Description
This article describes how to create address objects that have per-device mapping, or delete existing mappings, by using a FortiManager CLI script. This method is useful for mass creation of address objects or mass deletion of old mappings on existing addresses, where editing each object in the GUI would be impractical.
Scope
FortiManager.
Solution
A) Creating an address object with per-device mapping:
1) Navigate to Device Manager->Scripts and select Create new script.
2) For 'Run script on', choose 'Policy Package or ADOM Database' and enter the script below, which will create an address named 'Address_Lab' with per-device mapping.
The script (every 'config' and 'edit' is closed with its matching 'end' and 'next'):
    config firewall address
        edit Address_Lab
            config dynamic_mapping
                edit "Test_Lab"-"root"
                    set subnet 192.168.0.0 255.255.240.0
                next
            end
        next
    end
3) Note that, under 'config dynamic_mapping', the entry name is the device name followed by a hyphen ('-') and the VDOM name, each in double quotes. For example:
    edit "Test_Lab"-"root"
'Test_Lab' is the device name as it appears in Device Manager, and 'root' is the VDOM on that device to which the mapping applies.
4) Select Ok to save the script. Then, right-click on the created Script and select Run script on default -> Run now.
5) Verify that the address was created by going to Policy & objects -> Object configuration -> Firewall objects -> Addresses.
B) Deleting per-device mapping for existing address objects:
1) Navigate to Device Manager->Scripts and select Create new script.
2) For 'Run script on', choose 'Policy Package or ADOM Database' and enter the script below, which removes the per-device mapping "Test_Lab"-"root" from the existing address 'Address_Lab'. The address object itself is kept.
The script:
    config firewall address
        edit Address_Lab
            config dynamic_mapping
                delete "Test_Lab"-"root"
            end
        next
    end
3) Select Ok to save the script. Then, right-click the created script and select Run script on default -> Run now.
4) Verify that the per-device mappings for the address were deleted by going to Policy & objects -> Object configuration -> Firewall objects -> Addresses and checking that the per-device mappings no longer exist.
5) Optionally, to remove the address entirely, run the following script, which deletes the address object from the ADOM Database:
    config firewall address
        delete Address_Lab
    end
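For the mass creation or mass deletion this article is intended for, the scripts above can be generated from an inventory instead of typed by hand. The following is an added example, not part of the original article or a Fortinet tool. It assumes only the syntax shown above (mappings under 'config dynamic_mapping' inside 'config firewall address', each entry named "<device>"-"<vdom>"); the CSV layout, the sample rows and all function names are this example's own conventions. It validates each subnet/mask pair before emitting anything, so a typo fails in the generator rather than part-way through a script run against the ADOM database.

```python
"""Generate FortiManager ADOM-database CLI scripts for address objects with
per-device mapping from a small CSV inventory.

Added example, not taken from the original article or from Fortinet. It
assumes the syntax the article shows: mappings live under
'config dynamic_mapping' inside 'config firewall address', and each entry
is named "<device>"-"<vdom>". The CSV layout and every function name here
are this example's own conventions.
"""
import csv
import io
import ipaddress
from collections import OrderedDict

# Constructed sample inventory for the example (not real device data).
SAMPLE_CSV = """\
address_name,device,vdom,subnet,mask
Address_Lab,Test_Lab,root,192.168.0.0,255.255.240.0
Address_Lab,Branch_FW,root,10.10.0.0,255.255.255.0
Address_DMZ,Test_Lab,dmz,172.16.5.0,255.255.255.0
"""


def parse_inventory(text):
    """Return (address, device, vdom, subnet, mask) tuples from CSV text.

    Each subnet/mask pair is validated with strict=True, so a host address
    or a malformed mask is rejected here, with its line number, instead of
    failing part-way through a script run against the ADOM database.
    """
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            net = ipaddress.IPv4Network(f"{row['subnet']}/{row['mask']}", strict=True)
        except ValueError as exc:
            raise ValueError(f"inventory line {line_no}: {exc}") from None
        rows.append((row["address_name"].strip(), row["device"].strip(),
                     row["vdom"].strip(), str(net.network_address), str(net.netmask)))
    return rows


def mapping_name(device, vdom):
    """Per-device mapping entry name in the article's form: "<device>"-"<vdom>"."""
    return f'"{device}"-"{vdom}"'


def _address_script(rows, render_mapping):
    """Emit one 'config firewall address' block. Rows are grouped by address
    so each object is edited once with all its mappings under it, and every
    config/edit is closed with the matching end/next."""
    by_address = OrderedDict()
    for addr, *mapping in rows:
        by_address.setdefault(addr, []).append(mapping)
    lines = ["config firewall address"]
    for addr, mappings in by_address.items():
        lines += [f"    edit {addr}", "        config dynamic_mapping"]
        for mapping in mappings:
            lines += render_mapping(*mapping)
        lines += ["        end", "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


def build_create_script(rows):
    """Script for section A: create the addresses and their mappings."""
    def render(device, vdom, subnet, mask):
        return [f"            edit {mapping_name(device, vdom)}",
                f"                set subnet {subnet} {mask}",
                "            next"]
    return _address_script(rows, render)


def build_delete_mapping_script(rows):
    """Script for section B: drop the listed mappings, keep the addresses."""
    def render(device, vdom, _subnet, _mask):
        return [f"            delete {mapping_name(device, vdom)}"]
    return _address_script(rows, render)


def build_delete_address_script(rows):
    """Script for section B step 5: remove the address objects themselves."""
    names = list(OrderedDict.fromkeys(addr for addr, *_ in rows))
    lines = ["config firewall address"] + [f"    delete {n}" for n in names] + ["end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_CSV)
    print(build_create_script(inventory))
    print(build_delete_mapping_script(inventory))
    print(build_delete_address_script(inventory))
```

Paste the generated text into a script created under Device Manager -> Scripts with 'Run script on' set to 'Policy Package or ADOM Database', exactly as in steps A) and B) above; run the create and delete variants as separate scripts. Grouping rows by address matters: issuing 'edit Address_Lab' once with all of its mappings beneath it avoids re-editing the same object and keeps the end/next nesting unambiguous.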
Note:
If the affected addresses are referenced in a policy package, the package status changes to 'Modified' after the script runs. The change does not reach the managed FortiGate until the policy package is installed.
Troubleshooting:
If an installation of the policy package is interrupted or fails, the following commands on the FortiManager CLI enable debug output from the security console while the installation is retried:
    diagnose debug application securityconsole 255
    diagnose debug enable
Turn the debug output off again once the problem has been captured:
    diagnose debug disable