Fortinet Forum
tozden
New Contributor

How to add 1000+ IP addresses?

We use a FortiGate 100E as the company firewall and VPN gateway for remote workers. Within the office we access AWS services with IP-based restrictions (the office IP is granted access to the AWS services).

Now I need to give remote users who will be connected to the office VPN on the FortiGate 100E access to those AWS services.

I do not want to inject a default route to VPN users, but selectively inject only the routes needed for the AWS services. Here I have a list of 1800+ different subnets which I obtained from Amazon.

It is not possible to insert them one by one manually over the FortiGate web interface.

I think I am not the only person who has needed to give access to AWS services over a VPN gateway. Does anyone have a better solution proposal (other than injecting a default route)?

 

Cudin
New Contributor II

Hi tozden,

If possible, I would disable split tunneling to force routing of all VPN traffic to the office, so it can be forwarded correctly to the AWS services without the need to reconfigure all VPN routes client-side.

 

hermann
New Contributor II

agree with Cudin.

Or, if you need access to web services only, you could make use of a web proxy with a smart proxy.pac script that the VPN clients should use. The script could manage the access in a smart way: AWS access through the web proxy using the IP address of the branch office, and the rest on the direct way.

BR

Hermann M.

Best regards
Hermann
Cudin
New Contributor II

Hello Hermann,

very interesting solution, could you please detail further how to create the web proxy script in that way?
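One way to build the proxy.pac Hermann sketches, as an added example that is not code from either poster: a small Python generator that turns the AWS prefix list into a PAC file, plus a pure-Python model of the same decision so the prefix list can be checked without a browser. The proxy host name and the three sample prefixes are placeholders constructed for the example; in practice the prefixes come from the list obtained from Amazon.

```python
import ipaddress

# Constructed prefixes in the shape of AWS ip-ranges.json entries; the real
# list is far longer and would be loaded from that file.
SAMPLE_PREFIXES = ["52.94.76.0/22", "3.5.134.0/23", "54.240.0.0/16"]
OFFICE_PROXY = "PROXY proxy.office.example:8080"   # placeholder, not a real host


def generate_pac(prefixes, proxy=OFFICE_PROXY):
    """Render a proxy.pac whose FindProxyForURL sends traffic for the given
    prefixes via the office proxy and everything else DIRECT. The hostname is
    resolved once and the address handed to isInNet(), so each request costs
    a single DNS lookup rather than one per prefix."""
    nets = sorted(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))
    tests = " ||\n".join('        isInNet(ip, "%s", "%s")' % (n.network_address, n.netmask)
                         for n in nets)
    lines = [
        "function FindProxyForURL(url, host) {",
        "    // A name that does not resolve cannot be an AWS endpoint: go direct.",
        "    var ip = dnsResolve(host);",
        '    if (!ip) { return "DIRECT"; }',
        "    if (",
        tests,
        "    ) {",
        '        return "%s";' % proxy,
        "    }",
        '    return "DIRECT";',
        "}",
    ]
    return "\n".join(lines) + "\n"


def pac_decision(host_ip, prefixes, proxy=OFFICE_PROXY):
    """Pure-Python model of the generated PAC's decision, so the prefix list
    can be checked against known endpoint addresses without a browser."""
    addr = ipaddress.ip_address(host_ip)
    return proxy if any(addr in ipaddress.ip_network(p) for p in prefixes) else "DIRECT"


if __name__ == "__main__":
    print(generate_pac(SAMPLE_PREFIXES))
```

Two things to keep in mind: the PAC decision runs on the client and only affects browsers and applications that honour the proxy setting, so it is a convenience for steering web traffic, not a control; the firewall policy on the proxy and the VPN still decides what is allowed. The AWS list changes regularly, so the file has to be regenerated and re-published on a schedule.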

Markus_M
Staff

When I need to add a bunch of "the same" stuff to a FGT, I will usually:

- get a backup configuration
- copy the respective section out of it
- use some advanced search-and-replace editor; "Notepad++" or "Sublime" do it well, for example
- get my to-be-inserted data set into some format that can then be used to search and replace the unneeded content with the

    edit 0
        set ....
    next
    edit 0
        set ...
    next

  and so on.

Search your list of IPs for the pattern as text before and after the IP, and make it replaceable with some FGT syntax.

 

Best regards,

 

Markus
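Markus's search-and-replace approach, done as a script instead of in an editor (an added example, not Markus's or Fortinet's code): it reads the prefix list in the shape of Amazon's published ip-ranges.json, keeps only the regions and services actually used, merges adjacent blocks, and renders a FortiOS CLI script with one address object per prefix, address groups, and an SSL VPN portal that pushes only those groups as split-tunnel routes. The sample JSON is constructed, the `aws_` naming scheme and the portal name `full-access` are my choices, the 300-member group cap is an assumption (check the Maximum Values table for your model), and it assumes the remote users come in over SSL VPN, since that is where `split-tunneling-routing-address` applies.

```python
import ipaddress
import json

# Constructed excerpt in the shape of Amazon's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json); the real file also carries
# "ipv6_prefixes" and thousands of entries. These values are made up.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.94.76.0/22", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.76.0/22", "region": "eu-central-1", "service": "EC2"},
        {"ip_prefix": "3.5.134.0/23", "region": "eu-central-1", "service": "S3"},
        {"ip_prefix": "18.194.0.0/16", "region": "eu-central-1", "service": "EC2"},
        {"ip_prefix": "18.195.0.0/16", "region": "eu-central-1", "service": "EC2"},
        {"ip_prefix": "54.240.0.0/16", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def select_prefixes(ip_ranges_json, regions, services):
    """Pick the IPv4 prefixes for the regions/services actually used, drop the
    duplicates (the same prefix is listed once per service) and merge adjacent
    blocks, so the FortiGate gets the smallest equivalent set of objects."""
    data = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(e["ip_prefix"])
            for e in data["prefixes"]
            if e["region"] in regions and e["service"] in services}
    return sorted(ipaddress.collapse_addresses(nets))


def address_name(net):
    # e.g. 52.94.76.0/22 -> aws_52-94-76-0_22 (no characters that need quoting)
    return "aws_%s_%d" % (str(net.network_address).replace(".", "-"), net.prefixlen)


def fortios_script(nets, group_prefix="aws", portal="full-access", max_members=300):
    """Render a FortiOS CLI script: one address object per prefix, address
    groups of at most max_members objects, and an SSL VPN portal that pushes
    only those groups as split-tunnel routes. max_members is an assumed cap;
    check the Maximum Values table for your model and firmware."""
    lines = ["config firewall address"]
    for net in nets:
        lines += ['    edit "%s"' % address_name(net),
                  "        set subnet %s %s" % (net.network_address, net.netmask),
                  '        set comment "AWS ip-ranges.json"',
                  "    next"]
    lines.append("end")

    groups = []
    lines.append("config firewall addrgrp")
    for i in range(0, len(nets), max_members):
        gname = "%s_grp%d" % (group_prefix, i // max_members + 1)
        groups.append(gname)
        members = " ".join('"%s"' % address_name(n) for n in nets[i:i + max_members])
        lines += ['    edit "%s"' % gname, "        set member " + members, "    next"]
    lines.append("end")

    lines += ["config vpn ssl web portal",
              '    edit "%s"' % portal,
              "        set split-tunneling enable",
              "        set split-tunneling-routing-address " + " ".join('"%s"' % g for g in groups),
              "    next",
              "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    selected = select_prefixes(SAMPLE_IP_RANGES, {"eu-central-1"}, {"AMAZON", "EC2", "S3"})
    print(fortios_script(selected))
```

The output is plain CLI text, so it can be loaded as a script or pasted into an SSH session, and keeping each generated file lets you diff successive runs when Amazon changes the list. Filtering by region and service before rendering is what keeps the object count manageable; pushing all 1800+ prefixes unfiltered is the point where Cudin's full-tunnel suggestion starts to look simpler.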

Jackstorm
New Contributor II

It is easy to use a script and the FortiGate API to create a huge number of addresses.
If you cannot code, you can try NimbleText (https://nimbletext.com/live): you can use a list and a template to create a huge number of addresses, policies, etc., and apply it via a firewall script, which is also efficient.

 


Lucas
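The API route Jackstorm mentions, as an added example (not Jackstorm's or Fortinet's code): rather than only creating objects, it keeps the firewall in sync with the current prefix list by listing the existing address objects, creating the missing ones and deleting the ones it owns that are no longer in the list. The URL and token are placeholders, the `aws_` prefix is how the script tells its own objects from everything else, and the inventory in the dry run is constructed. The path `/api/v2/cmdb/firewall/address` and the field names follow the FortiOS cmdb REST API as I know it; confirm them against the API reference for your firmware.

```python
import ipaddress
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders, not real values: your FortiGate's management URL and a REST API
# admin token, with a trusted host restricted to the machine running this script.
FGT_URL = "https://fortigate.example.internal"
API_TOKEN = "REPLACE_WITH_REST_API_TOKEN"
ADDR_PATH = "/api/v2/cmdb/firewall/address"
NAME_PREFIX = "aws_"          # marks the objects this script owns


def obj_name(net):
    return "%s%s_%d" % (NAME_PREFIX, str(net.network_address).replace(".", "-"), net.prefixlen)


def plan_sync(desired_prefixes, existing_objects):
    """Diff the wanted CIDRs against what is already on the box. Only objects
    carrying NAME_PREFIX are ours to delete; anything else is left untouched."""
    desired = {}
    for p in desired_prefixes:
        net = ipaddress.ip_network(p)
        desired[obj_name(net)] = net
    owned = {o["name"] for o in existing_objects if o["name"].startswith(NAME_PREFIX)}
    creates = [{"method": "POST", "path": ADDR_PATH,
                "body": {"name": name, "type": "ipmask",
                         "subnet": "%s %s" % (net.network_address, net.netmask),
                         "comment": "managed by aws-sync"}}
               for name, net in sorted(desired.items()) if name not in owned]
    deletes = [{"method": "DELETE", "path": ADDR_PATH + "/" + urllib.parse.quote(name), "body": None}
               for name in sorted(owned - desired.keys())]
    return creates, deletes


def send_urllib(req, base_url=FGT_URL, token=API_TOKEN, vdom="root"):
    """Real transport: one REST call, returning (HTTP status, decoded JSON).
    Error statuses are returned rather than raised so the caller can tally them."""
    data = None if req["body"] is None else json.dumps(req["body"]).encode()
    http = urllib.request.Request(base_url + req["path"] + "?vdom=" + vdom,
                                  data=data, method=req["method"],
                                  headers={"Authorization": "Bearer " + token,
                                           "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(http, timeout=30) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, {}


def list_addresses(send):
    status, body = send({"method": "GET", "path": ADDR_PATH, "body": None})
    if status != 200:
        raise RuntimeError("listing addresses failed: HTTP %d" % status)
    return body["results"]


def apply_plan(creates, deletes, send):
    """Creates run before deletes, so a group or policy that references an old
    object can be repointed before that object goes. The firewall refuses to
    delete an object still referenced elsewhere; those land in 'failed'."""
    summary = {"created": 0, "deleted": 0, "failed": []}
    for req in creates + deletes:
        status, _ = send(req)
        if status == 200:
            summary["created" if req["method"] == "POST" else "deleted"] += 1
        else:
            summary["failed"].append((req["method"], req["path"], status))
    return summary


def sync(desired_prefixes, send=send_urllib):
    creates, deletes = plan_sync(desired_prefixes, list_addresses(send))
    return apply_plan(creates, deletes, send)


if __name__ == "__main__":
    # Dry run against a constructed inventory instead of a live firewall.
    existing = [{"name": "aws_10-0-0-0_8"}, {"name": "aws_52-94-76-0_22"}, {"name": "office_lan"}]
    for req in sum(plan_sync(["52.94.76.0/22", "3.5.134.0/23"], existing), []):
        print(req["method"], req["path"], json.dumps(req["body"]))
```

The transport is passed in as a callable so the plan can be printed or tested without touching the firewall; running `plan_sync` alone and reviewing the creates and deletes before calling `apply_plan` is the sensible habit when the source list is fetched automatically. The API token should belong to a dedicated REST API admin with a profile limited to address objects and a trusted-host entry for the machine that runs the sync.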