Show custom local-in policies in FortiGate WebUI

Dannу · ‎01-31-2023

Works with IPv4 & IPv6 local-in policies.

Can auto-run when imported as Userscript.
Purely reads and shows the config, not touching it.
If you use it, please write a comment or click the Kudo button.

Show custom local-in policies in FortiGate's WebUI with just a click!

Login to your FortiGate's WebUI and open to the local-in policy
- Enable in System > Feature Visibility if required
Create a new bookmark in your web browser and copy the JavaScript code below into the URL field.
Click the bookmark and enjoy viewing your custom local-in policies!

Result:
Copy & paste into a bookmark:

javascript:(async function(){const ip4=await fetch('/api/v2/cmdb/firewall/local-in-policy');const a4=await ip4.json();const ip6=await fetch('/api/v2/cmdb/firewall/local-in-policy6');const a6=await ip6.json();const m=document.querySelector('.mutable-menu');const p=document.createElement('div');p.setAttribute("id","clip");s=t="<table style='width:100%;padding:0;border-spacing:0;border-collapse:collapse'><tr>";if(a4.size===0 && a6.size===0){s+="<td style='text-align:center;color:#aaa'>No custom Local-in policy configured.</td></tr>"}else{u="<td style='height:37px;text-align:center;background-color:gainsboro;border:1px solid #B9B9B9' colspan='9'>Custom Local-In ";v="Policy<span style='color:#aaa'> &rarr; configured via CLI / API</span></td></tr>";w="<tr style='height:32px;text-align:center;color:#fff;background-color:#5A5A5A;border:1px solid #B9B9B9'><td>&nbsp;#&nbsp;</td><td>Status</td><td>Interface</td><td>Source</td><td>Destination</td><td>Service</td><td>Action</td><td>Schedule</td><td>Comments</td></tr>"}if(a4.size!=0){if(a6.size===0){s+=u+v+w}else{s+=u+"<span style='color:green'>IPv4</span> "+v+w}for(const _ of a4.results){src_='';for(let i in _.srcaddr){if(i!=0){src_+='<br>'}if(_["srcaddr-negate"]=='enable'){src_+='<f-icon class="fa-negate" title="Negated" style="cursor:pointer"></f-icon>&nbsp;'}src_+=_.srcaddr[i].name}dst_='';for(let j in _.dstaddr){if(j!=0){dst_+='<br>'}if(_["dstaddr-negate"]=='enable'){dst_+='<f-icon class="fa-negate" title="Negated" style="cursor:pointer"></f-icon>&nbsp;'}dst_+=_.dstaddr[j].name}svc_='';for(let k in _.service){if(k!=0){svc_+='<br>'}if(_["service-negate"]=='enable'){svc_+='<f-icon class="fa-negate" title="Negated" style="cursor:pointer"></f-icon>&nbsp;'}svc_+=_.service[k].name}s+='<tr style="height:32px;text-align:center"><td style="border:1px solid #E2E2E2">'+_.policyid+'</td><td style="border:1px solid #E2E2E2">'+_.status.replace('enable','<f-icon class="fa-enabled" title="Enabled" style="cursor:pointer"></f-icon>&nbsp;Enabled').replace('disable','<f-icon class="fa-disabled" title="Disabled" style="cursor:pointer"></f-icon>&nbsp;<span style="color:silver">Disabled</span>')+_["ha-mgmt-intf-only"].replace('enable','<br>HA&nbsp;management&nbsp;interface&nbsp;only').replace('disable','')+'</td><td style="border:1px solid #E2E2E2">'+_.intf+'</td><td style="border:1px solid #E2E2E2">'+src_+'</td><td style="border:1px solid #E2E2E2">'+dst_+'</td><td style="border:1px solid #E2E2E2">'+svc_+'</td><td style="border:1px solid #E2E2E2">'+_.action.replace('deny','<f-icon class="fa-denied" title="Deny" style="cursor:pointer"></f-icon>&nbsp;DENY').replace('accept','<f-icon class="fa-accepted" title="Accept" style="cursor:pointer"></f-icon>&nbsp;ACCEPT')+'</td><td style="border:1px solid #E2E2E2">'+_.schedule+'</td><td style="border:1px solid #E2E2E2">'+_.comments+'</td></tr>'}}if(a6.size!=0){t+=u+"<span style='color:darkviolet'>IPv6</span> "+v+w;for(const _ of a6.results){src_='';for(let l in _.srcaddr){if(l!=0){src_+='<br>'}if(_["srcaddr-negate"]=='enable'){src_+='<f-icon class="fa-negate" title="Negated" style="cursor:pointer"></f-icon>&nbsp;'}src_+=_.srcaddr[l].name}dst_='';for(let m in _.dstaddr){if(m!=0){dst_+='<br>'}if(_["dstaddr-negate"]=='enable'){dst_+='<f-icon class="fa-negate" title="Negated" style="cursor:pointer"></f-icon>&nbsp;'}dst_+=_.dstaddr[m].name}svc_='';for(let n in _.service){if(n!=0){svc_+='<br>'}if(_["service-negate"]=='enable'){svc_+='<f-icon class="fa-negate" title="Negated" style="cursor:pointer"></f-icon>&nbsp;'}svc_+=_.service[n].name}t+='<tr style="height:32px;text-align:center"><td style="border:1px solid #E2E2E2">'+_.policyid+'</td><td style="border:1px solid #E2E2E2">'+_.status.replace('enable','<f-icon class="fa-enabled" title="Enabled" style="cursor:pointer"></f-icon>&nbsp;Enabled').replace('disable','<f-icon class="fa-disabled" title="Disabled" style="cursor:pointer"></f-icon>&nbsp;<span style="color:silver">Disabled</span>')+'</td><td style="border:1px solid #E2E2E2">'+_.intf+'</td><td style="border:1px solid #E2E2E2">'+src_+'</td><td style="border:1px solid #E2E2E2">'+dst_+'</td><td style="border:1px solid #E2E2E2">'+svc_+'</td><td style="border:1px solid #E2E2E2">'+_.action.replace('deny','<f-icon class="fa-denied" title="Deny" style="cursor:pointer"></f-icon>&nbsp;DENY').replace('accept','<f-icon class="fa-accepted" title="Accept" style="cursor:pointer"></f-icon>&nbsp;ACCEPT')+'</td><td style="border:1px solid #E2E2E2">'+_.schedule+'</td><td style="border:1px solid #E2E2E2">'+_.comments+'</td></tr>'}}f="</table><br><table style='width:100%;padding:0;border-spacing:0;border-collapse:collapse'><tr><td style='height:37px;text-align:center;background-color:gainsboro;border:1px solid #B9B9B9;border-bottom:0'>Auto Local-In Policy<span style='color:#aaa'> &rarr; managed by FortiGate</span></td></tr></table>";if(a6.size===0){p.innerHTML=s+f}else{if(a4.size===0){p.innerHTML=t+f}else{p.innerHTML=s+"</table><br>"+t+f}}if(document.contains(document.getElementById("clip"))){document.getElementById("clip").remove();}m.after(p)})();

Yurisk · ‎02-01-2023

Hello Danny,

thanks for the useful script - tried it on few Forti already, works as expected, works on 6.4.x, 6.2.x, and 7.2.x. It does not work on 5.6.x I am sure because API paths are different in older versions, which is ok - not many left at 5.6.x train anyway.

If you can host it somewhere - your blog/Github/etc, I will be glad to put a link to it on my Local-in post https://yurisk.info/2020/06/07/fortigate-local-in-policy/ which comes quite high in the Google searches, for better outreach.

Best regards

Yuri

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

vweis · ‎02-01-2023

Very helpful UX improvement for Local-In Policies in the GUI!

Digital security, everywhere you need it.

KhanhVSS · ‎02-01-2023

Its so awesome, hope this will be added to UI soon

thantzm · ‎02-01-2023

It's awesome and very helpful.

Roee-Golan · ‎02-15-2023

Dear Dannу,

Thank you for the technical guide you provided.

Best regards,
Roee Golan.

PRosenlind · ‎02-15-2023

This looks amazing! I've always missed this feature. We always talk about using local-in policys but they are always very hard to "grip". This helps for sure!

Thanks for your contribution Danny!

YannicS · ‎05-12-2023

Very helpful!
Would be great if this could be added to your FortiGate WebUI tool.

Dannу · ‎07-06-2023

I added it to the WebUI tool.

ezhupa · ‎11-20-2024

Hello Danny,

Thanks a lot for your work and very convenient tools!!

Kudos to you!

Show custom local-in policies in FortiGate WebUI

Nominate a Forum Post for Knowledge Article Creation