# PowerFGT

PowerShell module to manage Fortinet (FortiGate) Firewall
<p align="center">
<a href="https://www.powershellgallery.com/packages/PowerFGT/" alt="PowerShell Gallery Version"> <img src="https://img.shields.io/powershellgallery/v/PowerFGT.svg" /></a>
<a href="https://www.powershellgallery.com/packages/PowerFGT/" alt="PS Gallery Downloads"> <img src="https://img.shields.io/powershellgallery/dt/PowerFGT.svg" /></a>
<!-- <a href="https://www.powershellgallery.com/packages/PowerFGT/" alt="PS Platform"> <img src="https://img.shields.io/powershellgallery/p/PowerFGT.svg" /></a> -->
</p>
<p align="center">
<a href="https://github.com/FortiPower/PowerFGT/graphs/commit-activity" alt="GitHub Last Commit"> <img src="https://img.shields.io/github/last-commit/FortiPower/PowerFGT/master.svg" /></a>
<a href="https://raw.githubusercontent.com/FortiPower/PowerFGT/master/LICENSE" alt="GitHub License"> <img src="https://img.shields.io/github/license/FortiPower/PowerFGT.svg" /></a>
<a href="https://github.com/FortiPower/PowerFGT/graphs/contributors" alt="GitHub Contributors"> <img src="https://img.shields.io/github/contributors/FortiPower/PowerFGT.svg"/></a>
</p>

This is a PowerShell module to configure a FortiGate (Fortinet) firewall.
With this module (version 0.10.0) you can manage:
- Address (Add/Get/Copy/Set/Remove object type ipmask/subnet, FQDN, iprange, geo, mac and dynamic (SDN))
- AddressGroup (Add/Get/Copy/Set/Remove and Add/Remove Member)
- DHCPServer (Get)
- DNS (Get)
- HA (Get)
- Interface (Add/Get/Set/Remove Vlan, aggregate, loopback and Add/Remove Member)
- IP Pool (Get)
- Log Traffic/Event (Get)
- Monitor (Get)
- Policy (Add/Get/Remove)
- Proxy Address/Address Group/Policy (Add/Get/Set/Remove)
- Local In Policy (Add/Get/Copy/Set/Remove and Add/Remove Member)
- Router BGP (Get/Set)
- Router OSPF (Get/Set)
- RoutePolicy (Get)
- SDN Connector (Get)
- Service Custom (Add/Get/Set/Remove)
- Service Group (Add/Get/Copy/Set/Remove and Add/Remove Member)
- Static Route (Add/Get/Remove)
- Switch(-controller) (Get)
- System Admin (Add/Get/Set/Remove)
- System Global (Get/Set)
- System Settings (Get/Set)
- Security Profiles (Get)
- User LDAP (Add/Get/Set/Remove)
- User Local (Add/Get/Set/Remove)
- User Group (Add/Get/Copy/Set/Remove and Add/Remove Member)
- User SAML (Get)
- User RADIUS (Add/Get/Set/Remove)
- User TACACS (Add/Get/Set/Remove)
- VDOM (Get)
- Virtual IP (Add/Get/Remove object type static-nat)
- Virtual IP Group (Add/Get/Copy/Set/Remove and Add/Remove Member)
- Virtual WAN Link/SD-WAN (Get)
- VPN IPsec Phase 1/Phase 2 Interface (Add/Get/Set/Remove)
- VPN SSL (Get Client, Portal, Settings)
- Web Filter (Get Profile)
- Wireless (Get)
- Zone (Add/Get/Set/Remove and Add/Remove Member)
- ZTNA (Get Access Proxy)
There are also some extra features.

More functionality will be added later.

Connection can use HTTPS (default) or HTTP.

Tested with FortiGate 5.6.x, 6.x, 7.x and 8.x (beta) firmware; it will also work with 5.4.x.

Experimental VDOM support is available through the -vdom parameter of each cmdlet.
## Usage

All resource management functions are available with the PowerShell verbs GET, ADD, COPY, SET and REMOVE.
For example, you can manage Address objects with the following commands:

```powershell
Get-FGTFirewallAddress
Add-FGTFirewallAddress
Copy-FGTFirewallAddress
Set-FGTFirewallAddress
Remove-FGTFirewallAddress
```
## Requirements

- PowerShell 5 or 6.x/7.x (Core) (if possible, get the latest version)
- A Fortinet FortiGate firewall with HTTPS enabled (recommended)
## Instructions

### Install the module

```powershell
# Automated installation (PowerShell 5 or later):
Install-Module PowerFGT

# Import the module
Import-Module PowerFGT

# Get commands in the module
Get-Command -Module PowerFGT

# Get help
Get-Help Get-FGTFirewallAddress -Full
```
## Examples

### Connecting to the FortiGate Firewall

The first thing to do is to connect to a FortiGate Firewall with the command Connect-FGT:

```powershell
# Connect to the FortiGate Firewall
Connect-FGT 192.0.2.1
# we get a prompt for credentials
```

You can select the port using the -port parameter:

```powershell
# Connect to the FortiGate Firewall using port 4443
Connect-FGT 192.0.2.1 -port 4443
```

If you use OTP (FortiToken) for admin access, you can use -token_code to specify the token, or -token_prompt to be asked for the token/OTP when connecting:

```powershell
# Connect to the FortiGate Firewall with the token asked
Connect-FGT 192.0.2.1 -token_prompt
```

You can also connect using an API token (see the FortiOS documentation on generating a REST API token):

```powershell
# Connect to the FortiGate Firewall with API Token
Connect-FGT 192.0.2.1 -apitoken 79GyN89Q7w00rG6pj09yd7wGG3kmds
```

If you get a warning about "Unable to connect", look at the related GitHub issue.
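The connection examples above pass the API token as a literal on the command line, where it also lands in the console history. The following added example (not part of the PowerFGT README) takes the token from a secret store or a SecureString prompt instead, keeps TLS certificate validation enabled, runs a read-only sanity check and closes the session. Connect-FGT, -port, -apitoken and -vdom are documented on this page; Disconnect-FGT (with -Confirm) and the -SkipCertificateCheck parameter mentioned in the comments are assumed from the module and should be confirmed with Get-Help Connect-FGT. The server address and the FGT_API_TOKEN variable name are constructed for the example.

```powershell
# Added example, not from the PowerFGT README. Connect-FGT, -port, -apitoken and
# -vdom appear on the page; Disconnect-FGT and -SkipCertificateCheck are assumed
# from the module (check Get-Help Connect-FGT). 192.0.2.1 is a constructed address.
param(
    [string]$Server = '192.0.2.1',
    [int]$Port = 443,
    [string]$Vdom = 'root'
)

Import-Module PowerFGT

# 1. Obtain the API token without writing it into a script or the console
#    history. Prefer an environment variable populated by a secret store
#    (CI secret, credential manager); otherwise prompt for it as a SecureString.
$token = $env:FGT_API_TOKEN
if ([string]::IsNullOrEmpty($token)) {
    $secure = Read-Host -Prompt 'FortiGate API token' -AsSecureString
    $token  = [System.Net.NetworkCredential]::new('', $secure).Password
}

$connected = $false
try {
    # 2. Connect. TLS certificate validation stays on (the module default);
    #    do not add -SkipCertificateCheck outside a lab, install a trusted
    #    certificate on the FortiGate instead. -vdom scopes every later cmdlet.
    Connect-FGT $Server -port $Port -apitoken $token -vdom $Vdom | Out-Null
    $connected = $true

    # 3. Read-only smoke test: the built-in 'all' address object must exist.
    $all = Get-FGTFirewallAddress -name all
    if (-not $all) { throw "Connected, but the 'all' address object was not returned" }
    Write-Host "Connected to $Server (vdom $Vdom); sanity check passed."
}
finally {
    # 4. Drop the token from memory and end the session even if a step failed.
    $token = $null
    if ($connected) { Disconnect-FGT -Confirm:$false }
}
```

Use an API user whose profile is read-only for reporting scripts; a token only needs write access when the script actually changes configuration.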
### Address

You can create a new Address with Add-FGTFirewallAddress, retrieve its information with Get-FGTFirewallAddress,
modify its properties with Set-FGTFirewallAddress, copy/clone it with Copy-FGTFirewallAddress
or delete it with Remove-FGTFirewallAddress.
```powershell
# Get information about ALL addresses (using Format-Table)
Get-FGTFirewallAddress | Format-Table

q_origin_key                 name                         uuid                                 subnet
------------                 ----                         ----                                 ------
FIREWALL_AUTH_PORTAL_ADDRESS FIREWALL_AUTH_PORTAL_ADDRESS a940cdea-368c-51e9-2596-5ddfd54a087a 0.0.0.0 0.0.0.0
SSLVPN_TUNNEL_ADDR1          SSLVPN_TUNNEL_ADDR1          a9416aca-368c-51e9-fe74-7dbb95fa64c9 10.212.134.200 10.212...
all                          all                          a940cc32-368c-51e9-82f5-fa5337e9f45c 0.0.0.0 0.0.0.0
autoupdate.opera.com         autoupdate.opera.com         a918c192-368c-51e9-ca8d-88cc94ed2d54 0.0.0.0 0.0.0.0
google-play                  google-play                  a918cd22-368c-51e9-2f4f-2d914955741a 0.0.0.0 0.0.0.0
swscan.apple.com             swscan.apple.com             a918d1dc-368c-51e9-08a7-c6004bf38fb9 0.0.0.0 0.0.0.0
update.microsoft.com         update.microsoft.com         a918d650-368c-51e9-0cca-5f006a059f0b 0.0.0.0 0.0.0.0
```
```powershell
# Create an address (type ipmask)
Add-FGTFirewallAddress -Name 'My PowerFGT Network' -ip 192.0.2.1 -mask 255.255.255.0

q_origin_key         : My PowerFGT Network
name                 : My PowerFGT Network
uuid                 : 9c65f75e-383e-51e9-a33a-caeffb7cfd33
subnet               : 192.0.2.0 255.255.255.0
type                 : ipmask
start-ip             : 192.0.2.0
end-ip               : 255.255.255.0
fqdn                 :
country              :
wildcard-fqdn        :
cache-ttl            : 0
wildcard             : 192.0.2.0 255.255.255.0
sdn                  :
tenant               :
organization         :
epg-name             :
subnet-name          :
sdn-tag              :
policy-group         :
comment              :
visibility           : enable
associated-interface :
color                : 0
filter               :
obj-id               :
list                 : {}
tagging              : {}
allow-routing        : disable
```
```powershell
# Get information about an address (by name) and display only some fields (using Format-Table)
Get-FGTFirewallAddress -name "My PowerFGT Network" | Select name, subnet, type, start-ip, end-ip | Format-Table

name                subnet                  type   start-ip  end-ip
----                ------                  ----   --------  ------
My PowerFGT Network 192.0.2.0 255.255.255.0 ipmask 192.0.2.0 255.255.255.0
```
```powershell
# Get information about some addresses (filter_type contains) and display only some fields (using Format-Table)
Get-FGTFirewallAddress -name update -filter_type contains | Select name, type, fqdn | Format-Table

name                 type fqdn
----                 ---- ----
autoupdate.opera.com fqdn autoupdate.opera.com
update.microsoft.com fqdn update.microsoft.com
```
```powershell
# Modify an address (name, comment, interface...)
Get-FGTFirewallAddress -name "My PowerFGT Network" | Set-FGTFirewallAddress -name "MyNetwork" -comment "My comment" -interface port2

q_origin_key         : MyNetwork
name                 : MyNetwork
uuid                 : 9c65f75e-383e-51e9-a33a-caeffb7cfd33
subnet               : 192.0.2.0 255.255.255.0
type                 : ipmask
start-ip             : 192.0.2.0
end-ip               : 255.255.255.0
fqdn                 :
country              :
wildcard-fqdn        :
cache-ttl            : 0
wildcard             : 192.0.2.0 255.255.255.0
sdn                  :
tenant               :
organization         :
epg-name             :
subnet-name          :
sdn-tag              :
policy-group         :
comment              : My comment
visibility           : enable
associated-interface : port2
color                : 0
filter               :
obj-id               :
list                 : {}
tagging              : {}
allow-routing        : disable
```
```powershell
# Copy/Clone an address
Get-FGTFirewallAddress -name "MyNe
```
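Building on the Add/Get/Set commands above, here is an added example (not part of the PowerFGT README) that treats address objects as declared configuration: it creates the entries that are missing, updates the comment on the ones that exist, refuses to silently rewrite an object whose subnet has drifted from what was declared, and ends with a read-only audit for custom ipmask objects that match every address. It assumes an open Connect-FGT session. Get/Add/Set-FGTFirewallAddress with -name, -ip, -mask and -comment appear on this page; passing -comment to Add-FGTFirewallAddress and the exact-match default of -name are assumed from the module. The three address entries and the built-in name list are constructed sample data.

```powershell
# Added example, not from the PowerFGT README. Assumes Connect-FGT has already
# been run. Get/Add/Set-FGTFirewallAddress with -name, -ip, -mask and -comment
# are shown on this page (-comment on Add is assumed from the module).
# The entries below are constructed sample data.
$wanted = @(
    @{ Name = 'SRV-DB-01';      Ip = '192.0.2.10';   Mask = '255.255.255.255'; Comment = 'Production DB, owner dba-team' }
    @{ Name = 'NET-MGMT';       Ip = '198.51.100.0'; Mask = '255.255.255.0';   Comment = 'Management network' }
    @{ Name = 'NET-GUEST-WIFI'; Ip = '203.0.113.0';  Mask = '255.255.255.0';   Comment = 'Guest wireless' }
)

# FortiOS stores the network address (the page shows -ip 192.0.2.1 -mask
# 255.255.255.0 coming back as "192.0.2.0 255.255.255.0"), so declare network
# addresses above to keep the drift comparison exact.
$report = foreach ($entry in $wanted) {
    $expectedSubnet = "$($entry.Ip) $($entry.Mask)"
    $existing = Get-FGTFirewallAddress -name $entry.Name   # exact name match by default

    if (-not $existing) {
        Add-FGTFirewallAddress -Name $entry.Name -ip $entry.Ip -mask $entry.Mask -comment $entry.Comment | Out-Null
        $action = 'created'
    }
    elseif ($existing.subnet -ne $expectedSubnet) {
        # A changed subnet changes what every policy referencing the object
        # allows. Report it for a human decision instead of overwriting it.
        $action = "DRIFT: device has '$($existing.subnet)', expected '$expectedSubnet'"
    }
    elseif ($existing.comment -ne $entry.Comment) {
        $existing | Set-FGTFirewallAddress -comment $entry.Comment | Out-Null
        $action = 'comment updated'
    }
    else {
        $action = 'unchanged'
    }
    [pscustomobject]@{ Name = $entry.Name; Action = $action }
}
$report | Format-Table -AutoSize

# Read-only audit: a custom ipmask object covering 0.0.0.0/0 is a second 'all'
# and deserves review wherever it is referenced. FQDN objects also show a
# 0.0.0.0 subnet in the listing above, hence the type filter. Built-in names
# are excluded; extend the list for your firmware's defaults.
$builtin = @('all', 'FIREWALL_AUTH_PORTAL_ADDRESS')
$anyLike = Get-FGTFirewallAddress |
    Where-Object { $_.type -eq 'ipmask' -and $_.subnet -eq '0.0.0.0 0.0.0.0' -and $builtin -notcontains $_.name }
if ($anyLike) {
    Write-Warning 'Custom address objects matching every address:'
    $anyLike | Select-Object name, subnet, comment | Format-Table -AutoSize
}
```

Run it with -WhatIf-style review first by commenting out the Add and Set lines and reading the report; a DRIFT row means someone changed an object on the device, and the policies that reference it should be checked before the declared value is reapplied.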
