fortipower / powerfgt Goto Github PK

View Code? Open in Web Editor NEW

105.0 15.0 33.0 1.21 MB

PowerShell module to manage Fortinet (FortiGate) Firewall

License: Apache License 2.0

PowerShell 100.00%

api powershell powershell-module fortinet fortigate fortigate-automation fortigate-firewall

powerfgt's Introduction

PowerFGT

This is a Powershell module for configure a FortiGate (Fortinet) Firewall.

With this module (version 0.8.1) you can manage:

Address (Add/Get/Copy/Set/Remove object type ipmask/subnet, FQDN, iprange, geo and mac)
AddressGroup (Add/Get/Copy/Set/Remove and Add/Remove Member)
DHCPServer (Get)
DNS (Get)
HA (Get)
Interface (Add/Get/Set/Remove Vlan, aggregate, loopback and Add/Remove Member)
IP Pool (Get)
Log Traffic (Get)
Monitor (Get)
Policy (Add/Get/Remove)
Proxy Address/Address Group/ Policy (Add/Get/Set/Remove)
RoutePolicy (Get)
Service (Get)
Service Group (Get)
Static Route (Add/Get/Remove)
System Admin (Get)
System Global (Get/Set)
System Settings (Get/Set)
Security Profiles (Get)
User LDAP (Get)
User Local (Get)
User Group (Get)
User SAML (Get)
User RADIUS (Get)
VDOM (Get)
Virtual IP (Add/Get/Remove object type static-nat)
Virtual IP Group (Add/Get/Copy/Set/Remove and Add/Remove Member)
Virtual WAN Link/SD-WAN (Get)
VPN IPsec Phase 1/Phase 2 Interface (Add/Get/Set/Remove)
VPN SSL (Get Client, Portal, Settings)
Web Filter (Get Profile)
Zone (Add/Get/Set/Remove and Add/Remove Member)

There is some extra feature

Invoke API
Filtering
Multi Connection

More functionality will be added later.

Connection can use HTTPS (default) or HTTP
Tested with FortiGate (using 5.6.x, 6.x and 7.x firmware but it will be also work with 5.4.x)
Add (Experimental) support of VDOM is available using -vdom parameter for each cmdlet

Usage

All resource management functions are available with the Powershell verbs GET, ADD, COPY, SET, REMOVE.
For example, you can manage Address with the following commands:

Get-FGTFirewallAddress
Add-FGTFirewallAddress
Copy-FGTFirewallAddress
Set-FGTFirewallAddress
Remove-FGTFirewallAddress

Requirements

Powershell 5 or 6.x/7.x (Core) (If possible get the latest version)
A Fortinet FortiGate Firewall and HTTPS enable (recommended)

Instructions

Install the module

# Automated installation (Powershell 5 or later):
    Install-Module PowerFGT

# Import the module
    Import-Module PowerFGT

# Get commands in the module
    Get-Command -Module PowerFGT

# Get help
    Get-Help Get-FGTFirewallAddress -Full

Examples

Connecting to the FortiGate Firewall

The first thing to do is to connect to a FortiGate Firewall with the command Connect-FGT :

# Connect to the FortiGate Firewall
    Connect-FGT 192.0.2.1

#we get a prompt for credential

You can select the port using -port parameter

# Connect to the FortiGate Firewall using port 4443
    Connect-FGT 192.0.2.1 -port 4443

if you are using OTP (FortiToken) for admin access, you can use -token_code or -token_prompt for specifity or ask the token/OTP when connecting

# Connect to the FortiGate Firewall with the token asked
    Connect-FGT 192.0.2.1 -token_prompt

You can also connect using API Token (Documentation for Generate REST API )

# Connect to the FortiGate Firewall with API Token
    Connect-FGT 192.0.2.1 -api_token 79GyN89Q7w00rG6pj09yd7wGG3kmds

if you get a warning about Unable to connect Look Issue

Address

You can create a new Address Add-FGTFirewallAddress, retrieve its information Get-FGTFirewallAddress, modify its properties Set-FGTFirewallAddress, copy/clone its properties Copy-FGTFirewallAddress or delete it Remove-FGTFirewallAddress.

# Get information about ALL address (using Format Table)
    Get-FGTFirewallAddress | Format-Table

    q_origin_key                 name                         uuid                                 subnet
    ------------                 ----                         ----                                 ------
    FIREWALL_AUTH_PORTAL_ADDRESS FIREWALL_AUTH_PORTAL_ADDRESS a940cdea-368c-51e9-2596-5ddfd54a087a 0.0.0.0 0.0.0.0
    SSLVPN_TUNNEL_ADDR1          SSLVPN_TUNNEL_ADDR1          a9416aca-368c-51e9-fe74-7dbb95fa64c9 10.212.134.200 10.212...
    all                          all                          a940cc32-368c-51e9-82f5-fa5337e9f45c 0.0.0.0 0.0.0.0
    autoupdate.opera.com         autoupdate.opera.com         a918c192-368c-51e9-ca8d-88cc94ed2d54 0.0.0.0 0.0.0.0
    google-play                  google-play                  a918cd22-368c-51e9-2f4f-2d914955741a 0.0.0.0 0.0.0.0
    swscan.apple.com             swscan.apple.com             a918d1dc-368c-51e9-08a7-c6004bf38fb9 0.0.0.0 0.0.0.0
    update.microsoft.com         update.microsoft.com         a918d650-368c-51e9-0cca-5f006a059f0b 0.0.0.0 0.0.0.0

# Create an address (type ipmask)
    Add-FGTFirewallAddress -Name 'My PowerFGT Network' -ip 192.0.2.1 -mask 255.255.255.0

    q_origin_key         : My PowerFGT Network
    name                 : My PowerFGT Network
    uuid                 : 9c65f75e-383e-51e9-a33a-caeffb7cfd33
    subnet               : 192.0.2.0 255.255.255.0
    type                 : ipmask
    start-ip             : 192.0.2.0
    end-ip               : 255.255.255.0
    fqdn                 :
    country              :
    wildcard-fqdn        :
    cache-ttl            : 0
    wildcard             : 192.0.2.0 255.255.255.0
    sdn                  :
    tenant               :
    organization         :
    epg-name             :
    subnet-name          :
    sdn-tag              :
    policy-group         :
    comment              :
    visibility           : enable
    associated-interface :
    color                : 0
    filter               :
    obj-id               :
    list                 : {}
    tagging              : {}
    allow-routing        : disable


# Get information an address (name) and display only some field (using Format-Table)
    Get-FGTFirewallAddress -name "My PowerFGT Network" | Select name, subnet, type, start-ip, end-ip | Format-Table

    name                subnet                  type   start-ip  end-ip
    ----                ------                  ----   --------  ------
    My PowerFGT Network 192.0.2.0 255.255.255.0 ipmask 192.0.2.0 255.255.255.0

# Get information some address (filter_type contains) and display only some field (using Format-Table)
    Get-FGTFirewallAddress -name update -filter_type contains | Select name, type, fqdn | Format-Table

    name                 type fqdn
    ----                 ---- ----
    autoupdate.opera.com fqdn autoupdate.opera.com
    update.microsoft.com fqdn update.microsoft.com

# Modify an address (name, comment, interface...)
    Get-FGTFirewallAddress -name "My PowerFGT Network" | Set-FGTFirewallAddress -name "MyNetwork" -comment "My comment" -interface port2

    q_origin_key         : MyNetwork
    name                 : MyNetwork
    uuid                 : 9c65f75e-383e-51e9-a33a-caeffb7cfd33
    subnet               : 192.0.2.0 255.255.255.0
    type                 : ipmask
    start-ip             : 192.0.2.0
    end-ip               : 255.255.255.0
    fqdn                 :
    country              :
    wildcard-fqdn        :
    cache-ttl            : 0
    wildcard             : 192.0.2.0 255.255.255.0
    sdn                  :
    tenant               :
    organization         :
    epg-name             :
    subnet-name          :
    sdn-tag              :
    policy-group         :
    comment              : My comment
    visibility           : enable
    associated-interface : port2
    color                : 0
    filter               :
    obj-id               :
    list                 : {}
    tagging              : {}
    allow-routing        : disable

# Copy/Clone an address
    Get-FGTFirewallAddress -name "MyNetwork" | Copy-FGTFirewallAddress -name "My New Network"

    q_origin_key         : My New Network
    name                 : My New Network
    uuid                 : 0c8da508-3840-51e9-f525-0601066767cc
    subnet               : 192.0.2.0 255.255.255.0
    type                 : ipmask
    start-ip             : 192.0.2.0
    end-ip               : 255.255.255.0
    fqdn                 :
    country              :
    wildcard-fqdn        :
    cache-ttl            : 0
    wildcard             : 192.0.2.0 255.255.255.0
    sdn                  :
    tenant               :
    organization         :
    epg-name             :
    subnet-name          :
    sdn-tag              :
    policy-group         :
    comment              : My comment
    visibility           : enable
    associated-interface : port2
    color                : 0
    filter               :
    obj-id               :
    list                 : {}
    tagging              : {}
    allow-routing        : disable

# Remove an address
    Get-FGTFirewallAddress -name "MyNetwork" | Remove-FGTFirewallAddress

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Firewall Address" on target "MyNetwork".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):Y

#You can also create other address type like fqdn, iprange or geography

# Create an address (type fqdn)
    Add-FGTFirewallAddress -Name FortiPower -fqdn fortipower.github.io

    name                 : FortiPower
    q_origin_key         : FortiPower
    uuid                 : 98af3292-3d6e-51eb-f488-f04057fbb871
    type                 : fqdn
    sub-type             : sdn
    clearpass-spt        : unknown
    start-mac            : 00:00:00:00:00:00
    end-mac              : 00:00:00:00:00:00
    fqdn                 : fortipower.github.io
    country              : 
    cache-ttl            : 0
    sdn                  : 
    fsso-group           : {}
    interface            : 
    comment              : 
    visibility           : enable
    associated-interface : 
    color                : 0
    filter               : 
    sdn-addr-type        : private
    obj-id               : 
    list                 : {}
    tagging              : {}
    allow-routing        : disable

# Create an address (type iprange)
   Add-FGTFirewallAddress -Name MyRange -startip 192.0.2.1 -endip 192.0.2.100

    name                 : MyRange
    q_origin_key         : MyRange
    uuid                 : a683a420-3d6e-51eb-5c90-f471f85943e8
    type                 : iprange
    sub-type             : sdn
    clearpass-spt        : unknown
    start-mac            : 00:00:00:00:00:00
    end-mac              : 00:00:00:00:00:00
    start-ip             : 192.0.2.1
    end-ip               : 192.0.2.100
    country              : 
    cache-ttl            : 0
    sdn                  : 
    fsso-group           : {}
    interface            : 
    comment              : 
    visibility           : enable
    associated-interface : 
    color                : 0
    filter               : 
    sdn-addr-type        : private
    obj-id               : 
    list                 : {}
    tagging              : {}
    allow-routing        : disable

# Create an address (type geography)
    Add-FGTFirewallAddress -name MyCountry -country FR

    name                 : MyCountry
    q_origin_key         : MyCountry
    uuid                 : 7cca6b06-f8ab-51ec-8db4-a82384435e50
    type                 : geography
    country              : FR
    cache-ttl            : 0
    sdn                  :
    comment              :
    visibility           : enable
    associated-interface :
    color                : 0
    filter               :
    obj-id               :
    list                 : {}
    tagging              : {}
    allow-routing        : disable

# Create an address (type mac)
    Add-FGTFirewallAddress -Name MyMAC -mac 01:02:03:04:05:06

    name                 : MyMAC
    q_origin_key         : MyMAC
    uuid                 : eabaa884-c42d-51ee-4a87-4605a5021da9
    type                 : mac
    sub-type             : sdn
    clearpass-spt        : unknown
    macaddr              : {@{macaddr=01:02:03:04:05:06; q_origin_key=01:02:03:04:05:06}}
    country              :
    cache-ttl            : 0
    sdn                  :
    fsso-group           : {}
    interface            :
    obj-type             : ip
    tag-detection-level  :
    tag-type             :
    dirty                : dirty
    comment              :
    associated-interface :
    color                : 0
    filter               :
    sdn-addr-type        : private
    node-ip-only         : disable
    obj-id               :
    list                 : {}
    tagging              : {}
    allow-routing        : disable
    fabric-object        : disable

Filtering

For Invoke-FGTRestMethod, it is possible to use -filter parameter You need to use FortiGate API syntax :

Key	Operator	Pattern	Full Request	Description
schedule	==	always	GET /api/v2/cmdb/firewall/policy/?filter=schedule==always	Only return firewall policy with schedule 'always'
schedule	!=	always	GET /api/v2/cmdb/firewall/policy/?filter=schedule!=always	Return all firewall policy with schedule other than 'always'

and Filter Operators :

Operator	Description
==	Case insensitive match with pattern.
!=	Does not match with pattern (case insensitive).
=@	Pattern found in object value (case insensitive).
!@	Pattern not found in object value (case insensitive).
<=	Value must be less than or equal to pattern.
<	Value must be less than pattern.
>=	Value must be greater than or equal to pattern.
>	Value must be greater than pattern.

For Invoke-FGTRestMethod and Get-XXX cmdlet like Get-FGTFirewallAddress, it is possible to using some helper filter (-filter_attribute, -filter_type, -filter_value)

# Get Firewall Address named myFGT
    Get-FGTFirewallAddress -name myFGT
...

# Get Firewall Address contains myFGT
    Get-FGTFirewallAddress -name myFGT -filter_type contains
...

# Get Firewall Address where subnet equal 192.0.2.0 255.255.255.0
    Get-FGTFirewallAddress -filter_attribute subnet -filter_type equal -filter_value 192.0.2.0 255.255.255.0
...

Actually, support only equal and contains filter type

Address Group

You can create a new Address Group Add-FGTFirewallAddressGroup, retrieve its information Get-FGTFirewallAddressGroup, modify its properties Set-FGTFirewallAddressGroup, copy/clone its properties Copy-FGTFirewallAddressGroup, Add member to Address Group Add-FGTFirewallAddressGroupMember and remove member Remove-FGTFirewallAddressGroupMember, or delete it Remove-FGTFirewallAddressGroup.

# Get information about ALL address Group (using Format Table)
    Get-FGTFirewallAddressgroup | Format-Table

    q_origin_key     name             uuid                                 member
    ------------     ----             ----                                 ------
    My Address Group My Address Group 292f6eaa-2613-51ea-866d-06cedca8805 {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_ke…

# Add an address Group with FGT1 and FGT2 
    Add-FGTFirewallAddressGroup -name "My Address Group" -member FGT1, FGT2

    q_origin_key  : My Address Group
    name          : My Address Group
    uuid          : 292f6eaa-2613-51ea-866d-06cedca8805
    member        : {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_key=FGT2; name=FGT2}}
    comment       :
    visibility    : enable
    color         : 0
    tagging       : {}
    allow-routing : disable

# Add FGT3 member to existing address Group
    Get-FGTFirewallAddressGroup -name "My Address Group" | Add-FGTFirewallAddressGroupMember -member FGT3

    q_origin_key  : MyAddressGroup
    name          : MyAddressGroup
    uuid          : 292f6eaa-2613-51ea-866d-06cedca8805a
    member        : {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_key=FGT2; name=FGT2}, @{q_origin_key=FGT3; name=FGT3}}
    comment       :
    visibility    : enable
    color         : 0
    tagging       : {}
    allow-routing : disable

# Remove FGT2 member to existing address Group
    Get-FGTFirewallAddressGroup -name "My Address Group" | Remove-FGTFirewallAddressGroupMember -member FGT2

    q_origin_key  : My Address Group
    name          : My Address Group
    uuid          : 292f6eaa-2613-51ea-866d-06cedca8805a
    member        : {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_key=FGT3; name=FGT3}}
    comment       :
    visibility    : enable
    color         : 0
    tagging       : {}
    allow-routing : disable

# Modify an address (comment, member...)
    Get-FGTFirewallAddressGroup -name "My Address Group" | Set-FGTFirewallAddressGroup -comment "My Address Group with only FGT2" -member FGT2

    q_origin_key  : My Address Group
    name          : My Address Group
    uuid          : 292f6eaa-2613-51ea-866d-06cedca8805a
    member        : {@{q_origin_key=FGT2; name=FGT2}}
    comment       : My Address Group with only FGT2
    visibility    : enable
    color         : 0
    tagging       : {}
    allow-routing : disable

# Copy/Clone an address Group
    Get-FGTFirewallAddressGroup -name "My Address Group" | Copy-FGTFirewallAddressGroup -name "My New Address Group"

    q_origin_key  : My New Address Group
    name          : My New Address Group
    uuid          : 9c2673a8-2614-51ea-9ab0-dfbd6f2c0475
    member        : {@{q_origin_key=FGT2; name=FGT2}}
    comment       : My Address Group with only FGT2
    visibility    : enable
    color         : 0
    tagging       : {}
    allow-routing : disable

# Remove an address Group
    Get-FGTFirewallAddressGroup -name "My Address Group" | Remove-FGTFirewallAddressGroup

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Firewall Address Group" on target "My Address Group".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Virtual IP

You can create a new Virtual IP Add-FGTFirewallVip, retrieve its information Get-FGTFirewallVip, or delete it Remove-FGTFirewallVip.

# Get information about ALL Virtual IP (using Format Table)
    Get-FGTFirewallVip | Format-Table

    q_origin_key name        id uuid                                 comment type       dns-mapping-ttl ldb-method src-filter service
    ------------ ----        -- ----                                 ------- ----       --------------- ---------- ---------- -------
    myVIP1       myVIP1       0 3ccb44c6-2662-51ea-a469-3148c8eff287         static-nat               0 static     {}         {}
    myVIP3-8080  myVIP3-8080  0 73989828-2662-51ea-c969-4ad22d450075         static-nat               0 static     {}         {}

# Add a Virtual IP with Static NAT (192.2.0.1 => 198.51.100.1)
    Add-FGTFirewallVip -name myVIP1 -type static-nat -extip 192.2.0.1 -mappedip 198.51.100.1

    q_origin_key                     : myVIP1
    name                             : myVIP1
    id                               : 0
    uuid                             : 3ccb44c6-2662-51ea-a469-3148c8eff287
    comment                          :
    type                             : static-nat
    dns-mapping-ttl                  : 0
    ldb-method                       : static
    src-filter                       : {}
    service                          : {}
    extip                            : 192.2.0.1
    extaddr                          : {}
    mappedip                         : {@{q_origin_key=198.51.100.1; range=198.51.100.1}}
    [...]

# Add a Virtual IP with Static NAT and Port Forward (192.2.0.2:8080 => 198.51.100.2:80)
    Add-FGTFirewallVip -name myVIP2-8080to80 -type static-nat -extip 192.2.0.2 -mappedip 198.51.100.2 -portforward -extport 8080 -mappedport 80

    q_origin_key                     : myVIP2-8080to80
    name                             : myVIP2-8080to80
    id                               : 0
    uuid                             : 73989828-2662-51ea-c969-4ad22d450075
    comment                          :
    type                             : static-nat
    dns-mapping-ttl                  : 0
    ldb-method                       : static
    src-filter                       : {}
    service                          : {}
    extip                            : 192.2.0.2
    extaddr                          : {}
    mappedip                         : {@{q_origin_key=198.51.100.2; range=198.51.100.2}}
    mapped-addr                      :
    extintf                          : any
    arp-reply                        : enable
    server-type                      :
    persistence                      : none
    nat-source-vip                   : disable
    portforward                      : enable
    protocol                         : tcp
    extport                          : 8080
    mappedport                       : 80
    [...]

# Remove a Virtual IP
    Get-FGTFirewallVip -name myVIP1 | Remove-FGTFirewallVip

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Firewall VIP" on target "myVIP1".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Virtual IP Group

You can create a new VIP Group Add-FGTFirewallVIPGroup, retrieve its information Get-FGTFirewallVIPGroup, modify its properties Set-FGTFirewallVIPGroup, copy/clone its properties Copy-FGTFirewallVIPGroup, Add member to Address Group Add-FGTFirewallVIPGroupMember and remove member Remove-FGTFirewallVIPGroupMember, or delete it Remove-FGTFirewallVIPGroup.

# Get information about ALL VIP Group (using Format Table)
    Get-FGTFirewallVipGroup | Format-Table

    name       q_origin_key uuid                                 interface color comments member
    ----       ------------ ----                                 --------- ----- -------- ------
    MyVIPGroup MyVIPGroup   cb875532-3d82-51eb-f120-075c29c10657 any           0          {@{name=myVIP1; q_origin_key=myVIP1}, @{name=myVIP2; q_origin_key=myVIP2}}

# Add a VIP Group with myVIP1 and myVIP2
    Add-FGTFirewallVIPGroup -name "MyVIPGroup" -member myVIP1, myVIP2

    name         : MyVIPGroup
    q_origin_key : MyVIPGroup
    uuid         : cb875532-3d82-51eb-f120-075c29c10657
    interface    : any
    color        : 0
    comments     :
    member       : {@{name=myVIP1; q_origin_key=myVIP1}, @{name=myVIP2; q_origin_key=myVIP2}}

# Add myVIP3 member to existing Virtual IP GROUP
    Get-FGTFirewallVIPGroup -name "MyVIPGroup" | Add-FGTFirewallVIPGroupMember -member myVIP3

    name         : MyVIPGroup
    q_origin_key : MyVIPGroup
    uuid         : cb875532-3d82-51eb-f120-075c29c10657
    interface    : any
    color        : 0
    comments     :
    member       : {@{name=myVIP1; q_origin_key=myVIP1}, @{name=myVIP2; q_origin_key=myVIP2}, @{name=myVIP3; q_origin_key=myVIP3}}

# Remove myVIP2 member to existing Virtual IP Group
    Get-FGTFirewallVIPGroup -name "MyVIPGroup" | Remove-FGTFirewallVIPGroupMember -member myVIP2

    name         : MyVIPGroup
    q_origin_key : MyVIPGroup
    uuid         : cb875532-3d82-51eb-f120-075c29c10657
    interface    : any
    color        : 0
    comments     :
    member       : {@{name=myVIP1; q_origin_key=myVIP1}, @{name=myVIP3; q_origin_key=myVIP3}}

# Modify a Virtual IP Group
    Get-FGTFirewallVIPGroup -name "MyVIPGroup" | Set-FGTFirewallVIPGroup -comment "My Virtual IP with only myVIP2" -member myVIP2

    name         : MyVIPGroup
    q_origin_key : MyVIPGroup
    uuid         : cb875532-3d82-51eb-f120-075c29c10657
    interface    : any
    color        : 0
    comments     : My Virtual IP with only myVIP2
    member       : {@{name=myVIP2; q_origin_key=myVIP2}}

# Remove a Virtual IP Group
    Get-FGTFirewallVIPGroup -name "MyVIPGroup" | Remove-FGTFirewallVIPGroup

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Firewall VIP Group" on target "MyVIPGroup".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Policy

You can create a new Policy Add-FGTFirewallPolicy, retrieve its information Get-FGTFirewallPolicy Add member to source or destinationn address Add-FGTFirewallPolicyMember and remove member Add-FGTFirewallPolicyMember, set it Set-FGTFirewallPolicy or delete it Remove-FGTFirewallPolicy.

# Get information about ALL Policies (using Format Table)
    Get-FGTFirewallPolicy | Format-Table
    q_origin_key policyid name         uuid                                 srcintf                             dstintf                             srcaddr
    ------------ -------- ----         ----                                 -------                             -------                             -------
            1           1 MyFGTPolicy  31a7ad9e-266e-51ea-1691-4906abad2e8b {@{q_origin_key=port1; name=port1}} {@{q_origin_key=port2; name=port2}} {@{q_origin_key=all; name=all}
            2           2 MyFGTPolicy2 3c8e5212-266e-51ea-2300-dc5fcb1a8e2a {@{q_origin_key=port1; name=port1}} {@{q_origin_key=port3; name=port3}} {@{q_origin_key=all; name=all}}

# Add Policy (MyFGTPolicy) allow ALL traffic between port1 to port2
    Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all
    q_origin_key                : 1
    policyid                    : 1
    name                        : MyFGTPolicy
    uuid                        : 31a7ad9e-266e-51ea-1691-4906abad2e8b
    srcintf                     : {@{q_origin_key=port1; name=port1}}
    dstintf                     : {@{q_origin_key=port2; name=port2}}
    srcaddr                     : {@{q_origin_key=all; name=all}}
    dstaddr                     : {@{q_origin_key=all; name=all}}
    internet-service            : disable
    internet-service-id         : {}
    internet-service-custom     : {}
    internet-service-src        : disable
    internet-service-src-id     : {}
    internet-service-src-custom : {}
    rtp-nat                     : disable
    rtp-addr                    : {}
    learning-mode               : disable
    action                      : accept
    send-deny-packet            : disable
    firewall-session-dirty      : check-all
    status                      : enable
    schedule                    : always
    schedule-timeout            : disable
    service                     : {@{q_origin_key=ALL; name=ALL}}
    [...]

# Add Policy (MyFGTPolicy2) allow ALL traffic between port1 to port3 and enable NAT (but disable rule)
    Add-FGTFirewallPolicy -name MyFGTPolicy2 -srcintf port1 -dstintf port3 -srcaddr all -dstaddr all -nat -status:$false -skip
    q_origin_key              : 2
    policyid                  : 2
    name                      : MyFGTPolicy2
    uuid                      : 6ad55b33-e514-4d60-a661-6addfe7b3ac8
    srcintf                   : {@{q_origin_key=port1; name=port1}}
    dstintf                   : {@{q_origin_key=port3; name=port3}}
    srcaddr                   : {@{q_origin_key=all; name=all}}
    dstaddr                   : {@{q_origin_key=all; name=all}}
    internet-service          : disable
    internet-service-src      : disable
    rtp-nat                   : disable
    learning-mode             : disable
    action                    : accept
    status                    : disable
    schedule                  : always
    schedule-timeout          : disable
    [...]

# Add FGT2 and FGT3 to source address (only FGT1 before)
    Get-FGTFirewallPolicy -name MyFGTPolicy3 | Add-FGTFirewallPolicyMember -srcaddr FGT1, FGT2

    q_origin_key              : 3
    policyid                  : 3
    name                      : MyFGTPolicy3
    uuid                      : d7d0fa66-3352-51ec-52cf-a215389b0ddb
    srcintf                   : {@{q_origin_key=port1; name=port1}}
    dstintf                   : {@{q_origin_key=port2; name=port2}}
    srcaddr                   : {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_key=FGT2; name=FGT2}, @{q_origin_key=FGT3;name=FGT3}}
    dstaddr                   : {@{q_origin_key=all; name=all}}
    internet-service          : disable
    internet-service-src      : disable
    rtp-nat                   : disable
    learning-mode             : disable
    action                    : accept
    status                    : disable
    schedule                  : always
    schedule-timeout          : disable
    [...]

# Remove FGT3 from destination address (FGT1, FGT2, FGT3 before)
    Get-FGTFirewallPolicy -name MyFGTPolicy3 | Remove-FGTFirewallPolicyMember -srcaddr FGT3

    q_origin_key              : 3
    policyid                  : 3
    name                      : MyFGTPolicy3
    uuid                      : d7d0fa66-3352-51ec-52cf-a215389b0ddb
    srcintf                   : {@{q_origin_key=port1; name=port1}}
    dstintf                   : {@{q_origin_key=port2; name=port2}}
    srcaddr                   : {@{q_origin_key=all; name=all}}
    dstaddr                   : {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_key=FGT2; name=FGT2}}
    internet-service          : disable
    internet-service-src      : disable
    rtp-nat                   : disable
    learning-mode             : disable
    action                    : accept
    status                    : disable
    schedule                  : always
    schedule-timeout          : disable
    [...]

# Move a Policy (MyFGTPolicy2 after MyFGTPolicy3)
    Get-FGTFirewallPolicy -name MyFGTPolicy2 | Move-FGTFirewallPolicy -after (Get-FGTFirewallPolicy -name MyFGTPolicy3)

    q_origin_key              : 2
    policyid                  : 2
    name                      : MyFGTPolicy2
    uuid                      : 6ad55b33-e514-4d60-a661-6addfe7b3ac8
    [...]


# Move a Policy (MyFGTPolicy3 before MyFGTPolicy2) with ask confirm
    Get-FGTFirewallPolicy -name MyFGTPolicy3 | Move-FGTFirewallPolicy -before (Get-FGTFirewallPolicy -name MyFGTPolicy2) -confirm

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Move Firewall Policy" on target "MyFGTPolicy3".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

    q_origin_key              : 3
    policyid                  : 3
    name                      : MyFGTPolicy3
    uuid                      : d7d0fa66-3352-51ec-52cf-a215389b0ddb
    [...]


# Change a Policy Settings (Security Profiles with default profiles)
    Get-FGTFirewallPolicy -name MyFGTPolicy3 | Set-FGTFirewallPolicy -avprofile default -webfilterprofile default -dnsfilterprofile default -applicationlist default -ipssensor default

    q_origin_key              : 3
    policyid                  : 3
    name                      : MyFGTPolicy3
    uuid                      : d7d0fa66-3352-51ec-52cf-a215389b0ddb
    [...]
    av-profile                : default
    webfilter-profile         : default
    dnsfilter-profile         : default
    application-list          : default
    ips-sensor                : default

# Remove a Policy
    Get-FGTFirewallPolicy -name MyFGTPolicy2 | Remove-FGTFirewallPolicy
    Remove Policy on Fortigate
    Proceed with removal of Policy MyFGTPolicy2 ?
    [Y] Yes  [N] No  [?] Help (default is "N"): y

Zone

You can create a new Zone Add-FGTSystemZone, retrieve its information Get-FGTFSystemZone, modify its properties Set-SystemZone, Add member to Zone Add-SystemZoneMember and remove member Remove-SystemZoneMember, or delete it Remove-SystemZone.

# Get information about ALL Zone
    Get-FGTSystemZone

    name         : myPowerFGTZone
    q_origin_key : myPowerFGTZone
    tagging      : {}
    description  :
    intrazone    : deny
    interface    : {@{interface-name=port5; q_origin_key=port5}, @{interface-name=port6; q_origin_key=port6}}

# Add new Zone myPowerFGTZone2 with port7 and intrazone allowed
    Add-FGTSystemZone -name myPowerFGTZone2 -intrazone allow -interfaces port7

    name         : myPowerFGTZone2
    q_origin_key : myPowerFGTZone2
    tagging      : {}
    description  :
    intrazone    : allow
    interface    : {@{interface-name=port7; q_origin_key=port7}}

# Add new member (port8) to existing zone myPowerFGTZone2
    Get-FGTSystemZone -name myPowerFGTZone2 | Add-FGTSystemZoneMember -interfaces port8

    name         : myPowerFGTZone2
    q_origin_key : myPowerFGTZone2
    tagging      : {}
    description  :
    intrazone    : allow
    interface    : {@{interface-name=port7; q_origin_key=port7}, @{interface-name=port8; q_origin_key=port8}}

# Remove port7 member to existing zone myPowerFGTZone2
    Get-FGTSystemZone -name myPowerFGTZone2 | Remove-FGTSystemZoneMember -interfaces port7

    name         : myPowerFGTZone2
    q_origin_key : myPowerFGTZone2
    tagging      : {}
    description  :
    intrazone    : allow
    interface    : {@{interface-name=port8; q_origin_key=port8}}

# Modify a Zone (intrazone, interface...)
    Get-FGTSystemZone -name myPowerFGTZone2 | Set-FGTSystemZone -intrazone deny

    name         : myPowerFGTZone2
    q_origin_key : myPowerFGTZone2
    tagging      : {}
    description  :
    intrazone    : deny
    interface    : {@{interface-name=port8; q_origin_key=port8}}

# Remove a zone
    Get-FGTSystemZone -name myPowerFGTZone2 | Remove-FGTSystemZone

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove zone" on target "myPowerFGTZone2".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Static Route

You can create a new Static Route Add-FGTRouterStatic, retrieve its information Get-FGTRouterStatic, or delete it Remove-FGTRouterStatic.

# Get information about ALL Static Route (using Format Table)
    Get-FGTRouterStatic | Format-Table
    seq-num q_origin_key status dst                        src             gateway        distance weight priority device
    ------- ------------ ------ ---                        ---             -------        -------- ------ -------- ------
          2            2 enable 192.0.2.0 255.255.255.0    0.0.0.0 0.0.0.0 198.51.100.254       10      0        0 port1
          3            3 enable 198.51.100.0 255.255.255.0 0.0.0.0 0.0.0.0 192.0.2.254          10      0        0 port2

# Add Static Route to 192.0.2.0/24 via 198.51.100.254 from port1
    Add-FGTRouterStatic -dst 192.0.2.0/24 -gateway 198.51.100.254 -device port1
    seq-num                 : 2
    q_origin_key            : 2
    status                  : enable
    dst                     : 192.0.2.0 255.255.255.0
    src                     : 0.0.0.0 0.0.0.0
    gateway                 : 198.51.100.254
    distance                : 10
    weight                  : 0
    priority                : 0
    device                  : port1
    comment                 :
    blackhole               : disable
    dynamic-gateway         : disable
    sdwan-zone              : {}
    dstaddr                 :
    internet-service        : 0
    internet-service-custom :
    link-monitor-exempt     : disable
    vrf                     : 0
    bfd                     : disable
    [...]

# Add Static Route to 198.51.100.0/24 via 192.0.2.254 from port2
    Add-FGTRouterStatic -dst 198.51.100.0/24 -gateway 192.0.2.254 -device port2
    seq-num                 : 3
    q_origin_key            : 3
    status                  : enable
    dst                     : 198.51.100.0 255.255.255.0
    src                     : 0.0.0.0 0.0.0.0
    gateway                 : 192.0.2.254
    distance                : 10
    weight                  : 0
    priority                : 0
    device                  : port2
    comment                 :
    blackhole               : disable
    dynamic-gateway         : disable
    sdwan-zone              : {}
    dstaddr                 :
    internet-service        : 0
    internet-service-custom :
    link-monitor-exempt     : disable
    vrf                     : 0
    bfd                     : disable
    [...]

# Remove a Static Route
    Get-FGTRouterStatic -filter_attribute seq-num -filter_type equal -filter_value 2 | Remove-FGTRouterStatic

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Router Static" on target "2".
    [Y] Yes  [N] No  [?] Help (default is "N"): y

Interface

You can create a new interface (Vlan ...) Add-FGTSystemInterface, retrieve its information Get-FGTSystemInterface, modify its properties Set-FGTSystemInterface or delete it Remove-FGTSystemInterface.

# Get information about ALL Interface (using Format Table)
    Get-FGTSystemInterface | Format-Table

    name      q_origin_key vdom vrf cli-conn-status fortilink switch-controller-source-ip mode   client-options distance
    ----      ------------ ---- --- --------------- --------- --------------------------- ----   -------------- --------
    fortilink fortilink    root   0               0 enable    outbound                    static {}                    5
    l2t.root  l2t.root     root   0               0 disable   outbound                    static {}                    5
    naf.root  naf.root     root   0               0 disable   outbound                    static {}                    5
    port1     port1        root   0               0 disable   outbound                    static {}                    5
    port2     port2        root   0               0 disable   outbound                    static {}                    5
    port3     port3        root   0               0 disable   outbound                    static {}                    5
    port4     port4        root   0               0 disable   outbound                    static {}                    5
    port5     port5        root   0               0 disable   outbound                    static {}                    5
    port6     port6        root   0               0 disable   outbound                    static {}                    5
    port7     port7        root   0               0 disable   outbound                    static {}                    5
    port8     port8        root   0               0 disable   outbound                    static {}                    5
    port9     port9        root   0               0 disable   outbound                    static {}                    5
    port10    port10       root   0               0 disable   outbound                    static {}                    5
    ssl.root  ssl.root     root   0               0 disable   outbound                    static {}                    5

# Create an interface (type vlan)
    Add-FGTSystemInterface -vlan_id 23 -interface port9 -name "PowerFGT_vlan23"

    name                                       : PowerFGT_vlan23
    q_origin_key                               : PowerFGT_vlan23
    vdom                                       : root
    vrf                                        : 0
    cli-conn-status                            : 0
    fortilink                                  : disable
    switch-controller-source-ip                : outbound
    mode                                       : static
    [...]

# Create an interface (type LACP)
    Add-FGTSystemInterface -name PowerFGT_lacp -atype lacp -member port9, port10

    name                                       : PowerFGT_lacp
    q_origin_key                               : PowerFGT_lacp
    vdom                                       : root
    vrf                                        : 0
    [...]
    type                                       : aggregate
    [...]
    member                                     : {@{interface-name=port9; q_origin_key=port9}, @{interface-name=port10; q_origin_key=port10}}
    lacp-mode                                  : active
    [...]

# Create an interface (type Loopback)
    Add-FGTSystemInterface -name PowerFGT_lo -loopback -mode static -ip 192.0.2.1 -netmask 255.255.255.255 -allowaccess ping

    name                                       : PowerFGT_lo
    q_origin_key                               : PowerFGT_lo
    vdom                                       : root
    [...]
    ip                                         : 192.0.2.1 255.255.255.255
    allowaccess                                : ping
    type                                       : loopback
    [...]

# Get information an Interface (name) and display only some field (using Format-Table)
    Get-FGTSystemInterface -name PowerFGT_vlan23 | select name, vlanid, ip

    name            vlanid ip
    ----            ------ --
    PowerFGT_vlan23     23 0.0.0.0 0.0.0.0

# Modify an interface (description, ip ...)
    Get-FGTSystemInterface -name PowerFGT_vlan23 | Set-FGTSystemInterface -alias ALIAS_PowerFGT -role lan -mode static -ip 192.0.2.1 -netmask 255.255.255.0 -allowaccess ping,https

    name                                       : PowerFGT_vlan23
    q_origin_key                               : PowerFGT_vlan23
    vdom                                       : root
    [...]
    ip                                         : 192.0.2.1 255.255.255.0
    allowaccess                                : ping https
    [...]
    interface                                  : port9
    external                                   : disable
    vlan-protocol                              : 8021q
    vlanid                                     : 23
    [...]
    description                                :
    alias                                      : ALIAS_PowerFGT
    [...]
    role                                       : lan
    [...]


# Add (append) allowaccess with SSH
    Get-FGTSystemInterface -name PowerFGT_vlan23 | Add-FGTSystemInterfaceMember -allowaccess ssh | select name, allowaccess

    name            allowaccess
    ----            -----------
    PowerFGT_vlan23 ping https ssh

# Remove allowaccess (https)
    Get-FGTSystemInterface -name PowerFGT_vlan23 | Remove-FGTSystemInterfaceMember -allowaccess https | select name, allowaccess

    name            allowaccess
    ----            -----------
    PowerFGT_vlan23 ping ssh

# Remove an interface
    Get-FGTSystemInterface -name PowerFGT_vlan23 | Remove-FGTSystemInterface

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove interface" on target "PowerFGT_vlan23".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Security Profiles

You can change System Settings and System Global (settings) using Set-FGTSystemSettings and Set-FGTSystemGlobal

It is possible to Get Security Profiles (Antivirus, Application Control, DNS Filter, ISDB, SSL/SSH, IPS)

Get-FGTAntivirusProfile List and Settings of Antivirus
Get-FGTApplicationList List and Settings of Application (List)
Get-FGTDnsfilterProfile List and Settings of DNS Filter Profile
Get-FGTFirewallInternetServiceName List of Internet Service Name (ISDB)
Get-FGTFirewallSSLSSHProfile List and Settings of SSL/SSH Profile
Get-FGTIpsSensor List and Settings of IPS Sensor

Settings

You can change System Settings and System Global (settings) using Set-FGTSystemSettings and Set-FGTSystemGlobal

# Get ALL information about System Global
    Get-FGTSystemGlobal

    language                                 : english
    gui-ipv6                                 : disable
    gui-replacement-message-groups           : disable
    gui-local-out                            : disable
    gui-certificates                         : enable
    gui-custom-language                      : disable
    gui-wireless-opensecurity                : disable
    gui-display-hostname                     : disable
    gui-fortigate-cloud-sandbox              : disable
    gui-firmware-upgrade-warning             : enable
    gui-allow-default-hostname               : disable
    gui-forticare-registration-setup-warning : enable
    gui-cdn-usage                            : enable
    admin-https-ssl-versions                 : tlsv1-2
    [...]

# Get only admintimeout and admin-sport of System Global

    Get-FGTSystemGlobal -Name admintimeout, admin-sport

    admintimeout admin-sport
    ------------ -----------
            5         443

# Configure admintimeout and admin-sport of System Global

    Set-FGTSystemGlobal -admintimeout 30 -admin_sport 8443

    [...]
    admintimeout                             : 30
    [...]
    admin-sport                              : 8443
    [...]

# for configure a setting not yet available on parameter of Set-FGTSystemGlobal, you can use

    $data = @{ "two-factor-sms-expiry" = 120 }
    Set-FGTSystemGlobal -data $data

    [...]
    two-factor-sms-expiry                    : 120
    [...]

# Get ALL information about System Settings
    Get-FGTSystemSettings

    comments                           : 
    opmode                             : nat
    ngfw-mode                          : profile-based
    http-external-dest                 : fortiweb
    firewall-session-dirty             : check-all
    manageip                           :
    gateway                            : 0.0.0.0
    ip                                 : 0.0.0.0 0.0.0.0
    manageip6                          : ::/0
    gateway6                           : ::
    ip6                                : ::/0
    device                             :
    bfd                                : disable
    [...]

# Get only gui-allow-unnamed-policy and opmode of System Settings

    Get-FGTSystemSettings -Name gui-allow-unnamed-policy, opmode

    gui-allow-unnamed-policy opmode
    ------------------------ ------
    disable                  nat


# Configure gui-allow-unnamed-policy of System Settings

    Set-FGTSystemSettings -gui_allow_unnamed_policy

    [...]
    gui-allow-unnamed-policy           : enable
    [...]

# for configure a setting not yet available on parameter of Set-FGTSystemSettings, you can use

    $data = @{ "location-id" = "192.0.2.1" }
    Set-FGTSystemSettings -data $data

    [...]
    location-id                        : 192.0.2.1
    [...]

VPN IPsec

VPN IPsec Interface Phase 1

You can create a new VPN IPsec (Interface Phase1) Add-FGTVpnIpsecPhase1Interface, retrieve its information Get-FGTVpnIpsecPhase1Interface, modify its properties Set-FGTVpnIpsecPhase1Interface or delete it Remove-FGTVpnIpsecPhase1Interface.

# Create a static VPN IPsec Phase 1 Interface named PowerFGT_VPN with interface port2 with Remote Gateway 192.0.2.1
    Add-FGTVpnIpsecPhase1Interface -name PowerFGT_VPN -type static -interface port2 -psksecret MySecret -remotegw 192.0.2.1

    name                        : PowerFGT_VPN
    q_origin_key                : PowerFGT_VPN
    type                        : static
    interface                   : port2
    ip-version                  : 4
    ike-version                 : 1
    local-gw                    : 0.0.0.0
    local-gw6                   : ::
    remote-gw                   : 192.0.2.1
    [...]


# Get information about ALL VPN IPsec Phase 1 Interface (using Format Table)
    Get-FGTVpnIpsecPhase1Interface | Format-Table

    name          q_origin_key  type    interface ip-version ike-version local-gw local-gw6 remote-gw remote-gw6
    ----          ------------  ----    --------- ---------- ----------- -------- --------- --------- ----------
    PowerFGT_VPN  PowerFGT_VPN  static  port2     4          1           0.0.0.0  ::        192.0.2.1 ::
    PowerFGT_VPN2 PowerFGT_VPN2 dynamic port2     4          2           0.0.0.0  ::        0.0.0.0   ::

# Modify a VPN IPsec 1 Interface (dhgrp, autodiscovery ...)
    Get-FGTVpnIpsecPhase1Interface PowerFGT_VPN | Set-FGTVpnIpsecPhase1Interface -dhgrp 14 -autodiscoverysender

    name                        : PowerFGT_VPN
    q_origin_key                : PowerFGT_VPN
    type                        : static
    interface                   : port2
    ip-version                  : 4
    ike-version                 : 1
    local-gw                    : 0.0.0.0
    local-gw6                   : ::
    remote-gw                   : 192.0.2.1
    [...]
    dhgrp                       : 14
    [...]
    auto-discovery-sender       : enable


# Remove a VPN IPsec 1 Interface
    Get-FGTVpnIpsecPhase1Interface PowerFGT_VPN | Remove-FGTVpnIpsecPhase1Interface

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Vpn IPsec Phase 1 Interface" on target "PowerFGT_VPN".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

VPN IPsec Interface Phase 2

You can create a new VPN IPsec (Interface Phase2) Add-FGTVpnIpsecPhase2Interface, retrieve its information Get-FGTVpnIpsecPhase2Interface, modify its properties Set-FGTVpnIpsecPhase2Interface or delete it Remove-FGTVpnIpsecPhase2Interface.

You need to have VPN IPsec Interface Phase 1 created before

# Create a VPN IPsec Phase 2 Interface named ph2_PowerFGT_VPN based on PowerFGT_VPN phase 1 with source network VPN_LOCAL and desination network VPN_REMOTE
    Get-FGTVpnIpsecPhase1Interface -name PowerFGT_VPN | Add-FGTVpnIpsecPhase2Interface -name ph2_PowerFGT_VPN -srcname VPN_LOCAL -dstname VPN_REMOTE

    name                     : ph2_PowerFGT_VPN
    q_origin_key             : ph2_PowerFGT_VPN
    phase1name               : PowerFGT_VPN
    [...]
    src-name                 : VPN_LOCAL
    src-name6                :
    src-addr-type            : name
    src-end-ip6              : ::
    src-port                 : 0
    dst-name                 : VPN_REMOTE
    dst-name6                :
    dst-addr-type            : name
    dst-end-ip6              : ::
    dst-port                 : 0


# Get information about ALL VPN IPsec Phase 2 Interface (using Format Table)
    Get-FGTVpnIpsecPhase2Interface | Format-Table

    name             q_origin_key     phase1name   dhcp-ipsec proposal         pfs    ipv4-df dhgrp replay keepalive
    ----             ------------     ----------   ---------- --------         ---    ------- ----- ------ ---------
    ph2_PowerFGT_VPN ph2_PowerFGT_VPN PowerFGT_VPN disable    aes256-sha1      enable disable 14 5  enable disable

# Modify a VPN IPsec 2 Interface (comments ...)
    Get-FGTVpnIpsecPhase2Interface ph2_PowerFGT_VPN | Set-FGTVpnIpsecPhase2Interface -comments "My PowerFGT IPsec Phase2"

    name                     : ph2_PowerFGT_VPN
    q_origin_key             : ph2_PowerFGT_VPN
    phase1name               : PowerFGT_VPN
    [...]
    comments                 : My PowerFGT IPsec Phase2
    [...]


# Remove a VPN IPsec 2 Interface
    Get-FGTVpnIpsecPhase2Interface ph2_PowerFGT_VPN | Remove-FGTVpnIpsecPhase2Interface

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Vpn IPsec Phase 2 Interface" on target "ph2_PowerFGT_VPN".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Monitor

It is possible to monitor FortiGate

Get-FGTMonitorFirewallPolicy List traffic statistics for firewall policies
Get-FGTMonitorFirewallSession List all active firewall sessions
Get-FGTMonitorRouterIPv4 List all active IPv4 routing table entries
Get-FGTMonitorLicenseStatus Get current license & registration status
Get-FGTMonitorNetworkARP Get IPv4 ARP table
Get-FGTMonitorSystemConfigBackup Backup system config
Get-FGTMonitorSystemFirmware Retrieve a list of firmware images available to use for upgrade on this device
Get-FGTMonitorSystemHAChecksum List of checksums for members of HA cluster
Get-FGTMonitorSystemHAPeer Get configuration of peer(s) in HA cluster
Get-FGTMonitorUtmApplicationCategories Get list of (UTM) Application Categories
Get-FGTMonitorVpnIPsec Return active IPsec VPNs
Get-FGTMonitorVpnSsl Retrieve a list of all SSL-VPN sessions and sub-sessions and Return statistics about the SSL-VPN
Get-FGTMonitorWebfilterCategories Return FortiGuard web filter categories

to get API uri, you can use Invoke-FGTRestMethod api/v2/monitor/?action=schema for get list of uri for monitor

Log Traffic

It is possible to get log traffic of FortiGate.

You can get the following type log

disk
fortianalyzer
forticloud
memory

and subtype

forward
local
multicast
sniffer
fortiview
threat

by default, it is only first 20 rows availables (use -rows parameter )’ /!\ you can get issue if you ask too many rows on small appliance /!\

can also filter by

Source IP (-srcip)
Source Interface (-srcintf)
Destination IP (-dstip)
Destination Interface (-dstintf)
Destination Port (-dstport)
Action (-action)
Policy ID (-policyid)
Policy UUID (-poluuid)

for Example

    #Get Log Traffic from memory on subtype forward and 10 000 rows

    Get-FGTLogTraffic -type memory -subtype forward -rows 10000 | Format-Table
    date       time               eventtime tz    logid      type    subtype level   vd   srcip
    ----       ----               --------- --    -----      ----    ------- -----   --   -----
    2022-03-06 22:52:28 1646635948633219391 -0800 0000000013 traffic forward notice  root 103.39.247.123
    2022-03-06 22:52:28 1646635948603208109 -0800 0000000013 traffic forward notice  root 103.39.247.123
    2022-03-06 22:52:28 1646635948593207059 -0800 0000000013 traffic forward notice  root 103.39.247.123
    2022-03-06 22:52:28 1646635948483209427 -0800 0000000022 traffic forward notice  root 10.88.130.131
    2022-03-06 22:52:28 1646635948483206444 -0800 0000000022 traffic forward notice  root 10.88.102.99
    2022-03-06 22:52:28 1646635948443205594 -0800 0000000022 traffic forward notice  root 10.88.110.122
    2022-03-06 22:52:28 1646635948443208223 -0800 0000000022 traffic forward notice  root 10.88.2.21
    2022-03-06 22:52:28 1646635948333207985 -0800 0000000013 traffic forward notice  root 216.251.148.178
    2022-03-06 22:52:28 1646635948283206523 -0800 0000000022 traffic forward notice  root 10.88.130.131
    2022-03-06 22:52:27 1646635948153206637 -0800 0001000014 traffic local   notice  root 127.0.0.1
    2022-03-06 22:52:27 1646635948083207799 -0800 0001000014 traffic local   notice  root 127.0.0.1
    2022-03-06 22:52:27 1646635948083211212 -0800 0001000014 traffic local   notice  root 127.0.0.1
    2022-03-06 22:52:27 1646635948163208549 -0800 0000000022 traffic forward notice  root 10.88.110.122
    [...]

you can also get some extra info using -extra parameter :
* reverse_lookup to get name of IP (found by the fortigate)
* country_id to get country of IP Address

You can also select the 'timeline' using -since parameter 1h(our), 1d(ay), 7d(ays), 30(days), only for Fortiguard type

You can use also `Get-FGTLogSetting` for get setting for Log (Syslogd, FortiAnalyzer...)

Invoke API

for example to get Fortigate System Global Info

# get FortiGate System Global using API
    (Invoke-FGTRestMethod -method "get" -uri "api/v2/cmdb/system/global").results

    language                                : english
    gui-ipv6                                : disable
    gui-certificates                        : enable
    gui-custom-language                     : disable
    gui-wireless-opensecurity               : disable
    gui-display-hostname                    : disable
    gui-lines-per-page                      : 50
    admin-https-ssl-versions                : tlsv1-1 tlsv1-2
    admintimeout                            : 120
    admin-console-timeout                   : 0
    admin-concurrent                        : enable
    admin-lockout-threshold                 : 3
    admin-lockout-duration                  : 60
    refresh                                 : 0
    interval                                : 5
    failtime                                : 5
    daily-restart                           : disable
    restart-time                            : 00:00
    radius-port                             : 1812
    admin-login-max                         : 100
    remoteauthtimeout                       : 5
    ldapconntimeout                         : 500
    batch-cmdb                              : enable
    multi-factor-authentication             : optional
    dst                                     : enable
    timezone                                : 04
    traffic-priority                        : tos
    traffic-priority-level                  : medium
    anti-replay                             : strict
    send-pmtu-icmp                          : enable
    honor-df                                : enable
    revision-image-auto-backup              : disable
    revision-backup-on-logout               : disable
    management-vdom                         : root
    hostname                                : PowerFGT-FW1
[...]

to get API uri, you can use api/v2/cmdb/?action=schema uri for get schema
You can look also FortiOS - REST API Reference available on Fortinet Developer Network (FNDN)

VDOM

it is possible use VDOM using -vdom parameter on cmdlet command (by default it is root vdom)

For get FGT Firewall Address of vdomX

    Get-FGTFirewallAddress -vdom vdomX
[...]

For get FGT Firewall Address of vdomX and root

    Get-FGTFirewallAddress -vdom vdomX,root
[...]

For get FGT Firewall Address of all vdom

    Get-FGTFirewallAddress -vdom *
[...]

You can configure the "default" vdom when connect using

    Connect-FGT 192.0.2.1 -vdom vdomX
[...]

You can also change default vdom using

    Set-FGTConnection -vdom vdomY
[...]

Proxy

There is also cmdlet for Proxy

Proxy Address (Add/Copy/Get/Remove-FGTFirewallProxyAddress)
Proxy Address Group (Add/Copy/Get/Set/Remove-FGTFirewallProxyAddressGroup)
Proxy Policy (Add/Get/Remove-FGTFirewallProxyPolicy)

For Proxy Policy, it is possible to specific explict proxy or transparent For FortiGate 6.0.x, you need to enable proxy mode before (and enable feature)

Connecting with API Token

If you have a REST API administrator account setup, you can connect with the API

Connect-FGT 192.0.2.1 -ApiToken "yourtoken"

You can use API Token with HTTPS (or HTTP with FortiOS > 7.0.x but not recommended)

A REST API administrator account can be setup using the following FortiOS CLI commands:

config system accprofile
    edit "api_powerfgt"
        set netgrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set system-diagnostics disable
    next
end

config system api-user
    edit "myaccount_powerfgt"
        set accprofile "api_powerfgt"
        config trusthost
            edit 1
                set ipv4-trusthost 192.0.2.0 255.255.255.0
            next
        end
    next
end

MultiConnection

From release 0.3.0, it is possible to connect on same times to multi FortiGate You need to use -connection parameter to cmdlet

For example to get interface of 2 FortiGate

# Connect to first FortiGate
    $fw1 = Connect-FGT 192.0.2.1 -SkipCertificateCheck -DefaultConnection:$false

#DefaultConnection set to false is not mandatory but only don't set the connection info on global variable

# Connect to second FortiGate
    $fw2 = Connect-FGT 192.0.2.2 -SkipCertificateCheck -DefaultConnection:$false

# Get Interface for first FortiGate
    Get-FGTSystemInterface -connection $fw1 | Format-Table

    q_origin_key  name          vdom vrf cli-conn-status fortilink mode   distance priority dhcp-relay-service
    ------------  ----          ---- --- --------------- --------- ----   -------- -------- ------------------
    DCFW          DCFW          root   0               0 disable   static        5        0 enable
    FITNUC        FITNUC        root   0               0 disable   static        5        0 disable
....

# Get Interface for second FortiGate
    Get-FGTSystemInterface -connection $fw2 | Format-Table

    q_origin_key  name          vdom vrf cli-conn-status fortilink mode   distance priority dhcp-relay-service
    ------------  ----          ---- --- --------------- --------- ----   -------- -------- ------------------
    FSA-DMZ       FSA-DMZ       root   0               0 disable   static        5        0 disable
    FSA-DMZ2      FSA-DMZ2      root   0               0 disable   static        5        0 disable
    FWLC          FWLC          root   0               0 disable   static        5        0 enable
...

#Each cmdlet can use -connection parameter

Disconnecting

# Disconnect from the FortiGate
    Disconnect-FGT

Deploy-VM

You can deploy FortiGate OVA (vapp), you need VMware.PowerCLI module and FortiGate OVF (available on support web site)

    $fortiBuildParams = @{
        ovf_path                    = "C:\FortiGate-VM64.vapp.ovf"
        vm_host                     = "MyHost"
        datastore                   = "MyDataStore"
        Cluster                     = "MyCluster"
        name_vm                     = "PowerFGT"
        hostname                    = "PowerFGT"
        dns_primary                 = "192.0.2.3"
        dns_secondary               = "192.0.2.4"
        int0_network_mode           = "Static"
        int0_gateway                = "192.0.2.254"
        int0_ip                     = "192.0.2.1"
        int0_netmask                = "255.255.255.0"
        int0_port_group             = "PG-PowerFGT"
        net_adapter                 = "vmxnet3"
    }
    Deploy-FGTVm @fortiBuildParams

    PowerFGT is ready to use (http://192.0.2.1) (need to Start VM !)

Issue

Unable to connect (certificate)

if you use Connect-FGT and get Unable to Connect (certificate)

The issue coming from use Self-Signed or Expired Certificate for Firewall Management
Try to connect using Connect-FGT -SkipCertificateCheck

Unable to connect

You can use also Connect-FGT -httpOnly for connect using HTTP (NOT RECOMMENDED !)

How to contribute

Contribution and feature requests are more than welcome. Please use the following methods:

For bugs and issues, please use the issues register with details of the problem.
For Feature Requests, please use the issues register with details of what's required.
For code contribution (bug fixes, or feature request), please request fork PowerFGT, create a feature/fix branch, add tests if needed then submit a pull request.

Contact

Currently, @alagoutte started this project and will keep maintaining it. Reach out to me via Twitter, Email (see top of file) or the issues Page here on GitHub. If you want to contribute, also get in touch with me.

List of available command

Add-FGTFirewallAddress
Add-FGTFirewallAddressGroup
Add-FGTFirewallAddressGroupMember
Add-FGTFirewallPolicy
Add-FGTFirewallPolicyMember
Add-FGTFirewallProxyAddress
Add-FGTFirewallProxyAddressGroup
Add-FGTFirewallProxyAddressGroupMember
Add-FGTFirewallProxyPolicy
Add-FGTFirewallVip
Add-FGTFirewallVipGroup
Add-FGTFirewallVipGroupMember
Add-FGTRouterStatic
Add-FGTSystemInterface
Add-FGTSystemInterfaceMember
Add-FGTSystemZone
Add-FGTSystemZoneMember
Add-FGTVpnIpsecPhase1Interface
Add-FGTVpnIpsecPhase2Interface
Confirm-FGTAddress
Confirm-FGTAddressGroup
Confirm-FGTFirewallPolicy
Confirm-FGTFirewallProxyPolicy
Confirm-FGTInterface
Confirm-FGTProxyAddress
Confirm-FGTProxyAddressGroup
Confirm-FGTRouterStatic
Confirm-FGTVip
Confirm-FGTVipGroup
Confirm-FGTVpnIpsecPhase1Interface
Confirm-FGTVpnIpsecPhase2Interface
Confirm-FGTZone
Connect-FGT
Copy-FGTFirewallAddress
Copy-FGTFirewallAddressGroup
Copy-FGTFirewallProxyAddress
Copy-FGTFirewallProxyAddressGroup
Copy-FGTFirewallVipGroup
Deploy-FGTVm
Disconnect-FGT
Get-FGTAntivirusProfile
Get-FGTApplicationList
Get-FGTDnsfilterProfile
Get-FGTFirewallAddress
Get-FGTFirewallAddressGroup
Get-FGTFirewallInternetServiceName
Get-FGTFirewallIPPool
Get-FGTFirewallPolicy
Get-FGTFirewallProxyAddress
Get-FGTFirewallProxyAddressGroup
Get-FGTFirewallProxyPolicy
Get-FGTFirewallServiceCustom
Get-FGTFirewallServiceGroup
Get-FGTFirewallSSLSSHProfile
Get-FGTFirewallVip
Get-FGTFirewallVipGroup
Get-FGTIpsSensor
Get-FGTLogSetting
Get-FGTLogTraffic
Get-FGTMonitorFirewallPolicy
Get-FGTMonitorFirewallSession
Get-FGTMonitorLicenseStatus
Get-FGTMonitorNetworkARP
Get-FGTMonitorRouterIPv4
Get-FGTMonitorSystemConfigBackup
Get-FGTMonitorSystemFirmware
Get-FGTMonitorSystemHAChecksum
Get-FGTMonitorSystemHAPeer
Get-FGTMonitorUtmApplicationCategories
Get-FGTMonitorVpnIPsec
Get-FGTMonitorVpnSsl
Get-FGTMonitorWebfilterCategories
Get-FGTRouterPolicy
Get-FGTRouterStatic
Get-FGTSystemAdmin
Get-FGTSystemDHCPServer
Get-FGTSystemDns
Get-FGTSystemDnsServer
Get-FGTSystemGlobal
Get-FGTSystemHA
Get-FGTSystemInterface
Get-FGTSystemSDWAN
Get-FGTSystemSettings
Get-FGTSystemVdom
Get-FGTSystemVirtualWANLink
Get-FGTSystemZone
Get-FGTUserGroup
Get-FGTUserLDAP
Get-FGTUserLocal
Get-FGTUserRADIUS
Get-FGTUserSAML
Get-FGTVpnIpsecPhase1Interface
Get-FGTVpnIpsecPhase2Interface
Get-FGTVpnSSLClient
Get-FGTVpnSSLPortal
Get-FGTVpnSSLSettings
Get-FGTWebfilterProfile
Invoke-FGTRestMethod
Move-FGTFirewallPolicy
Remove-FGTFirewallAddress
Remove-FGTFirewallAddressGroup
Remove-FGTFirewallAddressGroupMember
Remove-FGTFirewallPolicy
Remove-FGTFirewallPolicyMember
Remove-FGTFirewallProxyAddress
Remove-FGTFirewallProxyAddressGroup
Remove-FGTFirewallProxyAddressGroupMember
Remove-FGTFirewallProxyPolicy
Remove-FGTFirewallVip
Remove-FGTFirewallVipGroup
Remove-FGTFirewallVipGroupMember
Remove-FGTRouterStatic
Remove-FGTSystemInterface
Remove-FGTSystemInterfaceMember
Remove-FGTSystemZone
Remove-FGTSystemZoneMember
Remove-FGTVpnIpsecPhase1Interface
Remove-FGTVpnIpsecPhase2Interface
Set-FGTCipherSSL
Set-FGTConnection
Set-FGTFirewallAddress
Set-FGTFirewallAddressGroup
Set-FGTFirewallPolicy
Set-FGTFirewallProxyAddressGroup
Set-FGTFirewallVipGroup
Set-FGTSystemGlobal
Set-FGTSystemInterface
Set-FGTSystemSettings
Set-FGTSystemZone
Set-FGTUntrustedSSL
Set-FGTVpnIpsecPhase1Interface
Set-FGTVpnIpsecPhase2Interface
Show-FGTException

Author

Alexis La Goutte

Contributors

Arthur Heijnen
Benjamin Perrier
Brett Pound
Dave Hope
Cédric Moreau
Evan Chisholm
Jelmer Jaarsma
Kevin Shu
Sylvain Gomez

Sort by name (git shortlog -s)

Special Thanks

Warren F. for his blog post 'Building a Powershell module'
Erwan Quelin for help about Powershell

License

powerfgt's People

Contributors

Stargazers

Watchers

powerfgt's Issues

Display the progress BAR

hello alagoutte))

A question ...
how to organize a progress bar
For example If I use Connection in stages to objects
..
in my case, I just close the powershell window
and the script is executed.
As an observer, I remain unaware of what is happening ..
..
If you have an implementation of the Progress bar, please tell me .. how to implement it ...

cls
sl $PSScriptRoot
[Environment]::CurrentDirectory = gl
$eol = [Environment]::NewLine
 

Add-Type -Name Window -Namespace Console -MemberDefinition '
[DllImport("Kernel32.dll")]
public static extern IntPtr GetConsoleWindow();

[DllImport("user32.dll")]
public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow);
'
function Hide-Console
{
    $consolePtr = [Console.Window]::GetConsoleWindow()
    #0 hide
    [Console.Window]::ShowWindow($consolePtr, 0)
}
Hide-Console


Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
[System.Windows.Forms.Application]::EnableVisualStyles()
function TextToArray{
       $returndata = @()
       $txtboxdata = New-Object System.IO.StringReader($objTextBox.Text)
       $Linedata = $txtboxdata.readline()
       while ($Linedata -ne $null)
           {   $returndata += @($Linedata)
               $Linedata = $txtboxdata.readline() }
       $objtextbox.Clear()
       $txtboxdata.dispose()
       return $returndata
}

function Textbox {
    [CmdletBinding()]
    param(
    [Parameter(Mandatory=$true,valuefrompipeline=$true)]
    [string]$Label,
       [string]$LabelText
       )
       $objForm = New-Object System.Windows.Forms.Form
       $objForm.Text = $label
       $objForm.Size = New-Object System.Drawing.Size(300,415)
       $objForm.AutoSize = $true
       $objForm.StartPosition = "CenterScreen"
       $objForm.MinimumSize = New-object System.Drawing.Size(200, 30)
       $objForm.MaximumSize = New-object System.Drawing.Size(600, 600)
       $objForm.FormBorderStyle = [System.Windows.Forms.AutoSizeMode]::GrowOnly
       ####

       ####
       $global:x = @()
       $OKButton = New-Object System.Windows.Forms.Button
       $OKButton.Location = New-Object System.Drawing.Size(45,345)
       $OKButton.Size = New-Object System.Drawing.Size(75,23)
       $OKButton.Text = "OK"
       $OKButton.Add_Click({$global:x +=@(TextToArray);$objForm.Close()})
       $objForm.Controls.Add($OKButton)
       
       
       $CancelButton = New-Object System.Windows.Forms.Button
       $CancelButton.Location = New-Object System.Drawing.Size(150,345)
       $CancelButton.Size = New-Object System.Drawing.Size(90,23)
       $CancelButton.Text = "Cancel"
       $CancelButton.DialogResult = [System.Windows.Forms.DialogResult]::Cancel
       $objform.CancelButton = $CancelButton
       $objForm.Controls.Add($CancelButton)
      

       $objLabel = New-Object System.Windows.Forms.Label
       $objLabel.Location = New-Object System.Drawing.Point(22,20)
       $objLabel.Size = New-Object System.Drawing.Size(280,20)
       $objLabel.Text = $LabelText
       $objForm.Controls.Add($objlabel)

       
       $objTextBox = New-Object System.Windows.Forms.TextBox
       $objTextBox.Location = New-Object System.Drawing.Size(10,40)
       $objTextBox.Size = New-Object System.Drawing.Size(260,300)
       $objTextBox.Multiline = $true
       $objTextBox.ScrollBars = "Vertical"
       $objForm.Controls.Add($objTextBox)
       $objForm.Topmost = $True
       $objForm.Add_Shown({$objForm.Activate()})
       $result = $objForm.ShowDialog()
       return $x
}
#########
$serverlist =@()
$serverlist += @(TextBox "FGT by Frortigate" "obj. From FGT:")
($online,$offline) =  $serverlist.Where({Test-Connection $_ -count 1 -delay 1 -Quiet}, "split")

$online.foreach(
{
$fs=Connect-FGT $_ -SkipCertificateCheck -DefaultConnection:$false -Timeout 15
$resalllt = Get-FGTSystemFirmware -connection $fs -name fortios -filter_type contains |  Select platform-id
    switch( $resalllt."platform-id"){
       FGT30E {
		   ###many conditions, later the output of the received variables and the generation of the file.
		       $MyPath = "Configs\30E\$($netWAN.mode)____FG$($netNAME)__30E.conf"
               $MyFile = (CONFIG_30E_u) -replace "(?m)^\s*`n",''.trim()
               $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
               [System.IO.File]::WriteAllLines($MyPath, $MyFile, $Utf8NoBomEncoding)
		   Disconnect-FGT -connection $fs -confirm:$false
	   }
       FGT30D {
		   ###many conditions, later the output of the received variables and the generation of the file.
		       $MyPath = "Configs\30D\$($netWAN.mode)____FG$($netNAME)__30D.conf"
               $MyFile = (CONFIG_30D_u) -replace "(?m)^\s*`n",''.trim()
               $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
               [System.IO.File]::WriteAllLines($MyPath, $MyFile, $Utf8NoBomEncoding)
		   Disconnect-FGT -connection $fs -confirm:$false
	   }
       FGT40F {
		   ###many conditions, later the output of the received variables and the generation of the file.
		       $MyPath = "Configs\40F\$($netWAN.mode)____FG$($netNAME)__40F.conf"
               $MyFile = (CONFIG_40F_u) -replace "(?m)^\s*`n",''.trim()
               $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
               [System.IO.File]::WriteAllLines($MyPath, $MyFile, $Utf8NoBomEncoding)
		   Disconnect-FGT -connection $fs -confirm:$false
	   }
       Default {
		   	###many conditions, later the output of the received variables and the generation of the file.
               $MyPath = "Configs\40C\$($statusWan1)-$($statusWan2)____FG$($netNAME)__40C.conf"
               $MyFile = (CONFIG_40C_t) -replace "(?m)^\s*`n",''.trim()
               $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
               [System.IO.File]::WriteAllLines($MyPath, $MyFile, $Utf8NoBomEncoding)
		   Disconnect-FGT -connection $fs -confirm:$false
	   }
    }
Disconnect-FGT -connection $fs -confirm:$false
 }
                )

$offline.foreach( 
   { 
    "$_ ***offline***" | Out-File Offline.txt -Append
  }
)

Thanks in advance for your help)

Failure to connect when post-login-banner is configured

Tested with various firmware releases (v6.0.8 through 6.4.4),Connect-FGT fails if a post-login-banner is configured.

PowerFGT version 0.5.0

Unable to found FGT version
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.5.0\Public\Connection.ps1:176 char:13
+             throw "Unable to found FGT version"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Unable to found FGT version:String) [], RuntimeException
    + FullyQualifiedErrorId : Unable to found FGT version

If the post-login-banner is removed, login works as expected:

config system global
set post-login-banner disable

add ability to add security profile to firewall policy

TNX for your contrectbtion!

can you pls add the ability to add a Security profile to a newly created policy or old policy?

TNX again!

Error connecting with v0.5.0

When trying to connect with v0.5.0 I got the following error:

PS C:\scripts\> Connect-FGT -Server xxx.xxx.xxx.xxx -SkipCertificateCheck -Username xxx -Password $pass
Unable to found CSRF Cookie
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.1\Public\Connection.ps1:161 char:13
+             throw "Unable to found CSRF Cookie"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Unable to found CSRF Cookie:String) [], RuntimeException
    + FullyQualifiedErrorId : Unable to found CSRF Cookie

I made sure to uninstall the old v0.4.1 module but still the error is there.

Move-FGTFirewallPolicy function problem

Hello, there is a problem with the "Move-FGTFirewallPolicy" function.

If no default connection is specified, the function returns an error when calling the last command "Get-FGTFirewallPolicy -policyid $policy.policyid" inside the function.

Can you add "-connection $connection" at the end of the line.

Thanks.

Regards.

Use case for "confirm-*" cmdlets?

Hey there, just checked and couldn't see any info on how the confirm-* cmdlets were expected to be used so thought I'd ask!

Create new policy with defined PolicyID

API details for Add Firewall Policy?
My use case needs me to explicitly set policy IDs to maintain configuration drift, and the current implementation doesn't allow for this; I've tested out adding this using the REST method and adding the PolicyID property, but that hasn't seemed to work. So I'm wondering if anyone has access to real documentation on the API and can see whether there's an option to do this?

Don't correctly work with VDOM

The module don't yet support account with access to multi vdom

The account can only access to one VDOM

Align Filtering with FortiManager (PowerFMG)

FortiManager can use like or contain for filtering
it is more limited with FortiGate (equal or contains actually).

Need to replace contain by like for align with PowerFMG

Reg Connect-FGT

Hi Team I would like to know does the script supports importing CSV files and looping it through each management IP address in CSV file.

I got the below error when I import it however it works fine when looping it through this way

$unique_device_ips = "172.16.10.10", "172.16.10.11"
Foreach($unique_device_ip in $unique_device_ips) { 
Connect-FGT -Server $unique_device_ip -Credentials $psCred -SkipCertificateCheck
}

Unable to connect to FortiGate
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.6.1\Public\Connection.ps1:181 char:17
+                 throw "Unable to connect to FortiGate"
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (Unable to connect to FortiGate:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to connect to FortiGate

Also, I would like to know if is there a way to get export CSV every result from the below modules in one short

Get-FGTMonitorSystemFirmware
Get-FGTSystemGlobal 
Get-FGTMonitorSystemHAPeer
Get-FGTSystemInterface

Thanks for the quick reply.

Add Timeout Functionality to Connect-FGT

Loving this Module so far!

Running to an issue where a few clients will not connect and Connect-FGT will not time out.

It looks like the Invoke-WebRequest in "Connection.ps1" on line 135 needs a -timeout added and parameterized with a default.

The default timeout of Invoke-WebRequest seems to be over 5+ minutes.

Connecting with FortiToken?

Hello, is there a way to connect to prompt for FortiToken? Thank you!

problem with Add-FgtFirewallVip and UDP

I've been trying to add a VIP for a UDP port, and don't get an error but the VIP is always created with TCP instead. Has anyone else tried / tested this?

These two statements are part of a script I am using to create these; as you can see, they're identical in parameters except the -protocol option (I do manipulate the VIP name in $prtname and the $mappedport and $extport items so they're unique)

Add-FGTFirewallVip -connection $conn[0] -vdom root -type static-nat -name $prtname `
    -extip $ext_ip -mappedip $mappedip -mappedport $mappedport `
    -comment "Printer for client $($prt.client)" -portforward -protocol UDP -extport $extport 

Add-FGTFirewallVip -connection $conn[0] -vdom root -type static-nat -name $prtname `
    -extip $ext_ip -mappedip $mappedip -mappedport $mappedport `
    -comment "Printer for client $($prt.client)" -portforward -protocol TCP -extport $extport

When I execute them, the first one is correct except for it being a TCP not UDP VIP, and the second is always fine.

I can't see any recent activity in vip.ps1 that looks relevant, and the version I have running was loaded at the beginning of the year in my initial 0.4.1 load.

Any thoughts, anyone else used it and had different results?

Question about use Remove-FGTFirewallPolicy

I have a question about the cmdlet Remove-FGTFirewallPolicy, it's possible to use directly the cmdlet Remove-FGTFirewallPolicy with the parameter name or we are must to make the Get-FGTFirewallPolicy -name XXX |Remove-FGTFirewallPolicy ?

Thank in advance

Regards,

Backup config isn't working

Hi Alexis,

Found a bug in Get-FGTMonitorSystemConfigBackup: this function isn't working.
It returns $response.results but it should returns $response

Also fixed in PR #177

Zone: Add description field

with FortiGate 6.2.x, there is also a description (comment) field.

need to add on Add/Set System Zone cmdlet

Return object of Connect-FGT is not an object

The return object of Connect-FGT isn't an object, but a set of objects.

I'd like to have been able to do the following:

$conn = connect-fgt FGT-A.fqdn.com -SkipCertificateCheck -Credentials $fwcred
$conn += connect-fgt FGT-B.fqdn.com -SkipCertificateCheck -Credentials $fwcred

and then later do foreach operations on that. But I found that connection object returned isn't really an object...

Feature request: DHCP Server support

It would be great to add support for reading and writing DHCP server configuration.

Check if device update is available

Hi,

How/where can I see if a device update is available via FGM API or this PowerShell Module?
I have tried loking everywhere within this repo but cannot find the information?

TIA

Upgrade Path

Hi,

Here's a litte function I wrote to compute upgrade path.

Function Get-FirmwareUpdate{
    $firmware = (Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware)
    $FortiOS  = $firmware.results.current   | select version
    $Update   = $firmware.results.available | select version -First 1
    if($Update){
        if($FortiOS -eq $Update){# Firmware is up to date
            [pscustomobject]@{
                "Installed" = $($FortiOS.version)
                "Available" = $($Update.version)
            }
        }else{# Firmware is not up to date, compute the upgrade path
            $major       = $firmware.results.current.major
            $minor       = $firmware.results.current.minor
            $patch       = $firmware.results.current.patch
            $updateMajor = ($firmware.results.available | select -First 1).major
            $updateMinor = ($firmware.results.available | select -First 1).minor
            $updatePatch = ($firmware.results.available | select -First 1).patch
            $upgradePath = "v$($major).$($minor).$($patch)"
            Do{
                $nextFirmware = Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware/upgrade-paths | select -ExpandProperty results | where { $_.from.major -eq $major -and $_.from.minor -eq $minor -and $_.from.patch -eq $patch } | select -First 1
                $major        = $nextFirmware.to.major
                $minor        = $nextFirmware.to.minor
                $patch        = $nextFirmware.to.patch
                $upgradePath = $upgradePath + " -> v$($major).$($minor).$($patch)"
            }Until($major -eq $updateMajor -and $minor -eq $updateMinor -and $patch -eq $updatePatch)
            [pscustomobject]@{
                "Installed"    = $($FortiOS.version)
                "Available"    = $($Update.version)
                "Upgrade Path" = $upgradePath
            }
        }
    }else{# No firmware available (support expired)
        [pscustomobject]@{
            "Installed" = $($FortiOS.version)
            "Available" = "N/A"
        }
    }
}

Get-FirmwareUpdate

Installed Available Upgrade Path
--------- --------- ------------
v6.0.13   v7.0.5    v6.0.13 -> v6.2.10 -> v6.4.8 -> v7.0.5

Upgrade path error

Hi Alexis,

Get-FGTMonitorSystemFirmware -upgrade_paths returns a 404 error.
URI called:
Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware/upgrade_paths
URI working:
Invoke-FGTRestMethod -uri api/v2/monitor/system/firmware/upgrade-paths

Made a PR for that #177

Is PowerFGT able to connect to another port than 443 or 80 ?

Hello,

I need to use your Powershell module but when I'm trying to connect my admin Powershell windows, it says :

_Unable to connect to FortiGate
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.1\Public\Connection.ps1:148 char:13
+             throw "Unable to connect to FortiGate"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (Unable to connect to FortiGate:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to connect to FortiGate_

I've checked with the option -SkipCertificateCheck, same issue.
I've checked with the option -httpOnly, same issue.

Each time, it's asking me to login myself.

I've found that our HTTPS port of our Fortigate another port than 443.
So I ran the cmd : Connect-FGT "IpAdress":"otherport" -SkipCertificateCheck
Same error :

_Unable to connect to FortiGate
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.1\Public\Connection.ps1:148 char:13
+             throw "Unable to connect to FortiGate"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (Unable to connect to FortiGate:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to connect to FortiGate_

So is it possible to use this module for connecting to Fortigate using a different port for HTTPS connection ?

Thank you in advance.

Regards,

Get IPsec vpn phase1 PSK

Good day.
I am interested in the ability to extract the password from the phase in the tunnel. even if it is encrypted
in the form of such
psksecret ENC ppDZlb3tJGNOcQqwi7O8ER/eOA2iYkzgfxWtDVkOZPnctdgBrJ7+F/QhwYnYt+J6YR

$mysecpassword = ConvertTo-SecureString "testtss" -AsPlainText -Force
#$fw3 = Connect-FGT 192.168.1.99 -Username admin -Password $mysecpassword -SkipCertificateCheck -DefaultConnection:$false
<#          Splatting 
-name     ,  If I want to add more than one interface name, I had to get out like this.
                      #>
$names = @(@{nam ="tunnel1"},@{nam ="tunnel2"},@{nam ="tunnel3"},@{nam ="tunnel4"})
foreach ($nam in $names) {
Get-FGTVpnIpsecPhase1Interface -connection $fw3  @nam -filter_type contains | Select mode, name, psksecret 
}

mode name psksecret

aggressive tunnel1 ENC XXXX
aggressive tunnel2 ENC XXXX
aggressive tunnel3 ENC XXXX
aggressive tunnel4 ENC XXXX

As a result, I get passwords at the exit
))) XXXX !!! what ...
leafed through the api, I could not figure out how to pull the values. in its normal form. without decryption .. it is not important to me ..

I ask you to suggest any options. yes via ssh shows. why then does not work here.

Filtering does not work correctly in old operating systems (5.x)

help to disassemble. how to modify your function, or pass it the correct parameters so that it will work correctly on FortiGate-40C v5.2.15 models.
yes i read that your module is only supported from a certain branch. but still there is an API too. and it means there is also its own principle of work.
When uploading default value filtered by WAN Interface Name

$ fw3 = Connect-FGT 192.168.1.99 -SkipCertificateCheck -DefaultConnection: $ false -Timeout 15
Get-FGTSystemInterface -connection $ fw3 -name wan -filter_type contains | Select name, username, password, status, mode, ip, speed, mtu, mtu-override

this error appears

Unable to convert value ".." to type "System.Version". Error: "The input string was not in the correct format."
line: 160 character: 111
+ .... $ ($ version.results.current.minor). $ ($ version.results.current.patch) "
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo: InvalidArgument: (:) [], RuntimeException
    + FullyQualifiedErrorId: InvalidCastParseTargetInvocation

The script is working off, but! as I diagnosed, filtering by the "-name wan" key will not work
instead I get the whole list of interfaces,
No matter what filtering key I put, it simply does not work.

Please help me understand how to debug, for whatever reason, the filter does not work.!

thanks in advance.!

MAC address feature request!

Please add feature to add mac address to Address or Address Group

Get-FGTFirewallAddressGroup return showing only 4x member entries...

I totally know how to get access to the .Member property, and suspect that this is just a PS behaviour that can't be overridden, but it'd be nice if it could.
When you use Get-FGTFirewallAddressMember, the output shows up to 4 members and then an ellipsis of members... Is there any way to influence that to report them all ?

uuid          : 37231bb8-ebc3-51e9-dd1f-a50c2fa0b8cf
member        : {@{q_origin_key=H_10.1.0.1; name=H_10.1.0.1}, 
                @{q_origin_key=H_10.1.0.2; name=H_10.1.0.2}, 
                @{q_origin_key=H_10.1.0.3; name=H_10.1.0.3}, 
                @{q_origin_key=H_10.1.0.4; name=H_10.1.0.4}...}
comment       :

Add VIPGRP functions

Like *AddressGroup, we need *VipGroup functions

Getting Arp Table

Using your module for FortiGate is it possible to get the ARP table? I used the following to pull all the different monitors
Invoke-FGTRestMethod api/v2/monitor/?action=schema -connection $connection | select -Property directory -ExpandProperty directory
I found a monitor for ARP which shows the path is network and the name is ARP but I get an error when I use the following

Invoke-FGTRestMethod -method "get" -uri "api/v2/monitor/network/arp"

WARNING: The FortiGate API sends an error message:
WARNING: Error description (code): Not Found (404)
WARNING: Error details: {
  "path":"network",
  "name":"arp",
  "action":"",
  "serial":"",
  "version":"v6.0.4",
  "build":231,
  "status":"error",
  "http_status":404
}
Unable to use FortiGate API
At C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.6.1\Private\RestMethod.ps1:171 char:13
+             throw "Unable to use FortiGate API"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Unable to use FortiGate API:String) [], RuntimeEx 
   ception
    + FullyQualifiedErrorId : Unable to use FortiGate API

Get current IPsec vpn numbers

Is there a way to pull the number of current dial up IPSec VPN users using this powershell module?

Unexpected behavior with log search - Get-FGTLogTraffic

This is my query:

Get-FGTLogTraffic -vdom ISSTN -type disk -subtype forward -dstip 8.8.8.8 -rows 10 -since 30d | select srcip, dstip, dstport, proto | Format-Table

and this is the output:

srcip          dstip        dstport proto
-----          -----        ------- -----
172.20.43.24   10.141.64.2     4343     6
10.140.179.209 10.141.64.2     4343     6
10.140.128.2   10.141.64.2     4343     6
172.20.47.79   10.141.64.2     4343     6
10.140.169.27  10.141.64.6     5274     6
10.127.6.1     10.141.64.7     5274     6
10.140.128.2   10.141.64.7      443     6
10.167.0.2     10.141.20.51    8383     6
172.24.55.150  10.141.64.2     4343     6
172.20.39.14   10.141.64.2     8080     6

As you can see there is no trace of the IP 8.8.8.8 in the dstip column

Allow to organize policy in the Fortigate

I have a question about the managed the sequence of the policy rule. By default all rules created are implement the last position of the Fortinet zone.

Does possible to define when the rule is created her postion in the Fortinet Zone.

The cli command on the Fortinet is move <id#> [before|after] <id#>

Thank in advance

Add Add/Set/Remove cmdlet for Firewall VIP/VIPGRP/AddressGroup

One of the most common things that I have to do that I'd love to script is to add a new IP address, then add that as a member to an addressgroup. When do you think we might see SET-* and ADD-* capabilities ?

As a side question, I'm still digging in to the capabilities, but wondered is there an easy way to pipeline entries from the member list of an address group to get the address values? Here's a hypothetical example of what I'm talking about:

(Get-FGTFirewallAddressgroup -connection $FG -vdom root | where name -like "MySpecialGroup").member | Get-FGTFirewallAddress

Error when using "-since" option with Get-FGTLogTraffic command

Powershell version: 5.1 and 7.3.7
Fortigate version: 7.0.12

Example without "-since" parameter:

PS Z:\FortiACL> Get-FGTLogTraffic -vdom XXXXXX -type fortianalyzer -subtype forward -policyid XXXX -rows 1 | select srcip, dstip, dstport, proto | Format-Table

srcip dstip dstport proto

x.x.x.x x.x.x.x 49155 6

Error with "-since" parameter:

PS Z:\FortiACL> Get-FGTLogTraffic -vdom XXXXX -type fortianalyzer -subtype forward -policyid XXXX -since 1h -rows 1 | select srcip, dstip, dstport, proto | Format-Table
InvalidArgument: C:\Users\user\Documents\PowerShell\Modules\PowerFGT\0.7.0\Public\log\traffic.ps1:189
Line |
189 | $filter_value += "&filter=" + $filter
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot convert value "&filter=_metadata.timestamp>=1695801386405" to type "System.Int32". Error: "The input
| string '&filter=_metadata.timestamp>=1695801386405' was not in a correct format."

srcip dstip dstport proto

x.x.x.x x.x.x.x 49155 6

OT:
If I use "-type memory" or "-type disk" I always receive empty output.

Filtering on interface properties

I am trying to retrieve all interfaces belonging to a certain VDOM:

`$SourceInterfaces = Get-FGTSystemInterface -connection $SourceConnection -filter_attribute vdom -filter_type equal -filter_value $SourceVDOM`

But this doesn't seem to work.

Set/Remove-FGTFirewallAddress not working when piping object from Get-FGTFirewallAddress

I can successfully retrieve address information from Get-FGTFirewallAddress, but when piping the output of that to Set-FGTFirewallAddress to make changes to that address I receive an error:

PS C:\Users\a-timothy.murphy> Get-FGTFirewallAddress -name 10.100.13.235

name                 : 10.100.13.235
q_origin_key         : 10.100.13.235
uuid                 : 8c606492-3fc7-51eb-07bd-d7a98c853186
subnet               : 10.100.13.235 255.255.255.255
type                 : ipmask
sub-type             : sdn
clearpass-spt        : unknown
start-mac            : 00:00:00:00:00:00
end-mac              : 00:00:00:00:00:00
country              :
cache-ttl            : 0
sdn                  :
fsso-group           : {}
interface            :
comment              : TM 12/16/20
visibility           : enable
associated-interface :
color                : 0
filter               :
sdn-addr-type        : private
obj-id               :
list                 : {}
tagging              : {}
allow-routing        : disable



PS C:\Users\a-timothy.murphy> Get-FGTFirewallAddress -name 10.100.13.235 | Set-FGTFirewallAddress -comment "Test"
Set-FGTFirewallAddress : Cannot validate argument on parameter 'address'. Element specified does not contain an fqdn
property.
At line:1 char:46
+ ... lAddress -name 10.100.13.235 | Set-FGTFirewallAddress -comment "Test"
+                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (@{name=10.100.1...outing=disable}:PSObject) [Set-FGTFirewallAddress], Para
   meterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Set-FGTFirewallAddress

Upload and replace renewed SSL Certificate offline

Is there any option to fetch and replace a renewed SSL certificate from a local pc

any option by which we can upload and replace a renewed SSL certificate from a local pc

Issue for delete the member of the Policy

Hi,

When I use your module for managed the policy of the Fortinet, I have remark that when i launched the command of Remove-FGTFirewallPolicyMember the command is executed without error but the action isn't set.

Also i have a second question about the managed the sequence of the policy rule. Does the module can we managed ther sequence of the policy rule?

Thank in advance for your reponse

Regards,

Add access_token support

From FortiOS 5.6, it is possible to use a token for access to API

but need to specific Trusted Hosts (and 0.0.0.0/0 is not allowed...)

There is also an API Call to generate token
POST /api/v2/monitor/system/api-user/generate-key?vdom=root

Custom HTTPS port?

Is there some way to connect to FortiGate on custom HTTPS port? I dont know anyone who is running admin/rest interface on default 443 port.

IPv6 support

Will you be implementing IPv6 support on all current GET/ADD/SET/REMOVE methods?

When using the "Remove-FGTFirewallAddressGroupMember" cmdlet, nothing happens

Hello
When using the "Remove-FGTFirewallAddressGroupMember" cmdlet, nothing happens:

Verbose:
PUT https://FORTIGATE_IP/api/v2/cmdb/firewall/addrgrp/GROUP_NAME? with -1-byte payload
received 303-byte response of content type application/json
https://FORTIGATE_IP:443/api/v2/cmdb/firewall/addrgrp?&filter=name==GROUP_NAME
GET https://FORTIGATE_IP/api/v2/cmdb/firewall/addrgrp?&filter=name==GROUP_NAME with 0-byte payload
received 771-byte response of content type application/json

FortiOS version: 6.0.11

Can you create new users?

Is there a way that you can create and remove users?

Check code return when connect

When connect using /logincheck, the API return a "status" code (From REST API Ref 6.0.0x guide :)

Code	Description
0	Log in failure. Most likely an incorrect username/password combo.
1	Successful log in*
2	Admin is now locked out
3	Two-factor Authentication is needed

And with FortiOS 6.2 (and 6.4), the first connection ask to change password and there there is a new code 4

Allow unnamed Firewall Policy

Hi, could you please make the firewall policy name not required? Or let me know how to disable the name property from being required

pipeline for Add-FGTFirewallAddressGroupMember returns 500

I'm at last able to start focussing on FGT again for a while and started digging in to the new capabilities in the 0.4.1 release, but I hit a snag.

Based on the help info, it seems Add-FGTFirewallAddressGroupMember will take pipeline input, so you should be able to Get-FGTFirewallAddressGroup | Add-FGTFirewallAddressGroupMember successfully. I've tried using this combo, and it didn't seem to work and I can't be sure whether it's my understanding, my group/member/firewall, or if it's a bug. What I can however do is use the assignment-then-add-member approach that the help info shows, with the same group and member, which does work.

Error message is shown below (redacted).

PS > 
Get-FGTFirewallAddressGroup -vdom root -connection $conn[0] -name TestGroupNameHere | Add-FGTFirewallAddressGroupMember -member TestMemberHere -vdom root

WARNING: The FortiGate API sends an error message:
WARNING: Error description (code): Internal Server Error (500)
WARNING: Error details: {
  "http_method":"PUT",
  "revision":"537.0.665.2897040576.1559001134",
  "error":-3,
  "status":"error",
  "http_status":500,
  "vdom":"root",
  "path":"firewall",
  "name":"addrgrp",
  "mkey":"TestGroupNameHere",
  "serial":"",
  "version":"",
  "build":
}
Unable to use FortiGate API
At C:\Program Files\WindowsPowerShell\Modules\powerfgt\0.4.1\Private\RestMethod.ps1:166 
char:13
              throw "Unable to use FortiGate API"
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     CategoryInfo          : OperationStopped: (Unable to use FortiGate API:String) [] 
   , RuntimeException
     FullyQualifiedErrorId : Unable to use FortiGate API

Unable to concatenate -srcip and -dstip in the Get-FGTLogTraffic function.

working command:

Get-FGTLogTraffic -vdom FW-ASL8 -type fortianalyzer -subtype forward -dstip 8.8.8.8 -rows 10 -since 1h | select srcip, dstip, dstport, proto, date, time, action | Format-Table

srcip dstip dstport proto date time action

172.23.100.21 8.8.8.8 53 17 2023-12-04 09:41:56 accept
172.23.100.21 8.8.8.8 53 17 2023-12-04 09:41:49 accept
172.23.100.21 8.8.8.8 53 17 2023-12-04 09:41:40 accept
172.23.100.21 8.8.8.8 53 17 2023-12-04 09:41:17 accept
172.23.100.31 8.8.8.8 53 17 2023-12-04 09:40:58 accept
172.23.100.21 8.8.8.8 53 17 2023-12-04 09:40:40 accept
172.23.100.21 8.8.8.8 53 17 2023-12-04 09:40:40 dns
172.23.100.21 8.8.8.8 53 17 2023-12-04 09:40:28 accept
172.23.100.21 8.8.8.8 53 17 2023-12-04 09:39:35 accept
172.23.100.21 8.8.8.8 53 17 2023-12-04 09:39:23 accept

not working command:

Get-FGTLogTraffic -vdom FW-ASL8 -type fortianalyzer -subtype forward -srcip 172.23.100.21 -dstip 8.8.8.8 -rows 10 -since 1h | select srcip, dstip, dstport, proto, date, time, action | Format-Table

Get-FGTLogTraffic: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.

Am I doing something wrong or is this how it's supposed to work?

In any case, is it possible to concatenate the source address and destination address on the Get-FGTLogTraffic function?

Is it possible to define networks? (e.g. 10.0.0.1/24)

Thank you in advance for your valuable support.

Bug with diacritics

Hi,

I'm having a problem with French accented characters.
For example, if I list addresses objects:

Get-FGTFirewallAddress | select name

name
----
...
RÃ©seau local
RÃ©seau invitÃ©
SSLVPN_TUNNEL_ADDR1
all
none
...

Is there any way to fix this? Or is there anything I can do to convert it on the fly?

Unable to remove member from group

Hi!!

I'm trying to remove a member from an address group and that doesn't work. I see when verbose mode is enable that the member I'm trying to remove is not listed but after the command, it was listed again!!

command used:

`Get-FGTFirewallAddressGroup -name "Windows2008" | Remove-FGTFirewallAddressGroupMember -verbose -member $Inputmachine`

Output: 
`COMMENTAIRES : {
    "member":  {
                   "name":  "04chrtr00035.04trvr08.reg04.rtss.qc.ca_fqdn"
               }
}
COMMENTAIRES : PUT https://10.38.220.221/api/v2/cmdb/firewall/addrgrp/Windows 2008?&vdom=WAN with -1-byte payload
COMMENTAIRES : received 278-byte response of content type application/json
COMMENTAIRES : GET https://10.38.220.221/api/v2/cmdb/firewall/addrgrp?&vdom=WAN&filter=name==Windows 2008 with 0-byte payload
COMMENTAIRES : received 798-byte response of content type application/json

name          : Windows 2008
q_origin_key  : Windows 2008
uuid          : d5539d2c-621e-51ea-61ad-45d8d89f136d
member        : {@{name=04chrtr00035.04trvr08.reg04.rtss.qc.ca_fqdn; q_origin_key=04chrtr00035.04trvr08.reg04.rtss.qc.ca_fqdn}, @{name=mcq04000389; q_origin_key=mcq04000389}}
comment       : 
visibility    : enable
color         : 0
tags          : {}
allow-routing : disable`

Pascal

Address : Known issue

There is some known issue with address cmdlet

Only support ipmask(subnet) address for the moment
Don't check if the interface exist when add or edit
search/match is make by PowerShell (via Where-Object) and not direclty using API
Don't check if the address is use before modify/remove

This issues will be fixed on a next release...

VMware.VimAutomation.Common is required to use module

Hi,

when importing the module hte first time you will get following error:

C:\Program Files\WindowsPowerShell\Modules\PowerFGT\0.4.0\PowerFGT.psm1 : Failed to import function C:\Program
Files\WindowsPowerShell\Modules\PowerFGT\0.4.0\Public\Deploy.ps1: Das Skript "Deploy.ps1" kann nicht ausgeführt
werden, da die folgenden in den "#requires"-Anweisungen des Skripts angegebenen Module fehlen:
VMware.VimAutomation.Common.
In Zeile:1 Zeichen:1

Import-Module PowerFGT

  + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
  + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,PowerFGT.psm1

This can be solved by installing this missing module using:
Install-Module VMware.VimAutomation.Common

Maybe this can be fixed on initial Module installation.

Best Regards
Gerald Gaugusch

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

fortipower / powerfgt Goto Github PK

powerfgt's Introduction

PowerFGT

Usage

Requirements

Instructions

Install the module

Examples

Connecting to the FortiGate Firewall

Address

Filtering

Address Group

Virtual IP

Virtual IP Group

Policy

Zone

Static Route

Interface

Security Profiles

Settings

VPN IPsec

VPN IPsec Interface Phase 1

VPN IPsec Interface Phase 2

Monitor

Log Traffic

Invoke API

VDOM

Proxy

Connecting with API Token

MultiConnection

Disconnecting

Deploy-VM

Issue

Unable to connect (certificate)

Unable to connect

How to contribute

Contact

List of available command

Author

Contributors

Special Thanks

License

powerfgt's People

Contributors

Stargazers

Watchers

Forkers

powerfgt's Issues

Recommend Projects

Recommend Topics

Recommend Org