So the situation I'm in is, we have an existing set of servers (VMs) in Azure that are being updated to the newest versions of SQL and the core software they use for an application. Apparently the recommended way to do this is not to just upgrade the existing VMs to the new versions (thus keeping the existing IP) but to build brand new VMs on the new software then migrate the data over. Obviously this means these new servers have new IP addresses, but they each need all the same firewall permissions that their older counterpart currently has while they run simultaneously and are tested. Then once everything looks good, they will decommission the old VMs and I would remove them from the rules leaving only the new ones in their place.
I was trying to find some way other than manually searching by each old IP for all the rules it exists in, and manually adding the new IP to that rule.
I wondered if there was some script or batch file that would allow me to, for instance, tell it to add <new object> to <list of rules> as either a source or destination and it add them all at once. Or even better, if there was a way with some kind of script to tell it basically "every rule you see <old IP/object>, add <new IP/object> to the rule as well."
Am I making sense? And is this possible?
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Such function, as far as I am aware, isn't natively available in FortiOS. (caveat: I cannot comment about FortiManager, maybe it does have some magic up its sleeve)
It definitely can be scripted with the REST API, but you'd need to write it yourself.
A rough sketch:
1, Get list of policies that contain address object "my-address" in sources or destinations. Return only policyID/srcaddr/dstaddr (to confirm match).
GET /api/v2/cmdb/firewall/policy/?filter==srcaddr==my-address,dstaddr==my-address&format=policyid|srcaddr|dstaddr
2, Make a list of policy IDs where my-address is among the sources (srcaddr; code depends on your language of choice)
3, Iterate through the list of IDs with a POST request to append "new-address" to these policies:
POST /api/v2/cmdb/firewall/policy/<policyid>/srcaddr
{"name": "new-address"}
4, Repeat #2 for destinations (dstaddr)
5, repeat #3 to update the destination address lists in the matching policies:
POST /api/v2/cmdb/firewall/policy/<policyid>/dstaddr
{"name": "new-address"}
Done.
The eventual removal can be automated with:
DELETE /api/v2/cmdb/firewall/policy/<policyid>/srcaddr/<address-object-name>/
As you can see, this takes a bit of effort, so I wouldn't bother if the number of policies to update is low.
A slightly easier, though a bit more primitive approach could be a bulk edit in a good enough text editor.
1, Create the new address object as usual
2, Back up the config and edit the backup file
3, Do a bulk-replace of all instances of:
"<old-address-object>"
...with:
"<old-address-object>" "<new-address-object>"
I would recommend doing this with manual confirmations for each occurence, since this will likely have some false positive matches. (the object being mentioned in non-relevant places that should not be touched, such as its own definition)
3, Restore the configuration (reboot needed)
Alternative-3, Yank just the "config firewall policy" section of the modified backup (+any other section you modified), and copy-paste it over the existing config in CLI/SSH. Assuming it contains only the relevant modifications, it will update the relevant policies and leave the others untouched.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.