Hi,
So, we just upgraded our FortiManager from 5.2.6 to 5.4.1. Most of our FortiGates are currently running 5.0.x, and the FMG is the first step to a global migration to 5.4. In 5.0 and 5.2, we were heavy users of object colors to denote different object types in our firewalls. 5.4 has put that in complete chaos. Forti[Gate]OS 5.4 has different colors versus 5.0/5.2, and for some even more bizarre reason, FortiManager 5.4.1's object color assignments are different than what shows up in FortiGate FortiOS 5.4.1. I really don't know what they were thinking.
Anyways, we now have a 5.0 ADOM with tens of thousands of firewall address objects of varying colors. Since Fortinet teams can't decide between themselves what color palette to use, I want to just remove the "set color" line en masse from the objects so all of our objects are the standard default color. What is the best way to accomplish this? Is it possible to script on the FortiManager? Can I get an example script?
Hi,
You can use a CLI script like this:
config firewall address
    edit "address_name"
        unset color
    next
    edit "another_address"
        unset color
    next
    ...
end
Probably the easiest way to obtain a list of objects in an ADOM is to use the "execute fmpolicy print-adom-object" command (use question marks to complete the syntax with ADOM ID and object ID). Then you can use some Python or any other scripting language to generate the correct syntax from the list of objects.
Best Regards,
Lukasz Korbasiewicz
Fortinet EMEA TAC Level 2
Fortinet NSE7 Certified
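The reply above suggests generating the script from an object list with Python. The following is an added example, not part of the original thread and not Fortinet code, that does this. It assumes the object list is available as text in FortiOS CLI syntax (the output format of "execute fmpolicy print-adom-object" is not shown in the thread) and that names are quoted with backslash escapes; the sample objects are constructed and the function names are hypothetical.

```python
import shlex

# Constructed sample in FortiOS CLI syntax; names and values are made up.
SAMPLE = '''\
config firewall address
    edit "srv-web-01"
        set subnet 10.0.0.10 255.255.255.255
        set color 3
    next
    edit "Branch LAN"
        set comment "set color 9 marked branch sites"
    next
end
config firewall addrgrp
    edit "web-servers"
        set member "srv-web-01"
        set color 6
    next
end
'''

def colored_objects(config_text, table="firewall address"):
    """Names of entries in `config <table>` that carry a `set color` line."""
    names, depth, in_table, current = [], 0, False, None
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)  # honours quoted names and values
        except ValueError:          # unbalanced quote (multi-line value): skip
            continue
        if tok[:1] == ["config"]:
            depth += 1
            if depth == 1:          # only top-level tables are matched
                in_table = " ".join(tok[1:]) == table
        elif tok[:1] == ["end"]:
            depth -= 1
        elif tok and in_table and depth == 1:
            if tok[0] == "edit" and len(tok) == 2:
                current = tok[1]
            elif current is not None and tok[:2] == ["set", "color"]:
                names.append(current)
    return names

def build_script(names, table="firewall address"):
    """Emit the `unset color` CLI script in the form shown in the reply above."""
    q = lambda n: '"' + n.replace("\\", "\\\\").replace('"', '\\"') + '"'
    body = [f"    edit {q(n)}\n        unset color\n    next" for n in names]
    return "\n".join([f"config {table}", *body, "end"]) + "\n"

if __name__ == "__main__":
    print(build_script(colored_objects(SAMPLE)), end="")
```

Only objects that actually carry a "set color" line are emitted, and the names are taken from the dump itself, which matters because "edit" creates an object when the name does not already exist.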
Yes, but how would I apply that to the object database in the FortiManager?
Sorry for the different color issue on the FMG side; we will fix this for FMG 5.4.2.
To run a script, please go to System Settings - Admin - Admin Settings and enable "Show Scripts", then go to "Device Manager". You will see a new tab on top, "Scripts". Go to the script page, where you can create a CLI script for device db, remote device, or package db. So if you want to modify address config on the FMG db, choose package db, then copy the address CLI config into the script and save the script. In the script list page you will see your newly created script; right-click it, and you can then run the script on the package/ADOM db to modify the addresses.
Thanks
Simon
Simon,
That allows me to run on the objects in a policy package, but not the global object database within the FMG in whole.
Hi Aaron, for policy objects, running a script requires selecting a package, but the script actually runs for that ADOM db, not just for the objects used by the policy package.
Thanks
Simon