Support Forum
khurramkhan
New Contributor

Method or Script for creating Fortigate firewall Object Configuration

Dears,


I need a method or a script to create firewall object configuration. We receive multiple IP addresses to be blocked on a daily basis at multiple locations. Currently we first create the configuration in an editor, add each IP to it, and then apply it on the firewall. In this process there is a chance of mistakes, and we have also faced an issue.

For example, I have a list of 100 IP addresses in Excel and I want a script that generates the configuration for me, so that I can apply it on the firewall without any hesitation.

Kindly share if anyone has an idea or solution.


Thanks & Regards,

Khurram Khan

oheigl
Contributor II

I'm not the best script boy, but this is, for example, how you can do it. It's dirty; if you want to do it pretty you should write a program which does that via the JSON API and so on, but maybe it helps:

import csv

# Read 'name;ip' rows from test.csv and write a FortiGate CLI batch to addrobjects.txt
with open('test.csv', 'r', newline='') as csvfile, open('addrobjects.txt', 'w') as addrobjects:
    addrlist = csv.reader(csvfile, delimiter=';')
    addrobjects.write("config firewall address\n")
    for addr in addrlist:
        # one /32 address object per row; the object name is double-quoted for the CLI
        addrobjects.write('edit "' + addr[0] + '"\n')
        addrobjects.write('set subnet ' + addr[1] + ' 255.255.255.255\n')
        addrobjects.write('next\n')
    addrobjects.write("end\n")

Your CSV needs to look like this:

ADDR-SPAM1;1.2.3.4
ADDR-SPAM2;4.5.6.7

This is the file which is generated:

config firewall address
edit "ADDR-SPAM1"
set subnet 1.2.3.4 255.255.255.255
next
edit "ADDR-SPAM2"
set subnet 4.5.6.7 255.255.255.255
next
end

So you can just copy-paste it into an SSH session, or upload it via the web GUI.

HTH

ede_pfau

Some time ago I published my Python script iplist2forti.py for creating white/black lists here:

http://beneicke-edv.de/support/tools/

The header is 'Using external blacklists' and the description is in English. Feel free to use it for your work. Feedback welcome.


It's capable of 'digesting' 1000s of addresses, pouring them into address groups and those into address super-groups, all because there are limits to the size of an address group. I've used it successfully to import hosts.deny lists into a FG-310B. 4000 addresses took about 45 minutes to import (due to limited CPU power).


One obstacle is that after importing addresses, you cannot tell which addresses are already defined on the FGT. For blacklists, the script generates a 'delete' batch command file in addition to the import batch command file. So you would import one list, and just before importing the updated list you first delete the original list's entries.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
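The two replies above describe the same pipeline from different angles: oheigl's snippet turns a 'name;ip' CSV into a 'config firewall address' batch, and ede_pfau's script goes further by validating the list, splitting it into address groups because of the group size limit, and emitting a companion 'delete' batch so the previous list can be removed before the updated one is imported. The following is an added example written for this thread; it is not oheigl's code nor ede_pfau's iplist2forti.py. It keeps oheigl's CSV layout, and the group limit MAX_GROUP_MEMBERS, the group name prefix GRP-BLACKLIST and the sample rows are all constructed for illustration (look up the real addrgrp member limit of your FortiOS version before relying on it). It also assumes the target firmware accepts an address group as a member of another address group, which is what the "super-group" step needs.

```python
import csv
import io
import ipaddress

# Hypothetical limit, kept small so the constructed sample below splits into two groups.
MAX_GROUP_MEMBERS = 3

# Constructed sample input in the 'name;ip' layout. It deliberately contains an exact
# duplicate row, a CIDR entry, a name with a space and an invalid address.
SAMPLE_CSV = """ADDR-SPAM1;1.2.3.4
ADDR-SPAM2;4.5.6.7
ADDR-SPAM2;4.5.6.7
Bad Host;10.0.0.0/8
ADDR-BROKEN;1.2.3
ADDR-SPAM3;8.8.8.8
ADDR-SPAM4;9.9.9.9
"""


def quote(name):
    """Double-quote a CLI object name, escaping backslashes and embedded quotes."""
    return '"' + name.replace('\\', '\\\\').replace('"', '\\"') + '"'


def parse_entries(text):
    """Parse 'name;ip[/prefix]' rows into (entries, errors).

    entries is a list of (name, IPv4Network); exact duplicate rows are dropped,
    while a name reused for a different address, or an unparsable address, is
    reported in errors and skipped rather than silently written to the batch."""
    entries, errors, seen = [], [], {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=';'), 1):
        if not row or not row[0].strip():
            continue  # blank line
        if len(row) < 2:
            errors.append(f"line {lineno}: expected 'name;ip'")
            continue
        name, addr = row[0].strip(), row[1].strip()
        try:
            net = ipaddress.IPv4Network(addr, strict=False)  # IPv4 only in this example
        except ValueError:
            errors.append(f"line {lineno}: invalid IPv4 address {addr!r}")
            continue
        if name in seen:
            if seen[name] != net:
                errors.append(f"line {lineno}: name {name!r} already used for {seen[name]}")
            continue
        seen[name] = net
        entries.append((name, net))
    return entries, errors


def chunk_groups(entries, group_prefix):
    """Split entries into address groups of at most MAX_GROUP_MEMBERS members."""
    return [(f"{group_prefix}-{i // MAX_GROUP_MEMBERS + 1}", entries[i:i + MAX_GROUP_MEMBERS])
            for i in range(0, len(entries), MAX_GROUP_MEMBERS)]


def render_create(entries, group_prefix="GRP-BLACKLIST"):
    """Import batch: address objects, then the chunk groups, then one super-group
    holding the chunks (assumes nested address groups are supported)."""
    lines = ["config firewall address"]
    for name, net in entries:
        lines += [f"edit {quote(name)}",
                  f"set subnet {net.network_address} {net.netmask}",
                  "next"]
    lines.append("end")
    groups = chunk_groups(entries, group_prefix)
    lines.append("config firewall addrgrp")
    for gname, members in groups:
        lines += [f"edit {quote(gname)}",
                  "set member " + " ".join(quote(n) for n, _ in members),
                  "next"]
    lines += [f"edit {quote(group_prefix)}",
              "set member " + " ".join(quote(g) for g, _ in groups),
              "next", "end"]
    return "\n".join(lines) + "\n"


def render_delete(entries, group_prefix="GRP-BLACKLIST"):
    """Companion batch that undoes render_create. Order matters: an object that is
    still referenced by a group cannot be deleted, so the groups go first."""
    lines = ["config firewall addrgrp", f"delete {quote(group_prefix)}"]
    lines += [f"delete {quote(g)}" for g, _ in chunk_groups(entries, group_prefix)]
    lines += ["end", "config firewall address"]
    lines += [f"delete {quote(name)}" for name, _ in entries]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries, errors = parse_entries(SAMPLE_CSV)
    for err in errors:
        print("SKIPPED:", err)  # review these before applying the batch
    with open("addrobjects.txt", "w") as f:
        f.write(render_create(entries))
    with open("addrobjects-delete.txt", "w") as f:
        f.write(render_delete(entries))
```

Run it as-is to see the two batch files built from the sample rows; swap SAMPLE_CSV for the contents of your own CSV to use it for real. The point of the validation step is the one the original question raises: a hand-edited batch with a typo fails halfway through, so rejecting malformed rows and duplicate names before anything reaches the firewall is cheaper than cleaning up a partially applied list.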
emnoc
Esteemed Contributor III

I'm a bash guy, so we do something similar to the following:


http://socpuppet.blogspot.com/2017/03/how-to-extract-ms-azure-dc-and-batch-of.html


If you have a text file with a single entry per line, or even a CSV, it would be very easy to script it in bash with a bit of clean-up via sed and/or awk.


We also run IP lists that we extract from logs from security devices (tippingpt, feye, etc.) and do the same for major blacklisting operations.


Ken


PCNSE NSE StrongSwan
MaleficentWoodpecker

I created this PowerShell script to create one from a CSV.


$inputCSV = "c:\Servers.csv"
$outputFile = "c:\Addresses.txt"
# Open the 'config firewall address' section
Add-Content -Path $outputFile -Value "config firewall address"
Import-Csv $inputCSV | ForEach-Object {
    $Name = $_.Assetname
    $IP = $_.IPAddress
    # Object name is quoted so that names containing spaces survive the CLI
    Add-Content -Path $outputFile -Value "edit `"$Name`""
    Add-Content -Path $outputFile -Value "set subnet $IP 255.255.255.255"
    Add-Content -Path $outputFile -Value "next"
}
Add-Content -Path $outputFile -Value "end"


Feed it your CSV with Assetname and IPAddress as columns, and you're golden.
