tools for FortiOS

From time to time I will add useful batch command files or scripts that deal with certain aspects of FortiOS, the operating system of FORTINET’s firewalls.

Copy-Left: feel free to use the scripts in your work as a firewall admin – as long as you retain the copyright notice to me and this website.

 

---

contents

• Using external blacklists
• Block traffic by country – All Countries address group

---

Using external blacklists

Use case: you have a list of IP addresses and want to import them into your Fortigate, and use them in a policy to block or allow traffic from or to these hosts (blacklist or whitelist).

Such a list can for instance be generated by hosts.deny.

The following script takes a text file with IP addresses and converts it to a FortiOS batch command file, ready to be imported as a ‘bulk command’ (System > Advanced > Configuration Scripts).

To circumvent certain object size limits the script has to

• parse the input for IP addresses and add them to an internal list
• for each IP address, create a FOS address object
• for each 100 addresses, create a FOS address group
• create one or more FOS ‘super’ address group(s) (group of groups)

As the script cannot read the ‘live’ configuration from the FGT it will create a ‘purge’ batchfile to delete the imported address objects before importing new addresses.

usage: iplist2forti.py [-h] [-m {s,m,l}] [-n MAXADDR] [-p PREVADDR] [-d] [-D]
 [-o CMDFNAME] [-s SPLITCOUNT]
 infile
 Create (a lot of) address objects and groups from list for use in FortiOS.

positional arguments:
 infile                read IPs from <infile>

optional arguments:
 -h, --help            show this help message and exit
 -m {s,m,l}, --model {s,m,l}
                       FortiGate model: small (<FGT-100) / medium (<FGT-1000)
                       / large
 -n MAXADDR, --newest MAXADDR
                       use only newest/last <maxAddr> addresses from list
 -p PREVADDR, --prev PREVADDR
                       replace <prevAddr> old addresses
 -d, --dontresolve     skip non-numeric addresses (FQDNs) in input
 -D, --debug           print debug output
 -o CMDFNAME, --outfile CMDFNAME
                       write output to <cmdfname>
 -s SPLITCOUNT, --split SPLITCOUNT
                       split output into <splitcount> parts

Download:
iplist2forti.py and a sample hosts.deny file

expected output:

iplist2forti.py -ms -p 0 -d -o out.txt hosts.deny

bulk commandfile created: out_2017-03-14_1935.txt
 specific for small Fortigate model
 4054 IPs in file
 1554 IPs skipped
 2500 IPs in 125 address groups of size 20
 125 address groups in 1 super group of size 125

apply bulk command file out_2017-03-14_1935.txt
 refer to address group "sblockgroups000" in DENY policy
 to get rid of these addresses, apply out_purge_2017-03-14_1935.txt

↑ back to top

---

Block traffic by country – All Countries address group

Sometimes it’s useful to block traffic by geolocation. In FortiOS v5 and newer, an address can have the “set type geography” setting to denote a dynamic object. It encompasses all IP addresses used by internet providers in a country. Of course, this is not 100% exact but it can help a lot to secure your traffic.

As assigned IP ranges change from time to time FortiGuard updates the internal list of address ranges for each country.

If you want to use this feature you create a new address object, preferably in the CLI, and add the type specifier:

config firewall address
   set type geography
   set country AQ
end

Unfortunately, there is no obvious relation between the country names you know and the country code FortiOS uses. There are 2 ways to cope with this:

• you can type a ‘?’ instead of a country code to get the current list of codes
• you can use my ‘all countries’ batch command files to create address objects for ALL countries

Additionally, an address group with all country address objects will be created.The batch command file is available in English (all_countries.bcmd) and German (alle_Laender.bcmd) and looks like this:

config firewall address
   edit Reserved
      set type geography
      set country ZZ
   next
...
   edit Andorra
     set type geography
     set country AD
   next
...
end
 
config firewall addrgrp
   edit all_countries
      set member Reserved Anonymous_Proxy Satellite_Provider ...
   next
end

Bug warning (2018-08-17):

If you happen to find one day that you cannot see any address objects anymore, and you have geolocation addresses defined, it might be due to a bug in FortiOS v5.2 and v5.4.

Fortinet has removed the “Asia-Pacific” and “Europe” country codes. If your address group still contains one of these, the address object page in the WebGUI will not be accessible anymore.

Fix: edit the address group in the CLI (“config firewall address group”) and delete these entries.

↑ back to top

---