Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ydaew
New Contributor III

Generating Fortigate policies

Hello everyone,

I'm looking for a script to generate a policy text file (CLI format) from a CSV file.

 

Thanks

7 Replies
Grave_Rose
New Contributor III

Hey Ydaew,

 

I don't have anything handy myself but I would assume something along these lines could work.

 

Do not use this code! It's just an example.

#!/bin/bash

# Your input file will be the first variable
IF=$1

# Your output file will be the second variable
OF=$2

# Create a firewall policy number to increment as we go
policy_num=1

# Start the loop
while IFS=, read -r col1 col2 col3   # Add as many columns as you need
do
   # Create your commands like this
   echo "config firewall policy" >> "$OF"
   echo "edit $policy_num" >> "$OF"
   echo "set srcint $col1" >> "$OF"
   echo "set dstint $col2" >> "$OF"
   # ...
   # Continue to build your policy this way
   echo "next" >> "$OF"
   echo "end" >> "$OF"
   echo "" >> "$OF"
   policy_num=$((policy_num+1))
done < "$IF"
# EOF

 

Hope this helps,

 

Sean (Gr@ve_Rose)

Site: https://tcpdump101.com Twitter: https://twitter.com/Grave_Rose Reddit: https://reddit.com/r/tcpdump101 Discord: https://discordapp.com/invite/2MZCqn6
rwpatterson
Valued Contributor III

One drawback to this approach: All predefined Fortigate items NEED TO MATCH EXACTLY. Case sensitive, special characters... Everything.

 

Interfaces

Firewall Objects & groups

Services

Traffic Shapers...

 

Also the order is important. All the above needs to exist before policy creation is started. Unless you have hundreds of policies to input, I would take the time and put them in by hand. Using the CLI, you'll get feedback immediately if something was wrong. For the most part the GUI won't let you add anything that won't work.

 

My two cents.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Ydaew
New Contributor III

Thank you so much, guys. Actually, there are a lot of firewalls to work on and configure, which is why I'm trying to minimize the work by automating it using some scripts. So far things are OK for static routes and network objects (for sure some need to be tuned manually, but at least we can minimize the time).

One more thing: all firewalls are going to be built from scratch, so Excel will be a good choice to arrange things.

 

 

 

emnoc
Esteemed Contributor III

You should really look at the API for automation and call out items through an API call. You could loop items through and set the changes to policies. We do this to add to existing addrgrps, and on a regular basis.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

Grave_Rose
New Contributor III

Good points, everyone. I've updated the example script to include API elements; however, this is still just a template to build upon (if anyone wants to use it). It will output the commands to an output file (instead of making live changes via API) for review. If you want to have the commands run immediately through the API calls, you can edit the parts in the "if [ $? == "0" ]" area.

 

This template only checks for object names existing, and the object name has to be the first item in every row of the CSV. It does not check for services, interfaces, UTM features or anything else; however, this can easily be added in if you want to check for those as well. I would suggest an array that gets looped through and a variable in the 'curl' statement to update the object you're currently checking for (example: /ips/sensor/).

 

Lastly, to CMA... :) This is provided as an example and template only and shouldn't be run. *edit: Just to be clear, in this template, it will set your "srcint" to be the object name which, obviously, isn't going to work. Again, this is just a reference point if you want to expand on it and create your own automation. :)

 

--SNIP--

#!/bin/bash

# Your input file will be the first variable
IF=$1
# Your output file will be the second variable
OF=$2
# Your API key will be the third variable
API=$3
# Your firewall management will be the fourth variable
HOST=$4
# Your firewall management port will be the last variable
PORT=$5

if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ]; then
   echo "Missing options!"
   echo "Usage: fw.sh <input csv> <output file> <api key> <firewall IP> <management port>"
   echo ""
   exit 255
fi

# Start at policy 1
# CHANGE THIS IF YOU ALREADY HAVE POLICIES
policy_num=1

# Empty any existing output file if it exists
: > "$OF"

# Start the loop
while IFS=, read -r col1 col2   # Add as many columns as you need
do
   # Check with the API to see if the object exists
   echo -n "Checking for $col1 ... "
   curl -sk "https://$HOST:$PORT/api/v2/cmdb/firewall/address/$col1?vdom=root&access_token=$API" | grep -iq '"status":"success"'
   # Get the return value of the previous command (the grep at the end of the pipeline)
   if [ $? == "0" ]; then
      echo "Found."
      echo "Creating commands to add firewall rule ... "
      # Create your commands like this
      echo "config firewall policy" >> "$OF"
      echo "edit $policy_num" >> "$OF"
      echo "set srcint $col1" >> "$OF"
      echo "set dstint $col2" >> "$OF"
      # ...
      # Continue to build your policy this way
      echo "next" >> "$OF"
      echo "end" >> "$OF"
      echo "" >> "$OF"
      policy_num=$((policy_num+1))
   else
      echo "Not found."
      echo "$col1 was not found!" >> "$OF"
      echo "" >> "$OF"
   fi
done < "$IF"
# EOF

--SNIP--

 

Hope this helps,

 

Sean (Gr@ve_Rose)

Site: https://tcpdump101.com Twitter: https://twitter.com/Grave_Rose Reddit: https://reddit.com/r/tcpdump101 Discord: https://discordapp.com/invite/2MZCqn6
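As an added example (not code from the thread, from Sean, or from Fortinet), here is a POSIX shell version of the CSV-to-CLI generator that Sean's two templates sketch, written to also enforce Bob's exact-match point: every interface, address and service name in a row is checked as a whole-line, case-sensitive match against a known-name list before any CLI is emitted, and rows that fail are reported and written to a side file instead of producing a policy the firewall would reject on import. The inventories are constructed stand-ins for the /api/v2/cmdb lookups the thread's script makes; the seven-column CSV layout, the list contents and the function names are assumptions of this example, and the emitted keywords follow the FortiOS `config firewall policy` syntax.

```shell
#!/bin/sh
# Added example, not code from the thread: generate FortiGate policy CLI from a
# CSV, emitting a policy only when every referenced object is an exact,
# case-sensitive match for a known name. Assumptions: plain comma-separated
# rows with no quoted fields; the inventories below are constructed in place
# of the firewall's address, interface and service tables.

KNOWN_ADDRESSES='all
DMZ-WEB-01
HQ-NET172_16_1-SERVER-1'
KNOWN_INTERFACES='wan1
port1
port2'
KNOWN_SERVICES='ALL
HTTPS
SSH'

# object_exists NAME LIST: exact whole-line, case-sensitive match (empty names never match).
object_exists() {
    [ -n "$1" ] && printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# row_errors NAME SRCINTF DSTINTF SRCADDR DSTADDR SERVICE ACTION
# Prints one line per problem; returns 1 if any problem was found.
row_errors() {
    _bad=0
    object_exists "$2" "$KNOWN_INTERFACES" || { echo "srcintf '$2' unknown"; _bad=1; }
    object_exists "$3" "$KNOWN_INTERFACES" || { echo "dstintf '$3' unknown"; _bad=1; }
    object_exists "$4" "$KNOWN_ADDRESSES"  || { echo "srcaddr '$4' unknown"; _bad=1; }
    object_exists "$5" "$KNOWN_ADDRESSES"  || { echo "dstaddr '$5' unknown"; _bad=1; }
    object_exists "$6" "$KNOWN_SERVICES"   || { echo "service '$6' unknown"; _bad=1; }
    case "$7" in accept|deny) ;; *) echo "action '$7' must be accept or deny"; _bad=1 ;; esac
    return $_bad
}

# render_policy ID NAME SRCINTF DSTINTF SRCADDR DSTADDR SERVICE ACTION
# Emits one policy in FortiOS 'config firewall policy' syntax.
render_policy() {
    printf 'config firewall policy\n'
    printf '    edit %s\n' "$1"
    printf '        set name "%s"\n' "$2"
    printf '        set srcintf "%s"\n' "$3"
    printf '        set dstintf "%s"\n' "$4"
    printf '        set srcaddr "%s"\n' "$5"
    printf '        set dstaddr "%s"\n' "$6"
    printf '        set service "%s"\n' "$7"
    printf '        set action %s\n' "$8"
    printf '        set schedule "always"\n'
    printf '        set logtraffic all\n'
    printf '    next\nend\n\n'
}

# generate_policies CSV OUT START_ID: accepted policies go to OUT, rejected
# rows to OUT.rejected; prints "<accepted> <rejected>" on stdout.
generate_policies() {
    _csv=$1; _out=$2; _id=${3:-1}
    _ok=0; _rej=0
    _cr=$(printf '\r')
    : > "$_out"; : > "$_out.rejected"
    # '|| [ -n "$name" ]' keeps a final row that has no trailing newline.
    while IFS=, read -r name src dst sa da svc act || [ -n "$name" ]; do
        act=${act%"$_cr"}                      # tolerate CRLF from spreadsheets
        [ -z "$name" ] && continue             # skip blank lines
        [ "$name" = "name" ] && continue       # skip the header row
        if _err=$(row_errors "$name" "$src" "$dst" "$sa" "$da" "$svc" "$act"); then
            render_policy "$_id" "$name" "$src" "$dst" "$sa" "$da" "$svc" "$act" >> "$_out"
            _id=$((_id + 1)); _ok=$((_ok + 1))
        else
            printf '%s,%s,%s,%s,%s,%s,%s\n' "$name" "$src" "$dst" "$sa" "$da" "$svc" "$act" >> "$_out.rejected"
            printf 'rejected %s: %s\n' "$name" "$(printf '%s' "$_err" | tr '\n' ';')" >&2
            _rej=$((_rej + 1))
        fi
    done < "$_csv"
    echo "$_ok $_rej"
}

# demo: runs the generator on a constructed CSV in a temporary directory.
demo() {
    _d=$(mktemp -d)
    cat > "$_d/policies.csv" <<'EOF'
name,srcintf,dstintf,srcaddr,dstaddr,service,action
web-in,wan1,port2,all,DMZ-WEB-01,HTTPS,accept
mgmt-ssh,port1,port2,HQ-NET172_16_1-SERVER-1,DMZ-WEB-01,SSH,accept
typo-case,wan1,port2,all,dmz-web-01,https,accept
EOF
    generate_policies "$_d/policies.csv" "$_d/policies.txt" 1
    cat "$_d/policies.txt"
    rm -rf "$_d"
}

if [ $# -ge 2 ]; then
    generate_policies "$1" "$2" "${3:-1}"
else
    demo
fi
```

Run it with no arguments for the built-in demo (the `typo-case` row is rejected because `dmz-web-01` and `https` differ from the inventory only in case), or as `sh gen_policies.sh policies.csv policies.txt 100` to start numbering at policy 100. If you wire the lookups back to the REST API, send the token in an `Authorization: Bearer` header rather than as an `access_token=` query parameter, so it does not end up in proxy logs, shell history or the firewall's own access logs.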
emnoc
Esteemed Contributor III

For mass creation of consecutive objects you could also do the following:

 

 

#!/bin/bash

# Wrap the objects in the address table so the output imports as a script
echo "config firewall address"
for (( b=1; b <= 254 ; b++ ))
do
    echo "edit HQ-NET172_16_1-SERVER-$b"
    echo "set subnet 172.16.1.$b 255.255.255.255"
    echo "next"
done
echo "end"

 

That would create objects from .1 through .254 in the 172.16.1.0/24 network. You can quickly blast out address ranges for various networks and import the output as a script cfg for the FGT or FGTmgr for execution.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

Ydaew
New Contributor III

Thanks! This is a great start.
