terraform-provider-fortios
error creating vip and rule
Hello, I have a problem running the Fortinet code completely.

[Problem]

```
fortios_networking_interface_port.port11: Creating...
fortios_firewall_vip.vip: Creating...
fortios_firewall_policy.rule: Creating...
fortios_networking_interface_port.port11: Creation complete after 0s [id=LAN_TESTE]
╷
│ Error: Error creating FirewallVip resource: Internal Server Error - Internal error when processing the request (500)
│
│   with fortios_firewall_vip.vip,
│   on main.tf line 32, in resource "fortios_firewall_vip" "vip":
│   32: resource "fortios_firewall_vip" "vip" {
│
╵
╷
│ Error: Error creating FirewallPolicy resource: Internal Server Error - Internal error when processing the request (500)
│
│   with fortios_firewall_policy.rule,
│   on main.tf line 46, in resource "fortios_firewall_policy" "rule":
│   46: resource "fortios_firewall_policy" "rule" {
│
╵
```
Code:

```hcl
terraform {
  required_providers {
    fortios = {
      source  = "fortinetdev/fortios"
      version = "1.14.1"
    }
  }
}

provider "fortios" {
  hostname = "192.168.5.1"
  token    = "frx0wzbpdfsjQ34Q0rNqk9sd6jsn8r"
  insecure = "true"
}

# configure interface vlan
resource "fortios_networking_interface_port" "port11" {
  role        = "lan"
  mode        = "static"
  defaultgw   = "enable"
  distance    = "33"
  type        = "vlan"
  vlanid      = "234"
  name        = "LAN_TESTE"
  vdom        = "root"
  ip          = "192.168.237.1 255.255.255.0"
  interface   = "port11"
  allowaccess = "ping"
}

# configure firewall vip
resource "fortios_firewall_vip" "vip" {
  name        = "NAT_TESTE_CLIENTE_RDP"
  extintf     = "WAN_BGP_ROUTER"
  extip       = "191.0.10.10"
  portforward = "enable"
  protocol    = "tcp"
  extport     = "48990"
  mappedport  = "3389"
  mappedip {
    range = "192.168.237.131"
  }
}

resource "fortios_firewall_policy" "rule" {
  action             = "accept"
  logtraffic         = "utm"
  name               = "NAT_TESTE111_RDP"
  policyid           = 1
  schedule           = "always"
  wanopt             = "disable"
  wanopt_detection   = "active"
  wanopt_passive_opt = "default"
  wccp               = "disable"
  webcache           = "disable"
  webcache_https     = "disable"
  wsso               = "enable"

  dstaddr {
    name = "all"
  }
  dstintf {
    name = "LAN_TESTE"
  }
  service {
    name = "all"
  }
  srcaddr {
    name = "all"
  }
  srcintf {
    name = "WAN_BGP_ROUTER"
  }
}
```
Hi @dandbr,

Thank you for raising this issue. It seems like the configuration content is not correct. I tested on my side, and the only place that needs to be modified is the argument `service` in resource `fortios_firewall_policy`. It should be "ALL" rather than "all". It works well on my end after changing "all" to "ALL" for argument `service`. As for resource `fortios_firewall_vip`, could you configure it in the GUI or CLI to see whether everything is correct? Please let me know if it still does not work.

Thanks, Xing
Hello @lix-fortinet, thanks for the feedback. See the code; your solution did not resolve it.

"firewall vip" GUI FortiOS 6.4:

```
edit "NAT_TESTE_CLIENTE_RDP"
    set uuid 967fd8c2-e8ae-51ec-312a-685fd4ce8da9
    set extip 191.6.5.62
    set mappedip "192.168.237.231"
    set extintf "ha"
    set portforward enable
    set extport 48990
    set mappedport 3389
next
```

`extintf = "WAN_BGP_ROUTER"` is the HA physical interface.
Hi @dandbr,

Thank you for your response. The screenshot of the HA physical interface 'WAN_BGP_ROUTER' shows that 'WAN_BGP_ROUTER' is an alias, not the real name. The real name is 'ha'. Could you switch 'WAN_BGP_ROUTER' to 'ha' in both resource `fortios_firewall_vip` and `fortios_firewall_policy`, and try it again? Please let me know if it still does not work.

Thanks, Xing
It works, Xing.

And if I want to use the alias, what would it look like?
Hi @dandbr,

I am glad to hear it works. Aliases can be duplicated, which means you could set the same alias for different interfaces. So, I don't think you can use the alias as the key to reference.

Thanks, Xing
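A pre-flight check for the two pitfalls in this thread (an interface alias such as "WAN_BGP_ROUTER" used where the real name "ha" is required, and a case-mismatched service name "all" versus "ALL"), written as an added example that is not part of this issue or of the provider. It resolves references the way the device does, by exact, case-sensitive real name, and refuses aliases that several interfaces share; the sample object lists are constructed, and `fetch_cmdb()` reads live lists from the FortiOS REST cmdb API.

```python
"""Resolve FortiOS object references the way the device does: by exact,
case-sensitive real name, never by a (possibly duplicated) interface alias.
Added example; sample data is constructed, fetch_cmdb() uses the REST cmdb API."""
import json
import ssl
import urllib.request

# Constructed, trimmed shape of GET /api/v2/cmdb/system/interface "results".
SAMPLE_INTERFACES = [
    {"name": "ha", "alias": "WAN_BGP_ROUTER"},
    {"name": "wan1", "alias": "ISP"},
    {"name": "wan2", "alias": "ISP"},  # aliases may be duplicated
]
# Constructed, trimmed shape of GET /api/v2/cmdb/firewall.service/custom.
SAMPLE_SERVICES = [{"name": "ALL"}, {"name": "SSH"}, {"name": "HTTPS"}]


def resolve(objects, ref):
    """Return the real name for ref, or None if absent or an ambiguous alias."""
    if any(o["name"] == ref for o in objects):  # exact, case-sensitive match
        return ref
    by_alias = [o["name"] for o in objects if o.get("alias") == ref]
    return by_alias[0] if len(by_alias) == 1 else None


def explain(objects, ref):
    """Human-readable verdict for one Terraform reference (used for a report)."""
    name = resolve(objects, ref)
    if name == ref:
        return "ok"
    if name is not None:
        return f"'{ref}' is an alias; use the real name '{name}'"
    hits = [o["name"] for o in objects if o.get("alias") == ref]
    near = [o["name"] for o in objects if o["name"].lower() == ref.lower()]
    if len(hits) > 1:
        return f"alias '{ref}' is shared by {hits}; use a real name"
    if near:
        return f"no exact match for '{ref}'; names are case-sensitive, try {near}"
    return f"'{ref}' not found"


def fetch_cmdb(host, token, path, vdom="root", verify_tls=True):
    """GET https://<host>/api/v2/cmdb/<path> with an API token -> results list."""
    req = urllib.request.Request(f"https://{host}/api/v2/cmdb/{path}?vdom={vdom}",
                                 headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as the provider's insecure = "true"
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["results"]
```

Run `explain(fetch_cmdb(host, token, "system/interface"), "WAN_BGP_ROUTER")` and `explain(fetch_cmdb(host, token, "firewall.service/custom"), "all")` against a unit before `terraform apply` to catch both errors ahead of the 500 response.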
Hello @lix-fortinet

Has anything changed in provider 1.15.0? I cannot create policies with this new provider.

Code below.

```hcl
# provider
terraform {
  required_providers {
    fortios = {
      source  = "fortinetdev/fortios"
      version = "1.15.0"
    }
  }
}

# provider
provider "fortios" {
  hostname = "192.168.5.1:4443"
  token    = "fqQ1jn3tkgcm9q0QGcpcnGNwttgfm5"
  insecure = "true"
}

# configure interface vlan
resource "fortios_networking_interface_port" "port11" {
  role        = "lan"
  mode        = "static"
  defaultgw   = "enable"
  distance    = "33"
  type        = "vlan"
  vlanid      = "234"
  name        = "LAN_TESTE"
  vdom        = "root"
  ip          = "192.168.234.1 255.255.255.0"
  interface   = "port11"
  allowaccess = "ping"
}

# configure firewall vip
resource "fortios_firewall_vip" "vip" {
  name        = "NAT_TESTE_CLIENTE_RDP"
  extintf     = "ha"
  extip       = "191.0.10.10"
  portforward = "enable"
  protocol    = "tcp"
  extport     = "48990"
  mappedport  = "3389"
  mappedip {
    range = "192.168.234.131"
  }
}

resource "fortios_firewall_policy" "rule" {
  action             = "accept"
  logtraffic         = "utm"
  name               = "NAT_TESTE111_RDP"
  policyid           = 665
  schedule           = "always"
  wanopt             = "disable"
  wanopt_detection   = "active"
  wanopt_passive_opt = "default"
  wccp               = "disable"
  webcache           = "disable"
  webcache_https     = "disable"
  wsso               = "enable"

  dstaddr {
    name = "all"
  }
  dstintf {
    name = "LAN_TESTE"
  }
  service {
    name = "all"
  }
  srcaddr {
    name = "all"
  }
  srcintf {
    name = "ha"
  }
}
```
Hi @dandbr,

This issue looks like the interface `ha` does not exist. Could you check whether interface `ha` exists?

Thanks, Xing
@lix-fortinet

It exists, here it is.
Hi @dandbr,

Thank you for your update. Could you check whether the interface `ha` is in the same VDOM as the policy? If yes, please try to create the firewall policy by GUI or CLI to see whether you can add interface `ha`.

By the way, please let me know your FortiOS version, so that I can try it on my end. I tested with FortiOS v7.2.1, and it did not reproduce this issue.

Thanks, Xing
@lix-fortinet Hello Xing. I was testing on a lab FortiOS.

But the settings I need to apply are on my production firewall. I'll send you the interfaces and my code.

On my production firewall, I have an aggregation link with two 10G interfaces. And on top of this aggregation I have the WAN and LAN interfaces. How would that look in my code?
```
# configure system interface show
edit "LAG1"
    set vdom "root"
    set ip 192.168.55.1 255.255.255.0
    set allowaccess snmp
    set type aggregate
    set member "x1" "x2"
    set description "LINKAGR"
    set alias "LAG1"
    set device-identification enable
    set lldp-reception disable
    set lldp-transmission disable
    set monitor-bandwidth enable
    set role lan
    set snmp-index 60
    config ipv6
        set ip6-send-adv enable
        set ip6-other-flag enable
    end
next
edit "WAN_BGP_ROUTER"
    set vdom "root"
    set ip x.x.x.253 255.255.x.x
    set alias "WAN_BGP_ROUTER"
    set monitor-bandwidth enable
    set role wan
    set snmp-index 69
    set interface "LAG1"
    set vlanid 11
next
edit "LAN_HOSPBOMJ"
    set vdom "root"
    set ip 192.168.206.1 255.255.255.0
    set allowaccess ping
    set device-identification enable
    set role lan
    set snmp-index 42
    set interface "LAG1"
    set vlanid 206
next
```

(CONFIG INTERFACE - SDWAN - POLICY - VIP)

--- SD-WAN ---

```
edit "SD_WAN_ALTATECH"
next
end
config members
    edit 3
        set interface "wan2"
        set zone "SD_WAN_ALTATECH"
        set gateway x.x.x.x
    next
    edit 4
        set interface "WAN_BGP_ROUTER"
        set zone "SD_WAN_ALTATECH"
        set gateway x.x.x.x
        set priority 10
    next
    edit 5
        set interface "wan1"
        set zone "SD_WAN_ALTATECH"
        set gateway x.x.x.x
    next
end
```

--- VIP ---

```
edit "NAT_MTX_RDP"
    set uuid 5d1c3742-09ac-51ec-1d82-2bf0dc6ce19a
    set extip 191.6.5.2
    set mappedip "192.168.210.10"
    set extintf "WAN_BGP_ROUTER"
    set portforward enable
    set color 10
    set extport 39114
    set mappedport 3389
next
```

--- POLICY ---

```
edit 201
    set name "NAT_CLIENTE_RBO"
    set uuid 3448b8e2-3820-51ed-a6ac-8fcb7a6506cc
    set srcintf "SD_WAN_ALTATECH"
    set dstintf "LAN_RBO"
    set srcaddr "BRL_GEO"
    set dstaddr "NAT_RBO_SSH" "NAT_RBO_HTTP" "NAT_RBO_HTTPS" "NAT_RBO_SSH_2"
    set action accept
    set schedule "always"
    set service "SSH" "HTTP" "HTTPS" "SMTP" "SMTPS"
    set ssl-ssh-profile "no-ssl-inspection"
    set nat enable
next
```
Code:

```hcl
# provider
terraform {
  required_providers {
    fortios = {
      source  = "fortinetdev/fortios"
      version = "1.15.0"
    }
  }
}

provider "fortios" {
  hostname = "192.168.254.1:4443"
  token    = "040w4kssr6jw4x7tx45Hyc3pf0gt4m"
  insecure = "true"
}

# configure interface vlan
resource "fortios_networking_interface_port" "LAG1" {
  role        = "lan"
  mode        = "static"
  defaultgw   = "enable"
  distance    = "33"
  type        = "vlan"
  vlanid      = "237"
  name        = "LAN_ENVDATA"
  vdom        = "root"
  ip          = "192.168.237.1 255.255.255.0"
  interface   = "LAG1"
  allowaccess = "ping"
}

# configure firewall vip
resource "fortios_firewall_vip" "vip" {
  name        = "NAT_CLIENTE_ENVDATA"
  extip       = "191.0.10.10"
  extintf     = "WAN_BGP_ROUTER"
  portforward = "enable"
  color       = "10"
  protocol    = "tcp"
  extport     = "48990"
  mappedport  = "3389"
  mappedip {
    range = "192.168.237.131"
  }
}

resource "fortios_firewall_policy" "rule" {
  action             = "accept"
  logtraffic         = "utm"
  name               = "NAT_CLIENTE_ENVDATA"
  policyid           = 665
  schedule           = "always"
  wanopt             = "disable"
  wanopt_detection   = "active"
  wanopt_passive_opt = "default"
  wccp               = "disable"
  webcache           = "disable"
  webcache_https     = "disable"
  wsso               = "enable"

  dstaddr {
    name = "all"
  }
  dstintf {
    name = "LAN_ENVDATA"
  }
  service {
    name = "all"
  }
  srcaddr {
    name = "all"
  }
  srcintf {
    name = "SD_WAN_ALTATECH"
  }
}
```
Hi @dandbr

Thank you for providing your configuration. In your latest code, I changed the service.name from "all" to "ALL", and then everything works well on my side using FortiOS provider 1.15.0 & 1.16.0 on FortiOS 7.2.1 & 6.4.10. Also, I don't find any interface named "ha" as shown in the error message you provided; did you change the interface name from "ha" to "WAN_BGP_ROUTER"? If you are still having this issue, my suggestion is to download your config file through GUI Admin -> Configuration -> Backup button; the current config file will be saved. Please feel free to delete any sensitive or private data in the config file before sending it to us. I will then try to restore your config file and try to replicate your issue again.

Thanks, Maxx
@MaxxLiu22
Hello Max,
I redid the code and now it works fine! See below.
```hcl
# provider
terraform {
  required_providers {
    fortios = {
      source  = "fortinetdev/fortios"
      version = "1.15.0"
    }
  }
}

provider "fortios" {
  hostname = "192.168.254.1:4443"
  token    = "040w4kssr6jw4x7tx45Hyc3pf0gt4m"
  insecure = "true"
}

# configure interface vlan
resource "fortios_networking_interface_port" "LAG1" {
  role        = "lan"
  mode        = "static"
  defaultgw   = "enable"
  distance    = "33"
  type        = "vlan"
  vlanid      = "237"
  name        = "LAN_ENVDATA"
  vdom        = "root"
  ip          = "192.168.237.1 255.255.255.0"
  interface   = "LAG1"
  allowaccess = "ping"
}

# configure firewall vip
resource "fortios_firewall_vip" "vip" {
  name        = "NAT_CLIENTE_ENVDATA"
  extip       = "191.0.10.10"
  extintf     = "WAN_BGP_ROUTER"
  portforward = "enable"
  color       = "10"
  protocol    = "tcp"
  extport     = "48990"
  mappedport  = "3389"
  mappedip {
    range = "192.168.237.131"
  }
}

# configure firewall policy - nat
resource "fortios_firewall_policy" "rule" {
  action            = "accept"
  auth_path         = "disable"
  auto_asic_offload = "enable"
  av_profile        = "AV-PROTECTION"
  inspection_mode   = "flow"
  ips_sensor        = "Attack_Prevention"
  logtraffic        = "utm"
  name              = "NAT_CLIENTE_ENVDATA"
  policyid          = 665
  schedule          = "always"
  ssl_ssh_profile   = "certificate-inspection"
  status            = "enable"
  utm_status        = "enable"
  nat               = "enable"

  dstaddr {
    name = "NAT_CLIENTE_ENVDATA"
  }
  dstintf {
    name = "LAN_ENVDATA"
  }
  service {
    name = "ANY_SERVICE"
  }
  srcaddr {
    name = "any_network"
  }
  srcintf {
    name = "SD_WAN_ALTATECH"
  }
}

# configure firewall policy - internet egress
# NOTE: CHECK THE POLICY IDS - DOCUMENT VIA NETBOX
resource "fortios_firewall_policy" "rule1" {
  action            = "accept"
  auth_path         = "disable"
  auto_asic_offload = "enable"
  inspection_mode   = "flow"
  logtraffic        = "utm"
  name              = "VLANENVD-TOSDWAN"
  policyid          = 289
  schedule          = "always"
  ssl_ssh_profile   = "no-ssl-inspection"
  status            = "enable"
  utm_status        = "enable"
  nat               = "enable"
  application_list  = "APP_MINER_BLOCK"

  dstaddr {
    name = "all"
  }
  srcintf {
    name = "LAN_ENVDATA"
  }
  service {
    name = "ANY_SERVICE"
  }
  srcaddr {
    name = "all"
  }
  dstintf {
    name = "SD_WAN_ALTATECH"
  }

  depends_on = [fortios_networking_interface_port.LAG1]
}

# configure firewall policy - local network communication to VLANs
# NOTE: CHECK THE POLICY IDS - DOCUMENT VIA NETBOX
resource "fortios_firewall_policy" "rule2" {
  action            = "accept"
  auth_path         = "disable"
  auto_asic_offload = "enable"
  inspection_mode   = "flow"
  logtraffic        = "utm"
  name              = "LANTOVLAN-ENVD"
  policyid          = 290
  schedule          = "always"
  ssl_ssh_profile   = "no-ssl-inspection"
  status            = "enable"
  utm_status        = "enable"
  nat               = "enable"

  dstaddr {
    name = "all"
  }
  dstintf {
    name = "LAN_ENVDATA"
  }
  service {
    name = "ANY_SERVICE"
  }
  srcaddr {
    name = "all"
  }
  srcintf {
    name = "lan"
  }

  depends_on = [fortios_networking_interface_port.LAG1]
}
```