PowerShell module to manage Fortinet (FortiGate) Firewall

jelmerj/PowerFGT

PowerFGT

This is a PowerShell module to configure a FortiGate (Fortinet) Firewall.

With this module (version 0.5.0) you can manage:

  • Address (Add/Get/Copy/Set/Remove object type ipmask/subnet, FQDN, iprange)
  • AddressGroup (Add/Get/Copy/Set/Remove and Add/Remove Member)
  • DNS (Get)
  • HA (Get)
  • Interface (Get)
  • IP Pool (Get)
  • Local User (Get)
  • Policy (Add/Get/Remove)
  • Proxy Address/Address Group/Policy (Add/Get/Set/Remove)
  • RoutePolicy (Get)
  • Service (Get)
  • Service Group (Get)
  • Static Route (Get)
  • System Global (Get)
  • System Settings (Get)
  • VDOM (Get)
  • Virtual IP (Add/Get/Remove object type static-nat)
  • Virtual IP Group (Add/Get/Copy/Set/Remove and Add/Remove Member)
  • Virtual WAN Link/SD-WAN (Get)
  • VPN IPsec Phase 1/Phase 2 Interface (Get)
  • Zone (Add/Get/Set/Remove and Add/Remove Member)

There are some extra features:

  • Connection can use HTTPS (default) or HTTP
  • Tested with FortiGate 5.6.x and 6.0.x firmware (it should also work with 5.4.x)
  • Add (Experimental) support of VDOM is available using the -vdom parameter for each cmdlet
  • Don't use support to connect using API Token from 5.6.x (and later)

More functionality will be added later.

Usage

All resource management functions are available with the PowerShell verbs Get, Add, Copy, Set, Remove.
For example, you can manage Address with the following commands:

  • Get-FGTFirewallAddress
  • Add-FGTFirewallAddress
  • Copy-FGTFirewallAddress
  • Set-FGTFirewallAddress
  • Remove-FGTFirewallAddress

Requirements

  • PowerShell 5 or 6 (Core) (if possible, get the latest version)
  • A Fortinet FortiGate Firewall with HTTPS enabled (recommended)

Instructions

Install the module

# Automated installation (Powershell 5 or later):
    Install-Module PowerFGT

# Import the module
    Import-Module PowerFGT

# Get commands in the module
    Get-Command -Module PowerFGT

# Get help
    Get-Help Get-FGTFirewallAddress -Full

Examples

Connecting to the FortiGate Firewall

The first thing to do is to connect to a FortiGate Firewall with the command Connect-FGT:

# Connect to the FortiGate Firewall
    Connect-FGT 192.0.2.1

# we get a prompt for credentials

If you get a warning about being unable to connect, look at the Issue.

Address

You can create a new Address Add-FGTFirewallAddress, retrieve its information Get-FGTFirewallAddress, modify its properties Set-FGTFirewallAddress, copy/clone its properties Copy-FGTFirewallAddress or delete it Remove-FGTFirewallAddress.

# Get information about ALL addresses (using Format-Table)
    Get-FGTFirewallAddress | Format-Table

    q_origin_key                 name                         uuid                                 subnet
    ------------                 ----                         ----                                 ------
    FIREWALL_AUTH_PORTAL_ADDRESS FIREWALL_AUTH_PORTAL_ADDRESS a940cdea-368c-51e9-2596-5ddfd54a087a 0.0.0.0 0.0.0.0
    SSLVPN_TUNNEL_ADDR1          SSLVPN_TUNNEL_ADDR1          a9416aca-368c-51e9-fe74-7dbb95fa64c9 10.212.134.200 10.212...
    all                          all                          a940cc32-368c-51e9-82f5-fa5337e9f45c 0.0.0.0 0.0.0.0
    autoupdate.opera.com         autoupdate.opera.com         a918c192-368c-51e9-ca8d-88cc94ed2d54 0.0.0.0 0.0.0.0
    google-play                  google-play                  a918cd22-368c-51e9-2f4f-2d914955741a 0.0.0.0 0.0.0.0
    swscan.apple.com             swscan.apple.com             a918d1dc-368c-51e9-08a7-c6004bf38fb9 0.0.0.0 0.0.0.0
    update.microsoft.com         update.microsoft.com         a918d650-368c-51e9-0cca-5f006a059f0b 0.0.0.0 0.0.0.0

# Create an address (type ipmask)
    Add-FGTFirewallAddress -Name 'My PowerFGT Network' -ip 192.0.2.1 -mask 255.255.255.0

    q_origin_key         : My PowerFGT Network
    name                 : My PowerFGT Network
    uuid                 : 9c65f75e-383e-51e9-a33a-caeffb7cfd33
    subnet               : 192.0.2.0 255.255.255.0
    type                 : ipmask
    start-ip             : 192.0.2.0
    end-ip               : 255.255.255.0
    fqdn                 :
    country              :
    wildcard-fqdn        :
    cache-ttl            : 0
    wildcard             : 192.0.2.0 255.255.255.0
    sdn                  :
    tenant               :
    organization         :
    epg-name             :
    subnet-name          :
    sdn-tag              :
    policy-group         :
    comment              :
    visibility           : enable
    associated-interface :
    color                : 0
    filter               :
    obj-id               :
    list                 : {}
    tagging              : {}
    allow-routing        : disable


# Get information about an address (by name) and display only some fields (using Format-Table)
    Get-FGTFirewallAddress -name "My PowerFGT Network" | Select name, subnet, type, start-ip, end-ip | Format-Table

    name                subnet                  type   start-ip  end-ip
    ----                ------                  ----   --------  ------
    My PowerFGT Network 192.0.2.0 255.255.255.0 ipmask 192.0.2.0 255.255.255.0

# Get information about some addresses (filter_type contains) and display only some fields (using Format-Table)
    Get-FGTFirewallAddress -name update -filter_type contains | Select name, type, fqdn | Format-Table

    name                 type fqdn
    ----                 ---- ----
    autoupdate.opera.com fqdn autoupdate.opera.com
    update.microsoft.com fqdn update.microsoft.com

# Modify an address (name, comment, interface...)
    Get-FGTFirewallAddress -name "My PowerFGT Network" | Set-FGTFirewallAddress -name "MyNetwork" -comment "My comment" -interface port2

    q_origin_key         : MyNetwork
    name                 : MyNetwork
    uuid                 : 9c65f75e-383e-51e9-a33a-caeffb7cfd33
    subnet               : 192.0.2.0 255.255.255.0
    type                 : ipmask
    start-ip             : 192.0.2.0
    end-ip               : 255.255.255.0
    fqdn                 :
    country              :
    wildcard-fqdn        :
    cache-ttl            : 0
    wildcard             : 192.0.2.0 255.255.255.0
    sdn                  :
    tenant               :
    organization         :
    epg-name             :
    subnet-name          :
    sdn-tag              :
    policy-group         :
    comment              : My comment
    visibility           : enable
    associated-interface : port2
    color                : 0
    filter               :
    obj-id               :
    list                 : {}
    tagging              : {}
    allow-routing        : disable

# Copy/Clone an address
    Get-FGTFirewallAddress -name "MyNetwork" | Copy-FGTFirewallAddress -name "My New Network"

    q_origin_key         : My New Network
    name                 : My New Network
    uuid                 : 0c8da508-3840-51e9-f525-0601066767cc
    subnet               : 192.0.2.0 255.255.255.0
    type                 : ipmask
    start-ip             : 192.0.2.0
    end-ip               : 255.255.255.0
    fqdn                 :
    country              :
    wildcard-fqdn        :
    cache-ttl            : 0
    wildcard             : 192.0.2.0 255.255.255.0
    sdn                  :
    tenant               :
    organization         :
    epg-name             :
    subnet-name          :
    sdn-tag              :
    policy-group         :
    comment              : My comment
    visibility           : enable
    associated-interface : port2
    color                : 0
    filter               :
    obj-id               :
    list                 : {}
    tagging              : {}
    allow-routing        : disable

# Remove an address
    Get-FGTFirewallAddress -name "MyNetwork" | Remove-FGTFirewallAddress

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Firewall Address" on target "MyNetwork".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):Y

# You can also create other address types like fqdn or iprange

# Create an address (type fqdn)
    Add-FGTFirewallAddress -Name FortiPower -fqdn fortipower.github.io

    name                 : FortiPower
    q_origin_key         : FortiPower
    uuid                 : 98af3292-3d6e-51eb-f488-f04057fbb871
    type                 : fqdn
    sub-type             : sdn
    clearpass-spt        : unknown
    start-mac            : 00:00:00:00:00:00
    end-mac              : 00:00:00:00:00:00
    fqdn                 : fortipower.github.io
    country              : 
    cache-ttl            : 0
    sdn                  : 
    fsso-group           : {}
    interface            : 
    comment              : 
    visibility           : enable
    associated-interface : 
    color                : 0
    filter               : 
    sdn-addr-type        : private
    obj-id               : 
    list                 : {}
    tagging              : {}
    allow-routing        : disable

# Create an address (type iprange)
    Add-FGTFirewallAddress -Name MyRange -startip 192.0.2.1 -endip 192.0.2.100

    name                 : MyRange
    q_origin_key         : MyRange
    uuid                 : a683a420-3d6e-51eb-5c90-f471f85943e8
    type                 : iprange
    sub-type             : sdn
    clearpass-spt        : unknown
    start-mac            : 00:00:00:00:00:00
    end-mac              : 00:00:00:00:00:00
    start-ip             : 192.0.2.1
    end-ip               : 192.0.2.100
    country              : 
    cache-ttl            : 0
    sdn                  : 
    fsso-group           : {}
    interface            : 
    comment              : 
    visibility           : enable
    associated-interface : 
    color                : 0
    filter               : 
    sdn-addr-type        : private
    obj-id               : 
    list                 : {}
    tagging              : {}
    allow-routing        : disable
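As an added example (not from the PowerFGT README), the address cmdlets above can be combined into an idempotent provisioning step: objects that already exist with the right subnet are left alone, drifted ones are corrected, and the group is reconciled rather than recreated. It assumes an open Connect-FGT session and that Set-FGTFirewallAddress accepts -ip and -mask like Add-FGTFirewallAddress does (an assumption; the README only shows -name, -comment and -interface on Set).

```powershell
# Added example, not part of the PowerFGT README. Assumes an open Connect-FGT session.
# Assumption: Set-FGTFirewallAddress accepts -ip and -mask like Add-FGTFirewallAddress.

# Constructed sample input: the address objects that must exist on the firewall.
$wanted = @(
    [pscustomobject]@{ Name = 'Srv-Web';  IP = '192.0.2.10'; Mask = '255.255.255.255' }
    [pscustomobject]@{ Name = 'Srv-Db';   IP = '192.0.2.20'; Mask = '255.255.255.255' }
    [pscustomobject]@{ Name = 'Net-Mgmt'; IP = '192.0.2.32'; Mask = '255.255.255.224' }
)
$groupName = 'Grp-Internal-Servers'

foreach ($obj in $wanted) {
    # FortiGate reports ipmask objects as "<network> <mask>" in the subnet field.
    $subnet   = "$($obj.IP) $($obj.Mask)"
    $existing = Get-FGTFirewallAddress -name $obj.Name

    if (-not $existing) {
        Write-Host "Creating $($obj.Name) ($subnet)"
        Add-FGTFirewallAddress -Name $obj.Name -ip $obj.IP -mask $obj.Mask | Out-Null
    }
    elseif ($existing.subnet -ne $subnet) {
        # Only change objects that drifted from the desired value, and log what changed.
        Write-Host "Updating $($obj.Name): '$($existing.subnet)' -> '$subnet'"
        $existing | Set-FGTFirewallAddress -ip $obj.IP -mask $obj.Mask | Out-Null
    }
    else {
        Write-Host "$($obj.Name) already correct"
    }
}

# Reconcile the group: create it if missing, otherwise add only the absent members.
$group = Get-FGTFirewallAddressGroup -name $groupName
if (-not $group) {
    Write-Host "Creating group $groupName"
    Add-FGTFirewallAddressGroup -name $groupName -member $wanted.Name | Out-Null
}
else {
    $current = @($group.member.name)
    $missing = @($wanted.Name | Where-Object { $_ -notin $current })
    if ($missing.Count -gt 0) {
        Write-Host "Adding to $groupName : $($missing -join ', ')"
        $group | Add-FGTFirewallAddressGroupMember -member $missing | Out-Null
    }
}
```

Running the script a second time changes nothing on the firewall, which makes it safe to schedule or re-run after a partial failure.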

Filtering

For Invoke-FGTRestMethod, it is possible to use the -filter parameter. You need to use the FortiGate API filter syntax:

    Key      Operator Pattern Full Request                                               Description
    ---      -------- ------- ------------                                               -----------
    schedule ==       always  GET /api/v2/cmdb/firewall/policy/?filter=schedule==always  Only return firewall policies with schedule 'always'
    schedule !=       always  GET /api/v2/cmdb/firewall/policy/?filter=schedule!=always  Return all firewall policies with a schedule other than 'always'

and the filter operators:

    Operator Description
    -------- -----------
    ==       Case insensitive match with pattern.
    !=       Does not match with pattern (case insensitive).
    =@       Pattern found in object value (case insensitive).
    !@       Pattern not found in object value (case insensitive).
    <=       Value must be less than or equal to pattern.
    <        Value must be less than pattern.
    >=       Value must be greater than or equal to pattern.
    >        Value must be greater than pattern.

For Invoke-FGTRestMethod and Get-XXX cmdlets like Get-FGTFirewallAddress, it is possible to use some filter helpers (-filter_attribute, -filter_type, -filter_value):

# Get the address named myFGT
    Get-FGTFirewallAddress -name myFGT
...

# Get the addresses whose name contains myFGT
    Get-FGTFirewallAddress -name myFGT -filter_type contains
...

# Get the addresses whose subnet equals 192.0.2.0 255.255.255.0
    Get-FGTFirewallAddress -filter_attribute subnet -filter_type equal -filter_value 192.0.2.0 255.255.255.0
...

Currently, only the equal and contains filter types are supported.
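The filter syntax above is most useful for review queries. As an added example (not from the PowerFGT README), the function below asks the API for accept policies with a server-side -filter and then checks client-side for enabled rules that allow any source to any destination on any service, the rules a firewall review looks at first. It assumes an open Connect-FGT session and that -filter on Invoke-FGTRestMethod takes the FortiGate filter syntax described above.

```powershell
# Added example, not part of the PowerFGT README. Assumes an open Connect-FGT session
# and that -filter on Invoke-FGTRestMethod takes the FortiGate filter syntax above.

function Get-FGTPermissivePolicy {
    <#
    Returns enabled firewall policies that accept any source to any destination
    on any service: the "any/any/ALL" rules worth reviewing first.
    #>
    # Server-side filter: only accept policies cross the wire.
    $uri      = "api/v2/cmdb/firewall/policy"
    $policies = (Invoke-FGTRestMethod -method "get" -uri $uri -filter "action==accept").results

    foreach ($p in $policies) {
        # Disabled rules do not pass traffic; skip them.
        if ($p.status -ne 'enable') { continue }

        # srcaddr/dstaddr/service are lists of {name=...} objects (see the output above).
        $srcAny = @($p.srcaddr.name) -contains 'all'
        $dstAny = @($p.dstaddr.name) -contains 'all'
        $svcAny = @($p.service.name) -contains 'ALL'

        if ($srcAny -and $dstAny -and $svcAny) {
            [pscustomobject]@{
                policyid = $p.policyid
                name     = $p.name
                srcintf  = (@($p.srcintf.name) -join ',')
                dstintf  = (@($p.dstintf.name) -join ',')
                schedule = $p.schedule
            }
        }
    }
}

# Table of rules to review; an empty result means no enabled any/any/ALL policy.
Get-FGTPermissivePolicy | Format-Table
```

The same server-side condition can be expressed with the Get-XXX helper filters (-filter_attribute action -filter_type equal -filter_value accept) where the cmdlet supports them; the client-side check on srcaddr, dstaddr and service is still needed either way.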

Address Group

You can create a new Address Group Add-FGTFirewallAddressGroup, retrieve its information Get-FGTFirewallAddressGroup, modify its properties Set-FGTFirewallAddressGroup, copy/clone its properties Copy-FGTFirewallAddressGroup, Add member to Address Group Add-FGTFirewallAddressGroupMember and remove member Remove-FGTFirewallAddressGroupMember, or delete it Remove-FGTFirewallAddressGroup.

# Get information about ALL address Groups (using Format-Table)
    Get-FGTFirewallAddressGroup | Format-Table

    q_origin_key     name             uuid                                 member
    ------------     ----             ----                                 ------
    My Address Group My Address Group 292f6eaa-2613-51ea-866d-06cedca8805 {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_ke…

# Add an address Group with FGT1 and FGT2 
    Add-FGTFirewallAddressGroup -name "My Address Group" -member FGT1, FGT2

    q_origin_key  : My Address Group
    name          : My Address Group
    uuid          : 292f6eaa-2613-51ea-866d-06cedca8805
    member        : {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_key=FGT2; name=FGT2}}
    comment       :
    visibility    : enable
    color         : 0
    tagging       : {}
    allow-routing : disable

# Add FGT3 member to existing address Group
    Get-FGTFirewallAddressGroup -name "My Address Group" | Add-FGTFirewallAddressGroupMember -member FGT3

    q_origin_key  : MyAddressGroup
    name          : MyAddressGroup
    uuid          : 292f6eaa-2613-51ea-866d-06cedca8805a
    member        : {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_key=FGT2; name=FGT2}, @{q_origin_key=FGT3; name=FGT3}}
    comment       :
    visibility    : enable
    color         : 0
    tagging       : {}
    allow-routing : disable

# Remove FGT2 member from existing address Group
    Get-FGTFirewallAddressGroup -name "My Address Group" | Remove-FGTFirewallAddressGroupMember -member FGT2

    q_origin_key  : My Address Group
    name          : My Address Group
    uuid          : 292f6eaa-2613-51ea-866d-06cedca8805a
    member        : {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_key=FGT3; name=FGT3}}
    comment       :
    visibility    : enable
    color         : 0
    tagging       : {}
    allow-routing : disable

# Modify an address Group (comment, member...)
    Get-FGTFirewallAddressGroup -name "My Address Group" | Set-FGTFirewallAddressGroup -comment "My Address Group with only FGT2" -member FGT2

    q_origin_key  : My Address Group
    name          : My Address Group
    uuid          : 292f6eaa-2613-51ea-866d-06cedca8805a
    member        : {@{q_origin_key=FGT2; name=FGT2}}
    comment       : My Address Group with only FGT2
    visibility    : enable
    color         : 0
    tagging       : {}
    allow-routing : disable

# Copy/Clone an address Group
    Get-FGTFirewallAddressGroup -name "My Address Group" | Copy-FGTFirewallAddressGroup -name "My New Address Group"

    q_origin_key  : My New Address Group
    name          : My New Address Group
    uuid          : 9c2673a8-2614-51ea-9ab0-dfbd6f2c0475
    member        : {@{q_origin_key=FGT2; name=FGT2}}
    comment       : My Address Group with only FGT2
    visibility    : enable
    color         : 0
    tagging       : {}
    allow-routing : disable

# Remove an address Group
    Get-FGTFirewallAddressGroup -name "My Address Group" | Remove-FGTFirewallAddressGroup

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Firewall Address Group" on target "My Address Group".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Virtual IP

You can create a new Virtual IP Add-FGTFirewallVip, retrieve its information Get-FGTFirewallVip, or delete it Remove-FGTFirewallVip.

# Get information about ALL Virtual IP (using Format Table)
    Get-FGTFirewallVip | Format-Table

    q_origin_key name        id uuid                                 comment type       dns-mapping-ttl ldb-method src-filter service
    ------------ ----        -- ----                                 ------- ----       --------------- ---------- ---------- -------
    myVIP1       myVIP1       0 3ccb44c6-2662-51ea-a469-3148c8eff287         static-nat               0 static     {}         {}
    myVIP3-8080  myVIP3-8080  0 73989828-2662-51ea-c969-4ad22d450075         static-nat               0 static     {}         {}

# Add a Virtual IP with Static NAT (192.2.0.1 => 198.51.100.1)
    Add-FGTFirewallVip -name myVIP1 -type static-nat -extip 192.2.0.1 -mappedip 198.51.100.1

    q_origin_key                     : myVIP1
    name                             : myVIP1
    id                               : 0
    uuid                             : 3ccb44c6-2662-51ea-a469-3148c8eff287
    comment                          :
    type                             : static-nat
    dns-mapping-ttl                  : 0
    ldb-method                       : static
    src-filter                       : {}
    service                          : {}
    extip                            : 192.2.0.1
    extaddr                          : {}
    mappedip                         : {@{q_origin_key=198.51.100.1; range=198.51.100.1}}
    [...]

# Add a Virtual IP with Static NAT and Port Forward (192.2.0.2:8080 => 198.51.100.2:80)
    Add-FGTFirewallVip -name myVIP2-8080to80 -type static-nat -extip 192.2.0.2 -mappedip 198.51.100.2 -portforward -extport 8080 -mappedport 80

    q_origin_key                     : myVIP2-8080to80
    name                             : myVIP2-8080to80
    id                               : 0
    uuid                             : 73989828-2662-51ea-c969-4ad22d450075
    comment                          :
    type                             : static-nat
    dns-mapping-ttl                  : 0
    ldb-method                       : static
    src-filter                       : {}
    service                          : {}
    extip                            : 192.2.0.2
    extaddr                          : {}
    mappedip                         : {@{q_origin_key=198.51.100.2; range=198.51.100.2}}
    mapped-addr                      :
    extintf                          : any
    arp-reply                        : enable
    server-type                      :
    persistence                      : none
    nat-source-vip                   : disable
    portforward                      : enable
    protocol                         : tcp
    extport                          : 8080
    mappedport                       : 80
    [...]

# Remove a Virtual IP
    Get-FGTFirewallVip -name myVIP1 | Remove-FGTFirewallVip

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Firewall VIP" on target "myVIP1".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Virtual IP Group

You can create a new VIP Group Add-FGTFirewallVIPGroup, retrieve its information Get-FGTFirewallVIPGroup, modify its properties Set-FGTFirewallVIPGroup, copy/clone its properties Copy-FGTFirewallVIPGroup, add members to the VIP Group Add-FGTFirewallVIPGroupMember and remove members Remove-FGTFirewallVIPGroupMember, or delete it Remove-FGTFirewallVIPGroup.

# Get information about ALL VIP Group (using Format Table)
    Get-FGTFirewallVipGroup | Format-Table

    name       q_origin_key uuid                                 interface color comments member
    ----       ------------ ----                                 --------- ----- -------- ------
    MyVIPGroup MyVIPGroup   cb875532-3d82-51eb-f120-075c29c10657 any           0          {@{name=myVIP1; q_origin_key=myVIP1}, @{name=myVIP2; q_origin_key=myVIP2}}

# Add a VIP Group with myVIP1 and myVIP2
    Add-FGTFirewallVIPGroup -name "MyVIPGroup" -member myVIP1, myVIP2

    name         : MyVIPGroup
    q_origin_key : MyVIPGroup
    uuid         : cb875532-3d82-51eb-f120-075c29c10657
    interface    : any
    color        : 0
    comments     :
    member       : {@{name=myVIP1; q_origin_key=myVIP1}, @{name=myVIP2; q_origin_key=myVIP2}}

# Add myVIP3 member to existing Virtual IP GROUP
    Get-FGTFirewallVIPGroup -name "MyVIPGroup" | Add-FGTFirewallVIPGroupMember -member myVIP3

    name         : MyVIPGroup
    q_origin_key : MyVIPGroup
    uuid         : cb875532-3d82-51eb-f120-075c29c10657
    interface    : any
    color        : 0
    comments     :
    member       : {@{name=myVIP1; q_origin_key=myVIP1}, @{name=myVIP2; q_origin_key=myVIP2}, @{name=myVIP3; q_origin_key=myVIP3}}

# Remove myVIP2 member from existing Virtual IP Group
    Get-FGTFirewallVIPGroup -name "MyVIPGroup" | Remove-FGTFirewallVIPGroupMember -member myVIP2

    name         : MyVIPGroup
    q_origin_key : MyVIPGroup
    uuid         : cb875532-3d82-51eb-f120-075c29c10657
    interface    : any
    color        : 0
    comments     :
    member       : {@{name=myVIP1; q_origin_key=myVIP1}, @{name=myVIP3; q_origin_key=myVIP3}}

# Modify a Virtual IP Group
    Get-FGTFirewallVIPGroup -name "MyVIPGroup" | Set-FGTFirewallVIPGroup -comment "My Virtual IP with only myVIP2" -member myVIP2

    name         : MyVIPGroup
    q_origin_key : MyVIPGroup
    uuid         : cb875532-3d82-51eb-f120-075c29c10657
    interface    : any
    color        : 0
    comments     : My Virtual IP with only myVIP2
    member       : {@{name=myVIP2; q_origin_key=myVIP2}}

# Remove a Virtual IP Group
    Get-FGTFirewallVIPGroup -name "MyVIPGroup" | Remove-FGTFirewallVIPGroup

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove Firewall VIP Group" on target "MyVIPGroup".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Policy

You can create a new Policy Add-FGTFirewallPolicy, retrieve its information Get-FGTFirewallPolicy, add members to the source or destination address Add-FGTFirewallPolicyMember and remove members Remove-FGTFirewallPolicyMember, or delete it Remove-FGTFirewallPolicy.

# Get information about ALL Policies (using Format Table)
    Get-FGTFirewallPolicy | Format-Table

    q_origin_key policyid name         uuid                                 srcintf                             dstintf                             srcaddr
    ------------ -------- ----         ----                                 -------                             -------                             -------
            1           1 MyFGTPolicy  31a7ad9e-266e-51ea-1691-4906abad2e8b {@{q_origin_key=port1; name=port1}} {@{q_origin_key=port2; name=port2}} {@{q_origin_key=all; name=all}
            2           2 MyFGTPolicy2 3c8e5212-266e-51ea-2300-dc5fcb1a8e2a {@{q_origin_key=port1; name=port1}} {@{q_origin_key=port3; name=port3}} {@{q_origin_key=all; name=all}}

# Add Policy (MyFGTPolicy) allowing ALL traffic from port1 to port2
    Add-FGTFirewallPolicy -name MyFGTPolicy -srcintf port1 -dstintf port2 -srcaddr all -dstaddr all

    q_origin_key                : 1
    policyid                    : 1
    name                        : MyFGTPolicy
    uuid                        : 31a7ad9e-266e-51ea-1691-4906abad2e8b
    srcintf                     : {@{q_origin_key=port1; name=port1}}
    dstintf                     : {@{q_origin_key=port2; name=port2}}
    srcaddr                     : {@{q_origin_key=all; name=all}}
    dstaddr                     : {@{q_origin_key=all; name=all}}
    internet-service            : disable
    internet-service-id         : {}
    internet-service-custom     : {}
    internet-service-src        : disable
    internet-service-src-id     : {}
    internet-service-src-custom : {}
    rtp-nat                     : disable
    rtp-addr                    : {}
    learning-mode               : disable
    action                      : accept
    send-deny-packet            : disable
    firewall-session-dirty      : check-all
    status                      : enable
    schedule                    : always
    schedule-timeout            : disable
    service                     : {@{q_origin_key=ALL; name=ALL}}
    [...]

# Add Policy (MyFGTPolicy2) allowing ALL traffic from port1 to port3 with NAT enabled (but the rule disabled)
    Add-FGTFirewallPolicy -name MyFGTPolicy2 -srcintf port1 -dstintf port3 -srcaddr all -dstaddr all -nat -status:$false -skip

    q_origin_key              : 2
    policyid                  : 2
    name                      : MyFGTPolicy2
    uuid                      : dc941a9e-266e-51ea-2f5c-41da0d900d92
    srcintf                   : {@{q_origin_key=port1; name=port1}}
    dstintf                   : {@{q_origin_key=port3; name=port3}}
    srcaddr                   : {@{q_origin_key=all; name=all}}
    dstaddr                   : {@{q_origin_key=all; name=all}}
    internet-service          : disable
    internet-service-src      : disable
    rtp-nat                   : disable
    learning-mode             : disable
    action                    : accept
    status                    : disable
    schedule                  : always
    schedule-timeout          : disable
    [...]

# Add FGT2 and FGT3 to the source address (only FGT1 before)
    Get-FGTFirewallPolicy -name MyFGTPolicy3 | Add-FGTFirewallPolicyMember -srcaddr FGT2, FGT3

    q_origin_key              : 2
    policyid                  : 2
    name                      : MyFGTPolicy3
    uuid                      : dc941a9e-266e-51ea-2f5c-41da0d900d92
    srcintf                   : {@{q_origin_key=port1; name=port1}}
    dstintf                   : {@{q_origin_key=port2; name=port2}}
    srcaddr                   : {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_key=FGT2; name=FGT2}, @{q_origin_key=FGT3;name=FGT3}}
    dstaddr                   : {@{q_origin_key=all; name=all}}
    internet-service          : disable
    internet-service-src      : disable
    rtp-nat                   : disable
    learning-mode             : disable
    action                    : accept
    status                    : disable
    schedule                  : always
    schedule-timeout          : disable
    [...]

# Remove FGT3 from the destination address (FGT1, FGT2, FGT3 before)
    Get-FGTFirewallPolicy -name MyFGTPolicy3 | Remove-FGTFirewallPolicyMember -dstaddr FGT3

    q_origin_key              : 2
    policyid                  : 2
    name                      : MyFGTPolicy4
    uuid                      : dc941a9e-266e-51ea-2f5c-41da0d900d92
    srcintf                   : {@{q_origin_key=port1; name=port1}}
    dstintf                   : {@{q_origin_key=port2; name=port2}}
    srcaddr                   : {@{q_origin_key=all; name=all}}
    dstaddr                   : {@{q_origin_key=FGT1; name=FGT1}, @{q_origin_key=FGT2; name=FGT2}}
    internet-service          : disable
    internet-service-src      : disable
    rtp-nat                   : disable
    learning-mode             : disable
    action                    : accept
    status                    : disable
    schedule                  : always
    schedule-timeout          : disable
    [...]

# Remove a Policy
    Get-FGTFirewallPolicy -name MyFGTPolicy2 | Remove-FGTFirewallPolicy

    Remove Policy on Fortigate
    Proceed with removal of Policy MyFGTPolicy2 ?
    [Y] Yes  [N] No  [?] Help (default is "N"): y

Zone

You can create a new Zone Add-FGTSystemZone, retrieve its information Get-FGTSystemZone, modify its properties Set-FGTSystemZone, add members to the Zone Add-FGTSystemZoneMember and remove members Remove-FGTSystemZoneMember, or delete it Remove-FGTSystemZone.

# Get information about ALL Zone
    Get-FGTSystemZone

    name         : myPowerFGTZone
    q_origin_key : myPowerFGTZone
    tagging      : {}
    description  :
    intrazone    : deny
    interface    : {@{interface-name=port5; q_origin_key=port5}, @{interface-name=port6; q_origin_key=port6}}

# Add new Zone myPowerFGTZone2 with port7 and intrazone allowed
    Add-FGTSystemZone -name myPowerFGTZone2 -intrazone allow -interfaces port7

    name         : myPowerFGTZone2
    q_origin_key : myPowerFGTZone2
    tagging      : {}
    description  :
    intrazone    : allow
    interface    : {@{interface-name=port7; q_origin_key=port7}}

# Add new member (port8) to existing zone myPowerFGTZone2
    Get-FGTSystemZone -name myPowerFGTZone2 | Add-FGTSystemZoneMember -interfaces port8

    name         : myPowerFGTZone2
    q_origin_key : myPowerFGTZone2
    tagging      : {}
    description  :
    intrazone    : allow
    interface    : {@{interface-name=port7; q_origin_key=port7}, @{interface-name=port8; q_origin_key=port8}}

# Remove port7 member from existing zone myPowerFGTZone2
    Get-FGTSystemZone -name myPowerFGTZone2 | Remove-FGTSystemZoneMember -interfaces port7

    name         : myPowerFGTZone2
    q_origin_key : myPowerFGTZone2
    tagging      : {}
    description  :
    intrazone    : allow
    interface    : {@{interface-name=port8; q_origin_key=port8}}

# Modify a Zone (intrazone, interface...)
    Get-FGTSystemZone -name myPowerFGTZone2 | Set-FGTSystemZone -intrazone deny

    name         : myPowerFGTZone2
    q_origin_key : myPowerFGTZone2
    tagging      : {}
    description  :
    intrazone    : deny
    interface    : {@{interface-name=port8; q_origin_key=port8}}

# Remove a zone
    Get-FGTSystemZone -name myPowerFGTZone2 | Remove-FGTSystemZone

    Confirm
    Are you sure you want to perform this action?
    Performing the operation "Remove zone" on target "myPowerFGTZone2".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Invoke API

For example, to get FortiGate System Global info:

# get FortiGate System Global using API
    (Invoke-FGTRestMethod -method "get" -uri "api/v2/cmdb/system/global").results

    language                                : english
    gui-ipv6                                : disable
    gui-certificates                        : enable
    gui-custom-language                     : disable
    gui-wireless-opensecurity               : disable
    gui-display-hostname                    : disable
    gui-lines-per-page                      : 50
    admin-https-ssl-versions                : tlsv1-1 tlsv1-2
    admintimeout                            : 120
    admin-console-timeout                   : 0
    admin-concurrent                        : enable
    admin-lockout-threshold                 : 3
    admin-lockout-duration                  : 60
    refresh                                 : 0
    interval                                : 5
    failtime                                : 5
    daily-restart                           : disable
    restart-time                            : 00:00
    radius-port                             : 1812
    admin-login-max                         : 100
    remoteauthtimeout                       : 5
    ldapconntimeout                         : 500
    batch-cmdb                              : enable
    multi-factor-authentication             : optional
    dst                                     : enable
    timezone                                : 04
    traffic-priority                        : tos
    traffic-priority-level                  : medium
    anti-replay                             : strict
    send-pmtu-icmp                          : enable
    honor-df                                : enable
    revision-image-auto-backup              : disable
    revision-backup-on-logout               : disable
    management-vdom                         : root
    hostname                                : PowerFGT-FW1
[...]

To discover API URIs, you can use the api/v2/cmdb/?action=schema URI to get the schema.
You can also look at the FortiOS - REST API Reference available on the Fortinet Developer Network (FNDN).

VDOM

It is possible to use VDOMs with the -vdom parameter on each cmdlet (by default it is the root vdom).

To get FGT Firewall Addresses of vdomX:

    Get-FGTFirewallAddress -vdom vdomX
[...]

To get FGT Firewall Addresses of vdomX and root:

    Get-FGTFirewallAddress -vdom vdomX,root
[...]

To get FGT Firewall Addresses of all vdoms:

    Get-FGTFirewallAddress -vdom *
[...]

You can configure the "default" vdom when connecting using

    Connect-FGT 192.0.2.1 -vdom vdomX
[...]

You can also change the default vdom using

    Set-FGTConnection -vdom vdomY
[...]
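
The following is an added example (not PowerFGT's own code) that combines the two cmdlets above into a per-VDOM audit: it enumerates the VDOMs with Get-FGTSystemVdom instead of hard-coding vdomX, counts the address objects in each one, and flags custom ipmask objects that cover 0.0.0.0/0, since an "all"-equivalent object under another name is easy to miss in a policy review. It assumes a default connection already exists, that Get-FGTSystemVdom returns one object per VDOM with a name property, and that address objects expose the FortiOS field names (name, type, subnet) as PowerShell properties.

```powershell
# Added example, not PowerFGT code. Assumes a default connection (Connect-FGT),
# Get-FGTSystemVdom objects carrying a 'name' property, and address objects
# exposing the FortiOS fields 'name', 'type' and 'subnet' ("<ip> <mask>").
function Get-FGTAddressAuditPerVdom {
    $vdoms = Get-FGTSystemVdom | Select-Object -ExpandProperty name
    foreach ($vdom in $vdoms) {
        # Wrap in @() so a VDOM with a single address still yields an array
        $addresses = @(Get-FGTFirewallAddress -vdom $vdom)

        # Any ipmask object with mask 0.0.0.0 matches every IP; only the built-in
        # 'all' object is expected to look like that
        $wildcards = $addresses | Where-Object {
            $_.type -eq "ipmask" -and
            $_.subnet -match '\s0\.0\.0\.0$' -and
            $_.name -ne "all"
        }

        [pscustomobject]@{
            vdom             = $vdom
            addresses        = $addresses.Count
            fqdn             = @($addresses | Where-Object { $_.type -eq "fqdn" }).Count
            iprange          = @($addresses | Where-Object { $_.type -eq "iprange" }).Count
            custom_wildcards = ($wildcards | Select-Object -ExpandProperty name) -join ","
        }
    }
}

Get-FGTAddressAuditPerVdom | Format-Table -AutoSize
```

Because every call passes -vdom explicitly, the result does not depend on which VDOM was selected with Connect-FGT -vdom or Set-FGTConnection -vdom.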

Proxy

There are also cmdlets for the explicit/transparent Proxy:

  • Proxy Address (Add/Copy/Get/Remove-FGTFirewallProxyAddress)
  • Proxy Address Group (Add/Copy/Get/Set/Remove-FGTFirewallProxyAddressGroup)
  • Proxy Policy (Add/Get/Remove-FGTFirewallProxyPolicy)

For Proxy Policy, it is possible to specify explicit proxy or transparent mode. On FortiGate 6.0.x, you need to enable proxy mode first (and enable the proxy feature) before these cmdlets work.

MultiConnection

From release 0.3.0, it is possible to be connected to several FortiGates at the same time. You need to pass the -connection parameter to each cmdlet.

For example, to get the interfaces of two FortiGates:

    # Connect to first FortiGate
    $fw1 = Connect-FGT 192.0.2.1 -SkipCertificateCheck -DefaultConnection:$false

    # -DefaultConnection:$false is not mandatory; it only prevents the connection
    # info from being stored in the global (default) connection variable

    # Connect to second FortiGate
    $fw2 = Connect-FGT 192.0.2.2 -SkipCertificateCheck -DefaultConnection:$false

    # Get Interface for first FortiGate
    Get-FGTSystemInterface -connection $fw1 | Format-Table

    q_origin_key  name          vdom vrf cli-conn-status fortilink mode   distance priority dhcp-relay-service
    ------------  ----          ---- --- --------------- --------- ----   -------- -------- ------------------
    DCFW          DCFW          root   0               0 disable   static        5        0 enable
    FITNUC        FITNUC        root   0               0 disable   static        5        0 disable
    [...]

    # Get Interface for second FortiGate
    Get-FGTSystemInterface -connection $fw2 | Format-Table

    q_origin_key  name          vdom vrf cli-conn-status fortilink mode   distance priority dhcp-relay-service
    ------------  ----          ---- --- --------------- --------- ----   -------- -------- ------------------
    FSA-DMZ       FSA-DMZ       root   0               0 disable   static        5        0 disable
    FSA-DMZ2      FSA-DMZ2      root   0               0 disable   static        5        0 disable
    FWLC          FWLC          root   0               0 disable   static        5        0 enable
    [...]

    # Each cmdlet can use the -connection parameter
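
A more useful multi-connection pattern, added here as an example (not part of PowerFGT), is a drift check: open one non-default connection per firewall, read the 'system global' admin settings shown earlier on this page with Get-FGTSystemGlobal -connection, compare them against a baseline and report the mismatches. The firewall list and the baseline values are constructed for the example and are a local policy choice, not Fortinet defaults. It assumes Connect-FGT prompts for credentials when none are passed and that Disconnect-FGT also accepts -connection.

```powershell
# Added example, not PowerFGT code. Assumes: Connect-FGT prompts for credentials,
# Disconnect-FGT accepts -connection, Get-FGTSystemGlobal returns the 'system global'
# fields as properties. Firewall list and baseline are constructed for the example.
$firewalls = @("192.0.2.1", "192.0.2.2")

# Baseline for admin access hardening (local policy choice, edit to taste).
# Values are compared as strings to cover both option and integer fields.
$baseline = @{
    "admin-lockout-threshold"     = "3"
    "admin-lockout-duration"      = "60"
    "admin-concurrent"            = "disable"
    "multi-factor-authentication" = "optional"
}

$report = foreach ($fw in $firewalls) {
    # -SkipCertificateCheck mirrors the example above; drop it once the management
    # interface carries a certificate your workstation trusts
    $conn = Connect-FGT $fw -SkipCertificateCheck -DefaultConnection:$false
    try {
        $sysglobal = Get-FGTSystemGlobal -connection $conn
        foreach ($setting in $baseline.Keys) {
            $actual = "$($sysglobal.$setting)"
            [pscustomobject]@{
                firewall = $fw
                hostname = $sysglobal.hostname
                setting  = $setting
                expected = $baseline[$setting]
                actual   = $actual
                ok       = ($actual -eq $baseline[$setting])
            }
        }
    } finally {
        # Always release the session, even if a read failed
        Disconnect-FGT -connection $conn
    }
}

# Only show deviations from the baseline
$report | Where-Object { -not $_.ok } | Format-Table -AutoSize
```

With the output shown earlier (admin-concurrent : enable) the first firewall would appear in the report with expected "disable" and actual "enable".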

Disconnecting

# Disconnect from the FortiGate
    Disconnect-FGT

Deploy-VM

You can deploy a FortiGate OVA (vApp). You need the VMware.PowerCLI module and the FortiGate OVF (available on the Fortinet support web site).

    $fortiBuildParams = @{
        ovf_path                    = "C:\FortiGate-VM64.vapp.ovf"
        vm_host                     = "MyHost"
        datastore                   = "MyDataStore"
        Cluster                     = "MyCluster"
        name_vm                     = "PowerFGT"
        hostname                    = "PowerFGT"
        dns_primary                 = "192.0.2.3"
        dns_secondary               = "192.0.2.4"
        int0_network_mode           = "Static"
        int0_gateway                = "192.0.2.254"
        int0_ip                     = "192.0.2.1"
        int0_netmask                = "255.255.255.0"
        int0_port_group             = "PG-PowerFGT"
        net_adapter                 = "vmxnet3"
    }
    Deploy-FGTVm @fortiBuildParams

    The FortiGate is then ready to use (http://192.0.2.1) once you start the VM!

Issue

Unable to connect (certificate)

If you use Connect-FGT and get "Unable to connect (certificate)", the cause is a self-signed or expired certificate on the firewall management interface.
You can connect anyway using Connect-FGT -SkipCertificateCheck. Be aware that this disables TLS certificate validation completely, so anyone on the network path could impersonate the firewall and capture your admin credentials; the proper fix is to install a certificate from a CA your workstation trusts on the management interface and keep -SkipCertificateCheck as a temporary workaround.
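
If you must use -SkipCertificateCheck, the added example below (not part of PowerFGT) limits the damage by pinning: it reads the management certificate over a raw TLS handshake, computes its SHA-256 fingerprint and only calls Connect-FGT with the check disabled when the fingerprint matches the one you recorded from the firewall over a trusted channel (console or a session you have already verified). The pinned fingerprint shown is a placeholder you must replace; the function name and the firewall address are assumptions for the example.

```powershell
# Added example, not PowerFGT code. The pinned value is a placeholder; record the real
# SHA-256 fingerprint of the management certificate over a trusted channel first.
function Get-FGTManagementCertSha256 {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $ssl = $null
    try {
        # Accept any certificate during this handshake: we only want to read it,
        # the trust decision is taken below by comparing the fingerprint
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
        ($hash | ForEach-Object { $_.ToString("X2") }) -join ""
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

$fwAddress = "192.0.2.1"
# Placeholder: replace with the fingerprint you recorded from the firewall itself
$pinnedSha256 = "0000000000000000000000000000000000000000000000000000000000000000"

$seen = Get-FGTManagementCertSha256 -Server $fwAddress
if ($seen -ne $pinnedSha256) {
    throw "Certificate of $fwAddress does not match the pinned fingerprint (got $seen); refusing to connect"
}

# Fingerprint matched: the bypass now only applies to the certificate we expect
Connect-FGT $fwAddress -SkipCertificateCheck
```

When the firewall certificate is legitimately renewed, the check fails closed and you update the pinned value deliberately, which is exactly the step a man-in-the-middle cannot perform for you.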

Unable to connect

You can also use Connect-FGT -httpOnly to connect over plain HTTP (NOT RECOMMENDED: your admin credentials and the whole configuration are sent in cleartext).

How to contribute

Contributions and feature requests are more than welcome. Please use the following methods:

  • For bugs and issues, please use the issue register with details of the problem.
  • For feature requests, please use the issue register with details of what is required.
  • For code contributions (bug fixes or feature requests), please fork PowerFGT, create a feature/fix branch, add tests if needed, then submit a pull request.

Contact

Currently, @alagoutte started this project and will keep maintaining it. Reach out to me via Twitter, Email (see top of file) or the issues Page here on GitHub. If you want to contribute, also get in touch with me.

List of available commands

Add-FGTFirewallAddress
Add-FGTFirewallAddressGroup
Add-FGTFirewallAddressGroupMember
Add-FGTFirewallPolicy
Add-FGTFirewallPolicyMember
Add-FGTFirewallProxyAddress
Add-FGTFirewallProxyAddressGroup
Add-FGTFirewallProxyAddressGroupMember
Add-FGTFirewallProxyPolicy
Add-FGTFirewallVip
Add-FGTFirewallVipGroup
Add-FGTFirewallVipGroupMember
Add-FGTSystemZone
Add-FGTSystemZoneMember
Confirm-FGTAddress
Confirm-FGTAddressGroup
Confirm-FGTFirewallPolicy
Confirm-FGTFirewallProxyPolicy
Confirm-FGTProxyAddress
Confirm-FGTProxyAddressGroup
Confirm-FGTVip
Confirm-FGTVipGroup
Confirm-FGTZone
Connect-FGT
Copy-FGTFirewallAddress
Copy-FGTFirewallAddressGroup
Copy-FGTFirewallProxyAddress
Copy-FGTFirewallProxyAddressGroup
Copy-FGTFirewallVipGroup
Deploy-FGTVm
Disconnect-FGT
Get-FGTFirewallAddress
Get-FGTFirewallAddressGroup
Get-FGTFirewallIPPool
Get-FGTFirewallPolicy
Get-FGTFirewallProxyAddress
Get-FGTFirewallProxyAddressGroup
Get-FGTFirewallProxyPolicy
Get-FGTFirewallServiceCustom
Get-FGTFirewallServiceGroup
Get-FGTFirewallVip
Get-FGTFirewallVipGroup
Get-FGTRouterPolicy
Get-FGTRouterStatic
Get-FGTSystemDns
Get-FGTSystemGlobal
Get-FGTSystemHA
Get-FGTSystemInterface
Get-FGTSystemSDWAN
Get-FGTSystemSettings
Get-FGTSystemVdom
Get-FGTSystemVirtualWANLink
Get-FGTSystemZone
Get-FGTUserLocal
Get-FGTVpnIpsecPhase1Interface
Get-FGTVpnIpsecPhase2Interface
Invoke-FGTRestMethod
Remove-FGTFirewallAddress
Remove-FGTFirewallAddressGroup
Remove-FGTFirewallAddressGroupMember
Remove-FGTFirewallPolicy
Remove-FGTFirewallPolicyMember
Remove-FGTFirewallProxyAddress
Remove-FGTFirewallProxyAddressGroup
Remove-FGTFirewallProxyAddressGroupMember
Remove-FGTFirewallProxyPolicy
Remove-FGTFirewallVip
Remove-FGTFirewallVipGroup
Remove-FGTFirewallVipGroupMember
Remove-FGTSystemZone
Remove-FGTSystemZoneMember
Set-FGTCipherSSL
Set-FGTConnection
Set-FGTFirewallAddress
Set-FGTFirewallAddressGroup
Set-FGTFirewallProxyAddressGroup
Set-FGTFirewallVipGroup
Set-FGTSystemZone
Set-FGTUntrustedSSL
Show-FGTException

Author

Alexis La Goutte

Contributors

  • Arthur Heijnen
  • Benjamin Perrier
  • Brett Pound
  • Cédric Moreau
  • Evan Chisholm
  • Jelmer Jaarsma

Sorted by name (git shortlog -s)

Special Thanks

  • Warren F. for his blog post 'Building a Powershell module'
  • Erwan Quelin for help about Powershell

License

Copyright 2019 Alexis La Goutte and the community.
