Wednesday, November 14, 2012

Fortigate Firewall cfg script to speed up the configuration

I had a challenge with quickly producing a range of firewall policies, address objects and IP pools, so I want to share the script generator I used.

Let's say, for example, that you need to give the following range of inside hosts a public NAT range, one public address per host:

{10.1.10.0/24    10-90 //  209.23.XXX/XXX/24  10-90 }

Doing this one line at a time could take forever. :(

So a script can be used that crafts the range. Each of the three scripts below prints a complete "config ... / end" block that can be pasted straight into the FortiGate CLI. In this example, I first generate the firewall IP pool entries, one single-address pool per public IP (the same host octet is used on the inside and the outside, which is what gives the 1:1 mapping):


#!/bin/bash
# Emits one single-address IP pool per public host, wrapped in the
# config/end block the FortiGate CLI expects.
echo "config firewall ippool"
for ((a=10; a <= 90 ; a++))
do
    echo "    edit \"XOpool-209.23.xxx.$a\""
    echo "        set startip 209.23.xxx.$a"
    echo "        set endip 209.23.xxx.$a"
    echo "    next"
done
echo "end"

Next, I add address entries for the inside host range 10.1.10.10-90:

#!/bin/bash
# Emits a /32 address object for each inside host 10.1.10.10-90.
echo "config firewall address"
for (( b=10; b <= 90 ; b++))
do
    echo "    edit \"internal-server-01-$b\""
    echo "        set subnet 10.1.10.$b 255.255.255.255"
    echo "    next"
done
echo "end"

And lastly, I generate the firewall policies. The loop index is the same host octet used for the address object and the IP pool, so each policy pairs one inside host with its own public address ("edit 0" lets the firewall assign the next free policy ID):

#!/bin/bash
# Emits one SNAT policy per host. The srcaddr and poolname must match the
# object names created by the two previous scripts, so the same range and
# naming scheme are used here.
echo "config firewall policy"
for ((a=10; a <= 90 ; a++))
do
    echo "    edit 0"
    echo "        set srcintf \"WEBNETWORK-DMZ\""
    echo "        set dstintf \"EXTERNAT-OUTSIDE\""
    echo "        set srcaddr \"internal-server-01-$a\""
    echo "        set dstaddr \"all\""
    echo "        set action accept"
    echo "        set schedule \"always\""
    echo "        set service \"ANY\""
    echo "        set comments \"1:1 SNAT 10.1.10.$a -> 209.23.xxx.$a\""
    echo "        set nat enable"
    echo "        set ippool enable"
    echo "        set poolname \"XOpool-209.23.xxx.$a\""
    echo "    next"
done
echo "end"

Now we build the configs and paste them into the firewall CLI, or use the batch config upload. Load the IP pool and address sections before the policies, since a policy that references an object which does not exist yet is rejected. Also remember that "edit 0" creates a new policy every time, so loading the same batch twice gives you duplicate policies. The same approach works for a host of other profiles and applications, so hack around with it; it's a start whenever you need a repetitive range of the exact same item.
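The three scripts above share one weak point: nothing checks that the names the policies reference actually exist in the pool and address sections, and a typo in one naming scheme only shows up as an error halfway through the batch load. Below is an added example, not from the original post, that folds the three generators into one shell script with a shared range and naming scheme, and then checks the generated text for dangling srcaddr/poolname references before it is handed to the firewall. The prefixes (10.1.10, 203.0.113) and interface names are assumptions for illustration; the FortiGate CLI keywords are the same ones used above.

```shell
#!/bin/sh
# Added example (not the original post's code): generate all three config
# sections for a 1:1 SNAT range and verify cross-references before loading.
# Prefixes and interface names below are assumed values for illustration.

INSIDE_PFX="10.1.10"        # assumed inside /24
PUBLIC_PFX="203.0.113"      # assumed public /24 (RFC 5737 documentation range)
SRC_INTF="WEBNETWORK-DMZ"   # assumed interface names
DST_INTF="EXTERNAL-OUTSIDE"

# gen_ippool FIRST LAST: one single-address pool per public host
gen_ippool() {
    a=$1
    echo "config firewall ippool"
    while [ "$a" -le "$2" ]; do
        echo "    edit \"XOpool-$PUBLIC_PFX.$a\""
        echo "        set startip $PUBLIC_PFX.$a"
        echo "        set endip $PUBLIC_PFX.$a"
        echo "    next"
        a=$((a + 1))
    done
    echo "end"
}

# gen_address FIRST LAST: a /32 address object per inside host
gen_address() {
    a=$1
    echo "config firewall address"
    while [ "$a" -le "$2" ]; do
        echo "    edit \"internal-server-01-$a\""
        echo "        set subnet $INSIDE_PFX.$a 255.255.255.255"
        echo "    next"
        a=$((a + 1))
    done
    echo "end"
}

# gen_policy FIRST LAST: one policy per host; the same octet selects the
# address object and the pool, which is what makes the mapping 1:1.
gen_policy() {
    a=$1
    echo "config firewall policy"
    while [ "$a" -le "$2" ]; do
        echo "    edit 0"
        echo "        set srcintf \"$SRC_INTF\""
        echo "        set dstintf \"$DST_INTF\""
        echo "        set srcaddr \"internal-server-01-$a\""
        echo "        set dstaddr \"all\""
        echo "        set action accept"
        echo "        set schedule \"always\""
        echo "        set service \"ANY\""
        echo "        set comments \"1:1 SNAT $INSIDE_PFX.$a -> $PUBLIC_PFX.$a\""
        echo "        set nat enable"
        echo "        set ippool enable"
        echo "        set poolname \"XOpool-$PUBLIC_PFX.$a\""
        echo "    next"
        a=$((a + 1))
    done
    echo "end"
}

# gen_all FIRST LAST: objects first, policies last, so the batch loads in order
gen_all() {
    gen_ippool "$1" "$2"
    gen_address "$1" "$2"
    gen_policy "$1" "$2"
}

# check_refs CONFIG_TEXT: succeed only if every srcaddr/poolname that a policy
# references was defined by an 'edit "name"' line somewhere in the text.
check_refs() {
    defined=$(printf '%s\n' "$1" | sed -n 's/^ *edit "\(.*\)"$/\1/p')
    refs=$(printf '%s\n' "$1" | sed -n -e 's/^ *set srcaddr "\(.*\)"$/\1/p' \
                                        -e 's/^ *set poolname "\(.*\)"$/\1/p' | sort -u)
    for name in $refs; do
        if ! printf '%s\n' "$defined" | grep -qxF -- "$name"; then
            echo "undefined object referenced by policy: $name" >&2
            return 1
        fi
    done
    return 0
}

# Usage: "./snat-gen.sh run" prints the batch for hosts 10-90 only if it is
# internally consistent; a dangling reference aborts with a non-zero exit.
if [ "${1:-}" = "run" ]; then
    cfg=$(gen_all 10 90)
    check_refs "$cfg" && printf '%s\n' "$cfg"
fi
```

Keeping the range and the naming scheme in one place is what removes the class of mistake where the policies loop over one range and the address objects over another. The check is deliberately simple (names are extracted with sed and compared line by line) so it runs on any box with a POSIX shell; it catches a missing or misspelled object before the firewall does, which matters because a partially loaded policy batch is awkward to roll back.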

Ken Felix
