Comments (15)
for the second question, it's possible to do the following but requires breaking out the input names with a foreach - many PS modules will handle this internally (I'd prefer SET- than this though :) )
(Get-FGTFirewallAddressgroup -connection $FG -vdom root | where name -like "MySpecialGroup").member.name|%{ Get-FGTFirewallAddress -vdom root -connection $FG -name $_}
from powerfgt.
Hi @poundy
Welcome to PowerFGT!
I'm busy with some other module actually...
For the first question, there is already an Add-FGTAddress cmdlet to add an address, and it will not be too complicated to add a member to an addressgroup. Do you need anything else?
For the second question, better filtering is planned (using the API directly);
it will "fix" your where name -like "MySpecialGroup".
Is there anything else?
from powerfgt.
The whole Quartet please :)
VIP
VIPGRP
ADDRESS
ADDRESSGRP
I'm often in "append" mode - so much so that I wrote a PowerShell text substitution script to create my standard named members, append them to a group, and add a policy. Oh yeah, I need the whole Quintuple, policies too please :)
here's example of one of the "shell" substitution tables I use
config firewall address
edit "H_%vmIPAddress%"
set associated-interface port1
set subnet %vmIPAddress% 255.255.255.255
set comment "%ClientCode% Svr"
next
edit "S_%ClientCode%_%ClientSite%"
set associated-interface wan1
set subnet %clientSiteIPAddress% 255.255.255.255
set comment "%ClientCode% %ClientSite% Office"
next
end
config firewall addrgrp
edit "EIP_%ClientCode%_Sites"
append member "S_%ClientCode%_%ClientSite%"
set comment "%ClientCode% Sites"
next
edit "%ClientCode%_Servers"
append member "H_%vmIPAddress%"
set comment "%ClientCode% Servers"
next
edit _IP_Hosts
append member "%ClientCode%_Servers"
next
end
config firewall policy
edit %PolicyNum%
set name "%ClientCode%_Printing"
set srcintf port1
set dstintf wan1
set srcaddr "%ClientCode%_Servers"
set dstaddr "EIP_%ClientCode%_Sites"
set action accept
set schedule always
set service "Port_Printing-9100-9130" "Port_Printing-11160-11190"
set nat enable
set ippool enable
set poolname "Outbound NAT default"
set fsso disable
set comment "%ClientCode% printing to Client Sites"
next
end
from powerfgt.
What I have done with this above powershell is what I'd prefer to directly do via PowerFGT if possible - take minimal input and then add all the components together. That's what I see that any programmatic driven access to the device should strive to do - make it simple to do the simple and repeatable tasks that you need to do frequently so you get a return on improving the process. Infrequently performed tasks are in my view less important to me to expose programmatically, because I am likely to have developed a detailed implementation plan around that and not going to worry about a few CLI commands versus a single powershell command instead. But the big things, I want to cut out manual errors and streamline the job and PS is the go to.
So in the above example I'd want to do an Add-FGTFirewallAddress followed by Get-FGTFirewallAddressGrp | {something to add-member}. Therein lies one of the complexities in multi-value elements like Member...
I'm no powershell architect, but a process like Get-FGTFirewallAddressGroup | Append-FGTMember $SavedNewAddress might work?
from powerfgt.
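The `%Name%` substitution template posted earlier in this thread, as an added example that is not part of the original comments or of PowerFGT: a renderer that rejects values able to break out of a quoted CLI string and refuses to emit a config with placeholders left unfilled. The function name, its parameters and the sample values are assumptions made for illustration.

```powershell
# Added example: renders a FortiOS CLI template that uses %Name% placeholders.
# Expand-FgtTemplate, its parameters and the sample values are constructed here.
function Expand-FgtTemplate {
    param(
        [Parameter(Mandatory)] [string]    $Template,
        [Parameter(Mandatory)] [hashtable] $Values
    )
    foreach ($key in $Values.Keys) {
        $value = [string]$Values[$key]
        if ($key -like '*IPAddress') {
            # Values used in "set subnet" must be dotted-quad IPv4, octets 0-255
            $ip = $null
            if ($value -notmatch '\A(\d{1,3}\.){3}\d{1,3}\z' -or
                -not [System.Net.IPAddress]::TryParse($value, [ref]$ip)) {
                throw "Value for %$key% is not an IPv4 address: '$value'"
            }
        }
        elseif ($value -notmatch '\A[A-Za-z0-9_-]+\z') {
            # No quotes, spaces or newlines, so a value cannot close a quoted
            # string or start another CLI line (\z also rejects a trailing newline)
            throw "Value for %$key% contains characters outside [A-Za-z0-9_-]"
        }
    }
    # Refuse to render if the template references a placeholder with no value
    $missing = [regex]::Matches($Template, '%(\w+)%') |
        ForEach-Object { $_.Groups[1].Value } |
        Where-Object { -not $Values.ContainsKey($_) } |
        Select-Object -Unique
    if ($missing) { throw "No value supplied for: $($missing -join ', ')" }
    # A match evaluator inserts values literally (no $1-style substitution)
    [regex]::Replace($Template, '%(\w+)%', { param($m) [string]$Values[$m.Groups[1].Value] })
}

# Constructed sample: one stanza of the template with made-up values
$template = @'
config firewall address
edit "H_%vmIPAddress%"
set subnet %vmIPAddress% 255.255.255.255
set comment "%ClientCode% Svr"
next
end
'@
Expand-FgtTemplate -Template $template -Values @{ vmIPAddress = '192.0.2.10'; ClientCode = 'ACME' }
```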
Hi poundy,
What I have done with this above powershell is what I'd prefer to directly do via PowerFGT if possible - take minimal input and then add all the components together. That's what I see that any programmatic driven access to the device should strive to do - make it simple to do the simple and repeatable tasks that you need to do frequently so you get a return on improving the process. Infrequently performed tasks are in my view less important to me to expose programmatically, because I am likely to have developed a detailed implementation plan around that and not going to worry about a few CLI commands versus a single powershell command instead. But the big things, I want to cut out manual errors and streamline the job and PS is the go to.
Yes, that is my idea too, but I need time to make this...
So in the above example I'd want to do an Add-FGTFirewallAddress followed by Get-FGTFirewallAddressGrp | {something to add-member}. Therein lies one of the complexities in multi-value elements like Member...
Yes, it will be possible
I'm no powershell architect, but a process like Get-FGTFirewallAddressGroup | Append-FGTMember $SavedNewAddress might work?
There is no Append verb in PowerShell ;-) but it will be possible,
and I'm not against a little help (I can explain how to do this with the API).
from powerfgt.
OK, sleeves rolled up... not sure how helpful I'll be, but I'll take a stab. I've looked at the code a bit, and think I'll look at VIPs first, to support ADD/SET. I however think I might need some hand holding in actually converting from a code change into something I can test/use, so any guidance there would be massively appreciated :) I have a server that is in use by others that has 0.3.0 currently installed, and ideally would be able to coexist on that (but understand that may not be possible). Then I'll start breaking into the code more and replicating the approach *-FGTFirewallAddress etc does.
from powerfgt.
I'm starting to work on VIP and addrgrp; I will push a PR soon (next day).
from powerfgt.
Abort!
;-)
NP I will get back to figuring out a dev/test process that works for me :)
from powerfgt.
Hi @poundy,
I pushed a first PR with Add/Remove Virtual IP (#54), can you try it? If needed, you can send me an e-mail (my e-mail address is at the top of the ps1 file).
from powerfgt.
I have seen your two PRs but haven't had a chance to deal with it yet or figure out how best for me to test things :) Other priorities right now :(
from powerfgt.
Hi @poundy
No problem, it needs more work (on the filtering stuff) and I hope to release a version by the end of the year...
For VIP, do you need to be able to configure the port?
I think VIPGRP will wait for the next release...
For Add / Change / Remove policy, we will see (it needs some work to support all cases and options...), but for a basic policy, we can use Invoke-FGTRestMethod.
from powerfgt.
I am working on adding (and removing) policy rules (#65), and there will be a new release with VIP and AddressGroup Add/Remove/Set support.
I hope it will be available by the end of the year.
from powerfgt.
Hello, PowerFGT 0.4.0 is available!
here's example of one of the "shell" substitution tables I use
config firewall address
edit "H_%vmIPAddress%"
set associated-interface port1
set subnet %vmIPAddress% 255.255.255.255
set comment "%ClientCode% Svr"
next
edit "S_%ClientCode%_%ClientSite%"
set associated-interface wan1
set subnet %clientSiteIPAddress% 255.255.255.255
set comment "%ClientCode% %ClientSite% Office"
next
end
Look at Add-FGTFirewallAddress (already exists in 0.3.0!)
config firewall addrgrp
edit "EIP_%ClientCode%_Sites"
append member "S_%ClientCode%_%ClientSite%"
set comment "%ClientCode% Sites"
next
edit "%ClientCode%_Servers"
append member "H_%vmIPAddress%"
set comment "%ClientCode% Servers"
next
edit _IP_Hosts
append member "%ClientCode%_Servers"
next
end
Look at Add-FGTFirewallAddressGroup and Add-FGTFirewallAddressMember
config firewall policy
edit %PolicyNum%
set name "%ClientCode%_Printing"
set srcintf port1
set dstintf wan1
set srcaddr "%ClientCode%_Servers"
set dstaddr "EIP_%ClientCode%_Sites"
set action accept
set schedule always
set service "Port_Printing-9100-9130" "Port_Printing-11160-11190"
set nat enable
set ippool enable
set poolname "Outbound NAT default"
set fsso disable
set comment "%ClientCode% printing to Client Sites"
next
end
Look at Add-FGTFirewallPolicy
from powerfgt.
Thanks for the update ! Sorry I didn't get a chance to assist in the testing - I was struggling to get time to do anything firewall in my day-job before the holidays, and now I'm on leave so there's even less time ;-)
Am still yet to find a good guide to set up a decent dev environment to allow editing of this project, but that's a separate issue to this :)
from powerfgt.
Hi @poundy
No problem! Have a good holiday! (I will also take some days off too)
For the dev env, it is "easy": fork this project and git clone your repo, then go to the PowerFGT folder and use import-module ./PowerFGT (you can use -force).
I will maybe add a note to the README about this.
from powerfgt.