powerfgt's People

Contributors

alagoutte, benper44, chisho21, cool34000, davehope, jelmerj, jikodis, poundy, tuurtje


powerfgt's Issues

Getting Arp Table

Using your module for FortiGate, is it possible to get the ARP table? I used the following to pull all the different monitors:
Invoke-FGTRestMethod api/v2/monitor/?action=schema -connection $connection | select -Property directory -ExpandProperty directory
I found a monitor for ARP which shows the path is network and the name is ARP, but I get an error when I use the following:

Invoke-FGTRestMethod -method "get" -uri "api/v2/monitor/network/arp"

WARNING: The FortiGate API sends an error message:
WARNING: Error description (code): Not Found (404)
WARNING: Error details: {
  "path":"network",
  "name":"arp",
  "action":"",
  "serial":"",
  "version":"v6.0.4",
  "build":231,
  "status":"error",
  "http_status":404
}
Unable to use FortiGate API
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.6.1\Private\RestMethod.ps1:171 char:13
+             throw "Unable to use FortiGate API"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Unable to use FortiGate API:String) [], RuntimeException
    + FullyQualifiedErrorId : Unable to use FortiGate API

When using the "Remove-FGTFirewallAddressGroupMember" cmdlet, nothing happens

Hello
When using the "Remove-FGTFirewallAddressGroupMember" cmdlet, nothing happens:

Verbose:
PUT https://FORTIGATE_IP/api/v2/cmdb/firewall/addrgrp/GROUP_NAME? with -1-byte payload
received 303-byte response of content type application/json
https://FORTIGATE_IP:443/api/v2/cmdb/firewall/addrgrp?&filter=name==GROUP_NAME
GET https://FORTIGATE_IP/api/v2/cmdb/firewall/addrgrp?&filter=name==GROUP_NAME with 0-byte payload
received 771-byte response of content type application/json

FortiOS version: 6.0.11

Unexpected behavior with log search - Get-FGTLogTraffic

This is my query:

Get-FGTLogTraffic -vdom ISSTN -type disk -subtype forward -dstip 8.8.8.8 -rows 10 -since 30d | select srcip, dstip, dstport, proto | Format-Table

and this is the output:

srcip          dstip        dstport proto
-----          -----        ------- -----
172.20.43.24   10.141.64.2     4343     6
10.140.179.209 10.141.64.2     4343     6
10.140.128.2   10.141.64.2     4343     6
172.20.47.79   10.141.64.2     4343     6
10.140.169.27  10.141.64.6     5274     6
10.127.6.1     10.141.64.7     5274     6
10.140.128.2   10.141.64.7      443     6
10.167.0.2     10.141.20.51    8383     6
172.24.55.150  10.141.64.2     4343     6
172.20.39.14   10.141.64.2     8080     6

As you can see, there is no trace of the IP 8.8.8.8 in the dstip column.

Is PowerFGT able to connect to another port than 443 or 80 ?

Hello,

I need to use your PowerShell module, but when I'm trying to connect from my admin PowerShell window, it says:

Unable to connect to FortiGate
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.1\Public\Connection.ps1:148 char:13
+             throw "Unable to connect to FortiGate"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (Unable to connect to FortiGate:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to connect to FortiGate

I've checked with the option -SkipCertificateCheck, same issue.
I've checked with the option -httpOnly, same issue.

Each time, it asks me to log in.

I've found that the HTTPS port of our FortiGate is a port other than 443.
So I ran the command: Connect-FGT "IpAdress":"otherport" -SkipCertificateCheck
Same error :

Unable to connect to FortiGate
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.1\Public\Connection.ps1:148 char:13
+             throw "Unable to connect to FortiGate"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (Unable to connect to FortiGate:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to connect to FortiGate

So is it possible to use this module to connect to a FortiGate using a different port for the HTTPS connection?

Thank you in advance.

Regards,

Allow unnamed Firewall Policy

Hi, could you please make the firewall policy name not required? Or let me know how to disable the name property from being required

Reg Connect-FGT

Hi Team, I would like to know whether the script supports importing CSV files and looping through each management IP address in the CSV file.

I got the below error when I import it; however, it works fine when looping through it this way:

$unique_device_ips = "172.16.10.10", "172.16.10.11"
Foreach($unique_device_ip in $unique_device_ips) { 
Connect-FGT -Server $unique_device_ip -Credentials $psCred -SkipCertificateCheck
}

Unable to connect to FortiGate
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.6.1\Public\Connection.ps1:181 char:17
+                 throw "Unable to connect to FortiGate"
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (Unable to connect to FortiGate:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to connect to FortiGate

Also, I would like to know if there is a way to export every result from the below cmdlets to CSV in one shot:

Get-FGTMonitorSystemFirmware
Get-FGTSystemGlobal 
Get-FGTMonitorSystemHAPeer
Get-FGTSystemInterface

Thanks for the quick reply.

Create new policy with defined PolicyID

API details for Add Firewall Policy?
My use case needs me to explicitly set policy IDs to maintain configuration drift, and the current implementation doesn't allow for this; I've tested out adding this using the REST method and adding the PolicyID property, but that hasn't seemed to work. So I'm wondering if anyone has access to real documentation on the API and can see whether there's an option to do this?

Custom HTTPS port?

Is there some way to connect to FortiGate on a custom HTTPS port? I don't know anyone who is running the admin/REST interface on the default 443 port.

Check if device update is available

Hi,

How/where can I see if a device update is available via the FGM API or this PowerShell module?
I have tried looking everywhere within this repo but cannot find the information.

TIA

Address : Known issue

There are some known issues with the address cmdlets:

  • Only ipmask (subnet) addresses are supported for the moment
  • The interface is not checked for existence when adding or editing
  • search/match is done by PowerShell (via Where-Object) and not directly using the API
  • The address is not checked for being in use before modifying/removing

These issues will be fixed in a future release...

pipeline for Add-FGTFirewallAddressGroupMember returns 500

I'm at last able to start focusing on FGT again for a while and started digging into the new capabilities in the 0.4.1 release, but I hit a snag.

Based on the help info, it seems Add-FGTFirewallAddressGroupMember will take pipeline input, so you should be able to Get-FGTFirewallAddressGroup | Add-FGTFirewallAddressGroupMember successfully. I've tried using this combo, and it didn't seem to work and I can't be sure whether it's my understanding, my group/member/firewall, or if it's a bug. What I can however do is use the assignment-then-add-member approach that the help info shows, with the same group and member, which does work.

Error message is shown below (redacted).

PS > 
Get-FGTFirewallAddressGroup -vdom root -connection $conn[0] -name TestGroupNameHere | Add-FGTFirewallAddressGroupMember -member TestMemberHere -vdom root

WARNING: The FortiGate API sends an error message:
WARNING: Error description (code): Internal Server Error (500)
WARNING: Error details: {
  "http_method":"PUT",
  "revision":"537.0.665.2897040576.1559001134",
  "error":-3,
  "status":"error",
  "http_status":500,
  "vdom":"root",
  "path":"firewall",
  "name":"addrgrp",
  "mkey":"TestGroupNameHere",
  "serial":"",
  "version":"",
  "build":
}
Unable to use FortiGate API
At C:\Program Files\WindowsPowerShell\Modules\powerfgt\0.4.1\Private\RestMethod.ps1:166 char:13
+             throw "Unable to use FortiGate API"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Unable to use FortiGate API:String) [], RuntimeException
    + FullyQualifiedErrorId : Unable to use FortiGate API

Return object of Connect-FGT is not an object

The return object of Connect-FGT isn't an object, but a set of objects.

I'd like to have been able to do the following:

$conn = connect-fgt FGT-A.fqdn.com -SkipCertificateCheck -Credentials $fwcred
$conn += connect-fgt FGT-B.fqdn.com -SkipCertificateCheck -Credentials $fwcred

and then later do foreach operations on that. But I found that connection object returned isn't really an object...

Bug with diacritics

Hi,

I'm having a problem with French accented characters.
For example, if I list addresses objects:

Get-FGTFirewallAddress | select name

name
----
...
Réseau local
Réseau invité
SSLVPN_TUNNEL_ADDR1
all
none
...

Is there any way to fix this? Or is there anything I can do to convert it on the fly?

Filtering does not work correctly in old operating systems (5.x)

Please help me figure this out: how do I modify your function, or pass it the correct parameters, so that it works correctly on FortiGate-40C v5.2.15 models?
Yes, I read that your module is only supported from a certain branch, but there is still an API, which means it has its own way of working.
When loading the default value filtered by WAN interface name:

$fw3 = Connect-FGT 192.168.1.99 -SkipCertificateCheck -DefaultConnection:$false -Timeout 15
Get-FGTSystemInterface -connection $fw3 -name wan -filter_type contains | Select name, username, password, status, mode, ip, speed, mtu, mtu-override

  1. This error appears:
Unable to convert value ".." to type "System.Version". Error: "The input string was not in the correct format."
line: 160 character: 111
+ .... $($version.results.current.minor).$($version.results.current.patch)"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo: InvalidArgument: (:) [], RuntimeException
    + FullyQualifiedErrorId: InvalidCastParseTargetInvocation
  2. The script does run, but, as I diagnosed, filtering by the "-name wan" key does not work;
    instead I get the whole list of interfaces.
    No matter what filtering key I use, it simply does not work.

Please help me understand how to debug why the filter does not work!

Thanks in advance!

Get-FGTFirewallAddressGroup return showing only 4x member entries...

I totally know how to get access to the .Member property, and suspect that this is just a PS behaviour that can't be overridden, but it'd be nice if it could.
When you use Get-FGTFirewallAddressMember, the output shows up to 4 members and then an ellipsis of members... Is there any way to influence that to report them all ?

uuid          : 37231bb8-ebc3-51e9-dd1f-a50c2fa0b8cf
member        : {@{q_origin_key=H_10.1.0.1; name=H_10.1.0.1}, 
                @{q_origin_key=H_10.1.0.2; name=H_10.1.0.2}, 
                @{q_origin_key=H_10.1.0.3; name=H_10.1.0.3}, 
                @{q_origin_key=H_10.1.0.4; name=H_10.1.0.4}...}
comment       : 

Allow to organize policy in the Fortigate

I have a question about managing the sequence of the policy rules. By default, all created rules are placed in the last position of the Fortinet zone.

Is it possible to define the rule's position in the Fortinet zone when it is created?

The CLI command on the Fortinet is: move <id#> [before|after] <id#>

Thanks in advance

Check code return when connect

When connecting using /logincheck, the API returns a "status" code (from the REST API Reference 6.0.0x guide):

Code  Description
0     Log in failure. Most likely an incorrect username/password combo.
1     Successful log in*
2     Admin is now locked out
3     Two-factor Authentication is needed

And with FortiOS 6.2 (and 6.4), the first connection asks to change the password, and there is a new code 4.
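As an added example (not PowerFGT's own code), a function that performs the /logincheck call and maps the returned status code to an outcome, including the new code 4; the form fields (username, secretkey, ajax=1), the "status digit first" layout of the response body, and the function and parameter names are assumptions made here.

```powershell
# Added example, not PowerFGT's code. Assumptions: /logincheck accepts the form fields
# username, secretkey and ajax=1, and with ajax=1 the response body starts with the
# status digit from the table above. Function and parameter names are made up here.
function Invoke-FGTLoginCheck {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][pscredential]$Credential,
        [int]$Port = 443,
        [switch]$SkipCertificateCheck   # needs PowerShell 7 (Invoke-WebRequest -SkipCertificateCheck)
    )
    $body = @{
        username  = $Credential.UserName
        secretkey = $Credential.GetNetworkCredential().Password
        ajax      = 1
    }
    $params = @{
        Uri             = "https://${Server}:${Port}/logincheck"
        Method          = 'POST'
        Body            = $body
        SessionVariable = 'session'   # keeps the cookies of a successful login
        TimeoutSec      = 15          # do not hang on hosts that never answer
    }
    if ($SkipCertificateCheck) { $params.SkipCertificateCheck = $true }

    $response = Invoke-WebRequest @params
    if ($response.Content -notmatch '^\s*(\d)') {
        throw "Unexpected /logincheck response body: $($response.Content)"
    }
    $code = [int]$Matches[1]

    # The outcome is decided by the status code, not by the HTTP status (200 in every case)
    $result = [pscustomobject]@{
        Server  = $Server
        Code    = $code
        Success = ($code -eq 1)
        Message = ''
        Session = $null
    }
    switch ($code) {
        0 { $result.Message = 'Log in failure. Most likely an incorrect username/password combo.' }
        1 { $result.Message = 'Successful log in'; $result.Session = $session }
        2 { $result.Message = 'Admin is now locked out (do not retry until the lockout expires)' }
        3 { $result.Message = 'Two-factor authentication is needed' }
        4 { $result.Message = 'Password change required on first login (FortiOS 6.2/6.4)' }
        default { $result.Message = "Unknown status code $code" }
    }
    return $result
}

# Usage (placeholder address):
# $r = Invoke-FGTLoginCheck -Server 192.0.2.1 -Credential (Get-Credential) -SkipCertificateCheck
# if (-not $r.Success) { throw "$($r.Server): $($r.Message) (code $($r.Code))" }
```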

Set/Remove-FGTFirewallAddress not working when piping object from Get-FGTFirewallAddress

I can successfully retrieve address information from Get-FGTFirewallAddress, but when piping the output of that to Set-FGTFirewallAddress to make changes to that address I receive an error:

PS C:\Users\a-timothy.murphy> Get-FGTFirewallAddress -name 10.100.13.235

name                 : 10.100.13.235
q_origin_key         : 10.100.13.235
uuid                 : 8c606492-3fc7-51eb-07bd-d7a98c853186
subnet               : 10.100.13.235 255.255.255.255
type                 : ipmask
sub-type             : sdn
clearpass-spt        : unknown
start-mac            : 00:00:00:00:00:00
end-mac              : 00:00:00:00:00:00
country              :
cache-ttl            : 0
sdn                  :
fsso-group           : {}
interface            :
comment              : TM 12/16/20
visibility           : enable
associated-interface :
color                : 0
filter               :
sdn-addr-type        : private
obj-id               :
list                 : {}
tagging              : {}
allow-routing        : disable



PS C:\Users\a-timothy.murphy> Get-FGTFirewallAddress -name 10.100.13.235 | Set-FGTFirewallAddress -comment "Test"
Set-FGTFirewallAddress : Cannot validate argument on parameter 'address'. Element specified does not contain an fqdn
property.
At line:1 char:46
+ ... lAddress -name 10.100.13.235 | Set-FGTFirewallAddress -comment "Test"
+                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (@{name=10.100.1...outing=disable}:PSObject) [Set-FGTFirewallAddress], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Set-FGTFirewallAddress

Upgrade path error

Hi Alexis,

Get-FGTMonitorSystemFirmware -upgrade_paths returns a 404 error.
URI called:
Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware/upgrade_paths
URI working:
Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware/upgrade-paths

Made a PR for that #177

Display the progress BAR

hello alagoutte))

A question ...
How do I organize a progress bar?
For example, if I use Connection in stages to objects
..
In my case, I just close the PowerShell window
and the script is executed.
As an observer, I remain unaware of what is happening ..
..
If you have an implementation of the progress bar, please tell me .. how to implement it ...

cls
sl $PSScriptRoot
[Environment]::CurrentDirectory = gl
$eol = [Environment]::NewLine

# Win32 calls used to hide the console window while the script runs
Add-Type -Name Window -Namespace Console -MemberDefinition '
[DllImport("Kernel32.dll")]
public static extern IntPtr GetConsoleWindow();

[DllImport("user32.dll")]
public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow);
'
function Hide-Console
{
    $consolePtr = [Console.Window]::GetConsoleWindow()
    # 0 = SW_HIDE
    [Console.Window]::ShowWindow($consolePtr, 0) | Out-Null
}
Hide-Console


Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
[System.Windows.Forms.Application]::EnableVisualStyles()

# Split the text of a multi-line textbox into one array element per line.
# The textbox is passed in explicitly rather than read from the caller's scope.
function TextToArray {
    param([System.Windows.Forms.TextBox]$TextBox)
    $returndata = @()
    $txtboxdata = New-Object System.IO.StringReader($TextBox.Text)
    $Linedata = $txtboxdata.ReadLine()
    while ($null -ne $Linedata) {
        $returndata += @($Linedata)
        $Linedata = $txtboxdata.ReadLine()
    }
    $TextBox.Clear()
    $txtboxdata.Dispose()
    return $returndata
}

# Show a dialog with a multi-line textbox and return the lines typed into it
function Textbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string]$Label,
        [string]$LabelText
    )
    $objForm = New-Object System.Windows.Forms.Form
    $objForm.Text = $Label
    $objForm.Size = New-Object System.Drawing.Size(300,415)
    $objForm.AutoSize = $true
    $objForm.StartPosition = "CenterScreen"
    $objForm.MinimumSize = New-Object System.Drawing.Size(200, 30)
    $objForm.MaximumSize = New-Object System.Drawing.Size(600, 600)
    # GrowOnly is an AutoSizeMode value, not a FormBorderStyle
    $objForm.AutoSizeMode = [System.Windows.Forms.AutoSizeMode]::GrowOnly

    $global:x = @()
    $OKButton = New-Object System.Windows.Forms.Button
    $OKButton.Location = New-Object System.Drawing.Size(45,345)
    $OKButton.Size = New-Object System.Drawing.Size(75,23)
    $OKButton.Text = "OK"
    $OKButton.Add_Click({ $global:x += @(TextToArray -TextBox $objTextBox); $objForm.Close() })
    $objForm.Controls.Add($OKButton)

    $CancelButton = New-Object System.Windows.Forms.Button
    $CancelButton.Location = New-Object System.Drawing.Size(150,345)
    $CancelButton.Size = New-Object System.Drawing.Size(90,23)
    $CancelButton.Text = "Cancel"
    $CancelButton.DialogResult = [System.Windows.Forms.DialogResult]::Cancel
    $objForm.CancelButton = $CancelButton
    $objForm.Controls.Add($CancelButton)

    $objLabel = New-Object System.Windows.Forms.Label
    $objLabel.Location = New-Object System.Drawing.Point(22,20)
    $objLabel.Size = New-Object System.Drawing.Size(280,20)
    $objLabel.Text = $LabelText
    $objForm.Controls.Add($objLabel)

    $objTextBox = New-Object System.Windows.Forms.TextBox
    $objTextBox.Location = New-Object System.Drawing.Size(10,40)
    $objTextBox.Size = New-Object System.Drawing.Size(260,300)
    $objTextBox.Multiline = $true
    $objTextBox.ScrollBars = "Vertical"
    $objForm.Controls.Add($objTextBox)
    $objForm.Topmost = $true
    $objForm.Add_Shown({ $objForm.Activate() })
    $null = $objForm.ShowDialog()
    return $global:x
}
#########
$serverlist = @()
$serverlist += @(Textbox "FGT by Fortigate" "obj. From FGT:")
# Split the entered hosts into reachable and unreachable ones
($online, $offline) = $serverlist.Where({ Test-Connection $_ -Count 1 -Delay 1 -Quiet }, "split")

# CONFIG_30E_u, CONFIG_30D_u, CONFIG_40F_u, CONFIG_40C_t, $netWAN, $netNAME,
# $statusWan1 and $statusWan2 are defined elsewhere in the script (not shown here)
$online.foreach({
    $fs = Connect-FGT $_ -SkipCertificateCheck -DefaultConnection:$false -Timeout 15
    $resalllt = Get-FGTSystemFirmware -connection $fs -name fortios -filter_type contains | Select platform-id
    # Config files are written as UTF-8 without BOM
    $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $false
    switch ($resalllt."platform-id") {
        FGT30E {
            ### many conditions, later the output of the received variables and the generation of the file.
            $MyPath = "Configs\30E\$($netWAN.mode)____FG$($netNAME)__30E.conf"
            $MyFile = (CONFIG_30E_u) -replace "(?m)^\s*`n", ''
            [System.IO.File]::WriteAllLines($MyPath, $MyFile, $Utf8NoBomEncoding)
        }
        FGT30D {
            ### many conditions, later the output of the received variables and the generation of the file.
            $MyPath = "Configs\30D\$($netWAN.mode)____FG$($netNAME)__30D.conf"
            $MyFile = (CONFIG_30D_u) -replace "(?m)^\s*`n", ''
            [System.IO.File]::WriteAllLines($MyPath, $MyFile, $Utf8NoBomEncoding)
        }
        FGT40F {
            ### many conditions, later the output of the received variables and the generation of the file.
            $MyPath = "Configs\40F\$($netWAN.mode)____FG$($netNAME)__40F.conf"
            $MyFile = (CONFIG_40F_u) -replace "(?m)^\s*`n", ''
            [System.IO.File]::WriteAllLines($MyPath, $MyFile, $Utf8NoBomEncoding)
        }
        Default {
            ### many conditions, later the output of the received variables and the generation of the file.
            $MyPath = "Configs\40C\$($statusWan1)-$($statusWan2)____FG$($netNAME)__40C.conf"
            $MyFile = (CONFIG_40C_t) -replace "(?m)^\s*`n", ''
            [System.IO.File]::WriteAllLines($MyPath, $MyFile, $Utf8NoBomEncoding)
        }
    }
    # Disconnect once per device, after the switch (the branches no longer disconnect a second time)
    Disconnect-FGT -connection $fs -confirm:$false
})

$offline.foreach({
    "$_ ***offline***" | Out-File Offline.txt -Append
})

Thanks in advance for your help)
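One way to show progress for a loop like the one above, as an added example that is not part of the original post or of PowerFGT: Write-Progress is updated at each stage of every device, and errors on one device are recorded instead of stopping the run. It assumes PowerFGT is imported, $cred holds the admin credential, and the object returned by Get-FGTMonitorSystemFirmware exposes current."platform-id"; $serverlist is a constructed sample.

```powershell
# Added example, not code from the original post or from PowerFGT. Assumptions: PowerFGT is
# imported, $cred holds the admin credential, and the firmware object exposes
# current."platform-id". The host list below is a constructed sample.
$serverlist = @("192.0.2.10", "192.0.2.11", "192.0.2.12")
$total = $serverlist.Count
$index = 0

$results = foreach ($server in $serverlist) {
    $index++
    $fs = $null
    # Parameters shared by every progress update for this device
    $prog = @{
        Activity        = "Processing FortiGate devices"
        Status          = "$server ($index of $total)"
        PercentComplete = [int](($index - 1) * 100 / $total)
    }
    Write-Progress @prog -CurrentOperation "Checking reachability"
    if (-not (Test-Connection $server -Count 1 -Quiet)) {
        [pscustomobject]@{ Server = $server; State = "offline"; Platform = $null }
        continue
    }
    try {
        Write-Progress @prog -CurrentOperation "Connecting"
        $fs = Connect-FGT $server -Credentials $cred -SkipCertificateCheck -DefaultConnection:$false -Timeout 15
        Write-Progress @prog -CurrentOperation "Reading firmware information"
        $fw = Get-FGTMonitorSystemFirmware -connection $fs
        [pscustomobject]@{ Server = $server; State = "ok"; Platform = $fw.current."platform-id" }
    }
    catch {
        # Keep going with the next device; record the reason instead of stopping the run
        [pscustomobject]@{ Server = $server; State = "error: $($_.Exception.Message)"; Platform = $null }
    }
    finally {
        if ($fs) { Disconnect-FGT -connection $fs -confirm:$false }
    }
}
# Clear the bar once all devices are done, then show what happened on each one
Write-Progress -Activity "Processing FortiGate devices" -Completed
$results | Format-Table -AutoSize
```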

Unable to remove member from group

Hi!!

I'm trying to remove a member from an address group and that doesn't work. I see when verbose mode is enabled that the member I'm trying to remove is not listed, but after the command, it is listed again!!

command used:

`Get-FGTFirewallAddressGroup -name "Windows2008" | Remove-FGTFirewallAddressGroupMember -verbose -member $Inputmachine`

Output: 
`COMMENTAIRES : {
    "member":  {
                   "name":  "04chrtr00035.04trvr08.reg04.rtss.qc.ca_fqdn"
               }
}
COMMENTAIRES : PUT https://10.38.220.221/api/v2/cmdb/firewall/addrgrp/Windows 2008?&vdom=WAN with -1-byte payload
COMMENTAIRES : received 278-byte response of content type application/json
COMMENTAIRES : GET https://10.38.220.221/api/v2/cmdb/firewall/addrgrp?&vdom=WAN&filter=name==Windows 2008 with 0-byte payload
COMMENTAIRES : received 798-byte response of content type application/json

name          : Windows 2008
q_origin_key  : Windows 2008
uuid          : d5539d2c-621e-51ea-61ad-45d8d89f136d
member        : {@{name=04chrtr00035.04trvr08.reg04.rtss.qc.ca_fqdn; q_origin_key=04chrtr00035.04trvr08.reg04.rtss.qc.ca_fqdn}, @{name=mcq04000389; q_origin_key=mcq04000389}}
comment       : 
visibility    : enable
color         : 0
tags          : {}
allow-routing : disable`

Pascal

problem with Add-FgtFirewallVip and UDP

I've been trying to add a VIP for a UDP port, and don't get an error but the VIP is always created with TCP instead. Has anyone else tried / tested this?

These two statements are part of a script I am using to create these; as you can see, they're identical in parameters except the -protocol option (I do manipulate the VIP name in $prtname and the $mappedport and $extport items so they're unique)

Add-FGTFirewallVip -connection $conn[0] -vdom root -type static-nat -name $prtname `
    -extip $ext_ip -mappedip $mappedip -mappedport $mappedport `
    -comment "Printer for client $($prt.client)" -portforward -protocol UDP -extport $extport 

Add-FGTFirewallVip -connection $conn[0] -vdom root -type static-nat -name $prtname `
    -extip $ext_ip -mappedip $mappedip -mappedport $mappedport `
    -comment "Printer for client $($prt.client)" -portforward -protocol TCP -extport $extport 

When I execute them, the first one is correct except for it being a TCP not UDP VIP, and the second is always fine.

I can't see any recent activity in vip.ps1 that looks relevant, and the version I have running was loaded at the beginning of the year in my initial 0.4.1 load.

Any thoughts, anyone else used it and had different results?

Move-FGTFirewallPolicy function problem

Hello, there is a problem with the "Move-FGTFirewallPolicy" function.

If no default connection is specified, the function returns an error when calling the last command "Get-FGTFirewallPolicy -policyid $policy.policyid" inside the function.

Can you add "-connection $connection" at the end of that line?

Thanks.

Regards.

Error connecting with v0.5.0

When trying to connect with v0.5.0 I got the following error:

PS C:\scripts\> Connect-FGT -Server xxx.xxx.xxx.xxx -SkipCertificateCheck -Username xxx -Password $pass
Unable to found CSRF Cookie
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.1\Public\Connection.ps1:161 char:13
+             throw "Unable to found CSRF Cookie"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Unable to found CSRF Cookie:String) [], RuntimeException
    + FullyQualifiedErrorId : Unable to found CSRF Cookie

I made sure to uninstall the old v0.4.1 module but still the error is there.

Upgrade Path

Hi,

Here's a little function I wrote to compute the upgrade path.

Function Get-FirmwareUpdate {
    # Installed firmware and the newest available one (first entry of "available")
    $firmware = Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware
    $FortiOS  = $firmware.results.current
    $Update   = $firmware.results.available | Select-Object -First 1
    if ($Update) {
        # Compare the version strings, not the objects (object comparison is never equal)
        if ($FortiOS.version -eq $Update.version) {
            # Firmware is up to date
            [pscustomobject]@{
                "Installed" = $FortiOS.version
                "Available" = $Update.version
            }
        }
        else {
            # Firmware is not up to date: follow upgrade-paths hop by hop from the
            # installed version until the newest available version is reached
            $major       = $FortiOS.major
            $minor       = $FortiOS.minor
            $patch       = $FortiOS.patch
            $upgradePath = "v$($major).$($minor).$($patch)"
            $paths = Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware/upgrade-paths | Select-Object -ExpandProperty results
            Do {
                $nextFirmware = $paths | Where-Object { $_.from.major -eq $major -and $_.from.minor -eq $minor -and $_.from.patch -eq $patch } | Select-Object -First 1
                if (-not $nextFirmware) {
                    # No further hop known: stop instead of looping forever
                    $upgradePath = $upgradePath + " -> (no upgrade path found)"
                    break
                }
                $major       = $nextFirmware.to.major
                $minor       = $nextFirmware.to.minor
                $patch       = $nextFirmware.to.patch
                $upgradePath = $upgradePath + " -> v$($major).$($minor).$($patch)"
            } Until ($major -eq $Update.major -and $minor -eq $Update.minor -and $patch -eq $Update.patch)
            [pscustomobject]@{
                "Installed"    = $FortiOS.version
                "Available"    = $Update.version
                "Upgrade Path" = $upgradePath
            }
        }
    }
    else {
        # No firmware available (support expired)
        [pscustomobject]@{
            "Installed" = $FortiOS.version
            "Available" = "N/A"
        }
    }
}
Get-FirmwareUpdate

Installed Available Upgrade Path
--------- --------- ------------
v6.0.13   v7.0.5    v6.0.13 -> v6.2.10 -> v6.4.8 -> v7.0.5

Failure to connect when post-login-banner is configured

Tested with various firmware releases (v6.0.8 through 6.4.4), Connect-FGT fails if a post-login-banner is configured.

PowerFGT version 0.5.0

Unable to found FGT version
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.5.0\Public\Connection.ps1:176 char:13
+             throw "Unable to found FGT version"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Unable to found FGT version:String) [], RuntimeException
    + FullyQualifiedErrorId : Unable to found FGT version

If the post-login-banner is removed, login works as expected:

config system global
set post-login-banner disable

Zone: Add description field

With FortiGate 6.2.x, there is also a description (comment) field.

It needs to be added to the Add/Set System Zone cmdlets.

Issue for delete the member of the Policy

Hi,

When I use your module to manage the policy of the Fortinet, I have noticed that when I launch the Remove-FGTFirewallPolicyMember command, the command is executed without error but the action isn't applied.

Also, I have a second question about managing the sequence of the policy rules. Can the module manage the sequence of the policy rules?

Thanks in advance for your response

Regards,

Add Timeout Functionality to Connect-FGT

Loving this Module so far!

Running into an issue where a few clients will not connect and Connect-FGT will not time out.

It looks like the Invoke-WebRequest in "Connection.ps1" on line 135 needs a -timeout added and parameterized with a default.

The default timeout of Invoke-WebRequest seems to be over 5+ minutes.

VMware.VimAutomation.Common is required to use module

Hi,

When importing the module the first time, you will get the following error:

C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.0\PowerFGT.psm1 : Failed to import function C:\Program
Files\WindowsPowerShell\Modules\PowerFGT\0.4.0\Public\Deploy.ps1: Das Skript "Deploy.ps1" kann nicht ausgeführt
werden, da die folgenden in den "#requires"-Anweisungen des Skripts angegebenen Module fehlen:
VMware.VimAutomation.Common.
In Zeile:1 Zeichen:1

+ Import-Module PowerFGT
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,PowerFGT.psm1

This can be solved by installing this missing module using:
Install-Module VMware.VimAutomation.Common

Maybe this can be fixed on initial Module installation.

Best Regards
Gerald Gaugusch

Unable to concatenate -srcip and -dstip in the Get-FGTLogTraffic function.

working command:

Get-FGTLogTraffic -vdom FW-ASL8 -type fortianalyzer -subtype forward -dstip 8.8.8.8 -rows 10 -since 1h | select srcip, dstip, dstport, proto, date, time, action | Format-Table

srcip         dstip   dstport proto date       time     action
-----         -----   ------- ----- ----       ----     ------
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:41:56 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:41:49 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:41:40 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:41:17 accept
172.23.100.31 8.8.8.8      53    17 2023-12-04 09:40:58 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:40:40 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:40:40 dns
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:40:28 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:39:35 accept
172.23.100.21 8.8.8.8      53    17 2023-12-04 09:39:23 accept


not working command:

Get-FGTLogTraffic -vdom FW-ASL8 -type fortianalyzer -subtype forward -srcip 172.23.100.21 -dstip 8.8.8.8 -rows 10 -since 1h | select srcip, dstip, dstport, proto, date, time, action | Format-Table

Get-FGTLogTraffic: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.


Am I doing something wrong or is this how it's supposed to work?

In any case, is it possible to concatenate the source address and destination address on the Get-FGTLogTraffic function?

Is it possible to define networks? (e.g. 10.0.0.1/24)

Thank you in advance for your valuable support.

Add Add/Set/Remove cmdlet for Firewall VIP/VIPGRP/AddressGroup

One of the most common things that I have to do that I'd love to script is to add a new IP address, then add that as a member to an addressgroup. When do you think we might see SET-* and ADD-* capabilities ?

As a side question, I'm still digging in to the capabilities, but wondered is there an easy way to pipeline entries from the member list of an address group to get the address values? Here's a hypothetical example of what I'm talking about:

(Get-FGTFirewallAddressgroup -connection $FG -vdom root | where name -like "MySpecialGroup").member | Get-FGTFirewallAddress

Filtering on interface properties

I am trying to retrieve all interfaces belonging to a certain VDOM:

`$SourceInterfaces = Get-FGTSystemInterface -connection $SourceConnection -filter_attribute vdom -filter_type equal -filter_value $SourceVDOM`  

But this doesn't seem to work.

Question about use Remove-FGTFirewallPolicy

Hi

I have a question about the cmdlet Remove-FGTFirewallPolicy: is it possible to use Remove-FGTFirewallPolicy directly with the name parameter, or must we use Get-FGTFirewallPolicy -name XXX | Remove-FGTFirewallPolicy?

Thanks in advance

Regards,

Error when using "-since" option with Get-FGTLogTraffic command

Powershell version: 5.1 and 7.3.7
Fortigate version: 7.0.12

Example without "-since" parameter:

PS Z:\FortiACL> Get-FGTLogTraffic -vdom XXXXXX -type fortianalyzer -subtype forward -policyid XXXX -rows 1 | select srcip, dstip, dstport, proto | Format-Table

srcip   dstip   dstport proto
-----   -----   ------- -----
x.x.x.x x.x.x.x 49155   6

Error with "-since" parameter:

PS Z:\FortiACL> Get-FGTLogTraffic -vdom XXXXX -type fortianalyzer -subtype forward -policyid XXXX -since 1h -rows 1 | select srcip, dstip, dstport, proto | Format-Table
InvalidArgument: C:\Users\user\Documents\PowerShell\Modules\PowerFGT\0.7.0\Public\log\traffic.ps1:189
Line |
189 | $filter_value += "&filter=" + $filter
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot convert value "&filter=_metadata.timestamp>=1695801386405" to type "System.Int32". Error: "The input
| string '&filter=_metadata.timestamp>=1695801386405' was not in a correct format."

srcip   dstip   dstport proto
-----   -----   ------- -----
x.x.x.x x.x.x.x 49155   6

OT:
If I use "-type memory" or "-type disk" I always receive empty output.
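As an added example (not PowerFGT code, and not posted by the authors of this issue or of the srcip/dstip issue above), here is how to build the log query by hand and call it through Invoke-FGTRestMethod, so that source, destination, policy id and a time window can all be combined in one request, with the network match the earlier issue asked about done client-side. It assumes, without confirmation from either thread, that the log path is api/v2/log/<type>/traffic/<subtype>, that repeated &filter= parameters are AND-ed by FortiOS with the operators ==, !=, =@, >= and <=, that _metadata.timestamp is Unix milliseconds (as the error message above suggests), and that $Connection comes from Connect-FGT.

```powershell
# Added example, not part of PowerFGT. Assumptions are listed in the lead-in.
function New-FGTLogQuery {
    param(
        [string]$srcip,
        [string]$dstip,
        [int]$policyid,
        [timespan]$since,          # e.g. (New-TimeSpan -Hours 1)
        [int]$rows = 100,
        [string]$vdom
    )
    # keep every filter as a string from the start: the module error above came from
    # appending "&filter=" to a variable that still held the [int] policy id
    $filters = [System.Collections.Generic.List[string]]::new()
    if ($srcip) { $filters.Add("srcip==$srcip") }
    if ($dstip) { $filters.Add("dstip==$dstip") }
    if ($PSBoundParameters.ContainsKey('policyid')) { $filters.Add("policyid==$policyid") }
    if ($PSBoundParameters.ContainsKey('since')) {
        $sinceMs = [DateTimeOffset]::UtcNow.Subtract($since).ToUnixTimeMilliseconds()
        $filters.Add("_metadata.timestamp>=$sinceMs")
    }
    $parts = @("rows=$rows")
    if ($vdom) { $parts += "vdom=$vdom" }
    # one &filter= parameter per expression, URL-encoded so '>=' and '@' survive the trip
    foreach ($f in $filters) { $parts += 'filter=' + [uri]::EscapeDataString($f) }
    return ($parts -join '&')
}

function Test-IPInNetwork {
    # IPv4 only: true when the first <prefix> bits of $ip equal those of the network in $cidr
    param([string]$ip, [string]$cidr)   # $cidr like '10.0.0.0/24'
    if (-not $ip) { return $false }
    $net, $prefix = $cidr -split '/'
    $prefix = [int]$prefix
    $a = [ipaddress]::Parse($ip).GetAddressBytes()
    $b = [ipaddress]::Parse($net).GetAddressBytes()
    if ($a.Length -ne 4 -or $b.Length -ne 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Min(8, $prefix - 8 * $i)      # prefix bits that fall into this octet
        if ($bits -le 0) { break }
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($b[$i] -band $mask)) { return $false }
    }
    return $true
}

# server side: exact source, policy and the last hour; client side: the destination network
# (this example does not rely on the filter syntax understanding CIDR notation)
$query = New-FGTLogQuery -srcip '172.23.100.21' -since (New-TimeSpan -Hours 1) -rows 200 -vdom 'FW-ASL8'
$logs  = (Invoke-FGTRestMethod -method 'get' -uri "api/v2/log/fortianalyzer/traffic/forward?$query" -connection $Connection).results
$logs | Where-Object { Test-IPInNetwork -ip $_.dstip -cidr '8.8.8.0/24' } |
    Select-Object srcip, dstip, dstport, proto, date, time, action | Format-Table
```

Because the network match happens after the fetch, -rows bounds how much of the window you actually see; push every exact-match condition into the filter string and keep only the CIDR test client-side.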

Get IPsec vpn phase1 PSK

Good day.
I am interested in the ability to extract the password from phase 1 of the tunnel, even if it is encrypted, in a form such as
psksecret ENC ppDZlb3tJGNOcQqwi7O8ER/eOA2iYkzgfxWtDVkOZPnctdgBrJ7+F/QhwYnYt+J6YR

$mysecpassword = ConvertTo-SecureString "testtss" -AsPlainText -Force
#$fw3 = Connect-FGT 192.168.1.99 -Username admin -Password $mysecpassword -SkipCertificateCheck -DefaultConnection:$false
<# Splatting -name: if I want to query more than one interface name, I had to do it like this. #>
# each hashtable is splatted as -name <value>; the key must be the full parameter name
$names = @(@{name = "tunnel1"}, @{name = "tunnel2"}, @{name = "tunnel3"}, @{name = "tunnel4"})
foreach ($nam in $names) {
    # -filter_type contains turns the -name value into a substring match
    Get-FGTVpnIpsecPhase1Interface -connection $fw3 @nam -filter_type contains | Select-Object mode, name, psksecret
}

mode       name    psksecret
----       ----    ---------
aggressive tunnel1 ENC XXXX
aggressive tunnel2 ENC XXXX
aggressive tunnel3 ENC XXXX
aggressive tunnel4 ENC XXXX

As a result, the passwords I get in the output are
))) XXXX !!! What...
I leafed through the API, but I could not figure out how to pull the values in their normal form. Without decryption; that is not important to me.

I ask you to suggest any options. Yes, via SSH it shows. Why then does it not work here?

Backup config isn't working

Hi Alexis,

Found a bug in Get-FGTMonitorSystemConfigBackup: this function isn't working.
It returns $response.results but it should return $response.

Also fixed in PR #177
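As an added example (not PowerFGT code, and not from the author of this issue or of the PSK issue above), the configuration backup that Get-FGTMonitorSystemConfigBackup wraps is one place where the phase1 psksecret appears as its ENC blob rather than as the masked "ENC XXXX" the cmdb endpoint returns. The block below fetches the backup through Invoke-FGTRestMethod and parses the phase1-interface section. It assumes the backup endpoint is api/v2/monitor/system/config/backup?scope=vdom&vdom=<name> (scope=global for the whole unit), that Invoke-FGTRestMethod hands back the response text for a non-JSON reply, that $Connection comes from Connect-FGT, and that a backup omits default settings (so an entry without "set mode" is main mode).

```powershell
# Added example, not part of PowerFGT. Assumptions are listed in the lead-in.
function Get-Phase1PskFromBackup {
    param([Parameter(Mandatory)][string]$Config)   # text of a FortiOS configuration backup
    $inSection = $false
    $depth = 0
    $current = $null
    foreach ($line in $Config -split "`r?`n") {
        $t = $line.Trim()
        if (-not $inSection) {
            if ($t -eq 'config vpn ipsec phase1-interface') { $inSection = $true; $depth = 1 }
            continue
        }
        if ($t -like 'config *') { $depth++; continue }                 # sub-table inside an entry
        if ($t -eq 'end') { $depth--; if ($depth -eq 0) { break }; continue }
        if ($depth -ne 1) { continue }                                  # skip lines of nested sub-tables
        if ($t -match '^edit "(.*)"$') {
            # assumed default: a backup without "set mode" means main mode
            $current = [pscustomobject]@{ name = $Matches[1]; mode = 'main'; psksecret = $null }
            continue
        }
        if (-not $current) { continue }
        if ($t -match '^set mode (\S+)$')     { $current.mode = $Matches[1]; continue }
        if ($t -match '^set psksecret (.+)$') { $current.psksecret = $Matches[1]; continue }
        if ($t -eq 'next') { $current; $current = $null }               # emit the finished entry
    }
}

# constructed sample so the parser can be tried offline (the blob is the one quoted in the PSK issue)
$sample = @'
config vpn ipsec phase1-interface
    edit "tunnel1"
        set interface "wan1"
        set mode aggressive
        set psksecret ENC ppDZlb3tJGNOcQqwi7O8ER/eOA2iYkzgfxWtDVkOZPnctdgBrJ7+F/QhwYnYt+J6YR
    next
    edit "tunnel2"
        set psksecret ENC AAAA
    next
end
'@
Get-Phase1PskFromBackup -Config $sample | Format-Table mode, name, psksecret

# against a live unit (assumed endpoint, see lead-in)
$raw = Invoke-FGTRestMethod -method 'get' -uri 'api/v2/monitor/system/config/backup?scope=vdom&vdom=root' -connection $Connection
Get-Phase1PskFromBackup -Config ([string]$raw) | Format-Table mode, name, psksecret
```

The ENC value is device-bound ciphertext, not the PSK itself, but the backup it comes from holds every secret on the unit: an account whose profile allows config backup effectively has all of them, so restrict that profile and treat the downloaded text like a credential store.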

IPv6 support

Will you be implementing IPv6 support on all current GET/ADD/SET/REMOVE methods?

Add access_token support

From FortiOS 5.6, it is possible to use a token for access to the API,

but you need to specify Trusted Hosts (and 0.0.0.0/0 is not allowed...)

There is also an API Call to generate token
POST /api/v2/monitor/system/api-user/generate-key?vdom=root
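As an added example (not PowerFGT code), the two halves of token-based access described in this issue: an admin session generating a key for an existing api-user, then API calls that present that key instead of a password. It assumes that the admin login is a POST to /logincheck and that the ccsrftoken* cookie it sets is sent back as an X-CSRFTOKEN header, that generate-key takes the body {"api-user": "<name>"} and returns results.access_token, that FortiOS accepts the token in an "Authorization: Bearer" header, that the api-user's trusted hosts include the machine running this, and PowerShell 7 (for -SkipCertificateCheck).

```powershell
# Added example, not part of PowerFGT. Assumptions are listed in the lead-in.
function Connect-FGTAdminSession {
    param([string]$Fgt, [string]$Username, [securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $r = Invoke-WebRequest -Uri "https://$Fgt/logincheck" -Method Post -SessionVariable ws `
         -Body @{ username = $Username; secretkey = $plain; ajax = 1 } -SkipCertificateCheck
    if ($r.Content -notmatch '^1') { throw "login to $Fgt failed" }
    # the CSRF token comes back as a quoted cookie value whose name starts with ccsrftoken
    $cookie = $ws.Cookies.GetCookies("https://$Fgt") | Where-Object Name -like 'ccsrftoken*' | Select-Object -First 1
    if (-not $cookie) { throw 'no CSRF cookie in the login response' }
    return @{ Fgt = $Fgt; Session = $ws; Csrf = $cookie.Value.Trim('"') }
}

function New-FGTApiToken {
    param($Login, [string]$ApiUser, [string]$Vdom = 'root')
    $r = Invoke-RestMethod -Uri "https://$($Login.Fgt)/api/v2/monitor/system/api-user/generate-key?vdom=$Vdom" `
         -Method Post -WebSession $Login.Session -Headers @{ 'X-CSRFTOKEN' = $Login.Csrf } `
         -ContentType 'application/json' -Body (@{ 'api-user' = $ApiUser } | ConvertTo-Json) -SkipCertificateCheck
    # the key is shown exactly once; keep it as a SecureString so it stays out of transcripts and history
    return ConvertTo-SecureString $r.results.access_token -AsPlainText -Force
}

function Invoke-FGTTokenRequest {
    param([string]$Fgt, [securestring]$Token, [string]$Uri, [string]$Method = 'GET', $Body)
    $plain = [System.Net.NetworkCredential]::new('', $Token).Password
    # Bearer header rather than ?access_token=...: query strings end up in proxy and web-server logs
    $p = @{ Uri = "https://$Fgt/$Uri"; Method = $Method; Headers = @{ Authorization = "Bearer $plain" }; SkipCertificateCheck = $true }
    if ($null -ne $Body) { $p.Body = ($Body | ConvertTo-Json -Depth 5); $p.ContentType = 'application/json' }
    Invoke-RestMethod @p
}

# one-time key generation with admin credentials; every call after that uses only the token
$login = Connect-FGTAdminSession -Fgt '192.168.1.99' -Username 'admin' -Password (Read-Host -AsSecureString 'admin password')
$token = New-FGTApiToken -Login $login -ApiUser 'powerfgt'
(Invoke-FGTTokenRequest -Fgt '192.168.1.99' -Token $token -Uri 'api/v2/cmdb/firewall/address?vdom=root').results |
    Select-Object name, subnet | Format-Table
```

The trusted-hosts requirement the issue mentions is the control that makes a leaked token less useful: a key copied off a script host still only works from the addresses listed on the api-user, so scope those entries to the automation host rather than to a whole management subnet.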
