Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IShall
New Contributor

Validating firewall address objects

Hello,

Just wondering if anyone has managed to export Fortigate address host objects and ip addresses to a text file or csv etc ?

What I am really trying to achieve is to identify any inconsistencies in the address objects where either the host no longer exists or where the ip has been reallocated to a different host. So the process would be to identify any address object with a 255.255.255.255 mask, do a DNS lookup, try to ping it etc and report on this.

 

If I could extract the address and ips then I could probably do the rest in a bash script or something, but I imagine someone has already done the initial extraction part ? I've found the perl script to extract the policies into a .csv, but I'm not a perl guy, so if someone has done this already, that would be very useful.

 

Thanks in advance,

 

Fortigate 310B

Fortimanager 400A

Fortianalyzer 200D

 

FGT310B MR3 Patch 15 FMGR MR3 Patch 8
FGT310B MR3 Patch 15 FMGR MR3 Patch 8
4 REPLIES 4
Somashekara_Hanumant

Hi IShall,

 

From the CLI console  you can save the firewall address objects to a file

 

Open ssh session with fortigate using putty.exe and log all the output to a file (Session > Logging > All session output > Log File name > save the file as *.log)

config firewall address

sh full

end

 

all the output will be saved on a text file.

 

let me know if you have any further queries.

 

Regards,

Somu

EMEA Technical Support
Somashekara_Hanumant

Hi IShall,

 

using below command you can list the address object with 255.255.255.255 mask

 

sh firewall address | grep "255.255.255.255"

 

Hope this helps you.

 

Regards,

Somu

EMEA Technical Support
IShall
New Contributor

Thanks Somu,

Certainly that is the starting point. What I am aiming to do is extract the host objects (i.e. address object with type "ipmask" and mask "255.255.255.255") and further process just these. So I'll need some scripting to do that.

Regards,

FGT310B MR3 Patch 15 FMGR MR3 Patch 8
FGT310B MR3 Patch 15 FMGR MR3 Patch 8
emnoc
Esteemed Contributor III

Yeas and with the -A  you ca get the full name;

 

 show firewall address | grep -A 4 "255.255.255.255"

 

You will still need to manipulate the items to  find any duplicates or unused address or address-groups. Than you can cross reference these to  active policies.

 

I'm sure you could write a script parser to find all occurrence of "named address" to the policies.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors