seadave
Contributor III

Requested 5.2.X Features

I'm running a 100D with 5.2.2.  We will be upgrading to a 300D later this year.  Overall, I think 5.2.2 is a good release, but there are some improvements that I think would benefit users.

 

We have some Objects\Addresses\Groups with over 100 domains.  When you attempt to add a new domain to one of those lists, it prompts you to add at the bottom which tends to scroll off the bottom of the screen.  Better to prompt at the top of the list so it can be seen.

 

It would be incredibly helpful to be able to import and export lists in CSV or TAB format for review.  (Native Excel would be even better!).  This would help with bulk edits (as long as you could import them back in also!) and make it much easier to maintain large lists and spot discrepancies.  I'm specifically speaking of Addresses Groups lists, and Static URL Filter lists in Web Filters.

 

In 4.3.18, I was able to both block and allow specific files by name or pattern.  In 5.2.2 I'm only able to block.  There is no option to allow now which creates a lot of extra work and can create some security gaps.  Based on documentation I have read, if I want to block .EXEs but allow specific ones from specific hosts for example, I only have the option to use the "set exempt dlp" option under the "webfilter urlfilter" option.  This is odd, and why are the exemptions for the various scanning engines not viewable in the GUI?  Only a global "Exempt".  This creates a lot of extra work.  It is also not clear to me if this will even work because DLP is processed before Web Filtering based on the Life of a Packet explanation in the Handbook.

 

emnoc
Esteemed Contributor III

I'll address the following................

 

It would be incredibly helpful to be able to import and export lists in CSV or TAB format for review.  (Native Excel would be even better!).  This would help with bulk edits (as long as you could import them back in also!) and make it much easier to maintain large lists and spot discrepancies.  I'm specifically speaking of Addresses Groups lists, and Static URL Filter lists in Web Filters.

 

You have a script function that would allow for this currently. You can use a cfg maker to make the appropriate configuration and run the bulk script function from the webGui. Any errors will be quickly indicated.

 

config > advanced  script

 

 

PCNSE NSE StrongSwan
seadave
Contributor III

emnoc-

 

Thanks I've used that before, but I can get that from the show command in the CLI.  What I'm suggesting is that instead of seeing this:

 

config webfilter urlfilter
    edit 1
        set name "URL_List"
        config entries
            edit 6
                set url "/dl.google/."
                set type regex
                set exempt dlp
            next
            edit 8

 

It would be so much easier to see this:

 

"/dl.google/."   regex  exempt  "dlp"

 

I think you would need "s around the URL and filter exemptions to account for escapable characters and commas.

 

I would hazard to guess that most of us are not the best scripters.  Being able to arrange items in an Excel table is grade school level computer work and would be available to pretty much everyone who needed it for that purpose.  I also think the ability to spot configuration deviation when items are laid out in a table is also of value.

 

Thanks

 


emnoc
Esteemed Contributor III

I think you have to be creative & use some parser and scripting language. I'm sure a seasoned perl, bash/csh, scripting guy could hack something up.

Take your earlier example. You could maybe use awk and export the awk variable $values$ and make the cfg using a configuration script.

( a rough idea ,,,, haven't played around or given it a lot of thought at this point )

 

( the sample file entry per line )

 

cat mycsv.txt
"/dl.google/."   regex  exempt  "dlp"

 

Now we export the awk variables

 

export VAL1=`awk ' { print $1 } ' mycsv.txt`
export VAL2=`awk ' { print $2 } ' mycsv.txt`
export VAL3=`awk ' { print $3 } ' mycsv.txt`
export VAL4=`awk ' { print $4 } ' mycsv.txt`

 

 

And then pass this to a cfg maker script similar to the following, in a loop that reads each line in and processes the variables

 

 

while read -r VAL1 VAL2 VAL3 VAL4
do
  echo "edit 6"            # entry ID; each entry needs its own
  echo "set url $VAL1"
  echo "set type $VAL2"
  echo "set exempt $VAL4"
  echo "next"
done < mycsv.txt

 

Maybe what Fortinet could do is to build a script tool for processing flat comma or space separated file entries for common items

 

url list

address listing

addressgroups

 

Or you would need to make your own cfgmaker tools  similar to this;

http://socpuppet.blogspot...g-script-to-speed.html

 

PCNSE NSE StrongSwan
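
Added example (not code from either poster or from Fortinet): a POSIX sh/awk round trip between the "config entries" block quoted earlier in the thread and a tab-separated table with columns id, url, type, exempt, so a list can be reviewed in a spreadsheet and turned back into a script for the bulk script upload. The function names, the id column, entry 8 and the "simple"/"wildcard" type values are assumptions not taken from the thread.

```shell
# cfg_to_table: "show" output on stdin -> id<TAB>url<TAB>type<TAB>exempt per entry
cfg_to_table() {
  awk '
    function val(  s) { s = $0; sub(/^[ \t]*set[ \t]+[a-z-]+[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    $1 == "config" && $2 == "entries" { inside = 1; next }
    !inside { next }                 # skip the list-level "edit 1" and "set name"
    $1 == "edit" { id = $2; url = type = exempt = "" }
    $1 == "set" && $2 == "url"    { url = val() }
    $1 == "set" && $2 == "type"   { type = val() }
    $1 == "set" && $2 == "exempt" { exempt = val() }
    $1 == "next" { printf "%s\t%s\t%s\t%s\n", id, url, type, exempt }
    $1 == "end"  { inside = 0 }
  '
}

# table_to_cfg LIST_ID: the same rows on stdin -> CLI script for the bulk script upload.
# One bad row aborts with no output, so a half-built list is never uploaded.
table_to_cfg() {
  case "$1" in ''|*[!0-9]*) echo "list id must be numeric" >&2; return 2 ;; esac
  awk -F '\t' -v list="$1" '
    # url: one quoted token, no embedded quote, no backslash before the closing quote
    $1 !~ /^[0-9]+$/ || $2 !~ /^"[^"]*"$/ || $2 ~ /\\"$/ ||
    $3 !~ /^(simple|regex|wildcard)$/ || $4 !~ /^[a-z -]*$/ {
      printf "row %d rejected: %s\n", NR, $0 > "/dev/stderr"; bad = 1; next
    }
    { out = out "edit " $1 "\nset url " $2 "\nset type " $3 "\n"
      if ($4 != "") out = out "set exempt " $4 "\n"
      out = out "next\n" }
    END { if (bad) exit 1
          printf "config webfilter urlfilter\nedit %s\nconfig entries\n%send\nnext\nend\n", list, out }
  '
}

# Constructed sample: entry 6 is the one shown in the thread, entry 8 is made up.
SAMPLE_CFG='config webfilter urlfilter
edit 1
set name "URL_List"
config entries
edit 6
set url "/dl.google/."
set type regex
set exempt dlp
next
edit 8
set url "example.com"
set type simple
next
end'
printf '%s\n' "$SAMPLE_CFG" | cfg_to_table | table_to_cfg 1
```

Because the exempt column sits next to each URL in the table, entries that bypass DLP or another engine can be sorted and reviewed in one pass before the script is uploaded.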
seadave
Contributor III

I fully get what you are trying to say.  If you can script, you can do anything.  I fully admit, despite being in IT for over 20 years this is one of my weak points.  I'm just not a good coder.  I'm a mile wide on many different techs and deeper on particular things such as VMWare, Fortinet, switching, etc.  I can do many things well, and many things that others seem to have trouble figuring out, but coding is not one of those things unfortunately (not that I haven't tried).  So my point is why make it difficult?  For those 90% of us that aren't good with regex, awk, or perl, allow us to export and import via tables using a simple template and a gui page (browse select file, import/export, save file).  I've worked with many other systems that require input of lists and this is not a novel concept.

 

If you script all of the time, the type of solution you propose can flow like water from your brain.  For me it is like hitting a brick wall, causes frustration, and requires a few days of time (which is always in short supply) digging through web pages and help commands.  Then when I finally get it to work, I don't have a need to use it for another 6 to 12 months and it gets buried with all of the other day to day madness that compromises daily IT work.

 

So your solution is elegant and I'm sure would work, but why can't Fortinet just make it easy to begin with?  The storage market is a good example of this.  There are a hundred different SAN vendors, but there are vendors such as Dell EqualLogic that focused on implementation simplicity from the start and it shows.  I would say the Forti Configurator is a good step in this direction.

 

All that being said, I'll consider your example and see if that will work considering I have no other option at this time.

 
