```
edit HOST-1
    set type ipmask
    set subnet 111.111.111.111/255.255.255.255
    set associated-interface OUTSIDE
next
edit HOST-2
    set type ipmask
    set subnet 222.222.222.222/255.255.255.255
    set associated-interface OUTSIDE
next
edit HOST-3
    set type ipmask
    set subnet 333.333.333.333/255.255.255.255
    set associated-interface OUTSIDE
end
```
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
```bat
@echo off
REM input: textfile addr.txt with IP,name,interface (one per line)
REM values delimited by commas, comments start with #
REM redirect output to a batch command file for uploading to a Fortigate
echo config firewall address
for /f " eol=# tokens=1-3 delims=," %%i in (addr.txt) do CALL :oneaddr %%i %%j %%k
echo end
goto :EOF

:oneaddr
echo edit %2
echo set type ipmask
echo set subnet %1/32
set intf=%3
if [%3]==[] set intf=ANY
echo set associated-interface %intf%
echo next
```

with this input file

```
# IP,Hostname,Interface
111.111.111.111,HOST-1,OUTSIDE
222.222.222.222,HOST-2
333.333.333.333,HOST-3,OUTSIDE
```

this output is produced:

```
config firewall address
edit HOST-1
set type ipmask
set subnet 111.111.111.111/32
set associated-interface OUTSIDE
next
edit HOST-2
set type ipmask
set subnet 222.222.222.222/32
set associated-interface ANY
next
edit HOST-3
set type ipmask
set subnet 333.333.333.333/32
set associated-interface OUTSIDE
next
end
```
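A variant of the generator above that validates every row before it emits any CLI line, as an added example (not code from the thread or from Fortinet). The function name `build_address_script`, the name allow-list and the sample rows are assumptions of this example; it rejects values that are not IPv4 addresses (such as 333.333.333.333), names outside the allow-list and duplicate names, and returns no script unless every row passes.

```python
import ipaddress
import re

# Allow-list for object and interface names: an assumption of this example,
# not a FortiOS rule. It keeps spaces and quotes out of the generated commands.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,63}")

# Constructed sample in the addr.txt format: IP,name[,interface]
SAMPLE = """\
# IP,Hostname,Interface
192.0.2.10,HOST-1,OUTSIDE
198.51.100.7,HOST-2
333.333.333.333,HOST-3,OUTSIDE
203.0.113.5,HOST 4,OUTSIDE
203.0.113.9,HOST-1,OUTSIDE
"""

def build_address_script(text):
    """Return (script, errors); script is None unless every row is valid."""
    lines, errors, seen = ["config firewall address"], [], set()
    for n, raw in enumerate(map(str.strip, text.splitlines()), 1):
        if not raw or raw.startswith("#"):
            continue  # blank line or comment, as in addr.txt
        fields = [f.strip() for f in raw.split(",")]
        if not 2 <= len(fields) <= 3:
            errors.append(f"line {n}: expected IP,name[,interface]")
            continue
        ip, name, intf = (fields + [""])[:3]
        intf = intf or "ANY"  # same default as the batch script
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            errors.append(f"line {n}: invalid IPv4 address {ip!r}")
            continue
        if not NAME_RE.fullmatch(name) or not NAME_RE.fullmatch(intf):
            errors.append(f"line {n}: name or interface has disallowed characters")
            continue
        if name in seen:  # a second 'edit NAME' would overwrite the first object
            errors.append(f"line {n}: duplicate object name {name!r}")
            continue
        seen.add(name)
        lines += [f"edit {name}", "set type ipmask", f"set subnet {ip}/32",
                  f"set associated-interface {intf}", "next"]
    lines.append("end")
    return (None if errors else "\n".join(lines) + "\n"), errors

if __name__ == "__main__":
    script, errors = build_address_script(SAMPLE)
    print(script or "\n".join(errors))
```

Run against the constructed sample, it reports lines 4, 5 and 6 and produces no script, so nothing partial gets uploaded.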
hi,
step-by-step on a Windows PC:
assuming you copied and pasted my batch script into notepad and saved that as "mkadr.cmd".
Then you write down your addresses in notepad and save that as "addr.txt".
- this name is fixed! the script expects only this name, you cannot change it. -
Then you open a commandline: press the Windows key (lower left of keyboard, between Ctrl and Alt), and type "cmd.exe" into the search field. A DOS box/command line window should open.
Go into the directory where you saved the 2 files: cd "C:\users\blabla\downloads"
You should be able to list these files: "dir mkadr.cmd", "dir addr.txt"
Now generate the batchcommands for the Fortigate: "mkadr > newadr.bcmd"
Check the file: "dir newadr.bcmd", filesize should be > 0.
To upload to the Fortigate, in the GUI go to System > Config > Advanced, Scripts and upload the file.
Afterwards check the address objects in Firewall Objects > Addresses.
Got it! Thanks. Can the generated conf file have a .conf extension too, or does it have to be only .bcmd?
thanks...
You said "Now generate the batchcommands for the Fortigate: "mkadr > newadr.bcmd"".
Should this command be run on the Fortigate or on my Windows PC?
The file extension can be anything. I personally prefer NOT to name it *.conf so as not to mistake it for a full configuration - they are only snippets. "*.bcmd" is my invention for "batch command".
I am using your concept of reading the txt file to read IP and auth from text files for Fortigate devices and create config backups. I get the backup, but I am getting stuck at passing the 4th parameter, client name, to the bat file.
My cmd:

```bat
@echo off
for /f " eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k
echo end
goto :EOF
:oneaddr
cd c:\Program Files\PuTTY
pscp -pw %3 %2@%1:sys_config c:\backup\%4-%DATE%-%TIME::=%.conf
```

and my fgts.txt file:

```
# ip,username,password,clientname
x.x.x.x,admin,password,devicename
y.y.y.y,admin,password,devicename
```

I have changed the tokens = 1-4, is that correct?
PS: enable admin-scp on the device if you are trying this:

```
config system global
set admin-scp enable
end
```

Help please.
You've got to reference the 4th parameter in the loop, like this:

```bat
for /f " eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k %%l
```

First token is assigned to %%i, 2nd to %%j...4th to %%l (small L).
worked like a charm, exactly what was needed.
Thanks a ton!
Copyright 2024 Fortinet, Inc. All Rights Reserved.