Support Forum
jokes54321
New Contributor III

Clone and modify policies in bulk

I am tasked with a project to implement MFA for VPN users but cannot simply enable it for all users; they want to trickle users into a new AD group to enable MFA for them.

I've been instructed to set up a new IP Pool, then duplicate 50+ policies adjusting the srcaddr and group names for the new IP Pool and group. I know I could sit in front of the GUI and repetitively copy/paste policies and adjust them by hand, but what a waste of time.

I connected via SSH and issued a "show firewall policy" command with grep -B10 -A10 -f "<search criteria>" and got a messy output that I can now clean up by hand, but I am wondering if there is a better/easier way to do this?

Denny

lobstercreed
Valued Contributor

Why do you need additional policies?  It sounds like you just need to add the new addresses and group to the existing policies.

Otherwise the way you're doing it is pretty much the best.  (I haven't used the grep cleanup, but I just use the show command to get the output and remove the UUIDs using regex in Notepad++)

jokes54321

Thank you for replying, I just noticed your location is in Sedalia, I'm in Clinton, so howdy neighbor.

Back to your question, in the past we tried mixing different addresses and groups in the same policy and started getting weird results, mainly some VPN users were getting assigned an IP from the wrong VPN pool. We couldn't make much sense of it, so we stopped trying.

Another question, is there a way to specify where to put the new policy I am adding as I add it? For example, I am cloning policy 123, then when I issue edit 0 to add the new policy, I'd like it to move below policy 123.

Denny

Yurisk
Valued Contributor

Cloning in this case should be quite easy with Notepad++ Find & Replace, as you want to replace just the pool IP, without changing interface names. I moved whole VDOMs with Notepad++ and it was doable but not fun because of interface names.

When creating rules on the CLI, the safe way (IMO) is to create each rule with an increasing ID, then use the move CLI command to place it wherever you need.

E.g. I create a policy with ID 3 and move it before policy 1:

(policy) # edit 3
new entry '3' added
....
next

(policy) # move 3 before 1

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
emnoc
Esteemed Contributor III

Your method is what we do also: grep -f and find the policy, extract, assign policyid 0 and find+replace or unix-sed the changes as required, and ssh bulk re-insert as a script via FortiManager or FortiGate webUI.

This is just part of a fwadmin job, no easy way to skin a live cat ;)

Ken Felix

PCNSE NSE StrongSwan

lobstercreed
Valued Contributor

Hey Denny,

Very cool!  You're the first person I've seen remotely local.  You're running the same boxes we are it looks like too: 1500D.  Let me know if you want to chat sometime.  I'll send you my contact info in PM.

I use multiple users and address groups all the time in policies, but it probably depends how your portal configuration is set up as to whether you would have issues.  Either way you're adding complexity so I guess it's just a matter of picking your poison.  :)

I agree with Yuri on the approach to this.  It feels like a pain but once you've done it, it's really not that bad.  A lot better than copying the policies in the GUI and it'll preserve your comments too.  (When you copy in the GUI it gives you a policy that just says what it's a copy of in the comments.)

- Daniel

blanosko
New Contributor II

Hi, maybe this is a little late but I've been doing it this way:

On the FGT, with this command you can list only the policies containing a string of your liking (the most important part is the -f switch, which lists the rules with context)

show firewall policy | grep -f '<string to find>'

Copy the output to Notepad++ and, with the Replace function and Regex, replace the "set uuid" line with a blank line (you need to click Replace All)

^.*set uuid.*$

Change the policy ID to "    edit 0" (you need to click Replace All)

^.*edit.*$

Delete the arrow symbols. They are appended by the grep -f switch after the matched string which you selected to find in the first command, so you just need to replace them with the same line but without the "<---" symbol

^.*<---.*$

Now clean up the blank lines

Edit > Line Operations > Remove Empty Lines

And now, after you've sanitized and prepared the policies for import, just replace your dstintf or whatever you need for your requirement and copy it to the FGT

Hope this helps anyone. Maybe there is a better/quicker way of doing this, but at least it works.

- Martin

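The thread's recipe as a script (an added example, not code from the thread or from Fortinet): it performs the clean-up steps above (drop "set uuid", strip the "<---" markers that grep -f appends, replace the policy ID), swaps srcaddr and the user group as in the original question, and, following Yuri's advice, gives every clone an explicit ID plus a move command so it lands below its original. The captured sample, the group and pool names, the starting ID 500 and the "-MFA" name suffix are constructed for the example; the "edit" pattern is anchored to whole "edit N" lines, unlike the ^.*edit.*$ regex, so a comment containing the word "edit" is left alone.

```python
import re

# Constructed sample of "show firewall policy | grep -f 'VPN_Users'" output
# (grep -f appends " <---" to the matched line); not a real firewall's config.
SAMPLE = """\
config firewall policy
    edit 123
        set name "SSLVPN-to-LAN"
        set uuid 1c2f3a4e-0000-0000-0000-000000000001
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set groups "VPN_Users" <---
        set comments "edit this later"
    next
end
"""

def clone_policies(text, new_srcaddr, old_group, new_group, first_id, suffix="-MFA"):
    """Emit CLI that clones each captured policy for the MFA group.

    Clones get explicit IDs first_id, first_id+1, ... (choose first_id above
    your highest existing policy ID) and a 'move <new> after <orig>' so each
    lands right below its original; 'set uuid' is dropped, the name gets a
    suffix (FortiOS rejects duplicate policy names), srcaddr is replaced by
    the new pool and the user group is swapped; everything else is copied.
    """
    out, moves, next_id = ["config firewall policy"], [], first_id
    for raw in text.splitlines():
        line = re.sub(r"\s*<---\s*$", "", raw).rstrip()   # drop grep -f marker
        s = line.strip()
        if not s or s in ("config firewall policy", "end") or s.startswith("set uuid "):
            continue
        m = re.fullmatch(r"edit (\d+)", s)   # anchored, so 'edit' inside comments is untouched
        if m:
            orig_id = int(m.group(1))
            out.append(f"    edit {next_id}")
            moves.append(f"    move {next_id} after {orig_id}")
            next_id += 1
        elif s.startswith("set name "):
            out.append(line[:-1] + suffix + '"')     # 'set name "X"' -> 'set name "X-MFA"'
        elif s.startswith("set srcaddr "):
            out.append(f'        set srcaddr "{new_srcaddr}"')
        elif s.startswith("set groups "):
            out.append(line.replace(f'"{old_group}"', f'"{new_group}"'))
        else:
            out.append(line)
    out.extend(moves)   # moves go after all clones exist, still inside the config block
    out.append("end")
    return "\n".join(out)
```

Paste the returned text into the FortiGate CLI (or a FortiManager CLI script) after checking it in a text editor, as the thread already recommends.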