rofo_xdf
New Contributor

Bulk import policy address object into fortigate firewall from a text file

Hi

Is it possible to bulk import address objects into a FortiGate FW from a text file?

I need to set up a lot of address objects and map them to one address group.

The text file looks like this:

config firewall address
    edit adr1
        set subnet x.x.x.x 255.255.255.255
    next
    edit adr2
        set subnet y.y.y.y 255.255.255.255
    next
    edit adr3
        set subnet z.z.z.z 255.255.255.255
    next
    (repeat for each address)
end
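As an added example (not code from the thread), this Python script turns a plain list of hosts or CIDRs into the same CLI batch shown above, drops duplicates and malformed lines, refuses to emit more objects than the address-table limit discussed in the replies (5000 on the FGT-60D, minus whatever objects already exist), and then puts every object into one address group. The `config firewall addrgrp` / `set member` commands are standard FortiOS CLI that the thread itself does not show; the sample input, the group name and the object-name prefix are constructed.

```python
import ipaddress

# Constructed sample input (not from the thread): one host or CIDR per line,
# blank lines and '#' comments allowed; the duplicate and the bad line are deliberate.
SAMPLE_INPUT = """\
# constructed sample list
198.51.100.10
198.51.100.10
203.0.113.0/24
not-an-address
"""

def parse_addresses(text):
    """Return (unique valid networks in file order, rejected lines)."""
    seen, nets, rejected = set(), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets, rejected

def fits_limit(count, max_objects=5000, preexisting=0):
    """True if `count` new objects fit next to the preexisting ones under the table maximum."""
    return count + preexisting <= max_objects

def render_fortios_script(nets, group, prefix="adr", max_objects=5000, preexisting=0):
    """Emit the CLI batch in the OP's layout, then put every object into one address group."""
    if not fits_limit(len(nets), max_objects, preexisting):
        raise ValueError(f"{len(nets)} objects + {preexisting} preexisting exceed the {max_objects} limit")
    names = [f"{prefix}{i}" for i in range(1, len(nets) + 1)]
    out = ["config firewall address"]
    for name, net in zip(names, nets):
        out += [f"    edit {name}",
                f"        set subnet {net.network_address} {net.netmask}",
                "    next"]
    out.append("end")
    # Address group: standard FortiOS CLI, not shown in the thread; group name is constructed.
    out += ["config firewall addrgrp", f"    edit {group}",
            "        set member " + " ".join(names), "    next", "end"]
    return "\n".join(out) + "\n"
```

Paste the returned text into the CLI console (or load it as a script), and check the rejected list before doing so, since a malformed line would otherwise leave a gap in the numbering.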

rofo_xdf
New Contributor

Edit

Got it to work, but only for 4976 objects.

Is there a limit for max objects in the FortiGate 60D?

rofo_xdf

edit

Found that the limit for firewall objects is 5000 in the FGT-60D.

 

emnoc
Esteemed Contributor III

Read the max value matrix per FortiOS and model (google it). I'm sure you have pre-allocated addresses, so the 5K number is not doable.

 

PCNSE NSE StrongSwan
gschmitt
Valued Contributor

rofo.xdf wrote:

Edit

Got it to work, but only for 4976 objects.

Is there a limit for max objects in the FortiGate 60D?

As others stated, 5000 is the max; the remaining objects are probably default or preexisting ones.

If you don't mind me asking: why in the name of <insert deity> do you need more than 5000 address objects? You can use IP ranges or subnets.

ede_pfau
Esteemed Contributor III

Hint: the TOR nodes list currently has ~6.969 entries (https://www.dan.me.uk/tornodes/)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
gschmitt
Valued Contributor

ede_pfau wrote:

Hint: the TOR nodes list currently has ~6.969 entries (https://www.dan.me.uk/tornodes/)

Which is a dynamic list by nature.

ede_pfau
Esteemed Contributor III

Sure but sometimes you need to protect a network from some bad guy coming from the TOR realm.

The list from the website is refreshed every 30 minutes, and loading it takes only 1-2 minutes in all.

 

Of course it would be more convenient to have the same mechanism as for botnet C&C servers via the AV engine.


Ede

"Kernel panic: Aiee, killing interrupt handler!"