I am tasked with a project to implement MFA for VPN users but cannot simply enable it for all users, they want to trickle users into a new AD group to enable MFA for the users.
I've been instructed to setup a new IP Pool, then duplicate 50+ policies adjusting the srcaddr and group names for the new IP Pool and group. I know I could sit in front of the GUI and repetitively copy/paste policies and adjust them by hand, but what a waste of time.
I connected via SSH and issued a "show firewall policy" command with grep -B10 -A10 -f "<search criteria>" and got a messy output that I can now clean up by hand, but I am wondering if there is a better/easier way to do this?
Denny
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Why do you need additional policies? It sounds like you just need to add the new addresses and group to the existing policies.
Otherwise the way you're doing it is pretty much the best. (I haven't used the grep cleanup, but I just use the show command to get the output and remove the UUIDs using regex in Notepad++)
Thank you for replying, I just noticed your location is in Sedalia, I'm in Clinton, so howdy neighbor.
Back to your question, in the past we tried mixing different addresses and groups in the same policy and started getting weird results, mainly some VPN users were getting assigned an IP from the wrong VPN pool. We couldn't make much sense of it, so we stopped trying.
Another question, is there a way to specify where to put the new policy I am adding as I add it? For example, I am cloning policy 123, then when I issue edit 0 to add the new policy, I'd like it to move below policy 123.
Denny
Cloning in this case should be quite easy with Notepad++ Find & Replace, as you want to replace just the Pool ip, w/o changing interface names. I moved with Notepad++ whole VDOMs and it was doable but not fun because of interface names.
When creating rules on CLI the safe way (IMO) is to create each rule with increasing ID then use move to CLI command to place it wherever you need.
E.g. I create policy with ID 3 and move it before policy 1:
(policy) # edit 3 new entry '3' added
....
next
(policy) # move 3 before 1
you method is what we do also grep -f and find the policy , extract, assign policyid 0 and find+replace or unix-sed the changes as required and ssh bulk re-insert as script via fortimanager or fortigate webUI
This is just park of a fwadmin job no easy way to skin a alive cat ;)
Ken Felix
PCNSE
NSE
StrongSwan
Hey Denny,
Very cool! You're the first person I've seen remotely local. You're running the same boxes we are it looks like too: 1500D. Let me know if you want to chat sometime. I'll send you my contact info in PM.
I use multiple users and address groups all the time in policies, but it probably depends how your portal configuration is set up as to whether you would have issues. Either way you're adding complexity so I guess it's just a matter of picking your poison. :)
I agree with Yuri on the approach to this. It feels like a pain but once you've done it's really not that bad. A lot better than copying the policies in the GUI and it'll preserve your comments too. (When you copy in the GUI it gives you a policy that just says what it's a copy of in the comments.)
- Daniel
Hi, maybe this is a little late but I've been doing it this way:
On the FGT with this command you can list only policies with string of your liking (the most important is -f switch which lists the rules with context)
show firewall policy | grep -f '<string to find>'
Copy the output to Notepad++ and with Replace function and Regex replace "set uuid" line with blank line (You need to click Replace All)
^.*set uuid.*$
Change policy ID to " edit 0" (You need to click Replace All)
^.*edit.*$
Delete the arrow symbols. They will be appended by grep -f switch after matched string which you selected to find in first command. So you just need to replace them with the same line but without the "<---" symbol
^.*<---.*$
Now clean blank lines
Edit > Line Operations > Remove Empty Lines
And now after you've sanitized and prepared policies for import just replace your dstintf or whatever you need to your requirement and just copy it to FGT
Hope this helps to anyone. Maybe there is a better/quicker way of doing this but at least it works
- Martin
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1666 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.