FortiPower · alagoutte · Dec 23, 2019 · Dec 21, 2019 · Dec 21, 2019 · Dec 21, 2019
diff --git a/PowerFGT/Private/Confirm.ps1 b/PowerFGT/Private/Confirm.ps1
@@ -69,6 +69,47 @@ Function Confirm-FGTAddressGroup {
 
 }
 
+Function Confirm-FGTFirewallPolicy {
+
+    Param (
+        [Parameter (Mandatory = $true)]
+        [object]$argument
+    )
+
+    #Check if it looks like an Firewall Policy element
+
+    if ( -not ( $argument | get-member -name policyid -Membertype Properties)) {
+        throw "Element specified does not contain an policyid property."
+    }
+    if ( -not ( $argument | get-member -name name -Membertype Properties)) {
+        throw "Element specified does not contain an name property."
+    }
+    if ( -not ( $argument | get-member -name uuid -Membertype Properties)) {
+        throw "Element specified does not contain a uuid property."
+    }
+    if ( -not ( $argument | get-member -name srcintf -Membertype Properties)) {
+        throw "Element specified does not contain an srcintf property."
+    }
+    if ( -not ( $argument | get-member -name dstaddr -Membertype Properties)) {
+        throw "Element specified does not contain an dstaddr property."
+    }
+    if ( -not ( $argument | get-member -name srcaddr -Membertype Properties)) {
+        throw "Element specified does not contain an srcaddr property."
+    }
+    if ( -not ( $argument | get-member -name dstaddr -Membertype Properties)) {
+        throw "Element specified does not contain an dstaddr property."
+    }
+    if ( -not ( $argument | get-member -name action -Membertype Properties)) {
+        throw "Element specified does not contain an action property."
+    }
+    if ( -not ( $argument | get-member -name status -Membertype Properties)) {
+        throw "Element specified does not contain an status property."
+    }
+
+    $true
+
+}
+
 Function Confirm-FGTVip {
 
     Param (

diff --git a/PowerFGT/Public/cmdb/firewall/policy.ps1 b/PowerFGT/Public/cmdb/firewall/policy.ps1
@@ -5,6 +5,217 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
+function Add-FGTFirewallPolicy {
+
+    <#
+        .SYNOPSIS
+        Add a FortiGate Policy
+
+        .DESCRIPTION
+        Add a FortiGate Policy/Rules (source port/ip, destination port, ip, action, status...)
+
+        .EXAMPLE
+        Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all
+
+        Add a MyFGTPolicy with source port port1 and destination port1 and source and destination all
+
+        .EXAMPLE
+        Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all -nat
+
+        Add a MyFGTPolicy with NAT is enable
+
+        .EXAMPLE
+        Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all -action "deny"
+
+        Add a MyFGTPolicy with action is Deny
+
+        .EXAMPLE
+        Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all -status:$false
+
+        Add a MyFGTPolicy with status is disable
+
+        .EXAMPLE
+        Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all -service "HTTP, HTTPS, SSH"
+
+        Add a MyFGTPolicy with multiple service port
+
+        .EXAMPLE
+        Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all -schedule workhour
+
+        Add a MyFGTPolicy with schedule is workhour
+
+        .EXAMPLE
+        Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all -comments "My FGT Policy"
+
+        Add a MyFGTPolicy with comment "My FGT Policy"
+
+        .EXAMPLE
+        Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all -logtraffic "all"
+
+        Add a MyFGTPolicy with log traffic all
+
+        .EXAMPLE
+        Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all -nat -ippool "MyIPPool"
+
+        Add a MyFGTPolicy with IP Pool MyIPPool (with nat)
+    #>
+
+
+    Param(
+        [Parameter (Mandatory = $true)]
+        [string]$name,
+        [Parameter (Mandatory = $true)]
+        [string[]]$srcintf,
+        [Parameter (Mandatory = $true)]
+        [string[]]$dstintf,
+        [Parameter (Mandatory = $true)]
+        [string[]]$srcaddr,
+        [Parameter (Mandatory = $true)]
+        [string[]]$dstaddr,
+        [Parameter (Mandatory = $false)]
+        [ValidateSet("accept", "deny", "learn")]
+        [string]$action = "accept",
+        [Parameter (Mandatory = $false)]
+        [switch]$status = $true,
+        [Parameter (Mandatory = $false)]
+        [string]$schedule = "always",
+        [Parameter (Mandatory = $false)]
+        [string[]]$service = "ALL",
+        [Parameter (Mandatory = $false)]
+        [switch]$nat = $false,
+        [Parameter (Mandatory = $false)]
+        [ValidateLength(0, 255)]
+        [string]$comments,
+        [Parameter (Mandatory = $false)]
+        [ValidateSet("disable", "utm", "all")]
+        [string]$logtraffic,
+        [Parameter (Mandatory = $false)]
+        [string[]]$ippool,
+        [Parameter (Mandatory = $false)]
+        [switch]$skip,
+        [Parameter(Mandatory = $false)]
+        [String[]]$vdom,
+        [Parameter(Mandatory = $false)]
+        [psobject]$connection = $DefaultFGTConnection
+    )
+
+    Begin {
+    }
+
+    Process {
+
+        $invokeParams = @{ }
+        if ( $PsBoundParameters.ContainsKey('skip') ) {
+            $invokeParams.add( 'skip', $skip )
+        }
+        if ( $PsBoundParameters.ContainsKey('vdom') ) {
+            $invokeParams.add( 'vdom', $vdom )
+        }
+
+        if ( Get-FGTFirewallPolicy -connection $connection @invokeParams -name $name ) {
+            Throw "Already a Policy using the same name"
+        }
+
+        $uri = "api/v2/cmdb/firewall/policy"
+
+        # Source interface
+        $srcintf_array = @()
+        #TODO check if the interface (zone ?) is valid
+        foreach ($intf in $srcintf) {
+            $srcintf_array += @{ 'name' = $intf }
+        }
+
+        # Destination interface
+        $dstintf_array = @()
+        #TODO check if the interface (zone ?) is valid
+        foreach ($intf in $dstintf) {
+            $dstintf_array += @{ 'name' = $intf }
+        }
+
+        # Source address
+        $srcaddr_array = @()
+        #TODO check if the address (group, vip...) is valid
+        foreach ($addr in $srcaddr) {
+            $srcaddr_array += @{ 'name' = $addr }
+        }
+
+        # Destination address
+        $dstaddr_array = @()
+        #TODO check if the address (group, vip...) is valid
+        foreach ($addr in $dstaddr) {
+            $dstaddr_array += @{ 'name' = $addr }
+        }
+
+        # Service
+        $service_array = @()
+        #TODO check if the service (group...) is valid
+        foreach ($s in $service) {
+            $service_array += @{ 'name' = $s }
+        }
+
+        $policy = new-Object -TypeName PSObject
+
+        $policy | add-member -name "name" -membertype NoteProperty -Value $name
+
+        $policy | add-member -name "srcintf" -membertype NoteProperty -Value $srcintf_array
+
+        $policy | add-member -name "dstintf" -membertype NoteProperty -Value $dstintf_array
+
+        $policy | add-member -name "srcaddr" -membertype NoteProperty -Value $srcaddr_array
+
+        $policy | add-member -name "dstaddr" -membertype NoteProperty -Value $dstaddr_array
+
+        $policy | add-member -name "action" -membertype NoteProperty -Value $action
+
+        if ($status) {
+            $policy | add-member -name "status" -membertype NoteProperty -Value "enable"
+        }
+        else {
+            $policy | add-member -name "status" -membertype NoteProperty -Value "disable"
+        }
+
+        $policy | add-member -name "schedule" -membertype NoteProperty -Value $schedule
+
+        $policy | add-member -name "service" -membertype NoteProperty -Value $service_array
+
+        if ($nat) {
+            $policy | add-member -name "nat" -membertype NoteProperty -Value "enable"
+        }
+        else {
+
+            $policy | add-member -name "nat" -membertype NoteProperty -Value "disable"
+        }
+
+        if ( $PsBoundParameters.ContainsKey('comments') ) {
+            $policy | add-member -name "comments" -membertype NoteProperty -Value $comments
+        }
+
+        if ( $PsBoundParameters.ContainsKey('logtraffic') ) {
+            $policy | add-member -name "logtraffic" -membertype NoteProperty -Value $logtraffic
+        }
+
+        if ( $PsBoundParameters.ContainsKey('ippool') ) {
+            if (-not $nat) {
+                throw "You need to enable NAT (-nat)"
+            }
+            $ippool_array = @()
+            #TODO check if the IP Pool is valid
+            foreach ($i in $ippool) {
+                $ippool_array += @{ 'name' = $i }
+            }
+            $policy | add-member -name "ippool" -membertype NoteProperty -Value "enable"
+            $policy | add-member -name "poolname" -membertype NoteProperty -Value $ippool_array
+        }
+
+        Invoke-FGTRestMethod -method "POST" -body $policy -uri $uri -connection $connection @invokeParams | out-Null
+
+        Get-FGTFirewallPolicy -name $name -connection $connection @invokeParams
+
+    }
+
+    End {
+    }
+}
 function Get-FGTFirewallPolicy {
 
     <#
@@ -120,6 +331,74 @@ function Get-FGTFirewallPolicy {
         $reponse.results
     }
 
+    End {
+    }
+}
+
+function Remove-FGTFirewallPolicy {
+
+    <#
+        .SYNOPSIS
+        Remove a FortiGate Policy
+
+        .DESCRIPTION
+        Remove a Policy/Rule object on the FortiGate
+
+        .EXAMPLE
+        $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+        PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicy
+
+        Remove Policy object $MyFGTPolicy
+
+        .EXAMPLE
+        $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+        PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicy -noconfirm
+
+        Remove Policy object MyFGTPolicy with no confirmation
+
+    #>
+
+    Param(
+        [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)]
+        [ValidateScript( { Confirm-FGTFirewallPolicy $_ })]
+        [psobject]$policy,
+        [Parameter(Mandatory = $false)]
+        [switch]$noconfirm,
+        [Parameter(Mandatory = $false)]
+        [String[]]$vdom,
+        [Parameter(Mandatory = $false)]
+        [psobject]$connection = $DefaultFGTConnection
+    )
+
+    Begin {
+    }
+
+    Process {
+
+        $invokeParams = @{ }
+        if ( $PsBoundParameters.ContainsKey('vdom') ) {
+            $invokeParams.add( 'vdom', $vdom )
+        }
+
+        $uri = "api/v2/cmdb/firewall/policy/$($policy.policyid)"
+
+        if ( -not ( $Noconfirm )) {
+            $message = "Remove Policy on Fortigate"
+            $question = "Proceed with removal of Policy $($policy.name) ?"
+            $choices = New-Object Collections.ObjectModel.Collection[Management.Automation.Host.ChoiceDescription]
+            $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Yes'))
+            $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&No'))
+
+            $decision = $Host.UI.PromptForChoice($message, $question, $choices, 1)
+        }
+        else { $decision = 0 }
+        if ($decision -eq 0) {
+            Write-Progress -activity "Remove Policy"
+            $null = Invoke-FGTRestMethod -method "DELETE" -uri $uri -connection $connection @invokeParams
+            Write-Progress -activity "Remove Policy" -completed
+        }
+    }
+
     End {
     }
 }