Add Add/Set/Remove cmdlet for Firewall VIP/VIPGRP/AddressGroup

[poundy]

One of the most common things that I have to do that I'd love to script is to add a new IP address, then add that as a member to an addressgroup. When do you think we might see SET-* and ADD-* capabilities ?

As a side question, I'm still digging in to the capabilities, but wondered is there an easy way to pipeline entries from the member list of an address group to get the address values? Here's a hypothetical example of what I'm talking about:

(Get-FGTFirewallAddressgroup -connection $FG -vdom root | where name -like "MySpecialGroup").member | Get-FGTFirewallAddress

[poundy]

for the second question, it's possible to do the following but requires breaking out the input names with a foreach - many PS modules will handle this internally (I'd prefer SET- than this though :) )

(Get-FGTFirewallAddressgroup -connection $FG -vdom root | where name -like "MySpecialGroup").member.name|%{ Get-FGTFirewallAddress -vdom root -connection $FG -name $_}

[alagoutte]

Hi @poundy

Welcome on PowerFGT !

I'm busy by some other module actually...

For first question, there is already Add-FGTAddress cmdlet for add address and i will be not not too complicated to add member on addressgroup, do you need some other stuff ?

for second question, it is planned to have a better filtering stuff (using direclty API)
it will "fix your where name -like "MySpecialGroup"
There is some other stuff ?

[poundy]

The whole Quartet please :)
VIP
VIPGRP
ADDRESS
ADDRESSGRP

I'm often in "append" mode - so much so that I wrote a PowerShell text substitution script to create my standard named members, append them to a group, and add a policy. Oh yeah, I need the whole Quintuple, policies too please :)

here's example of one of the "shell" substitution tables I use

config firewall address
    edit "H_%vmIPAddress%"
        set associated-interface port1
        set subnet %vmIPAddress% 255.255.255.255
        set comment "%ClientCode% Svr"
    next
    edit "S_%ClientCode%_%ClientSite%"
        set associated-interface wan1
        set subnet %clientSiteIPAddress% 255.255.255.255
        set comment "%ClientCode% %ClientSite% Office"
    next
end
config firewall addrgrp
    edit "EIP_%ClientCode%_Sites"
        append member "S_%ClientCode%_%ClientSite%"
        set comment "%ClientCode% Sites"
    next
    edit "%ClientCode%_Servers"
        append member "H_%vmIPAddress%"
        set comment "%ClientCode% Servers"
    next
    edit _IP_Hosts
        append member "%ClientCode%_Servers"
    next

end

config firewall policy
    edit %PolicyNum%
        set name "%ClientCode%_Printing"
        set srcintf port1
        set dstintf wan1
        set srcaddr "%ClientCode%_Servers"
        set dstaddr "EIP_%ClientCode%_Sites"
        set action accept
        set schedule always
        set service "Port_Printing-9100-9130" "Port_Printing-11160-11190"
        set nat enable
        set ippool enable
        set poolname "Outbound NAT default"
        set fsso disable
        set comment "%ClientCode% printing to Client Sites"
    next
end

[poundy]

What I have done with this above powershell is what I'd prefer to directly do via PowerFGT if possible - take minimal input and then add all the components together. That's what I see that any programmatic driven access to the device should strive to do - make it simple to do the simple and repeatable tasks that you need to do frequently so you get a return on improving the process. Infrequently performed tasks are in my view less important to me to expose programmatically, because I am likely to have developed a detailed implementation plan around that and not going to worry about a few CLI commands versus a single powershell command instead. But the big things, I want to cut out manual errors and streamline the job and PS is the go to.

So in the above example I'd want to do an Add-FGTFirewallAddress followed by Get-FGTFirewallAddressGrp | {something to add-member}. Therein lies one of the complexities in multi-value elements like Member...

I'm no powershell architect, but a process like Get-FGTFirewallAddressGroup | Append-FGTMember $SavedNewAddress might work?

[alagoutte]

Hi poundy,

What I have done with this above powershell is what I'd prefer to directly do via PowerFGT if possible - take minimal input and then add all the components together. That's what I see that any programmatic driven access to the device should strive to do - make it simple to do the simple and repeatable tasks that you need to do frequently so you get a return on improving the process. Infrequently performed tasks are in my view less important to me to expose programmatically, because I am likely to have developed a detailed implementation plan around that and not going to worry about a few CLI commands versus a single powershell command instead. But the big things, I want to cut out manual errors and streamline the job and PS is the go to.

Yes it is my idea too but need time for make this...

So in the above example I'd want to do an Add-FGTFirewallAddress followed by Get-FGTFirewallAddressGrp | {something to add-member}. Therein lies one of the complexities in multi-value elements like Member...

Yes, it will be possible

I'm no powershell architect, but a process like Get-FGTFirewallAddressGroup | Append-FGTMember $SavedNewAddress might work?
there is no Append verb on PowerShell ;-) but it will be possible

and I'm not against a little help (i can explain how to make this with API

[poundy]

OK, sleeves rolled up... not sure how helpful I'll be, but I'll take a stab. I've looked at the code a bit, and think I'll look at VIPs first, to support ADD/SET. I however think i might need some hand holding in actually converting from a code change into something I can test/use, so any guidance there would be massively appreciated :) I have a server that is in use by others that has 0.3.0 currently installed, and ideally would be able to coexist on that (but understand that may not be possible). Then I'll start breaking into the code more and replicating the approach *-FGTFirewallAddress etc does.

[alagoutte]

i start to work on VIP and addrgrp, i will push a PR soon (next day)

[poundy]

Abort!
;-)
NP I will get back to figuring out a dev/test process that works for me :)

[alagoutte]

Hi @poundy,

I push a first PR with Add/Remove Virtual IP (#54), can you try ? if need you can send me a e-mail (my mail is on top of ps1 file)

[poundy]

I have seen your two PRs but haven't had a chance to deal with it yet or figure out how best for me to test things :) Other priorities right now :(

[alagoutte]

Hi @poundy

No problem, need more work (on filtering stuff) and i hope release a version for end of year...

For VIP, do you need to can configure port ?
I think the VIPGRP will be wait next release...

For add / Change / Remove policy, it will see (need some work for support all case and option..) but for basic policy, we can use Invoke-FGTRestMethod

[alagoutte]

I working to add (and remove) policy rule (#65) and it will be release a new release with VIP and AddressGroup Add/remove/Set support

I hope, it will be available for end of year

[alagoutte]

Hello, PowerFGT 0.4.0 is available !

here's example of one of the "shell" substitution tables I use

config firewall address
    edit "H_%vmIPAddress%"
        set associated-interface port1
        set subnet %vmIPAddress% 255.255.255.255
        set comment "%ClientCode% Svr"
    next
    edit "S_%ClientCode%_%ClientSite%"
        set associated-interface wan1
        set subnet %clientSiteIPAddress% 255.255.255.255
        set comment "%ClientCode% %ClientSite% Office"
    next
end

Look Add-FGTFirewallAddress (Already exist with 0.3.0 !)

config firewall addrgrp
edit "EIP_%ClientCode%Sites"
append member "S%ClientCode%_%ClientSite%"
set comment "%ClientCode% Sites"
next
edit "%ClientCode%Servers"
append member "H%vmIPAddress%"
set comment "%ClientCode% Servers"
next
edit _IP_Hosts
append member "%ClientCode%_Servers"
next

Look Add-FGTFirewallAddressGroup and Add-FGTFirewallAddressMember

end

config firewall policy
edit %PolicyNum%
set name "%ClientCode%_Printing"
set srcintf port1
set dstintf wan1
set srcaddr "%ClientCode%Servers"
set dstaddr "EIP%ClientCode%_Sites"
set action accept
set schedule always
set service "Port_Printing-9100-9130" "Port_Printing-11160-11190"
set nat enable
set ippool enable
set poolname "Outbound NAT default"
set fsso disable
set comment "%ClientCode% printing to Client Sites"
next
end

Look Add-FGTFirewallPolicy

[poundy]

Thanks for the update ! Sorry I didn't get a chance to assist in the testing - I was struggling to get time to do anything firewall in my day-job before the holidays, and now I'm on leave so there's even less time ;-)

Am still yet to find a good guide to set up a decent dev environment to allow editing of this project, but that's a separate issue to this :)

[alagoutte]

Hi @poundy

No problem ! Good holiday ! (it will also take day off too)

for dev env, it is "easy" fork this projet and git clone your repo after go on the PowerFGT folder and use import-module ./PowerFGT (you can use -force)
I will may be add a note on README about this