One drawback to this approach: All predefined Fortigate items NEED TO MATCH EXACTLY. Case sensitive, special characters... Everything.

Interfaces

Firewall Objects & groups

Services

Traffic Shapers...

Also the order is important. All the above needs to exist before policy creation is started. Unless you have hundreds of policies to input, I would take the time and put them in by hand. Using the CLI, you'll get feedback immediately if something was wrong. For the most part the GUI won't let you add anything that won't work.

My two cents.

Thank you so much guys, Actually a lot of firewalls to work on and configure, this is why i'm trying to minimize the work by automate it using some scripts. So far things are OK for static route and network objects (for sure some needs to be tuned manually but at least we can minimize the time). 

One more thing, all firewalls are going to be built from scratch, so excel will be good choice to arrange things. 

You should really look at the API for automation and call out items thru a API call. you could loop items thru and set the changes to policies. We do this to add to exist addrgrps and on a regular basis.

Ken Felix

Good points, everyone. I've updated the example script to include API elements however this is still just a template to build upon (if anyone wants to use it). It will output the commands to an output file (instead of making live changes via API) for review. If you want to have the commands run immediately through the API calls, you can edit the parts in the "if [ $? == "0" ]" area.

This template only checks for object names existing and the object name has to be the first item in every row of the CSV. It does not check for services, interfaces, UTM features or anything else however this can easily be added in if you want to check for those as well. I would suggest an array that gets looped through and a variable in the 'curl' statement to update the object you're currently checking for (example: /ips/sensor/).

Lastly, to CMA... :) This is provided as an example and template only and shouldn't be run. *edit: Just to be clear, in this template, it will set your "srcint" to be the object name which, obviously, isn't going to work. Again, this is just a reference point if you want to expand on it and create your own automation. :)

--SNIP--

#!/bin/bash   # Your input file will be the first variable IF=$1 # Your output file will be the second variable OF=$2 # Your API key will be the third variable API=$3 # Your firewall management will be the fourth variable HOST=$4 # Your firewall management port will be the last variable PORT=$5   if [ -z $1 ] || [ -z $2 ] || [ -z $3 ] || [ -z $4 ] || [ -z $5 ]; then    echo "Missing options!"    echo "Usage: fw.sh <input csv> <output file> <api key> <firewall IP> <management port>"    echo ""    exit 255 fi # Start at policy 1

# CHANGE THIS IF YOU ALREADY HAVE POLICIES policy_num=1

# Empty any existing output file if it exists

echo "" > $2

# Start the loop while IFS=, read -r col1 col2 # Add as many columns as you need do    # Check with the API to see if the object exists    echo -n "Checking for $col1 ... "    curl -sk "https://$HOST:$PORT/api/v2/cmdb/firewall/address/$col1?vdom=root&access_token=$API" | grep -i "\"status\":\"success\"" > /dev/null 2>&1    # Get the return value of the previous command    if [ $? == "0" ]; then        echo "Found."        echo "Creating commands to add firewall rule ... "        # Create your commands like this       echo "config firewall policy" >> $2       echo "edit $policy_num" >> $2       echo "set srcint $col1" >> $2       echo "set dstint $col2" >> $2       # ...       # Continue to build your policy this way       echo "next" >> $2       echo "end" >> $2       echo "" >> $2       policy_num=$((policy_num+1))    else        echo "Not found."        echo "$col1 was not found!" >> $2        echo "" >> $2    fi done < $1 # EOF

--SNIP--

Hope this helps,

Sean (Gr@ve_Rose)

For mass creation of consective objs you could also do the following 

#!/bin/bash   for (( b=1; b <= 254 ; b++))   do     echo edit HQ-NET172_16_1-SERVER-$b     echo    "set subnet 172.16.1.$b 255.255.255.255"     echo   "next" done

That would create objects from .  .1 thru .254 in the 172.16.1.0/24 network. You can quickly . blast out address ranges for various networks and import the output  as a script cfg for the FGT or FGTmgr for execution.

Ken Felix

Ken Felix