engine_routing - Routing configurations on NGFW Engines

Synopsis

  • Use this module to add static routes, antispoofing entries, BGP, OSPF, or NetLink elements to the routing configuration on an NGFW Engine, or to remove them. You can use engine_facts to dump the whole engine configuration, or engine_routing_facts to dump only the routing table.

Requirements (on host that executes module)

  • smc-python

Options

Each option is listed with whether it is required and, where applicable, its default value and choices, followed by the comments from the module documentation.

antispoofing_network  (required: no)
    List of antispoofing entries
    Dictionary object antispoofing_network:
        destination  (required: no)
            Destinations associated with this antispoofing entry. Multiple element types can be used as a destination.
        interface_id  (required: yes)
            The interface ID to which to add the antispoofing network. For VLANs, specify the interface ID in dot syntax. For example, 1.2 indicates interface 1, VLAN 2.

bgp_peering  (required: no)
    List of dicts describing the BGP peerings to add
    Dictionary object bgp_peering:
        interface_id  (required: yes)
            The interface ID to which to add the peering. For VLANs, specify the interface ID in dot syntax. For example, 1.2 indicates interface 1, VLAN 2.
        destination  (required: no)
            The BGP Peer associated with this BGP Peering. The BGP Peer can be either another NGFW Engine or an external_bgp_peer element. Both element types must already exist in the SMC.
        network  (required: no)
            Optional network to which to bind the BGP Peer. Only relevant if multiple IP addresses are assigned to the given interface and you only want to bind to one.
        name  (required: yes)
            Name of the BGP Peering element in the SMC

name  (required: yes)
    The name of the single firewall or firewall cluster on which to access the routing table

netlink  (required: no)
    List of dicts describing the NetLinks
    Dictionary object netlink:
        interface_id  (required: yes)
            The interface ID to which to add the NetLink. For VLANs, specify the interface ID in dot syntax. For example, 1.2 indicates interface 1, VLAN 2.
        destination  (required: no)
            Destinations associated with this NetLink. Multiple element types can be used as a destination.
        network  (required: no)
            Optional network to which to bind the NetLink. Only relevant if multiple IP addresses are assigned to the given interface and you only want to bind to one.
        name  (required: yes)
            Name of the NetLink element in the SMC

ospfv2_area  (required: no)
    List of dicts describing the OSPF areas to add
    Dictionary object ospfv2_area:
        interface_id  (required: yes)
            The interface ID to which to add the OSPF area. For VLANs, specify the interface ID in dot syntax. For example, 1.2 indicates interface 1, VLAN 2.
        destination  (required: no)
            The referenced element can be an OSPF Area interface settings element from the SMC. The destination parameter can be used to override the default interface settings for OSPF. This is optional.
        network  (required: no)
            Optional network to which to bind the OSPF area. Only relevant if multiple IP addresses are assigned to the given interface and you only want to bind to one.
        name  (required: yes)
            Name of the OSPF area element in the SMC

smc_address  (required: no)
    FQDN with port of the SMC. The default value is the environment variable SMC_ADDRESS

smc_alt_filepath  (required: no)
    Provide an alternate path location to read the credentials from. The file is expected to be stored in ~.smcrc. If provided, the url and api_key settings are not required and will be ignored.

smc_api_key  (required: no)
    API key for the API client. The default value is the environment variable SMC_API_KEY. Required if url

smc_api_version  (required: no)
    Optional API version to connect to. If none is provided, the latest LTS SMC API version will be used based on the Management Center version. Can be set through the environment variable SMC_API_VERSION

smc_domain  (required: no)
    Optional domain to log in to. If no domain is provided, 'Shared Domain' is used. Can be set through the environment variable SMC_DOMAIN

smc_extra_args  (required: no)
    Extra arguments to pass to the login constructor. These are generally only used if specifically requested by support personnel.
    Dictionary object smc_extra_args:
        verify  (required: no, default: True, choices: yes, no)
            If the connection to the SMC is HTTPS, you can set this to True, or provide a path to a client certificate to verify the SMC SSL certificate. You can also explicitly set this to False, which disables certificate verification.

smc_logging  (required: no)
    Optionally enable SMC API logging to a file
    Dictionary object smc_logging:
        path  (required: yes)
            Full path to the log file
        level  (required: no)
            Log level as specified by the standard Python logging library, in int format. The default setting is logging.DEBUG.

smc_timeout  (required: no)
    Optional timeout for connections to the SMC. Can be set through the environment variable SMC_TIMEOUT

state  (required: no, default: present, choices: present, absent)
    Add or remove the routing entry. If state=absent, any defined routing configurations are considered a removal action.

static_route  (required: no)
    List of static routes
    Dictionary object static_route:
        interface_id  (required: yes)
            The interface ID to which to add the static route. For VLANs, specify the interface ID in dot syntax, for example 1.23.
        destination  (required: no)
            Destinations associated with this static route. Multiple element types can be used as a destination.
        network  (required: no)
            Optional network to which to bind the route. Only relevant if multiple IP addresses are assigned to the given interface and you only want to bind to one.
        name  (required: yes)
            Name of the router element to use as the next hop for the static route. Note that this MUST be a router element from the SMC.

Examples

- name: Engine routing configuration
  hosts: localhost
  gather_facts: no
  tasks:
  - name: Add routing elements to engine sg_vm
    engine_routing:
      smc_logging:
        level: 10
        path: ansible-smc.log
      name: sg_vm
      bgp_peering:
      - destination:
        - name: bgppeer
          type: external_bgp_peer
        interface_id: '1000'
        name: bgppeering
      ospfv2_area:
      - interface_id: '2.1'
        name: myarea
        network: 21.21.21.0/24
        destination:
        - name: myinterface
          type: ospfv2_interface_settings
      - name: myarea2
        interface_id: 1
      netlink:
      - destination:
        - name: IP_10.3.3.1
          type: host
        interface_id: '2.1'
        name: netlink-21.21.21.0
      static_route:
      - destination:
        - name: Any network
          type: network
        interface_id: 0
        network: '1.1.1.0/24'
        name: myrouter # Must be element of type Router
      antispoofing_network:
      - destination:
        - name: foonet
          type: network
        interface_id: 0

- name: Engine routing configuration
  hosts: localhost
  gather_facts: no
  tasks:
  - name: Remove specific antispoofing network from engine sg_vm
    engine_routing:
      smc_logging:
        level: 10
        path: ansible-smc.log
      name: sg_vm
      antispoofing_network:
      - destination:
        - name: foonet
          type: network
        interface_id: 0
      state: absent

Return Values

Common return values are documented in Return Values; the following are the fields unique to this module:

name     description                          returned  type  sample
state    The current state of the element               dict
changed  Whether or not the change succeeded  always    bool

Author

  • Forcepoint

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.