emnoc
New Member
March 10, 2014
Solved

dumping fwpolicies into a xls or csv format

  • March 10, 2014
  • 10 replies
  • 47063 views
Anybody seen any cool tools that will grab fwpolicies and dump them into a format to import into xls, or csv or any other method?
    Best answer by TuncayBAS

    Yes, of course.

    I use the FortiGate REST API document.

     

    http://www.tuncaybas.com/FOS_JSON_REST_API_523.pdf

     

    Get all policy for 5.2 :

    https://192.168.0.1:443/api/cmdb?request={'action':'select','path':'firewall','name':'policy','datasource':true,'skip':true,'with_meta':true}

     

    Get all policy for 5.4 :

    https://192.168.0.1:443/a..2/cmdb/firewall/policy/

     

    This returns JSON format.

    {
    "http_method":"GET",
    "results":[
    {
    "policyid":7,
    "q_origin_key":"7",
    "name":"fatura-pc-deny",
    "uuid":"53e964d2-36b8-51e6-a95c-9c146a1da1c8",
    "srcintf":[
    {
    "name":"lan",
    "q_origin_key":"lan"
    }
    ],
    "dstintf":[
    {
    "name":"wan1",
    "q_origin_key":"wan1"
    }
    ],
    "srcaddr":[
    {
    "name":"all",
    "q_origin_key":"all"
    }
    ],

    and parse with .NET (or use another language).

     

    10 replies

    jtfinley
    New Member
    March 25, 2014
    Anybody seen any cool tools that will grab fwpolicies and dump them into a format to import into xls, or csv or any other method?
    Sounds like a cool programming project. SNMP query a Fortigate and create a visual map of all interfaces & FW Policies
    emnoc
    emnocAuthor
    New Member
    March 26, 2014
    Yeah, I'm working on it as I type. My Perl scripting is not that good, but I cannibalize a script that works with junos that does just that. Stay tuned :) fwiw; my goal is to write out policyid#, src/dst and interfaces/address. The problem I see is pertaining to the address-book and when we have multiple services.
    SgtMalicious
    New Member
    April 17, 2014
    I updated my policy viewer script with an option to dump all of the firewall policies in a tab delimited format. http://bit.ly/1kB2wV0
    ShrewLWD
    New Member
    April 17, 2014
    Sebastian of firewall guru fame posted on this topic here.. http://firewallguru.blogspot.com/2014/04/exporting-firewall-rules-to-csv.html?m=1
    emnoc
    emnocAuthor
    New Member
    April 22, 2014
    thanks
    Andre_Backs
    New Member
    May 11, 2014
    Wouldn't it be great if FG used XML for the firewall policies? And since we are on the subject, wouldn't it be nice if you could split out the policy sections (like firewall policy, system interface, pretty much all those things that are between config ... and end) into separate files and be joined back together at import time?
    emnoc
    emnocAuthor
    New Member
    May 12, 2014
    FWIW there's a script for netscreen that actually does just what you're asking. It dumps a ns config into various parts (policy, nat, interfaces, etc...). Also google source projects had this: https://code.google.com/p/aclparser/
    Andre_Backs
    New Member
    May 12, 2014
    Hi Emnoc, I looked at the site, but it seems to be an empty office :-) I saw a PERL script the other day, but that dumps into plain csv. It does not (as far as I could tell) take into account that some fields are not always used, i.e. use a factory default value and do not show up in an edit / next clause. That leaves your csv garbled if you open it in Excel.
    emnoc
    emnocAuthor
    New Member
    May 12, 2014
    Here's the NS2html site: http://ns2html.sourceforge.net/download.html These were used back in the day when netscreens were very popular and scripts were needed to parse cfg files. And here's "nipper": http://blog.tevora.com/enterprise-applications/how-to-parse-firewall-configs-with-nipper-2/ Nipper doesn't support fortigates :)
    Andre_Backs
    New Member
    May 12, 2014
    Hi emnoc, I just briefly tried NS2html, it didn't work unfortunately. It did well on the test.cfg file (a Netscreen config) but it couldn't make sense of the Fortigate config file. The "nipper" link links to the blog that has a link to a Sourceforge project which is marked as deleted (also ). So I Googled nipper and found another Sourceforge (http://sourceforge.net/projects/nipper/) which seemed promising at first, but I found that the only files there are an IP subnet calculator and a tool to decrypt Cisco type 7 passwords. Nipper itself has gone commercial and now belongs to Titania Ltd as Nipper Studio. An evaluation kit of that needed a lot more effort than I am willing to put in right now. Anyway, what I am looking for was more or less the Webbased Manager but with just a bit more sophistication (things like search and replace, bulk edit, block moves, you get the drift).
    emnoc
    emnocAuthor
    New Member
    May 12, 2014
    Cool, I was only pointing out that previous works in this same area did exist. Speaking of nscreen, the ns.cfg files are not 100% like a juniper or a fortigate. I'm really surprised nobody from fortinet has built a tool for this and included it on board the appliance directly (fwpolicy and fwpolicy6 extraction into csv, xml, etc......). Next, I'm also wondering if a Fortimanager might have some type of extraction? Anybody here have access to a Fortimanager & care to check and comment?
    neonbit
    New Member
    June 11, 2014

    From what I can see the FortiManager allows you to export the policy packages to csv.

    FatalHalt
    New Member
    June 11, 2014
    I too have needed a tool for this for a while. Not finding anything, I've begun making one in python. It's pretty rudimentary right now, but I currently have it parsing a config file for Addresses, Groups and Policies and dumping into 3 separate TSV files which I then pull into a spreadsheet manually (for now). It also handles 'special' situations like if a policy is identity based. Next up is having it do static routes, interfaces, admins, local users, etc etc etc. Attached is a picture example of the data in a spreadsheet.
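    A sketch of the config-file approach discussed in this thread, as an added example that is not FatalHalt's or SgtMalicious's script. It parses the edit / next clauses of a policy section into TSV and builds the header from every field seen, so policies that omit default-valued fields stay column-aligned. The sample config is constructed, and the function names and the ";" separator for multi-valued settings are assumptions.

```python
import csv, io, shlex

# Constructed sample in config ... end layout; policy 8 omits fields policy 7 sets.
SAMPLE = '''config firewall policy
    edit 7
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set service "HTTP" "HTTPS"
        set comments "billing pc"
    next
    edit 8
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "pc1" "pc2"
        set action accept
    next
end
'''

def parse_policies(text, section="config firewall policy"):
    policies, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:                     # outside the section: wait for its start
            depth = int(line == section)
            continue
        words = shlex.split(line) or [""]  # honours quoted, multi-valued settings
        if words[0] == "config":           # nested block inside a policy: skipped
            depth += 1
        elif words[0] == "end":
            depth -= 1
        elif depth == 1 and words[0] == "edit":
            current = {"policyid": words[1]}
        elif depth == 1 and words[0] == "next" and current is not None:
            policies.append(current)
            current = None
        elif depth == 1 and words[0] == "set" and current is not None:
            current[words[1]] = ";".join(words[2:])
    return policies

def to_tsv(policies):
    columns = []
    for p in policies:                     # union of all fields, first-seen order
        columns += [k for k in p if k not in columns]
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=columns, restval="",
                       delimiter="\t", lineterminator="\n")
    w.writeheader()
    w.writerows(policies)                  # restval fills fields a policy lacks
    return out.getvalue()
```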
    SgtMalicious
    New Member
    June 18, 2014
    Do you have your source up somewhere? I have some Python up on GitHub if you're interested: http://bit.ly/1kB2wV0
    TuncayBAS
    Explorer
    October 4, 2016