Very experimental miscellaneous and extra utilities for FortiOS (FortiGate).
- Parse and dump a structured JSON file from FortiOS CLI's "show *configuration" outputs
- Search for an item or items in the JSON files generated by parsing FortiOS CLI's "show *configuration" outputs, using a JMESPath query
- Collect network information from the JSON files and generate structured JSON files that describe that network information
- Compose multiple network JSON files into a single network file
- Analyze and dump the firewall policy table as a pandas DataFrame for further analysis
- Search for the firewall policies that match a given IP address
- Find the network paths in a network JSON file by IP address (src and dst) to figure out which firewall nodes need to be configured
See fortios_xutils --help.
ssato@x1-carbon-gen6% PYTHONPATH=src python3 ./src/fortios_xutils/cli.py --help
Usage: cli.py [OPTIONS] COMMAND [ARGS]...
CLI frontend entrypoint.
Options:
-v, --verbose
--help Show this message and exit.
Commands:
firewall-policy-save Make and save firewall policy table...
firewall-policy-search Search firewall policy table generated by...
network-collect Make and save network data collected from the
JSON...
network-compose Compose network files collected from the
fortigate...
network-find-paths Search paths from the source `src_ip` to the...
parse Parse fortigate CLI's "show *configuration*...
search Search an item or items from JSON file generated...
ssato@x1-carbon-gen6% for sc in parse search network-collect network-compose firewall-policy-save firewall-policy-search; do echo "# $sc"; PYTHONPATH=src python3 ./src/fortios_xutils/cli.py $sc --help; done
# parse
Usage: cli.py parse [OPTIONS] [FILEPATHS]...
Parse fortigate CLI's "show *configuration* outputs and generate a
structured JSON file. FILEPATHS is a list of file paths or a glob pattern
gives that.
Examples:
$ fortios_xutils parse -O /tmp/0 \
> tests/res/show_configs/fortigate_cli_show_sample_*.txt
$ ls /tmp/0
fortigate-01 fortigate-02
$ ls /tmp/0/fortigate-01:
all.json firewall_address.json
firewall_addrgrp.json firewall_policy.json
firewall_service_category.json firewall_service_custom.json
firewall_service_group.json metadata.json
system_global.json system_interface.json
system_object-tagging.json system_replacemsg-group.json
system_settings.json
$ jq '.' /tmp/0/fortigate-01/system_interface.json
[
{
"edit": "dmz",
"vdom": "root",
"status": "down",
"type": "physical",
"role": "dmz",
"snmp-index": "1"
},
{
"edit": "port1",
"vdom": "root",
"ip": [
"192.168.122.10",
"255.255.255.0"
],
... (snip) ...
Options:
-O, --outdir TEXT Output dir to save parsed results [out/ relative to input
filepath]
--help Show this message and exit.
# search
Usage: cli.py search [OPTIONS] [FILEPATHS]...
Search an item or items from JSON file generated previously by 'parse' sub
command. FILEPATHS is a list of file paths or a glob pattern gives that.
Examples:
$ # List ip addresses of system interfaces.
$ fortios_xutils search \
> -P "configs[?config=='system interface'].edits[].ip" \
> tests/res/parsed/fortigate-01/all.json
[
[
"192.168.122.10",
"255.255.255.0"
],
[
"192.168.1.10",
"255.255.255.0"
]
]
$
Options:
-P, --path TEXT JMESPath expression to query
--help Show this message and exit.
# network-collect
Usage: cli.py network-collect [OPTIONS] [FILEPATHS]...
Collect and save network data from the parsed and structured fortigate's
configuration files in JSON formats. FILEPATHS is a list of path of the
JSON file, the parsed results of fortigate CLI's "show \*configuration"
outputs.
Examples:
$ fortios_xutils network-collect tests/res/parsed/*/all.json
$ head -n 10 tests/res/parsed/fortigate-01/networks.yml
metadata:
type: metadata
input: tests/res/parsed/fortigate-01/all.json
prefix: 24
timestamp: 2020-05-12_04_58_57
version: '1.0'
nodes:
- id: fortigate-01
name: fortigate-01
type: firewall
$
Options:
-O, --outdir TEXT Dir to save results
-P, --prefix TEXT Max network prefix [24]
--help Show this message and exit.
# network-compose
Usage: cli.py network-compose [OPTIONS] [FILEPATHS]...
Compose network files collected from the fortigate CLI's configurations
from multiple fortigate hosts using the preivous network-collect command,
into a network file.
Examples:
$ fortios_xutils network-compose \
> tests/res/parsed/fortigate-0*/networks.yml \
> -o tests/res/networks/all.yml
$ head -n 10 tests/res/networks/all.yml
metadata:
inputs:
- tests/res/parsed/fortigate-01/all.json
- tests/res/parsed/fortigate-02/all.json
timestamp: 2020-05-12_05_02_49
version: '1.0'
nodes:
- id: fortigate-01
name: fortigate-01
type: firewall
$
Options:
-o, --outpath TEXT Path of the outpath file to save network JSON data
--help Show this message and exit.
# firewall-policy-save
Usage: cli.py firewall-policy-save [OPTIONS] [FILEPATHS]...
Make and save firewall policy table (:class:`pandas.DataFrame` object).
Examples:
$ fortios_xutils firewall-policy-save \
> -o /tmp/0/test.pickle.gz \
> tests/res/parsed/fortigate-01/all.json
$ file /tmp/0/test.pickle.gz
/tmp/0/test.pickle.gz: gzip compressed data, was "test.pickle" ...
$
Options:
-O, --outdir TEXT Dir to save results [same dir input files exist]
--help Show this message and exit.
# firewall-policy-search
Usage: cli.py firewall-policy-search [OPTIONS] FILEPATH
Search firewall policy table generated by 'firewall-policy-save' command,
by ip address. FILEPATH is a file path to the pandas dataframe file
generated by 'firewall-policy-save' command.
Examples:
$ fortios_xutils firewall-policy-search \
> --ip 192.168.122.3 /tmp/0/test.pickle.gz
[
{
"edit": "20",
"name": "Monitor_Servers_02",
"uuid": "3da73baa-dacb-48cb-852c-c4be245b4609",
"srcintf": "port1",
"dstintf": "",
"srcaddr": "host_192.168.122.1",
"dstaddr": "network_192.168.122.0/24",
"action": "accept",
"schedule": "always",
"service": [
"HTTPS",
"HTTP"
],
"inspection-mode": "",
"nat": "",
"srcaddrs": [
"192.168.122.1/32"
],
"dstaddrs": [
"192.168.122.0/24"
],
"comments": ""
}
]
Options:
-i, --ip TEXT Specify an IP address to search
--help Show this message and exit.
ssato@x1-carbon-gen6%
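The parse sub-command above turns FortiOS "show" output into JSON whose shape can be inferred from the examples (an all.json with configs[].config / configs[].edits[], and one file per config section such as system_interface.json, where a multi-value set becomes a list and a single value a string). The following is an added example of a small parser for that CLI format, written here for illustration; it is not the project's own parser, and the sample configuration text, the function names and the exact output shape are constructed assumptions.

```python
"""Toy parser for FortiOS CLI "show" output (added example, not fortios_xutils code)."""
from __future__ import annotations

import json
import shlex
from typing import Any

# Constructed sample in the FortiOS CLI format; not captured from a real device.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.122.10 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "dmz"
        set vdom "root"
        set status down
        set type physical
        set role dmz
    next
end
config firewall address
    edit "host_192.168.122.1"
        set subnet 192.168.122.1 255.255.255.255
    next
end
"""


def parse_fortios_config(text: str) -> dict[str, Any]:
    """Return {"configs": [{"config": "<name>", "edits": [{"edit": ..., ...}]}]}.

    Every "config ..." block becomes a section; every "edit ..." block inside it
    becomes a dict keyed by the options that were "set". A single value is kept
    as a string and multiple values become a list, mirroring the shape the page
    shows for "ip". Nested "config" blocks inside an edit are attached under a
    "configs" key of that edit (an assumption about nesting, not the project's).
    """
    root: dict[str, Any] = {"configs": []}
    # Each frame is the currently open section and the edit open inside it.
    stack: list[dict[str, Any]] = [{"section": root, "edit": None}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # handles the quoted names, e.g. edit "port1"
        kw, args = words[0], words[1:]
        frame = stack[-1]
        if kw == "config":
            section = {"config": " ".join(args), "edits": []}
            owner = frame["edit"] if frame["edit"] is not None else frame["section"]
            owner.setdefault("configs", []).append(section)
            stack.append({"section": section, "edit": None})
        elif kw == "edit":
            frame["edit"] = {"edit": " ".join(args)}
            frame["section"].setdefault("edits", []).append(frame["edit"])
        elif kw in ("set", "unset"):
            # "set" outside an edit (e.g. config system global) lands on the section.
            target = frame["edit"] if frame["edit"] is not None else frame["section"]
            if kw == "set":
                target[args[0]] = args[1] if len(args) == 2 else args[1:]
            else:
                target.pop(args[0], None)
        elif kw == "next":
            frame["edit"] = None
        elif kw == "end":
            if len(stack) == 1:
                raise ValueError("'end' without a matching 'config'")
            stack.pop()
        else:
            raise ValueError(f"unrecognised keyword in line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unterminated 'config' block")
    return root


def split_by_section(parsed: dict[str, Any]) -> dict[str, list[dict[str, Any]]]:
    """Map a per-section file name (e.g. system_interface.json) to its edits list,
    approximating the per-section files the parse command writes."""
    return {sec["config"].replace(" ", "_") + ".json": sec["edits"]
            for sec in parsed["configs"]}


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    print(json.dumps(split_by_section(parsed), indent=2))
```

The strictness on unmatched `end` and unterminated `config` blocks matters more than it looks: a truncated or tampered configuration dump would otherwise silently yield a partial table, and any policy analysis built on it would miss rules.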
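The firewall-policy-search output above shows policies whose srcaddr/dstaddr names (host_192.168.122.1, network_192.168.122.0/24) have been resolved into CIDR lists (srcaddrs, dstaddrs) before the IP is matched. The following added example, which is my own illustration and not the project's implementation, shows that resolution step and the match, including address groups (the firewall_addrgrp.json section the parse command also produces) and ip-range objects, which the page's output does not show. The address, group and policy records are constructed in the shape of the parsed JSON; the treatment of the built-in "all" object as 0.0.0.0/0 and the function names are assumptions.

```python
"""Resolve FortiOS address objects and find the policies matching an IP.

Added example, not fortios_xutils code. All data below is constructed.
"""
from __future__ import annotations

import ipaddress
from typing import Any

# Constructed records in the shape of the parsed firewall_address.json,
# firewall_addrgrp.json and firewall_policy.json files.
ADDRESSES = [
    {"edit": "host_192.168.122.1", "subnet": ["192.168.122.1", "255.255.255.255"]},
    {"edit": "network_192.168.122.0/24", "subnet": ["192.168.122.0", "255.255.255.0"]},
    {"edit": "dhcp_pool", "type": "iprange", "start-ip": "10.0.0.100", "end-ip": "10.0.0.120"},
    {"edit": "all"},  # assumption: FortiOS built-in object matching every address
]
ADDRGRPS = [
    {"edit": "monitor_targets", "member": ["network_192.168.122.0/24", "dhcp_pool"]},
]
POLICIES = [
    {"edit": "20", "name": "Monitor_Servers_02", "srcaddr": "host_192.168.122.1",
     "dstaddr": "network_192.168.122.0/24", "action": "accept", "service": ["HTTPS", "HTTP"]},
    {"edit": "21", "name": "Monitor_Groups", "srcaddr": ["host_192.168.122.1", "dhcp_pool"],
     "dstaddr": "monitor_targets", "action": "accept", "service": "ALL"},
    {"edit": "99", "name": "Deny_All", "srcaddr": "all", "dstaddr": "all",
     "action": "deny", "service": "ALL"},
]


def _as_list(value: Any) -> list:
    # The parser keeps a single value as a string and several as a list.
    return value if isinstance(value, list) else [value]


def _address_networks(entry: dict[str, Any]) -> list[ipaddress.IPv4Network]:
    """Turn one address object into the networks it covers."""
    if entry["edit"] == "all":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if entry.get("type") == "iprange":
        first, last = ipaddress.ip_address(entry["start-ip"]), ipaddress.ip_address(entry["end-ip"])
        return list(ipaddress.summarize_address_range(first, last))
    if "subnet" in entry:
        addr, mask = entry["subnet"]
        return [ipaddress.ip_network(f"{addr}/{mask}", strict=False)]
    raise ValueError(f"unsupported address object: {entry['edit']!r}")


def resolve_names(names: Any, addresses: list, groups: list,
                  _seen: set | None = None) -> list[ipaddress.IPv4Network]:
    """Expand address and group names, recursively, into network objects."""
    by_name = {a["edit"]: a for a in addresses}
    members = {g["edit"]: _as_list(g["member"]) for g in groups}
    seen = _seen if _seen is not None else set()
    nets: list[ipaddress.IPv4Network] = []
    for name in _as_list(names):
        if name in seen:  # also guards against a group that references itself
            continue
        seen.add(name)
        if name in members:
            nets.extend(resolve_names(members[name], addresses, groups, seen))
        elif name in by_name:
            nets.extend(_address_networks(by_name[name]))
        else:
            raise KeyError(f"policy references unknown address object {name!r}")
    return nets


def policy_table(policies: list, addresses: list, groups: list) -> list[dict[str, Any]]:
    """Add srcaddrs/dstaddrs CIDR lists to each policy, like the search output."""
    rows = []
    for pol in policies:
        row = dict(pol)
        row["srcaddrs"] = [str(n) for n in resolve_names(pol["srcaddr"], addresses, groups)]
        row["dstaddrs"] = [str(n) for n in resolve_names(pol["dstaddr"], addresses, groups)]
        rows.append(row)
    return rows


def search_policies(rows: list[dict[str, Any]], ip: str) -> list[dict[str, Any]]:
    """Return the policies whose source or destination addresses contain ip,
    in table order, with a "matched" list naming which side(s) matched."""
    target = ipaddress.ip_address(ip)
    hits = []
    for row in rows:
        sides = [side for side in ("srcaddrs", "dstaddrs")
                 if any(target in ipaddress.ip_network(cidr) for cidr in row[side])]
        if sides:
            hits.append({**row, "matched": sides})
    return hits


if __name__ == "__main__":
    table = policy_table(POLICIES, ADDRESSES, ADDRGRPS)
    for hit in search_policies(table, "192.168.122.3"):
        print(hit["edit"], hit["name"], hit["action"], hit["matched"])
```

Two points for anyone reviewing policies this way: a policy referencing an address name that does not exist is an error rather than an empty match, so a mistyped object cannot make a rule silently vanish from the result, and the search lists every policy whose address objects contain the IP, in table order. FortiOS evaluates policies top-down and applies the first one that matches on all criteria (interfaces, service, schedule), so the list answers "which rules could affect this host", not "which rule will be applied".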