fortipower / powerfgt
PowerShell module to manage Fortinet (FortiGate) Firewall
License: Apache License 2.0
Is there a way that you can create and remove users?
Using your module for FortiGate, is it possible to get the ARP table? I used the following to pull all the different monitors:
Invoke-FGTRestMethod api/v2/monitor/?action=schema -connection $connection | select -Property directory -ExpandProperty directory
I found a monitor for ARP which shows the path is network and the name is ARP, but I get an error when I use the following:
Invoke-FGTRestMethod -method "get" -uri "api/v2/monitor/network/arp"
WARNING: The FortiGate API sends an error message:
WARNING: Error description (code): Not Found (404)
WARNING: Error details: {
"path":"network",
"name":"arp",
"action":"",
"serial":"",
"version":"v6.0.4",
"build":231,
"status":"error",
"http_status":404
}
Unable to use FortiGate API
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.6.1\Private\RestMethod.ps1:171 char:13
+ throw "Unable to use FortiGate API"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Unable to use FortiGate API:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to use FortiGate API
Hello
When using the "Remove-FGTFirewallAddressGroupMember" cmdlet, nothing happens:
Verbose:
PUT https://FORTIGATE_IP/api/v2/cmdb/firewall/addrgrp/GROUP_NAME? with -1-byte payload
received 303-byte response of content type application/json
https://FORTIGATE_IP:443/api/v2/cmdb/firewall/addrgrp?&filter=name==GROUP_NAME
GET https://FORTIGATE_IP/api/v2/cmdb/firewall/addrgrp?&filter=name==GROUP_NAME with 0-byte payload
received 771-byte response of content type application/json
FortiOS version: 6.0.11
This is my query:
Get-FGTLogTraffic -vdom ISSTN -type disk -subtype forward -dstip 8.8.8.8 -rows 10 -since 30d | select srcip, dstip, dstport, proto | Format-Table
and this is the output:
srcip          dstip        dstport proto
-----          -----        ------- -----
172.20.43.24   10.141.64.2     4343     6
10.140.179.209 10.141.64.2     4343     6
10.140.128.2   10.141.64.2     4343     6
172.20.47.79   10.141.64.2     4343     6
10.140.169.27  10.141.64.6     5274     6
10.127.6.1     10.141.64.7     5274     6
10.140.128.2   10.141.64.7      443     6
10.167.0.2     10.141.20.51    8383     6
172.24.55.150  10.141.64.2     4343     6
172.20.39.14   10.141.64.2     8080     6
As you can see, there is no trace of the IP 8.8.8.8 in the dstip column.
Hi,
Thanks for your contribution!
Can you please add the ability to add a security profile to a newly created policy or an existing policy?
Thanks again!
Hello,
I need to use your PowerShell module, but when I try to connect from my admin PowerShell window, it says:
Unable to connect to FortiGate
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.1\Public\Connection.ps1:148 char:13
+ throw "Unable to connect to FortiGate"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Unable to connect to FortiGate:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to connect to FortiGate
I've checked with the option -SkipCertificateCheck, same issue.
I've checked with the option -httpOnly, same issue.
Each time, it asks me to log in.
I found that the HTTPS port of our FortiGate is a port other than 443.
So I ran the command: Connect-FGT "IpAdress":"otherport" -SkipCertificateCheck
Same error:
Unable to connect to FortiGate
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.1\Public\Connection.ps1:148 char:13
+ throw "Unable to connect to FortiGate"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Unable to connect to FortiGate:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to connect to FortiGate
So is it possible to use this module to connect to a FortiGate using a different port for the HTTPS connection?
Thank you in advance.
Regards,
Hi, could you please make the firewall policy name not required? Or let me know how to disable the name property from being required.
Hi Team, I would like to know whether the script supports importing CSV files and looping through each management IP address in the CSV file.
I got the error below when I import it; however, it works fine when looping through it this way:
$unique_device_ips = "172.16.10.10", "172.16.10.11"
Foreach($unique_device_ip in $unique_device_ips) {
Connect-FGT -Server $unique_device_ip -Credentials $psCred -SkipCertificateCheck
}
Unable to connect to FortiGate
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.6.1\Public\Connection.ps1:181 char:17
+ throw "Unable to connect to FortiGate"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Unable to connect to FortiGate:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to connect to FortiGate
Also, I would like to know if there is a way to export every result from the below modules to CSV in one shot:
Get-FGTMonitorSystemFirmware
Get-FGTSystemGlobal
Get-FGTMonitorSystemHAPeer
Get-FGTSystemInterface
Thanks for the quick reply.
API details for Add Firewall Policy?
My use case needs me to explicitly set policy IDs to maintain configuration drift, and the current implementation doesn't allow for this; I've tested out adding this using the REST method and adding the PolicyID property, but that hasn't seemed to work. So I'm wondering if anyone has access to real documentation on the API and can see whether there's an option to do this?
Is there some way to connect to FortiGate on a custom HTTPS port? I don't know anyone who is running the admin/REST interface on the default port 443.
Hi,
How/where can I see if a device update is available via the FGM API or this PowerShell module?
I have tried looking everywhere within this repo but cannot find the information.
TIA
There is a known issue with the address cmdlet.
This issue will be fixed in the next release...
I'm at last able to start focusing on FGT again for a while and started digging into the new capabilities in the 0.4.1 release, but I hit a snag.
Based on the help info, it seems Add-FGTFirewallAddressGroupMember will take pipeline input, so you should be able to Get-FGTFirewallAddressGroup | Add-FGTFirewallAddressGroupMember successfully. I've tried using this combo, and it didn't seem to work and I can't be sure whether it's my understanding, my group/member/firewall, or if it's a bug. What I can however do is use the assignment-then-add-member approach that the help info shows, with the same group and member, which does work.
Error message is shown below (redacted).
PS >
Get-FGTFirewallAddressGroup -vdom root -connection $conn[0] -name TestGroupNameHere | Add-FGTFirewallAddressGroupMember -member TestMemberHere -vdom root
WARNING: The FortiGate API sends an error message:
WARNING: Error description (code): Internal Server Error (500)
WARNING: Error details: {
"http_method":"PUT",
"revision":"537.0.665.2897040576.1559001134",
"error":-3,
"status":"error",
"http_status":500,
"vdom":"root",
"path":"firewall",
"name":"addrgrp",
"mkey":"TestGroupNameHere",
"serial":"",
"version":"",
"build":
}
Unable to use FortiGate API
At C:\Program Files\WindowsPowerShell\Modules\powerfgt\0.4.1\Private\RestMethod.ps1:166 char:13
throw "Unable to use FortiGate API"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : OperationStopped: (Unable to use FortiGate API:String) [], RuntimeException
FullyQualifiedErrorId : Unable to use FortiGate API
The return object of Connect-FGT isn't an object, but a set of objects.
I'd like to have been able to do the following:
$conn = connect-fgt FGT-A.fqdn.com -SkipCertificateCheck -Credentials $fwcred
$conn += connect-fgt FGT-B.fqdn.com -SkipCertificateCheck -Credentials $fwcred
and then later do foreach operations on that. But I found that connection object returned isn't really an object...
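The CSV-driven loop asked about earlier on this page (import a list of management IPs, connect to each unit, collect the output of Get-FGTMonitorSystemFirmware, Get-FGTSystemGlobal, Get-FGTMonitorSystemHAPeer and Get-FGTSystemInterface, export everything to one CSV) and the point just above about accumulating Connect-FGT results, as one added example. This is not PowerFGT's code nor code from any post here. It assumes a CSV column named ManagementIP, that one credential works on every device, and that the firmware object exposes current.version the way the raw system/firmware monitor output does; the two inventory rows are constructed so the script is self-contained.

```powershell
# Added example, not PowerFGT's own code: read a list of management IPs from a
# CSV, connect to each FortiGate in turn, collect inventory facts with the
# cmdlets named above, and export one row per device.
# Assumptions: the CSV has a column named ManagementIP, one credential works on
# every device, and the firmware object exposes current.version as the raw
# system/firmware monitor does. Replace the constructed rows with Import-Csv.

Import-Module PowerFGT

# Constructed sample inventory; in practice: $devices = Import-Csv .\devices.csv
$devices = @(
    [pscustomobject]@{ ManagementIP = '172.16.10.10' }
    [pscustomobject]@{ ManagementIP = '172.16.10.11' }
)
$cred = Get-Credential -Message 'FortiGate API admin'

# A typed list keeps each result a distinct object; "$rows += ..." on an
# array works too, but grows quadratically and unrolls nested collections
$rows = [System.Collections.Generic.List[object]]::new()

foreach ($device in $devices) {
    $ip  = $device.ManagementIP   # pass the column value, not the whole CSV row
    $fgt = $null
    try {
        # -DefaultConnection:$false keeps the connection explicit, so a script
        # can drive several devices without overwriting the module default
        $fgt = Connect-FGT -Server $ip -Credentials $cred -SkipCertificateCheck `
                           -DefaultConnection:$false -Timeout 15

        $firmware  = Get-FGTMonitorSystemFirmware -connection $fgt
        $sysGlobal = Get-FGTSystemGlobal -connection $fgt
        $haPeers   = Get-FGTMonitorSystemHAPeer -connection $fgt
        $wan       = Get-FGTSystemInterface -connection $fgt -name wan -filter_type contains

        $rows.Add([pscustomobject]@{
            ManagementIP = $ip
            Hostname     = $sysGlobal.hostname
            Firmware     = $firmware.current.version
            HAPeers      = @($haPeers).Count
            WANInterface = (@($wan.name) -join ';')
            WANStatus    = (@($wan.status) -join ';')
            Error        = ''
        })
    }
    catch {
        # Record the failure and continue: one unreachable unit must not abort the run
        $rows.Add([pscustomobject]@{
            ManagementIP = $ip
            Hostname     = ''
            Firmware     = ''
            HAPeers      = ''
            WANInterface = ''
            WANStatus    = ''
            Error        = $_.Exception.Message
        })
    }
    finally {
        if ($fgt) { Disconnect-FGT -connection $fgt -Confirm:$false }
    }
}

$rows | Export-Csv -Path .\fortigate-inventory.csv -NoTypeInformation
$rows | Format-Table -AutoSize
```

Each device is handled in its own try/finally, so a unit that throws "Unable to connect to FortiGate" produces a row with the error text instead of stopping the loop, and the session is always closed. If several connections must stay open at the same time, add them to a typed list the same way rather than appending to an array with +=.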
Like *AddressGroup, we need *VipGroup functions
Hi,
I'm having a problem with French accented characters.
For example, if I list address objects:
Get-FGTFirewallAddress | select name
name
----
...
Réseau local
Réseau invité
SSLVPN_TUNNEL_ADDR1
all
none
...
Is there any way to fix this? Or is there anything I can do to convert it on the fly?
Help needed: how do I modify your function, or pass it the correct parameters, so that it works correctly on FortiGate-40C v5.2.15 models?
Yes, I read that your module is only supported from a certain branch. But there is still an API there too, and that means it also has its own principle of operation.
When loading the default values filtered by WAN interface name:
$fw3 = Connect-FGT 192.168.1.99 -SkipCertificateCheck -DefaultConnection:$false -Timeout 15
Get-FGTSystemInterface -connection $fw3 -name wan -filter_type contains | Select name, username, password, status, mode, ip, speed, mtu, mtu-override
Unable to convert value ".." to type "System.Version". Error: "The input string was not in the correct format."
line: 160 character: 111
+ .... $($version.results.current.minor).$($version.results.current.patch)"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo: InvalidArgument: (:) [], RuntimeException
+ FullyQualifiedErrorId: InvalidCastParseTargetInvocation
Please help me understand how to debug this; for whatever reason, the filter does not work!
Thanks in advance!
I totally know how to get access to the .Member property, and suspect that this is just a PS behaviour that can't be overridden, but it'd be nice if it could.
When you use Get-FGTFirewallAddressMember, the output shows up to 4 members and then an ellipsis of members... Is there any way to influence that to report them all?
uuid : 37231bb8-ebc3-51e9-dd1f-a50c2fa0b8cf
member : {@{q_origin_key=H_10.1.0.1; name=H_10.1.0.1},
@{q_origin_key=H_10.1.0.2; name=H_10.1.0.2},
@{q_origin_key=H_10.1.0.3; name=H_10.1.0.3},
@{q_origin_key=H_10.1.0.4; name=H_10.1.0.4}...}
comment :
I have a question about managing the sequence of the policy rules. By default, all rules created are placed in the last position of the Fortinet zone.
Is it possible to define, when the rule is created, its position in the Fortinet zone?
The CLI command on the Fortinet is move <id#> [before|after] <id#>
Thanks in advance
When connecting using /logincheck, the API returns a "status" code (from the REST API Ref 6.0.0x guide):
Code | Description |
---|---|
0 | Log in failure. Most likely an incorrect username/password combo. |
1 | Successful log in* |
2 | Admin is now locked out |
3 | Two-factor Authentication is needed |
And with FortiOS 6.2 (and 6.4), the first connection asks to change the password, and there is a new code 4.
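The status-code handling described in the post above, as an added example that is not PowerFGT's own Connect-FGT code: a small parser that turns a /logincheck response into the numeric status, and a login function that maps it to the table (with code 4 added). The page gives only the code table, so how the code appears in the response is an assumption here: the function accepts both a bare digit body (the ajax=1 form) and a "ret=<n>" parameter in the redirect URL, and the three sample bodies at the end are constructed, not captured from a device. The -SkipCertificateCheck switch is PowerShell 6+ syntax.

```powershell
# Added example, not PowerFGT's own code: log in through /logincheck, read the
# status code the FortiGate returns, and map it to the table above (plus the
# code 4 seen on FortiOS 6.2/6.4).
# ASSUMPTION: the code is carried either as a bare digit body (ajax=1 request)
# or as a "ret=<n>" parameter in the redirect the page answers with; the page
# gives only the code table, the field shapes come from the REST API reference.
# -SkipCertificateCheck is PowerShell 6+ (self-signed device certificate).

$LoginStatus = @{
    0 = 'Log in failure. Most likely an incorrect username/password combo.'
    1 = 'Successful log in'
    2 = 'Admin is now locked out'
    3 = 'Two-factor Authentication is needed'
    4 = 'Password change required (first login on FortiOS 6.2/6.4)'
}

function Get-FGTLoginStatus {
    # Extract the numeric status from a /logincheck response body; -1 when the
    # body carries no code (post-login banner, captive page, ...)
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Body)
    if ($Body -match 'ret=(\d+)')      { return [int]$Matches[1] }   # redirect form
    if ($Body -match '^\s*(\d+)\s*$')  { return [int]$Matches[1] }   # ajax=1 form
    return -1
}

function Invoke-FGTLogin {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$Port = 443
    )
    $uri  = "https://${Server}:${Port}/logincheck"
    $body = @{
        username  = $Credential.UserName
        secretkey = $Credential.GetNetworkCredential().Password
        ajax      = 1
    }
    $response = Invoke-WebRequest -Uri $uri -Method Post -Body $body `
        -SessionVariable session -SkipCertificateCheck -TimeoutSec 15

    $status = Get-FGTLoginStatus -Body $response.Content
    $text = if ($LoginStatus.ContainsKey($status)) { $LoginStatus[$status] } else { 'Unknown status' }
    switch ($status) {
        1       { Write-Verbose "FortiGate login: $text" }
        3       { throw "FortiGate login: $text (FortiToken prompt is not automated here)" }
        default { throw "FortiGate login failed (status $status): $text" }
    }

    # The CSRF cookie value must be sent back as X-CSRFTOKEN on every later
    # request; FortiOS wraps it in double quotes, which are stripped here
    $csrf = ($session.Cookies.GetCookies($uri) | Where-Object Name -eq 'ccsrftoken').Value
    if (-not $csrf) { throw 'Unable to find CSRF cookie' }
    [pscustomobject]@{
        Session = $session
        Headers = @{ 'X-CSRFTOKEN' = $csrf.Trim('"') }
    }
}

# Constructed response bodies (not captured from a device) to exercise the parser offline
Get-FGTLoginStatus -Body 'document.location="/login?ret=0&redir=%2F";'   # 0  -> bad credentials
Get-FGTLoginStatus -Body '1'                                               # 1  -> logged in (ajax form)
Get-FGTLoginStatus -Body '<html>Welcome, please accept the banner</html>'  # -1 -> no code in body

# Real use: $fgt = Invoke-FGTLogin -Server 192.0.2.1 -Credential (Get-Credential)
# then pass -WebSession $fgt.Session -Headers $fgt.Headers to Invoke-RestMethod calls
```

Returning -1 for a body without a code is what separates "wrong password" from "the device answered with something else", which is the situation a post-login banner produces; a caller can then report that distinctly instead of a generic connection failure.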
I can successfully retrieve address information from Get-FGTFirewallAddress, but when piping the output of that to Set-FGTFirewallAddress to make changes to that address I receive an error:
PS C:\Users\a-timothy.murphy> Get-FGTFirewallAddress -name 10.100.13.235
name : 10.100.13.235
q_origin_key : 10.100.13.235
uuid : 8c606492-3fc7-51eb-07bd-d7a98c853186
subnet : 10.100.13.235 255.255.255.255
type : ipmask
sub-type : sdn
clearpass-spt : unknown
start-mac : 00:00:00:00:00:00
end-mac : 00:00:00:00:00:00
country :
cache-ttl : 0
sdn :
fsso-group : {}
interface :
comment : TM 12/16/20
visibility : enable
associated-interface :
color : 0
filter :
sdn-addr-type : private
obj-id :
list : {}
tagging : {}
allow-routing : disable
PS C:\Users\a-timothy.murphy> Get-FGTFirewallAddress -name 10.100.13.235 | Set-FGTFirewallAddress -comment "Test"
Set-FGTFirewallAddress : Cannot validate argument on parameter 'address'. Element specified does not contain an fqdn property.
At line:1 char:46
+ ... lAddress -name 10.100.13.235 | Set-FGTFirewallAddress -comment "Test"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (@{name=10.100.1...outing=disable}:PSObject) [Set-FGTFirewallAddress], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Set-FGTFirewallAddress
Is there any option to fetch and replace a renewed SSL certificate from a local PC,
OR
any option by which we can upload and replace a renewed SSL certificate from a local PC?
Hi Alexis,
Get-FGTMonitorSystemFirmware -upgrade_paths returns a 404 error.
URI called:
Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware/upgrade_paths
URI working:
Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware/upgrade-paths
Made a PR for that #177
Is there a way to pull the number of current dial up IPSec VPN users using this powershell module?
Hello alagoutte,
cls
sl $PSScriptRoot
[Environment]::CurrentDirectory = (Get-Location).Path
$eol = [Environment]::NewLine

# Hide the console window; the script only interacts through the WinForms dialog
Add-Type -Name Window -Namespace Console -MemberDefinition '
[DllImport("Kernel32.dll")]
public static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow);
'
function Hide-Console {
    $consolePtr = [Console.Window]::GetConsoleWindow()
    # 0 = SW_HIDE
    [Console.Window]::ShowWindow($consolePtr, 0)
}
Hide-Console

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
[System.Windows.Forms.Application]::EnableVisualStyles()

# Split the text box content into one string per line, then clear the box
function TextToArray {
    $returndata = @()
    $txtboxdata = New-Object System.IO.StringReader($objTextBox.Text)
    $Linedata = $txtboxdata.ReadLine()
    while ($null -ne $Linedata) {
        $returndata += @($Linedata)
        $Linedata = $txtboxdata.ReadLine()
    }
    $objTextBox.Clear()
    $txtboxdata.Dispose()
    return $returndata
}

# Show a dialog with a multi-line text box and return its lines
function Textbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Label,
        [string]$LabelText
    )
    $objForm = New-Object System.Windows.Forms.Form
    $objForm.Text = $Label
    $objForm.Size = New-Object System.Drawing.Size(300, 415)
    $objForm.AutoSize = $true
    # GrowOnly is a value of AutoSizeMode, not of FormBorderStyle
    $objForm.AutoSizeMode = [System.Windows.Forms.AutoSizeMode]::GrowOnly
    $objForm.StartPosition = "CenterScreen"
    $objForm.MinimumSize = New-Object System.Drawing.Size(200, 30)
    $objForm.MaximumSize = New-Object System.Drawing.Size(600, 600)

    # The click handler runs outside the function scope, so the result is collected in a global
    $global:x = @()
    $OKButton = New-Object System.Windows.Forms.Button
    $OKButton.Location = New-Object System.Drawing.Size(45, 345)
    $OKButton.Size = New-Object System.Drawing.Size(75, 23)
    $OKButton.Text = "OK"
    $OKButton.Add_Click({ $global:x += @(TextToArray); $objForm.Close() })
    $objForm.Controls.Add($OKButton)

    $CancelButton = New-Object System.Windows.Forms.Button
    $CancelButton.Location = New-Object System.Drawing.Size(150, 345)
    $CancelButton.Size = New-Object System.Drawing.Size(90, 23)
    $CancelButton.Text = "Cancel"
    $CancelButton.DialogResult = [System.Windows.Forms.DialogResult]::Cancel
    $objForm.CancelButton = $CancelButton
    $objForm.Controls.Add($CancelButton)

    $objLabel = New-Object System.Windows.Forms.Label
    $objLabel.Location = New-Object System.Drawing.Point(22, 20)
    $objLabel.Size = New-Object System.Drawing.Size(280, 20)
    $objLabel.Text = $LabelText
    $objForm.Controls.Add($objLabel)

    $objTextBox = New-Object System.Windows.Forms.TextBox
    $objTextBox.Location = New-Object System.Drawing.Size(10, 40)
    $objTextBox.Size = New-Object System.Drawing.Size(260, 300)
    $objTextBox.Multiline = $true
    $objTextBox.ScrollBars = "Vertical"
    $objForm.Controls.Add($objTextBox)

    $objForm.Topmost = $true
    $objForm.Add_Shown({ $objForm.Activate() })
    $result = $objForm.ShowDialog()
    return $global:x
}

#########
# Ask for the FortiGate addresses (one per line) and split them by reachability
$serverlist = @()
$serverlist += @(Textbox "FGT by Fortigate" "obj. From FGT:")
($online, $offline) = $serverlist.Where({ Test-Connection $_ -Count 1 -Delay 1 -Quiet }, "split")

$online.ForEach({
    $fs = Connect-FGT $_ -SkipCertificateCheck -DefaultConnection:$false -Timeout 15
    $result = Get-FGTSystemFirmware -connection $fs -name fortios -filter_type contains | Select platform-id
    # $netWAN, $netNAME, $statusWan1, $statusWan2 and the CONFIG_* template
    # functions are built in the part of the script left out here
    switch ($result."platform-id") {
        FGT30E {
            ### many conditions, later the output of the received variables and the generation of the file.
            $MyPath = "Configs\30E\$($netWAN.mode)____FG$($netNAME)__30E.conf"
            $MyFile = (CONFIG_30E_u) -replace "(?m)^\s*`n", ''
        }
        FGT30D {
            ### many conditions, later the output of the received variables and the generation of the file.
            $MyPath = "Configs\30D\$($netWAN.mode)____FG$($netNAME)__30D.conf"
            $MyFile = (CONFIG_30D_u) -replace "(?m)^\s*`n", ''
        }
        FGT40F {
            ### many conditions, later the output of the received variables and the generation of the file.
            $MyPath = "Configs\40F\$($netWAN.mode)____FG$($netNAME)__40F.conf"
            $MyFile = (CONFIG_40F_u) -replace "(?m)^\s*`n", ''
        }
        Default {
            ### many conditions, later the output of the received variables and the generation of the file.
            $MyPath = "Configs\40C\$($statusWan1)-$($statusWan2)____FG$($netNAME)__40C.conf"
            $MyFile = (CONFIG_40C_t) -replace "(?m)^\s*`n", ''
        }
    }
    # Write the generated configuration as UTF-8 without BOM
    $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $false
    [System.IO.File]::WriteAllLines($MyPath, $MyFile, $Utf8NoBomEncoding)
    # Disconnect once here instead of inside every switch branch and again afterwards
    Disconnect-FGT -connection $fs -confirm:$false
})

$offline.ForEach({
    "$_ ***offline***" | Out-File Offline.txt -Append
})
Thanks in advance for your help.
Hi!!
I'm trying to remove a member from an address group and that doesn't work. I see, when verbose mode is enabled, that the member I'm trying to remove is not listed, but after the command it is listed again!
command used:
`Get-FGTFirewallAddressGroup -name "Windows2008" | Remove-FGTFirewallAddressGroupMember -verbose -member $Inputmachine`
Output:
VERBOSE: {
"member": {
"name": "04chrtr00035.04trvr08.reg04.rtss.qc.ca_fqdn"
}
}
VERBOSE: PUT https://10.38.220.221/api/v2/cmdb/firewall/addrgrp/Windows 2008?&vdom=WAN with -1-byte payload
VERBOSE: received 278-byte response of content type application/json
VERBOSE: GET https://10.38.220.221/api/v2/cmdb/firewall/addrgrp?&vdom=WAN&filter=name==Windows 2008 with 0-byte payload
VERBOSE: received 798-byte response of content type application/json
name : Windows 2008
q_origin_key : Windows 2008
uuid : d5539d2c-621e-51ea-61ad-45d8d89f136d
member : {@{name=04chrtr00035.04trvr08.reg04.rtss.qc.ca_fqdn; q_origin_key=04chrtr00035.04trvr08.reg04.rtss.qc.ca_fqdn}, @{name=mcq04000389; q_origin_key=mcq04000389}}
comment :
visibility : enable
color : 0
tags : {}
allow-routing : disable
Pascal
I've been trying to add a VIP for a UDP port, and don't get an error but the VIP is always created with TCP instead. Has anyone else tried / tested this?
These two statements are part of a script I am using to create these; as you can see, they're identical in parameters except the -protocol option (I do manipulate the VIP name in $prtname and the $mappedport and $extport items so they're unique)
Add-FGTFirewallVip -connection $conn[0] -vdom root -type static-nat -name $prtname `
-extip $ext_ip -mappedip $mappedip -mappedport $mappedport `
-comment "Printer for client $($prt.client)" -portforward -protocol UDP -extport $extport
Add-FGTFirewallVip -connection $conn[0] -vdom root -type static-nat -name $prtname `
-extip $ext_ip -mappedip $mappedip -mappedport $mappedport `
-comment "Printer for client $($prt.client)" -portforward -protocol TCP -extport $extport
When I execute them, the first one is correct except for it being a TCP not UDP VIP, and the second is always fine.
I can't see any recent activity in vip.ps1 that looks relevant, and the version I have running was loaded at the beginning of the year in my initial 0.4.1 load.
Any thoughts, anyone else used it and had different results?
Hello, there is a problem with the "Move-FGTFirewallPolicy" function.
If no default connection is specified, the function returns an error when calling the last command "Get-FGTFirewallPolicy -policyid $policy.policyid" inside the function.
Can you add "-connection $connection" at the end of the line?
Thanks.
Regards.
When trying to connect with v0.5.0 I got the following error:
PS C:\scripts\> Connect-FGT -Server xxx.xxx.xxx.xxx -SkipCertificateCheck -Username xxx -Password $pass
Unable to found CSRF Cookie
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.1\Public\Connection.ps1:161 char:13
+ throw "Unable to found CSRF Cookie"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Unable to found CSRF Cookie:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to found CSRF Cookie
I made sure to uninstall the old v0.4.1 module but still the error is there.
Hi,
Here's a little function I wrote to compute the upgrade path.
Function Get-FirmwareUpdate {
    # Query the firmware monitor once: it lists the running release and the
    # releases available for this platform
    $firmware = Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware
    $FortiOS = $firmware.results.current
    $Update = $firmware.results.available | Select-Object -First 1

    if (-not $Update) {
        # No firmware available (support expired)
        return [pscustomobject]@{
            "Installed" = $FortiOS.version
            "Available" = "N/A"
        }
    }

    # Compare the version strings, not the objects: -eq between two
    # PSCustomObjects compares references and is never true
    if ($FortiOS.version -eq $Update.version) {
        # Firmware is up to date
        return [pscustomobject]@{
            "Installed" = $FortiOS.version
            "Available" = $Update.version
        }
    }

    # Firmware is not up to date: walk the upgrade-paths list from the
    # running release until the latest available release is reached
    $paths = Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware/upgrade-paths | Select-Object -ExpandProperty results
    $major = $FortiOS.major
    $minor = $FortiOS.minor
    $patch = $FortiOS.patch
    $upgradePath = "v$($major).$($minor).$($patch)"
    Do {
        $nextFirmware = $paths |
            Where-Object { $_.from.major -eq $major -and $_.from.minor -eq $minor -and $_.from.patch -eq $patch } |
            Select-Object -First 1
        if (-not $nextFirmware) {
            # No further hop known for this release: stop instead of looping forever
            $upgradePath += " -> (no upgrade path found)"
            break
        }
        $major = $nextFirmware.to.major
        $minor = $nextFirmware.to.minor
        $patch = $nextFirmware.to.patch
        $upgradePath += " -> v$($major).$($minor).$($patch)"
    } Until ($major -eq $Update.major -and $minor -eq $Update.minor -and $patch -eq $Update.patch)

    [pscustomobject]@{
        "Installed"    = $FortiOS.version
        "Available"    = $Update.version
        "Upgrade Path" = $upgradePath
    }
}
Get-FirmwareUpdate
Installed Available Upgrade Path
--------- --------- ------------
v6.0.13 v7.0.5 v6.0.13 -> v6.2.10 -> v6.4.8 -> v7.0.5
Tested with various firmware releases (v6.0.8 through 6.4.4): Connect-FGT fails if a post-login-banner is configured.
PowerFGT version 0.5.0
Unable to found FGT version
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.5.0\Public\Connection.ps1:176 char:13
+ throw "Unable to found FGT version"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Unable to found FGT version:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to found FGT version
If the post-login-banner is removed, login works as expected:
config system global
set post-login-banner disable
Please add a feature to add a MAC address to an Address or Address Group.
With FortiGate 6.2.x, there is also a description (comment) field.
It needs to be added on the Add/Set System Zone cmdlets.
Hi,
When I use your module to manage the policies of the Fortinet, I have noticed that when I launch the Remove-FGTFirewallPolicyMember command, the command is executed without error but the action isn't applied.
Also, I have a second question about managing the sequence of the policy rules. Can the module manage the sequence of the policy rules?
Thanks in advance for your response.
Regards,
Loving this Module so far!
Running into an issue where a few clients will not connect and Connect-FGT will not time out.
It looks like the Invoke-WebRequest in "Connection.ps1" on line 135 needs a -timeout added and parameterized with a default.
The default timeout of Invoke-WebRequest seems to be over 5 minutes.
FortiManager can use like or contains for filtering;
it is more limited with FortiGate (equal or contains actually).
Need to replace contains with like to align with PowerFMG.
Hello, is there a way to connect to prompt for FortiToken? Thank you!
The module doesn't yet support accounts with access to multiple VDOMs.
The account can only have access to one VDOM.
Hi,
When importing the module the first time, you will get the following error:
C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.0\PowerFGT.psm1 : Failed to import function C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.0\Public\Deploy.ps1: The script "Deploy.ps1" cannot be run because the following modules specified in the "#requires" statements of the script are missing:
VMware.VimAutomation.Common.
At line:1 char:1
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,PowerFGT.psm1
This can be solved by installing the missing module using:
Install-Module VMware.VimAutomation.Common
Maybe this can be fixed in the initial module installation.
Best Regards
Gerald Gaugusch
working command:
Get-FGTLogTraffic -vdom FW-ASL8 -type fortianalyzer -subtype forward -dstip 8.8.8.8 -rows 10 -since 1h | select srcip, dstip, dstport, proto, date, time, action | Format-Table
srcip         dstip   dstport proto date       time     action
-----         -----   ------- ----- ----       ----     ------
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:41:56 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:41:49 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:41:40 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:41:17 accept
172.23.100.31 8.8.8.8      53    17 2023-12-04 09:40:58 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:40:40 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:40:40 dns
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:40:28 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:39:35 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:39:23 accept
not working command:
Get-FGTLogTraffic -vdom FW-ASL8 -type fortianalyzer -subtype forward -srcip 172.23.100.21 -dstip 8.8.8.8 -rows 10 -since 1h | select srcip, dstip, dstport, proto, date, time, action | Format-Table
Get-FGTLogTraffic: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.
Am I doing something wrong or is this how it's supposed to work?
In any case, is it possible to concatenate the source address and destination address in the Get-FGTLogTraffic function?
Is it possible to define networks? (e.g. 10.0.0.1/24)
Thank you in advance for your valuable support.
Hey there, I just checked and couldn't see any info on how the Confirm-* cmdlets were expected to be used, so I thought I'd ask!
One of the most common things that I have to do, and that I'd love to script, is to add a new IP address, then add that as a member to an address group. When do you think we might see Set-* and Add-* capabilities?
As a side question, I'm still digging in to the capabilities, but wondered is there an easy way to pipeline entries from the member list of an address group to get the address values? Here's a hypothetical example of what I'm talking about:
(Get-FGTFirewallAddressgroup -connection $FG -vdom root | where name -like "MySpecialGroup").member | Get-FGTFirewallAddress
It would be great to add support for reading and writing DHCP server configuration.
I am trying to retrieve all interfaces belonging to a certain VDOM:
`$SourceInterfaces = Get-FGTSystemInterface -connection $SourceConnection -filter_attribute vdom -filter_type equal -filter_value $SourceVDOM`
But this doesn't seem to work.
Hi
I have a question about the cmdlet Remove-FGTFirewallPolicy: is it possible to use the cmdlet Remove-FGTFirewallPolicy directly with the name parameter, or must we do Get-FGTFirewallPolicy -name XXX | Remove-FGTFirewallPolicy?
Thank in advance
Regards,
Powershell version: 5.1 and 7.3.7
Fortigate version: 7.0.12
Example without "-since" parameter:
PS Z:\FortiACL> Get-FGTLogTraffic -vdom XXXXXX -type fortianalyzer -subtype forward -policyid XXXX -rows 1 | select srcip, dstip, dstport, proto | Format-Table
srcip   dstip   dstport proto
-----   -----   ------- -----
x.x.x.x x.x.x.x   49155     6
Error with "-since" parameter:
PS Z:\FortiACL> Get-FGTLogTraffic -vdom XXXXX -type fortianalyzer -subtype forward -policyid XXXX -since 1h -rows 1 | select srcip, dstip, dstport, proto | Format-Table
InvalidArgument: C:\Users\user\Documents\PowerShell\Modules\PowerFGT\0.7.0\Public\log\traffic.ps1:189
Line |
189 | $filter_value += "&filter=" + $filter
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot convert value "&filter=_metadata.timestamp>=1695801386405" to type "System.Int32". Error: "The input
| string '&filter=_metadata.timestamp>=1695801386405' was not in a correct format."
srcip   dstip   dstport proto
-----   -----   ------- -----
x.x.x.x x.x.x.x   49155     6
OT:
If I use "-type memory" or "-type disk" I always receive empty output.
Good day.
I am interested in the ability to extract the password from the phase of the tunnel, even if it is encrypted,
in a form such as:
psksecret ENC ppDZlb3tJGNOcQqwi7O8ER/eOA2iYkzgfxWtDVkOZPnctdgBrJ7+F/QhwYnYt+J6YR
$mysecpassword = ConvertTo-SecureString "testtss" -AsPlainText -Force
#$fw3 = Connect-FGT 192.168.1.99 -Username admin -Password $mysecpassword -SkipCertificateCheck -DefaultConnection:$false
<# Splatting
-name: if I want to add more than one interface name, I had to get around it like this.
#>
$names = @(@{name = "tunnel1"}, @{name = "tunnel2"}, @{name = "tunnel3"}, @{name = "tunnel4"})
foreach ($nam in $names) {
    # each hashtable is splatted as -name <value>
    Get-FGTVpnIpsecPhase1Interface -connection $fw3 @nam -filter_type contains | Select mode, name, psksecret
}
mode       name    psksecret
----       ----    ---------
aggressive tunnel1 ENC XXXX
aggressive tunnel2 ENC XXXX
aggressive tunnel3 ENC XXXX
aggressive tunnel4 ENC XXXX
As a result, what I get in the output for the passwords is
XXXX!!! What...
I leafed through the API, but I could not figure out how to pull the values in their normal form. Without decryption... that is not important to me...
I ask you to suggest any options. Yes, via SSH it shows; why then does it not work here?
Hi Alexis,
Found a bug in Get-FGTMonitorSystemConfigBackup: this function isn't working.
It returns $response.results
but it should return $response.
Also fixed in PR #177
Will you be implementing IPv6 support on all current GET/ADD/SET/REMOVE methods?
From FortiOS 5.6, it is possible to use a token for access to the API,
but you need to specify Trusted Hosts (and 0.0.0.0/0 is not allowed...).
There is also an API call to generate a token:
POST /api/v2/monitor/system/api-user/generate-key?vdom=root
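The token workflow described above, as an added example that is not PowerFGT's own code: one function that calls the generate-key monitor endpoint for an existing REST API admin, and one that uses the resulting token in an Authorization header for ordinary API calls. Assumptions: an api-user named "powerfgt-api" already exists with a trusted-host entry covering the workstation (the unit refuses an api-user without trusted hosts, and 0.0.0.0/0 is not accepted, as the post says); $fgtSession and $fgtHeaders hold a WebRequestSession and the X-CSRFTOKEN header from an earlier /logincheck login; the generated key is returned in results.access_token; the device certificate is self-signed, so the PowerShell 6+ -SkipCertificateCheck switch is used.

```powershell
# Added example, not PowerFGT's own code: generate the key of a REST API admin
# with the monitor call above, then call the API with it in an Authorization
# header instead of a /logincheck session.
# Assumptions: an api-user named "powerfgt-api" already exists with a
# trusted-host entry covering this workstation; $fgtSession / $fgtHeaders come
# from an earlier /logincheck login (WebRequestSession + X-CSRFTOKEN header);
# the key is returned in results.access_token; -SkipCertificateCheck is
# PowerShell 6+ (self-signed device certificate).

function New-FGTApiKey {
    # One-time: (re)generate the key of an API admin. The key is shown once;
    # keep it in a secret store, never in the script.
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$ApiUser,
        [Parameter(Mandatory)]$Session,             # WebRequestSession from /logincheck
        [Parameter(Mandatory)][hashtable]$Headers,  # must carry X-CSRFTOKEN
        [string]$Vdom = 'root'
    )
    $uri  = "https://$Server/api/v2/monitor/system/api-user/generate-key?vdom=$Vdom"
    $body = @{ 'api-user' = $ApiUser } | ConvertTo-Json
    $r = Invoke-RestMethod -Uri $uri -Method Post -Body $body -ContentType 'application/json' `
        -WebSession $Session -Headers $Headers -SkipCertificateCheck
    return $r.results.access_token
}

function Invoke-FGTTokenRequest {
    # Every later call: the token travels in the Authorization header, so it
    # does not end up in URL logs the way the ?access_token= form would
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Path,        # e.g. api/v2/cmdb/system/global
        [Parameter(Mandatory)][securestring]$Token,
        [string]$Vdom = 'root'
    )
    $plain   = [System.Net.NetworkCredential]::new('', $Token).Password
    $headers = @{ Authorization = "Bearer $plain" }
    Invoke-RestMethod -Uri "https://${Server}/${Path}?vdom=${Vdom}" -Headers $headers `
        -Method Get -SkipCertificateCheck
}

# Generate once, then keep the key only as a SecureString in memory
$key   = New-FGTApiKey -Server 192.0.2.1 -ApiUser powerfgt-api -Session $fgtSession -Headers $fgtHeaders
$token = ConvertTo-SecureString $key -AsPlainText -Force
(Invoke-FGTTokenRequest -Server 192.0.2.1 -Path api/v2/cmdb/system/global -Token $token).results.hostname
```

Generating the key needs a normal authenticated session (the CSRF token included), which is why the first function still takes the /logincheck session; once the key exists, no session or CSRF cookie is involved, and the trusted-host list on the api-user is what limits where the token can be used from.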