Bulk Addition of IP Address Objects on a Fortigate Using CSV and PowerShell

During a recent redesign of a large Fortigate deployment I needed to import a large number of IP address objects into the new build. Simply copying the configuration to the new box was out of the question, because just as many objects buried in that configuration were not wanted or needed in the new build.

I had a spreadsheet listing everything I needed, so I built this simple PowerShell script, which writes a configuration that can be pasted into the Fortigate CLI. It builds the objects and adds a comment to each one, so that an administrator who later needs to know what an object is for has something to go on. It also offers to create an address group containing all of the objects, again with a comment on the group.

This can save a large amount of time on a rebuild or a new Fortigate deployment. It is also handy when you simply want to add a batch of objects, group them, and do so consistently and quickly.

Script Walk Through:

The script looks for a CSV file named Addresses.csv in the same folder as the script. The file has four columns with the headings Name,Address,Mask,Comment, one address object per row.

Running the script in PowerShell asks a few basic questions:

  1. Do you use VDOMs?
  2. What is the name of the VDOM you are adding the objects to? (Case sensitive: pasting a VDOM name in the wrong case creates a new VDOM rather than entering the existing one.)
  3. Do you want to create a group for these objects? If yes, it asks for a group name and comment.


The script builds the configuration and dumps it to a text file (AddressScript.txt in the script folder). It then asks whether you would like to open it in Notepad.


The file content can be copied from Notepad and pasted into the Fortigate CLI using your favorite SSH client. Watch the session output as it pastes: the CLI carries on past a line it rejects and reports it as a command parse error, so a bad row in the CSV is easy to miss if you do not scroll back.


Notes:

  • Currently the script only creates subnet objects. I am looking to add a check of the Address column so that anything that looks like an FQDN is created as an FQDN object instead.
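
The walkthrough above covers subnet objects only. As an added example (this is not the post's Create-AddressObjects.PS1, and it does not title-case the names the way that script does), the block below turns CSV rows into FortiOS address-object CLI while validating each row, accepting a /prefix as well as a dotted mask, escaping double quotes in comments, and choosing subnet, iprange or fqdn syntax from the Address column, which is the FQDN check the note asks for. The sample CSV text is constructed; the 79-character name limit is taken from the FortiOS CLI reference and should be confirmed against your firmware.

```powershell
# Added example, not the original script: CSV rows -> FortiOS "config firewall address" CLI.
# Sample rows at the bottom are constructed for illustration.

function ConvertTo-FortiString {
    param([string]$Text)
    # FortiOS quoted strings use backslash to escape backslash and double quote
    return ($Text -replace '\\', '\\' -replace '"', '\"')
}

function Convert-PrefixToMask {
    param([int]$Prefix)
    # /20 -> 255.255.240.0, built one octet at a time
    if ($Prefix -lt 0 -or $Prefix -gt 32) { throw "Invalid prefix length /$Prefix" }
    $octets = foreach ($i in 0..3) {
        $bits = [Math]::Max(0, [Math]::Min(8, $Prefix - 8 * $i))
        (0xFF -shl (8 - $bits)) -band 0xFF
    }
    return ($octets -join '.')
}

function Test-IPv4 {
    param([string]$Value)
    $ip = $null
    # dotted quad with every octet in range (TryParse alone would accept "10" as 0.0.0.10)
    return ($Value -match '^(\d{1,3}\.){3}\d{1,3}$' -and [System.Net.IPAddress]::TryParse($Value, [ref]$ip))
}

function Get-AddressType {
    param([string]$Address)
    # Classify the Address column: dotted quad -> subnet, a-b -> iprange, hostname -> fqdn
    $quad = '(\d{1,3}\.){3}\d{1,3}'
    if ($Address -match "^$quad-$quad$") { return 'iprange' }
    if ($Address -match "^$quad$")       { return 'subnet' }
    if ($Address -match '^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$') { return 'fqdn' }
    throw "Unrecognised address '$Address'"
}

function New-FortiAddressConfig {
    param([object[]]$Rows, [string]$Vdom = '', [string]$GroupName = '', [string]$GroupComment = '')
    $out = New-Object System.Collections.Generic.List[string]
    $members = @()
    if ($Vdom) { $out.Add('config vdom'); $out.Add("edit $Vdom") }
    $out.Add('config firewall address')
    foreach ($row in $Rows) {
        $name = "$($row.Name)".Trim()
        if (-not $name) { continue }                                     # skip blank rows
        if ($name.Length -gt 79) { throw "Name '$name' is longer than 79 characters" }   # FortiOS limit (assumed from CLI reference)
        $addr = "$($row.Address)".Trim()
        $out.Add("edit `"$(ConvertTo-FortiString $name)`"")
        switch (Get-AddressType $addr) {
            'subnet' {
                $mask = "$($row.Mask)".Trim()
                if ($mask -match '^/?(\d{1,2})$') { $mask = Convert-PrefixToMask ([int]$Matches[1]) }
                if (-not (Test-IPv4 $addr) -or -not (Test-IPv4 $mask)) { throw "Bad subnet '$addr $mask' for $name" }
                $out.Add("set subnet $addr $mask")
            }
            'iprange' {
                $start, $end = $addr -split '-'
                if (-not (Test-IPv4 $start) -or -not (Test-IPv4 $end)) { throw "Bad range '$addr' for $name" }
                $out.Add('set type iprange'); $out.Add("set start-ip $start"); $out.Add("set end-ip $end")
            }
            'fqdn' { $out.Add('set type fqdn'); $out.Add("set fqdn `"$addr`"") }
        }
        if ($row.Comment) { $out.Add("set comment `"$(ConvertTo-FortiString $row.Comment)`"") }
        $out.Add('next')
        $members += "`"$(ConvertTo-FortiString $name)`""
    }
    $out.Add('end')
    if ($GroupName -and $members) {
        $out.Add('config firewall addrgrp')
        $out.Add("edit `"$(ConvertTo-FortiString $GroupName)`"")
        $out.Add("set member $($members -join ' ')")
        if ($GroupComment) { $out.Add("set comment `"$(ConvertTo-FortiString $GroupComment)`"") }
        $out.Add('next'); $out.Add('end')
    }
    if ($Vdom) { $out.Add('end') }    # leave the VDOM context so the session ends where it started
    return ($out -join "`n")
}

# Constructed sample rows, same headings as the post's Addresses.csv
$sampleCsv = @'
Name,Address,Mask,Comment
Web-Srv-01,10.10.20.15,255.255.255.255,"Web server ""prod"" - ticket 1234"
Corp-LAN,10.10.0.0,/16,Corporate LAN
Vendor-Pool,192.0.2.10-192.0.2.20,,Vendor NAT pool
Update-Site,updates.example.com,,Patch source (FQDN object)
'@
$rows   = $sampleCsv | ConvertFrom-Csv
$config = New-FortiAddressConfig -Rows $rows -Vdom 'root' -GroupName 'Imported-Objects' -GroupComment 'Bulk import'
$config
# $config | Out-File .\AddressScript.txt -Encoding ascii   # ASCII pastes cleanly over SSH
```

A row that fails validation throws before anything is written, which is preferable to pasting a half-valid script and hunting for parse errors in the SSH session afterwards.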

Script Contents:


#############################################################
#
# Script: Create-AddressObjects.PS1
# Description: This script reads a CSV file located in the
# folder with the script. Currently hard coded to
# ".\Addresses.csv". You will also be prompted to provide a
# name and comment for any group that you want to create
# for these new address objects.
#
#############################################################
#Make Script location the current folder
Split-Path -parent $MyInvocation.MyCommand.Definition | Set-Location

function Answer-YesNo {
#Function Returns Boolean output from a yes/no question
#
# Usage: Answer-YesNo "Question Text" "Title Text"
#
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes",""
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No",""
$choices = [System.Management.Automation.Host.ChoiceDescription[]]($yes,$no)
$caption = "Warning!" #Default Caption
if ($args[1] -ne $null){
$caption = $args[1]} # Caption Passed as argument
$message = "Do you want to proceed" #Default Message
if ($args[0] -ne $null){
$message = $args[0]} #Message passed as argument
$result = $Host.UI.PromptForChoice($caption,$message,$choices,0)
if($result -eq 0) {return $true}
if($result -eq 1) {return $false}
}
clear
Write-Host -ForegroundColor Green "
#############################################################################
#
# FORTIGATE 5.X / 6.x ADDRESS OBJECT BULK IMPORT SCRIPT GENERATOR
#
# Ver. 1.2 / August 18 2018
# Author: Dan Parr /dparr@granite-it.net
#
# This Script is provided without warranty of any kind.
# Use at your own discretion.
#
#############################################################################

"

$VDOMName= ""
$ScriptStart = ""
$UseVDOMs = Answer-YesNo "Is the Fortigate configured with VDOMs?" "VDOM Configuration"
If ($UseVDOMs -eq $True){
#VDOM Names are Case Sensitive Using the wrong Case could create a new vdom in the CLI
$VDOMName = Read-Host "Please Enter VDOM Name (!!Case Sensitive!!):"
$ScriptStart = "
config vdom
edit $VDOMName"}
$MakeGroup = Answer-YesNo "Will you be creating a group for the imported Objects?" "Please Provide a Y or N Answer:"
$AddressObjects = Import-Csv .\Addresses.csv
$Script = "
$ScriptStart
config firewall address
"
$MemberList = ""
If ($MakeGroup -eq $true){
$GroupName = Read-Host -Prompt "
Please Enter the Name of the Object Group You Wish to Create
(NOTE:Avoid Using Spaces)"
$GroupComment = Read-Host -Prompt "
Enter A Comment Describing this Group
(ex. `"Webserver: dparr/Aug 4, 2016`")"
$GroupScript = "
$ScriptStart
config firewall addrgrp
edit `"$GroupName`"
set member"
}
$AddressObjects | foreach {
if ([string]::IsNullOrWhiteSpace($_.Name)) { return } #skip blank rows (return moves to the next item)
$Addr = $_.Address
#Normalise the name to Initial Capital so imported objects are named consistently
$Name = $_.Name.substring(0,1).toupper()+$_.Name.substring(1).tolower()
$Mask = $_.Mask
$Comment = $_.Comment

$Script += "
edit `"$Name`"
set subnet $Addr $Mask
set comment `"$Comment`"
next"
if ($MakeGroup -eq $true){
$MemberList += " `"$Name`""}
}
$Script += "
end"
#Leave the VDOM context again: config vdom is only accepted from the global context,
#so the group block below could not re-enter the VDOM otherwise
if ($UseVDOMs -eq $True){
$Script += "
end"}
if ($MakeGroup -eq $true){
$GroupScript += "$MemberList
set comment `"$GroupComment`"
next
end"
if ($UseVDOMs -eq $True){
$GroupScript += "
end"}
}
Write-Host $Script
#Write ASCII rather than the UTF-16 that > produces, so the file also pastes cleanly over SSH
$Script | Out-File .\AddressScript.txt -Encoding ascii
if ($MakeGroup -eq $true){
$GroupScript | Out-File .\AddressScript.txt -Encoding ascii -Append}
Clear

If ((Answer-YesNo "The CLI script has been written to .\AddressScript.txt. Would you like to open this file in Notepad now?" "Open CLI Script File?") -eq $true){

Notepad .\AddressScript.txt
}

Script and CSV can be Downloaded From Here


Enforcing DNS Web Filtering on Apple iOS Devices, Wherever They May Roam…

In a previous blog post I talked about setting up OpenDNS Family Shield on your home internet connection as an inexpensive way to do web filtering that protects your home systems from sites known to serve malware and viruses, and protects children from a lot of the icky stuff that is so easily found on the web. I have used it on my home connection for some time now. My systems stay clean and healthy, and so do my children. However, as the kids have grown and mobile devices have come into play, I have found that although I can protect devices connected to my home WiFi, I have no control over other networks: public hotspots, the WiFi at their friends' homes, and even cellular data connections are all outside the reach of that protection.

Windows devices are easy, because static DNS settings are bound to the WiFi adapter rather than to the WiFi network you connect to, so the settings from that post work regardless of which WiFi network a Windows device joins. Apple, however, does not let you change the DNS settings of the cellular data connection, and on iOS each WiFi network carries its own DNS settings rather than there being one global setting.

The Backstory:
One day not long ago, on our way back from a weekend away, I was in a local coffee shop with my family. I had forgotten my phone in the car and had one of those "gotta Google it" moments where I needed an answer right away. I borrowed my son's iPhone, cracked open Safari, and right there in that busy little coffee shop was greeted with Pornhub.com, wide open on his screen. He swore it wasn't him. After checking the internet history I asked him if it also wasn't him the 50 previous times over the weekend while we were connected to the internet at the hotel…

First:
I had a talk with him. I explained that I understood his curiosity and I wasn't really mad at him. I let him know that, more than anything, I was concerned for him. I wanted him to know that the acts and behaviour he may have seen on that screen are not real, and the way the people in those videos treat one another is not normal behaviour. I really wanted to get across to him that I never wanted to find out that he treated any woman in his life the way those girls are treated.

Second:
I went searching. I knew there must be something I could do to filter adult content on my son's phone even when he was not connected to our home internet connection. After some digging I found DNS Override. The app is free to download, and with a simple $2.79 CAD in-app purchase it does exactly what you need: it applies your DNS choice across all WiFi and cellular networks. Once configured you can enable a passcode to stop users turning its settings off. See the link to the configuration instructions below. It achieves this global setting by installing a dummy VPN (virtual private network) configuration; the VPN never actually connects, but the profile lets the app set the DNS servers according to the profile you select. The app has several built-in DNS profiles, one of which is OpenDNS Family Shield. You can also create your own profiles, although most parents will not need to. Bear in mind that this is still DNS-level filtering: an app that resolves names through its own encrypted DNS service, or a real VPN profile that replaces the dummy one, is outside its reach.

Hands down, this is one of the best apps I have found for enabling security and web filtering on Apple devices. It is simple and inexpensive, and frankly any parent whose children use mobile devices should be looking for a solution like this to keep them safe.

For more information on configuring DNS Override to protect your device, see their blog post here.

If you wish, you can further enforce this configuration by restricting users from uninstalling apps from the device. Those settings (also passcode protected) are under Settings | General | Restrictions; turn off the "Delete Apps" option.


I do not want to police my children to death, but I don’t want them to be exposed to Adult content and other dangerous websites, when there are great and easy options out there for me to protect them. I hope that after reading this post, others are now able to take advantage of this information and protect their youngsters as well.

Windows Powershell Script to Collect CDP and LLDP Information

Often as a network administrator I find myself trying to determine which port on which switch a network drop connects back to. I may need this information for VLAN changes and the like. I have a Fluke EtherScope that has a CDP test, but it is older and will not communicate with newer non-Cisco gear.

I have looked unsuccessfully for a simple tool to gather this information. Every project I found on GitHub or SourceForge seemed ill maintained and buggy. I decided that I could use a capture filter in Wireshark to capture CDP and LLDP packets. This succeeds in getting the info, but reading through everything in the packets and expanding every part of the tree is a pain. I simplified this by having a PowerShell script collect the information using TShark.exe and then parse the output for the fields I wanted to display.

This script requires that a recent version of Wireshark be installed on the system running the script, along with the optional TShark component. TShark captures through the same packet-capture driver as Wireshark, so run it from an account that is permitted to capture. Keep in mind that the details it displays (switch name, platform, management IP, native VLAN) are exactly what CDP and LLDP hand to anything plugged into the port; many organisations disable both protocols on user-facing ports for that reason, in which case the script will simply time out with nothing received.

I am sure that some of the code here could be improved and welcome comments and suggestions.

############################################################################
# Script: PortCheck.ps1
#
# Description: Listens for CDP and LLDP and displays switch port
# information for the selected interface
#
# Author: Dan Parr / 2016
#
# Version: 1.4
#
# NOTE: Script Requires a Recent Version of Wireshark to be installed in the
# Default program files directory
############################################################################


Function Process-CDP{

#This Function pulls some info from the CDP packet blob to display to the user
#and returns the display string. Could be expanded to include any other details
#contained in the packet.
#Select-String matches case-insensitively, so "IP address:" and "IP Address:" both hit.

$Device = $args[0] | Select-String -Pattern "Device ID: "
$Platform = $args[0] | Select-String -Pattern "Platform: "
$IP = $args[0] | Select-String -Pattern "IP Address: "
$Interface = $args[0]| Select-String -Pattern "Port ID: "
$VLanID = $args[0]| Select-String -Pattern "Native VLAN: "

#A TLV the switch did not send leaves the variable empty; report that instead of failing on [0].
#-replace is a case-insensitive regex replace, unlike .replace(), which is case-sensitive and
#would leave "Port ID:" untouched.
$D = if ($Device) {$Device[0].tostring().trim() -replace "Device ID: ","Switch Name: "} else {"Switch Name: (not advertised)"}
$P = if ($Platform) {$Platform[0].tostring().trim() -replace "Platform: ","Switch Description: "} else {"Switch Description: (not advertised)"}
#Truncate Platform information if needed

if ($P.length -gt 88){
$P = $P.substring(0,87).trim() + " (Truncated...)"}

$I = if ($IP) {$IP[0].tostring().trim() -replace "IP Address: ","Switch IP Address: "} else {"Switch IP Address: (not advertised)"}
$V = if ($VLanID) {$VLanID[0].tostring().trim() -replace "Native VLAN: ","Current VLAN Assignment: "} else {"Current VLAN Assignment: (not advertised)"}
$Int = if ($Interface) {$Interface[0].tostring().trim() -replace "Port ID: ","Switch Port: "} else {"Switch Port: (not advertised)"}

$Response = "
######################################################
CDP information Collected
######################################################

$D
$Int
$I
$V

$P

######################################################"

$Response
}

Function Process-LLDP{

#This Function pulls some info from the LLDP packet blob to display to the user
#and returns the display string. Could be expanded to include any other details
#contained in the packet.

$Device = $args[0] | Select-String -Pattern "System Name: "
$IP = $args[0] | Select-String -Pattern "Management Address: "
$Platform = $args[0] | Select-String -Pattern "^\s*System Description"
$Interface = $args[0]| Select-String -Pattern "Port ID: "
$VLanID = $args[0]| Select-String -Pattern "Port VLAN Identifier: "

#A TLV the switch did not send (management address is often missing) leaves the variable
#empty; report that instead of failing on [0]
$D = if ($Device) {$Device[0].tostring().trim() -replace "System Name: ","Switch Name: "} else {"Switch Name: (not advertised)"}
$P = if ($Platform) {$Platform[0].tostring().trim() -replace "System Description\s*[=:]\s*","Switch Description: "} else {"Switch Description: (not advertised)"}
#Truncate Platform Info if needed
if ($P.length -gt 88){
$P = $P.substring(0,87).trim() + " (Truncated...)"}

$V = if ($VLanID) {$VLanID[0].tostring().trim() -replace "Port VLAN Identifier: ","Current VLAN Assignment: "} else {"Current VLAN Assignment: (not advertised)"}

$I = if ($IP) {$IP[0].tostring().trim() -replace "Management Address: ","Switch IP Address: "} else {"Switch IP Address: (not advertised)"}
$Int = if ($Interface) {$Interface[0].tostring().trim() -replace "Port ID: ","Switch Port: "} else {"Switch Port: (not advertised)"}

$Response = "
######################################################
LLDP information Collected
######################################################

$D
$Int
$I
$V

$P

######################################################"

$Response

}

### MAIN SCRIPT ###

Clear
Write-Host -ForegroundColor Green "
#############################################################################
#
# PortCheck: CDP and LLDP Scanner
#
# Ver. 1.4 / Jan 26 2017
# Author: Dan Parr
#
# This Script is provided without warranty of any kind.
# Use at your own discretion.
# This Script Requires Wireshark (with TShark) to be installed
#
#############################################################################
"

#Utilize TShark.exe to display interfaces
$Command = "C:\Program Files\Wireshark\tshark.exe"
if (-not (Test-Path $Command)) { throw "TShark not found at $Command. Install Wireshark with the TShark component." }
$InterfaceOptions = @('-D')

Write-Host "Collecting Adapters:"
#Execute Tshark.exe and pass an array of arguments
& $Command $InterfaceOptions

#Have user Input the interface ID number
$IntID = Read-Host -Prompt "Please Enter The Interface ID# That You want to Monitor"

##########################################################################
#TShark Command Line Options
##########################################################################

#Define a Capture Filter to Capture only CDP or LLDP packets
$CaptureFilter = "(ether proto 0x88cc) or ( ether host 01:00:0c:cc:cc:cc and ether[16:4] = 0x0300000C and ether[20:2] == 0x2000)"
#Define How long TShark will Wait in Seconds for a CDP or LLDP packet
$Duration = "120"

#Other CMD Options used:
#-c: Count of Packets to Capture
#-V: Collect Packet Details
#-Q: Only Log true errors to stderr (quieter than -q)


#Found some possible unneeded command line options ('-S','-l')
#$Options= @('-i',"$IntID",'-f',$CaptureFilter,'-a',"duration:$Duration",'-S','-l','-c','1','-V','-Q')

$Options= @('-i',"$IntID",'-f',$CaptureFilter,'-a',"duration:$Duration",'-c','1','-V','-Q')

###########################################################################

Clear
Write-Host -ForegroundColor Green "
Listening for CDP or LLDP Advertisements on the Wire
This May Take up to $Duration Seconds
"
#Execute TShark Command and pass an array of arguments. Use STDOut to populate Variable
#(capture needs the Npcap/WinPcap driver and an account that is allowed to use it)
$CDP = & $Command $Options
#Keep the raw packet decode for troubleshooting
$CDP > .\Packet.txt
#Determine the type of Data Received and Act on it
$CollectedInfo = $null
If ((Select-String -Pattern "Cisco Discovery Protocol" -InputObject $CDP).length -gt 0) {
Write-Host -ForegroundColor Yellow "Received CDP Announcement:
"
$CollectedInfo = Process-CDP $CDP
}
ElseIf ((Select-string -Pattern "Link Layer Discovery Protocol" -InputObject $CDP).length -gt 0) {
Write-Host -ForegroundColor Yellow "Found LLDP Announcement on the Wire:
"
$CollectedInfo = Process-LLDP $CDP
}
Else {
Write-Host -ForegroundColor Magenta "No CDP Or LLDP info Received (nothing matched the capture filter within $Duration seconds)"
}
#Only touch the clipboard when there is something to copy
if ($CollectedInfo) {
Set-Clipboard $CollectedInfo
Write-Host -ForegroundColor Green $CollectedInfo
Write-Host -ForegroundColor Yellow "Note: This information has been copied to the Windows clipboard
"
}
Read-host -Prompt "Press Enter to End the Script and close"
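
Process-CDP and Process-LLDP above pull fields out of tshark's text by label. As an added example (not the post's PortCheck.ps1), the block below does the same job in one protocol-aware parser that returns an object instead of a display string and tolerates TLVs the neighbour did not send, which is the case that trips up indexing into an empty Select-String result. It also spells out what each byte offset in the post's capture filter means. The two sample captures are constructed to mimic tshark's field labels; they are not real packet dumps, and the interface number in the commented live call is an assumption.

```powershell
# Added example, not the post's script: parse tshark -V text for a CDP or LLDP frame.
# Samples below are constructed, not real captures.

# Same BPF filter PortCheck.ps1 uses, with the byte offsets spelled out:
#   0x88cc            = LLDP EtherType
#   01:00:0c:cc:cc:cc = CDP multicast destination
#   ether[16:4]       = LLC control byte 0x03 followed by the Cisco SNAP OUI 00:00:0C
#   ether[20:2]       = SNAP protocol ID 0x2000 (CDP)
$CaptureFilter = '(ether proto 0x88cc) or (ether host 01:00:0c:cc:cc:cc and ether[16:4] = 0x0300000C and ether[20:2] == 0x2000)'

$SampleCdp = @'
Frame 1: 180 bytes on wire (1440 bits), 180 bytes captured (1440 bits)
Cisco Discovery Protocol
    Version: 2
    TTL: 180 seconds
    Device ID: core-sw01.example.net
        Device ID: core-sw01.example.net
    Addresses
        IP address: 10.1.1.2
    Port ID: GigabitEthernet1/0/12
    Platform: cisco WS-C2960X-48TS-L
    Native VLAN: 120
'@

# LLDP neighbour that advertises no management address (common on cheaper switches)
$SampleLldp = @'
Frame 1: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits)
Link Layer Discovery Protocol
    System Name = access-sw02
        System Name: access-sw02
    Port Id: gi7
    System Description = Example 24-port managed switch, firmware 3.2.1
    Port VLAN Identifier: 30
'@

function ConvertFrom-DiscoveryText {
    param([string[]]$Lines)
    $text = $Lines -join "`n"
    if     ($text -match 'Cisco Discovery Protocol')      { $proto = 'CDP' }
    elseif ($text -match 'Link Layer Discovery Protocol') { $proto = 'LLDP' }
    else   { return $null }

    # Label regexes per protocol, following what tshark -V prints (CDP says "Port ID",
    # LLDP "Port Id"; the (?i) flag below makes the case irrelevant)
    $labels = if ($proto -eq 'CDP') {
        [ordered]@{ SwitchName = 'Device ID:'; Port = 'Port ID:'; ManagementIP = 'IP address:'
                    Vlan = 'Native VLAN:'; Description = 'Platform:' }
    } else {
        [ordered]@{ SwitchName = 'System Name:'; Port = 'Port Id:'; ManagementIP = 'Management Address:'
                    Vlan = 'Port VLAN Identifier:'; Description = 'System Description\s*[=:]' }
    }

    $result = [ordered]@{ Protocol = $proto }
    foreach ($key in $labels.Keys) {
        # first line that starts with the label; the value is the rest of that line
        $pattern = '(?im)^\s*' + $labels[$key] + '\s*(\S.*?)\s*$'
        $m = [regex]::Match($text, $pattern)
        $result[$key] = if ($m.Success) { $m.Groups[1].Value } else { '(not advertised)' }
    }
    if ($result.Description.Length -gt 88) {          # keep the display line readable
        $result.Description = $result.Description.Substring(0, 87).Trim() + ' (Truncated...)'
    }
    return [pscustomobject]$result
}

# Run against the constructed samples
ConvertFrom-DiscoveryText ($SampleCdp -split "`n")  | Format-List
ConvertFrom-DiscoveryText ($SampleLldp -split "`n") | Format-List

# Live use: feed tshark's output in place of the sample (same arguments PortCheck.ps1 uses;
# the interface number 3 is an assumption, take it from tshark -D)
# $live = & 'C:\Program Files\Wireshark\tshark.exe' -i 3 -f $CaptureFilter -a duration:120 -c 1 -V -Q
# ConvertFrom-DiscoveryText $live
```

The LLDP sample comes back with ManagementIP set to "(not advertised)" rather than an error, and because the result is an object you can pipe it to Export-Csv when walking a whole floor of drops instead of copying one result at a time from the clipboard.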

Easy Family Friendly Web Filtering, And Best of All it’s Free

One of the easiest protections I use on my home network to keep inappropriate websites off my children's screens is DNS web filtering.

DNS stands for Domain Name System. The easiest way to describe it is that DNS is the phone book of the internet: a web address is a name, and the web server's IP address is the phone number. When you key in a website or click a link, your computer sends the name to a DNS server, which returns the IP address your computer should contact for the content. A filtering DNS service simply does not hand back the real IP address when the name belongs to an inappropriate site, and instead answers with the address of a block page.

OpenDNS is a free DNS provider that offers a simple and easy to use product called Family Shield. Click the following link for more information: Family Shield.

Once Configured, when a user attempts to access an adult website either accidentally or out of curiosity (We are all curious, especially in our youth…) they are redirected to a standard block page:


OpenDNS provides basic configuration instructions Here: https://www.opendns.com/setupguide/?url=familyshield

The recommended configuration is to have your home router hand these servers out to every device that connects through your internet connection. That automatically covers every PC, laptop, tablet, iPod, cell phone or gaming console on your home network, though you can set it up on individual devices as well. Note that the router setting only reaches devices that take their DNS from the router: a device with its own hard-coded DNS servers, or an app that resolves names through its own encrypted DNS service, is not filtered by it.

In the coming days I hope to provide a tutorial video on configuring a router, as well as a utility to easily configure a single Windows PC with Family Shield protection.
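
For the single-Windows-PC case, here is an added example (it is not the utility the post promises, and not OpenDNS's code) that sets every connected physical adapter to the Family Shield resolvers and then checks that the change actually took. The two resolver addresses are OpenDNS's published Family Shield servers; treat them as an assumption and confirm them against the OpenDNS setup guide linked above. Run it from an elevated PowerShell session on Windows 8 or later.

```powershell
# Added example: point a Windows PC at OpenDNS Family Shield and verify. Resolver addresses
# are assumed from OpenDNS's published values; confirm against the setup guide.

$FamilyShieldServers = @('208.67.222.123', '208.67.220.123')

function Get-PhysicalUpAdapter {
    # Wired and wireless adapters that are currently connected; skips virtual adapters
    Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
}

function Set-FamilyShieldDns {
    param([string[]]$Servers = $FamilyShieldServers, [switch]$WhatIf)
    # Static DNS is a per-adapter setting in Windows, so it stays in force on every WiFi
    # network the adapter joins: DHCP still hands out an address, but Windows ignores the
    # DNS servers it offers once static ones are set.
    foreach ($a in Get-PhysicalUpAdapter) {
        if ($WhatIf) {
            Write-Host "Would set $($a.Name) (ifIndex $($a.ifIndex)) to $($Servers -join ', ')"
            continue
        }
        Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $Servers
        Write-Host "Set $($a.Name) to $($Servers -join ', ')"
    }
}

function Test-FamilyShieldDns {
    param([string[]]$Servers = $FamilyShieldServers)
    # $true only if every connected adapter lists nothing but the Family Shield resolvers
    # for IPv4 and each resolver actually answers a query.
    $ok = $true
    foreach ($a in Get-PhysicalUpAdapter) {
        $cfg   = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses
        $other = @($cfg | Where-Object { $_ -notin $Servers })
        if (-not $cfg -or $other.Count -gt 0) {
            Write-Warning "$($a.Name): IPv4 resolvers are '$($cfg -join ', ')', expected only Family Shield"
            $ok = $false
        }
        # An IPv6 resolver learned from the network is a way around the filter; flag it
        $v6 = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv6).ServerAddresses
        if ($v6) { Write-Warning "$($a.Name): also has IPv6 resolvers ($($v6 -join ', ')) that are not filtered" }
    }
    foreach ($s in $Servers) {
        try   { $null = Resolve-DnsName -Name 'example.com' -Type A -Server $s -ErrorAction Stop }
        catch { Write-Warning "No answer from $s : $_"; $ok = $false }
    }
    return $ok
}

Set-FamilyShieldDns -WhatIf    # preview; drop -WhatIf to apply
# Test-FamilyShieldDns         # $true once the change has been applied and verified
```

The verification step matters more than the change itself: a laptop that picks up an IPv6 resolver from a hotspot, or a child who knows how to open the adapter properties, leaves the filter silently bypassed, and Test-FamilyShieldDns is a quick way to notice.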

Comment below if you have any questions!

Simple Steps toward a Safer Online Experience

Although the internet offers the most amazing resources for research, education, information and media, we are all aware of how ugly it can be. Yet in this day and age our impressionable children are among those most reliant on the internet in their daily lives; everything from education to entertainment is centred on it. I am an IT dad. I have made it my life to be in touch with technology, and my children hate it. I impose restrictions on them that many parents do not know are possible. I am currently working to educate others and make them aware of how easy some of these changes are to implement. Future posts will touch on basic filtering technologies and how to limit access with time limits and curfews. Where possible I will include instructions, videos and access to utilities to help others safeguard their children online.