l3fw_cluster - Create or delete firewall clusters

DEPRECATED

  In version:
  Why: Replaced with single module
  Alternative: engine

Synopsis

  • Firewall clusters can be created with up to 16 nodes per cluster. Each cluster_node specified will define a unique cluster member and dictate the number of cluster nodes. You can fetch an existing engine using engine_facts and optionally save this as YAML to identify differences between runs. Interfaces and VLANs can be added, modified or removed. By default if the interface is not defined in the YAML, but exists on the engine, it will be deleted. To change an interface ID or VLAN id, you must delete the old and recreate the new interface definition. In addition, it is not possible to modify interfaces that have multiple IP addresses defined (they will be skipped).

Requirements (on host that executes module)

  • smc-python

Options

antivirus (required: no, choices: yes | no)
  Enable Anti-Virus engine on the firewall

backup_mgt (required: no)
  (Cluster only) Specify an interface by ID that will be the backup heartbeat interface. For VLAN, specify the interface ID in dot syntax. For example, 1.2 indicates interface 1, VLAN 2.

bgp (required: no)
  If enabling BGP on the engine, provide BGP-related settings.
  Dictionary object bgp:
    router_id (required: no)
      Optional router ID to identify this BGP peer
    bgp_peering (required: no)
      BGP Peerings to add to specified interfaces.
    announced_network (required: no, choices: network | group | host)
      Announced networks identify the network and optional route map for internal networks announced over BGP. The list should be a dict with the key identifying the announced network type from SMC. The key should have a dict with name and route_map (optional) if the element should have an associated route_map.
    antispoofing_network (required: no, choices: network | group | host)
      Antispoofing networks are automatically added to the route antispoofing configuration. The dict should have a key specifying the element type from SMC. The dict key value should be a list of the element types by name.
    enabled (required: no, choices: yes | no)
      Set to true or false to specify whether to configure BGP
    autonomous_system (required: no)
      The autonomous system for this engine. Provide additional arguments to allow for get or create logic

cluster_mode (required: no, default: standby, choices: balancing | standby)
  How to perform clustering: load-balancing or standby

comment (required: no)
  Optional comment tag for the engine

default_nat (required: no, choices: yes | no)
  Whether to enable default NAT on the firewall. Default NAT will identify internal networks and use the external interface IP for outgoing traffic

delete_undefined_interfaces (required: no, choices: yes | no)
  Delete interfaces that are not defined in the YAML file from the NGFW Engine. This parameter can be used as a strategy to remove interfaces. One option is to retrieve the full engine json using engine_facts as YAML, then remove the interfaces from the YAML and set delete_undefined_interfaces to yes.

domain_server_address (required: no)
  A list of IP addresses to use as DNS resolvers for the firewall. Required to enable Antivirus, GTI and URL Filtering on the NGFW.

file_reputation (required: no, choices: yes | no)
  Enable file reputation

interfaces (required: yes)
  Define the interface settings for this cluster interface, such as address, network and node id.
  Dictionary object interfaces:
    comment (required: no)
      Optional comment for this interface. If you want to unset the interface comment, set to an empty string or define with no value.
    macaddress (required: no)
      The mac address to assign to the cluster virtual IP interface. This is required if the cluster_virtual parameter is defined
    zone_ref (required: no)
      Optional zone name for this interface
    network_value (required: no)
      The cluster netmask for the cluster_vip. Required if the cluster_virtual parameter is defined
    cluster_virtual (required: no)
      The cluster virtual (shared) IP address for all cluster members. Not required if only creating NDIs
    nodes (required: yes)
      List of the nodes for this interface
    interface_id (required: yes)
      The cluster NIC ID for this interface. Required.

location (required: no)
  Location identifier for the engine. Used when engine is behind NAT. If a location is set on the engine and you want to reset to unspecified, then use the keyword None.

name (required: yes)
  The name of the firewall cluster to add or delete

primary_heartbeat (required: no)
  Specify an interface for the primary heartbeat interface. This will default to the same interface as primary_mgt if not specified.

primary_mgt (required: yes)
  Identify the interface to be specified as management. When creating a new cluster, the primary mgt must be a non-VLAN interface. You can move it to a VLAN interface after creation.

skip_interfaces (required: no, choices: yes | no)
  Optionally skip the analysis of interface changes. This is only relevant when running the playbook against an already created engine. This must be false if attempting to add interfaces.

smc_address (required: no)
  FQDN with port of SMC. The default value is the environment variable SMC_ADDRESS

smc_alt_filepath (required: no)
  Provide an alternate path location to read the credentials from. The file is expected to be stored as ~/.smcrc. If provided, the url and api_key settings are not required and will be ignored.

smc_api_key (required: no)
  API key for the API client. The default value is the environment variable SMC_API_KEY. Required if url

smc_api_version (required: no)
  Optional API version to connect to. If none is provided, the latest LTS SMC API version will be used based on the Management Center version. Can be set through the environment variable SMC_API_VERSION

smc_domain (required: no)
  Optional domain to log in to. If no domain is provided, 'Shared Domain' is used. Can be set through the environment variable SMC_DOMAIN

smc_extra_args (required: no)
  Extra arguments to pass to the login constructor. These are generally only used if specifically requested by support personnel.
  Dictionary object smc_extra_args:
    verify (required: no, default: True, choices: yes | no)
      If the connection to SMC is HTTPS, you can set this to True, or provide a path to a client certificate to verify the SMC SSL certificate. You can also explicitly set this to False.

smc_logging (required: no)
  Optionally enable SMC API logging to a file
  Dictionary object smc_logging:
    path (required: yes)
      Full path to the log file
    level (required: no)
      Log level as specified by the standard python logging library, in int format. Default setting is logging.DEBUG.

smc_timeout (required: no)
  Optional timeout for connections to the SMC. Can be set through the environment variable SMC_TIMEOUT

snmp (required: no)
  SNMP settings for the engine
  Dictionary object snmp:
    snmp_agent (required: yes)
      The name of the SNMP agent from within the SMC
    enabled (required: no, choices: yes | no)
      Set this to False if enabled on the engine and wanting to remove the configuration.
    snmp_interface (required: no)
      A list of interface IDs to enable SNMP. If enabling on a VLAN, use '2.3' syntax. If omitted, SNMP is enabled on all interfaces
    snmp_location (required: no)
      Optional SNMP location string to add to the SNMP configuration

state (required: no, default: present, choices: present | absent)
  Create or delete a firewall cluster

tags (required: no)
  Optional tags to add to this engine

Examples

- name: Firewall Template
  hosts: localhost
  gather_facts: no
  tasks:
  - name: Create a single firewall
    l3fw_cluster:
      smc_logging:
        level: 10
        path: ansible-smc.log
      antivirus: false
      backup_mgt: '2.34'
      bgp:
          announced_network:
          -   network:
                  name: foonet
                  route_map: newroutemap
          antispoofing_network:
              group:
              - group1
              host:
              - 2.2.2.3
              network:
              - foo
          autonomous_system:
              as_number: 4261608949
              comment: optional
              name: myas
          bgp_profile: Default BGP Profile
          enabled: true
          router_id: 1.2.3.4
      cluster_mode: balancing
      comment: my new firewall
      default_nat: false
      domain_server_address:
      - 8.8.8.8
      file_reputation: false
      interfaces:
      -   interface_id: '1000'
          interfaces:
          -   nodes:
              -   address: 100.100.100.1
                  network_value: 100.100.100.0/24
                  nodeid: 1
              -   address: 100.100.100.2
                  network_value: 100.100.100.0/24
                  nodeid: 2
          type: tunnel_interface
          zone_ref: AWSTunnel
      -   cvi_mode: packetdispatch
          interface_id: '21'
          interfaces:
          -   cluster_virtual: 22.22.22.254
              network_value: 22.22.22.0/24
              nodes:
              -   address: 22.22.22.1
                  network_value: 22.22.22.0/24
                  nodeid: 1
              -   address: 22.22.22.2
                  network_value: 22.22.22.0/24
                  nodeid: 2
              vlan_id: '21'
          -   cluster_virtual: 21.21.21.254
              network_value: 21.21.21.0/24
              nodes:
              -   address: 21.21.21.2
                  network_value: 21.21.21.0/24
                  nodeid: 2
              -   address: 21.21.21.1
                  network_value: 21.21.21.0/24
                  nodeid: 1
              vlan_id: '20'
          macaddress: 02:02:02:20:20:22
      -   interface_id: '4'
          interfaces:
          -   nodes:
              -   address: 5.5.5.2
                  network_value: 5.5.5.0/24
                  nodeid: 1
              -   address: 5.5.5.3
                  network_value: 5.5.5.0/24
                  nodeid: 2
          zone_ref: heartbeat
      -   cvi_mode: packetdispatch
          interface_id: '0'
          interfaces:
          -   cluster_virtual: 1.1.1.1
              network_value: 1.1.1.0/24
              nodes:
              -   address: 1.1.1.2
                  network_value: 1.1.1.0/24
                  nodeid: 1
              -   address: 1.1.1.3
                  network_value: 1.1.1.0/24
                  nodeid: 2
          macaddress: 02:02:02:02:02:02
      -   comment: foocomment
          interface_id: '2'
          interfaces:
          -   comment: vlan comment
              nodes:
              -   address: 34.34.34.35
                  network_value: 34.34.34.0/24
                  nodeid: 2
              -   address: 34.34.34.34
                  network_value: 34.34.34.0/24
                  nodeid: 1
              vlan_id: '34'
          -   nodes:
              -   address: 35.35.35.35
                  network_value: 35.35.35.0/24
                  nodeid: 1
              -   address: 35.35.35.36
                  network_value: 35.35.35.0/24
                  nodeid: 2
              vlan_id: '35'
      location: foolocation
      name: newcluster2
      primary_heartbeat: '4'
      primary_mgt: '0'
      snmp:
          snmp_agent: myagent
          snmp_interface:
          - '2.35'
          - '2.34'
          - '0'
          snmp_location: snmplocation
      tags:
      - footag
      #skip_interfaces: false
      #delete_undefined_interfaces: false
      #state: absent

# Delete a cluster
- name: firewall cluster with 3 members
  l3fw_cluster:
    name: mycluster
    state: absent
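
As an added example, not part of the module or smc-python, the following Python pre-flight check validates a task definition against the rules stated in the option descriptions: dot syntax for interface IDs, a non-VLAN primary_mgt at creation, macaddress and network_value alongside cluster_virtual, the 16-node limit, and smc_extra_args.verify left enabled. SAMPLE_TASK is a constructed subset of the playbook above; parse_interface_id and check_cluster are hypothetical helper names.

```python
# Added example (not part of the module or smc-python): pre-flight checks for an
# l3fw_cluster task dict. SAMPLE_TASK is a constructed subset of the playbook above.
SAMPLE_TASK = {
    "name": "newcluster2", "primary_mgt": "0", "primary_heartbeat": "4",
    "backup_mgt": "2.34", "smc_extra_args": {"verify": True},
    "interfaces": [
        {"interface_id": "0", "macaddress": "02:02:02:02:02:02", "interfaces": [
            {"cluster_virtual": "1.1.1.1", "network_value": "1.1.1.0/24",
             "nodes": [{"address": "1.1.1.2", "nodeid": 1}, {"address": "1.1.1.3", "nodeid": 2}]}]},
        {"interface_id": "4", "interfaces": [
            {"nodes": [{"address": "5.5.5.2", "nodeid": 1}, {"address": "5.5.5.3", "nodeid": 2}]}]},
        {"interface_id": "2", "interfaces": [
            {"vlan_id": "34", "nodes": [{"address": "34.34.34.34", "nodeid": 1},
                                        {"address": "34.34.34.35", "nodeid": 2}]}]},
    ],
}

def parse_interface_id(value):
    """Dot syntax from the docs: '2.34' -> (2, 34); a plain '4' -> (4, None)."""
    parts = str(value).split(".")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError("bad interface id: %r" % (value,))
    return int(parts[0]), (int(parts[1]) if len(parts) == 2 else None)

def check_cluster(task):
    """Return a list of problems; an empty list means the definition passes."""
    problems, defined, nodeids = [], set(), set()
    for iface in task.get("interfaces", []):
        nic = int(iface["interface_id"])
        for sub in iface.get("interfaces", []):
            vlan = sub.get("vlan_id")
            defined.add((nic, int(vlan) if vlan is not None else None))
            nodeids.update(n["nodeid"] for n in sub.get("nodes", []))
            if "cluster_virtual" in sub:  # a CVI needs its netmask and a shared MAC
                if "network_value" not in sub:
                    problems.append("interface %d: cluster_virtual without network_value" % nic)
                if "macaddress" not in iface:
                    problems.append("interface %d: cluster_virtual without macaddress" % nic)
    if len(nodeids) > 16:
        problems.append("cluster has %d nodes, maximum is 16" % len(nodeids))
    for key in ("primary_mgt", "backup_mgt", "primary_heartbeat"):
        if key in task and parse_interface_id(task[key]) not in defined:
            problems.append("%s=%s is not a defined interface" % (key, task[key]))
    if task.get("state", "present") == "present" and "primary_mgt" in task:
        if parse_interface_id(task["primary_mgt"])[1] is not None:
            problems.append("primary_mgt must be a non-VLAN interface when creating a cluster")
    if task.get("smc_extra_args", {}).get("verify") is False:  # SMC TLS cert not checked
        problems.append("smc_extra_args.verify is False: SMC certificate is not verified")
    return problems
```

Run the check over the task dict before the playbook reaches the SMC; a disabled verify setting is reported because the API key would then travel over an unauthenticated connection.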

Return Values

Common return values are documented in Return Values; the following are the fields unique to this module:

state (returned: always, type: dict)
  Full json definition of NGFW
changed (returned: always, type: bool)
  Whether or not the change succeeded

Author

  • Forcepoint