In the previous post, I demonstrated how to get the fortigate configuration using Ansible with fortios module. In this post, I will show you how to get the backup config using Ansible with RestAPI via uri module.
Continue reading “Backup FortiOS config with Ansible – with RestAPI”Backup FortiOS config with Ansible – with fortios_config module
TL;DR
- fortios_config is based on pyFG which is not updated for 2 years
- If you have non-ascii characters in Fortigate, you should not use it
- Compare the result and your manual backup. Know what is omitted.
Fortigate SDWAN – All-In-One internet resilience
SDWAN is booming, and lots of vendors are promoting their SDWAN. According to Wikipedia, any SDWAN should have these characteristics:
- The ability to support multiple connection types, such as MPLS, frame relay and higher capacity LTE wireless communications
- The ability to do dynamic path selection, for load sharing and resiliency purposes
- A simple interface that is easy to configure and manage
- The ability to support VPNs, and third party services such as WAN optimization controllers, firewalls and web gateways
Fortigate Config version management
In this post, I’m going to configure Google Cloud Function as an interface among Fortigate, Slack and Github. Once all deploy completed, all the configuration changes on Fortigate will be automatically notified to Slack, and it will be uploaded to Github for version control.
Continue reading “Fortigate Config version management”Fortigate config management in Github
After Github opened its free repository function to free users, I’m using Github private repository to store lots of my applications config file. I usually don’t use version management because they usually never changes after initial deployment. However, especially while I write blog post I need to make changes just to check the functionality. And sometimes I forgot to rollback config and need to check manually on the device.
In this post, I show you how to integrate Fortigate config backup script and Github API. And in the next post I will deploy them in CloudFunction so that it can be invoked by Fortigate automation stitch.
Continue reading “Fortigate config management in Github”Fortigate RestAPI Config Backup – FortiOS 6.0.4
Previously I wrote a post how to backup the Fortigate config using session based authentication. As per the API reference, this is considered legacy, and other authentication method –API token, is preferred. In this post, I demonstrate how to use FortiOS RestAPI with API token. And I will introduce how to parse current configuration.
I used FortiOS 6.0.4 to deploy this, and it is most likely not working with other version(especially 5.x).
The flow is as follows:
- Create access profile for API user
- Create API user in Fortigate
- Generate API token for API user
- Send request and get the backup config
Fortigate Config Change Notification
Whenever changes are made in configuration, Fortigate posts notification at Slack channel.
Fortigate automation is composed of three elements:
- automation trigger … available trigger -HA Failover, Config change, Log, IOC, High CPU, Conserve mode
- automation action … available action -Email, IP Ban, AWS lambda, Webhook
- automation stitch … Combination of trigger and action
Python 100 project #37: Fortigate config backup via scp
Backup network device configuration is tedious job. I created backup script so that you can retrieve fortigate config.
Output Example:
Here is the code:
def backup_config(ip, username, password, full=False, path=None): """ Retrieve fortigate configuration and save it to the local path :param ip: a string for target ip address :param username: a string for username who has read access :param password: a string for password :param full: boolean . Get full config if True, Get minimum config(diff from the factory default conifg) if False :param path: path to save the backup file :return: Name of the file saved with full path """ import paramiko from scp import SCPClient ssh = paramiko.client.SSHClient() ssh.set_missing_host_key_policy(paramiko.client.AutoAddPolicy()) # ssh.load_system_host_keys() ssh.connect(ip, username=username, password=password) with SCPClient(ssh.get_transport()) as scp: if full: config = 'fgt_config' else: config = 'sys_config' scp.get(config) return "DONE!"
Python 100 project #30: Fortigate Policy to CSV
Today I made a script it takes fortigate config, and make a csv file for firewall policies.
If I use API, it can be much easier, as it does not require any data transformation required to collect those data. But still there are lots of cases (and most of the cases for me) the API is not enabled on the unit. In those cases, I need to use text based config file to make a parameter sheet.
Output Example:
>>> from fortigate_helper import policy_to_dict >>> from helper.dict_helper import to_csv >>> >>> policies = policy_to_dict('data_source/fg_sample_config.txt') >>> >>> to_csv(policies, 'data_out/fg_sample_policies.csv')
Here is the code:
def policy_to_dict(file): from collections import defaultdict parameters = [ "srcintf", "dstintf", "srcaddr", "dstaddr", "service", ] policy_dict = defaultdict(dict) policy_statements = [] with open(file, "r") as f: in_policy = False for line in f: line = line.strip() # check if it's under 'config firewall policy' section. Emit 'next' also. if in_policy and line != "next": if line == "end": break policy_statements.append(line) else: if line == "config firewall policy": in_policy = True if policy_statements: for statement in policy_statements: op, param, *val = statement.split() if op == "edit": policy_id = param elif op == "set" and param in parameters: policy_dict[policy_id][param] = ' '.join(val) return policy_dict
Python 100 project #10: FortiAnalyzer Past week Top Website
One thing I found out during the API exploration of various vendor, Fortinet is one of the vendor which has a broad set of those interfaces among their product lines. It was surprising as I had thought Fortinet had been one of the most locked in company in terms of API (as the document is extremely difficult to find).
Some of their product can be deployed onto the AWS quite easily, hence it’s easy to evaluate, and once you have access to the right channel, it has quite a bunch of resource to support you.
Output Example:
Streaming Media and Download 137171.941 Advertising 49508.214 Business 45659.808 Internet Radio and TV 27932.994 Information Technology 25066.791 Health and Wellness 18918.331 Government and Legal Organizations 18881.806 Web Hosting 18608.554 Shopping 10576.678 Education 9224.136 Games 9083.764 Newly Observed Domain 7193.726 Personal Websites and Blogs 7054.746 Society and Lifestyles 4378.23 Unrated 3771.063 Content Servers 2933.707 Search Engines and Portals 1620.786 Meaningless Content 1577.338 Restaurant and Dining 535.872 Proxy Avoidance 494.937 Malicious Websites 188.418 Newsgroups and Message Boards 160.979 News and Media 138.786 Social Networking 64.236 Information and Computer Security 51.736 Reference 44.47 Finance and Banking 42.153 Travel 29.101 Web Analytics 17.174 Entertainment 8.232 Web-based Applications 3.737 Instant Messaging 2.95
Because I usually watch Netflix for a few hours everyday, it occupies most of the internet usage.
Here is the code:
Most of the connection sequence, I used the class provided by Fortinet team (FNTNLIB).
import operator import fmg_jsonapi IPADDR = "your-fortianalyzer-ipaddress" USER = "admin" PASSWD = "your-admin-password" def get_top_website_params(): from datetime import datetime, timedelta current_time = datetime.now() week_before = current_time - timedelta(days=7) top_web_params = { "case-sensitive": "false", "device": [{"devid": "All_Devices"}], "filter": "", "limit": 100, "sort-by": [ { "field": "bandwidth", "order": "desc" } ], "time-range": { "end": current_time.strftime("%Y-%m-%d %H:%M"), "start": week_before.strftime("%Y-%m-%d %H:%M"), }, "url": "/fortiview/adom/root/top-websites/run" } return top_web_params def get_task_params(task_id): task_params = { "url": "/fortiview/adom/root/top-sources/run/" + str(task_id) } return task_params def get_data(): conn = fmg_jsonapi.FortiManagerJSON() # conn.verbose('on') # conn.debug('on') conn.login(IPADDR, USER, PASSWD) # create top website viewer tasks params1 = [{"apiver": 3}] params1[0].update(get_top_website_params()) status, data = conn.http_request('add', params1) task_id = data['tid'] params2 = [{"apiver": 3}] params2[0].update(get_task_params(task_id)) status, data = conn.http_request('get', params2) # conn.verbose('off') # conn.debug('off') conn.logout() return data if __name__ == "__main__": d = get_data() traffic_data = {} for category in d['data']: traffic_data[category['catdesc']] = float(category['bandwidth']) sorted_traffic_data = sorted(traffic_data.items(), key=operator.itemgetter(1), reverse=True) for cat in sorted_traffic_data: print(cat[0], cat[1]/1000)
このFortiAnalyzerからの出力結果をWordCloudにすると以下のような感じ。
これをEcho Spot, Echo Showなどと組み合わせれば、音声で過去一週間でどのようなWebサイトが閲覧されたかが表示される。