
I'm currently attempting to upgrade a FortiGate-60F firewall using the fortios_monitor module, which is part of the 'fortinet.fortios' collection, as described in FortiOS Collection Issue #107. The current version of the firewall is v6.4.6 build1879.

The problem is that after running the playbook it returns that it was successful, but when I check, the firmware on the firewall wasn't upgraded. After checking the output in verbose mode I found that it did in fact make a connection to the firewall and retrieved info about the firewall, but it also returned this error message:

"error": { "code": -586, "message": "-586" }.

I've looked through the documentation of the module I'm using and tried searching the error code but I came up short.

My main questions:

  • What do these errors mean?
  • How can I get it to actually perform the upgrade?

My playbook:

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  gather_facts: "False"

  vars:

    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443

  tasks:

  - name: Upgrade firmware
    fortinet.fortios.fortios_monitor:
      vdom: "{{ vdom }}"
      selector: 'upgrade.system.firmware'
      params:
        source: "upload"
        filename: 'FGT_60F-v6-build1911-FORTINET.out'
        file_content: x"{{ lookup( 'file', './FGT_60F-v6-build1911-FORTINET.out') | string | b64encode }}"
```

I was expecting it to authenticate and then perform the upgrade on the device. Instead, when I run my playbook in verbose mode it returns this output:

```json
                "filename": "FGT_60F-v6-build1911-FORTINET.out",
                "source": "upload"
            },
            "selector": "upgrade.system.firmware",
            "vdom": "root"
        }
    },
    "meta": {
        "action": "upgrade",
        "build": 1879,
        "http_method": "POST",
        "name": "firmware",
        "path": "system",
        "results": {
            "error": {
                "code": -586,
                "message": "-586"
            },
            "status": "error"
        },
        "serial": "FGT60FKT1290VA4B",
        "status": "success",
        "vdom": "root",
        "version": "v6.4.6"
```

What I got from this output was that it successfully made a connection and retrieved some info from the device but didn't upgrade the firmware, and you can see the firmware hasn't changed.

U880D
JehhmD
  • "_What do these errors mean?_" It is an error message directly from the FortiOS REST API. See, for example, [Response Error Codes](https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Rest-API-response-error-codes/ta-p/202126). But that one is not documented there. You may need to proceed further with FortiGate. – U880D Apr 05 '23 at 08:57
  • "_How can I get it to actually perform the upgrade?_" According to [`fortios_monitor` module – Ansible Module for FortiOS Monitor API](https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_monitor_module.html), maybe the `parameters` for the `selector` chosen aren't correct, but that's just a guess. – U880D Apr 05 '23 at 09:01
  • @U880D if you go to this link `https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/issues/107` and scroll down you will see that JieX19 used these exact same parameters for the selector and was able to successfully upgrade their firewall. As for the error code, I will proceed further with FortiGate. – JehhmD Apr 05 '23 at 09:32
  • To come back to the parameters: according to the current given example, the tasks are defined to run on the Remote Node (targets, `fortigates`), whereby the `filecontent` references a file on the Control Node, since "_[Like all templating, lookups execute and are evaluated on the Ansible control machine.](https://docs.ansible.com/ansible/latest/plugins/lookup.html)_", to which the task isn't delegated. Furthermore, there also seems to be a syntax error in `file_content: x"{{ lookup( 'file', ...`, the leading `x`. – U880D Apr 06 '23 at 09:48

1 Answer


I realised that it was trying to perform the upgrade without the firmware image which resulted in the error. So after looking through the selectors in the fortios_monitor module, I found 'upload.wifi.firmware' which uploads the firmware to the firewall:

```yaml
  # Upload the firmware image to the firewall before running the upgrade task
  - name: Upload firmware image
    fortinet.fortios.fortios_monitor:
      selector: 'upload.wifi.firmware'
      vdom: "{{ vdom }}"
      params:
        serials: '{{ serial_number_of_firewall }}'
        file_content: "{{ lookup( 'file', './FGT_60F-v6-build1911-FORTINET.out') | string | b64encode }}"
```

After adding the above task to my code I was able to send the firmware image to the firewall and successfully automate the upgrade of the firewall.

JehhmD
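The verbose output in the question shows `meta.status` as `success` while the nested `meta.results.status` is `error`, which is why the play reported success although nothing was upgraded. The tasks below are an added example, not code from the original posts: they make the upgrade task fail when the API returns that nested error. The variable name `fw_result` is an assumption; the field paths are the ones visible in the output above.

```yaml
  - name: Upgrade firmware and fail on an API-level error
    fortinet.fortios.fortios_monitor:
      vdom: "{{ vdom }}"
      selector: 'upgrade.system.firmware'
      params:
        source: "upload"
        filename: 'FGT_60F-v6-build1911-FORTINET.out'
        file_content: "{{ lookup('file', './FGT_60F-v6-build1911-FORTINET.out') | string | b64encode }}"
    # fw_result is a name chosen for this example
    register: fw_result
    # The module result carries two status fields: meta.status describes the
    # HTTP exchange, meta.results.status describes what FortiOS did with the
    # request. Treat either one reporting a problem as a task failure.
    failed_when: >-
      fw_result.meta is not defined
      or fw_result.meta.status | default('') != 'success'
      or (fw_result.meta.results is mapping
          and fw_result.meta.results.status | default('') == 'error')

  - name: Record which build answered the request
    ansible.builtin.debug:
      msg: >-
        {{ fw_result.meta.serial }} answered as {{ fw_result.meta.version }}
        build {{ fw_result.meta.build }}
```

With the output from the question (`results.status: error`, code -586), the first task is reported as failed and the play stops for that host instead of continuing as if the firmware had been installed.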