Bulk Addition of IP Address Objects On Fortigate using CSV, and PowerShell

During a recent redesign of a large Fortigate deployment I needed to be able to import large numbers of IP address objects into the new build.  Simply copying the configuration to the new box was out of the question as there were just as many Objects buried in the configuration that were not wanted/needed in the new build.

I had a spreadsheet developed listing everything I needed so I built this simple PowerShell script that will write a config that can be pasted into the Fortigate CLI.  It builds the Objects, and imports a comment for each to add clarity down the road, when an administrator needs to know what an object is for.  It also provides the option to create an address group and apply all of the objects to that group, and again a Comment is created on the group object as well.

This script can save a large amount of time on a rebuild, or new Fortigate deployment.  It is also a great help if you just want to add a bunch of Objects and group them, and do things consistently and quickly.

Script Walk Through:

The Script Looks for a CSV file named Addresses.csv in the same folder as the script. The file would have the following column Headings: Name,Address,Mask,Comment as shown in the screen below:

Running the Script in PowerShell will ask a few basic questions:

  1. Do you Use VDOM’s
  2. What is the Name of the VDOM you are adding the Objects to (Case Sensitive)
  3. Do you want to create a group for these Objects, If yes it asks for a group name and comment.

 

 

 

 

The Script Builds the configuration and dumps it to a text file.  It will then ask if you would like to open it in notepad.

 

The file content can be copied from Notepad and pasted into the Fortigate CLi using your favorite SSH client

 

 

 

 

 

Notes:

  • Currently the script only creates Subnet Objects, however I am looking to build the capability of it checking the address and if it looks like a FQDN it would create and FQDN object instead.

Script Contents:


#############################################################
#
# Script: Create-AddressObjects.PS1
# Description: This Script will Read a CSV file Included In
# In the folder with the script. Currently Hard Coded to
# ".\Addresses.csv". you will also be prompted to provide a
# Name and Comment info for any group that you want to create
# for these new adddress objects.
#
#
#
#
#############################################################
#Make Script location the current folder
Split-Path -parent $MyInvocation.MyCommand.Definition | Set-Location

function Answer-YesNo {
#Function Returns Boolean output from a yes/no question
#
# Usage: Answer-YesNo "Question Text" "Title Text"
#
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes",""
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No",""
$choices = [System.Management.Automation.Host.ChoiceDescription[]]($yes,$no)
$caption = "Warning!" #Default Caption
if ($args[1] -ne $null){
$caption = $args[1]} # Caption Passed as argument
$message = "Do you want to proceed" #Default Message
if ($args[0] -ne $null){
$message = $args[0]} #Message passed as argument
$result = $Host.UI.PromptForChoice($caption,$message,$choices,0)
if($result -eq 0) {return $true}
if($result -eq 1) {return $false}
}
clear
Write-Host -ForegroundColor Green "
#############################################################################
#
# FORTIGATE 5.X / 6.x ADDRESS OBJECT BULK IMPORT SCRIPT GENERATOR
#
# Ver. 1.2 / August 18 2018
# Author: Dan Parr /dparr@granite-it.net
#
# This Script is provided without warranty of any kind.
# Use at your own discretion.
#
#############################################################################

"

$VDOMName= ""
$ScriptStart = ""
$UseVDOMs = Answer-YesNo "Does The Fortigate Configured with VDOMs?" "VDOM Configuration"
If ($UseVDOMs -eq $True){
#VDOM Names are Case Sensitive Using the wrong Case could create a new vdom in the CLI
$VDOMName = Read-Host "Please Enter VDOM Name (!!Case Sensitive!!):"
$ScriptStart = "
config vdom
edit $VDOMName"}
$MakeGroup = Answer-YesNo "Will you be creating a group for the imported Objects?" "Please Provide a Y or N Answer:"
$AddressObjects = Import-Csv .\Addresses.csv
$Script = "
$ScriptStart
config firewall address
"
$MemberList = ""
If ($MakeGroup -eq $true){
$GroupName = Read-Host -Prompt "
Please Enter the Name of the Object Group You Wish to Create
(NOTE:Avoid Using Spaces)"
$GroupComment = Read-Host -Prompt "
Enter A Comment Describing this Group
(ex. `"Webserver: dparr/Aug 4, 2016`")"
$GroupScript = "
$ScriptStart
config firewall addrgrp
edit `"$GroupName`"
set member"
}
$AddressObjects | foreach {
$Addr = $_.Address
$Name = $_.Name.substring(0,1).toupper()+$_.Name.substring(1).tolower()
$Mask = $_.Mask
$Comment = $_.Comment

$Script += "
edit `"$Name`"
set subnet $Addr $Mask
set comment `"$Comment`"
next"
if ($MakeGroup -eq $true){
$MemberList += " `"$Name`""}
}
$Script += "
end"
if ($MakeGroup -eq $true){
$GroupScript += "$MemberList
set comment `"$GroupComment`"
next
end"
}
Write-Host $Script
$Script > .\AddressScript.txt
$GroupScript >> .\AddressScript.txt
Clear

If ((Answer-YesNo "The CLI Script Has been Written to .\AddressScript.txt Would you like to open this file in notepad now?" "Open CLI Script File?") -eq $true){

Notepad .\AddressScript.txt
}

Script and CSV can be Downloaded From Here

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s