Fern-X
New Contributor

CLI for locating Firewall Policies or Address/Groups whose members match a searched address

Hello!

Fortigate GUI's 'Policy & Objects > Firewall Policy' (attachment) and 'Policy & Objects > Addresses' has a "Search" field to locate a firewall policy or Address Group containing within it (either explicitly, or implicitly, within address range or subnet) the specified address.

Two questions:

  1. is there a corresponding CLI command for either variant?

  2. is there a corresponding API call for either variant?

(I'm NOT seeking workarounds - merely answer(s) to above.)

Thanks!

ozkanaltas
Valued Contributor III

Hello @Fern-X

You can use the grep command for that question. For example:

show firewall policy | grep -f Object_NAME

This command searches your query in the policy configuration.

For API, you can use the filtering feature.

 


PS.

Also, I found one more thing about the API, but didn't try it before.

/api/v2/monitor/system/global-search


If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
Fern-X

Hi ozkanaltas!

> show firewall policy | grep -f Object_NAME

No, this shows tables matching the specified regexp pattern, not IP addresses within an Address or Address Group instance. Look at my screenshot; yours won't find what I've shown.

ozkanaltas
Valued Contributor III

Hello @Fern-X,

It's my fault that I didn't pay attention to the image strings on the screen. Unfortunately, there is no different solution for CLI.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
Fern-X

Hi ozkanaltas!

> Unfortunately, there is no different solution for CLI.

that may or may not be true. My experience is that there's a hidden cryptic or surreptitious CLI equivalent for all GUI functions.

It'd be great if a Fortinet-er provides a definitive answer.

Thanks!

hbac

Hi @Fern-X,

Why not? The grep command will find the exact match, so you cannot enter 10.0.0.2, but 10.0.0 should work. Below is an example. I don't think there is another way.

Atlantis-kvm60 # show firewall policy | grep 192.168.10 -f
config firewall policy
edit 10
set name "sslvpn"
set uuid 94a8f498-b64d-51ee-9b3b-2eaa3b5051c9
set srcintf "ssl.root"
set dstintf "port4"
set action accept
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "192.168.10.0/24" <---
set schedule "always"
set service "ALL"
set logtraffic all
set groups "Guest-group"
next
end

Regards,

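As an added illustration of the distinction this thread turns on (grep matches text, the GUI search matches containment), here is a small Python script that is not from the thread or from Fortinet: it parses `show firewall policy` output in the shape hbac posted and reports policies whose srcaddr/dstaddr objects actually cover a given IP, resolving subnets, ranges and groups. The address-object table, the group, and the object names other than those in hbac's output are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of hbac's 'show firewall policy' output above.
POLICY_OUTPUT = """\
config firewall policy
    edit 10
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "192.168.10.0/24"
    next
    edit 11
        set srcaddr "LAN_NET"
        set dstaddr "DMZ_HOSTS"
    next
end
"""

# Constructed address objects and one group (hypothetical names, not from the thread).
ADDRESSES = {
    "SSLVPN_TUNNEL_ADDR1": "10.212.134.200-10.212.134.210",  # iprange object
    "192.168.10.0/24": "192.168.10.0/24",                     # subnet object
    "LAN_NET": "192.168.1.0/24",
    "DMZ_SRV1": "172.16.5.10/32",
}
GROUPS = {"DMZ_HOSTS": ["DMZ_SRV1"]}

def contains_ip(obj_name, ip):
    # Resolve groups recursively, then test subnet or start-end range membership.
    if obj_name in GROUPS:
        return any(contains_ip(m, ip) for m in GROUPS[obj_name])
    value = ADDRESSES.get(obj_name)
    if value and "-" in value:
        lo, hi = (ipaddress.ip_address(p) for p in value.split("-"))
        return lo <= ip <= hi
    return bool(value) and ip in ipaddress.ip_network(value, strict=False)

def policies_matching(output, address):
    # Return [(policy_id, field, object_name)] for each src/dst object covering address.
    ip = ipaddress.ip_address(address)
    hits, current = [], None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = int(line.split()[1])
        m = re.match(r'set (srcaddr|dstaddr) (.+)', line)
        if m and current is not None:
            for obj in re.findall(r'"([^"]+)"', m.group(2)):
                if contains_ip(obj, ip):
                    hits.append((current, m.group(1), obj))
    return hits
```

Unlike `grep 192.168.10`, this matches 192.168.10.77 against the /24 object and 172.16.5.10 through the group, and a text search on either address would find neither.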
Fern-X
New Contributor

Bump! Fortinet-er for a definitive answer?
