool": null, + "service": null, + "wccp": null, + "auto-asic-offload": null, + "dscp-value": null, + "url-category": null, + "capture-packet": null, + "adom": "ansible", + "internet-service": null, + "inbound": null, + "profile-type": null, + "ssl-mirror": null, + "srcaddr-negate": null, + "gtp-profile": null, + "mms-profile": null, + "send-deny-packet": null, + "devices": null, + "permit-any-host": null, + "av-profile": null, + "internet-service-src-negate": null, + "service-negate": null, + 
"rsso": null, + "application-list": null, + "app-group": null, + "tcp-mss-sender": null, + "natinbound": null, + "fixedport": null, + "ssl-ssh-profile": null, + "outbound": null, + "spamfilter-profile": null, + "wanopt-passive-opt": null, + "application": null, + "dnsfilter-profile": null, + "nat": null, + "fsso": null, + "vlan-cos-rev": null, + "status": null, + "dsri": null, + "profile-protocol-options": null, + "voip-profile": null, + "policyid": 27, + "traffic-shaper-reverse": null, + "internet-service-custom": null, + "diffserv-reverse": null, + "srcaddr": null, + "dstaddr": null, + "delay-tcp-npu-session": null, + "icap-profile": null, + "captive-portal-exempt": null, + "vpn_dst_node": { + "subnet": null, + "host": null, + "seq": null + }, + "app-category": null, + "rtp-addr": null, + "wsso": null, + "tcp-mss-receiver": null, + "ssh-filter-profile": null, + "radius-mac-auth-bypass": null, + "vpntunnel": null + }, + "post_method": "delete" + } + ] +} diff --git a/test/units/modules/network/fortimanager/test_fmgr_fwpol_ipv4.py b/test/units/modules/network/fortimanager/test_fmgr_fwpol_ipv4.py new file mode 100644 index 00000000000..42bb7c3d99f --- /dev/null +++ b/test/units/modules/network/fortimanager/test_fmgr_fwpol_ipv4.py 
@@ -0,0 +1,846 @@
+# Copyright 2018 Fortinet, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import json
+from pyFMG.fortimgr import FortiManager
+import pytest
+
+try:
+ from ansible.modules.network.fortimanager import fmgr_fwpol_ipv4
+except ImportError:
+ pytest.skip("Could not load required modules for testing", allow_module_level=True)
+
+fmg_instance = FortiManager("1.1.1.1", "admin", "")
+
+
+def load_fixtures():
+ fixture_path = os.path.join(os.path.dirname(__file__), 'fixtures') + "/(unknown).json".format(
+ filename=os.path.splitext(os.path.basename(__file__))[0])
+ try:
+ with open(fixture_path, "r") as fixture_file:
+ fixture_data = json.load(fixture_file)
+ except IOError:
+ return []
+ return [fixture_data]
+
+
+@pytest.fixture(scope="function", params=load_fixtures())
+def fixture_data(request):
+ func_name = request.function.__name__.replace("test_", "")
+ return request.param.get(func_name, None)
+
+
+def test_fmgr_firewall_policy_addsetdelete(fixture_data, mocker):
+ mocker.patch("pyFMG.fortimgr.FortiManager._post_request", side_effect=fixture_data)
+ # Fixture sets used:###########################
+
+ ##################################################
+ # wanopt-passive-opt: None
+ # package_name: default
+ # wanopt-detection: None
+ # 
scan-botnet-connections: None + # profile-group: None + # wanopt-peer: None + # dscp-match: None + # replacemsg-override-group: None + # internet-service-negate: None + # np-acceleration: None + # learning-mode: None + # session-ttl: None + # ntlm-guest: None + # ips-sensor: None + # diffservcode-rev: None + # match-vip: None + # natip: None + # dlp-sensor: None + # traffic-shaper: None + # groups: None + # schedule-timeout: None + # name: Basic_IPv4_Policy + # tcp-session-without-syn: None + # ntlm: None + # permit-stun-host: None + # diffservcode-forward: None + # internet-service-src-custom: None + # mode: set + # disclaimer: None + # rtp-nat: None + # auth-cert: None + # timeout-send-rst: None + # auth-redirect-addr: None + # ssl-mirror-intf: None + # identity-based-route: None + # natoutbound: None + # wanopt-profile: None + # per-ip-shaper: None + # profile-protocol-options: None + # diffserv-forward: None + # poolname: None + # comments: Created by Ansible + # label: None + # global-label: None + # firewall-session-dirty: None + # wanopt: None + # schedule: always + # internet-service-id: None + # auth-path: None + # vlan-cos-fwd: None + # custom-log-fields: None + # dstintf: any + # srcintf: any + # block-notification: None + # internet-service-src-id: None + # redirect-url: None + # waf-profile: None + # ntlm-enabled-browsers: None + # dscp-negate: None + # action: accept + # fsso-agent-for-ntlm: None + # logtraffic: utm + # vlan-filter: None + # policyid: None + # logtraffic-start: None + # webcache-https: None + # webfilter-profile: None + # internet-service-src: None + # webcache: None + # utm-status: None + # vpn_src_node: {'subnet': None, 'host': None, 'seq': None} + # ippool: None + # service: ALL + # wccp: None + # auto-asic-offload: None + # dscp-value: None + # url-category: None + # capture-packet: None + # adom: ansible + # inbound: None + # internet-service: None + # profile-type: None + # ssl-mirror: None + # srcaddr-negate: None + # 
gtp-profile: None + # mms-profile: None + # send-deny-packet: None + # devices: None + # permit-any-host: None + # av-profile: None + # internet-service-src-negate: None + # service-negate: None + # rsso: None + # app-group: None + # tcp-mss-sender: None + # natinbound: None + # fixedport: None + # ssl-ssh-profile: None + # outbound: None + # spamfilter-profile: None + # application-list: None + # application: None + # dnsfilter-profile: None + # nat: None + # fsso: None + # vlan-cos-rev: None + # status: None + # dsri: None + # users: None + # voip-profile: None + # dstaddr-negate: None + # traffic-shaper-reverse: None + # internet-service-custom: None + # diffserv-reverse: None + # srcaddr: all + # ssh-filter-profile: None + # delay-tcp-npu-session: None + # icap-profile: None + # captive-portal-exempt: None + # vpn_dst_node: {'subnet': None, 'host': None, 'seq': None} + # app-category: None + # rtp-addr: None + # wsso: None + # tcp-mss-receiver: None + # dstaddr: all + # radius-mac-auth-bypass: None + # vpntunnel: None + ################################################## + ################################################## + # package_name: default + # wanopt-detection: None + # scan-botnet-connections: None + # profile-group: None + # dlp-sensor: None + # dscp-match: None + # replacemsg-override-group: None + # internet-service-negate: None + # np-acceleration: None + # learning-mode: None + # session-ttl: None + # ntlm-guest: None + # ips-sensor: None + # diffservcode-rev: None + # match-vip: None + # natip: None + # wanopt-peer: None + # traffic-shaper: None + # groups: None + # schedule-timeout: None + # name: Basic_IPv4_Policy_2 + # tcp-session-without-syn: None + # rtp-nat: None + # permit-stun-host: None + # natoutbound: None + # internet-service-src-custom: None + # mode: set + # logtraffic: utm + # ntlm: None + # auth-cert: None + # timeout-send-rst: None + # auth-redirect-addr: None + # ssl-mirror-intf: None + # identity-based-route: None + # 
diffservcode-forward: None + # wanopt-profile: None + # per-ip-shaper: None + # users: None + # diffserv-forward: None + # poolname: None + # comments: Created by Ansible + # label: None + # global-label: None + # firewall-session-dirty: None + # wanopt: None + # schedule: always + # internet-service-id: None + # auth-path: None + # vlan-cos-fwd: None + # custom-log-fields: None + # dstintf: any + # srcintf: any + # block-notification: None + # internet-service-src-id: None + # redirect-url: None + # waf-profile: None + # ntlm-enabled-browsers: None + # dscp-negate: None + # action: accept + # fsso-agent-for-ntlm: None + # disclaimer: None + # vlan-filter: None + # dstaddr-negate: None + # logtraffic-start: None + # webcache-https: None + # webfilter-profile: None + # internet-service-src: None + # webcache: None + # utm-status: None + # vpn_src_node: {'subnet': None, 'host': None, 'seq': None} + # ippool: None + # service: HTTP, HTTPS + # wccp: None + # auto-asic-offload: None + # dscp-value: None + # url-category: None + # capture-packet: None + # adom: ansible + # inbound: None + # internet-service: None + # profile-type: None + # ssl-mirror: None + # srcaddr-negate: None + # gtp-profile: None + # mms-profile: None + # send-deny-packet: None + # devices: None + # permit-any-host: None + # av-profile: None + # internet-service-src-negate: None + # service-negate: None + # rsso: None + # application-list: None + # app-group: None + # tcp-mss-sender: None + # natinbound: None + # fixedport: None + # ssl-ssh-profile: None + # outbound: None + # spamfilter-profile: None + # wanopt-passive-opt: None + # application: None + # dnsfilter-profile: None + # nat: enable + # fsso: None + # vlan-cos-rev: None + # status: None + # dsri: None + # profile-protocol-options: None + # voip-profile: None + # policyid: None + # traffic-shaper-reverse: None + # internet-service-custom: None + # diffserv-reverse: None + # srcaddr: all + # dstaddr: google-play + # delay-tcp-npu-session: 
None + # icap-profile: None + # captive-portal-exempt: None + # vpn_dst_node: {'subnet': None, 'host': None, 'seq': None} + # app-category: None + # rtp-addr: None + # wsso: None + # tcp-mss-receiver: None + # ssh-filter-profile: None + # radius-mac-auth-bypass: None + # vpntunnel: None + ################################################## + ################################################## + # wanopt-passive-opt: None + # package_name: default + # wanopt-detection: None + # scan-botnet-connections: None + # profile-group: None + # wanopt-peer: None + # dscp-match: None + # replacemsg-override-group: None + # internet-service-negate: None + # np-acceleration: None + # learning-mode: None + # session-ttl: None + # ntlm-guest: None + # ips-sensor: default + # diffservcode-rev: None + # match-vip: None + # natip: None + # dlp-sensor: None + # traffic-shaper: None + # groups: None + # schedule-timeout: None + # name: Basic_IPv4_Policy_3 + # tcp-session-without-syn: None + # ntlm: None + # permit-stun-host: None + # diffservcode-forward: None + # internet-service-src-custom: None + # mode: set + # disclaimer: None + # rtp-nat: None + # auth-cert: None + # timeout-send-rst: None + # auth-redirect-addr: None + # ssl-mirror-intf: None + # identity-based-route: None + # natoutbound: None + # wanopt-profile: None + # per-ip-shaper: None + # profile-protocol-options: None + # diffserv-forward: None + # poolname: None + # comments: Created by Ansible + # label: None + # global-label: None + # firewall-session-dirty: None + # wanopt: None + # schedule: always + # internet-service-id: None + # auth-path: None + # vlan-cos-fwd: None + # custom-log-fields: None + # dstintf: zone_wan1, zone_wan2 + # srcintf: zone_int1 + # block-notification: None + # internet-service-src-id: None + # redirect-url: None + # waf-profile: None + # ntlm-enabled-browsers: None + # dscp-negate: None + # action: accept + # fsso-agent-for-ntlm: None + # logtraffic: utm + # vlan-filter: None + # policyid: 
None + # logtraffic-start: None + # webcache-https: None + # webfilter-profile: None + # internet-service-src: None + # webcache: None + # utm-status: None + # vpn_src_node: {'subnet': None, 'host': None, 'seq': None} + # ippool: None + # service: HTTP, HTTPS + # wccp: None + # auto-asic-offload: None + # dscp-value: None + # url-category: None + # capture-packet: None + # adom: ansible + # inbound: None + # internet-service: None + # profile-type: None + # ssl-mirror: None + # srcaddr-negate: None + # gtp-profile: None + # mms-profile: None + # send-deny-packet: None + # devices: None + # permit-any-host: None + # av-profile: sniffer-profile + # internet-service-src-negate: None + # service-negate: None + # rsso: None + # app-group: None + # tcp-mss-sender: None + # natinbound: None + # fixedport: None + # ssl-ssh-profile: None + # outbound: None + # spamfilter-profile: None + # application-list: None + # application: None + # dnsfilter-profile: None + # nat: enable + # fsso: None + # vlan-cos-rev: None + # status: None + # dsri: None + # users: None + # voip-profile: None + # dstaddr-negate: None + # traffic-shaper-reverse: None + # internet-service-custom: None + # diffserv-reverse: None + # srcaddr: corp_internal + # ssh-filter-profile: None + # delay-tcp-npu-session: None + # icap-profile: None + # captive-portal-exempt: None + # vpn_dst_node: {'subnet': None, 'host': None, 'seq': None} + # app-category: None + # rtp-addr: None + # wsso: None + # tcp-mss-receiver: None + # dstaddr: google-play, autoupdate.opera.com + # radius-mac-auth-bypass: None + # vpntunnel: None + ################################################## + ################################################## + # package_name: default + # wanopt-detection: None + # scan-botnet-connections: None + # profile-group: None + # dlp-sensor: None + # dscp-match: None + # replacemsg-override-group: None + # internet-service-negate: None + # np-acceleration: None + # learning-mode: None + # session-ttl: None 
+ # ntlm-guest: None + # ips-sensor: None + # diffservcode-rev: None + # match-vip: None + # natip: None + # wanopt-peer: None + # traffic-shaper: None + # groups: None + # schedule-timeout: None + # name: Basic_IPv4_Policy + # tcp-session-without-syn: None + # rtp-nat: None + # permit-stun-host: None + # natoutbound: None + # internet-service-src-custom: None + # mode: delete + # logtraffic: None + # ntlm: None + # auth-cert: None + # timeout-send-rst: None + # auth-redirect-addr: None + # ssl-mirror-intf: None + # identity-based-route: None + # diffservcode-forward: None + # wanopt-profile: None + # per-ip-shaper: None + # users: None + # diffserv-forward: None + # poolname: None + # comments: None + # label: None + # global-label: None + # firewall-session-dirty: None + # wanopt: None + # schedule: None + # internet-service-id: None + # auth-path: None + # vlan-cos-fwd: None + # custom-log-fields: None + # dstintf: None + # srcintf: None + # block-notification: None + # internet-service-src-id: None + # redirect-url: None + # waf-profile: None + # ntlm-enabled-browsers: None + # dscp-negate: None + # action: None + # fsso-agent-for-ntlm: None + # disclaimer: None + # vlan-filter: None + # dstaddr-negate: None + # logtraffic-start: None + # webcache-https: None + # webfilter-profile: None + # internet-service-src: None + # webcache: None + # utm-status: None + # vpn_src_node: {'subnet': None, 'host': None, 'seq': None} + # ippool: None + # service: None + # wccp: None + # auto-asic-offload: None + # dscp-value: None + # url-category: None + # capture-packet: None + # adom: ansible + # inbound: None + # internet-service: None + # profile-type: None + # ssl-mirror: None + # srcaddr-negate: None + # gtp-profile: None + # mms-profile: None + # send-deny-packet: None + # devices: None + # permit-any-host: None + # av-profile: None + # internet-service-src-negate: None + # service-negate: None + # rsso: None + # application-list: None + # app-group: None + # 
tcp-mss-sender: None + # natinbound: None + # fixedport: None + # ssl-ssh-profile: None + # outbound: None + # spamfilter-profile: None + # wanopt-passive-opt: None + # application: None + # dnsfilter-profile: None + # nat: None + # fsso: None + # vlan-cos-rev: None + # status: None + # dsri: None + # profile-protocol-options: None + # voip-profile: None + # policyid: 25 + # traffic-shaper-reverse: None + # internet-service-custom: None + # diffserv-reverse: None + # srcaddr: None + # dstaddr: None + # delay-tcp-npu-session: None + # icap-profile: None + # captive-portal-exempt: None + # vpn_dst_node: {'subnet': None, 'host': None, 'seq': None} + # app-category: None + # rtp-addr: None + # wsso: None + # tcp-mss-receiver: None + # ssh-filter-profile: None + # radius-mac-auth-bypass: None + # vpntunnel: None + ################################################## + ################################################## + # wanopt-passive-opt: None + # package_name: default + # wanopt-detection: None + # scan-botnet-connections: None + # profile-group: None + # wanopt-peer: None + # dscp-match: None + # replacemsg-override-group: None + # internet-service-negate: None + # np-acceleration: None + # learning-mode: None + # session-ttl: None + # ntlm-guest: None + # ips-sensor: None + # diffservcode-rev: None + # match-vip: None + # natip: None + # dlp-sensor: None + # traffic-shaper: None + # groups: None + # schedule-timeout: None + # name: Basic_IPv4_Policy_2 + # tcp-session-without-syn: None + # ntlm: None + # permit-stun-host: None + # diffservcode-forward: None + # internet-service-src-custom: None + # mode: delete + # disclaimer: None + # rtp-nat: None + # auth-cert: None + # timeout-send-rst: None + # auth-redirect-addr: None + # ssl-mirror-intf: None + # identity-based-route: None + # natoutbound: None + # wanopt-profile: None + # per-ip-shaper: None + # profile-protocol-options: None + # diffserv-forward: None + # poolname: None + # comments: None + # label: None + # 
global-label: None + # firewall-session-dirty: None + # wanopt: None + # schedule: None + # internet-service-id: None + # auth-path: None + # vlan-cos-fwd: None + # custom-log-fields: None + # dstintf: None + # srcintf: None + # block-notification: None + # internet-service-src-id: None + # redirect-url: None + # waf-profile: None + # ntlm-enabled-browsers: None + # dscp-negate: None + # action: None + # fsso-agent-for-ntlm: None + # logtraffic: None + # vlan-filter: None + # policyid: 26 + # logtraffic-start: None + # webcache-https: None + # webfilter-profile: None + # internet-service-src: None + # webcache: None + # utm-status: None + # vpn_src_node: {'subnet': None, 'host': None, 'seq': None} + # ippool: None + # service: None + # wccp: None + # auto-asic-offload: None + # dscp-value: None + # url-category: None + # capture-packet: None + # adom: ansible + # inbound: None + # internet-service: None + # profile-type: None + # ssl-mirror: None + # srcaddr-negate: None + # gtp-profile: None + # mms-profile: None + # send-deny-packet: None + # devices: None + # permit-any-host: None + # av-profile: None + # internet-service-src-negate: None + # service-negate: None + # rsso: None + # app-group: None + # tcp-mss-sender: None + # natinbound: None + # fixedport: None + # ssl-ssh-profile: None + # outbound: None + # spamfilter-profile: None + # application-list: None + # application: None + # dnsfilter-profile: None + # nat: None + # fsso: None + # vlan-cos-rev: None + # status: None + # dsri: None + # users: None + # voip-profile: None + # dstaddr-negate: None + # traffic-shaper-reverse: None + # internet-service-custom: None + # diffserv-reverse: None + # srcaddr: None + # ssh-filter-profile: None + # delay-tcp-npu-session: None + # icap-profile: None + # captive-portal-exempt: None + # vpn_dst_node: {'subnet': None, 'host': None, 'seq': None} + # app-category: None + # rtp-addr: None + # wsso: None + # tcp-mss-receiver: None + # dstaddr: None + # 
radius-mac-auth-bypass: None + # vpntunnel: None + ################################################## + ################################################## + # package_name: default + # wanopt-detection: None + # scan-botnet-connections: None + # profile-group: None + # dlp-sensor: None + # dscp-match: None + # replacemsg-override-group: None + # internet-service-negate: None + # np-acceleration: None + # learning-mode: None + # session-ttl: None + # ntlm-guest: None + # ips-sensor: None + # diffservcode-rev: None + # match-vip: None + # natip: None + # wanopt-peer: None + # traffic-shaper: None + # groups: None + # schedule-timeout: None + # name: Basic_IPv4_Policy_3 + # tcp-session-without-syn: None + # rtp-nat: None + # permit-stun-host: None + # natoutbound: None + # internet-service-src-custom: None + # mode: delete + # logtraffic: None + # ntlm: None + # auth-cert: None + # timeout-send-rst: None + # auth-redirect-addr: None + # ssl-mirror-intf: None + # identity-based-route: None + # diffservcode-forward: None + # wanopt-profile: None + # per-ip-shaper: None + # users: None + # diffserv-forward: None + # poolname: None + # comments: None + # label: None + # global-label: None + # firewall-session-dirty: None + # wanopt: None + # schedule: None + # internet-service-id: None + # auth-path: None + # vlan-cos-fwd: None + # custom-log-fields: None + # dstintf: None + # srcintf: None + # block-notification: None + # internet-service-src-id: None + # redirect-url: None + # waf-profile: None + # ntlm-enabled-browsers: None + # dscp-negate: None + # action: None + # fsso-agent-for-ntlm: None + # disclaimer: None + # vlan-filter: None + # dstaddr-negate: None + # logtraffic-start: None + # webcache-https: None + # webfilter-profile: None + # internet-service-src: None + # webcache: None + # utm-status: None + # vpn_src_node: {'subnet': None, 'host': None, 'seq': None} + # ippool: None + # service: None + # wccp: None + # auto-asic-offload: None + # dscp-value: None + # 
url-category: None
+ # capture-packet: None
+ # adom: ansible
+ # internet-service: None
+ # inbound: None
+ # profile-type: None
+ # ssl-mirror: None
+ # srcaddr-negate: None
+ # gtp-profile: None
+ # mms-profile: None
+ # send-deny-packet: None
+ # devices: None
+ # permit-any-host: None
+ # av-profile: None
+ # internet-service-src-negate: None
+ # service-negate: None
+ # rsso: None
+ # application-list: None
+ # app-group: None
+ # tcp-mss-sender: None
+ # natinbound: None
+ # fixedport: None
+ # ssl-ssh-profile: None
+ # outbound: None
+ # spamfilter-profile: None
+ # wanopt-passive-opt: None
+ # application: None
+ # dnsfilter-profile: None
+ # nat: None
+ # fsso: None
+ # vlan-cos-rev: None
+ # status: None
+ # dsri: None
+ # profile-protocol-options: None
+ # voip-profile: None
+ # policyid: 27
+ # traffic-shaper-reverse: None
+ # internet-service-custom: None
+ # diffserv-reverse: None
+ # srcaddr: None
+ # dstaddr: None
+ # delay-tcp-npu-session: None
+ # icap-profile: None
+ # captive-portal-exempt: None
+ # vpn_dst_node: {'subnet': None, 'host': None, 'seq': None}
+ # app-category: None
+ # rtp-addr: None
+ # wsso: None
+ # tcp-mss-receiver: None
+ # ssh-filter-profile: None
+ # radius-mac-auth-bypass: None
+ # vpntunnel: None
+ ##################################################
+
+ # Test using fixture 1 #
+ output = fmgr_fwpol_ipv4.fmgr_firewall_policy_addsetdelete(fmg_instance, fixture_data[0]['paramgram_used'])
+ assert isinstance(output['raw_response'], dict) is True
+ # Test using fixture 2 #
+ output = fmgr_fwpol_ipv4.fmgr_firewall_policy_addsetdelete(fmg_instance, fixture_data[1]['paramgram_used'])
+ assert isinstance(output['raw_response'], dict) is True
+ # Test using fixture 3 #
+ output = fmgr_fwpol_ipv4.fmgr_firewall_policy_addsetdelete(fmg_instance, fixture_data[2]['paramgram_used'])
+ assert isinstance(output['raw_response'], dict) is True
+ # Test using fixture 4 #
+ output = fmgr_fwpol_ipv4.fmgr_firewall_policy_addsetdelete(fmg_instance, fixture_data[3]['paramgram_used'])
+ assert output['raw_response']['status']['code'] == 0
+ # Test using fixture 5 #
+ output = fmgr_fwpol_ipv4.fmgr_firewall_policy_addsetdelete(fmg_instance, fixture_data[4]['paramgram_used'])
+ assert output['raw_response']['status']['code'] == 0
+ # Test using fixture 6 #
+ output = fmgr_fwpol_ipv4.fmgr_firewall_policy_addsetdelete(fmg_instance, fixture_data[5]['paramgram_used'])
+ assert output['raw_response']['status']['code'] == 0
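Review bot: `load_fixtures` turns a missing or unreadable fixture file into an empty `params` list, so pytest collects `test_fmgr_firewall_policy_addsetdelete` with no parameter set and the test silently vanishes instead of failing; replace `except IOError: return []` with `except IOError as err: pytest.fail("fixture file unreadable: %s" % err)` or just let the exception propagate. The six assertions at the end of the hunk only check that `raw_response` is a dict or that `status.code` is 0, which cannot tell whether the policy was sent to the intended ADOM and package; the delete fixtures carry the request `url`, so fixture 5 can assert `output['raw_response']['url'] == '/pm/config/adom/ansible/pkg/default/firewall/policy/26'`, and the three `set` cases should at least also check the status code. `fmg_instance = FortiManager("1.1.1.1", "admin", "")` is built at import time, before `_post_request` is patched, so if that constructor performs any I/O (I cannot see it here) collection itself would reach out to that address; building it inside the test or a fixture avoids that. The literal `"/(unknown).json"` passed to `.format(filename=...)` contains no `{filename}` placeholder as rendered, which would make every test module load the same fixture file — if that is not an artifact of how this page was extracted, the placeholder needs restoring. The commit message also notes that the delete path issues a GET before the delete, which the sequential `side_effect=fixture_data` ordering may not reflect; the visible fixture entries are all `post_method: delete`, so this should be confirmed against the module's delete flow, which lies outside this hunk.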