Wednesday, November 14, 2012

Fortigate Firewall cfg script to speed up the configuration

I had a challenge with quickly producing a range of firewall policies, addresses and IP pools, so I want to share the script generator I used.

Let's say, for example, that you needed to map the following range of hosts to a public NAT range:

{ 10-90  //  209.23.XXX/XXX/24  10-90 }

Doing this one line at a time could take forever. :(

So a script can be used that crafts the range. In these examples, I first generate the firewall IP pool entries:

echo "config firewall ippool"
for ((a=100; a <= 149 ; a++)); do
    # pool name and address follow the poolname used in the policy block below
    echo "edit \"192.204.1.$a\""
    echo "set startip 192.204.1.$a"
    echo "set endip 192.204.1.$a"
    echo "next"
done
echo "end"

Next, I add address entries for my inside host range:

echo "config firewall address"
for (( b=10; b <= 90 ; b++)); do
    echo "edit \"internal-server-01-$b\""
    echo "set subnet 10.1.101.$b 255.255.255.255"   # one /32 object per host
    echo "next"
done
echo "end"

And lastly, I generate my firewall policies:

echo "config firewall policy"
for ((a=100; a <= 149 ; a++)); do
    echo "edit 0"
    echo "set srcintf \"WEBNETWORK-DMZ\""
    echo "set dstintf \"EXTERNAT-OUTSIDE\""
    # NOTE: the address loop above creates internal-server-01-10 .. -90; keep the
    # two ranges aligned, or the firewall will reject the srcaddr reference
    echo "set srcaddr \"internal-server-01-$a\""
    echo "set dstaddr \"all\""
    echo "set action accept"
    echo "set schedule \"always\""
    echo "set service \"ANY\""
    echo "set comments \"1n1 SNAT something with starting address 10:10\""
    echo "set nat enable"
    echo "set ippool enable"
    echo "set poolname \"192.204.1.$a\""
    echo "next"
done
echo "end"

Now we build the cfgs and copy them into the firewall, or use the batch cfg upload. This script can be used for a host of other profiles and/or applications. So hack around with it; it's a start if you need multiple repetitive ranges of the exact same item.
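As an added example (not the script from the original post), here is a single generator in which one host range drives the ippool, address and policy stanzas together, plus a pre-load check that counts policies referencing an address or pool that was never defined. The host subnet 10.1.101.x, the pool mapping 192.204.1.(base + h - first), and the object names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). One host range drives the ippool,
# address and policy stanzas, so every srcaddr/poolname a policy names exists.
# Constructed values: inside hosts 10.1.101.$h, pool IP 192.204.1.$((base+h-first)).
range() { i=$1; while [ "$i" -le "$2" ]; do echo "$i"; i=$((i + 1)); done; }
emit_pools() {   # $1=first host  $2=last host  $3=first pool octet
    echo "config firewall ippool"
    for h in $(range "$1" "$2"); do
        p=$(($3 + h - $1))                       # 1:1 SNAT: one public IP per host
        [ "$p" -le 254 ] || { echo "pool octet $p exceeds the /24" >&2; return 1; }
        echo "    edit \"pool-192.204.1.$p\""
        echo "        set startip 192.204.1.$p"
        echo "        set endip 192.204.1.$p"
        echo "    next"
    done
    echo "end"
}
emit_addrs() {   # $1=first host  $2=last host
    echo "config firewall address"
    for h in $(range "$1" "$2"); do
        echo "    edit \"internal-server-01-$h\""
        echo "        set subnet 10.1.101.$h 255.255.255.255"
        echo "    next"
    done
    echo "end"
}
emit_policies() {   # same arguments as emit_pools
    echo "config firewall policy"
    for h in $(range "$1" "$2"); do
        echo "    edit 0"
        echo "        set srcintf \"WEBNETWORK-DMZ\""
        echo "        set dstintf \"EXTERNAT-OUTSIDE\""
        echo "        set srcaddr \"internal-server-01-$h\""
        echo "        set dstaddr \"all\""
        echo "        set action accept"
        echo "        set schedule \"always\""
        echo "        set service \"ANY\""
        echo "        set nat enable"
        echo "        set ippool enable"
        echo "        set poolname \"pool-192.204.1.$(($3 + h - $1))\""
        echo "    next"
    done
    echo "end"
}
gen_cfg() { emit_pools "$@" && emit_addrs "$1" "$2" && emit_policies "$@"; }
# Pre-load check: count srcaddr/poolname references with no matching edit stanza.
dangling_refs() {
    gen_cfg "$@" | awk '/^    edit "/ { gsub(/"/, "", $2); def[$2] = 1 }
        /set (srcaddr|poolname) / { gsub(/"/, "", $3); ref[$3] = 1 }
        END { n = 0; for (r in ref) if (!(r in def)) n++; print n }'
}
```

Run `gen_cfg 10 90 100 > fw.cfg` to produce the file, and confirm `dangling_refs 10 90 100` prints 0 before loading it; a pool base that pushes the last octet past 254 makes the generator stop with an error instead of emitting an invalid address.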

Ken Felix
