ataro
Explorer II
July 4, 2025
Solved

Fortigate Firewall Rule Creation from Excel File


I have a requirement to implement firewalls for different customers. The firewall service ports remain the same, but the source and destination addresses will change for each customer. I would like to populate the addresses and services in an Excel file manually. Is there any way to auto-generate the rules/configuration file from the Excel file so that I can import them on the new firewall? Is it possible to automate?

4 replies

mahesh_pm
Explorer
July 4, 2025

Hey,

How many rules are we talking about?

If it’s just a few, the easiest way is to open the script in a text editor, do a find-and-replace for things like source and destination, and then use the "Upload Script" option.

But if you've got a ton of rules, it’s better to automate it. You’ll find some handy Python scripts on GitHub that can do the job.

I actually found one that takes firewall addresses from Excel and spits out a FortiGate script.

ataro (Author)
Explorer II
July 4, 2025

Please share the script / link that takes addresses from Excel and generates the FG script.

I have around 50 rules per firewall; the source and destination groups contain around 100 devices.

mahesh_pm
Explorer
July 4, 2025

Hi,

Find the link below.
https://github.com/Aztek1337/fortigate_address_create  

Note: This is not an official Fortinet document. Please perform this activity in an isolated or test environment first, and thoroughly verify that everything works as expected before applying it to a production setup.

Yurisk
SuperUser
July 4, 2025

"Just" source/destination IPs would not be enough, as rules require specifying the source/destination interface on the Fortigate as well. Are all those Fortigates of the same exact model, with the exact same IP topology/VLANs?

And from real-world experience: when you have 50 Fortigates to manage/deploy, it is usually done via Fortimanager, where, among other things, you can have templates with variables for IPs that you can push to the FGTs.

filiaks1
Explorer III
July 4, 2025

Strange that Fortigate has the export option ("Export firewall policy list to CSV and JSON formats 7.0.2 | FortiGate / FortiOS 7.0.0 | Fortinet Document Library") but not the import without Fortimanager. Better to use JSON, as then you can use the API to import the changes.

ataro (Author)
Explorer II
July 4, 2025

I am providing 50 firewalls to different customers, so I don't need FortiManager.

Is there any more information/material on the whole process of API utilization?

filiaks1 (Answer)
Explorer III
July 4, 2025

I did not say for you to use Fortimanager, as when you mentioned different customers I got the point, so that was your interpretation about needing Fortimanager.

The endpoint is:

https://<FIREWALL_IP>/api/v2/cmdb/firewall/policy

Useful doc:

Using APIs | FortiGate / FortiOS 7.6.3 | Fortinet Document Library

Keep in mind that I saw a bug, as mentioned in "Set app control or ips in firewall via API does no..." - Fortinet Community (yes, there I have recommended Fortimanager, as 1 customer with 1000 firewalls seems a good option), so you need to send only the changes, not the full POST request.

For more about the API I suggest https://fndn.fortinet.net/
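
Added example, not written by any poster in this thread and not Fortinet code: one way to turn a spreadsheet saved as CSV into a FortiOS CLI script for the "Upload Script" route mentioned earlier, validating every cell so that a stray quote or newline in the sheet cannot inject extra configuration lines. The column names, the `net-...` address object naming and the allow-list pattern are assumptions of this example; each row must name its interfaces, as pointed out in the thread.

```python
import csv
import io
import ipaddress
import re

# Constructed sample (Excel "Save as CSV"); column names are this example's assumption.
SAMPLE_CSV = """name,srcintf,dstintf,src_cidr,dst_cidr,service
cust1-web,port2,port1,10.10.1.0/24,192.0.2.10/32,HTTPS
cust1-dns,port2,port1,10.10.1.0/24,192.0.2.53/32,DNS
"""
SAFE = re.compile(r"[A-Za-z0-9_.-]{1,35}")  # allow-list: no quotes, spaces, newlines

def safe(row, field):
    """Return a cell only if it cannot break out of a quoted CLI argument."""
    value = (row.get(field) or "").strip()
    if not SAFE.fullmatch(value):
        raise ValueError(f"unsafe or missing {field}: {value!r}")
    return value

def address_object(cidr):
    """Map an IPv4 CIDR cell to (object name, 'network netmask')."""
    net = ipaddress.IPv4Network((cidr or "").strip(), strict=True)  # raises if invalid
    ip = net.network_address
    return f"net-{ip}-{net.prefixlen}", f"{ip} {net.netmask}"

def build_script(csv_text):
    """Build a FortiOS CLI script: address objects first, then the policies."""
    addresses, policies = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        names = []
        for column in ("src_cidr", "dst_cidr"):
            name, subnet = address_object(row.get(column))
            addresses[name] = subnet  # de-duplicates objects shared by rules
            names.append(name)
        policies += [
            "    edit 0",  # 0 lets the FortiGate assign the next free policy ID
            f'        set name "{safe(row, "name")}"',
            f'        set srcintf "{safe(row, "srcintf")}"',
            f'        set dstintf "{safe(row, "dstintf")}"',
            f'        set srcaddr "{names[0]}"',
            f'        set dstaddr "{names[1]}"',
            f'        set service "{safe(row, "service")}"',
            '        set schedule "always"',
            "        set action accept",
            "    next",
        ]
    script = ["config firewall address"]
    for name, subnet in addresses.items():
        script += [f'    edit "{name}"', f"        set subnet {subnet}", "    next"]
    return "\n".join(script + ["end", "config firewall policy", *policies, "end"]) + "\n"
```

`print(build_script(SAMPLE_CSV))` shows the generated script; a row with a malformed network, host bits set in the CIDR, or an unexpected character raises `ValueError` instead of producing a partial script.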