- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Mass Creation of object addresses in FGT
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mass Creation of object addresses in FGT
Has anyone created a script for importing a list of IP addresses to create Object Addresses within the FortiGate firewall?
Ideally this script would allow for updates etc on a monthly basis.
example list
IP,Hostname,Interface
111.111.111.111,HOST-1,OUTSIDE
222.222.222.222,HOST-2,OUTSIDE
333.333.333.333,HOST-3,OUTSIDE
to produce an output like the following:
edit HOST-1 set type ipmask set subnet 111.111.111.111/255.255.255.255 set associated-interface OUTSIDE next edit HOST-2 set type ipmask set subnet 222.222.222.222/255.255.255.255 set associated-interface OUTSIDE next edit HOST-3 set type ipmask set subnet 333.333.333.333/255.255.255.255 set associated-interface OUTSIDE end
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, Wrong Forum. I' ve added this to the FortiGate specific forum.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I use excel and word to create a new text file that I can import as a script
I use this to block the latest top 100 attackers ip list from SANS
First create an address group that contains all of the address NAMES listed below. We use SANS_TOP_100 and it contains SANS_T100_001, 002, 003, etc.
then create an excel spreadsheet with no column names. (each <c> means a new column):
line 1: config firewall address
line 2: edit SANS_T100_001 <c> @ <c> set subnet <c> 64.236.64.139 <c> 255.255.255.255 <c> @ <c> next
line 3: edit SANS_T100_002 <c> @ <c> set subnet <c> 218.64.114.103 <c> 255.255.255.255 <c> @ <c> next
line4 through 101: repeat for each address
line 102: end
each month I past the latest column of addresses over the existing column (happens to be column D)
save the spreadsheet and then do a save as and choose a text file format, this will convert all columns to tabs.
Open the text file in MSWord
Using MSWord I do a search and replace (control-H) (expand the more) button and use " special" to replace all " tab" characters with a space character.
replace all double spaces with a single space and continue until no more are found
replace all " @ " (space, ampersand, space) with a " paragraph mark" (in special)
This will leave you with a text file that reads:
line 1: config firewall address
line 2: edit SANS_T100_001
line 3: set subnet 64.236.64.139 255.255.255.255
line 4: next
line 5: edit SANS_T100_002
line 6: set subnet 218.64.114.103 255.255.255.255
line 7: next
line 8 - xxx: etc, etc, etc
last line: end
save the text file and import it into the firewall as a script. Or copy and paste it as a new script.
By assigning all of the addresses to a group and using the address group in your policies, you are able to just update the addresses and not have to update every policy that uses the individual address names.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I know this is an old post - but I made a TCL-script to create firewall objects when I had the same scenario. I had a bunch of host addresses I needed to create a deny policy for.
You can read about it on my blog:
http://exceededintransit.net/?p=191
.. If you want to use more variables, you can create more variables by simply adding a new section to the array. Eg. if you want a variable subnet mask, you could do this:
array set objects {
10.0.0.0 "H-DENY-1.1.1.1" 255.255.255.0
2.2.2.0 "H-DENY-2.2.2.2" 255.255.254.0
3.3.3.0 "H-DENY-3.3.3.3" 255.255.255.128
}foreach {object_ip object_name object_subnet}Now you should be able to use the $object_subnet variable as well when creating the object. The config would look like this:
# lookup in array "objects"
foreach {object_ip object_name} [array get objects] {
puts \n
puts "edit $object_name"
puts "set subnet $object_ip $object_subnet"
puts "next"
}
When creating the array, you should use excel for the production of the rows. You should be able to copy the cells from excel directly to your script.
Regards,
Martin Karlsen
Related Posts
Labels
-
FortiGate
6,530 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.