KrzysztofPL
New Contributor

IP Address Assignment Rules list to txt flat file in FortiGate 600E

Hello everybody,

As in the topic, I have a FortiGate 600E.

I'm looking for a solution to get a list of all reserved addresses (from each VLAN), preferably to some flat txt file, as well as to get the device inventory list (with the last seen column), to match and compare those lists in some external tool.

 

Regards

7 REPLIES
AlexC-FTNT
Staff

diag ip add list >> shows IPs assigned to interfaces

diag ip arp list >> shows the mac address and arp lists currently active

show system dhcp server >> will show you the IP ranges used by DHCP servers
( show system dhcp server | grep start -A1 )


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
KrzysztofPL

Thank you Alex,

As for the suggested commands - the second one is more suitable, however it is not exactly what I mean,

first of all I want to get a list of all active addresses (it's similar to the device inventory from web-access Dashboard/users&Devices -> but in CLI and with information about the 'last seen' time of the address)

second, 

'IP Address Assignment Rules' found in interface/VLAN/Advanced.

Is this also possible to export to a flat txt file?

Regards

AlexC-FTNT

I don't think that is possible at the moment in the FortiOS, but it sounds like a good feature request. Other products like FAZ or FortiSOAR may be able to handle this natively.
On the FortiOS I think there are some limitations to that, given the fact that the device-identification feature needs to store data on a database that takes up memory (and link these IPs to traffic logs). For a small network that shouldn't be a problem, but the FortiOS is consistent over several ranges of devices. Enabling such a feature on a device handling thousands of clients, even by mistake, may cause instant filling of memory and bring down the device.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Yurisk
Contributor III

What do you mean by "reserved addresses"? IP addresses configured on the interfaces/VLANs of the FGT, addresses created in Firewall -> Objects, addresses used in Security rules?

 

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
KrzysztofPL

Thanks Yuri for your reply,

I mean:

'IP Address Assignment Rules' found in interface/VLAN/Advanced.

I want to export this list to a flat txt file.

AlexC-FTNT
Staff

You may also find a list of assigned DHCP addresses here (again, not an automatic export):

exec dhcp lease-list


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Debbie_FTNT
Staff

Hey Krzysztof,

this is technically doable via API, but would very likely need some scripting.
You can have a look at what information is available via API:
1. Log into admin GUI


2. Access these URLs:

https://<FortiGate>/api/v2/cmdb/system.dhcp/server  
-> gives you all DHCP servers, which include a subsection 'reserved-address', essentially the same as 'config system dhcp server/show'

https://<FortiGate>/api/v2/monitor/dhcp 
-> all DHCP and DHCP6 leases, with a 'reserved' boolean attribute (is this a reserved IP or not)
-> you can filter for reserved entries:
-> https://<FortiGate>/api/v2/monitor/dhcp?filter=reserved==true

https://<FortiGate>/api/v2/monitor/user/device/query 
-> all detected devices
-> includes information on "last seen" (in epoch time, https://www.epochconverter.com/)
-> you can filter for online status:
-> https://<FortiGate>/api/v2/monitor/user/device/query?filter=is_online==true  
-> depending on firmware version, the query would be
https://<FortiGate>/api/v2/monitor/detected-device  
instead
If that provides an easier format to work with and/or you are comfortable with scripting, API might be the way for you to get the information into a text file and compare

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
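
The scripting step described in the reply above, as an added example that is not part of the original thread: it flattens the 'reserved-address' entries from the DHCP server endpoint and joins them by MAC to the "last seen" epoch time from the device query. The `results` wrapper, the `ip`, `mac`, `interface` and `last_seen` field names, the Bearer-token header and the host name are assumptions to check against your firmware's API output; the sample responses are constructed.

```python
import json
import ssl
import urllib.request
from datetime import datetime, timezone

def fetch(host, path, token):
    """GET one API path with a REST API token; TLS verification stays on."""
    req = urllib.request.Request(f"https://{host}{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as r:
        return json.load(r).get("results", [])  # assumed response wrapper

def reserved_rows(servers):
    """Flatten each DHCP server's 'reserved-address' list to (interface, ip, mac)."""
    return [(s.get("interface", ""), e.get("ip", ""), e.get("mac", "").lower())
            for s in servers for e in s.get("reserved-address", [])]

def device_last_seen(devices):
    """Map MAC -> last seen as a UTC timestamp string (source is epoch seconds)."""
    seen = {}
    for d in devices:
        ts = d.get("last_seen")  # assumed field name
        when = (datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
                if ts else "never")
        seen[d.get("mac", "").lower()] = when
    return seen

def build_report(servers, devices):
    """One tab-separated line per reservation, joined to the inventory by MAC."""
    seen = device_last_seen(devices)
    lines = ["interface\tip\tmac\tlast_seen"]
    for iface, ip, mac in sorted(reserved_rows(servers)):
        lines.append(f"{iface}\t{ip}\t{mac}\t{seen.get(mac, 'not-in-inventory')}")
    return "\n".join(lines) + "\n"

# Constructed sample responses (not captured from a real FortiGate).
SAMPLE_SERVERS = [{"interface": "vlan20", "reserved-address": [
                      {"ip": "10.0.20.7", "mac": "66:77:88:99:AA:BB"}]},
                  {"interface": "vlan10", "reserved-address": [
                      {"ip": "10.0.10.5", "mac": "00:11:22:33:44:55"}]}]
SAMPLE_DEVICES = [{"mac": "00:11:22:33:44:55", "last_seen": 1700000000}]

if __name__ == "__main__":
    # Live use (hypothetical host; token from a read-only API admin):
    # servers = fetch("fgt.example.net", "/api/v2/cmdb/system.dhcp/server", token)
    # devices = fetch("fgt.example.net", "/api/v2/monitor/user/device/query", token)
    with open("reservations.txt", "w") as fh:
        fh.write(build_report(SAMPLE_SERVERS, SAMPLE_DEVICES))
```

Reservations whose MAC never appears in the inventory are written as `not-in-inventory`, which gives the external comparison tool a stale-reservation list directly.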