This is a Powershell module for configure a FortiManager (Fortinet) Manager.
With this module (version 0.1.0) you can manage:
- Address (Add/Get/Copy/Set/Remove object type ipmask/subnet, FQDN, iprange)
There is some extra feature
More functionality will be added later.
Tested with FortiManager (using 6.x and 7.x)
All resource management functions are available with the Powershell verbs GET, ADD, COPY, SET, REMOVE.
For example, you can manage Address with the following commands:
Get-FMGFirewallAddressAdd-FMGFirewallAddressCopy-FMGFirewallAddressSet-FMGFirewallAddressRemove-FMGFirewallAddress
- Powershell 5 or 6.x/7.x (Core) (If possible get the latest version)
- A Fortinet FortiManager Manager and HTTPS enable with JSON API enable for the user
# Automated installation (Powershell 5 or later):
Install-Module PowerFMG
# Import the module
Import-Module PowerFMG
# Get commands in the module
Get-Command -Module PowerFMG
# Get help
Get-Help Get-FMGFirewallAddress -FullThe first thing to do is to create an user with API (JSON) Access
Go on WebGUI of your FortiManager, on System Settings
Go Administrators
Click on Create New
and create a new user and don't forget to enable JSON API Access to Read-Write
After connect to a FortiManager with the command Connect-FMG :
# Connect to the FortiManager
Connect-FMG 192.0.2.1
#we get a prompt for credentialif you get a warning about Unable to connect Look Issue
You can create a new Address Add-FMGFirewallAddress, retrieve its information Get-FMGFirewallAddress,
modify its properties Set-FMGFirewallAddress, copy/clone its properties Copy-FMGFirewallAddress
or delete it Remove-FMGFirewallAddress.
# Get information about ALL address (using Format Table)
Get-FMGFirewallAddress | Format-Table
dynamic_mapping list tagging name subnet type associated-interface comment
--------------- ---- ------- ---- ------ ---- -------------------- -------
FABRIC_DEVICE {0.0.0.0, 0.0.0.0} ipmask {any} IPv4 addresses of Fabric Devices.
FCTEMS_ALL_FORTICLOUD_SERVERS dynamic {any}
FIREWALL_AUTH_PORTAL_ADDRESS {0.0.0.0, 0.0.0.0} ipmask {any}
SSLVPN_TUNNEL_ADDR1 iprange {sslvpn_tun_intf}
all {0.0.0.0, 0.0.0.0} ipmask {any}
gmail.com fqdn {any}
login.microsoft.com fqdn {any}
login.microsoftonline.com fqdn {any}
login.windows.net fqdn {any}
metadata-server {169.254.169.254, 255.255.255.255} ipmask {any}
none {0.0.0.0, 255.255.255.255} ipmask {any}
wildcard.dropbox.com fqdn {any}
wildcard.google.com fqdn {any}
# Create an address (type ipmask)
Add-FMGFirewallAddress -Name 'My PowerFMG Network' -ip 192.0.2.1 -mask 255.255.255.0
dynamic_mapping :
list :
tagging :
name : My PowerFMG Network
subnet : {192.0.2.1, 255.255.255.0}
type : ipmask
associated-interface : {any}
color : 0
uuid : 1ce5dcd4-e4ac-51eb-114b-e1fc752f3cf3
allow-routing : disable
sdn-addr-type : private
clearpass-spt : unknown
obj-type : ip
node-ip-only : disable
fabric-object : disable
macaddr : {}
# Get information an address (name) and display only some field (using Format-Table)
Get-FMGFirewallAddress -name "My PowerFMG Network" | Select name, subnet, type, uuid
name subnet type uuid
---- ------ ---- ----
My PowerFMG Network {192.0.2.1, 255.255.255.0} ipmask 1ce5dcd4-e4ac-51eb-114b-e1fc752f3cf3
# Modify an address (name, comment, interface...)
Get-FMGFirewallAddress -name "My PowerFMG Network" | Set-FMGFirewallAddress -name "MyNetwork" -comment "My comment" -interface port2
dynamic_mapping :
list :
tagging :
name : MyNetwork
subnet : {192.0.2.0, 255.255.255.0}
type : ipmask
associated-interface : {port2}
comment : My comment
color : 0
uuid : 4d42661a-e4af-51eb-3720-bb2231d019c0
allow-routing : disable
sdn-addr-type : private
clearpass-spt : unknown
obj-type : ip
node-ip-only : disable
fabric-object : disable
macaddr : {}
# Copy/Clone an address
Get-FMGFirewallAddress -name "MyNetwork" | Copy-FMGFirewallAddress -name "My New Network"
dynamic_mapping :
list :
tagging :
name : My New Network
subnet : {192.0.2.0, 255.255.255.0}
type : ipmask
associated-interface : {port2}
comment : My comment
color : 0
uuid : 5f312104-e4af-51eb-de22-614ece107f71
allow-routing : disable
sdn-addr-type : private
clearpass-spt : unknown
obj-type : ip
node-ip-only : disable
fabric-object : disable
macaddr : {}
# Remove an address
Get-FMGFirewallAddress -name "MyNetwork" | Remove-FMGFirewallAddress
Confirm
Are you sure you want to perform this action?
Performing the operation "Remove Firewall Address" on target "MyNetwork".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):Y
#You can also create other address type like fqdn or iprange
# Create an address (type fqdn)
Add-FMGFirewallAddress -Name FortiPower -fqdn fortipower.github.io
dynamic_mapping :
list :
tagging :
name : FortiPower
type : fqdn
fqdn : fortipower.github.io
associated-interface : {any}
cache-ttl : 0
color : 0
uuid : 8398e176-e4af-51eb-96ee-c11eb689e077
allow-routing : disable
sdn-addr-type : private
clearpass-spt : unknown
obj-type : ip
node-ip-only : disable
fabric-object : disable
macaddr : {}
# Create an address (type iprange)
Add-FMGFirewallAddress -Name MyRange -startip 192.0.2.1 -endip 192.0.2.100
dynamic_mapping :
list :
tagging :
name : MyRange
type : iprange
start-ip : 192.0.2.1
end-ip : 192.0.2.100
associated-interface : {any}
color : 0
uuid : 8f11fbc8-e4af-51eb-7ed4-b6f54e534624
sdn-addr-type : private
clearpass-spt : unknown
obj-type : ip
node-ip-only : disable
fabric-object : disable
macaddr : {}
For Invoke-FMGRestMethod, it is possible to use -filter parameter
You need to use FortiManager API syntax :
"filter": [ <source>, <operator>, <target1>, <target2>, ... ]
For example to get Firewall Address name equal to My Network, you need to use the following filter array
Invoke-FMGRestMethod -uri firewall/address -type pm -filter @("name", "==", "My Network")
[...]and Filter Operators :
| Operator | Description |
|---|---|
| == | Equal to |
| != | Not equal to |
| < | Less than |
| <= | Less than or equal to |
| > | Greater than |
| >= | Greater than or equal to |
| & | Bitwise AND, target can be integer value only, test if (source & target) = 0 |
| & | Bitwise AND, target can be integer value only, test if (source & target1) = target2 |
| in | Test if source is one of the values in target |
| contain | If source have a list of values, test if it contains target |
| like | SQL pattern matching, where target is a string using % (any character) and _ (single character) wildcard |
| !like | Not like, inverse of "like" operation |
| glob | Case-sensitive pattern matching with target string using UNIX wildcards |
| !glob | Not glob, inverse of "glob" operation |
| && | Logical AND operator for nested filter with multiple criteria, where source and target must be another filter |
| || | Logical OR operator for nested filter with multiple criteria, where source and target must be another filter |
For Invoke-FMGRestMethod and Get-XXX cmdlet like Get-FMGFirewallAddress, it is possible to using some helper filter (-filter_attribute, -filter_type, -filter_value)
# Get Firewall Address named myFMG
Get-FMGFirewallAddress -name myFMG
...
# Get Firewall Address where (like) %myFMG%
Get-FMGFirewallAddress -name myFMG -filter_type like
...
# Get Firewall Address where subnet equal 192.0.2.0 255.255.255.0
Get-FMGFirewallAddress -filter_attribute subnet -filter_type equal -filter_value 192.0.2.0 255.255.255.0
...
Actually, support only equal, contains and like filter type
for example to get FortiManager System Status Info
# get FortiManager System Status using API
Invoke-FMGRestMethod -method "get" sys/status
Admin Domain Configuration : Enabled
BIOS version : 04000002
Branch Point : 0047
Build : 0047
Current Time : Wed Jul 14 16:34:50 CEST 2021
Daylight Time Saving : Yes
FIPS Mode : Disabled
HA Mode : Stand Alone
Hostname : PowerFMG
License Status : Valid
Major : 7
Max Number of Admin Domains : 3
Max Number of Device Groups : 3
Minor : 0
Offline Mode : Disabled
Patch : 0
Platform Full Name : FortiManager-VM64
Platform Type : FMG-VM64
Release Version Information : (GA)
Serial Number : FMG-VMTM21000000
TZ : Europe/Brussels
Time Zone : (GMT+1:00) Brussels, Copenhagen, Madrid, Paris.
Version : v7.0.0-build0047 210422 (GA)
x86-64 Applications : Yes
[...]You can look FortiManager - JSON API (Full Reference) available on Fortinet Developer Network (FNDN)
You don't need to specify the ADOM when you query Configuration Database (pm), you can use type parameter to automally set the adom
For example to query the firewall address of pester adom (configured when connect)
Invoke-FMGRestMethod -type pm "firewall/address" -Verbose
VERBOSE: {
"id": 1,
"method": "get",
"session": "bxQu/WY9cgBFgtZcBMiUNaQydn2IBrPwSzc+e75d8JOmmjy9V9Dd/p6RuTCo2WaEA+ibRIxARrHcthInXGvQ9w==",
"params": [
{
"url": "pm/config/adom/pester/obj/firewall/address"
}
],
"verbose": 1
}
[...]it is possible set ADOM when connect to FortiManager (by default it is on root adom)
For connect on the pester vdom
Connect-FMG 192.0.2.1 -adom pester
[...]it is possible to connect on same times to multi FortiManager (or same Manager with different adom) You need to use -connection parameter to cmdlet
For example to get Firewall Address of 2 FortiManager
# Connect to first FortiManager
$fmg1 = Connect-FMG 192.0.2.1 -SkipCertificateCheck -DefaultConnection:$false
#DefaultConnection set to false is not mandatory but only don't set the connection info on global variable
# Connect to second FortiManager
$fmg2 = Connect-FMG 192.0.2.2 -SkipCertificateCheck -DefaultConnection:$false
# Get Firewall Address for first FortiManager
Get-FMGFirewallAddress -connection $fmg1 | Format-Table
dynamic_mapping list tagging name subnet type associated-interface comment
--------------- ---- ------- ---- ------ ---- -------------------- -------
FortiPower fqdn {any}
My New Network {192.0.2.0, 255.255.255.0} ipmask {port2} My comment
MyRange iprange {any}
....
# Get Firewall Address for second FortiManager
Get-FMGFirewallAddress -connection $fmg2 | Format-Table
dynamic_mapping list tagging name subnet type associated-interface comment
--------------- ---- ------- ---- ------ ---- -------------------- -------
FABRIC_DEVICE {0.0.0.0, 0.0.0.0} ipmask {any} IPv4 addresses of Fabric Devices.
FCTEMS_ALL_FORTICLOUD_SERVERS dynamic {any}
FIREWALL_AUTH_PORTAL_ADDRESS {0.0.0.0, 0.0.0.0} ipmask {any}
SSLVPN_TUNNEL_ADDR1 iprange {sslvpn_tun_intf}
all {0.0.0.0, 0.0.0.0} ipmask {any}
...
#Each cmdlet can use -connection parameter
# Disconnect from the FortiManager
Disconnect-FMGif you use Connect-FMG and get Unable to Connect (certificate)
The issue coming from use Self-Signed or Expired Certificate for FortiManager
Try to connect using Connect-FMG -SkipCertificateCheck
Contribution and feature requests are more than welcome. Please use the following methods:
- For bugs and issues, please use the issues register with details of the problem.
- For Feature Requests, please use the issues register with details of what's required.
- For code contribution (bug fixes, or feature request), please request fork PowerFMG, create a feature/fix branch, add tests if needed then submit a pull request.
Currently, @alagoutte started this project and will keep maintaining it. Reach out to me via Twitter, Email (see top of file) or the issues Page here on GitHub. If you want to contribute, also get in touch with me.
Add-FMGFirewallAddress
Confirm-FMGAddress
Connect-FMG
Copy-FMGFirewallAddress
Disconnect-FMG
Get-FMGFirewallAddress
Invoke-FMGRestMethod
Remove-FMGFirewallAddress
Set-FMGCipherSSL
Set-FMGFirewallAddress
Set-FMGUntrustedSSL
Show-FMGExceptionAlexis La Goutte
- Warren F. for his blog post 'Building a Powershell module'
- Erwan Quelin for help about Powershell
Copyright 2021 Alexis La Goutte and the community.