ciscokid1903
New Member
October 11, 2013
Solved

Mass Creation of object addresses in FGT

  • October 11, 2013
  • 10 replies
  • 76249 views
Has anyone created a script for importing a list of IP addresses to create Object Addresses within the FortiGate firewall? Ideally this script would allow for updates etc. on a monthly basis.

Example list:

IP,Hostname,Interface
111.111.111.111,HOST-1,OUTSIDE
222.222.222.222,HOST-2,OUTSIDE
333.333.333.333,HOST-3,OUTSIDE

to produce an output like the following:

edit HOST-1
set type ipmask
set subnet 111.111.111.111/255.255.255.255
set associated-interface OUTSIDE
next
edit HOST-2
set type ipmask
set subnet 222.222.222.222/255.255.255.255
set associated-interface OUTSIDE
next
edit HOST-3
set type ipmask
set subnet 333.333.333.333/255.255.255.255
set associated-interface OUTSIDE
end
    Best answer by ede_pfau
    10 replies

    rwpatterson
    New Member
    October 11, 2013
    That doesn't look to be so difficult. You would still have to manually upload that into your unit though.
    Valoni
    New Member
    November 6, 2019

    rwpatterson wrote:
    That doesn't look to be so difficult. You would still have to manually upload that into your unit though.

    Is the script below supposed to be run on the FGT unit or the Windows PC, and why?

    @echo off
    REM input: textfile addr.txt with IP,name,interface (one per line)
    REM values delimited by commas, comments start with #

    REM redirect output to a batch command file for uploading to a Fortigate


    echo config firewall address
    for /f "eol=# tokens=1-3 delims=," %%i in (addr.txt) do CALL :oneaddr %%i %%j %%k
    echo end
    goto :EOF

    :oneaddr
    echo edit %2
    echo set type ipmask
    echo set subnet %1/32
    set intf=%3
    if [%3]==[] set intf=ANY
    echo set associated-interface %intf%
    echo next
    ede_pfau
    SuperUser
    SuperUser
    October 11, 2013
    here you are with a rudimentary batch script:
    @echo off
    REM input: textfile addr.txt with IP,name,interface (one per line)
    REM values delimited by commas, comments start with #

    REM redirect output to a batch command file for uploading to a Fortigate

    echo config firewall address
    for /f "eol=# tokens=1-3 delims=," %%i in (addr.txt) do CALL :oneaddr %%i %%j %%k
    echo end
    goto :EOF

    :oneaddr
    echo edit %2
    echo set type ipmask
    echo set subnet %1/32
    set intf=%3
    if [%3]==[] set intf=ANY
    echo set associated-interface %intf%
    echo next
    with this input file
    # IP,Hostname,Interface
    111.111.111.111,HOST-1,OUTSIDE
    222.222.222.222,HOST-2
    333.333.333.333,HOST-3,OUTSIDE
    this output is produced:
    config firewall address
    edit HOST-1
    set type ipmask
    set subnet 111.111.111.111/32
    set associated-interface OUTSIDE
    next
    edit HOST-2
    set type ipmask
    set subnet 222.222.222.222/32
    set associated-interface ANY
    next
    edit HOST-3
    set type ipmask
    set subnet 333.333.333.333/32
    set associated-interface OUTSIDE
    next
    end
    Allwyn_Mascarenhas
    New Member
    September 18, 2015

    ede_pfau wrote:
    here you are with a rudimentary batch script:
     @echo off
    REM input: textfile addr.txt with IP,name,interface (one per line)
    REM values delimited by commas, comments start with #

    REM redirect output to a batch command file for uploading to a Fortigate


    echo config firewall address
    for /f "eol=# tokens=1-3 delims=," %%i in (addr.txt) do CALL :oneaddr %%i %%j %%k
    echo end
    goto :EOF

    :oneaddr
    echo edit %2
    echo set type ipmask
    echo set subnet %1/32
    set intf=%3
    if [%3]==[] set intf=ANY
    echo set associated-interface %intf%
    echo next
    with this input file
    # IP,Hostname,Interface
    111.111.111.111,HOST-1,OUTSIDE
    222.222.222.222,HOST-2
    333.333.333.333,HOST-3,OUTSIDE
    this output is produced:
    config firewall address
    edit HOST-1
    set type ipmask
    set subnet 111.111.111.111/32
    set associated-interface OUTSIDE
    next
    edit HOST-2
    set type ipmask
    set subnet 222.222.222.222/32
    set associated-interface ANY
    next
    edit HOST-3
    set type ipmask
    set subnet 333.333.333.333/32
    set associated-interface OUTSIDE
    next
    end

    Hey, thanks for this, I just need a little help on transferring it to a txt file. I tried the filename > bulk.txt in your next reply but couldn't get it to work. Where do I add this line?

    ciscokid1903
    New Member
    October 14, 2013
    Thank you for this Ede. In your example, where is the output generated?
    ede_pfau
    SuperUser
    SuperUser
    October 14, 2013
    well, output goes to stdout, that is, to the screen. If you need it in a file just redirect it: mkbatch > bulk.txt (if you name the script "mkbatch.cmd"). No experience with the command line? sic transit gloria mundi...
    ciscokid1903
    New Member
    October 14, 2013
    hi Ede, No, I've no real experience with the command line. Thanks for this info.
    emnoc
    New Member
    October 14, 2013
    For mass output and in consecutive ranges here's what I do. http://socpuppet.blogspot.com/2012/11/fortigate-firewall-cfg-script-to-speed.html This helps when producing mass outputs on unix using basic scripting in bash.
    ede_pfau
    SuperUser
    SuperUser
    September 18, 2015

    hi,

     

    step-by-step on a Windows PC:

     

    assuming you copied and pasted my batch script into notepad and saved that as "mkadr.cmd".

    Then you write down your addresses in notepad and save that as "addr.txt".

    - this name is fixed! the script expects only this name, you cannot change it. -

    Then you open a commandline: press the Windows key (lower left of keyboard, between Ctrl and Alt), and type "cmd.exe" into the search field. A DOS box/command line window should open.

    Go into the directory where you saved the 2 files: cd "C:\users\blabla\downloads"

    You should be able to list these files: "dir mkadr.cmd", "dir addr.txt"

    Now generate the batchcommands for the Fortigate: "mkadr > newadr.bcmd"

    Check the file: "dir newadr.bcmd", filesize should be > 0.

     

    To upload to the Fortigate, in the GUI go to System > Config > Advanced, Scripts and upload the file.

    Afterwards check the address objects in Firewall Objects > Addresses.

    Allwyn_Mascarenhas
    New Member
    September 23, 2015

    ede_pfau wrote:

    hi,

     

    step-by-step on a Windows PC:

     

    assuming you copied and pasted my batch script into notepad and saved that as "mkadr.cmd".

    Then you write down your addresses in notepad and save that as "addr.txt".

    - this name is fixed! the script expects only this name, you cannot change it. -

    Then you open a commandline: press the Windows key (lower left of keyboard, between Ctrl and Alt), and type "cmd.exe" into the search field. A DOS box/command line window should open.

    Go into the directory where you saved the 2 files: cd "C:\users\blabla\downloads"

    You should be able to list these files: "dir mkadr.cmd", "dir addr.txt"

    Now generate the batchcommands for the Fortigate: "mkadr > newadr.bcmd"

    Check the file: "dir newadr.bcmd", filesize should be > 0.

     

    To upload to the Fortigate, in the GUI go to System > Config > Advanced, Scripts and upload the file.

    Afterwards check the address objects in Firewall Objects > Addresses.

    Got it! thanks. The generated conf file can be .conf ext too or has to be only .bcmd?

    ede_pfau
    SuperUser
    SuperUser
    September 23, 2015

    The file extension can be anything. I personally prefer NOT to name it *.conf as not to mistake it for a full configuration - they are only snippets. "*.bcmd" is my invention for "batch command".

    Allwyn_Mascarenhas
    New Member
    September 23, 2015

    ede_pfau wrote:

    The file extension can be anything. I personally prefer NOT to name it *.conf as not to mistake it for a full configuration - they are only snippets. "*.bcmd" is my invention for "batch command".

    I am using your concept of reading the txt file to read IP and auth from text files for FortiGate devices and create config backups. I get the backup but I am getting stuck at passing the 4th parameter, client name, to the bat file.

     

    my cmd:

    @echo off

    for /f "eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k
    echo end
    goto :EOF

    :oneaddr
    cd c:\Program Files\PuTTY
    pscp -pw %3 %2@%1:sys_config c:\backup\%4-%DATE%-%TIME::=%.conf

     

    and my fgts.txt file:

    # ip,username,password,clientname
    x.x.x.x,admin,password,devicename
    y.y.y.y,admin,password,devicename

     

    I have changed the tokens = 1-4, is that correct?

     

    PS: enable admin-scp on the device if you're trying this:

    config system global
    set admin-scp enable
    end

     

    help please.

    ede_pfau
    SuperUser
    SuperUser
    September 23, 2015

    You've got to reference the 4th parameter in the loop, like this:

    for /f "eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k %%l

    First token is assigned to %%i, 2nd to %%j...4th to %%l (small L).
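For the backup loop discussed above, an added Python version (mine, not code from the thread): it reads the same `# ip,username,password,clientname` layout, carries the fourth field into the destination file name (the parameter the original loop dropped), and builds each pscp call as an argument list for subprocess rather than a shell string, so a password with shell metacharacters or a client name with spaces cannot break the command. The pscp path, the backup directory and the sample device lines are assumed placeholders; nothing is executed unless run_backups is called with dry_run=False.

```python
import datetime
import re
import subprocess

# Constructed sample in the thread's fgts.txt layout; every value is a placeholder.
# A password containing a comma would need a different delimiter than this format offers.
SAMPLE_FGTS_TXT = """\
# ip,username,password,clientname
192.0.2.10,admin,placeholder-pw-1,branch-a
192.0.2.11,admin,placeholder-pw-2,branch b
"""

# Assumed locations (the thread used c:\Program Files\PuTTY and c:\backup); adjust per host.
PSCP = r"C:\Program Files\PuTTY\pscp.exe"
BACKUP_DIR = r"C:\backup"


def parse_fgts(text):
    """Return (ip, user, password, client) tuples; '#' lines and blanks are skipped."""
    devices = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4 or not all(fields):
            raise ValueError(f"line {lineno}: expected ip,username,password,clientname, got {raw!r}")
        devices.append(tuple(fields))
    return devices


def timestamp_now():
    """Sortable stamp with no ':' in it (the reason the batch file used %TIME::=%)."""
    return datetime.datetime.now().strftime("%Y%m%d-%H%M%S")


def backup_filename(client, stamp):
    """<client>-<stamp>.conf, with the client name reduced to file-name-safe characters."""
    safe = re.sub(r"[^A-Za-z0-9._-]+", "_", client).strip("_") or "device"
    return f"{safe}-{stamp}.conf"


def build_pscp_argv(device, stamp, backup_dir=BACKUP_DIR, pscp=PSCP):
    """argv for one device: pscp -pw <pw> <user>@<ip>:sys_config <dest>"""
    ip, user, password, client = device
    dest = backup_dir.rstrip("\\") + "\\" + backup_filename(client, stamp)
    return [pscp, "-pw", password, f"{user}@{ip}:sys_config", dest]


def run_backups(text, dry_run=True):
    """Build (and, unless dry_run, execute) one pscp command per device; returns the argv lists."""
    stamp = timestamp_now()
    commands = [build_pscp_argv(dev, stamp) for dev in parse_fgts(text)]
    if not dry_run:
        for argv in commands:
            subprocess.run(argv, check=True)  # no shell: arguments are passed verbatim
    return commands


if __name__ == "__main__":
    for argv in run_backups(SAMPLE_FGTS_TXT):
        print(argv)
```

Two practical notes: `-pw` puts the password on the process command line, where any local user can read it from the process list, and PuTTY 0.77 and later accept `-pwfile` to read it from a file instead; and fgts.txt itself holds cleartext admin credentials, so keep its file permissions as tight as the backups it produces.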

    Allwyn_Mascarenhas
    New Member
    September 26, 2015

    ede_pfau wrote:

    You've got to reference the 4th parameter in the loop, like this:

    for /f "eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k %%l

    First token is assigned to %%i, 2nd to %%j...4th to %%l (small L).

    worked like a charm, exactly what was needed.

     

    Thanks a ton!

    KPS
    New Member
    November 8, 2019

    Hi!

     

    I don't know what exactly you want to achieve (finally), but perhaps it's worth looking at the new "Fabric-Connector-Feeds" in 6.2

     

    You can dynamically feed in lists of ip addresses as http-download and use these lists as address objects in policies.

     

    ...just in case...

    emnoc
    New Member
    November 8, 2019

    Also if you need to build azure dc range lists or similar you can do the following

     

    http://socpuppet.blogspot.com/2017/03/how-to-extract-ms-azure-dc-and-batch-of.html

     

    if you're doing consecutive items in bulk you can also do something similar

     

    http://socpuppet.blogspot.com/2012/11/fortigate-firewall-cfg-script-to-speed.html

     

    Great for new deployments and where items are consecutive in nature.

     

    Ken Felix