emnoc
Esteemed Contributor III

dumping fwpolicies into a xls or csv format

Anybody seen any cool tools that will grab fwpolicies and dump them into a format to import into xls, or csv or any other method?

PCNSE NSE StrongSwan
Andre_Backs

Hi emnoc, I just briefly tried NS2html; it didn't work, unfortunately. It did well on the test.cfg file (a Netscreen config) but it couldn't make sense of the Fortigate config file. The "nipper" link links to the blog that has a link to a Sourceforge project which is marked as deleted (also ). So I Googled nipper and found another Sourceforge (http://sourceforge.net/projects/nipper/) which seemed promising at first, but I found that the only files there are an IP subnet calculator and a tool to decrypt Cisco type 7 passwords. Nipper itself has gone commercial and now belongs to Titania Ltd as Nipper Studio. An evaluation kit of that needed a lot more effort than I am willing to put in right now. Anyway, what I am looking for was more or less the Webbased Manager but with just a bit more sophistication (things like search and replace, bulk edit, block moves, you get the drift).

ABB@ProBiblio Fortigate 200D (slave master)

emnoc
Esteemed Contributor III

Cool, I was only pointing out that previous works in this same area did exist. Speaking of nscreen, the ns.cfg files are not 100% like a juniper or a fortigate. I'm really surprised nobody from fortinet has built a tool for this and included it on board the appliance directly (fwpolicy and fwpolicy6 extraction into csv, xml, etc.). Next, I'm also wondering if a Fortimanager might have some type of extraction? Anybody here have access to a Fortimanager and care to check and comment?

PCNSE NSE StrongSwan
neonbit
Valued Contributor

From what I can see the FortiManager allows you to export the policy packages to csv.

FatalHalt
Contributor II

I too have needed a tool for this for a while. Not finding anything, I've begun making one in python. It's pretty rudimentary right now, but I currently have it parsing a config file for Addresses, Groups and Policies and dumping into 3 separate TSV files which I then pull into a spreadsheet manually (for now). It also handles 'special' situations like if a policy is identity based. Next up is having it do static routes, interfaces, admins, local users, etc. Attached is a picture example of the data in a spreadsheet.
SgtMalicious

Do you have your source up somewhere? I have some Python up on GitHub if you're interested: http://bit.ly/1kB2wV0
TuncayBAS

Policy export tool:

 

http://www.tuncaybas.com/...rtigate-policy-export/

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5

FatalHalt

yaba wrote:

Policy export tool:

 

http://www.tuncaybas.com/...rtigate-policy-export/

Tell us a little about this! Did you write this yourself!? 

TuncayBAS

Yes, of course.

I use the FortiGate REST API document.

http://www.tuncaybas.com/FOS_JSON_REST_API_523.pdf

Get all policies for 5.2:

https://192.168.0.1:443/api/cmdb?request={'action':'select','path':'firewall','name':'policy','datasource':true,'skip':true,'with_meta':true}

Get all policies for 5.4:

https://192.168.0.1:443/a..2/cmdb/firewall/policy/

This results in JSON format.

    {
      "http_method":"GET",
      "results":[
        {
          "policyid":7,
          "q_origin_key":"7",
          "name":"fatura-pc-deny",
          "uuid":"53e964d2-36b8-51e6-a95c-9c146a1da1c8",
          "srcintf":[
            {
              "name":"lan",
              "q_origin_key":"lan"
            }
          ],
          "dstintf":[
            {
              "name":"wan1",
              "q_origin_key":"wan1"
            }
          ],
          "srcaddr":[
            {
              "name":"all",
              "q_origin_key":"all"
            }
          ],

and parse with .NET (or use another language).

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
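An added example (not code from the posts above or from the poster's export tool): one way to turn a response of the shape quoted in the answer into CSV with Python. The second sample policy, the column list and the function names are constructed for illustration; cells a spreadsheet would evaluate as a formula are prefixed with a single quote so a policy name cannot run as one when the export is opened.

```python
import csv
import io
import json

# Constructed sample in the shape of the response quoted above (policy 8 is made up).
SAMPLE_RESPONSE = """{"http_method": "GET", "results": [
  {"policyid": 7, "q_origin_key": "7", "name": "fatura-pc-deny",
   "uuid": "53e964d2-36b8-51e6-a95c-9c146a1da1c8",
   "srcintf": [{"name": "lan"}], "dstintf": [{"name": "wan1"}],
   "srcaddr": [{"name": "all", "q_origin_key": "all"}]},
  {"policyid": 8, "q_origin_key": "8", "name": "=1+1",
   "uuid": "00000000-0000-0000-0000-000000000008",
   "srcintf": [{"name": "lan"}], "dstintf": [{"name": "wan1"}],
   "srcaddr": [{"name": "srv-a"}, {"name": "srv-b"}]}
]}"""

# Assumed column selection: only fields visible in the quoted response.
COLUMNS = ["policyid", "name", "uuid", "srcintf", "dstintf", "srcaddr"]
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def flatten(value):
    """Join a list of {"name": ...} references into one cell; stringify scalars."""
    if isinstance(value, list):
        names = [str(v.get("name", "")) if isinstance(v, dict) else str(v) for v in value]
        return ";".join(names)
    return "" if value is None else str(value)


def safe_cell(text):
    """Neutralise cells that a spreadsheet would interpret as a formula."""
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text


def policies_to_csv(response_text, columns=COLUMNS):
    """Return CSV text with one row per entry in the response's "results" list."""
    results = json.loads(response_text).get("results", [])
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(columns)
    for policy in results:
        writer.writerow([safe_cell(flatten(policy.get(col))) for col in columns])
    return out.getvalue()


if __name__ == "__main__":
    print(policies_to_csv(SAMPLE_RESPONSE), end="")
```
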
TuncayBAS

The program is for local use and is secure.

Those in the forum who know me know. My address is known.

You can trust me, or you can even decompile the program and look.

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
oheigl

The REST API document is awesome, thanks! Do you also have it for the 5.4 firmware?
