tools for FortiOS
From time to time I will add useful batch command files or scripts that deal with certain aspects of FortiOS, the operating system of FORTINET’s firewalls.
Copy-Left: feel free to use the scripts in your work as a firewall admin – as long as you retain the copyright notice to me and this website.
Using external blacklists
Use case: you have a list of IP addresses and want to import them into your Fortigate, and use them in a policy to block or allow traffic from or to these hosts (blacklist or whitelist).
Such a list can, for instance, be taken from a hosts.deny file.
The following script takes a text file with IP addresses and converts it to a FortiOS batch command file, ready to be imported as a ‘bulk command’ (System > Advanced > Configuration Scripts).
To circumvent certain object size limits the script has to
- parse the input for IP addresses and add them to an internal list
- for each IP address, create a FOS address object
- for each 100 addresses, create a FOS address group
- create one or more FOS ‘super’ address group(s) (group of groups)
As the script cannot read the ‘live’ configuration from the FGT it will create a ‘purge’ batchfile to delete the imported address objects before importing new addresses.
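As an added illustration of the steps above (example code written for this page, not the iplist2forti.py download itself), a compact Python version of the conversion that also writes the purge file; the object and group names (blk_…, blkgroups000, blksuper000), the group sizes and the hosts.deny sample are assumptions, not the script's own:

```python
import ipaddress
import re

# Constructed hosts.deny-style sample (not a real blocklist); it deliberately
# contains a duplicate, an FQDN and an invalid address.
SAMPLE_HOSTS_DENY = """# /etc/hosts.deny
sshd: 203.0.113.7
ALL: 192.0.2.99
sshd: evil.example.net
sshd: 203.0.113.7
sshd: 999.1.1.1
"""
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def parse_ips(text):
    """Unique, valid IPv4 addresses in order of first appearance; FQDNs are
    skipped, which is what the script's -d option does."""
    found = []
    for line in text.splitlines():
        for cand in IPV4_RE.findall(line.split("#", 1)[0]):
            try:
                ipaddress.IPv4Address(cand)  # rejects octets above 255
            except ValueError:
                continue
            if cand not in found:
                found.append(cand)
    return found

def chunks(seq, n):
    return [seq[i:i + n] for i in range(0, len(seq), n)]

def build_commands(ips, prefix="blk", group_size=100, super_size=300):
    """Return (create_text, purge_text). The create file makes one /32 address
    object per IP, address groups of group_size and super groups of super_size
    (names are assumed, not the script's); the purge file deletes them in
    reverse order, since FortiOS refuses to delete an object a group references."""
    addrs = {f"{prefix}_{ip}": ip for ip in ips}
    groups = {f"{prefix}groups{i:03d}": m for i, m in enumerate(chunks(list(addrs), group_size))}
    supers = {f"{prefix}super{i:03d}": m for i, m in enumerate(chunks(list(groups), super_size))}
    create = ["config firewall address"]
    for name, ip in addrs.items():
        create += [f'    edit "{name}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    create += ["end", "config firewall addrgrp"]
    for gname, members in list(groups.items()) + list(supers.items()):
        create += [f'    edit "{gname}"', "        set member " + " ".join(f'"{m}"' for m in members), "    next"]
    purge = ["config firewall addrgrp"] + [f'    delete "{g}"' for g in list(supers) + list(groups)]
    purge += ["end", "config firewall address"] + [f'    delete "{a}"' for a in addrs]
    return "\n".join(create + ["end"]) + "\n", "\n".join(purge + ["end"]) + "\n"
```

Write the two returned strings to separate files and load the first as a bulk command; the second removes everything the first created.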
usage: iplist2forti.py [-h] [-m {s,m,l}] [-n MAXADDR] [-p PREVADDR] [-d] [-D]
                       [-o CMDFNAME] [-s SPLITCOUNT]
                       infile

Create (a lot of) address objects and groups from list for use in FortiOS.

positional arguments:
  infile                read IPs from <infile>

optional arguments:
  -h, --help            show this help message and exit
  -m {s,m,l}, --model {s,m,l}
                        FortiGate model: small (<FGT-100) / medium (<FGT-1000)
                        / large
  -n MAXADDR, --newest MAXADDR
                        use only newest/last <maxAddr> addresses from list
  -p PREVADDR, --prev PREVADDR
                        replace <prevAddr> old addresses
  -d, --dontresolve     skip non-numeric addresses (FQDNs) in input
  -D, --debug           print debug output
  -o CMDFNAME, --outfile CMDFNAME
                        write output to <cmdfname>
  -s SPLITCOUNT, --split SPLITCOUNT
                        split output into <splitcount> parts
Download:
iplist2forti.py and a sample hosts.deny file
expected output:
iplist2forti.py -ms -p 0 -d -o out.txt hosts.deny
bulk commandfile created: out_2017-03-14_1935.txt
specific for small Fortigate model
4054 IPs in file
1554 IPs skipped
2500 IPs in 125 address groups of size 20
125 address groups in 1 super group of size 125
apply bulk command file out_2017-03-14_1935.txt
refer to address group "sblockgroups000" in DENY policy
to get rid of these addresses, apply out_purge_2017-03-14_1935.txt
Block traffic by country – All Countries address group
Sometimes it’s useful to block traffic by geolocation. In FortiOS v5 and newer, an address can have the “set type geography” setting to denote a dynamic object. It encompasses all IP addresses used by internet providers in a country. Of course, this is not 100% exact but it can help a lot to secure your traffic.
As assigned IP ranges change from time to time FortiGuard updates the internal list of address ranges for each country.
If you want to use this feature you create a new address object, preferably in the CLI, and add the type specifier:
config firewall address
    edit <address name>
        set type geography
        set country AQ
    next
end
Unfortunately, there is no obvious relation between the country names you know and the country code FortiOS uses. There are 2 ways to cope with this:
- you can type a ‘?’ instead of a country code to get the current list of codes
- you can use my ‘all countries’ batch command files to create address objects for ALL countries
Additionally, an address group containing all country address objects will be created. The batch command file is available in English (all_countries.bcmd) and German (alle_Laender.bcmd) and looks like this:
config firewall address
    edit Reserved
        set type geography
        set country ZZ
    next
    ...
    edit Andorra
        set type geography
        set country AD
    next
    ...
end
config firewall addrgrp
    edit all_countries
        set member Reserved Anonymous_Proxy Satellite_Provider ...
    next
end