AnsibleでFortigateのオブジェクト情報をGETしてみた(汎用版)
別記事でFortigateのポリシーをGETしてみたというのを書きましたが、それの汎用版です。
エンドポイントの指定にはAPIの種類であるtypeと、path・nameというのが必要そうな感じなので、それで大体どんなのが取れるのというのもメモ書きでまとめておきます。
fortios
理想は、これをuriで書くことなく、標準モジュールのGETメソッドにしてくれると嬉しいんですが…
Ansible関連の実践記事一覧はこちら。
汎用Playbook
group_varsで認証情報を指定し、fortiosモジュールの動作を参考にしてuriモジュールでREST APIを利用する形にしています。
--- - hosts: fortigate gather_facts: false vars: api_type: "cmdb" # cmdb/monitorの2種類があるようです。 api_path: "system" #必要に応じてここを書き換えたり-eしたりSurveyしたり api_name: "ha" #必要に応じてここを書き換えたり-eしたりSurveyしたり tasks: - name: Login uri: url: https://{{ ansible_host }}/logincheck validate_certs: no method : "POST" force_basic_auth: yes body_format: "form-urlencoded" url_username: "{{ ansible_user }}" url_password: "{{ ansible_password }}" body: - [ username, "{{ ansible_user }}" ] - [ secretkey, "{{ ansible_password }}" ] - [ ajax, "1" ] register: http_response - name: GET Object uri: url: https://{{ ansible_host }}/api/v2/{{ api_type }}/{{ api_path }}/{{ api_name }} validate_certs: no method: "GET" headers: Cookie: "{{ http_response.set_cookie }}" return_content: yes register: get_obj - name: Debug Object debug: var: get_obj.json.results
typeとpath、nameの組み合わせ表
| type | path | name | 概要 | 備考 |
|---|---|---|---|---|
| cmdb | firewall | policy | ファイアウォールのポリシー設定が取得可能 | /firewall/policy/1などとするとポリシーIDを限定可能 |
| monitor | firewall | policy | ファイアウォールのポリシー毎のActiveセッションや転送バイト数が取得可能 | |
| cmdb | firewall | address | ファイアウォールのアドレスオブジェクトが取得可能 | - |
| cmdb | firewall | addrgrp | ファイアウォールのアドレスグループオブジェクトが取得可能 | - |
| cmdb | firewall | internet-service | ファイアウォールのインターネットサービスオブジェクトが取得可能 | - |
| cmdb | system | interface | 物理IFの各種設定が取得可能。多すぎ… | - |
| monitor | system | interface | 物理IFのIPやTX/RXバイト、エラー数が取得可能 | fortios_factsの”system_interface_select”と同じだが、あちらはfilter設定で要素を追加可能な模様。 |
| cmdb | dlp | sensor | DLPセンサー設定が取得可能 | - |
| cmdb | ips | rule | 現在のIPSのシグネチャ情報が取得可能 | LTでは、このネタにtemplateを組み合わせてcsv出力した |
| cmdb | firewall | ssl-ssh-profile | SSL・SSHプロファイル情報が取得可能 |
実際のログ
cmdb/firewall/ssl-ssh-profile
詳細はここをクリック
"results": [ { "caname": "Fortinet_CA_SSL", "comment": "Read-only SSL handshake inspection profile.", "ftps": { "allow-invalid-server-cert": "disable", "client-cert-request": "bypass", "ports": [ 990 ], "status": "disable", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "https": { "allow-invalid-server-cert": "disable", "client-cert-request": "bypass", "ports": [ 443 ], "status": "certificate-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "imaps": { "allow-invalid-server-cert": "disable", "client-cert-request": "inspect", "ports": [ 993 ], "status": "disable", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "mapi-over-https": "disable", "name": "certificate-inspection", "pop3s": { "allow-invalid-server-cert": "disable", "client-cert-request": "inspect", "ports": [ 995 ], "status": "disable", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "q_origin_key": "certificate-inspection", "rpc-over-https": "disable", "server-cert": "Fortinet_SSL", "server-cert-mode": "re-sign", "smtps": { "allow-invalid-server-cert": "disable", "client-cert-request": "inspect", "ports": [ 465 ], "status": "disable", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "ssh": { "inspect-all": "disable", "ports": [ 22 ], "ssh-algorithm": "compatible", "ssh-policy-check": "disable", "ssh-tun-policy-check": "disable", "status": "disable", "unsupported-version": "bypass" }, "ssl": { "allow-invalid-server-cert": "disable", "client-cert-request": "bypass", "inspect-all": "disable", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "ssl-anomalies-log": "enable", "ssl-exempt": [], "ssl-exemptions-log": "disable", "ssl-server": [], "untrusted-caname": "Fortinet_CA_Untrusted", "use-ssl-server": "disable", "whitelist": "disable" }, { "caname": "Fortinet_CA_SSL", "comment": "Customizable deep inspection profile.", "ftps": { "allow-invalid-server-cert": "disable", "client-cert-request": "bypass", "ports": [ 990 ], "status": "deep-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "https": { "allow-invalid-server-cert": "disable", "client-cert-request": "bypass", "ports": [ 443 ], "status": "deep-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "imaps": { "allow-invalid-server-cert": "disable", "client-cert-request": "inspect", "ports": [ 993 ], "status": "deep-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "mapi-over-https": "disable", "name": "custom-deep-inspection", "pop3s": { "allow-invalid-server-cert": "disable", "client-cert-request": "inspect", "ports": [ 995 ], "status": "deep-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "q_origin_key": "custom-deep-inspection", "rpc-over-https": "disable", "server-cert": "", "server-cert-mode": "re-sign", "smtps": { "allow-invalid-server-cert": "disable", "client-cert-request": "inspect", "ports": [ 465 ], "status": "deep-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "ssh": { "inspect-all": "disable", "ports": [ 22 ], "ssh-algorithm": "compatible", "ssh-policy-check": "disable", "ssh-tun-policy-check": "disable", "status": "deep-inspection", "unsupported-version": "bypass" }, "ssl": { "allow-invalid-server-cert": "disable", "client-cert-request": "bypass", "inspect-all": "disable", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "ssl-anomalies-log": "enable", "ssl-exempt": [ { "address": "", "address6": "", "fortiguard-category": 31, "id": 1, "q_origin_key": 1, "regex": "", "type": "fortiguard-category", "wildcard-fqdn": "" }, { "address": "", "address6": "", "fortiguard-category": 33, "id": 2, "q_origin_key": 2, "regex": "", "type": "fortiguard-category", "wildcard-fqdn": "" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 3, "q_origin_key": 3, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "adobe" } ], "ssl-exemptions-log": "disable", "ssl-server": [], "untrusted-caname": "Fortinet_CA_Untrusted", "use-ssl-server": "disable", "whitelist": "disable" }, { "caname": "Fortinet_CA_SSL", "comment": "Read-only deep inspection profile.", "ftps": { "allow-invalid-server-cert": "disable", "client-cert-request": "bypass", "ports": [ 990 ], "status": "deep-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "https": { "allow-invalid-server-cert": "disable", "client-cert-request": "bypass", "ports": [ 443 ], "status": "deep-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "imaps": { "allow-invalid-server-cert": "disable", "client-cert-request": "inspect", "ports": [ 993 ], "status": "deep-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "mapi-over-https": "disable", "name": "deep-inspection", "pop3s": { "allow-invalid-server-cert": "disable", "client-cert-request": "inspect", "ports": [ 995 ], "status": "deep-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "q_origin_key": "deep-inspection", "rpc-over-https": "disable", "server-cert": "", "server-cert-mode": "re-sign", "smtps": { "allow-invalid-server-cert": "disable", "client-cert-request": "inspect", "ports": [ 465 ], "status": "deep-inspection", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "ssh": { "inspect-all": "disable", "ports": [ 22 ], "ssh-algorithm": "compatible", "ssh-policy-check": "disable", "ssh-tun-policy-check": "disable", "status": "deep-inspection", "unsupported-version": "bypass" }, "ssl": { "allow-invalid-server-cert": "disable", "client-cert-request": "bypass", "inspect-all": "disable", "unsupported-ssl": "bypass", "untrusted-cert": "allow" }, "ssl-anomalies-log": "enable", "ssl-exempt": [ { "address": "", "address6": "", "fortiguard-category": 31, "id": 1, "q_origin_key": 1, "regex": "", "type": "fortiguard-category", "wildcard-fqdn": "" }, { "address": "", "address6": "", "fortiguard-category": 33, "id": 2, "q_origin_key": 2, "regex": "", "type": "fortiguard-category", "wildcard-fqdn": "" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 3, "q_origin_key": 3, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "adobe" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 4, "q_origin_key": 4, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "Adobe Login" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 5, "q_origin_key": 5, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "android" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 6, "q_origin_key": 6, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "apple" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 7, "q_origin_key": 7, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "appstore" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 8, "q_origin_key": 8, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "auth.gfx.ms" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 9, "q_origin_key": 9, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "citrix" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 10, "q_origin_key": 10, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "dropbox.com" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 11, "q_origin_key": 11, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "eease" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 12, "q_origin_key": 12, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "firefox update server" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 13, "q_origin_key": 13, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "fortinet" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 14, "q_origin_key": 14, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "googleapis.com" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 15, "q_origin_key": 15, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "google-drive" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 16, "q_origin_key": 16, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "google-play2" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 17, "q_origin_key": 17, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "google-play3" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 18, "q_origin_key": 18, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "Gotomeeting" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 19, "q_origin_key": 19, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "icloud" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 20, "q_origin_key": 20, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "itunes" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 21, "q_origin_key": 21, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "microsoft" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 22, "q_origin_key": 22, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "skype" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 23, "q_origin_key": 23, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "softwareupdate.vmware.com" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 24, "q_origin_key": 24, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "verisign" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 25, "q_origin_key": 25, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "Windows update 2" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 26, "q_origin_key": 26, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "live.com" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 27, "q_origin_key": 27, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "google-play" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 28, "q_origin_key": 28, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "update.microsoft.com" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 29, "q_origin_key": 29, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "swscan.apple.com" }, { "address": "", "address6": "", "fortiguard-category": 0, "id": 30, "q_origin_key": 30, "regex": "", "type": "wildcard-fqdn", "wildcard-fqdn": "autoupdate.opera.com" } ], "ssl-exemptions-log": "disable", "ssl-server": [], "untrusted-caname": "Fortinet_CA_Untrusted", "use-ssl-server": "disable", "whitelist": "disable" } ], "revision": "156.0.2.661485498.1576996671", "serial": "FGT6xxxxxx", "status": "success", "vdom": "root", "version": "v6.0.8" } }
