Mass Creation of object addresses in FGT

ciscokid1903 · ‎10-11-2013

Has anyone created a script for importing a list of IP addresses to create Object Addresses within the FortiGate firewall? Ideally this script would allow for updates etc on a monthly basis. example list IP,Hostname,Interface 111.111.111.111,HOST-1,OUTSIDE 222.222.222.222,HOST-2,OUTSIDE 333.333.333.333,HOST-3,OUTSIDE to produce an output like the following:

  edit HOST-1 
  set type ipmask 
  set subnet 111.111.111.111/255.255.255.255 
  set associated-interface OUTSIDE  
  next 
  edit HOST-2 
  set type ipmask 
  set subnet 222.222.222.222/255.255.255.255 
  set associated-interface OUTSIDE  
  next 
  edit HOST-3 
  set type ipmask 
  set subnet 333.333.333.333/255.255.255.255 
  set associated-interface OUTSIDE  
  end

rwpatterson · ‎10-11-2013

That doesn' t look to be so difficult. You would still have to manually upload that into your unit though.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

View solution in original post

ede_pfau · ‎10-11-2013

here you are with a rudimentary batch script:

 @echo off
 REM input: textfile addr.txt with IP,name,interface (one per line)
 REM values delimited by commas, comments start with #
 
 REM redirect output to a batch command file for uploading to a Fortigate
 
 
 echo config firewall address
 for /f " eol=# tokens=1-3 delims=,"  %%i in (addr.txt) do CALL :oneaddr %%i %%j %%k
 echo end
 goto :EOF
 
 :oneaddr
 echo edit %2  
 echo set type ipmask  
 echo set subnet %1/32
 set intf=%3  
 if [%3]==[] set intf=ANY 
 echo set associated-interface %intf%   
 echo next

with this input file

# IP,Hostname,Interface 111.111.111.111,HOST-1,OUTSIDE 222.222.222.222,HOST-2 333.333.333.333,HOST-3,OUTSIDE

this output is produced:

config firewall address edit HOST-1 set type ipmask set subnet 111.111.111.111/32 set associated-interface OUTSIDE next edit HOST-2 set type ipmask set subnet 222.222.222.222/32 set associated-interface ANY next edit HOST-3 set type ipmask set subnet 333.333.333.333/32 set associated-interface OUTSIDE next end

Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

ede_pfau · ‎09-18-2015

hi,

step-by-step on a Windows PC:

assuming you copied and pasted my batch script into notepad and saved that as "mkadr.cmd".

Then you write down your addresses in notepad and save that as "addr.txt".

- this name is fixed! the script expects only this name, you cannot change it. -

Then you open a commandline: press the Windows key (lower left of keyboard, between Ctrl and Alt), and type "cmd.exe" into the search field. A DOS box/command line window should open.

Go into the directory where you saved the 2 files: cd "C:\users\blabla\downloads"

You should be able to list these files: "dir mkadr.cmd", "dir addr.txt"

Now generate the batchcommands for the Fortigate: "mkadr > newadr.bcmd"

Check the file: "dir newadr.bcmd", filesize should be > 0.

To upload to the Fortigate, in the GUI go to System > Config > Advanced, Scripts and upload the file.

Afterwards check the address objects in Firewall Objects > Addresses.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

ede_pfau · ‎10-14-2013

well, output goes to stdout, that is, to the screen. If you need it in a file just redirect it: mkbatch > bulk.txt (if you name the script " mkbatch.cmd" ). No experience with the command line? sic transit gloria mundi...

Ede

"Kernel panic: Aiee, killing interrupt handler!"

ciscokid1903 · ‎10-14-2013

hi Ede, No, i' ve no real experience with the command line. Thanks for this info.

emnoc · ‎10-14-2013

For mass output and in consecutive ranges here' s what I do. http://socpuppet.blogspot.com/2012/11/fortigate-firewall-cfg-script-to-speed.html This helps when producing mass outputs on unix using basic scripting in bash.

PCNSE

NSE

StrongSwan

ede_pfau · ‎09-18-2015

hi,

step-by-step on a Windows PC:

assuming you copied and pasted my batch script into notepad and saved that as "mkadr.cmd".

Then you write down your addresses in notepad and save that as "addr.txt".

- this name is fixed! the script expects only this name, you cannot change it. -

Then you open a commandline: press the Windows key (lower left of keyboard, between Ctrl and Alt), and type "cmd.exe" into the search field. A DOS box/command line window should open.

Go into the directory where you saved the 2 files: cd "C:\users\blabla\downloads"

You should be able to list these files: "dir mkadr.cmd", "dir addr.txt"

Now generate the batchcommands for the Fortigate: "mkadr > newadr.bcmd"

Check the file: "dir newadr.bcmd", filesize should be > 0.

To upload to the Fortigate, in the GUI go to System > Config > Advanced, Scripts and upload the file.

Afterwards check the address objects in Firewall Objects > Addresses.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

Allwyn_Mascarenhas · ‎09-22-2015

ede_pfau wrote:
hi,

step-by-step on a Windows PC:

assuming you copied and pasted my batch script into notepad and saved that as "mkadr.cmd".
Then you write down your addresses in notepad and save that as "addr.txt".
- this name is fixed! the script expects only this name, you cannot change it. -
Then you open a commandline: press the Windows key (lower left of keyboard, between Ctrl and Alt), and type "cmd.exe" into the search field. A DOS box/command line window should open.
Go into the directory where you saved the 2 files: cd "C:\users\blabla\downloads"
You should be able to list these files: "dir mkadr.cmd", "dir addr.txt"
Now generate the batchcommands for the Fortigate: "mkadr > newadr.bcmd"
Check the file: "dir newadr.bcmd", filesize should be > 0.

To upload to the Fortigate, in the GUI go to System > Config > Advanced, Scripts and upload the file.
Afterwards check the address objects in Firewall Objects > Addresses.

Got it! thanks. The generated conf file can be .conf ext too or has to be only .bcmd?

Valoni · ‎11-06-2019

thanks...

you said "Now generate the batchcommands for the Fortigate: "mkadr > newadr.bcmd""

should this command be run on the Fortigate or my windows pc

ede_pfau · ‎09-23-2015

The file extension can be anything. I personally prefer NOT to name it *.conf as not to mistake it for a full configuration - they are only snippets. "*.bcmd" is my invention for "batch command".

Ede

"Kernel panic: Aiee, killing interrupt handler!"

Allwyn_Mascarenhas · ‎09-23-2015

ede_pfau wrote:
The file extension can be anything. I personally prefer NOT to name it *.conf as not to mistake it for a full configuration - they are only snippets. "*.bcmd" is my invention for "batch command".

I am using your concept of reading the txt file to read ip and auth from text files for fortigate devices and create config backups. I get the backup but i am getting stuck at the passing the 4th parameter client name to the bat file.

my cmd:

@echo off

for /f " eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k
echo end
goto :EOF

:oneaddr
cd c:\Program Files\PuTTY
pscp -pw %3 %2@%1:sys_config c:\backup\%4-%DATE%-%TIME::=%.conf

and my fgts.txt file:

# ip,username,password,clientname
x.x.x.x,admin,password,devicename
y.y.y.y,admin,password,devicename

i have changed the tokens = 1-4, is that correct?

PS: enable admin-scp on the device if you trying this;

config system global
set admin-scp enable
end

help please.

ede_pfau · ‎09-23-2015

You've got to reference the 4th parameter in the loop, like this:

for /f " eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k %%l

First token is assigned to %%i, 2nd to %%j...4th to %%l (small L).

Ede

"Kernel panic: Aiee, killing interrupt handler!"

Allwyn_Mascarenhas · ‎09-25-2015

ede_pfau wrote:
You've got to reference the 4th parameter in the loop, like this:
for /f " eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k %%l
First token is assigned to %%i, 2nd to %%j...4th to %%l (small L).

worked like a charm, exactly what was needed.

Thanks a ton!