Scripts to work with the Fortigate API
Switch branches/tags
Nothing to show
Clone or download
Latest commit eb9b599 Aug 24, 2018
Permalink
Failed to load latest commit information.
README.md added FW_move example Aug 24, 2018
api_prefix_list_not_working.py Example for Fortigate support Sep 7, 2017
fw_api_test.py updating library Jun 11, 2018

README.md

fw_api_test

Main library to interface with the Fortigate API It's best to use it with Fortigates running code 5.4 and later, as 5.2 lacks lots of API calls.

Consider taking a look at the Ansible modules that are based on this library, as they provide lots of additional functionality for managing the Fortigate Firewalls.

Usage:

Instantiate object
fw = fortigate_api('1.2.3.4:10443', un, pw)

Proxy servers are supported as well: Note that you will need to install socks5 for requests library: http://docs.python-requests.org/en/master/user/advanced/#socks

proxy={'https': 'socks5://127.0.0.1:9000'}
fw = fortigate_api('1.2.3.4:10443', un, pw, proxies=proxy)

You can enable HTTPS warnings if you are using real certs:

fw = fortigate_api('1.2.3.4:10443', un, pw, disable_warnings=False)

Show parameters of an object

For example, to print all the interfaces:

a = fw.show(['cmdb', 'system', 'interface'])
fw.print_data(a)

You can print only specific interface:

a = fw.show('cmdb/system/interface/port1') # note that you can provide either string or a list for API path
fw.print_data(a)

Sometimes it's hard to find the exact API path, so you can display the API schema (beware that it's very large)

fw.show(['cmdb', 'system', 'interface'], params={'action':'schema'}))

or for all the configurable objects (9M file), you can do

fw.show(['cmdb'], params={'action':'schema'}))

Edit parameters of an object

For example, edit route 1 and display OK if change successful:

a = fw.edit(['cmdb', 'router', 'static', '1'], data={"device": "FW_IP_outbound","dst": "0.0.0.0 0.0.0.0","gateway": "10.0.1.1","comment": "Default route for FW outbound"})
fw.print_data(a)

Remove object

For example, remove DHCP server 1

fw.remove(['cmdb', 'system.dhcp', 'server', '1'])

Create new object

For example, create new firewall rule:

policy = {"action": "accept",
            "dstaddr": [{"name": "all"}],
            "dstintf": [{"name": "Ext1"}],
            "name": "Allow_all_in",
            "nat": "disable",
            "policyid": 1,
            "schedule": "always",
            "service": [{"name": "ALL"}],
            "srcaddr": [{"name": "all"}],
            "srcintf": [{"name": "Ext2"}],
            "status": "disable"}
fw.create (['cmdb','firewall','policy'], data=policy)

Move policy around

By default, new policy is being placed at the end of the rules list. You can move it aroud as needed with the following code:

fw.edit(['cmdb', 'firewall', 'policy', '3'], params={"action": "move", "before": "1"})
fw.edit(['cmdb', 'firewall', 'policy', '3'], params={"action": "move", "after": "1"})

Note that you are referencing policies by their ID and not their position in the list. The first example above does not guarantee that the rule will be placed 1st in the rule list, as policy with ID 1 can be located anywhere in the list.

Working with VDOMs

By default, you are working with VDOM root, but you can specify any other VDOM with params={'vdom':'WAN'} For example, previous API call with VDOM would look like this:

fw.create (['cmdb','firewall','policy'], params={'vdom':'WAN'}, data=policy)

Known issues

  • Error checking is non-existent. For example, failed authentication would be raised as a JSON exception (as there would be nothing to decode from an API response, as there would be none)