Hello everyone,
I'm looking for a script to generate policy text file (CLI fromat) from CSV file.
Thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
One drawback to this approach: All predefined Fortigate items NEED TO MATCH EXACTLY. Case sensitive, special characters... Everything.
Interfaces
Firewall Objects & groups
Services
Traffic Shapers...
Also the order is important. All the above needs to exist before policy creation is started. Unless you have hundreds of policies to input, I would take the time and put them in by hand. Using the CLI, you'll get feedback immediately if something was wrong. For the most part the GUI won't let you add anything that won't work.
My two cents.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Thank you so much guys, Actually a lot of firewalls to work on and configure, this is why i'm trying to minimize the work by automate it using some scripts. So far things are OK for static route and network objects (for sure some needs to be tuned manually but at least we can minimize the time).
One more thing, all firewalls are going to be built from scratch, so excel will be good choice to arrange things.
You should really look at the API for automation and call out items thru a API call. you could loop items thru and set the changes to policies. We do this to add to exist addrgrps and on a regular basis.
Ken Felix
PCNSE
NSE
StrongSwan
Good points, everyone. I've updated the example script to include API elements however this is still just a template to build upon (if anyone wants to use it). It will output the commands to an output file (instead of making live changes via API) for review. If you want to have the commands run immediately through the API calls, you can edit the parts in the "if [ $? == "0" ]" area.
This template only checks for object names existing and the object name has to be the first item in every row of the CSV. It does not check for services, interfaces, UTM features or anything else however this can easily be added in if you want to check for those as well. I would suggest an array that gets looped through and a variable in the 'curl' statement to update the object you're currently checking for (example: /ips/sensor/).
Lastly, to CMA... :) This is provided as an example and template only and shouldn't be run. *edit: Just to be clear, in this template, it will set your "srcint" to be the object name which, obviously, isn't going to work. Again, this is just a reference point if you want to expand on it and create your own automation. :)
--SNIP--
#!/bin/bash # Your input file will be the first variable IF=$1 # Your output file will be the second variable OF=$2 # Your API key will be the third variable API=$3 # Your firewall management will be the fourth variable HOST=$4 # Your firewall management port will be the last variable PORT=$5 if [ -z $1 ] || [ -z $2 ] || [ -z $3 ] || [ -z $4 ] || [ -z $5 ]; then echo "Missing options!" echo "Usage: fw.sh <input csv> <output file> <api key> <firewall IP> <management port>" echo "" exit 255 fi # Start at policy 1
# CHANGE THIS IF YOU ALREADY HAVE POLICIES policy_num=1
# Empty any existing output file if it exists
echo "" > $2
# Start the loop while IFS=, read -r col1 col2 # Add as many columns as you need do # Check with the API to see if the object exists echo -n "Checking for $col1 ... " curl -sk "https://$HOST:$PORT/api/v2/cmdb/firewall/address/$col1?vdom=root&access_token=$API" | grep -i "\"status\":\"success\"" > /dev/null 2>&1 # Get the return value of the previous command if [ $? == "0" ]; then echo "Found." echo "Creating commands to add firewall rule ... " # Create your commands like this echo "config firewall policy" >> $2 echo "edit $policy_num" >> $2 echo "set srcint $col1" >> $2 echo "set dstint $col2" >> $2 # ... # Continue to build your policy this way echo "next" >> $2 echo "end" >> $2 echo "" >> $2 policy_num=$((policy_num+1)) else echo "Not found." echo "$col1 was not found!" >> $2 echo "" >> $2 fi done < $1 # EOF
--SNIP--
Hope this helps,
Sean (Gr@ve_Rose)
Site: https://tcpdump101.com
Twitter: https://twitter.com/Grave_Rose
Reddit: https://reddit.com/r/tcpdump101
For mass creation of consective objs you could also do the following
#!/bin/bash for (( b=1; b <= 254 ; b++)) do echo edit HQ-NET172_16_1-SERVER-$b echo "set subnet 172.16.1.$b 255.255.255.255" echo "next" done
That would create objects from . .1 thru .254 in the 172.16.1.0/24 network. You can quickly . blast out address ranges for various networks and import the output as a script cfg for the FGT or FGTmgr for execution.
Ken Felix
Ken Felix
PCNSE
NSE
StrongSwan
Hey Ydaew,
I don't have anything handy myself but I would assume something along these lines could work.
Do not use this code! It's just an example.
#!/bin/bash
# Your input file will be the first variable
IF=$1
# Your output file will be the second variable
OF=$2
# Start the loop
while IFS=, read -r col1 col2 col3 ... # Add as many columns as you need
# Create a firewall policy number to increment as we go
policy_num=1
do
# Create your commands like this
echo "config firewall policy" >> $2
echo "edit $policy_num" >> $2
echo "set srcint $col1" >> $2
echo "set dstint $col2" >> $2
# ...
# Continue to build your policy this way
echo "next" >> $2
echo "end" >> $2
echo "" >> $2
policy_num=$((policy_num+1))
done < $1
# EOF
Hope this helps,
Sean (Gr@ve_Rose)
Site: https://tcpdump101.com
Twitter: https://twitter.com/Grave_Rose
Reddit: https://reddit.com/r/tcpdump101
One drawback to this approach: All predefined Fortigate items NEED TO MATCH EXACTLY. Case sensitive, special characters... Everything.
Interfaces
Firewall Objects & groups
Services
Traffic Shapers...
Also the order is important. All the above needs to exist before policy creation is started. Unless you have hundreds of policies to input, I would take the time and put them in by hand. Using the CLI, you'll get feedback immediately if something was wrong. For the most part the GUI won't let you add anything that won't work.
My two cents.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Thank you so much guys, Actually a lot of firewalls to work on and configure, this is why i'm trying to minimize the work by automate it using some scripts. So far things are OK for static route and network objects (for sure some needs to be tuned manually but at least we can minimize the time).
One more thing, all firewalls are going to be built from scratch, so excel will be good choice to arrange things.
You should really look at the API for automation and call out items thru a API call. you could loop items thru and set the changes to policies. We do this to add to exist addrgrps and on a regular basis.
Ken Felix
PCNSE
NSE
StrongSwan
Good points, everyone. I've updated the example script to include API elements however this is still just a template to build upon (if anyone wants to use it). It will output the commands to an output file (instead of making live changes via API) for review. If you want to have the commands run immediately through the API calls, you can edit the parts in the "if [ $? == "0" ]" area.
This template only checks for object names existing and the object name has to be the first item in every row of the CSV. It does not check for services, interfaces, UTM features or anything else however this can easily be added in if you want to check for those as well. I would suggest an array that gets looped through and a variable in the 'curl' statement to update the object you're currently checking for (example: /ips/sensor/).
Lastly, to CMA... :) This is provided as an example and template only and shouldn't be run. *edit: Just to be clear, in this template, it will set your "srcint" to be the object name which, obviously, isn't going to work. Again, this is just a reference point if you want to expand on it and create your own automation. :)
--SNIP--
#!/bin/bash # Your input file will be the first variable IF=$1 # Your output file will be the second variable OF=$2 # Your API key will be the third variable API=$3 # Your firewall management will be the fourth variable HOST=$4 # Your firewall management port will be the last variable PORT=$5 if [ -z $1 ] || [ -z $2 ] || [ -z $3 ] || [ -z $4 ] || [ -z $5 ]; then echo "Missing options!" echo "Usage: fw.sh <input csv> <output file> <api key> <firewall IP> <management port>" echo "" exit 255 fi # Start at policy 1
# CHANGE THIS IF YOU ALREADY HAVE POLICIES policy_num=1
# Empty any existing output file if it exists
echo "" > $2
# Start the loop while IFS=, read -r col1 col2 # Add as many columns as you need do # Check with the API to see if the object exists echo -n "Checking for $col1 ... " curl -sk "https://$HOST:$PORT/api/v2/cmdb/firewall/address/$col1?vdom=root&access_token=$API" | grep -i "\"status\":\"success\"" > /dev/null 2>&1 # Get the return value of the previous command if [ $? == "0" ]; then echo "Found." echo "Creating commands to add firewall rule ... " # Create your commands like this echo "config firewall policy" >> $2 echo "edit $policy_num" >> $2 echo "set srcint $col1" >> $2 echo "set dstint $col2" >> $2 # ... # Continue to build your policy this way echo "next" >> $2 echo "end" >> $2 echo "" >> $2 policy_num=$((policy_num+1)) else echo "Not found." echo "$col1 was not found!" >> $2 echo "" >> $2 fi done < $1 # EOF
--SNIP--
Hope this helps,
Sean (Gr@ve_Rose)
Site: https://tcpdump101.com
Twitter: https://twitter.com/Grave_Rose
Reddit: https://reddit.com/r/tcpdump101
For mass creation of consective objs you could also do the following
#!/bin/bash for (( b=1; b <= 254 ; b++)) do echo edit HQ-NET172_16_1-SERVER-$b echo "set subnet 172.16.1.$b 255.255.255.255" echo "next" done
That would create objects from . .1 thru .254 in the 172.16.1.0/24 network. You can quickly . blast out address ranges for various networks and import the output as a script cfg for the FGT or FGTmgr for execution.
Ken Felix
Ken Felix
PCNSE
NSE
StrongSwan
Thanks! this is a great start
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.