- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Importing Firewall Addresses
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Importing Firewall Addresses
I'm testing a migration to 5.4. I have two 500Ds. One is in production right now running 5.2.3 and is stable. I decided I want to do a clean config for 5.4 because doing so exposes old settings you no longer need and forces you to rethink how you have rules setup, etc. It isn't easy, BUT it would be SO much easier if I could export or at least import a CSV list of my over 500 firewall addresses.
I did a select copy from the Firewall Address Screen copied those to Excel. This makes it very easy to sort and spot anomalies. I noticed that in 5.4 you have both "FDQN" and "Wildcard FQDN" so you need to make sure addresses are identified as such and have their "Type" converted. It is really unfortunate that color and tags are no longer in the 5.4 GUI as those were very useful for Addresses.
Anyway being able to build a clean list of addresses and types, then importing as a CSV via the GUi would be awesome. I may be able to figure out how to transpose my values using a script, but why create all the extra work when it could be built into the firewall and made easy? I'm sure there is a perl/regex wizard who has done this, but not my specialty unfortunately.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This may work for you - save an unenrypted backup of the old config and load that into a text editor, edit/trim the firewall address section, and enter/merge that into the new config (live or via text editer), perform a diagnose debug config-error-log read after merging/loading the changes.
config firewall address
edit "update.microsoft.com"
set associated-interface "port16"
set type fqdn
set fqdn "update.microsoft.com"
next
edit "download.windowsupdate.com"
set associated-interface "port16"
set type fqdn
set fqdn "download.windowsupdate.com"
next
edit "windowsupdate.microsoft.com"
set associated-interface "port16"
set type fqdn
set fqdn "windowsupdate.microsoft.com"
next
edit "msftncsi"
set associated-interface "port16"
set type fqdn
set fqdn "www.msftncsi.com"
next
edit "download.microsoft.com"
set associated-interface "port16"
set type fqdn
set fqdn "download.microsoft.com"
next
edit "wustat.windows.com"
set associated-interface "port16"
set type fqdn
set fqdn "wustat.windows.com"
next
edit "ntservicepack.microsoft.com"
set associated-interface "port16"
set type fqdn
set fqdn "ntservicepack.microsoft.com"
next
end
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
...never associate an address object with a port...next time, the port is renamed, other hardware or whatever, poof...
And yes, I've ported addresses, adress groups and other mass definitions from the config file into a *.bcmd text file to bulk import it. Runs smoothly.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ede_pfau wrote:Funny was just thanking your for your script. Can you elaborate on the above?And yes, I've ported addresses, adress groups and other mass definitions from the config file into a *.bcmd text file to bulk import it. Runs smoothly.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, what I meant was that while porting I grabbed the original data from the old config file (just the part of the "firewall address" block), skimmed through and then bulk imported that into the new config.
Cleaning up is a whole different process, especially in a "grown" config. The XML-like structure makes sorting etc. clumsy in a regular editor but should make it easier if the editor would handle that format. Scripting guy that I am I'd rather not start off with a screen grab but pick the addresses from the config via grep or the like.
There's another task, importing lists of IP addresses, be it blacklisted addresses or TOR network nodes or whatever. They usually come in thousands, and one better use scripting for this. Then, an address group can only hold nnn addresses (model dependent) so the script has to split the addresses up into groups etc.
For example, I had a list of ~ 7.000 addresses to import into a FG-240D (v5.2). Address group size limit is 10.000 - so I read in the Max Values table. The thing would not import more than 4.937 in one group no matter what. So I had to create multiple address groups and one supergroup to hold these. I'm sure Fortinet doesn't know about this yet...
My script really is rudimentary, and for the Windows cmdline. But it's short, and I hope that means it doesn't have many chances to fail.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I've used that method a bunch of times, but the nice thing about Excel is it allows you to really clean things up before exporting back to the native format. This list has been growing since 2007! I can search and group on "microsoft.com" for example to see how many duplicates I might have. User @ede_pfau has a nice script (https://forum.fortinet.com/tm.aspx?m=102532) that should take CSV text output and transpose it to the Fortinet format with the next, set, and end commands added. I'm planning to test that in the next few days.
You can highlight all of your entries in the FG Addresses Window to copy and then paste into Excel. For me, having over 500 entries it really helped me spot some mistakes in how another user had entered some FQDNs.
I think one missing field is whether the domain entered is "trusted" or "hostile". I used to color code my domains, red for bad, green for good. I also had them tagged. Along the way those features were removed. So I'm now considering prefacing all of my entries with TR (trusted) and H (hostile) and then the type of entry it is:
WD - Wildcard Domain
FD - Fully Qualified Domain
SN - Subnet
GEO - Geography
So TR-WD-domain.com would be an example of what the entry NAME would be for a trusted, wildcard, domain. I'm thinking it not wise to put the * in the description of the name.
That way they should sort logically in the display and allow me to create rules/groups where I'm not mixing WD and SN for example which from experience tends to break rules I think. One group for each type applied to specific rules keeps things cleaner.
I agree to keep the port to ANY in most cases and it causes problems down the road.
Related Posts
Labels
-
FortiGate
6,498 -
FortiClient
1,298 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
105 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
NAT
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.