
system_version check breaks support for using vDOM-specific credentials #345

Open
moonrail opened this issue Aug 16, 2024 · 4 comments

@moonrail

Hello all,

This hardcoded string, ?vdom=root, breaks any support for vDOM-specific credentials:
https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/blob/2.3.7/plugins/httpapi/fortios.py#L259

When not using credentials with access to the root vDOM, the Forti API returns the following:

{
  "http_method":"GET",
  "status":"error",
  "http_status":403,
  "vdom":"root",
  "path":"system",
  "name":"status",
  "action":""
}

When using the vDOM of the credentials in use, the expected result is returned:

{
  "http_method":"GET",
  "results":{
    "model_name":"...",
    "model_number":"...",
    "model":"...",
    "hostname":"...",
    "log_disk_status":"available"
  },
  "vdom":"myvDOM",
  "path":"system",
  "name":"status",
  "action":"",
  "status":"success",
  "serial":"...",
  "version":"...",
  "build":...
}

Why not just use the user-provided vDOM?
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_firewall_address_module.html#parameter-vdom

Most other modules have this parameter as well.

@MaxxLiu22

Hi @moonrail ,

Thank you for bringing up this question. As per the FOS design, it's necessary to grant root VDOM permissions to a user, even if they have vDOM-specific credentials. Without these permissions, the user won't be able to access the FGT through any method (CLI, GUI, Ansible), and the system status information can only be retrieved via the root management VDOM. Let me know if that doesn't solve your question.

config system api-user
    edit "api2"
        set api-key ENC SH2ipHjvcqlUqQXHwubNJrZp+pfvfKm+6TG7YmIlJ1hq96W19pUyypw046LHfE=
        set accprofile "vdom"
        set vdom "root" "vdom"
    next
end

Thanks,
Maxx

@moonrail (Author)

Hi @MaxxLiu22,

I cannot understand your explanation, and neither can my colleagues who administer the Fortigate firewalls.

From our knowledge the vDOM construct is designed to make tenancy possible. By checking the FortiOS version with the root vDOM this feature is not usable with these Ansible modules.
Granting any tenant privileges on the root vDOM sounds like a clear breach of security.

So - Is this by design? Should nobody but the administrator be allowed to automate their simplest firewall policies using Ansible modules?

> Without these permissions, the user won't be able to access the FGT through any method (CLI, GUI, Ansible), and the system status information can only be retrieved via the root management VDOM.

I cannot reproduce this behaviour. With the tenant vDOM credentials I can administer the vDOM contents fully via UI and CLI. Only Ansible does not work. Are you certain I should not be able to do that without the root vDOM permission you mentioned? If so, then we'd have a security incident in FortiOS here, no?

@MaxxLiu22

Hi @moonrail ,

Thank you for your information. After consulting with my colleague, I realize that you are correct: root vDOM permission is not required for a user with vDOM-specific credentials. The issue I encountered was due to not assigning an IP and router to the specific vDOM, which should function as an individual FGT. Consequently, the root vDOM was needed as a connecting bridge to access the specific vDOM. I have reported the hardcoded issue with "vdom=root" to the Ansible development team for resolution. I apologize for any inconvenience this may have caused.

Thanks,
Maxx

@thunderstorm99

I can also add that calling /api/v2/monitor/system/status without any vdom parameter works with vDOM-specific tokens.
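The following is an added example, not code from the fortios collection or from any participant in this thread. It shows the shape of the fix the thread converges on: build the system/status request from the caller's vDOM (or send no vdom parameter at all, as the last comment reports works with vDOM-scoped tokens) instead of hardcoding ?vdom=root, and classify the two response bodies quoted above so a 403 against the wrong vDOM surfaces as an explicit access error rather than a confusing version-check failure. The function names, the fake in-memory "device" and the placeholder field values are all assumptions made for the example; the real plugin's HTTP plumbing is not reproduced.

```python
"""Added example (not the collection's own code): honour the caller's vDOM for the
FortiOS system/status version check and classify the responses shown in the issue."""
from urllib.parse import quote

STATUS_PATH = "/api/v2/monitor/system/status"


def system_status_url(vdom=None):
    """Return the monitor URL. With vdom=None no vdom parameter is sent (reported
    above to work with vDOM-scoped tokens); otherwise the caller's vDOM name is
    URL-encoded and appended. The value is never defaulted to 'root'."""
    if not vdom:
        return STATUS_PATH
    return "%s?vdom=%s" % (STATUS_PATH, quote(vdom, safe=""))


class FortiOSAccessError(Exception):
    """Raised when the API reports an error for the vDOM the request targeted."""


def parse_system_status(body):
    """Classify a JSON-decoded system/status body.

    Returns (version, serial) for the success shape. Raises FortiOSAccessError for
    the error shape, carrying http_status and the vdom the request was made against,
    so a tenant token pointed at 'root' is visible as a permission problem."""
    if body.get("status") == "error":
        raise FortiOSAccessError(
            "system/status failed for vdom=%r (http_status=%s)"
            % (body.get("vdom"), body.get("http_status")))
    if body.get("status") != "success" or "version" not in body:
        raise ValueError("unexpected system/status response shape")
    return body["version"], body.get("serial")


# Constructed sample bodies modelled on the two responses quoted in the issue.
# Values elided on the page ("...") are replaced with placeholders, not device data.
FORBIDDEN_ROOT = {
    "http_method": "GET", "status": "error", "http_status": 403,
    "vdom": "root", "path": "system", "name": "status", "action": "",
}
TENANT_OK = {
    "http_method": "GET",
    "results": {"model_name": "PLACEHOLDER", "hostname": "PLACEHOLDER",
                "log_disk_status": "available"},
    "vdom": "myvDOM", "path": "system", "name": "status", "action": "",
    "status": "success", "serial": "PLACEHOLDER", "version": "PLACEHOLDER_VERSION",
    "build": 0,
}


def check_version_with_vdom(responses, vdom):
    """Simulate the plugin's version check. `responses` maps URL -> decoded body,
    a stand-in for the HTTP round-trip so the example runs offline (assumption)."""
    url = system_status_url(vdom)
    return parse_system_status(responses[url])


if __name__ == "__main__":
    # Fake device: a tenant token that may read its own vDOM but not root.
    fake_device = {
        system_status_url("root"): FORBIDDEN_ROOT,
        system_status_url("myvDOM"): TENANT_OK,
        system_status_url(None): TENANT_OK,
    }
    print("tenant vdom:", check_version_with_vdom(fake_device, "myvDOM"))
    print("no vdom:   ", check_version_with_vdom(fake_device, None))
    try:
        check_version_with_vdom(fake_device, "root")
    except FortiOSAccessError as err:
        print("hardcoded root:", err)
```

Running the file shows the version check succeeding with the tenant's own vDOM (and with no vdom parameter), and failing with a clear 403 access error only when the request is forced to root, which is exactly the least-privilege behaviour the issue asks for: a tenant never needs rights on the root vDOM to automate its own policies.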
