Mass Creation of object addresses in FGT

Showing page 1 of 2
Author
ciscokid1903
Silver Member
  • Total Posts : 61
  • Scores: 0
  • Reward points: 0
  • Joined: 2009/07/14 06:59:14
  • Status: offline
2013/10/11 07:12:33 (permalink)
0

Mass Creation of object addresses in FGT

Has anyone created a script for importing a list of IP addresses to create Object Addresses within the FortiGate firewall?

Ideally this script would allow for updates etc on a monthly basis.

example list


IP,Hostname,Interface
111.111.111.111,HOST-1,OUTSIDE
222.222.222.222,HOST-2,OUTSIDE
333.333.333.333,HOST-3,OUTSIDE

to produce an output like the following:

config firewall address
edit HOST-1
set type ipmask
set subnet 111.111.111.111/255.255.255.255
set associated-interface OUTSIDE
next
edit HOST-2
set type ipmask
set subnet 222.222.222.222/255.255.255.255
set associated-interface OUTSIDE
next
edit HOST-3
set type ipmask
set subnet 333.333.333.333/255.255.255.255
set associated-interface OUTSIDE
next
end
#1
rwpatterson
Expert Member
  • Total Posts : 8418
  • Scores: 195
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
RE: Mass Creation of object addresses in FGT 2013/10/11 07:34:22 (permalink) ☄ Helpful by discoscott 2015/12/21 15:57:52
0
That doesn't look to be so difficult. You would still have to manually upload that into your unit though.

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#2
ede_pfau
Expert Member
  • Total Posts : 6097
  • Scores: 490
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
RE: Mass Creation of object addresses in FGT 2013/10/11 13:27:34 (permalink) ☄ Helpful by allwynmasc 2015/09/23 03:56:58
5 (3)
here you are with a rudimentary batch script:
@echo off
setlocal
REM input: textfile addr.txt with IP,name,interface (one per line)
REM values delimited by commas, comments start with #
REM the interface is optional; an empty third field becomes ANY
REM note: for /f collapses consecutive delimiters, so "IP,,INTF" would
REM shift INTF into the name column - leave the field off instead

REM redirect output to a batch command file for uploading to a Fortigate

echo config firewall address
REM eol=# skips comment lines; tokens 1-3 land in %%i %%j %%k
for /f "eol=# tokens=1-3 delims=," %%i in (addr.txt) do CALL :oneaddr %%i %%j %%k
echo end
goto :EOF

REM %1 = IP address, %2 = object name, %3 = interface (may be empty)
:oneaddr
echo edit %2
echo set type ipmask
echo set subnet %1/32
set intf=%3
if [%3]==[] set intf=ANY
echo set associated-interface %intf%
echo next

with this input file
# IP,Hostname,Interface
111.111.111.111,HOST-1,OUTSIDE
222.222.222.222,HOST-2
333.333.333.333,HOST-3,OUTSIDE

this output is produced:
config firewall address
edit HOST-1
set type ipmask
set subnet 111.111.111.111/32
set associated-interface OUTSIDE
next
edit HOST-2
set type ipmask
set subnet 222.222.222.222/32
set associated-interface ANY
next
edit HOST-3
set type ipmask
set subnet 333.333.333.333/32
set associated-interface OUTSIDE
next
end

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#3
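As an added example that is not part of the thread (it is not ede_pfau's code), here is the same CSV-to-batch-command generator written in Python, with the checks a script that is fed from a monthly list ought to have. It keeps the column layout above (IP,Hostname,Interface, `#` comment lines, interface optional) and adds: every address is validated with the standard `ipaddress` module (a placeholder such as 333.333.333.333 from the first post is not a valid IPv4 address and is rejected instead of being pushed to the firewall); object, interface and VDOM names are limited to a safe character set so a stray quote or comma in a cell cannot inject extra CLI lines into the batch file; duplicate names in one run are refused; a CIDR prefix such as 198.51.100.0/24 is accepted next to bare hosts; and an optional fourth column, VDOM, wraps each group in config vdom / edit <name> / ... / next / end, which is the adaptation Valoni asks about later in the thread. Where the interface is empty the script emits no associated-interface line at all, which on FortiOS is the same as "any". The fourth column, the sample rows (RFC 5737 documentation addresses) and the file name mkadr.py are my assumptions, not something the thread specifies.

```python
# Added example, not from the forum thread: CSV -> FortiOS 'config firewall address'
# batch commands with input validation and optional per-VDOM grouping.
# Assumed columns: IP[/prefix],Hostname[,Interface[,VDOM]]; lines starting with '#' are comments.
import ipaddress
import re
import sys
from collections import OrderedDict

# Conservative charsets: a CSV cell must never be able to smuggle quotes or
# extra CLI statements into the generated 'edit "<name>"' line.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,62}$")
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")

# Constructed sample inventory (RFC 5737 documentation ranges), not the thread's addr.txt.
SAMPLE_INVENTORY = """\
# IP,Hostname,Interface,VDOM
192.0.2.10,HOST-1,OUTSIDE
192.0.2.20,HOST-2
198.51.100.0/24,NET-3,OUTSIDE
"""


def parse_inventory(text):
    """Return a list of (network, name, interface, vdom) tuples.

    Raises ValueError on the first malformed row, so a half-validated inventory
    is never turned into a batch file. Interface defaults to 'any', vdom to None.
    """
    rows, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) > 4:
            raise ValueError(f"line {lineno}: too many fields: {line!r}")
        fields += [""] * (4 - len(fields))          # pad the optional columns
        ip, name, iface, vdom = fields
        try:
            # strict=True rejects host bits set under a prefix (e.g. 10.0.0.5/24)
            net = ipaddress.ip_network(ip, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad address {ip!r}: {exc}") from None
        if net.version != 4:
            raise ValueError(f"line {lineno}: ipmask objects need IPv4, got {ip!r}")
        if not NAME_RE.match(name):
            raise ValueError(f"line {lineno}: bad object name {name!r}")
        iface = iface or "any"
        if not IFACE_RE.match(iface):
            raise ValueError(f"line {lineno}: bad interface {iface!r}")
        vdom = vdom or None
        if vdom is not None and not NAME_RE.match(vdom):
            raise ValueError(f"line {lineno}: bad VDOM name {vdom!r}")
        if (vdom, name) in seen:
            raise ValueError(f"line {lineno}: duplicate object name {name!r}")
        seen.add((vdom, name))
        rows.append((net, name, iface, vdom))
    return rows


def render_address_block(rows):
    """'config firewall address' ... 'end' for one group of rows (one VDOM)."""
    out = ["config firewall address"]
    for net, name, iface, _ in rows:
        out.append(f'edit "{name}"')
        out.append("set type ipmask")
        out.append(f"set subnet {net.network_address}/{net.prefixlen}")
        if iface != "any":                 # unset associated-interface == any on FortiOS
            out.append(f'set associated-interface "{iface}"')
        out.append("next")
    out.append("end")
    return out


def render_config(rows):
    """Whole batch file. Rows that carry a VDOM are wrapped in
    config vdom / edit <vdom> / ... / next / end, one block per VDOM."""
    groups = OrderedDict()
    for row in rows:
        groups.setdefault(row[3], []).append(row)
    if None in groups and len(groups) > 1:
        raise ValueError("inventory mixes VDOM and non-VDOM rows")
    if not groups or None in groups:
        return "\n".join(render_address_block(rows)) + "\n"
    out = ["config vdom"]
    for vdom, group in groups.items():
        out.append(f"edit {vdom}")
        out.extend(render_address_block(group))
        out.append("next")
    out.append("end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # usage: python mkadr.py addr.txt > newadr.bcmd
    with open(sys.argv[1], encoding="utf-8") as fh:
        sys.stdout.write(render_config(parse_inventory(fh.read())))
```

Run it as `python mkadr.py addr.txt > newadr.bcmd` and upload the result exactly like the batch script's output. Because `edit <name>` on an existing object modifies it, re-running with a changed list updates the addresses that are still listed; it never deletes objects that have dropped out of the CSV, so removals stay a manual step.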
ciscokid1903
Silver Member
  • Total Posts : 61
  • Scores: 0
  • Reward points: 0
  • Joined: 2009/07/14 06:59:14
  • Status: offline
RE: Mass Creation of object addresses in FGT 2013/10/14 02:31:05 (permalink)
0
Thank you for this Ede. In your example, where is the output generated?
#4
ede_pfau
Expert Member
  • Total Posts : 6097
  • Scores: 490
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
RE: Mass Creation of object addresses in FGT 2013/10/14 02:38:08 (permalink)
0
Well, output goes to stdout, that is, to the screen. If you need it in a file just redirect it:
mkbatch > bulk.txt

(if you name the script "mkbatch.cmd").

No experience with the command line? sic transit gloria mundi...

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#5
ciscokid1903
Silver Member
  • Total Posts : 61
  • Scores: 0
  • Reward points: 0
  • Joined: 2009/07/14 06:59:14
  • Status: offline
RE: Mass Creation of object addresses in FGT 2013/10/14 02:54:40 (permalink)
0
hi Ede,

No, I've no real experience with the command line.

Thanks for this info.
#6
emnoc
Expert Member
  • Total Posts : 5366
  • Scores: 351
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
RE: Mass Creation of object addresses in FGT 2013/10/14 03:09:17 (permalink)
0
For mass output and in consecutive ranges here's what I do.

http://socpuppet.blogspot.com/2012/11/fortigate-firewall-cfg-script-to-speed.html

This helps when producing mass outputs on unix using basic scripting in bash.

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#7
Allwyn Mascarenhas
Silver Member
  • Total Posts : 89
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/08/25 03:05:38
  • Location: Dubai, UAE
  • Status: offline
Re: RE: Mass Creation of object addresses in FGT 2015/09/18 01:39:03 (permalink)
0
ede_pfau wrote: (quoting the batch script and sample output from the reply above)

Hey, thanks for this, I just need a little help transferring it to a txt file. I tried the "filename > bulk.txt" from your next reply but couldn't get it to work. Where do I add this line?
#8
ede_pfau
Expert Member
  • Total Posts : 6097
  • Scores: 490
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Mass Creation of object addresses in FGT 2015/09/18 03:02:52 (permalink) ☄ Helpful by allwynmasc 2015/09/23 03:56:34
0
hi,
 
step-by-step on a Windows PC:
 
assuming you copied and pasted my batch script into notepad and saved that as "mkadr.cmd".
Then you write down your addresses in notepad and save that as "addr.txt".
- this name is fixed! the script expects only this name, you cannot change it. -
Then you open a commandline: press the Windows key (lower left of keyboard, between Ctrl and Alt), and type "cmd.exe" into the search field. A DOS box/command line window should open.
Go into the directory where you saved the 2 files: cd "C:\users\blabla\downloads"
You should be able to list these files: "dir mkadr.cmd", "dir addr.txt"
Now generate the batchcommands for the Fortigate: "mkadr > newadr.bcmd"
Check the file: "dir newadr.bcmd", filesize should be > 0.
 
To upload to the Fortigate, in the GUI go to System > Config > Advanced, Scripts and upload the file.
Afterwards check the address objects in Firewall Objects > Addresses.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#9
Allwyn Mascarenhas
Silver Member
  • Total Posts : 89
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/08/25 03:05:38
  • Location: Dubai, UAE
  • Status: offline
Re: Mass Creation of object addresses in FGT 2015/09/22 23:44:30 (permalink)
0
ede_pfau wrote: (quoting the step-by-step instructions from the reply above)

Got it! Thanks. Can the generated conf file have a .conf extension too, or does it have to be .bcmd?
#10
ede_pfau
Expert Member
  • Total Posts : 6097
  • Scores: 490
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Mass Creation of object addresses in FGT 2015/09/23 03:09:01 (permalink)
0
The file extension can be anything. I personally prefer NOT to name it *.conf so as not to mistake it for a full configuration - they are only snippets. "*.bcmd" is my invention for "batch command".

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#11
Allwyn Mascarenhas
Silver Member
  • Total Posts : 89
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/08/25 03:05:38
  • Location: Dubai, UAE
  • Status: offline
Re: Mass Creation of object addresses in FGT 2015/09/23 03:55:03 (permalink)
0
ede_pfau wrote:
The file extension can be anything. I personally prefer NOT to name it *.conf so as not to mistake it for a full configuration - they are only snippets. "*.bcmd" is my invention for "batch command".

I am using your concept of reading the txt file to read IP and auth from text files for FortiGate devices and create config backups. I get the backup, but I am getting stuck at passing the 4th parameter (client name) to the bat file.
 
my cmd:
@echo off

for /f "eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k
echo end
goto :EOF

:oneaddr
cd c:\Program Files\PuTTY
pscp -pw %3 %2@%1:sys_config c:\backup\%4-%DATE%-%TIME::=%.conf

 
and my fgts.txt file:
# ip,username,password,clientname
x.x.x.x,admin,password,devicename
y.y.y.y,admin,password,devicename

 
I have changed tokens to 1-4, is that correct?
 
PS: enable admin-scp on the device if you're trying this:
config system global
set admin-scp enable
end

 
Help please.
#12
ede_pfau
Expert Member
  • Total Posts : 6097
  • Scores: 490
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Mass Creation of object addresses in FGT 2015/09/23 08:24:40 (permalink)
0
You've got to reference the 4th parameter in the loop, like this:
for /f "eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k %%l

First token is assigned to %%i, 2nd to %%j...4th to %%l (small L).

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#13
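An added example, not code from the thread: the inventory-driven backup loop from Allwyn's post, rebuilt in Python with ede_pfau's fix applied (all four fields are used) and with the checks an unattended job needs. Three things in the batch version deserve attention. The fourth field goes straight into a file path, so a client name such as ..\..\x would write the backup outside c:\backup; here it is restricted to a safe character set. %DATE% and %TIME% are locale dependent (on some Windows locales %DATE% contains "/", which is not valid in a file name), so the stamp is produced in a fixed format. And -pw puts the admin password on the command line, where other local users can read it from the process list; the example keeps -pw so it matches the thread's pscp usage, but pscp's -i with a key file is the better choice where the FortiGate admin account has an SSH public key configured. The csv module is used so a password containing a comma can be quoted in the inventory, which delims=, cannot handle. The pscp path, the -batch flag (pscp fails instead of prompting, for example on an unknown host key, which is what an unattended run should do) and the sample rows are my assumptions.

```python
# Added example, not from the forum thread: validate an ip,username,password,clientname
# inventory and build pscp command lines from it without going through a shell.
# Assumes PuTTY's pscp at PSCP_PATH and admin-scp enabled on each FortiGate.
import csv
import ipaddress
import os
import re
import subprocess
from datetime import datetime
from typing import NamedTuple

PSCP_PATH = r"C:\Program Files\PuTTY\pscp.exe"   # assumed install location
USER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
# clientname becomes part of a file name: no path separators and no dots, so a
# row cannot steer the backup outside the backup directory.
CLIENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")

# Constructed sample inventory (documentation addresses), not the thread's fgts.txt.
SAMPLE_INVENTORY = """\
# ip,username,password,clientname
192.0.2.1,admin,"s3cret,with,commas",fw-branch-01
192.0.2.2,backupadm,hunter2,fw-hq
"""


class Device(NamedTuple):
    ip: str
    user: str
    password: str
    client: str


def parse_inventory(text):
    """Parse ip,username,password,clientname rows; '#' lines and blanks are skipped.
    csv.reader honours double quotes, so a password containing a comma can be
    written as "p,w". Raises ValueError on the first malformed row."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    devices = []
    for row in csv.reader(lines):
        if len(row) != 4:
            raise ValueError(f"expected 4 fields, got {len(row)}: {row!r}")
        ip, user, password, client = row[0].strip(), row[1].strip(), row[2], row[3].strip()
        ipaddress.ip_address(ip)                     # ValueError if not an IP literal
        if not USER_RE.match(user):
            raise ValueError(f"bad username {user!r}")
        if not password:
            raise ValueError(f"empty password for {ip}")
        if not CLIENT_RE.match(client):
            raise ValueError(f"bad client name {client!r}")
        devices.append(Device(ip, user, password, client))
    return devices


def timestamp(now=None):
    """Fixed-format stamp (YYYYmmdd-HHMMSS); cmd's %DATE% is locale dependent."""
    return (now or datetime.now()).strftime("%Y%m%d-%H%M%S")


def build_pscp_argv(dev, backup_dir, stamp):
    """argv list for subprocess.run (no shell, so no quoting surprises).
    -batch: fail rather than prompt, e.g. on an unknown host key.
    -pw: kept from the thread; visible in the process list, prefer -i <keyfile>."""
    dest = os.path.join(backup_dir, f"{dev.client}-{stamp}.conf")
    return [PSCP_PATH, "-batch", "-pw", dev.password,
            f"{dev.user}@{dev.ip}:sys_config", dest]


def run_backups(devices, backup_dir):
    """Run pscp once per device; return {client: returncode}. One failure does not stop the loop."""
    os.makedirs(backup_dir, exist_ok=True)
    stamp = timestamp()
    results = {}
    for dev in devices:
        proc = subprocess.run(build_pscp_argv(dev, backup_dir, stamp))
        results[dev.client] = proc.returncode
    return results


if __name__ == "__main__":
    # usage: python fgt_backup.py  (reads fgts.txt next to the script)
    with open("fgts.txt", encoding="utf-8") as fh:
        print(run_backups(parse_inventory(fh.read()), r"c:\backup"))
```

A non-zero return code per device is returned rather than swallowed, so a scheduled task can alert on it; the inventory file itself still holds plaintext passwords and should be readable only by the account that runs the job.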
Allwyn Mascarenhas
Silver Member
  • Total Posts : 89
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/08/25 03:05:38
  • Location: Dubai, UAE
  • Status: offline
Re: Mass Creation of object addresses in FGT 2015/09/25 22:23:50 (permalink)
0
ede_pfau wrote:
You've got to reference the 4th parameter in the loop, like this:
for /f "eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k %%l

First token is assigned to %%i, 2nd to %%j...4th to %%l (small L).

worked like a charm, exactly what was needed.
 
Thanks a ton!
#14
Valoni
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/11/06 06:59:48
  • Status: offline
Re: RE: Mass Creation of object addresses in FGT 2019/11/06 07:03:08 (permalink)
0
rwpatterson wrote:
That doesn't look to be so difficult. You would still have to manually upload that into your unit though.

Is the script below supposed to be run on the FGT unit or the Windows PC, and why?
(quoting the batch script from ede_pfau's reply above)
#15
Valoni
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/11/06 06:59:48
  • Status: offline
Re: RE: Mass Creation of object addresses in FGT 2019/11/06 07:09:05 (permalink)
0
ede_pfau wrote: (quoting the batch script and sample output from the reply above)

What do you mean by rudimentary? Where do I run this script, the PC or the Fortigate unit? I have over 200 IP addresses I need to add to different VDOMs on my unit, do you have any idea how I could go about this?
#16
ede_pfau
Expert Member
  • Total Posts : 6097
  • Scores: 490
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: RE: Mass Creation of object addresses in FGT 2019/11/06 07:15:36 (permalink)
0
This is a Windows script, run in a command line window (cmd.exe).
If you have to ask, you probably can't change it - which would be necessary to adapt it to VDOMs.
'Rudimentary' because it's so simple. On a PC because at that time there was no scripting on a FGT. IMHO there's still not a decent shell in FOS.
Just create the output and upload it to the FGT via 'batch command'.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#17
Valoni
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/11/06 06:59:48
  • Status: offline
Re: Mass Creation of object addresses in FGT 2019/11/06 07:27:24 (permalink)
0
thanks...
you said "Now generate the batchcommands for the Fortigate: "mkadr > newadr.bcmd""
 
Should this command be run on the Fortigate or my Windows PC?
#18
Valoni
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/11/06 06:59:48
  • Status: offline
Re: RE: Mass Creation of object addresses in FGT 2019/11/06 07:41:43 (permalink)
0
I'm thinking I may need to edit the script, since your script only has provision for 3 addresses, right?...
I wanted to understand the mechanism: run a Windows script using the CLI and it operates on the Fortigate, which means I have to be logged in to the FGT before running this script, right?
#19
ede_pfau
Expert Member
  • Total Posts : 6097
  • Scores: 490
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: RE: Mass Creation of object addresses in FGT 2019/11/06 07:53:50 (permalink)
0
No, not at all! Please re-read my posts...
 
This script is run on a Win PC. The output file (a text file) can be uploaded to the FGT via System > Advanced > Batch command. You will need admin access to the FGT for this, but not for the file creation.
 
You need to supply the 200 addresses in a CSV file (comma separated values), that is a text file where you put "ip address", comma, "hostname" on one line, with one line per host. My example just held only 3 addresses so as not to bore the audience.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#20