IShall
New Member
April 14, 2015
Question

Validating firewall address objects


Hello,

Just wondering if anyone has managed to export Fortigate address host objects and IP addresses to a text file or CSV etc.?

What I am really trying to achieve is to identify any inconsistencies in the address objects where either the host no longer exists or where the IP has been reallocated to a different host. So the process would be to identify any address object with a 255.255.255.255 mask, do a DNS lookup, try to ping it etc., and report on this.

If I could extract the addresses and IPs then I could probably do the rest in a bash script or something, but I imagine someone has already done the initial extraction part? I've found the Perl script to extract the policies into a .csv, but I'm not a Perl guy, so if someone has done this already, that would be very useful.

Thanks in advance,

Fortigate 310B

Fortimanager 400A

Fortianalyzer 200D

    Somashekara_Hanumant
    Staff & Editor
    April 14, 2015

    Hi IShall,

    From the CLI console you can save the firewall address objects to a file.

    Open an SSH session with the Fortigate using putty.exe and log all the output to a file (Session > Logging > All session output > Log File name > save the file as *.log):

    config firewall address

    sh full

    end

    All the output will be saved to a text file.

    Let me know if you have any further queries.

    Regards,

    Somu

    Somashekara_Hanumant
    Staff & Editor
    April 16, 2015

    Hi IShall,

    Using the command below you can list the address objects with a 255.255.255.255 mask:

    sh firewall address | grep "255.255.255.255"

    Hope this helps you.

    Regards,

    Somu

    IShall (Author)
    New Member
    April 15, 2015

    Thanks Somu,

    Certainly that is the starting point. What I am aiming to do is extract the host objects (i.e. address object with type "ipmask" and mask "255.255.255.255") and further process just these. So I'll need some scripting to do that.

    Regards,

    emnoc
    New Member
    April 16, 2015

    Yes, and with the -A you can get the full name:

    show firewall address | grep -A 4 "255.255.255.255"

    You will still need to manipulate the items to find any duplicates or unused addresses or address-groups. Then you can cross-reference these to active policies.

    I'm sure you could write a script parser to find all occurrences of "named address" in the policies.
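A parser for the `show firewall address` output that the replies above describe, following the original poster's plan (pick out the ipmask objects with a 255.255.255.255 mask, then reverse-resolve each one so the object name can be compared with what DNS returns today). This is an added example, not code posted by anyone in this thread; the sample output is constructed, and the `resolve` callable is an assumption you can replace with your own lookup or ping check.

```python
import re
import socket

# Constructed sample of `show firewall address` output; not captured from a real device.
SAMPLE_OUTPUT = """\
config firewall address
    edit "web01"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "lan-net"
        set subnet 192.0.2.0 255.255.255.0
    next
    edit "corp-site"
        set type fqdn
        set fqdn "www.example.com"
    next
end
"""

def parse_address_objects(text):
    """Map each edit block to its set values; no `set type` (plain show omits defaults) means ipmask."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        edit = re.fullmatch(r'edit "(.+)"', line)
        setting = re.fullmatch(r"set (\S+) (.+)", line)
        if edit:
            current = edit.group(1)
            objects[current] = {"type": "ipmask"}
        elif line == "next":
            current = None
        elif current is not None and setting:
            objects[current][setting.group(1)] = setting.group(2).strip('"')
    return objects

def host_objects(objects):
    """Name -> IP for ipmask objects whose mask is 255.255.255.255 (single hosts)."""
    return {name: attrs["subnet"].split()[0] for name, attrs in objects.items()
            if attrs["type"] == "ipmask" and attrs.get("subnet", "").endswith(" 255.255.255.255")}

def check_hosts(hosts, resolve=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Reverse-resolve each host IP; None marks an IP with no PTR record (a stale-object candidate)."""
    report = {}
    for name, ip in hosts.items():
        try:
            report[name] = resolve(ip)
        except OSError:  # socket.herror and socket.gaierror are OSError subclasses
            report[name] = None
    return report
```

Feed it the PuTTY session log from the first reply; objects whose resolved name differs from the object name, or that resolve to nothing, are the ones to review.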