9. Policy Package Management#
9.1. Folders#
9.1.1. How to create a folder hierarchy#
REQUEST:
{
"id": 1,
"method": "set",
"params": [
{
"data": [
{
"name": "folder_001",
"subobj": [
{
"name": "folder_002",
"subobj": [
{
"name": "folder_003",
"subobj": [
{
"name": "folder_004",
"type": "folder"
}
],
"type": "folder"
}
],
"type": "folder"
}
],
"type": "folder"
}
],
"url": "pm/pkg/adom/demo_001"
}
],
"session": 46811
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/pkg/adom/demo_001"
}
],
"session": 46811
}
9.1.2. How to move a folder?#
REQUEST:
{
"id": 1,
"method": "exec",
"params": [
{
"url": "/securityconsole/package/move",
"data": {
"adom": "demo_001",
"pkg": "italy",
"dst_parent": "world/emea",
"dst_name": "italy"
}
}
],
"session": 11111,
}
9.1.3. How to delete a folder?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "delete",
"params": [
{
"url": "/pm/pkg/adom/demo/foobar"
}
],
"session": "NlLwCb+SB5wikMi1MPdTOnRtWOg6gM9z36yMMttHuWPZKoWW4Ia7/B/pGUjZMr4uZGqrw7J9aBImePfl9eZhbw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo/foobar"
}
]
}
9.2. Policy Packages#
9.2.1. How to create a policy package?#
We create policy package pp.003 in adom DEMO:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"name": "pp.003",
"package settings": {
"central-nat": "disable",
"consolidated-firewall-mode": "disable",
"fwpolicy-implicit-log": "disable",
"fwpolicy6-implicit-log": "disable",
"ngfw-mode": "profile-based"
},
"type": "pkg"
},
"url": "/pm/pkg/adom/DEMO"
}
],
"session": "4VUbMWg40/hOwzHt5/BRKRIbaAd0MBkTwprdFs4iG+w8QPSwyoa/MVrwHtVV7oQ463ifbp1I30eZ9FSluYtJuQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/DEMO"
}
]
}
Starting with FMG 7.0.1 (#708471), the response will also contain the pkg oid.
9.2.2. How to get the list of Policy Package?#
Following example shows how to get the list of Policy Packages in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/pkg/adom/demo"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": [
{
"name": "default",
"obj ver": 13,
"oid": 4971,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"type": "pkg"
},
{
"name": "fgt-742-001",
"obj ver": 5,
"oid": 6584,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"type": "pkg"
},
{
"name": "ppkg_001",
"obj ver": 6,
"oid": 10850,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"scope member": [
{
"name": "dc_emea_dev_001",
"vdom": "root"
},
{
"name": "dc_emea_dev_002",
"vdom": "root"
},
{
"name": "dc_emea_dev_003",
"vdom": "root"
}
],
"type": "pkg"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo"
}
]
}
Note
You can observe that when the Policy Package is assigned to managed devices, then FortiManager returns the
scope memberattribute
9.2.3. How to get a single Policy Package?#
Following example returns the details of the ppkg_001 Policy Package from
the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/pkg/adom/demo/ppkg_001"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"name": "ppkg_001",
"obj ver": 6,
"oid": 10850,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"scope member": [
{
"name": "dc_emea_dev_001",
"vdom": "root"
},
{
"name": "dc_emea_dev_002",
"vdom": "root"
},
{
"name": "dc_emea_dev_003",
"vdom": "root"
}
],
"type": "pkg"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo/ppkg_001"
}
]
}
Note
By default, FortiManager returns the Installation Targets of the Policy Package via the
scope memberattribute
9.2.4. How to get the Installation Targets of a Policy Package?#
See How to get the list of Policy Package? or How to get a single Policy Package?
9.2.5. How to assign a device to a Policy Package?#
We want to assign device hub1 to policy package hubs.pp in ADOM
DEMO_007.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"name": "hub1",
"vdom": "root"
},
"url": "/pm/pkg/adom/DEMO_007/hubs.pp/scope member"
}
],
"session": "RNBTLp49bHV+yvRAw1FRGkvjURd7V13+GtS8Vk8KQ/VFZ4gPrIfGd4f09nrKk6ppw9QCUj1C1CbZz4d7/e7GmA==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/DEMO_007/hubs.pp/scope member"
}
]
}
9.2.6. Policy Package Installation#
9.2.6.1. How to install a Policy Package?#
To install the branches Policy Package from ADOM demo:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"adom_rev_comments": "Changes from SR #01233",
"adom_rev_name": "ADOM Revision #01233",
"dev_rev_comments": "sr_01233",
"flags": [
"none"
],
"pkg": "branches"
},
"url": "/securityconsole/install/package"
}
],
"session": "{{session}}"
}
Note
There’s not
scopeattribute; it means that the Policy Package will be install against all the assigned Installation Targetsadom_rev_commentswill be used as a comment for the created ADOM Revisionadom_rev_namewill be used as the name for the created ADOM Revisiondev_rev_commentswill be used as the comment for the created Device Revision (see section Device revisions)
{
"id": 3,
"result": [
{
"data": {
"task": 3468
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.2. How to install a Policy Package against a device?#
It is required to add the scope attribute:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "DEMO",
"flags": [
"none"
],
"pkg": "pp.branches",
"scope": [
{
"name": "branch2_fgt",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "3xJ+a4TrhW5fSFSy3AQixRxRnINFsQhvOMXiSMVC1ryEMVZQ/enwiTasPzY9X1e64KT/UoTdl8lfory4wXub4A==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 536
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
Note
The
scopeattribute is a list, hence it could contains multiple devices or device groups.The devices/device groups listed in the
scopeshould belong to the list of assigned installation targets for this Policy Package.- The membership could be indirect or direct:
Direct membership means the device listed in the
scopeattribute is also in the installation targets list of the Policy Package.Indirect membership means the device listed in the
scopeattribute is a member of a device group or of a nested device group of a device group present in the installation targets list of the policy package .For instance, if the installation targets list of the Policy Package is having device group
branches, then you can use devicebranch_001in thescopeattribute if it belongs to this device group or one of its nested device groups.
9.2.6.3. How to install a Policy Package against a Device Group?#
We have Policy Package pp_france in foldler france which is in turn in
folder emea.
Policy Package pp_france is having device group france and device
test-001 as installation targets.
Goal is to install Policy Package pp_france against device group france
only.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"flags": [
"none"
],
"pkg": "emea/france/pp_france",
"scope": [
{
"name": "france"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "Of286Bft82otZnCz6da2+FEskUyY6q4Opnyd1/nkpAoEMem7osWNVkU0XEGC24lIobP43qxJsmmnqUVGd88Cqw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 148
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
#02764941 is stating that when the scope is just having a name attribute, it is considered a device group.
If device group france is in a device group emea, we can just use the full path in the name attribute:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"flags": [
"none"
],
"pkg": "emea/france/pp_france",
"scope": [
{
"name": "emea/france"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "Of286Bft82otZnCz6da2+FEskUyY6q4Opnyd1/nkpAoEMem7osWNVkU0XEGC24lIobP43qxJsmmnqUVGd88Cqw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 148
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.4. How to install a policy package located in a folder?#
To install policy package pp_corporate placed in folder /duts/emea,
from ADOM adom_dut:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "adom_dut",
"flags": [
"none"
],
"pkg": "duts/emea/pp_corporate",
"scope": [
{
"name": "fgt_dut1",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "za3jFQLMS8vEoQzyoby34nnzKHz6kF7Di1DDyLEID0P2wj09hzdofc09CDocYgZCQ7wT1nlEtzRxAtykowfuEw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 1273
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.5. How to install a policy package against a device’s device db only?#
Why would we need this?
It could be because we prefer to review definitive configuration offline, i.e. from fortimanager database.
To achieve this, we can use the copy_only flag.
It will take pending changes from ADOM DB and will copy them in the target’s
device db.
In below example we trigger the copy operation against managed device
branch12 considering the pending security changes from policy package
pp_branches in ADOM demo:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "DB",
"flags": [
"copy_only"
],
"pkg": "pp.003",
"scope": [
{
"name": "branch12",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "o9m+9/oQ101vfDhLYU3WkKa1YJR6p3nA0NFVmuBKw3JxgFYtD7Y3FekxTuMNZ1TgG8gslO6g/gzZtvVIKPZQnmtQETm7OABp",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 133
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.6. How to install a policy package against an offline device?#
This is for when the ADOM is configured with Auto-Push Policy Packages When Device Back Online enabled:
It’s a three steps process:
First we need to trigger a copy operation
REQUEST:
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "knock_39363", "adom_rev_name": "dut_fgt_34_235_2022-4-6-20-2-51", "flags": [ "generate_rev", "preview" ], "pkg": "dut_fgt_34_235", "scope": [ { "name": "dut_fgt_34_235", "vdom": "root" } ] }, "url": "/securityconsole/install/package" } ], "session": "2D7yrlIbNRf/1kt9B+ame4T2G/RFfW2DGboxzrV6xa50olO2utVGM0c7fQtkblrBtt57m8l3x3651mH2hiQ2eg==" }
RESPONSE:
{ "id": 3, "result": [ { "data": { "task": 148 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/package" } ] }
Note
Of course, we need to monitor the returned task’s progress
Then we commit!
REQUEST:
{ "id": 4, "method": "exec", "params": [ { "data": { "adom": "knock_39363", "scope": [ { "name": "dut_fgt_34_235", "vdom": "root" } ] }, "url": "/securityconsole/package/commit" } ], "session": "2D7yrlIbNRf/1kt9B+ame4T2G/RFfW2DGboxzrV6xa50olO2utVGM0c7fQtkblrBtt57m8l3x3651mH2hiQ2eg==" }
RESPONSE:
{ "id": 4, "result": [ { "data": { "task": 149 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/package/commit" } ] }
Then we can cancel the install
REQUEST:
{ "id": 5, "method": "exec", "params": [ { "data": { "adom": "knock_39363" }, "url": "/securityconsole/package/cancel/install" } ], "session": "2D7yrlIbNRf/1kt9B+ame4T2G/RFfW2DGboxzrV6xa50olO2utVGM0c7fQtkblrBtt57m8l3x3651mH2hiQ2eg==" }
RESPONSE:
{ "id": 5, "result": [ { "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/package/cancel/install" } ] }
9.2.6.7. How to install multiple policy packages against multiple devices?#
Using a single API call, it is possible to install multiple policy packages to
different devices by using the reinstall operation.
Below example is installing policy package ppkg_hubs and ppkg_branches
against devices fgt_00_1 and fgt_01_1 respectively (in ADOM demo):
REQUEST:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": [
"generate_rev"
],
"target": [
{
"pkg": "ppkg_hubs",
"scope": {
"name": "fgt_00_1",
"vdom": "root"
}
},
{
"pkg": "ppkg_branches",
"scope": {
"name": "fgt_01_1",
"vdom": "root"
}
}
]
},
"url": "/securityconsole/reinstall/package"
}
],
"session": "is4k5yJ0zojKcdpHdovj/jc74ROm39WD/lN4VuxRFDGrlCJev4O8M/R2mdbj9dXoiEu30PO2FzRCc7vFL1dEDQ=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"task": 595
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/reinstall/package"
}
]
}
If you look at the generated task, you will see that FMG will proceed with a
sequential install. Considering the above example, it will first install policy
package ppkg_hubs against device "fgt_00_1" and then will install
policy package ppkg_branches against device fgt_01_1.
9.2.6.8. How to reinstall a policy package against a device group?#
As usual, when you consider a Device Group, you still have to use the scope
but this time only with the name attribute (i.e. vdom attribute should be omitted)
The following example shows how to reinstall the ppkg_001 Policy Package from the demo``ADOM agains the ``grp_001 Device Group:
{
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": [
"none"
],
"extflags": 0,
"target": [
{
"pkg": "ppkg_001",
"scope": [
{
"name": "grp_001"
}
]
}
]
},
"url": "/securityconsole/reinstall/package"
}
],
"session": "{{session}}",
}
{
"result": [
{
"data": {
"task": 4140
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/reinstall/package"
}
]
}
In this case, FortiManager will proceed with a parallel policy package installation for all the device group’s members.
However, should you have two or more target elements in the above API request, then like for the How to install multiple policy packages against multiple devices? case seen in the previous section, FortiManager will go with a sequential installation for them.
9.2.6.9. How to reinstall multiple policy packages against multiple devices in parallel?#
In that case, we have to replicate the Re-install Policy mechanism from GUI.
It’s a three steps process:
Trigger the reinstall in preview mode:
This time we use the same API request as in How to install
multiple policy packages against multiple devices? but we use the preview
flag:
REQUEST:
{
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"flags": [
"preview"
],
"extflags": 0,
"target": [
{
"pkg": "ppkg_dut_fgt_1",
"scope": [
{
"name": "dut_fgt_1",
"vdom": "root"
}
]
},
{
"pkg": "ppkg_dut_fgt_2",
"scope": [
{
"name": "dut_fgt_2",
"vdom": "root"
}
]
}
]
},
"url": "/securityconsole/reinstall/package"
}
],
"session": "{{session_id}}",
"verbose": 1
}
RESPONSE:
{
"result": [
{
"data": {
"task": 4149
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/reinstall/package"
}
]
}
Commit the changes against the concerned devices
REQUEST:
{
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"scope": [
{
"name": "dut_fgt_1",
"vdom": "root"
},
{
"name": "dut_fgt_2",
"vdom": "root"
}
]
},
"url": "/securityconsole/package/commit"
}
],
"session": "{{session_id}}",
"verbose": 1
}
RESPONSE:
{
"result": [
{
"data": {
"task": 4150
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/commit"
}
]
}
Cancel the install operation
REQUEST:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}"
},
"url": "/securityconsole/package/cancel/install"
}
],
"session": "{{session_id}}"
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/cancel/install"
}
]
}
9.2.7. How to copy a firewall policy?#
Here the word copy refers to the action of copying a firewall policy from ADOM DB to Device DB.
For more information see section How to copy objects?
Below example shows how to copy a firewall policy from the dc_helsinki ADOM
to the dut_fgt_10 managed device and its root VDOM:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "dc_helsinki",
"category": 181,
"override_conflict": 1,
"query_only": 0,
"scope": [
{
"name": "dut_fgt_10",
"vdom": "root"
}
],
"src_list": [
{
"oid": 4835
}
]
},
"url": "/securityconsole/install/global"
}
],
"session": "{{session}"
}
Note
181is the category ID for thefirewall policy4835is the policy OID of the firewall policy we want to copyWe don’t have to specify the policy package name, the policy OID is unique
See section How to copy objects?; it describes how to get those category ID and OID
{
"id": 3,
"result": [
{
"data": {
"task": 1355
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/global"
}
]
}
9.2.8. Scheduling operations for policy package#
9.2.8.1. How to schedule a policy package install?#
To schedule a policy package install for policy package pp_001 from ADOM
adom_72_001 against two of its installation targets (adom_72_001_dev_001
and adom_72_001_dev_002, and their respective root VDOMs):
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"adom_rev_name": "scheduled_install_pp_001",
"datetime": "2022-10-27 23:24",
"scope": [
{
"name": "adom_72_001_dev_001",
"vdom": "root"
},
{
"name": "adom_72_001_dev_002",
"vdom": "root"
}
]
},
"url": "/pm/pkg/adom/adom_72_001/pp_001/schedule"
}
],
"session": "GorqROcoKWFpFT1pTDoxC1VICdiSmSxDm+nWGfs1UvBg8NsQwlSFQ0oShWHKZ0iOf1lWC172lODt0gq86lmdpA=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/adom_72_001/pp_001/schedule"
}
]
}
9.2.8.2. How to check for a scheduled policy package installation?#
To obtain the schedule information for policy package pp_001 from ADOM
adom_72_001:
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"schedule"
],
"filter": [
"name",
"==",
"pp_001"
],
"option": [
"schedule"
],
"url": "/pm/pkg/adom/adom_72_001"
}
],
"session": "bN0lF16C5n3JhtmrB85zE3IZHJeazCTMs16RbfGxVO6mLnKEbBKFS53CpIbB0pe9RebYYaxP6IWDOSS4Bnx1/g=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": [
{
"name": "pp_001",
"oid": 7131,
"schedule": {
"adom_rev_name": "pp_001_2022-10-23-22-56-49",
"datetime": "2022-10-23 23:56",
"scope": [
{
"name": "adom_72_001_dev_001",
"vdom": "root"
},
{
"name": "adom_72_001_dev_002",
"vdom": "root"
}
]
}
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/adom_72_001"
}
]
}
Note
The
scheduleoption seems to work only for the entirepm/pkg/adom/{adom}table.This is why the
filterhas been used to limit the output to the desiredpp_001policy package.
9.2.8.3. How to cancel a policy package scheduled install?#
To cancel the policy package scheduled install for policy package pp_001
from ADOM adom_72_001:
REQUEST:
{
"id": 3,
"method": "delete",
"params": [
{
"url": "/pm/pkg/adom/adom_72_001/pp_001/schedule"
}
],
"session": "DTepc/8+5+SD3IOwZE/1fVlMMTx1OZA227E8qL+2R+UK7+wW00aUxBQQ80Ptqnb5He5RRJYKBjam9f2SXJ6gOw=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/adom_72_001/pp_001/schedule"
}
]
}
9.2.9. How to get the status of all policy packages in an ADOM?#
To get policy package status for all policy package in ADOM TEST:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/TEST/_package/status"
}
],
"session": "zGecPX8WgrXs3Hx0gkZOW36iBAg8g+151Z64dD1q52D448Jm5pZxaSPf9fgx+BXGyYQ/8AzmRAKGgicCrzLk022CDSRIo5qL",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"dev": "fr_device_001",
"pkg": "emea/france/pp.fw",
"status": "installed",
"vdom": "root"
},
{
"dev": "sp_device_001",
"pkg": "emea/spain/pp.fw",
"status": "installed",
"vdom": "root"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/_package/status"
}
]
}
9.2.10. How to get the status of a specific policy package?#
To get the policy package status of policy package pp.fw placed in policy
package folder emea/spain in ADOM TEST:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/TEST/pkg/emea/spain/pp.fw/_package/status"
}
],
"session": "aHWQmCRzK68XQoEu/7kBNI4Sn3jfqtSkItg0h8ysZwUCg58bpMYwDnNZe6rDSNcYg1as84XmyRb0+5B+9CcFgtxnFBsR9Em0",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"dev": "sp_device_001",
"pkg": "emea/spain/pp.fw",
"status": "installed",
"vdom": "root"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/emea/spain/pp.fw/_package/status"
}
]
}
9.2.11. How to figure out whether interface pair view are supported by a type of policies?#
Caught in #0601320.
For instance, if one of the policy is having source or destination
interface set to any, section view mode isn’t supported.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"srcintf",
"dstintf"
],
"url": "/pm/config/adom/TEST/pkg/emea/spain/pp.fw/_query/interface_pair_view/firewall/policy"
}
],
"session": "JDr9djBNCnlYSOnS3dc/SmaReOUbJtwseckMQnIPkL6BvVdb+8rJnO3vxnSED/Xa27E2Xki8jr/k3JYh4FCpIYSY5/0JIjvF",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"interface_pair_view": 1,
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/emea/spain/pp.fw/_query/interface_pair_view/firewall/policy"
}
]
}
Returned attribute interface_pair_view is 1 meaning we can use
the interface pair view mode in the mentioned policy package.
Other FortiManager API endpoints are possible:
/pm/config/adom/TEST/pkg/<pkg>/_query/interface_pair_view/firewall/proxy-policy
/pm/config/adom/TEST/pkg/<pkg>/_query/interface_pair_view/firewall/security-policy
Note
For policies in Policy Block, while the endpoint is:
/pm/config/adom/<adom>/pblock/<pblock>/firewall/policy
then you still need to use this endpoint when you want to get the interface pair view feasability:
/pm/config/adom/<adom>/pkg/Policy Blocks/<pblock>/_query/interface_pair_view/firewall/policy
9.2.12. How to clone a Policy Package?#
REQUEST:
{
"id": 1,
"result": [
{
"data": {
"task": 62
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/clone"
}
]
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 62
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/clone"
}
]
}
9.2.13. How to trigger an install preview?#
When you install a policy package, the FortiManager UI lets you select an Install Preview action in order to review the CLI that will be pushed down to the managed devices.
We explain here how to operate this Install Preview action by using the API.
It’s a four steps process:
We have to start a policy package install process in preview mode
We have to ask for the preview generation
We need to collect the preview output
We need to cancel the install policy package process
We have to start a policy package install process in preview mode
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "customer_001",
"adom_rev_comments": "Test [1]",
"adom_rev_name": "Revision [1]",
"flags": [
"preview"
],
"pkg": "pp.dut_fgt2",
"scope": [
{
"name": "dut_fgt2",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "TFWLZCzMyiukI25p2kEmmrv7TO9wHkLHWph8rouoG1TCYeojlUx6OVXqn0wyZ1mymYdRfH2n7JvNEJWONzm1Jg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 69
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
Here you have to track the progress of the returned task id 69 (you can get
/task/task/69)
Once the task is completed, you can proceed with step 2.
We have to ask for the preview generation
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "customer_001",
"device": "dut_fgt2",
"flags": [
"none"
],
"vdoms": [
"root"
]
},
"url": "/securityconsole/install/preview"
}
],
"session": "6a5HWsj6o0L5da8oTZB26wapTtrMlsQxmNt24mWeL/80VRqy5OdbM6kntlkrX7L3rsw9rbRK1rqZvLlfXTCIKw==",
"verbose": 1
}
Note
Attribute flags could be none or json.
It determines the nature of the output produced in the preview report: CLI
based when it is none and obviously JSON based when it is json.
There is a bug (#0713778) where using:
"flags": "json"
or:
"flags": ["json"]
doesn’t work: the preview report is still CLI based.
The solution is to use this form:
"flags": 1
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 70
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/preview"
}
]
}
Here you have to track the progress of the returned task id 70 (you can get
/task/task/70)
Once the task is completed, you can proceed with step 3.
We need to collect the preview output
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "customer_001",
"device": "dut_fgt2"
},
"url": "/securityconsole/preview/result"
}
],
"session": "6a5HWsj6o0L5da8oTZB26wapTtrMlsQxmNt24mWeL/80VRqy5OdbM6kntlkrX7L3rsw9rbRK1rqZvLlfXTCIKw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"message": "config system dns\n set primary 8.8.8.8\n unset secondary\nend\nconfig firewall address\n edit \"host_001\"\n set uuid 09ce3330-b06e-51ea-6497-48f76b1e8626\n set color 3\n set subnet 10.0.0.1 255.255.255.255\n next\nend\nconfig system dhcp server\n edit 1\n set status disable\n set dns-service default\n set ntp-service default\n set default-gateway 172.16.2.102\n set netmask 255.255.255.0\n set interface \"port3\"\n config ip-range\n edit 1\n set start-ip 172.16.2.1\n set end-ip 172.16.2.101\n next\n edit 2\n set start-ip 172.16.2.103\n set end-ip 172.16.2.254\n next\n end\n set timezone-option default\n next\nend\nconfig firewall policy\n edit 1\n set srcaddr \"host_001\"\n next\nend\n"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/preview/result"
}
]
}
Note
Here FortiManager will report pending changes coming from ADOM DB (objects & policies) but also from Device DB (when you trigger an install preview for a device only, it will only expose the pending changes coming from the corresponding device’s Device DB.
We need to cancel the install policy package process
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "customer_001"
},
"url": "/securityconsole/package/cancel/install"
}
],
"session": "6a5HWsj6o0L5da8oTZB26wapTtrMlsQxmNt24mWeL/80VRqy5OdbM6kntlkrX7L3rsw9rbRK1rqZvLlfXTCIKw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/cancel/install"
}
]
}
9.2.14. How to get the Policy Package hitcount?#
Caught in #0673650 (and applicable to FMG 6.4.7+ and FMG 7.0.3+).
Hitcount refers to the set of attributes linked to a firewall policy that maintain several utilization information like the Last Used, First Use, Packets, Bytes, etc. as shown below:
Getting the hitcount details is an on demand action that requires two steps.
For instance, to get the policy hitcount for firewall policies in the
ppkg_001 Policy Package of the demo ADOM:
Step #1: Trigger the hitcount refresh
{ "id": 1, "method": "exec", "params": [ { "data": { "adom": "demo", "pkg": "ppkg_001" }, "url": "/sys/hitcount" } ], "session": "{{session}}", }
{ "id": 1, "result": [ { "status": { "code": 0, "message": "OK" }, "taskid": 217, "url": "/sys/hitcount" } ] }
Note
You need to remember the returned
taskidvalue for the next step
Step #2 - Collect the result
{ "id": 4, "method": "exec", "params": [ { "data": { "taskid": 217 }, "url": "/sys/task/result" } ], "session": "{{session}}" }
{ "id": 4, "result": [ { "data": { "firewall policy": [ { "byte": 2266808, "dstintf": "any", "first_hit": 1702099572, "first_session": 0, "hitcount": 6911, "last_hit": 1702145401, "last_session": 0, "name": "Implicit Deny", "pkts": 6911, "policyid": 0, "sesscount": 0, "srcintf": "any" }, { "byte": 198373, "dstintf": "WAN1", "first_hit": 1701085009, "first_session": 1701085009, "hitcount": 380, "last_hit": 1702981443, "last_session": 1702981443, "name": "Generic_Internet", "pkts": 1534, "policyid": 2, "sesscount": 0, "srcintf": "vl_lan", "uuid": "2654008a-896d-51ee-e595-b22bf9abffc0" }, { "byte": 0, "dstintf": "HUB1", "first_hit": 0, "first_session": 0, "hitcount": 0, "last_hit": 0, "last_session": 0, "name": "Health Check Access", "pkts": 0, "policyid": 1071741826, "sesscount": 0, "srcintf": "Branch-Lo", "uuid": "9ac943e0-7d1e-51ee-42fb-fe716908a3d9" } ], "firewall policy6": [], "firewall proxy-policy": [ { "byte": 0, "dstintf": "any", "first_hit": 0, "first_session": 0, "hitcount": 0, "last_hit": 0, "last_session": 0, "name": "Implicit Deny", "pkts": 0, "policyid": 0, "sesscount": 0, "srcintf": "any" } ], "firewall security-policy": [], "global footer policy": [], "global header policy": [] }, "status": { "code": 0, "message": "OK" }, "taskid": 541, "url": "/sys/task/result" } ] }
Starting with FortiManager 7.4.1, the Last Used (i.e, _last_hit attribute)
can be maintained as it is in FortiManager side, even if it gets reset on the
FortiGate side (caught in #0910402).
It’s configurable with the following FortiManager CLI:
config system global
set save-last-hit-in-adomdb enable
end
Note
Default value for
save-last-hit-in-adomdbisdisable
Furthermore, the _last_hit attribute can be retrieved by getting the
firewall policies.
For instance, to get the last_hit attribute for firewall policies in the sites_BRANCH_PPKG Policy Package from the production ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"_last_hit"
],
"loadsub": 0,
"url": "/pm/config/adom/production/pkg/sites_BRANCH_PPKG/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"_last_hit": 0,
"obj seq": 1,
"oid": 5460,
"policyid": 1
},
{
"_last_hit": 1705003857,
"name": "Generic_Internet",
"obj seq": 2,
"oid": 5784,
"policyid": 2
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/production/pkg/sites_BRANCH_PPKG/firewall/policy"
}
]
}
Note
The
_last_hitis returned in epoch format
However, to get an up to date Last Used information, you still have to trigger a hitcount refresh by using the /sys/hitcount JSON RPC url described above.
9.2.15. How to get the policy package checksum?#
Idea is to be able to detect whether a policy package has been modified or not.
The good news, is that there’s nothing special to do.
It is just enough to get the policy package and look at the returned obj
ver attribute:
REQUEST:
{
"id": 1,
"method": "get",
"params": [
{
"url": "pm/pkg/adom/CUSTOMER_001/FGT60D-001"
}
],
"session": "6iOnXClkXrGNFaLSHv3P18vdC0K3detcN+CAfvcwPRJjd0i54+WYRimlIclzP1i4W+/KZAvg16NGDoOT3Z7gmg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"name": "FGT60D-001",
"obj ver": 4,
"oid": 955,
"type": "pkg"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/pkg/adom/CUSTOMER_001/FGT60D-001"
}
]
}
We can also use the option chksum as documented in section Option chksum.
With FMG 5.6.0-INTERIM build 1510, we can also retrieve a checksum value using following request:
REQUEST:
{
"id": 1,
"method": "get",
"params": [
{
"url": "pm/config/adom/CM-LAB-001/pkg/PP_EXAMPLE/policy/package/settings"
}
],
"session": "5jZjkRrZBtpgEDR1G9RiPBKjEiNG/9+zwKZNnzFsvfsbSAie70YEA4ilLhabdGrVLqXvpUGyDdeuv7iV4+SgsA==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"central-nat": "disable",
"checksum": "1494203765-161359940",
"fwpolicy-implicit-log": "disable",
"fwpolicy6-implicit-log": "disable"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/CM-LAB-001/pkg/PP_EXAMPLE/policy/package/settings"
}
]
}
9.2.16. Policy Package Revision#
9.2.16.1. How to get the list of changes made on a Policy Package?#
The following example shows how to get all the changes made on the ppkg_001
Policy Package from the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{ "id": 3, "result": [ { "data": [ { "act": 2, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-dst-intf\": null, \"_global-label-color\": 0, \"_global-src-intf\": null, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 0, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auth-redirect-addr\": null, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-log-server-grp\": null, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"comments\": null, \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"any\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"global-label\": null, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"label\": null, \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": null, \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11296, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-expiry-date-utc\": null, \"policy-offload\": 1, \"policyid\": 1, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"redirect-url\": null, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"any\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"44d742cc-cef2-51ee-71ef-68f2fe808584\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"vlan-filter\": null, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "1", "note": "", "oid": 0, "pkg_oid": 11294, "timestamp": 1708325042, "user": "admin" }, { "act": 3, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-dst-intf\": null, \"_global-label-color\": 0, \"_global-src-intf\": null, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 1, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auth-redirect-addr\": null, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-log-server-grp\": null, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"comments\": null, \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"host_102\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"wan\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"global-label\": null, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"label\": null, \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": \"\", \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11298, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-expiry-date-utc\": null, \"policy-offload\": 1, \"policyid\": 3, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"redirect-url\": null, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"host_002\", \"host_001\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"lan\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"4828b014-cef2-51ee-2ab3-cce3da14bded\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"vlan-filter\": null, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "3", "note": "", "oid": 11298, "pkg_oid": 11294, "timestamp": 1708325089, "user": "admin" }, { "act": 1, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-label-color\": 0, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 0, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"wan\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11307, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-offload\": 1, \"policyid\": 12, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"lan\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 0, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"a027db5a-cef2-51ee-313e-00ee89b1203e\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "12", "note": "", "oid": 11307, "pkg_oid": 11294, "timestamp": 1708325195, "user": "admin" } ], "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy" } ] }
Note
For each change the
actis giving you the nature of the change:Value
meaning
1New policy created
2Existing policy deleted
3Existing policy modified
The
keyattribute is thepolicyidThe
configattribute is a copy of the firewall policy containing the changeFortiManager returns an ordered list of changes; the first item is the first change
9.2.16.2. Can we revert a Policy Package from a specific changes?#
You can only revert a firewall policy provided it does exist (see How to revert a firewall policy from a past changes?
9.3. Policy Blocks#
9.3.1. How to create a Policy Block?#
{
"id": 1,
"method": "add",
"params": [
{
"data": {
"name": "ppb_002",
"package settings": {
"central-nat": "disable",
"consolidated-firewall-mode": "disable",
"fwpolicy-implicit-log": "disable",
"fwpolicy6-implicit-log": "disable",
"ngfw-mode": "profile-based"
},
"type": "pkg"
},
"url": "/pm/pblock/adom/DEMO_014/"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pblock/adom/DEMO_014/"
}
]
}
9.3.2. How to add a policy in a Policy Block?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"all"
],
"dstintf": [
"any"
],
"logtraffic": "utm",
"logtraffic-start": "disable",
"name": "Policy_002",
"schedule": [
"always"
],
"service": [
"ALL"
],
"srcaddr": [
"all"
],
"srcintf": [
"any"
]
},
"url": "/pm/config/adom/DEMO_014/pblock/ppb_001/firewall/policy"
}
],
"session": "0ZY5z0s/JngkUaryMxPtobzfWQwDekg5dW2E04a1oib0bOxmYoqsev/QRq1wn/K1XG2Fl2yeXim+UF2C3pCq6w==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 1071741828
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_014/pblock/ppb_001/firewall/policy"
}
]
}
9.3.3. How to insert a Policy Block in a Policy Package?#
You can use the before and after attribute followed by the policyid
of the firewall policy.
The following request inserts the ppb_001 Policy Block before the firewall policy with policyid 2 in the pp.device1 Policy Package
from the DEMO_014 ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"before": "2",
"data": {
"_policy_block": "ppb_001"
},
"url": "/pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy"
}
],
"session": "{{session}}"
}
Warning
The
policyidhas to be passed as a string!
9.3.4. How to where used a Policy Block?#
This is for when you want to get the list of Policy Packages (and relative policyid the Policy Packages’ firewall policies) referencing the given
Policy Block.
For instance, to where used the sites_HBLK Policy Block from the dc_emea
ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"option": [
"where_used"
],
"url": "/pm/pblock/adom/dc_emea/sites_HBLK"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"name": "sites_HBLK",
"oid": 5276,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"type": "pblock",
"where_used": [
{
"data": [
{
"category": 181,
"mapping_name": "firewall policy",
"mattr": "policyid",
"mkey": "110",
"pkg": {
"name": "ppkg_001",
"oid": 6079
}
},
{
"category": 181,
"mapping_name": "firewall policy",
"mattr": "policyid",
"mkey": "3",
"pkg": {
"name": "ppkg_002",
"oid": 6181
}
}
],
"root": {
"name": "dc_emea",
"oid": 165
}
}
]
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pblock/adom/dc_emea/sites_HBLK"
}
]
}
Note
The response indicates that the sites_HBLK Policy Block is used in the
ppkg_001andppkg_002Policy PackagesThe relative
policyidis given by themkeyattributeIt is
110in theppkg_001Policy Package and3in theppkg_002Policy PackageIt means that next firewall policy that will get created in the
ppkg_001andppkg_002Policy Packages will be111and4respectively
9.3.5. How to clone a firewall policy from a Policy Package to a Policy Block?#
Why would you need to perform such clone operation?
It is just how the FortiManager GUI is implementing the copy & paste operation:
FortiManager administrator right-clicks and copy a firewall policy from a Policy Package
Then he right-clicks and paste it in a Policy Block
The above process is triggering two FortiManager JSON RPC API calls:
A clone operation
A move operation
9.3.5.1. Clone operation#
To clone firewall policy with policyid 1 from the ppkg_001 Policy
Package into the sites_HBLK Policy Block from the dc_emea ADOM:
{
"id": 3,
"method": "clone",
"params": [
{
"data": {
"name": "New_Policy_Name",
"new parent": "pblock/sites_HBLK"
},
"url": "/pm/config/adom/dc_emea/pkg/ppkg_001/firewall/policy/1"
}
],
"session": "{{session}}"
}
Note
Cloned firewall policy will have its
nameattribute set withNew_Policy_Name
{
"id": 3,
"result": [
{
"data": {
"policyid": 1071741830
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_emea/pkg/ppkg_001/firewall/policy/1"
}
]
}
Note
The FortiManager returns the
policyidof the cloned firewall policy:1071741830The cloned firewall policy is located at the end of the firewall policy list
9.3.5.2. Move operation#
To cloned firewall policy has been placed at the end of the firewall policy list in the Policy Block.
To move the cloned firewall policy with policyid 1071741830 above the firewall policy with policyid 1071741828, both being in the sites_HBLK Policy Block of the dc_emea ADOM:
{
"id": 3,
"method": "move",
"params": [
{
"option": "before",
"target": "1071741828",
"url": "pm/config/adom/dc_emea/pblock/sites_HBLK/firewall/policy/1071741830"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"policyid": 1071741830
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/dc_emea/pblock/sites_HBLK/firewall/policy/1071741830"
}
]
}
Note
FortiManager confirms the success of the
moveoperation by returning thepolicyidof the moved firewall policy (1071741830)
9.4. Firewall Policies#
9.4.1. How to get the default values for a firewall policy?#
This is when you plan to suggest default values in an application you’re developping and where you offer to add a new firewall policy.
You can get the firewall policy table of a Policy Package using the object template attribute.
To get the default value for a firewall policy in the pp.003 Policy Package from the DEMO ADOM:
{
"id": 1,
"method": "get",
"params": [
{
"object template": 1,
"url": "/pm/config/adom/DEMO/pkg/pp.003/firewall/policy/"
}
],
"session": "{{session}}",
"verbose": 1
}
9.4.2. How to add a firewall policy?#
To add a new firewall policy in the dut_fgt_02 Policy Package from the dc_amer ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"host_001",
"host_002"
],
"dstintf": [
"internal1",
"internal2"
],
"logtraffic": "all",
"schedule": "always",
"service": [
"FTP",
"HTTPS"
],
"srcaddr": [
"host_003",
"host_004"
],
"srcintf": [
"internal3",
"internal4"
],
"status": "enable"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"policyid": 2
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
]
}
Note
FortiManager returns the
policyidof the created policy.
If a specific policyid is required, and provided it isn’t already used,
then you can specify it:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"host_001",
"host_002"
],
"dstintf": [
"internal1",
"internal2"
],
"logtraffic": "all",
"policyid": 10,
"schedule": "always",
"service": [
"FTP",
"HTTPS"
],
"srcaddr": [
"host_003",
"host_004"
],
"srcintf": [
"internal3",
"internal4"
],
"status": "enable"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"policyid": 10
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
]
}
9.4.3. How to delete a firewall policy?#
TBD.
9.4.4. How to delete multiple firewall policies?#
The below example shows how to delete multiple firewall policies by combining in
a single API call the delete and filter operation:
{
"id": 3,
"method": "delete",
"params": [
{
"url": "pm/config/adom/dc_amer/pkg/dut_fgt_2/firewall/policy",
"confirm": 1,
"filter": [
"policyid",
"in",
1,2,3,
]
}
],
"session": "{{session}}"
}
{
"result": [
{
"data": null,
"id": 3,
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
]
}
9.4.5. How to purge all firewall policies?#
The following example shows you how to purge all firewall policies from the ppkg_001 Policy Package in the demo ADOM:
{
"id": 3,
"method": "delete",
"params": [
{
"confirm": 1,
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
9.4.6. How to update a firewall policy?#
9.4.6.1. Update elements of an existing firewall policy#
You just need to specify in the JSON RPC body the elements you want to update:
REQUEST:
{
"id": 3,
"method": "update",
"params": [
{
"data": {
"ips-sensor": "default",
"name": "Project_XXX_Traffic",
"nat": "enable",
"utm-status": "enable"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10"
}
],
"session": "EnRb2hecAsLL/i6DwUZ0WpibwI5a4KC58vm7ta1IivNT4Gwjqhp5sXUG+3YmdwIvnTlkdltTtHYzxSrOBbTcxg=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"policyid": 10
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10"
}
]
}
9.4.6.2. How to update a specific field without overwriting it?#
The goal is just to add new srcaddr elements of a specific policy without
overwriting the existing ones.
For instance, if srcaddr is set with:
[
"host_001",
"host_002"
]
then after this API request, it will be with:
[
"host_001",
"host_002",
"host_005",
"host_006"
]
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": [
"host_005",
"host_006"
],
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10/srcaddr"
}
],
"session": "RI6Bcs0YtRnh8dJoVsNqmV4A8+CNQZEyFIO5bZafv8xWMykF6ySvFSoitQld49G1bG3Sfug6h1LKmdR/1jt3uw=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10/srcaddr"
}
]
}
9.4.7. How to move a firewall policy?#
Considering we know the policyid of the source policy and the policyid
of the destination policy (i.e., the destination location), we can use the move
operation.
This request is moving policyid 3 after policyid 4 (for policy
package pp.003 of ADOM demo):
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "move",
"params": [
{
"option": "after",
"target": "4",
"url": "/pm/config/adom/demo/pkg/pp.003/firewall/policy/3"
}
],
"session": "tAgknLN52psfVRRYxPcGgWM45/i1OkEQ8bcnBc2LMyNThEmZfqY6h2C5h0IqDsEMX5p3+wjoKuRdodehh10zLUw+iEXyxwio",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 3
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom//pkg/pp.003/firewall/policy/3"
}
]
}
9.4.8. How to insert a policy?#
Three options are available:
Use the
addandmoveoperationsYou add a policy, it gets automatically placed at the last position
You move the policy to the desired location
Using the
object positionattribute to specify the desired locationUsing the
beforeandafterattributes
Those three alternatives are described below.
9.4.8.1. Use the add and move operations#
To add a new firewall policy, please review How to add a firewall policy?
To move a firewall policy, please review: How to move a firewall policy?
9.4.8.2. Use the object position attribute#
Caught in #0306003.
To insert a new firewall policy after the firewall policy with policyid
13 in the pp.001 Policy Package from the DEMO ADOM:
{
"id": 1,
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"host_001"
],
"dstintf": [
"ul_isp1"
],
"logtraffic": "all",
"name": "This is a test!",
"object position": [
"after",
"13"
],
"schedule": [
"always"
],
"service": [
"FTP"
],
"srcaddr": [
"host_002"
],
"srcintf": [
"lan"
]
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"policyid": 51
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
]
}
Note
policyid51is the policy id of the newly created firewall policy
9.4.8.3. Using the before and after attributes#
A new way of placing a new firewall policy has been observed.
It consists in adding attribute before or after placed outside of the
data block.
To insert a new firewall policy before the firewall policy with policyid
3 in the pp.001 Policy Package from the DEMO ADOM:
{
"id": 1,
"method": "add",
"params": [
{
"before": "3",
"data": {
"action": "accept",
"dstaddr": [
"all"
],
"dstintf": [
"dmz"
],
"ips-sensor": "all_default",
"logtraffic": "all",
"name": "Test_001",
"profile-protocol-options": [
"default"
],
"schedule": [
"always"
],
"service": [
"ALL"
],
"srcaddr": [
"all"
],
"srcintf": [
"wan"
],
"ssl-ssh-profile": [
"no-inspection"
],
"utm-status": "enable"
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"policyid": 52
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
]
}
Note
policyid52is the policy id of the newly created firewall policy
9.4.9. How to clone a policy?#
Cloning a policy doesn’t require to specify the destination
policyid since it is auto-generated.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "clone",
"params": [
{
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
],
"session": "ngFWU2SEY8rBX368VnxURvNKOfncqe7i5GWjOomUkeNrZPzBs/rhclDiyvNL825baHw+Sjq3z0YmV01imbg16Q==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 4
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
]
}
But we can also force a specific policyid if required:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "clone",
"params": [
{
"data": {
"policyid": 111
},
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
],
"session": "LmM3A03tHkgNxRJiSRxCMCrcqzZCBZYJKiZRfJDlJ1d5JTk3hrIlLqZITXTdAwJX4yToHOQ0NRojwHP6DEZX0Q==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 111
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
]
}
9.4.10. How to insert a section title for a firewall policy?#
REQUEST:
{
"id": 1,
"method": "set",
"params": [
{
"data": {
"name": "Project #001"
},
"url": "pm/config/adom/DEMO_014/pkg\/pp.device1/firewall/policy/4/section value"
}
],
"session": 12841
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy/4/section value"
}
]
}
9.4.11. How to get the section title of a policy?#
The section title is saved in the global-label attribute of each policies:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"global-label"
],
"loadsub": 0,
"url": "/pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy"
}
],
"session": "CHaKn3hVODf8U3cz1PByenpgjjeFTlwgtDj8b163pVqiaNW7JnUk+IMnVPVi90Jf+lxcpib6HLJPhislBJlPwg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"obj seq": 1,
"policyid": 1
},
{
"global-label": "Project #001",
"obj seq": 2,
"policyid": 4
},
{
"global-label": "Project #001",
"obj seq": 3,
"policyid": 5
},
{
"global-label": "Project #001",
"obj seq": 4,
"policyid": 2
},
{
"global-label": "Project #001",
"obj seq": 5,
"policyid": 3
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy"
}
]
}
In this output, we can see that policy #1 (ie. "obj seq": 1) isn’t
having any section title while all other policies are in a section
title named Project #001.
9.4.12. How to insert a section title for a consolidated policy?#
Caught in #0597802.
REQUEST:
{
"id": 4,
"method": "set",
"params": [
{
"url": "pm/config/adom/root/pkg/pkg1/firewall/consolidated/policy/2/section value",
"data": {
"name": "section 1"
}
}
]
}
RESPONSE:
TBD
9.4.13. How to get creation and modification timestamps along with the owner of the change?#
We need to pass the extra info option.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"policyid"
],
"loadsub": 0,
"option": [
"extra info"
],
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
],
"session": "8DvhCgFU4hHlb2yaTj89lH0Yx1muBZYEtkAqfCstMKzolG0wsXSCkHrUn4/ZoClSBrGjruJ5ey6aZP6OjZ3pwxhUNUj0Lyzi",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"_created timestamp": 1584462465,
"_last-modified-by": "admin",
"_modified timestamp": 1584462794,
"obj seq": 1,
"obj ver": 4,
"policyid": 1
},
{
"_created timestamp": 1584462465,
"_last-modified-by": "admin",
"_modified timestamp": 1584462465,
"obj seq": 2,
"obj ver": 1,
"policyid": 2
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
]
}
It should work for all objects with timestamp/owner change support. For instance, we can also get same information for the firewall addresses:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"name"
],
"loadsub": 0,
"option": [
"extra info"
],
"url": "/pm/config/adom/TEST/obj/firewall/address"
}
],
"session": "zGBZ3O/1FRg8fW+pObix36eCH4aUBabYbNqzCMtW3sG3hXAfhtNJMvSZg5atCfjR7hbXrYPcsOmZTD5O/w6htwbVzTZOSep9",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"_created timestamp": 1584462001,
"_last-modified-by": "admin",
"_modified timestamp": 1584462001,
"name": "FABRIC_DEVICE",
"obj ver": 1
},
{
"_created timestamp": 1584462001,
"_last-modified-by": "admin",
"_modified timestamp": 1584462001,
"name": "FIREWALL_AUTH_PORTAL_ADDRESS",
"obj ver": 1
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/obj/firewall/address"
}
]
}
9.4.14. How to get the meta-fields for policies?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"policyid",
"meta fields"
],
"loadsub": 0,
"option": [
"get meta"
],
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
],
"session": "MUhOUM7HF72aAOx9qSmnjeRie3pBjtNPrOhN15/VPC+NxVuILkXFCLAbTPlIgqF/vWQ9uyBtTuV3RmD14xXoP9dLTMLWoqyJ",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"meta fields": {
"change_type": "temporary"
},
"obj seq": 1,
"policyid": 1
},
{
"meta fields": {
"change_type": ""
},
"obj seq": 2,
"policyid": 2
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
]
}
9.4.15. How to do a policy lookup?#
When we debug the fortimanager while operating the policy lookup from its UI:
diagnose debug service sys 255
diagnose debug enable
diagnose debug timestamp enable
to lookup for a policy matching the following criterias:
Device/VDOM
branch1_fgtSource Interface
vl_lanProtocol
IPProtocol Number
6Source
Empty
Destination
8.8.8.8
we can see two operations:
Fortimanager is first doing a route lookup!
REQUEST:
{
"id": "9cd0139f-1713-4b57-b5f4-48a74f53baee",
"method": "exec",
"params": [
{
"data": {
"action": "get",
"resource": "/api/v2/monitor/router/lookup/select?&destination=8.8.8.8&ipv6=0",
"target": [
"adom/DEMO/device/branch1_fgt"
]
},
"target start": 1,
"url": "sys/proxy/json"
}
],
"session": 11017
}
RESPONSE:
{
"id": "2e65b687-2d69-42c8-a716-a0ebb07162c0",
"result": [
{
"data": [
{
"response": {
"action": "select",
"build": 8348,
"http_method": "GET",
"name": "lookup",
"path": "router",
"results": {
"gateway": "0.0.0.0",
"interface": "ol_mpls_0",
"network": "0.0.0.0/0",
"success": true
},
"serial": "FGVM04REDACTED73",
"status": "success",
"vdom": "root",
"version": "v6.2.3"
},
"status": {
"code": 0,
"message": "OK"
},
"target": "branch1_fgt"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "sys/proxy/json"
}
]
}
And we assume that because there are existing routes, fortimanager proceeds with the next step.
It does the policy lookup!
REQUEST:
{
"id": "9bddbb32-7a3f-4547-af43-cb9812c9fc81",
"method": "exec",
"params": [
{
"data": {
"action": "get",
"resource": "/api/v2/monitor/firewall/policy-lookup/select?&srcintf=vl_lan&protocol=6&protocol_number=6&sourceip=&sourceport=&dest=8.8.8.8&destport=0",
"target": [
"adom/DEMO/device/branch1_fgt"
]
},
"target start": 1,
"url": "sys/proxy/json"
}
],
"session": 11017
}
RESPONSE:
{
"id": "9bddbb32-7a3f-4547-af43-cb9812c9fc81",
"result": [
{
"data": [
{
"response": {
"action": "select",
"build": 8348,
"http_method": "GET",
"name": "policy-lookup",
"path": "firewall",
"results": {
"success": false
},
"serial": "FGVM04REDACTED73",
"status": "success",
"vdom": "root",
"version": "v6.2.3"
},
"status": {
"code": 0,
"message": "OK"
},
"target": "branch1_fgt"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "sys/proxy/json"
}
]
}
Well, we don’t have a match, but at least we can see how the policy lookup was done by fortimanager :-)
9.4.16. Operating the firewall policy Install On column#
This is about replacing the default Installation Targets value of the Install On column by one or more managed devices or device groups.
To operate the Install On column of a firewall policy, recent FortiManager versions offer the following capabilities:
You can click the pen icon to select specific devices or device groups; you can only select devices or device groups being part of the Policy Package’s installation targets
You can right-click and select:
Edit Install On, and in this case, you can select specific devices or device groups; you can only select devices or device groups being part of the Policy Package’s installation targets
Set Install On To Default, and in this case all, devices and devices group set in the Policy Package’s installation targets will be considered
Set Install On To None, and in this case, this firewall policy won’t used at all
In the following screenshot, the pp_branches Policy Package is shared with
some managed devices:
Policy ID 1 will be installed on all managed devices specified in the installation targets list of this policy package (i.e. set to Default).
Policy ID 2 won’t be installed since its Install On column is empty (i.e. set to None)
Policy ID 2 will be installed on device
branch11only.
9.4.16.1. How to get the existing values for the Install On column?#
You just have to pass the option scope member when getting the firewall
policies information.
It works when getting the firewall policy table.
For instance, to get the first three firewall policies from the ppkg_001
Policy Package in the dc_jani ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"comments"
],
"loadsub": 0,
"option": [
"scope member"
],
"range": [
0,
3
],
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"comments": "Install On: dev_003, dev_004",
"name": "Policy_001",
"obj flags": 16,
"obj seq": 1,
"oid": 5916,
"policyid": 1,
"scope member": [
{
"name": "dev_003",
"vdom": "root"
},
{
"name": "dev_004",
"vdom": "root"
}
]
},
{
"comments": "Install On: Installation Targets (Default)",
"name": "Policy_002",
"obj seq": 2,
"oid": 5917,
"policyid": 2
},
{
"comments": "Install On: None",
"name": "Policy_003",
"obj seq": 3,
"oid": 5918,
"policyid": 3,
"scope member": []
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy"
}
]
}
This output shows the FortiManager behavior when it returns firewall policies with specific devices, the Default, or the None target in the Install On column.
There is a
scope membershowing up when the policy is having its cell Install On set with managed devices and/or device groups (see firewall policy withpolicyid1)There’s no
scope memberreturned when the firewall policy is having its cell Install On set with Default (see firewall policy withpolicyid2)There is an empty
scope memberreturned when the firewall policy is having its cell Install On set to None (see firewall policy withpolicyid3)
Note
With FortiManager 6, when the Install On cell was set with None, then the
response was not having any scope member returned.
In that case, how could you figure out whether you were in the Default Installation Targets situation or the None one?
You add to check for the presence of the obj flags attribute (see
#0305108).
When you’re in the Default Installation Targets case, this is what you should get:
[...]
"obj flags": 16,
[...]
Here the "obj flags": 16 confirms there’s a scope member but since,
it is using the Default value, it is not showing up.
Hence, it’s normal not to have any scope member returned.
You could interprete the above output as:
[...]
"scope member": null,
[...]
When you’re in the None case, this is what we should get:
[...]
[...]
Here the absence of "obj flags": 16 clearly indicates there is no scope
member at all.
Hence, it’s normal not to have the scope member nor the obj flags.
You could interprete the above output as:
[...]
"scope member": [],
[...]
The empty array clearly shows the scope member is empty (i.e. None).
You will have to wait for FortiManager 7.0.11/7.2.5/7.4.3 (#0953665) to get a more meaningful response.
It also works when getting a specific firewall policy by policyid.
For instance, to firewall policy with policyid 3, from the ppkg_001
Policy Package in the dc_jani ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"comments"
],
"loadsub": 0,
"option": [
"scope member"
],
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy/3"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": {
"comments": "Install On: None",
"name": "Policy_003",
"obj flags": 16,
"obj seq": 3,
"oid": 5918,
"policyid": 3,
"scope member": []
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy/3"
}
]
}
Note
In this case, firewall policy with
policyid3is having its Install On column set to NoneNow an explicit empty
scope memberlist is returned
9.4.16.2. How to change the Install On column?#
Now that you know how to get the Install On value for any situations, let’s see how to change it.
You want the branch11 managed device to be the unique target for policy ID 2.
With FortiManager version lesser than 6.0, the very first time (i.e. when we
replace the default Installation Targets value by a specific managed device),
we have to use method set or update:
{
"id": 1,
"method": "set",
"params": [
{
"data": [
{
"name": "branch11",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
Note
You just need to append the
scope memberat the end of the main URL to operate the Install On column
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
You can review your Policy Package with the FortiManager GUI, policy seq #2 (i.e. policyid 2) should have branch11 showing up in the Install On column.
But if you keep using update or set to add additional managed devices,
we’re going to overwrite the existing list of managed devices placed in the
scope member table.
So once default Installation Target value is replaced by one or multiple
managed devices (i.e. the scope member table has been created) we can keep
adding additional managed devices on top of the existing ones, by using the
method add.
Starting with FMG 6.0.0, it is possible to use method add even when the
Install On column is having its default value (i.e. Installation Targets) -
(#0482431).
Now that you have added branch11 in the Install Column of policy ID 2, add additional devices.
You need to use the add method with the devices (one or multiple) you want to add:
{
"id": 1,
"method": "add",
"params": [
{
"data": [
{
"name": "branch12",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 is now having branch11 and branch12 under column Install
On.
It’s possible to add multiple firewalls:
{
"id": 1,
"method": "add",
"params": [
{
"data": [
{
"name": "branch13",
"vdom": "root"
},
{
"name": "branch14",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 is now having branch11, branch12, branch13 and
branch14 under column Install On.
To delete a specific target from the scope member table, you can use the
method delete:
{
"id": 1,
"method": "delete",
"params": [
{
"data": [
{
"name": "branch14",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 is now having branch11, branch12 and branch13 under
column Install On.
It’s possible to delete multiple firewalls:
{
"id": 1,
"method": "delete",
"params": [
{
"data": [
{
"name": "branch12",
"vdom": "root"
},
{
"name": "branch13",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 is now having branch11 under column Install On.
To set Install On to None (i.e. to empty the cell), you can use the method
set with an empty list:
{
"id": 1,
"method": "set",
"params": [
{
"data": [
{}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
To get back the default value of Install On (i.e. Installation Targets), you
just need to unset:
{
"id": 1,
"method": "unset",
"params": [
{
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
9.4.17. How to get the firewall policies along with used object definitions?#
When you just get the firewall policies, FortiManager just return something like:
[...]
"srcaddr": ["object1", "object2", ...]
[...]
But you don’t get what’s behind objects object1 and object2.
Should you want to get object definitions at the time you get the firewall
policies, just use the expand datasrc as shown below:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"expand datasrc": [
{
"datasrc": [
{
"fields": [
"name",
"subnet",
"comment",
"color"
],
"obj type": "firewall address"
}
],
"name": "srcaddr"
},
{
"datasrc": [
{
"fields": [
"name",
"subnet",
"comment",
"color"
],
"obj type": "firewall address"
}
],
"name": "dstaddr"
},
{
"datasrc": [
{
"fields": [
"name",
"subnet",
"comment",
"color"
],
"obj type": "firewall address"
}
],
"name": "dstaddr"
},
{
"datasrc": [
{
"fields": [
"name",
"description",
"wildcar",
"wildcard-intf",
"default-mapping",
"defmap-intf",
"color"
],
"obj type": "dynamic interface"
}
],
"name": "srcintf"
},
{
"datasrc": [
{
"fields": [
"name",
"description",
"wildcar",
"wildcard-intf",
"default-mapping",
"defmap-intf",
"color"
],
"obj type": "dynamic interface"
}
],
"name": "dstintf"
},
{
"datasrc": [
{
"fields": [
"name",
"tcp-portrange",
"color",
"comment"
],
"obj type": "firewall service custom"
}
],
"name": "service"
},
{
"datasrc": [
{
"fields": [
"name",
"day",
"color"
],
"obj type": "firewall schedule recurring"
}
],
"name": "schedule"
},
{
"datasrc": [
{
"obj type": "ips sensor"
}
],
"name": "ips-sensor"
},
{
"datasrc": [
{
"obj type": "webfilter profile"
}
],
"name": "webfilter-profile"
}
],
"fields": [
"name",
"policyid",
"srcintf",
"dstintf",
"srcaddr",
"dstaddr",
"service",
"action",
"schedule",
"utm-status",
"logtraffic-start",
"webfilter-profile",
"ips-sensor",
"global-label",
"comments"
],
"loadsub": 0,
"range": null,
"url": "/pm/config/adom/deutsche_bank_benchmark/pkg/ppkg_001/firewall/policy/"
}
],
"session": "qk4LfxNkgZuewjwk7mp4Vt4e+f2OJR3Bvo/xdj73PN5pul8AZq7a58qp4LJ+DwvJHIvT1r17SAoGYjKyTueJGw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"action": "accept",
"comments": "Created with FMG API",
"dstaddr": [
{
"color": 28,
"comment": "Created with FMG API",
"name": "tc_004_dst_000001",
"obj type": "firewall address",
"subnet": [
"10.0.0.1",
"255.255.255.255"
]
}
],
"dstintf": [
{
"color": 16,
"default-mapping": "enable",
"defmap-intf": "wan",
"description": "Created with FortiManager Ansible",
"name": "wan",
"obj type": "dynamic interface",
"wildcard-intf": "wan"
}
],
"global-label": "Project #1",
"ips-sensor": [
{
"_baseline": [],
"block-malicious-url": "disable",
"comment": "Prevent critical attacks.",
"extended-log": "disable",
"name": "default",
"obj type": "ips sensor",
"replacemsg-group": [],
"scan-botnet-connections": "disable"
}
],
"logtraffic-start": "enable",
"name": "Policy_000001",
"obj seq": 1,
"policyid": 1,
"schedule": [
{
"color": 0,
"day": [
"sunday",
"monday",
"tuesday",
"wednesday",
"thursday",
"friday",
"saturday"
],
"name": "always",
"obj type": "firewall schedule recurring"
}
],
"service": [
{
"color": 0,
"comment": null,
"name": "ALL",
"obj seq": 1,
"obj type": "firewall service custom",
"tcp-portrange": [],
"unset attrs": [
"icmptype",
"icmpcode"
]
}
],
"srcaddr": [
{
"color": 18,
"comment": "Created with FMG API",
"name": "tc_004_src_000001",
"obj type": "firewall address",
"subnet": [
"10.0.0.1",
"255.255.255.255"
]
}
],
"srcintf": [
{
"color": 6,
"default-mapping": "enable",
"defmap-intf": "lan",
"description": "Created with FortiManager Ansible",
"name": "lan",
"obj type": "dynamic interface",
"wildcard-intf": "lan"
}
],
"utm-status": "enable",
"webfilter-profile": [
{
"comment": "Default web filtering.",
"extended-log": "disable",
"https-replacemsg": "enable",
"log-all-url": "disable",
"name": "default",
"obj type": "webfilter profile",
"options": null,
"ovrd-perm": null,
"post-action": "normal",
"replacemsg-group": [],
"web-content-log": "enable",
"web-extended-all-action-log": "disable",
"web-filter-activex-log": "enable",
"web-filter-applet-log": "enable",
"web-filter-command-block-log": "enable",
"web-filter-cookie-log": "enable",
"web-filter-cookie-removal-log": "enable",
"web-filter-js-log": "enable",
"web-filter-jscript-log": "enable",
"web-filter-referer-log": "enable",
"web-filter-unknown-log": "enable",
"web-filter-vbs-log": "enable",
"web-ftgd-err-log": "enable",
"web-ftgd-quota-usage": "enable",
"web-invalid-domain-log": "enable",
"web-url-log": "enable",
"wisp": "disable",
"wisp-algorithm": "auto-learning",
"wisp-servers": [],
"youtube-channel-status": "disable"
}
]
},
[...]
9.4.18. Partial Install#
9.4.18.1. Legacy Partial Install API#
9.4.18.1.1. How to partial install a firewall policy?#
The idea behind the partial installation mechanism is to install a very specific object (could be a firewall policy, a firewall address, a firewall address group with members, an UTM profiles, etc.) but not the other pending changes!
The partial installation is mainly for objects maintained in ADOM DB.
To enable it:
config system global
set partial-install enable
set partial-install-force enable
set partial-install-rev enable
end
where:
partial-install:Value
Description
enableEnable the partial installation mechanism
disableDisable the partial installation mechanism
partial-install-force:Value
Description
enableForce the installation of the targetd object along with the pending changes in Device DB
disableIf any pending changes are detected in Device DB, partial installation will be stopped. If no change are detected in Device DB, then partial installation will work normally
partial-install-rev:Value
Description
enableCreate an ADOM Revision
disableDon’t create an ADOM Revision
It is possible to partial install most of the objects maintained in the FortiManager’s ADOM DB.
The generic request is:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"scope": [
{
"name": "{{device}}",
"vdom": "{{vdom}}"
},
{"...", "..."}
],
"target": [
"{{ target }}"
]
},
"url": "/securityconsole/install/objects"
}
],
"session": "{{session}}",
}
where {{ target }} should be replaced by a FortiManager JSON RPC API url.
The partial installation works as defined below:
If the target does exist on the managed device, FortiManager will update it.
If the target doesn’t exist on the managed devices, FortiManager will install it.
If the target is an object with members (think about a firewall address group) and some of the members don’t exist on the managed devices, they will be automatically installed.
The following example shows the generic REQUEST format to partial install a firewall policy:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"scope": [
{
"name": "{{device}}",
"vdom": "{{vdom}}"
}
],
"target": [
"/pm/config/adom/{{adom}}/pkg/{{pkg}}/firewall/policy/{{policyid}}"
]
},
"url": "/securityconsole/install/objects"
}
],
"session": "{{session}}",
}
{
"id": 1,
"result": [
{
"data": {
"task": 184
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects"
}
]
}
Note
New or updated objects belonging to the targeted
policyidobject will be automatically added or updated.
The rest of this section describes the partial install behavior for different cases.
Update of the policy’s properties only
This is the situation before the test:
One policy package with 100 policies already installed on the managed device.
The
commentsofpolicyid5was modified (new comment isTest #005).No other pending changes in ADOM DB.
The partial install is performed against the
policyid5.
This is the installation output we got from FortiManager GUI:
Starting log (Run on device) Start installing dev_001 $ config firewall policy dev_001 (policy) $ edit 5 dev_001 (5) $ set comments "Test #005" dev_001 (5) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, the updated
comments- only - is sent to the managed device
Update of the policy’s properties + new existing objects
This is the situation before the test:
One policy package with 100 policies already installed on the managed device
The
commentsofpolicyid5was modified (new comment isTest #006)Firewall addresse
host_105already used in some of the 99 other policies (hence aleady existing in managed device) have been added in thedstaddrofpolicyid5The partial install is performed against the
policyid5
This is the installation output we got from FortiManager GUI:
Starting log (Run on device) Start installing dev_001 $ config firewall policy dev_001 (policy) $ edit 5 dev_001 (5) $ set dstaddr "host_004" "host_105" dev_001 (5) $ set comments "Test #006" dev_001 (5) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, the updated
commentsis sent to the managed device
As expected, the reference (i.e., name only) of the firewall address
host_105is added in thedstaddr
New objects added in firewall policy + other ADOM DB pending changes
This is the situation before the test:
One policy package with 100 policies already installed on the managed device
New firewall address created:
host_201and placed assrcaddrofpolicyid5Other pending changes in ADOM DB (other policies from same policy package have been modified for instance)
The partial install is performed against the
policyid5
This is the installation output we got from FortiManager GUI:
Starting log (Run on device) Start installing dev_001 $ config firewall address dev_001 (address) $ edit "host_201" dev_001 (host_201) $ set uuid edf0802e-dc52-51ec-eead-9a86a08a872a dev_001 (host_201) $ set color 17 dev_001 (host_201) $ set subnet 145.124.204.58 255.255.255.255 dev_001 (host_201) $ next dev_001 (address) $ end dev_001 $ config firewall policy dev_001 (policy) $ edit 5 dev_001 (5) $ set srcaddr "host_005" "host_201" dev_001 (5) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusions
FortiManager is really in charge! It detected a new firewall address had to be installed on the managed device:
host_201Once the new firewall address is installed, it can be referenced and added as
srcaddrAs expected, other pending changes haven’t been installed!
New more complexe objects added + other ADOM DB pending changes
This is the situation before the test:
One policy package with 100 policies already installed on the managed device
New firewall addresses created:
host_202andhost_203New firewall address group created:
grp_host_20xMembers arehost_202andhost_203Firewall address group
grp_host_20xadded asdstaddrofpolicyid5New IPS profile created:
ips_profile_001New profile group created:
profile_group_001ips_profile_001IPS profile and some other UTM profiles added in theprofile_group_001Profile Groupprofile_group_001Profile Group added inpolicyid5The partial install is performed against the
policyid5
This is the installation output we got from FortiManager GUI:
Starting log (Run on device) Start installing dev_001 $ config firewall address dev_001 (address) $ edit "host_202" dev_001 (host_202) $ set uuid 347190b0-dc53-51ec-137e-2a05a016d500 dev_001 (host_202) $ set color 17 dev_001 (host_202) $ set subnet 145.124.202.58 255.255.255.255 dev_001 (host_202) $ next dev_001 (address) $ edit "host_203" dev_001 (host_203) $ set uuid 3c63b8a2-dc53-51ec-634e-3872e5836416 dev_001 (host_203) $ set color 17 dev_001 (host_203) $ set subnet 145.123.202.58 255.255.255.255 dev_001 (host_203) $ next dev_001 (address) $ end dev_001 $ config firewall addrgrp dev_001 (addrgrp) $ edit "grp_host_20x" dev_001 (grp_host_20x) $ set uuid 469eec38-dc53-51ec-4fcc-3e14b47114a4 dev_001 (grp_host_20x) $ set member "host_202" "host_203" dev_001 (grp_host_20x) $ set color 18 dev_001 (grp_host_20x) $ next dev_001 (addrgrp) $ end dev_001 $ config ips sensor dev_001 (sensor) $ edit "ips_profile_001" dev_001 (ips_profile_001) $ set comment "Prevent critical attacks." dev_001 (ips_profile_001) $ config entries dev_001 (entries) $ edit 1 dev_001 (1) $ set severity medium high critical dev_001 (1) $ next dev_001 (entries) $ end dev_001 (ips_profile_001) $ next dev_001 (sensor) $ end dev_001 $ config firewall profile-group dev_001 (profile-group) $ edit "profile_group_001" dev_001 (profile_group_001) $ set ips-sensor "ips_profile_001" dev_001 (profile_group_001) $ set application-list "default" dev_001 (profile_group_001) $ next dev_001 (profile-group) $ end dev_001 $ config firewall policy dev_001 (policy) $ edit 5 dev_001 (5) $ set dstaddr "grp_host_20x" "host_004" "host_105" dev_001 (5) $ set utm-status enable dev_001 (5) $ set profile-type group dev_001 (5) $ set profile-group "profile_group_001" dev_001 (5) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusions
All new objects have been successfully sent to the managed device
Only
policyid5changes have been sent as expectedOther pending changes haven ‘t been installed!
Partial Install New Firewall Policy
This is the situation before the test:
One policy package with 100 policies already installed on the managed device
A new firewall policy is created, referencing existing (
host_004andhost_104) and new object (host_204)This new firewall policy has been placed between firewall policies with
policyid5and6The partial install is performed against this new firewall policy
This is the installation output we got from FortiManager GUI:
Starting log (Run on device) Start installing dev_001 $ config firewall address dev_001 (address) $ edit "host_204" dev_001 (host_204) $ set uuid dadfea46-dc53-51ec-dee7-d0e7acd6a7da dev_001 (host_204) $ set color 17 dev_001 (host_204) $ set subnet 145.123.202.54 255.255.255.255 dev_001 (host_204) $ next dev_001 (address) $ end dev_001 $ config firewall policy dev_001 (policy) $ edit 101 dev_001 (101) $ set uuid ae0d8f6e-dc53-51ec-af49-7683cdf87a8d dev_001 (101) $ set action accept dev_001 (101) $ set srcintf "port1" dev_001 (101) $ set dstintf "port2" dev_001 (101) $ set srcaddr "host_104" dev_001 (101) $ set dstaddr "host_004" "host_204" dev_001 (101) $ set schedule "always" dev_001 (101) $ set service "ALL" dev_001 (101) $ set logtraffic all dev_001 (101) $ set label "Project #1" dev_001 (101) $ set global-label "Project #1" dev_001 (101) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusions
Partial install also works for new firewall policy!
Warning
New firewall policy has been pushed to managed device and has been placed at the end of the existing firewall policies!
This is not conform to what has been configured in FortiManager: new firewall policy should have been placed between firewall policies with
policyid5and6!The legacy partial install doesn’t support pushing a new firewall policy at a specific position
You have to consider the partial install v2 (see New Partial Install API).
9.4.18.1.2. How to trigger an install preview for a partial install?#
Following example describes how to trigger an install prefiew for the partial
installation of the used host_001 firewall address in the dc_amies ADOM.
It’s a three steps process.
You have to trigger the Partial Install
Below example start the Partial Install process against the host_001
firewall address from the dc_amiens ADOM.
You are expected to know what’s the target device; here it is dut_fgt_02 and
its root VDOM.
You also have to specify the preview flag.
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "dc_amiens",
"flags": [
"preview"
],
"scope": [
{
"name": "dut_fgt_02",
"vdom": "root"
}
],
"target": [
"/pm/config/adom/dc_amiens/obj/firewall/address/host_001"
]
},
"url": "/securityconsole/install/objects"
}
],
"session": 4902
}
{
"id": 1,
"result": [
{
"data": {
"task": 1244
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects"
}
]
}
You are given a task ID that you have to monitor.
Then you need to explicitely ask for a preview report
You just need to specify the target device (dc_fgt_02).
FortiManager will manage to collect the preview information generated via
previous step.
{
"method": "exec",
"params": [
{
"data": {
"adom": "dc_amiens",
"device": "dc_fgt_02",
},
"url": "/securityconsole/install/preview"
}
],
"session": 4902
}
{
"result": [
{
"data": {
"task": 1245
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/preview"
}
]
}
You’re also given a task ID that you have to monitor.
Finally, you can obtain the preview report
{
"method": "exec",
"params": [
{
"data": {
"adom": "dc_amiens",
"device": "dut_fgt_02",
"flags": 1024
},
"url": "/securityconsole/preview/result"
}
],
"session": 4902
}
{
"result": [
{
"data": {
"message": "config firewall address\n edit \"host_001\"\n set comment \"Test #001\"\n next\nend\n"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/preview/result"
}
]
}
9.4.19. New Partial Install API#
Note
The new Partial Install API is also named Partial Install v2
9.4.19.1. Introducing the new partial install API#
Starting with FMG 7.4.1, a new partial install API has been implemented.
The former one (see Legacy Partial Install API) is still available.
9.4.19.2. New Partial Install API JSON RPC payload#
This is the generic JSON RPC payload for the new Partial Install API:
{
"method": "exec",
"params": [
{
"data": {
"adom": "<adom>",
"objects": [
["<action>", "<object>", "<relative_position>", "<position>"],
["<other action lines>"]
],
"scope": [
{
"name": "<device>",
"vdom": "<vdom>"
}
],
"flags": <value>,
},
"url": "securityconsole/install/objects/v2"
}
],
"session": "<session>"
}
where:
Item |
Value |
||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
||||||||||
|
Is the object to partial install (a firewall address, a firewall policy, etc.) |
||||||||||
|
Indicate how to place the object with regard to specified This argument is applicable for when action is Possible values are For |
||||||||||
|
Indicate after/before which element to partial install the selected object |
||||||||||
|
Can contains a list of actions! It is possible to combine multiple partial install operations in a single API call |
||||||||||
|
Can have two values
|
Example:
{
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"objects": [
["add", "pkg/default/firewall/policy/8", "before", "1"],
["update", "obj/firewall/address/Addr_1", "", ""],
["delete", "pkg/default/firewall/policy/3", "", ""],
["move", "pkg/default/firewall/policy/6", "after", "3"]
],
"flags": 0
},
"url": "securityconsole/install/objects/v2"
}
],
"session": 52904,
}
In the above example a partial install (flags is 0) is made to:
Add new firewall policy with
policyid8before existing firewall policy withpolicyid1Update existing
Addr_1firewall addressDelete existing firewall policy
policyid3Move existing firewall policy with
policyid6after existing firewall policy withpolicyid3
9.4.19.3. Enable Partial Install#
Enter the following command to enable to Partial Install mechanism:
config system global
set partial-install enable
end
Note
No need to enable the
partial-install-forceNew Partial Install API will only push selected objects and won’t consider the network and system setting changes pending in Device DB
9.4.19.4. Partial install to only install the instructed changes#
Unlike the Legacy Partial Install API, the new Partial Install API will only push selected objects and won’t consider the network and system setting changes pending in Device DB.
The feature has been implemented in FortiManager 7.4.1 (#875715).
9.4.19.4.1. Partial install of a used/updated firewall address#
Preparation
Update the
host_111firewall addressThis object is already used by one of the firewall policy installed in the
dev_001managed deviceIt’s former IP address was
162.148.54.193/255.255.255.255It’s new IP address is
1.1.1.1/255.255.255.255
In FortiManager GUI, from Device Manager, add a new static route in the
dev_001managed device:config router static edit 2 set dst 10.0.1.0 255.255.255.0 set gateway 172.16.65.1 set device port1 next end
Note
You’re now in a situation where you have both ADOM DB (
host_111) and Device DB (dev_001router.statictable) pending changes
Trigger a new partial install
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "root", "flags": 0, "objects": [ [ "update", "obj/firewall/address/host_111", "", "" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
The
scopeblock is optionalIf not used, FortiManager will manage to figure out what are the managed devices using this object
Action is
updatebecause it’s an existing but updated firewall address
{ "id": 3, "result": [ { "data": { "task": 13 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
The task completed successfully
This is the View Installation Log output:
Starting log (Run on device) Start installing dev_001 $ config firewall address dev_001 (address) $ edit "host_111" dev_001 (host_111) $ set subnet 1.1.1.1 255.255.255.255 dev_001 (host_111) $ next dev_001 (address) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, FortiManager only installed the selected and updated
host_111firewall addressPending static route wasn’t installed against the
dev_001managed device
9.4.19.4.2. Partial install of an used/updated firewall policy with new/used/updated firewall addresses#
Preparation
Create the
host_201firewall addressconfig firewall address edit host_201 set subnet 21.103.33.206/32 set color 9 next endNavigate to the
ppkg_001policy packageEdit policy seq #2 (
policyidshould be2as well)Add
host_201(new object) in the Source columnAdd
host_006(used object) in the Destination column
The
dev_001managed device still has the static route pointing to10. 0.1.0/24created earlier
Note
You’re now in a situation where you have both ADOM DB (
host_201firewall address and modifiedppkg_001Policy Package) and Device DB (dev_001router.statictable) pending changes
Trigger a new partial install
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "root", "flags": 0, "objects": [ [ "update", "pkg/ppkg_001/firewall/policy/2", "", "" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
objectsaction isupdatebecause it’s an existing but updated firewall policy
{ "id": 2, "result": [ { "data": { "task": 14 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
The task completed successfully
This is the View Installation Log output:
Starting log (Run on device) Start installing FGVM04TM23004347 $ config firewall address FGVM04TM23004347 (address) $ edit "host_201" FGVM04TM23004347 (host_201) $ set uuid 347c4a0c-5847-51ee-d296-f1b66bde8f41 FGVM04TM23004347 (host_201) $ set color 10 FGVM04TM23004347 (host_201) $ set subnet 21.103.33.206 255.255.255.255 FGVM04TM23004347 (host_201) $ next FGVM04TM23004347 (address) $ end FGVM04TM23004347 $ config firewall policy FGVM04TM23004347 (policy) $ edit 2 FGVM04TM23004347 (2) $ set srcaddr "host_002" "host_201" FGVM04TM23004347 (2) $ set dstaddr "host_006" "host_102" FGVM04TM23004347 (2) $ next FGVM04TM23004347 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, FortiManager only installed the selected and updated
policyid2Pending static route wasn’t installed against the
dev_001managed device
9.4.19.5. Partial install to support install + move policy#
The Legacy Partial Install API was supporting to partial install a new firewall policy created within a Policy Package at a specific position in the existing list of firewall policies.
However, this new policy was successfully created in the managed device, but at the last position. See Partial Install New Firewall Policy.
The new Partial Install API now support to specify the placement details.
The feature has been implemented in FortiManager 7.4.1 (#875716).
9.4.19.5.1. Partial install of a new policy with new/used/updated firewall addresses#
Preparation
Create the
host_202firewall addressconfig firewall address edit host_202 set subnet 22.103.33.206/32 set color 9 next endEdit the
host_003firewall addressFormer IP address was:
47.61.8.231/255.255.255.255New IP address is:
1.1.1.1/32
Create the
grp_001firewall address group withhost_050andhost_51address groupClone the
defaultIPS profile intoips_profile_001- Edit the cloned
ips_profile_001 Click Create New
Enable Packet logging
Set Status to Enable
- Edit the cloned
Navigate to the
ppkg_001policy packageInsert a new firewall policy after policy seq #10 (
policyidshould be10as well)Newly inserted policy shows up with
policyid101and with seq #11Enable it
Set Name column to
Policy_101In the Source column, add firewall addresses: -
host_202(new firewall address) -host_001(used firewall address)In the Destination column, add: -
host_003(updated firewall address) -grp_001(new firewall address group of used firewall addresses)Set Action to Accept
Add
ips_sensor_001IPS profile in the Security Profiles column
This is the resulting new firewall policy:
The
dev_001managed device still has the static route pointing to10.0.1.0/24created earlier
Trigger partial install
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "flags": 0, "objects": [ [ "add", "pkg/ppkg_001/firewall/policy/101", "after", "10" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
Action is
addbecause it’s a new firewall policy
{ "id": 3, "result": [ { "data": { "task": 15 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
The task completed successfully
This is the View Installation Log output:
Starting log (Run on device) Start installing dev_001 $ config firewall address dev_001 (address) $ edit "host_003" dev_001 (host_003) $ set subnet 1.1.1.1 255.255.255.255 dev_001 (host_003) $ next dev_001 (address) $ edit "host_202" dev_001 (host_202) $ set uuid 4f701070-584a-51ee-a929-d2686f6d80d5 dev_001 (host_202) $ set color 30 dev_001 (host_202) $ set subnet 22.103.33.206 255.255.255.255 dev_001 (host_202) $ next dev_001 (address) $ end dev_001 $ config firewall addrgrp dev_001 (addrgrp) $ edit "grp_001" dev_001 (grp_001) $ set uuid 6dc5814a-584a-51ee-d6c7-da84f06b12a3 dev_001 (grp_001) $ set member "host_050" "host_051" dev_001 (grp_001) $ set color 30 dev_001 (grp_001) $ next dev_001 (addrgrp) $ end dev_001 $ config ips sensor dev_001 (sensor) $ edit "ips_profile_001" dev_001 (ips_profile_001) $ set comment "Prevent critical attacks." dev_001 (ips_profile_001) $ config entries dev_001 (entries) $ edit 1 dev_001 (1) $ set severity medium high critical dev_001 (1) $ next dev_001 (entries) $ edit 2 dev_001 (2) $ set status enable dev_001 (2) $ set log-packet enable dev_001 (2) $ next dev_001 (entries) $ end dev_001 (ips_profile_001) $ next dev_001 (sensor) $ end dev_001 $ config firewall policy dev_001 (policy) $ edit 101 dev_001 (101) $ set name "Policy_101" dev_001 (101) $ set uuid a045d39a-584a-51ee-4ca0-ca6a56de0f60 dev_001 (101) $ set action accept dev_001 (101) $ set srcintf "port2" dev_001 (101) $ set dstintf "port1" dev_001 (101) $ set srcaddr "host_001" "host_202" dev_001 (101) $ set dstaddr "host_003" "grp_001" dev_001 (101) $ set schedule "always" dev_001 (101) $ set service "ALL" dev_001 (101) $ set utm-status enable dev_001 (101) $ set logtraffic all dev_001 (101) $ set label "Project #1" dev_001 (101) $ set global-label "Project #1" node_check_object fail! for global-label Project #1 value parse error before 'Project #1' Command fail. Return code -7 dev_001 (101) $ set ips-sensor "ips_profile_001" dev_001 (101) $ next dev_001 (policy) $ move 101 after 10 dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, FortiManager only installed the new firewall policy and all its new and updated objects, at the correct location
This is same firewall policy seen from FortiGate GUI:
Pending static route wasn’t installed against the
dev_001managed device
9.4.19.5.2. Partial install of a deleted firewall policy#
Preparation
Navigate to the
ppkg_001policy packageDelete firewall policy seq #11 (
policyidshould be101)The
dev_001managed device still has the static route pointing to10.0.1.0/24created earlier
Trigger partial install
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "flags": 0, "objects": [ [ "delete", "pkg/ppkg_001/firewall/policy/101", "", "" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
Action is
deletebecause it’s non existing (just deleted) firewall policy
{ "id": 3, "result": [ { "data": { "task": 16 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
The task completed successfully
This is the View Installation Log output:
Starting log (Run on device) Start installing dev_001 $ config firewall policy dev_001 (policy) $ delete 101 dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, FortiManager only deleted the selected firewall policy
FortiManager didn’t delete the now unused: -
host_202firewall address -grp_001firewall address group -ips_profile_001IPS profileThey will be removed during a normal Policy Package install
Pending static route wasn’t installed against the
dev_001managed device
9.4.19.5.3. Partial install of an updated policy#
The selected policy seq #2 (policyid should be 2) is the only one to use
the host_201 firewall address.
The host_201 firewall address will be removed from the selected policy (but
not deleted from the ADOM DB).
Goal is the observe the partial install behavior: will it delete the unused
host_201 firewall address from the managed device?
Preparation
Navigate to the
ppkg_001policy packageRemove the
host_201firewall address from the Source column of policy seq #2 (policyidshould be2)The
dev_001managed device still has the static route pointing to10.0.1.0/24created earlier
Trigger partial install
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "flags": 0, "objects": [ [ "update", "pkg/ppkg_001/firewall/policy/2", "", "" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
Action is
updatebecause it’s an existing but updated firewall policy{ "id": 3, "result": [ { "data": { "task": 17 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
The task completed successfully
This is the View Installation Log output:
Starting log (Run on device) Start installing dev_001 $ config firewall policy dev_001 (policy) $ edit 2 dev_001 (2) $ set srcaddr "host_002" dev_001 (2) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, FortiManager updated the selected firewall policy by removing the
host_201firewall addressFortiManager didn’t delete the now unused: -
host_201firewall addressIt will be removed during a normal Policy Package install
Pending static route wasn’t installed against the
dev_001managed device
9.4.19.6. Add support to preview partial install#
The feature has been implemented in FortiManager 7.4.0 (#862628).
9.4.19.6.1. Preview of a partial install of an updated policy#
Preparation
Clone the
ips_profile_001intoips_profile_004Create the
grp_004firewall address group withhost_056andhost_57address groupNavigate to the
ppkg_001policy packageEdit policy seq #6 (
policyidshould be6) - Add back thehost_201firewall address in the Source column - Add thegrp_004firewall address group in the Destination column - Add theips_profile_004IPS profileThe
dev_001managed device still has the static route pointing to10.0.1.0/24created earlier
Trigger partial install with the preview option
Step #1: Trigger the partial install with the preview option
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "flags": 2, "objects": [ [ "update", "pkg/ppkg_001/firewall/policy/6", "", "" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
flagsis set with2which meanspreviewbecause it is just required to previewNo other install action will be done
{ "id": 3, "result": [ { "data": { "task": 20 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
Step #2: Once the returned task is completed, get the preview result
{ "id": 4, "method": "exec", "params": [ { "data": { "adom": "demo", "device": "dev_001" }, "url": "/securityconsole/preview/result" } ], "session": "{{session}}" }
{ "id": 4, "result": [ { "data": { "message": "config firewall addrgrp\n edit \"grp_004\"\n set uuid 919cb4be-5852-51ee-65f5-c09937fa4f54\n set member \"host_056\" \"host_057\"\n set color 24\n next\nend\nconfig ips sensor\n edit \"ips_profile_004\"\n set comment \"Prevent critical attacks.\"\n config entries\n edit 1\n set severity medium high critical\n next\n edit 2\n set status enable\n set log-packet enable\n next\n end\n next\nend\nconfig firewall policy\n edit 6\n set srcaddr \"host_006\" \"host_201\"\n set dstaddr \"host_106\" \"grp_004\"\n set utm-status enable\n set ips-sensor \"ips_profile_004\"\n next\nend\n" }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/preview/result" } ] }
Conclusion
As expected, FortiManager produced a preview of the requested partial install operation
Pending static route wasn’t installation wasn’t part of the preview result
9.4.20. Firewall Policy Revision#
9.4.20.1. How to get list of changes mage in a firewall policy?#
Following example shows how to obtain the list of changes made on firewall policy with policyid 14 in the ppkg_001 Policy Package from the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy/14"
}
],
"session": "{{session}}",
"verbose": 1
}
{ "id": 3, "result": [ { "data": [ { "act": 1, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-label-color\": 0, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 1, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"any\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": \"Policy_001\", \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11310, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-offload\": 1, \"policyid\": 14, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"any\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"64abdc74-cef8-51ee-c4f6-b99de54c6f1a\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "14", "note": "", "oid": 11310, "pkg_oid": 11294, "timestamp": 1708327673, "user": "admin" }, { "act": 3, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-dst-intf\": null, \"_global-label-color\": 0, \"_global-src-intf\": null, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 1, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auth-redirect-addr\": null, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-log-server-grp\": null, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"comments\": null, \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"any\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"global-label\": null, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"label\": null, \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": \"Policy_001\", \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11310, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-expiry-date-utc\": null, \"policy-offload\": 1, \"policyid\": 14, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"redirect-url\": null, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"INFO_ADDRESS\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"any\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"64abdc74-cef8-51ee-c4f6-b99de54c6f1a\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"vlan-filter\": null, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "14", "note": "", "oid": 11310, "pkg_oid": 11294, "timestamp": 1708327690, "user": "admin" } ], "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy/14" } ] }
Note
For each change the
actis giving you the nature of the change:Value
meaning
1New policy created
2Existing policy deleted
Note
Not sure you will be able to see this one…
3Existing policy modified
The
keyattribute is thepolicyidThe
configattribute is a copy of the firewall policy containing the changeFortiManager returns an ordered list of changes; the first item is the first change
9.4.20.2. How to revert a firewall policy from a past changes?#
There’s no specific revert API endpoint.
It’s on you to capture the config attribute of a past change by looking at the list of changes for a firewall policy (see How to get list of changes mage in a firewall policy?) and then to update that same firewall policy.
Following example is considering the output from section How to get list of changes mage in a firewall policy?. It will revert the firewall policy with the config saved when it was just created:
{
"id": 4,
"method": "update",
"params": [
{
"data": {
"_byte": 0,
"_first_hit": 0,
"_first_session": 0,
"_global-label-color": 0,
"_global-vpn": [],
"_global-vpn-tgt": 0,
"_hitcount": 0,
"_label-color": 0,
"_last_hit": 0,
"_last_session": 0,
"_pkts": 0,
"_sesscount": 0,
"action": 1,
"anti-replay": 1,
"application-list": [],
"auth-cert": [],
"auth-path": 0,
"auto-asic-offload": 1,
"av-profile": [],
"block-notification": 0,
"captive-portal-exempt": 0,
"capture-packet": 0,
"casb-profile": [],
"cgn-eif": 0,
"cgn-eim": 0,
"cgn-resource-quota": 16,
"cgn-session-quota": 16777215,
"cifs-profile": [],
"custom-log-fields": [],
"decrypted-traffic-mirror": [],
"delay-tcp-npu-session": 0,
"diameter-filter-profile": [],
"diffserv-copy": 0,
"diffserv-forward": 0,
"diffserv-reverse": 0,
"diffservcode-forward": "000000",
"diffservcode-rev": "000000",
"disclaimer": 0,
"dlp-profile": [],
"dnsfilter-profile": [],
"dsri": 0,
"dstaddr": [
"all"
],
"dstaddr-negate": 0,
"dstaddr6": [],
"dstaddr6-negate": 0,
"dstintf": [
"any"
],
"dynamic-shaping": 0,
"email-collect": 0,
"emailfilter-profile": [],
"fec": 0,
"file-filter-profile": [],
"firewall-session-dirty": 0,
"fixedport": 0,
"fsso-agent-for-ntlm": [],
"fsso-groups": [],
"geoip-anycast": 0,
"geoip-match": 0,
"groups": [],
"gtp-profile": [],
"http-policy-redirect": 0,
"icap-profile": [],
"identity-based-route": [],
"inbound": 0,
"inspection-mode": 1,
"internet-service": 0,
"internet-service-custom": [],
"internet-service-custom-group": [],
"internet-service-group": [],
"internet-service-name": [],
"internet-service-negate": 0,
"internet-service-src": 0,
"internet-service-src-custom": [],
"internet-service-src-custom-group": [],
"internet-service-src-group": [],
"internet-service-src-name": [],
"internet-service-src-negate": 0,
"internet-service6": 0,
"internet-service6-custom": [],
"internet-service6-custom-group": [],
"internet-service6-group": [],
"internet-service6-name": [],
"internet-service6-negate": 0,
"internet-service6-src": 0,
"internet-service6-src-custom": [],
"internet-service6-src-custom-group": [],
"internet-service6-src-group": [],
"internet-service6-src-name": [],
"internet-service6-src-negate": 0,
"ip-version-type": "ipv4",
"ippool": 0,
"ips-sensor": [],
"ips-voip-filter": [],
"logtraffic": 2,
"logtraffic-start": 0,
"match-vip": 1,
"match-vip-only": 0,
"name": "Policy_001",
"nat": 0,
"nat46": 0,
"nat64": 0,
"natinbound": 0,
"natip": [
"0.0.0.0",
"0.0.0.0"
],
"natoutbound": 0,
"network-service-dynamic": [],
"network-service-src-dynamic": [],
"np-acceleration": 1,
"ntlm": 0,
"ntlm-enabled-browsers": [],
"ntlm-guest": 0,
"outbound": 1,
"passive-wan-health-measurement": 0,
"pcp-inbound": 0,
"pcp-outbound": 0,
"pcp-poolname": [],
"per-ip-shaper": [],
"permit-any-host": 0,
"permit-stun-host": 0,
"pfcp-profile": [],
"policy-behaviour-type": "standard",
"policy-expiry": 0,
"policy-expiry-date": "0000-00-00 00:00:00",
"policy-offload": 1,
"policyid": 14,
"poolname": [],
"poolname6": [],
"profile-group": [],
"profile-protocol-options": [
"default"
],
"profile-type": 0,
"radius-mac-auth-bypass": 0,
"replacemsg-override-group": [],
"reputation-direction": 2,
"reputation-direction6": 42,
"reputation-minimum": 0,
"reputation-minimum6": 0,
"rtp-addr": [],
"rtp-nat": 0,
"schedule": [
"always"
],
"schedule-timeout": 0,
"sctp-filter-profile": [],
"send-deny-packet": 0,
"service": [
"ALL"
],
"service-negate": 0,
"session-ttl": "0",
"sgt": [],
"sgt-check": 0,
"src-vendor-mac": [],
"srcaddr": [
"all"
],
"srcaddr-negate": 0,
"srcaddr6": [],
"srcaddr6-negate": 0,
"srcintf": [
"any"
],
"ssh-filter-profile": [],
"ssh-policy-redirect": 0,
"ssl-ssh-profile": [
"no-inspection"
],
"status": 1,
"tcp-mss-receiver": 0,
"tcp-mss-sender": 0,
"tcp-session-without-syn": 2,
"tcp-timeout-pid": [],
"timeout-send-rst": 0,
"tos": "0x00",
"tos-mask": "0x00",
"tos-negate": 0,
"traffic-shaper": [],
"traffic-shaper-reverse": [],
"udp-timeout-pid": [],
"users": [],
"utm-status": 0,
"uuid": "64abdc74-cef8-51ee-c4f6-b99de54c6f1a",
"videofilter-profile": [],
"virtual-patch-profile": [],
"vlan-cos-fwd": 255,
"vlan-cos-rev": 255,
"voip-profile": [],
"vpn_dst_node": null,
"vpn_src_node": null,
"vpntunnel": [],
"waf-profile": [],
"wanopt": 0,
"wanopt-detection": 1,
"wanopt-passive-opt": 0,
"wanopt-peer": [],
"wanopt-profile": [],
"wccp": 0,
"webcache": 0,
"webcache-https": 0,
"webfilter-profile": [],
"webproxy-forward-server": [],
"webproxy-profile": [],
"ztna-device-ownership": 0,
"ztna-ems-tag": [],
"ztna-ems-tag-secondary": [],
"ztna-geo-tag": [],
"ztna-policy-redirect": 0,
"ztna-status": 0,
"ztna-tags-match-logic": 0
},
"revision note": "Revert from create time",
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}"
}
Note
Don’t use the
oidattribute or you will probably get an error like:{ "id": 4, "result": [ { "status": { "code": -10, "message": "The data is invalid for selected url" }, "url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy" } ] }
As a best practice, think about adding a
revision note
{
"id": 4,
"result": [
{
"data": {
"policyid": 14
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
9.5. Global Policies & objects#
9.5.1. How to create a global policy package?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"name": "g_pp_003",
"type": "pkg"
},
"url": "/pm/pkg/global"
}
],
"session": "YS8S4z10DL1D1lWXA2RrS5H48Pl8gJWtWZ9jm8SsMOHBriZ92czufaVtR7pFjCmKYQT3B652Wgie5nlUbLEobQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global"
}
]
}
9.5.2. How to add ADOMs as Global Policy Package targets?#
The following example shows how to add the demo_001 and demo_002 ADOMs as targets of the g_ppkg_001 Global Policy Package:
{
"id": 1,
"method": "add",
"params": [
{
"data": [
{
"name": "demo_001"
},
{
"name": "demo_002"
}
],
"url": "/pm/pkg/global/g_pppk_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global/g_ppkg_001/scope member"
}
]
}
Note
Existing list of target ADOMs won’t be overwritten
If there was the
demo_003ADOM as target before thisaddoperation, then the definitive list of targets will be thedemo_001,demo_002anddemo_003ADOMs
9.5.3. How to get ADOMs from the Global Policy Package targets?#
The following example shows how to get the ADOM targets of the g_ppkg_001 Global Policy Package:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/pkg/global/g_ppkg_001"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"name": "g_ppkg_001",
"obj ver": 0,
"oid": 5623,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"scope member": [
{
"name": "demo_001"
},
{
"name": "demo_002"
},
{
"name": "demo_003"
}
],
"type": "pkg"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global/g_ppkg_001"
}
]
}
9.5.4. How to delete ADOMs from the Global Policy Package targets?#
The following example shows how to delete the demo_001 and demo_002 ADOMs targets of the g_ppkg_001 Global Policy Package:
{
"id": 3,
"method": "delete",
"params": [
{
"data": [
{
"name": "demo_001"
},
{
"name": "demo_002"
}
],
"url": "/pm/pkg/global/g_ppkg_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global/g_ppkg_001/scope member"
}
]
}
Note
Existing list of target ADOMs won’t be overwritten
If there was the
demo_001,demo_002anddemo_003ADOMs as target before thisdeleteoperation, then the definitive list of targets will be thedemo_001ADOM
9.5.5. How to trigger an assign Global Policy Package?#
The following example shows how to trigger an assign operation of the
g_ppkg_001 Global Policy Package against the demo_001 and demo_002 ADOMs:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"flags": [
"none"
],
"pkg": "g_ppkg_001",
"target": [
{
"adom": "demo_001"
},
{
"adom": "demo_002"
}
]
},
"url": "/securityconsole/assign/package"
}
],
"session": "{{session}}"
}
Note
noneis the default flag to copy global policies and its used objects onlyUse flag
cp_all_objsif you want to copy policies and all objects, even the unused ones
Tip
Should you want to trigger an assign followed by an install, just add the flag
copy_assigned_pkg, for instance:"flags": ["cp_all_obs", "copy_assigned_pkg"],
will copy policies and all objects to target ADOMs, and will also trigger a policy package install.
{
"id": 3,
"result": [
{
"data": {
"task": 201
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/assign/package"
}
]
}
Note
As usual, when a task is returned, you have to monitor it by getting
task/task/<task_id>
9.5.6. How to trigger an assign global policy package with exclusion?#
Consider that the demo ADOM is with three Policy Packages: ppkg_001 to ppkg_003.
The following example shows how to trigger an assign operation of the g_ppkg_001 Global Policy against the demo ADOM but only for its ppkg_001 Policy Package:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"flags": [
"none"
],
"pkg": "g_ppkg_001",
"target": [
{
"adom": "demo",
"excluded": "enable",
"pkg": [
"ppkg_002",
"ppkg_003"
]
}
]
},
"url": "/securityconsole/assign/package"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"task": 13
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/assign/package"
}
]
}
9.5.7. How to trigger an unassign Global Policy Package?#
The following example shows how to trigger an unassign operation for the g_ppkg_001 Global Policy Package and the demo ADOM, one of its current targets:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"flags": [
"unassign"
],
"pkg": "g_ppkg_001",
"target": [
{
"adom": "demo"
}
]
},
"url": "/securityconsole/assign/package"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"task": 14
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/assign/package"
}
]
}
9.6. How to get ADOM options?#
We don’t know what is this one doing yet…
We discovered it during a debug of a FMG 7.0.1-INTERIM build 0080:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/_adom/options"
}
],
"session": "TSigtab+3M9+fLF6QNdSxvkXUPShX97W5/VhKV4R1xb95WKYP8dfG/sEr8wsYfoiHUXqxZEWjnXwMalYShTFMg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"pkg list": []
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/_adom/options"
}
]
}
9.7. Central DNAT#
9.7.1. How to get central dnat policies?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
],
"session": "dDKFLWDRqlQs6gSZwkUB2EPNYVyDL7JZYJ2OcfZgLFwGvtQwjvsx6XlQGuX6lQTdg2v2Jyysu+3avjaPfzw19w==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"name": [
"tc_004_vip_001"
],
"obj seq": 1
},
{
"name": [
"tc_004_vip_002"
],
"obj seq": 2
},
{
"name": [
"tc_004_vip_003"
],
"obj seq": 3
},
{
"name": [
"tc_004_vip_008"
],
"obj seq": 4
},
{
"name": [
"tc_004_vip_004"
],
"obj seq": 5
},
{
"name": [
"tc_004_vip_005"
],
"obj seq": 6
},
{
"name": [
"tc_004_vip_006"
],
"obj seq": 7
},
{
"name": [
"tc_004_vip_007"
],
"obj seq": 8
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
]
}
9.7.2. How to add central dnat policies?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "set",
"params": [
{
"data": [
{
"name": [
"tc_004_vip_009"
]
},
{
"name": [
"tc_004_vip_010"
]
}
],
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
],
"session": "dDKFLWDRqlQs6gSZwkUB2EPNYVyDL7JZYJ2OcfZgLFwGvtQwjvsx6XlQGuX6lQTdg2v2Jyysu+3avjaPfzw19w==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
]
}
9.8. How to Import Policy in a policy package?#
It’s a three steps process:
Perform the dynamic interfaces mapping
REQUEST:
{ "id": ANY-NUMBER, "method": "exec", "params": [ { "data": { "adom": "ADOM-NAME", "dst_name": "PACKAGE-NAME", "if_all_policy": "enable", "import_action": "policy_search", "name": "DEVICE-NAME", "vdom": "root", "if_all_objs": "none", "add_mappings": "enable" }, "url": "/securityconsole/import/dev/objs" } ], "session": "SESSION-ID" }
Note
Please note the
import_actionset topolicy_search, and theadd_mappingsset toenable.Perform dynamic objects mappings
REQUEST:
{ "id": 16, "method": "exec", "params": [ { "data": { "adom": "ADOM-NAME", "dst_name": "PACKAGE-NAME", "if_all_policy": "enable", "import_action": "obj_search", "name": "DEVICE-NAME", "vdom": "root", "if_all_objs": "none", "add_mappings": "enable" }, "url": "/securityconsole/import/dev/objs" } ], "session": "SESSION-ID" }
This time
import_actionwas set toobj_search.Importing policies and dependent dynamic interfaces and objects
REQUEST:
{ "id": ANY-NUMBER, "method": "exec", "params": [ { "data": { "adom": "ADOM-NAME", "dst_name": "PACKAGE-NAME", "if_all_policy": "enable", "import_action": "do", "name": "DEVICE-NAME", "vdom": "root", "if_all_objs": "filter" }, "url": "/securityconsole/import/dev/objs" } ], "session": "SESSION-ID" }