Method or Script for creating Fortigate firewall Object Configuration

khurramkhan
2017/09/14 13:23:54 (permalink)

Dears,
 
I need a method or a script to create firewall object configuration. We receive multiple IP addresses to be blocked on a daily basis at multiple locations. Currently we first create a configuration in an editor and add each IP to it, then we apply it on the firewall. In this process there is a chance of mistakes, and we have also faced an issue.
For example, I have a list of 100 IP addresses in Excel and I want a script that generates the configuration for me so that I can apply it on the firewall without any hesitation.
Kindly share if anyone has an idea or solution.
 
Thanks & Regards,
Khurram Khan
#1


    oheigl
    Re: Method or Script for creating Fortigate firewall Object Configuration 2017/09/15 01:03:55 (permalink)
    I'm not the best script boy, but this is for example how you can do it, it's dirty - if you want to do it pretty you should write a program which does that via the JSON API and so on, but maybe it helps:
    import csv

    # Read "name;ip" rows from test.csv and write FortiGate CLI address objects.
    with open('test.csv', 'r', newline='') as csvfile, open('addrobjects.txt', 'w') as addrobjects:
        addrlist = csv.reader(csvfile, delimiter=';')
        addrobjects.write("config firewall address\n")
        for addr in addrlist:
            if len(addr) < 2:
                continue  # skip blank or incomplete rows
            # one /32 host object per row
            addrobjects.write('edit "' + addr[0] + '"\n')
            addrobjects.write('set subnet ' + addr[1] + ' 255.255.255.255\n')
            addrobjects.write('next\n')

        addrobjects.write("end\n")

    Your CSV needs to look like this:
    ADDR-SPAM1;1.2.3.4
    ADDR-SPAM2;4.5.6.7

    This is the file which is generated:
    config firewall address
    edit "ADDR-SPAM1"
    set subnet 1.2.3.4 255.255.255.255
    next
    edit "ADDR-SPAM2"
    set subnet 4.5.6.7 255.255.255.255
    next
    end

    So you can just copy and paste it into an SSH session, or upload it via the web GUI.
    HTH
    #2
    ede_pfau
    Re: Method or Script for creating Fortigate firewall Object Configuration 2017/09/15 03:36:04 (permalink)
    Some time ago I published my Python script iplist2forti.py for creating white/black lists here:
    http://beneicke-edv.de/support/tools/
    The header is 'Using external blacklists' and the description is in English. Feel free to use it for your work. Feedback welcome.
     
    It's capable of 'digesting' 1000s of addresses, pouring them into address groups and those into address super-groups. All because there are limits to the size of an address group. I've used it successfully to import hosts.deny lists into a FG-310B. 4000 addresses took about 45 minutes to import (due to limited CPU power).
     
    One obstacle is that after importing addresses, you cannot tell which addresses are already defined on the FGT. For blacklists, the script generates a 'delete' batch command file in addition to the import batch command file. So you would import one list, and just before importing the updated list you first delete the original list entries.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #3
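
Added example (not part of the thread, and not ede_pfau's iplist2forti.py): a Python generator for the approach the replies above describe. It strictly validates each entry, writes host objects, splits them into address groups plus a super-group, and produces the matching delete batch. The BL prefix, the group_size of 300 and the sample addresses are assumptions; set group_size to the limit of your model.

```python
import ipaddress

def build_batches(lines, prefix="BL", group_size=300):
    """Return (import_script, delete_script, rejected) for raw IP strings.
    prefix and group_size are assumed values, not FortiOS defaults."""
    hosts, rejected, seen = [], [], set()
    for raw in lines:
        text = raw.strip()
        if not text:
            continue
        try:
            # Strict parse: anything that is not one IPv4 address is refused,
            # so a stray cell can never inject extra CLI lines.
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            rejected.append(text)
            continue
        if ip not in seen:  # drop duplicates, keep input order
            seen.add(ip)
            hosts.append(ip)
    if not hosts:
        return "", "", rejected
    names = [f"{prefix}-{ip}" for ip in hosts]
    groups = [names[i:i + group_size] for i in range(0, len(names), group_size)]
    gnames = [f"{prefix}-GRP{n:03d}" for n in range(1, len(groups) + 1)]

    def quoted(items):
        return " ".join(f'"{x}"' for x in items)

    imp = ["config firewall address"]
    for name, ip in zip(names, hosts):
        imp += [f'edit "{name}"', f"set subnet {ip} 255.255.255.255", "next"]
    imp += ["end", "config firewall addrgrp"]
    for gname, members in zip(gnames, groups):
        imp += [f'edit "{gname}"', f"set member {quoted(members)}", "next"]
    imp += [f'edit "{prefix}-ALL"', f"set member {quoted(gnames)}", "next", "end"]
    # Delete batch: super-group first, then groups, then the addresses they held.
    dele = ["config firewall addrgrp", f'delete "{prefix}-ALL"']
    dele += [f'delete "{g}"' for g in gnames] + ["end", "config firewall address"]
    dele += [f'delete "{n}"' for n in names] + ["end"]
    return "\n".join(imp) + "\n", "\n".join(dele) + "\n", rejected

# Constructed sample input (documentation addresses, one duplicate, one bad row).
SAMPLE = ["198.51.100.7", "203.0.113.9 ", "198.51.100.7", "10.0.0.256", "192.0.2.44"]

if __name__ == "__main__":
    imp, dele, bad = build_batches(SAMPLE, group_size=2)
    print(imp, dele, "rejected:", bad, sep="\n")
```

Review the rejected list before applying the import batch; a non-empty list means the source spreadsheet needs fixing.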
    emnoc
    Re: Method or Script for creating Fortigate firewall Object Configuration 2017/09/15 07:42:45 (permalink)
    I'm a bash guy so we do something similar to the following:
     
    http://socpuppet.blogspot.com/2017/03/how-to-extract-ms-azure-dc-and-batch-of.html
     
    If you have a text file with single entries or even CSV, it would be very easy to script it in bash with a little cleanup via sed and/or awk.
     
    We also run IP lists that we extract from logs from security devices (tippingpt, feye, etc.) and do the same for major blacklisting operations.
     
    Ken
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #4
    MaleficentWoodpecker
    Re: Method or Script for creating Fortigate firewall Object Configuration 2018/10/11 11:12:36 (permalink)
    I created this PowerShell script to create one from a CSV.
     
     
    $inputCSV = "c:\Servers.csv"
    $outputFile = "c:\Addresses.txt"
    # Open the address object block
    Add-Content -PassThru $outputFile -Value "config firewall address"
    Import-Csv $inputCSV | ForEach-Object {
     $Name = $_.Assetname
     $IP = $_.IPAddress
     # Quote the name so asset names containing spaces stay a single CLI token
     Add-Content -Path $outputFile -Value "edit `"$Name`""
     # One /32 host object per CSV row
     Add-Content -Path $outputFile -Value "set subnet $IP 255.255.255.255"
     Add-Content -Path $outputFile -Value "next"
    }
    # Close the block
    Add-Content -PassThru $outputFile -Value "end"

     
    Feed it your CSV with Assetname and IPAddress as columns, and you're golden.
    #5