Support Forum
Dallustallus
New Contributor II

Fortigate API - bulk remove addresses

Hi,

 

I have a script to block IPs for a given reason for a FortiGate 400F. I am able to create addresses and apply them to an address group. However, I want to apply a form of rotation to avoid a large address group.

 

I am able to clear up the members in the address group; however, I also want to remove the addresses. I know this can be done individually as an API call, but is there a way to bulk remove? I would likely be looking to remove 500 addresses as part of the rotation, and I would not want to go down the route of removing one per API call.

Anthony_E
Community Manager

Hello Dallustallus,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,

 

Could you please indicate to us under which firmware your FortiGate is running?

 

Regards,

Anthony-Fortinet Community Team.
Dallustallus
New Contributor II

Hi, sorry for the delay. I am running version 7.4.1.

 

Many Thanks

Dale

Anthony_E
Community Manager

Thank you.

 

I found this thread:

https://github.com/FortiPower/PowerFGT?tab=readme-ov-file#address-group

 

Could you please tell me if it helped?

 

Regards,

Anthony-Fortinet Community Team.
Dallustallus
New Contributor II

Thank you.

 

I have had a look at it; it looks like it is only removing one member of a group, rather than multiple members.

 

As an example you can add multiple addresses to a group by:


POST: https://{{IP}}/api/v2/cmdb/firewall/addrgrp/Test_API/member

Body: [{"name": "45.132.194.7/32"},{"name": "68.235.44.69/32"}]

To remove a member:

 

DELETE: https://{{IP}}:8443/api/v2/cmdb/firewall/addrgrp/Test_API/member/45.132.194.7%2F32

No Body

 

What I cannot do is use DELETE https://{{IP}}:8443/api/v2/cmdb/firewall/addrgrp/Test_API/member/

and provide a body to define which members to remove. If I attempt using either:

[{"name": "45.132.194.7/32"},{"name": "68.235.44.69/32"}]

or

[{"name": "45.132.194.7/32","q_origin_key": "45.132.194.7/32"},{"name": "68.235.44.69/32","q_origin_key": "68.235.44.69/32"}]

 

as a body, it just deletes all members of that group.

 

I hope that makes sense?

 

Many Thanks

Dale
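
As an added example (not code from the thread, from Dale, or from Fortinet), here is one way to script the rotation that the original question and the post above describe: keep the group at a fixed size, and delete only the address objects that fall out of it. It uses the per-member DELETE form shown above, with the "/" in the member name percent-encoded exactly as in the thread, and deliberately never sends a DELETE with a body to the member collection, since the post reports that removes every member. Two standard cmdb calls that the thread does not show are assumed: PUT /api/v2/cmdb/firewall/addrgrp/<group> to replace the member list in one request, and DELETE /api/v2/cmdb/firewall/address/<name> per address object. The host, token, group name "Test_API" and the sample member list are constructed; a bulk address delete is not provided here, so the per-address calls are limited to the addresses actually rotated out.

```python
"""Rotate a FortiGate block-list group: trim it to `keep` members and delete
the address objects that left it.  Added example, not Fortinet code."""
import json
import ssl
import urllib.parse
import urllib.request

API_BASE = "/api/v2/cmdb/firewall"


def encode_name(name):
    """Encode an object name for use as a single path segment.

    Keys such as "45.132.194.7/32" contain "/", which has to become %2F
    (as in the thread's DELETE URL) or FortiOS parses it as extra segments.
    """
    return urllib.parse.quote(name, safe="")


def plan_rotation(group, members, keep):
    """Return (method, path, body) tuples that keep only the newest `keep` members.

    `members` is assumed to be ordered oldest -> newest (the order the blocking
    script appends in).  One PUT rewrites the group's member list (assumed
    standard cmdb update, not shown in the thread); then one DELETE per address
    object that is no longer referenced.  The address deletes must come after
    the group update, because FortiOS refuses to delete an object still in use.
    """
    if keep < 1:
        # Assumption: never leave the group empty, so a policy keeps a valid group.
        raise ValueError("keep must be >= 1")
    if len(members) <= keep:
        return []                      # nothing to rotate out yet
    stale, kept = members[:-keep], members[-keep:]
    plan = [("PUT", f"{API_BASE}/addrgrp/{encode_name(group)}",
             {"member": [{"name": n} for n in kept]})]
    plan += [("DELETE", f"{API_BASE}/address/{encode_name(n)}", None) for n in stale]
    return plan


def member_delete_requests(group, names):
    """The per-member form from the thread: one DELETE per member, no body."""
    return [("DELETE",
             f"{API_BASE}/addrgrp/{encode_name(group)}/member/{encode_name(n)}",
             None) for n in names]


def execute(host, token, plan, cafile=None):
    """Send a plan with a REST API token; returns the HTTP status of each call.

    `host` may include a port (e.g. "fw.example.invalid:8443").  Pass the
    FortiGate's CA via `cafile` instead of disabling certificate checks.
    An HTTPError (e.g. a failed group PUT) propagates so the address deletes
    are not attempted against a group that still references them.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    statuses = []
    for method, path, body in plan:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"https://{host}{path}", data=data, method=method,
            headers={"Authorization": f"Bearer {token}",      # REST API token
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Constructed sample: the two addresses from the thread plus one newer one.
    sample = ["45.132.194.7/32", "68.235.44.69/32", "10.0.0.1/32"]
    for req in plan_rotation("Test_API", sample, keep=2):
        print(req)
    # execute("fw.example.invalid:8443", "<api-token>", plan)  # real run
```

In a real run the script would first GET the group (or read its own state file) to obtain the current member order; the point of keeping the plan separate from execute is that the list of requests can be reviewed or logged before anything touches the firewall.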

Markus_M

Hi Dale,

 

I honestly do not know the API that well; someone has to do more research on it or knows it better to comment on it.

I can recommend an alternative; it may work for you: threat feeds.

Threat feeds take an IP list (literally a text file with a bunch of IPs in it) and insert it into the FortiGate as a usable address object inside a deny policy.

 

I'm making the guess you already have such a list that is curated by you.

You're trying to tell the FortiGate to reflect that list in address objects and address group objects. If that existing list is available to download for the FortiGate, it might make things and scripting easier (obsolete in that case).

 

If you use these objects split across various policies, however, you may have to use multiple threat feeds, or be better off with the REST API.

 

Best regards,

 

Markus

 

Anthony_E
Community Manager

Hello,

 

Oh yes it makes sense :)! I will try to find somebody :)!

 

Regards,

Anthony-Fortinet Community Team.