Merge pull request #54 from alagoutte/enhance-vip

VIP: Add Add/Remove FGTFirewallVIP

PowerFGT/Private/Validate.ps1

@@ -33,6 +33,39 @@ Function ValidateFGTAddress {
     }
 
 
+    $true
+
+}
+
+
+Function ValidateFGTVip {
+
+    Param (
+        [Parameter (Mandatory = $true)]
+        [object]$argument
+    )
+
+    #Check if it looks like an VIP element
+
+    if ( -not ( $argument | get-member -name name -Membertype Properties)) {
+        throw "Element specified does not contain an name property."
+    }
+    if ( -not ( $argument | get-member -name uuid -Membertype Properties)) {
+        throw "Element specified does not contain a uuid property."
+    }
+    if ( -not ( $argument | get-member -name type -Membertype Properties)) {
+        throw "Element specified does not contain an type property."
+    }
+    if ( -not ( $argument | get-member -name extintf -Membertype Properties)) {
+        throw "Element specified does not contain an extintf property."
+    }
+    if ( -not ( $argument | get-member -name extip -Membertype Properties)) {
+        throw "Element specified does not contain an extip property."
+    }
+    if ( -not ( $argument | get-member -name mappedip -Membertype Properties)) {
+        throw "Element specified does not contain an mappedip property."
+    }
+
     $true
 
 }

PowerFGT/Public/cmdb/firewall/vip.ps1

@@ -4,6 +4,97 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+function Add-FGTFirewallVip {
+
+    <#
+        .SYNOPSIS
+        Add a FortiGate Virtual IP
+
+        .DESCRIPTION
+        Add a FortiGate Virtual IP (VIP) (One to One)
+
+        .EXAMPLE
+        Add-FGTFirewallVip -name myVIP1 -type static-nat -extip 192.2.0.1 -mappedip 198.51.100.1
+
+        Add VIP objet type static-nat (One to One ) with name myVIP1 with external IP 192.2.0.1 and mapped IP 198.51.100.1
+
+        .EXAMPLE
+        Add-FGTFirewallVip -name myVIP2 -type static-nat -extip 192.2.0.2 -mappedip 198.51.100.2 -interface port1 -comment "My FGT VIP"
+
+        Add VIP objet type static-nat (One to One ) with name myVIP1 with external IP 192.2.0.1, mapped IP 198.51.100.1, associated to interface port2 and a comment
+
+    #>
+
+    Param(
+        [Parameter (Mandatory = $true)]
+        [ValidateSet("static-nat")]
+        [string]$type,
+        [Parameter (Mandatory = $true)]
+        [string]$name,
+        [Parameter (Mandatory = $true)]
+        [ipaddress]$extip,
+        [Parameter (Mandatory = $true)]
+        [ipaddress]$mappedip,
+        [Parameter (Mandatory = $false)]
+        [string]$interface = "any",
+        [Parameter (Mandatory = $false)]
+        [ValidateLength(0, 255)]
+        [string]$comment,
+        [Parameter (Mandatory = $false)]
+        [switch]$skip,
+        [Parameter(Mandatory = $false)]
+        [String[]]$vdom,
+        [Parameter(Mandatory = $false)]
+        [psobject]$connection = $DefaultFGTConnection
+    )
+
+    Begin {
+    }
+
+    Process {
+
+        $invokeParams = @{ }
+        if ( $PsBoundParameters.ContainsKey('skip') ) {
+            $invokeParams.add( 'skip', $skip )
+        }
+        if ( $PsBoundParameters.ContainsKey('vdom') ) {
+            $invokeParams.add( 'vdom', $vdom )
+        }
+
+        if ( Get-FGTFirewallVip -connection $connection @invokeParams -name $name ) {
+            Throw "Already a VIP object using the same name"
+        }
+
+        $uri = "api/v2/cmdb/firewall/vip"
+
+        $vip = new-Object -TypeName PSObject
+
+        $vip | add-member -name "name" -membertype NoteProperty -Value $name
+
+        $vip | add-member -name "type" -membertype NoteProperty -Value $type
+
+        $vip | add-member -name "extip" -membertype NoteProperty -Value $extip.ToString()
+
+        $range = New-Object -TypeName PSObject
+
+        $range | Add-member -name "range" -membertype NoteProperty -value $mappedip.ToString()
+        $vip | add-member -name "mappedip" -membertype NoteProperty -Value @($range)
+
+        #TODO check if the interface (zone ?) is valid
+        $vip | add-member -name "extintf" -membertype NoteProperty -Value $interface
+
+        if ( $PsBoundParameters.ContainsKey('comment') ) {
+            $vip | add-member -name "comment" -membertype NoteProperty -Value $comment
+        }
+
+        Invoke-FGTRestMethod -method "POST" -body $vip -uri $uri -connection $connection @invokeParams | out-Null
+
+        Get-FGTFirewallVip -connection $connection @invokeParams -name $name
+    }
+
+    End {
+    }
+}
 function Get-FGTFirewallVip {
 
     <#
@@ -18,6 +109,16 @@ function Get-FGTFirewallVip {
 
         Get list of all nat vip object
 
+        .EXAMPLE
+        Get-FGTFirewallVip -name myFGTVip
+
+        Get VIP named myFGTVip
+
+        .EXAMPLE
+        Get-FGTFirewallVip -match FGT
+
+        Get VIP match with *FGT*
+
         .EXAMPLE
         Get-FGTFirewallVip -skip
 
@@ -29,7 +130,12 @@ function Get-FGTFirewallVip {
         Get list of all nat vip object on vdomX
     #>
 
+    [CmdletBinding(DefaultParameterSetName = "default")]
     Param(
+        [Parameter (Mandatory = $false, Position = 1, ParameterSetName = "name")]
+        [string]$name,
+        [Parameter (Mandatory = $false, ParameterSetName = "match")]
+        [string]$match,
         [Parameter(Mandatory = $false)]
         [switch]$skip,
         [Parameter(Mandatory = $false)]
@@ -52,7 +158,81 @@ function Get-FGTFirewallVip {
         }
 
         $response = Invoke-FGTRestMethod -uri 'api/v2/cmdb/firewall/vip' -method 'GET' -connection $connection @invokeParams
-        $response.results
+
+        switch ( $PSCmdlet.ParameterSetName ) {
+            "name" { $response.results | where-object { $_.name -eq $name } }
+            "match" { $response.results | where-object { $_.name -match $match } }
+            default { $response.results }
+        }
+
+    }
+
+    End {
+    }
+}
+
+function Remove-FGTFirewallVip {
+
+    <#
+        .SYNOPSIS
+        Remove a FortiGate Virtual IP
+
+        .DESCRIPTION
+        Remove a Virtual (VIP) object on the FortiGate
+
+        .EXAMPLE
+        $MyFGTVIP = Get-FGTFirewallVip -name MyFGTVIP
+        PS C:\>$MyFGTVIP | Remove-FGTFirewallVip
+
+        Remove VIP object $MyFGTVIP
+
+        .EXAMPLE
+        $MyFGTVIP = Get-FGTFirewallVip -name MyFGTVIP
+        PS C:\>$MyFGTVIP | Remove-FGTFirewallVip -noconfirm
+
+        Remove VIP object MyFGTVIP with no confirmation
+
+    #>
+
+    Param(
+        [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)]
+        [ValidateScript( { ValidateFGTVip $_ })]
+        [psobject]$vip,
+        [Parameter(Mandatory = $false)]
+        [switch]$noconfirm,
+        [Parameter(Mandatory = $false)]
+        [String[]]$vdom,
+        [Parameter(Mandatory = $false)]
+        [psobject]$connection=$DefaultFGTConnection
+    )
+
+    Begin {
+    }
+
+    Process {
+
+        $invokeParams = @{ }
+        if ( $PsBoundParameters.ContainsKey('vdom') ) {
+            $invokeParams.add( 'vdom', $vdom )
+        }
+
+        $uri = "api/v2/cmdb/firewall/vip/$($vip.name)"
+
+        if ( -not ( $Noconfirm )) {
+            $message = "Remove VIP on Fortigate"
+            $question = "Proceed with removal of VIP $($vip.name) ?"
+            $choices = New-Object Collections.ObjectModel.Collection[Management.Automation.Host.ChoiceDescription]
+            $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Yes'))
+            $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&No'))
+
+            $decision = $Host.UI.PromptForChoice($message, $question, $choices, 1)
+        }
+        else { $decision = 0 }
+        if ($decision -eq 0) {
+            Write-Progress -activity "Remove VIP"
+            $null = Invoke-FGTRestMethod -method "DELETE" -uri $uri -connection $connection @invokeParams
+            Write-Progress -activity "Remove VIP" -completed
+        }
     }
 
     End {

README.md

@@ -20,7 +20,7 @@ With this module (version 0.3.0) you can manage:
 - Static Route (Get)
 - System Global (Get)
 - VDOM (Get)
-- Virtual IP (Get)
+- Virtual IP (Get/Add/Remove object type static-nat)
 - Virtual WAN Link/SD-WAN (Get)
 - VPN IPsec Phase 1/Phase 2 Interface (Get)
 - Zone (Get)
@@ -401,6 +401,7 @@ You can use also `Connect-FGT -httpOnly` for connect using HTTP (NOT RECOMMENDED
 # List of available command
 ```powershell
 Add-FGTFirewallAddress
+Add-FGTFirewallVip
 Connect-FGT
 Copy-FGTFirewallAddress
 Disconnect-FGT
@@ -425,11 +426,13 @@ Get-FGTVpnIpsecPhase1Interface
 Get-FGTVpnIpsecPhase2Interface
 Invoke-FGTRestMethod
 Remove-FGTFirewallAddress
+Remove-FGTFirewallVip
 Set-FGTCipherSSL
 Set-FGTFirewallAddress
 Set-FGTUntrustedSSL
 Show-FGTException
 ValidateFGTAddress
+ValidateFGTVip
 ```
 
 # Author