I want to set all the categories in one group to Block, that isn't difficult as long as all the firewalls are using the exact same web policy name and all the other category settings are identical across all the firewalls. BUT, even where the policies are named the same the category settings differ, and some firewalls have many more policies than others.
I can look up the category numbers that make up the group and set them based on that if it helps. And I can write a CLI script that will do all I need for the default policies.
The problem comes when the firewall has many more, or differently named policies. Is there any kind of command line wildcard that would apply my change to all web policies? Or maybe there is a better approach? Going through each firewall individually would be a solid week of work and wouldn't give me anything I can add to FortiManager for future use.
I do have a standard that most of our commercial clients get, then there is another standard for our Gov clients, and that is broken down to basically 3 standards: dept-A, dept-B, and other. But even then there are individual departments with widely varying approaches to who gets what access. I wish I could just say "everyone gets this". In the end I can make a number of groups but nothing close to a global standard.
I already use scripts like you show, but that means many scripts.
What I was hoping for was a script that would query the web profile names and store them as a list of variables. Then use those variables in the `edit "variable-x"` command, thus applying all the changes to all the profiles known or unknown.
You can create a meta field (System Settings > Advanced > Meta Fields) for the webfilter. Then for each unit, you can put the webfilter profile name in this field. The meta field can then be used in a CLI script as long as you are pushing the script to the device database instead of the policy package.
It should run this way, then you would have to do an install of the device database settings to the device. The only downfall to this is since it is pushed from the device database, the policy package is going to probably become out of sync and you would need to re-import that to sync it up again. I have not tried it so I am not 100% sure.
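One way to get the "query the profile names, then edit each one" behaviour asked for above, as an added example that is not part of any post in the thread: a Python script that reads the `config webfilter profile` section of a device's config backup and generates the CLI for every profile it finds, reusing a category's existing filter ID where there is one. The sample config, the category numbers 26 and 61, and the function names are constructed for illustration.

```python
# Added example: SAMPLE is a constructed config excerpt; category numbers are placeholders.
SAMPLE = '''config webfilter profile
    edit "default"
        config ftgd-wf
            config filters
                edit 5
                    set category 61
                    set action warning
                next
            end
        end
    next
    edit "dept-A guest"
    next
end
'''
FILTERS = ["webfilter profile", "ftgd-wf", "filters"]

def parse_profiles(text):
    """Map each web filter profile name to {filter_id: category or None}."""
    profiles, stack, name, fid = {}, [], None, None
    for tok in (line.strip() for line in text.splitlines()):
        if tok.startswith("config "):
            stack.append(tok[7:])
        elif tok == "end" and stack:
            stack.pop()
        elif tok.startswith("edit ") and stack == FILTERS[:1]:
            name = tok[5:].strip('"')
            profiles[name] = {}
        elif tok.startswith("edit ") and stack == FILTERS:
            fid = int(tok[5:])
            profiles[name][fid] = None  # remember the id even if no category is set
        elif tok.startswith("set category ") and stack == FILTERS:
            profiles[name][fid] = int(tok.split()[2])
    return profiles

def build_script(profiles, block):
    """Emit CLI that blocks every category in `block` in every profile found."""
    out = ["config webfilter profile"]
    for name, filters in profiles.items():
        by_cat = {cat: fid for fid, cat in filters.items()}
        free = max(filters, default=0) + 1  # first unused filter id
        out += [f'edit "{name}"', "config ftgd-wf", "config filters"]
        for cat in sorted(block):
            fid = by_cat.get(cat)
            if fid is None:  # category not listed yet: add a new entry
                fid, free = free, free + 1
            out += [f"edit {fid}", f"set category {cat}", "set action block", "next"]
        out += ["end", "end", "next"]
    return "\n".join(out + ["end"])
```

Run it once per device against that device's own backup, since profile names and filter IDs differ between firewalls, and review the generated CLI before pushing it as a script.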