Fortinet Forum
DirtyBlueshirt
New Contributor

5.4.1 - Removing object colors en masse

Hi,

So, we just upgraded our FortiManager from 5.2.6 to 5.4.1. Most of our FortiGates are currently running 5.0.x, and the FMG is the first step to a global migration to 5.4. In 5.0 and 5.2, we were heavy users of object colors to denote different object types in our firewalls. 5.4 has put that in complete chaos. Forti[Gate]OS 5.4 has different colors versus 5.0/5.2, and for some even more bizarre reason, FortiManager 5.4.1's object color assignments are different than what shows up in FortiGate FortiOS 5.4.1. I really don't know what they were thinking.

Anyways, we now have a 5.0 ADOM with tens of thousands of firewall address objects of varying colors. Since Fortinet teams can't decide between themselves what color palette to use, I want to just remove the "set color" line en masse from the objects so all of our objects are the standard default color. What is the best way to accomplish this? Is it possible to script on the FortiManager? Can I get an example script?

--- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
lkorbasiewicz_FTNT

Hi,

You can use a CLI script like this:

    config firewall address
        edit "address_name"
            unset color
        next
        edit "another_address"
            unset color
        next
        ...
    end

Probably the easiest way to obtain a list of objects in an ADOM is to use the "execute fmpolicy print-adom-object" command (use question marks to complete the syntax with the ADOM ID and object ID). Then you can use some Python or any other scripting language to generate the correct syntax from the list of objects.

Best Regards,

Lukasz Korbasiewicz

Fortinet EMEA TAC Level 2

Fortinet NSE7 Certified

Lukasz Korbasiewicz,

Fortinet TAC Support
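
An added example, not part of the original post and not Fortinet code: one way to do the generation step described above in Python. It assumes the object list is available as FortiOS-style config text (`config firewall address` / `edit` / `set color` / `next` / `end`); the function names and the sample dump are hypothetical.

```python
import shlex

# Constructed sample; the dump format (FortiOS-style config text) is an assumption.
SAMPLE_DUMP = r'''config firewall address
edit "srv web 01"
set color 3
next
edit "lab-old"
config tagging
edit "t1"
next
end
set color 13
next
end'''

def colored_addresses(dump):
    """Names of top-level firewall address objects with a non-default color."""
    names, depth, in_addr, current = [], 0, False, None
    for line in dump.splitlines():
        try:
            tok = shlex.split(line) or [""]
        except ValueError:  # unbalanced quote (multi-line value): skip the line
            continue
        if tok[0] == "config":
            in_addr = in_addr or (depth == 0 and tok[1:] == ["firewall", "address"])
            depth += 1
        elif tok[0] == "end":
            depth = max(depth - 1, 0)
            in_addr = in_addr and depth > 0
        elif in_addr and depth == 1:  # ignore entries of nested config blocks
            if tok[0] == "edit" and len(tok) == 2:
                current = tok[1]
            elif tok[0] == "next":
                current = None
            elif tok[:2] == ["set", "color"] and current and tok[2:] != ["0"]:
                names.append(current)
    return names

def quote(name):  # escape \ and " the way CLI strings expect (assumed)
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_script(names):  # only names seen in the dump: "edit" on an unknown name creates it
    body = [l for n in names for l in (f"edit {quote(n)}", "unset color", "next")]
    return "\n".join(["config firewall address", *body, "end"]) + "\n"

if __name__ == "__main__":
    print(build_script(colored_addresses(SAMPLE_DUMP)), end="")
```

Because the script only touches names that were read back from the dump and already carry a color, a mistyped name cannot silently create an empty address object, and objects at the default color are left out of the change.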

DirtyBlueshirt

Yes, but how would I apply that to the object database in the FortiManager?

--- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
scao_FTNT

Sorry for the different color issue on the FMG side; we will fix this for FMG 5.4.2.

To run a script, please go to System Settings - Admin - Admin Settings and enable "Show Scripts". Then go to "Device Manager"; you will see a new tab on top, "Scripts". Go to the script page, where you can create a CLI script for the device db, a remote device, or the package db. So if you want to modify the address config in the FMG db, choose package db, copy the address CLI config into the script, and save the script. Then, in the script list page, you will see your newly created script; right-click it and you can run the script on the package/ADOM db to modify the addresses.

Thanks

Simon

DirtyBlueshirt

Simon,

That allows me to run on the objects in a policy package, but not the global object database within the FMG as a whole.

--- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
scao_FTNT

Hi Aaron, for policy objects, running a script requires selecting a package, but the script actually runs against that ADOM db, not just the objects used by the policy package.

Thanks

Simon