9. Policy Package Management
9.1. Folders
9.1.1. How to create a folder hierarchy
REQUEST:
{
"id": 1,
"method": "set",
"params": [
{
"data": [
{
"name": "folder_001",
"subobj": [
{
"name": "folder_002",
"subobj": [
{
"name": "folder_003",
"subobj": [
{
"name": "folder_004",
"type": "folder"
}
],
"type": "folder"
}
],
"type": "folder"
}
],
"type": "folder"
}
],
"url": "pm/pkg/adom/demo_001"
}
],
"session": 46811
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/pkg/adom/demo_001"
}
],
"session": 46811
}
9.1.2. How to move a folder?
REQUEST:
{
"id": 1,
"method": "exec",
"params": [
{
"url": "/securityconsole/package/move",
"data": {
"adom": "demo_001",
"pkg": "italy",
"dst_parent": "world/emea",
"dst_name": "italy"
}
}
],
"session": 11111
}
9.1.3. How to delete a folder?
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "delete",
"params": [
{
"url": "/pm/pkg/adom/demo/foobar"
}
],
"session": "NlLwCb+SB5wikMi1MPdTOnRtWOg6gM9z36yMMttHuWPZKoWW4Ia7/B/pGUjZMr4uZGqrw7J9aBImePfl9eZhbw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo/foobar"
}
]
}
9.2. Policy Packages
9.2.1. How to create a policy package?
We create policy package pp.003 in ADOM DEMO:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"name": "pp.003",
"package settings": {
"central-nat": "disable",
"consolidated-firewall-mode": "disable",
"fwpolicy-implicit-log": "disable",
"fwpolicy6-implicit-log": "disable",
"ngfw-mode": "profile-based"
},
"type": "pkg"
},
"url": "/pm/pkg/adom/DEMO"
}
],
"session": "4VUbMWg40/hOwzHt5/BRKRIbaAd0MBkTwprdFs4iG+w8QPSwyoa/MVrwHtVV7oQ463ifbp1I30eZ9FSluYtJuQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/DEMO"
}
]
}
Starting with FMG 7.0.1 (#708471), the response will also contain the pkg oid.
9.2.2. How to get the list of Policy Packages?
The following example shows how to get the list of Policy Packages in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/pkg/adom/demo"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": [
{
"name": "default",
"obj ver": 13,
"oid": 4971,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"type": "pkg"
},
{
"name": "fgt-742-001",
"obj ver": 5,
"oid": 6584,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"type": "pkg"
},
{
"name": "ppkg_001",
"obj ver": 6,
"oid": 10850,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"scope member": [
{
"name": "dc_emea_dev_001",
"vdom": "root"
},
{
"name": "dc_emea_dev_002",
"vdom": "root"
},
{
"name": "dc_emea_dev_003",
"vdom": "root"
}
],
"type": "pkg"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo"
}
]
}
Note
You can observe that when the Policy Package is assigned to managed devices, FortiManager returns the scope member attribute.
9.2.3. How to get a single Policy Package?
The following example returns the details of the ppkg_001 Policy Package from the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/pkg/adom/demo/ppkg_001"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"name": "ppkg_001",
"obj ver": 6,
"oid": 10850,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"scope member": [
{
"name": "dc_emea_dev_001",
"vdom": "root"
},
{
"name": "dc_emea_dev_002",
"vdom": "root"
},
{
"name": "dc_emea_dev_003",
"vdom": "root"
}
],
"type": "pkg"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo/ppkg_001"
}
]
}
Note
By default, FortiManager returns the Installation Targets of the Policy Package via the scope member attribute.
9.2.4. How to get the Installation Targets of a Policy Package?
See How to get the list of Policy Packages? or How to get a single Policy Package?
9.2.5. How to assign a device to a Policy Package?
We want to assign device hub1 to policy package hubs.pp in ADOM DEMO_007.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"name": "hub1",
"vdom": "root"
},
"url": "/pm/pkg/adom/DEMO_007/hubs.pp/scope member"
}
],
"session": "RNBTLp49bHV+yvRAw1FRGkvjURd7V13+GtS8Vk8KQ/VFZ4gPrIfGd4f09nrKk6ppw9QCUj1C1CbZz4d7/e7GmA==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/DEMO_007/hubs.pp/scope member"
}
]
}
9.2.6. Policy Package Installation
9.2.6.1. How to install a Policy Package?
To install the branches Policy Package from ADOM demo:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"adom_rev_comments": "Changes from SR #01233",
"adom_rev_name": "ADOM Revision #01233",
"dev_rev_comments": "sr_01233",
"flags": [
"none"
],
"pkg": "branches"
},
"url": "/securityconsole/install/package"
}
],
"session": "{{session}}"
}
Note
- There is no scope attribute; it means that the Policy Package will be installed against all the assigned Installation Targets.
- adom_rev_comments will be used as the comment for the created ADOM Revision.
- adom_rev_name will be used as the name for the created ADOM Revision.
- dev_rev_comments will be used as the comment for the created Device Revision (see section Device revisions).
{
"id": 3,
"result": [
{
"data": {
"task": 3468
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.2. How to install a Policy Package against a device?
It is required to add the scope attribute:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "DEMO",
"flags": [
"none"
],
"pkg": "pp.branches",
"scope": [
{
"name": "branch2_fgt",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "3xJ+a4TrhW5fSFSy3AQixRxRnINFsQhvOMXiSMVC1ryEMVZQ/enwiTasPzY9X1e64KT/UoTdl8lfory4wXub4A==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 536
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
Note
- The scope attribute is a list, hence it can contain multiple devices or device groups.
- The devices/device groups listed in the scope should belong to the list of assigned installation targets for this Policy Package.
- The membership can be direct or indirect:
  - Direct membership means the device listed in the scope attribute is also in the installation targets list of the Policy Package.
  - Indirect membership means the device listed in the scope attribute is a member of a device group, or of a nested device group of a device group, present in the installation targets list of the policy package. For instance, if the installation targets list of the Policy Package contains device group branches, then you can use device branch_001 in the scope attribute if it belongs to this device group or one of its nested device groups.
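To check these membership rules before calling the install, here is an added example (not FortiManager code): the device-group tree, the installation targets and the helper names are constructed assumptions, and it follows the page's convention that a scope entry with only a name is a device group (#02764941) and that nested groups are written as paths.

```python
# constructed: device group path -> members, each a (device, vdom) tuple
# or the path of a nested device group
DEVICE_GROUPS = {
    "emea": ["emea/france", "emea/spain"],
    "emea/france": ["emea/france/paris", ("branch_001", "root"), ("branch_002", "root")],
    "emea/france/paris": [("branch_010", "root")],
    "emea/spain": [("branch_101", "root")],
}

# constructed: the package's installation targets ("scope member")
INSTALL_TARGETS = [
    {"name": "emea/france"},               # a device group (name only)
    {"name": "test-001", "vdom": "root"},  # a device/VDOM
]


def is_group(entry):
    """Page convention (#02764941): a name without vdom is a device group."""
    return "vdom" not in entry


def reachable(group, groups):
    """All devices and nested groups reachable from `group`; cycle-safe so a
    mis-built group tree cannot hang the check."""
    devices, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if isinstance(member, tuple):
                devices.add(member)
            else:
                stack.append(member)
    return devices, seen


def classify_scope(scope, targets, groups):
    """Map each scope entry to 'direct', 'indirect' or 'not a target'."""
    direct_groups = {t["name"] for t in targets if is_group(t)}
    direct_devices = {(t["name"], t["vdom"]) for t in targets if not is_group(t)}
    indirect_devices, indirect_groups = set(), set()
    for g in direct_groups:
        devices, nested = reachable(g, groups)
        indirect_devices |= devices
        indirect_groups |= nested - {g}
    verdict = {}
    for entry in scope:
        key = entry["name"] if is_group(entry) else (entry["name"], entry["vdom"])
        if key in direct_groups or key in direct_devices:
            verdict[key] = "direct"
        elif key in indirect_groups or key in indirect_devices:
            verdict[key] = "indirect"
        else:
            verdict[key] = "not a target"
    return verdict


def safe_to_install(scope, targets=INSTALL_TARGETS, groups=DEVICE_GROUPS):
    """(True, []) when every entry is covered, else (False, offending keys)."""
    bad = [k for k, v in classify_scope(scope, targets, groups).items()
           if v == "not a target"]
    return not bad, bad
```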
9.2.6.3. How to install a Policy Package against a Device Group?
We have Policy Package pp_france in folder france, which is in turn in folder emea.
Policy Package pp_france has device group france and device test-001 as installation targets.
The goal is to install Policy Package pp_france against device group france only.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"flags": [
"none"
],
"pkg": "emea/france/pp_france",
"scope": [
{
"name": "france"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "Of286Bft82otZnCz6da2+FEskUyY6q4Opnyd1/nkpAoEMem7osWNVkU0XEGC24lIobP43qxJsmmnqUVGd88Cqw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 148
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
#02764941 states that when a scope entry only has a name attribute, it is considered a device group.
If device group france is in a device group emea, we can just use the full path in the name attribute:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"flags": [
"none"
],
"pkg": "emea/france/pp_france",
"scope": [
{
"name": "emea/france"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "Of286Bft82otZnCz6da2+FEskUyY6q4Opnyd1/nkpAoEMem7osWNVkU0XEGC24lIobP43qxJsmmnqUVGd88Cqw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 148
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.4. How to install a policy package located in a folder?
To install policy package pp_corporate placed in folder /duts/emea, from ADOM adom_dut:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "adom_dut",
"flags": [
"none"
],
"pkg": "duts/emea/pp_corporate",
"scope": [
{
"name": "fgt_dut1",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "za3jFQLMS8vEoQzyoby34nnzKHz6kF7Di1DDyLEID0P2wj09hzdofc09CDocYgZCQ7wT1nlEtzRxAtykowfuEw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 1273
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.5. How to install a policy package against a device's device db only?
Why would we need this?
It could be because we prefer to review the definitive configuration offline, i.e. from the FortiManager database.
To achieve this, we can use the copy_only flag.
It takes the pending changes from the ADOM DB and copies them into the target's Device DB.
In the example below we trigger the copy operation against managed device branch12, considering the pending security changes from policy package pp_branches in ADOM demo:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "DB",
"flags": [
"copy_only"
],
"pkg": "pp.003",
"scope": [
{
"name": "branch12",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "o9m+9/oQ101vfDhLYU3WkKa1YJR6p3nA0NFVmuBKw3JxgFYtD7Y3FekxTuMNZ1TgG8gslO6g/gzZtvVIKPZQnmtQETm7OABp",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 133
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.6. How to install a policy package against an offline device?
This is for when the ADOM is configured with Auto-Push Policy Packages When Device Back Online enabled.
It's a three-step process:
1. First we need to trigger a copy operation.
REQUEST:
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "knock_39363", "adom_rev_name": "dut_fgt_34_235_2022-4-6-20-2-51", "flags": [ "generate_rev", "preview" ], "pkg": "dut_fgt_34_235", "scope": [ { "name": "dut_fgt_34_235", "vdom": "root" } ] }, "url": "/securityconsole/install/package" } ], "session": "2D7yrlIbNRf/1kt9B+ame4T2G/RFfW2DGboxzrV6xa50olO2utVGM0c7fQtkblrBtt57m8l3x3651mH2hiQ2eg==" }
RESPONSE:
{ "id": 3, "result": [ { "data": { "task": 148 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/package" } ] }
Note
Of course, we need to monitor the returned task’s progress
2. Then we commit!
REQUEST:
{ "id": 4, "method": "exec", "params": [ { "data": { "adom": "knock_39363", "scope": [ { "name": "dut_fgt_34_235", "vdom": "root" } ] }, "url": "/securityconsole/package/commit" } ], "session": "2D7yrlIbNRf/1kt9B+ame4T2G/RFfW2DGboxzrV6xa50olO2utVGM0c7fQtkblrBtt57m8l3x3651mH2hiQ2eg==" }
RESPONSE:
{ "id": 4, "result": [ { "data": { "task": 149 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/package/commit" } ] }
3. Then we can cancel the install.
REQUEST:
{ "id": 5, "method": "exec", "params": [ { "data": { "adom": "knock_39363" }, "url": "/securityconsole/package/cancel/install" } ], "session": "2D7yrlIbNRf/1kt9B+ame4T2G/RFfW2DGboxzrV6xa50olO2utVGM0c7fQtkblrBtt57m8l3x3651mH2hiQ2eg==" }
RESPONSE:
{ "id": 5, "result": [ { "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/package/cancel/install" } ] }
9.2.6.7. How to install multiple policy packages against multiple devices?
Using a single API call, it is possible to install multiple policy packages against different devices by using the reinstall operation.
The example below installs policy packages ppkg_hubs and ppkg_branches against devices fgt_00_1 and fgt_01_1 respectively (in ADOM demo):
REQUEST:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": [
"generate_rev"
],
"target": [
{
"pkg": "ppkg_hubs",
"scope": {
"name": "fgt_00_1",
"vdom": "root"
}
},
{
"pkg": "ppkg_branches",
"scope": {
"name": "fgt_01_1",
"vdom": "root"
}
}
]
},
"url": "/securityconsole/reinstall/package"
}
],
"session": "is4k5yJ0zojKcdpHdovj/jc74ROm39WD/lN4VuxRFDGrlCJev4O8M/R2mdbj9dXoiEu30PO2FzRCc7vFL1dEDQ=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"task": 595
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/reinstall/package"
}
]
}
If you look at the generated task, you will see that FMG proceeds with a sequential install. Considering the above example, it will first install policy package ppkg_hubs against device fgt_00_1 and then install policy package ppkg_branches against device fgt_01_1.
9.2.6.8. How to reinstall a policy package against a device group?
As usual, when you target a Device Group, you still have to use the scope attribute, but this time only with the name attribute (i.e. the vdom attribute should be omitted).
The following example shows how to reinstall the ppkg_001 Policy Package from the demo ADOM against the grp_001 Device Group:
{
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": [
"none"
],
"extflags": 0,
"target": [
{
"pkg": "ppkg_001",
"scope": [
{
"name": "grp_001"
}
]
}
]
},
"url": "/securityconsole/reinstall/package"
}
],
"session": "{{session}}"
}
{
"result": [
{
"data": {
"task": 4140
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/reinstall/package"
}
]
}
In this case, FortiManager proceeds with a parallel policy package installation for all the device group's members.
However, should you have two or more target elements in the above API request, then as in the How to install multiple policy packages against multiple devices? case seen in the previous section, FortiManager will go with a sequential installation for them.
9.2.6.9. How to reinstall multiple policy packages against multiple devices in parallel?
In that case, we have to replicate the Re-install Policy mechanism from the GUI.
It's a three-step process:
1. Trigger the reinstall in preview mode.
This time we use the same API request as in How to install multiple policy packages against multiple devices? but we use the preview flag:
REQUEST:
{
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"flags": [
"preview"
],
"extflags": 0,
"target": [
{
"pkg": "ppkg_dut_fgt_1",
"scope": [
{
"name": "dut_fgt_1",
"vdom": "root"
}
]
},
{
"pkg": "ppkg_dut_fgt_2",
"scope": [
{
"name": "dut_fgt_2",
"vdom": "root"
}
]
}
]
},
"url": "/securityconsole/reinstall/package"
}
],
"session": "{{session_id}}",
"verbose": 1
}
RESPONSE:
{
"result": [
{
"data": {
"task": 4149
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/reinstall/package"
}
]
}
2. Commit the changes against the concerned devices.
REQUEST:
{
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"scope": [
{
"name": "dut_fgt_1",
"vdom": "root"
},
{
"name": "dut_fgt_2",
"vdom": "root"
}
]
},
"url": "/securityconsole/package/commit"
}
],
"session": "{{session_id}}",
"verbose": 1
}
RESPONSE:
{
"result": [
{
"data": {
"task": 4150
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/commit"
}
]
}
3. Cancel the install operation.
REQUEST:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}"
},
"url": "/securityconsole/package/cancel/install"
}
],
"session": "{{session_id}}"
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/cancel/install"
}
]
}
9.2.7. How to copy a firewall policy?
Here the word copy refers to the action of copying a firewall policy from the ADOM DB to the Device DB.
For more information see section How to copy objects?
The example below shows how to copy a firewall policy from the dc_helsinki ADOM to the dut_fgt_10 managed device and its root VDOM:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "dc_helsinki",
"category": 181,
"override_conflict": 1,
"query_only": 0,
"scope": [
{
"name": "dut_fgt_10",
"vdom": "root"
}
],
"src_list": [
{
"oid": 4835
}
]
},
"url": "/securityconsole/install/global"
}
],
"session": "{{session}}"
}
Note
- 181 is the category ID for the firewall policy.
- 4835 is the policy OID of the firewall policy we want to copy.
- We don't have to specify the policy package name, as the policy OID is unique.
- See section How to copy objects?; it describes how to get those category ID and OID.
{
"id": 3,
"result": [
{
"data": {
"task": 1355
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/global"
}
]
}
9.2.8. Scheduling operations for policy package
9.2.8.1. How to schedule a policy package install?
To schedule a policy package install for policy package pp_001 from ADOM adom_72_001 against two of its installation targets (adom_72_001_dev_001 and adom_72_001_dev_002, and their respective root VDOMs):
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"adom_rev_name": "scheduled_install_pp_001",
"datetime": "2022-10-27 23:24",
"scope": [
{
"name": "adom_72_001_dev_001",
"vdom": "root"
},
{
"name": "adom_72_001_dev_002",
"vdom": "root"
}
]
},
"url": "/pm/pkg/adom/adom_72_001/pp_001/schedule"
}
],
"session": "GorqROcoKWFpFT1pTDoxC1VICdiSmSxDm+nWGfs1UvBg8NsQwlSFQ0oShWHKZ0iOf1lWC172lODt0gq86lmdpA=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/adom_72_001/pp_001/schedule"
}
]
}
9.2.8.2. How to check for a scheduled policy package installation?
To obtain the schedule information for policy package pp_001 from ADOM adom_72_001:
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"schedule"
],
"filter": [
"name",
"==",
"pp_001"
],
"option": [
"schedule"
],
"url": "/pm/pkg/adom/adom_72_001"
}
],
"session": "bN0lF16C5n3JhtmrB85zE3IZHJeazCTMs16RbfGxVO6mLnKEbBKFS53CpIbB0pe9RebYYaxP6IWDOSS4Bnx1/g=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": [
{
"name": "pp_001",
"oid": 7131,
"schedule": {
"adom_rev_name": "pp_001_2022-10-23-22-56-49",
"datetime": "2022-10-23 23:56",
"scope": [
{
"name": "adom_72_001_dev_001",
"vdom": "root"
},
{
"name": "adom_72_001_dev_002",
"vdom": "root"
}
]
}
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/adom_72_001"
}
]
}
Note
The schedule option seems to work only for the entire pm/pkg/adom/{adom} table. This is why the filter has been used to limit the output to the desired pp_001 policy package.
9.2.8.3. How to cancel a policy package scheduled install?
To cancel the scheduled install for policy package pp_001 from ADOM adom_72_001:
REQUEST:
{
"id": 3,
"method": "delete",
"params": [
{
"url": "/pm/pkg/adom/adom_72_001/pp_001/schedule"
}
],
"session": "DTepc/8+5+SD3IOwZE/1fVlMMTx1OZA227E8qL+2R+UK7+wW00aUxBQQ80Ptqnb5He5RRJYKBjam9f2SXJ6gOw=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/adom_72_001/pp_001/schedule"
}
]
}
9.2.9. How to get the status of all policy packages in an ADOM?
To get the policy package status for all policy packages in ADOM TEST:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/TEST/_package/status"
}
],
"session": "zGecPX8WgrXs3Hx0gkZOW36iBAg8g+151Z64dD1q52D448Jm5pZxaSPf9fgx+BXGyYQ/8AzmRAKGgicCrzLk022CDSRIo5qL",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"dev": "fr_device_001",
"pkg": "emea/france/pp.fw",
"status": "installed",
"vdom": "root"
},
{
"dev": "sp_device_001",
"pkg": "emea/spain/pp.fw",
"status": "installed",
"vdom": "root"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/_package/status"
}
]
}
9.2.10. How to get the status of a specific policy package?
To get the policy package status of policy package pp.fw placed in policy package folder emea/spain in ADOM TEST:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/TEST/pkg/emea/spain/pp.fw/_package/status"
}
],
"session": "aHWQmCRzK68XQoEu/7kBNI4Sn3jfqtSkItg0h8ysZwUCg58bpMYwDnNZe6rDSNcYg1as84XmyRb0+5B+9CcFgtxnFBsR9Em0",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"dev": "sp_device_001",
"pkg": "emea/spain/pp.fw",
"status": "installed",
"vdom": "root"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/emea/spain/pp.fw/_package/status"
}
]
}
9.2.11. How to figure out whether interface pair view is supported by a type of policies?
Caught in #0601320.
For instance, if one of the policies has its source or destination interface set to any, section view mode isn't supported.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"srcintf",
"dstintf"
],
"url": "/pm/config/adom/TEST/pkg/emea/spain/pp.fw/_query/interface_pair_view/firewall/policy"
}
],
"session": "JDr9djBNCnlYSOnS3dc/SmaReOUbJtwseckMQnIPkL6BvVdb+8rJnO3vxnSED/Xa27E2Xki8jr/k3JYh4FCpIYSY5/0JIjvF",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"interface_pair_view": 1,
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/emea/spain/pp.fw/_query/interface_pair_view/firewall/policy"
}
]
}
The returned attribute interface_pair_view is 1, meaning we can use the interface pair view mode in the mentioned policy package.
Other FortiManager API endpoints are possible:
/pm/config/adom/TEST/pkg/<pkg>/_query/interface_pair_view/firewall/proxy-policy
/pm/config/adom/TEST/pkg/<pkg>/_query/interface_pair_view/firewall/security-policy
Note
For policies in a Policy Block, while the endpoint is:
/pm/config/adom/<adom>/pblock/<pblock>/firewall/policy
you still need to use this endpoint when you want to check the interface pair view feasibility:
/pm/config/adom/<adom>/pkg/Policy Blocks/<pblock>/_query/interface_pair_view/firewall/policy
9.2.12. How to clone a Policy Package?
REQUEST:
{
"id": 1,
"result": [
{
"data": {
"task": 62
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/clone"
}
]
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 62
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/clone"
}
]
}
9.2.13. How to trigger an install preview?
When you install a policy package, the FortiManager UI lets you select an Install Preview action in order to review the CLI that will be pushed down to the managed devices.
We explain here how to operate this Install Preview action by using the API.
It's a four-step process:
1. Start a policy package install process in preview mode
2. Ask for the preview generation
3. Collect the preview output
4. Cancel the install policy package process
Step #1: Start a policy package install process in preview mode
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "customer_001",
"adom_rev_comments": "Test [1]",
"adom_rev_name": "Revision [1]",
"flags": [
"preview"
],
"pkg": "pp.dut_fgt2",
"scope": [
{
"name": "dut_fgt2",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "TFWLZCzMyiukI25p2kEmmrv7TO9wHkLHWph8rouoG1TCYeojlUx6OVXqn0wyZ1mymYdRfH2n7JvNEJWONzm1Jg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 69
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
Here you have to track the progress of the returned task id 69 (you can get /task/task/69).
Once the task is completed, you can proceed with step 2.
Step #2: Ask for the preview generation
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "customer_001",
"device": "dut_fgt2",
"flags": [
"none"
],
"vdoms": [
"root"
]
},
"url": "/securityconsole/install/preview"
}
],
"session": "6a5HWsj6o0L5da8oTZB26wapTtrMlsQxmNt24mWeL/80VRqy5OdbM6kntlkrX7L3rsw9rbRK1rqZvLlfXTCIKw==",
"verbose": 1
}
Note
Attribute flags can be none or json. It determines the nature of the output produced in the preview report: CLI based when it is none and JSON based when it is json.
There is a bug (#0713778) where using:
"flags": "json"
or:
"flags": ["json"]
doesn't work: the preview report is still CLI based.
The solution is to use this form:
"flags": 1
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 70
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/preview"
}
]
}
Here you have to track the progress of the returned task id 70 (you can get /task/task/70).
Once the task is completed, you can proceed with step 3.
Step #3: Collect the preview output
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "customer_001",
"device": "dut_fgt2"
},
"url": "/securityconsole/preview/result"
}
],
"session": "6a5HWsj6o0L5da8oTZB26wapTtrMlsQxmNt24mWeL/80VRqy5OdbM6kntlkrX7L3rsw9rbRK1rqZvLlfXTCIKw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"message": "config system dns\n set primary 8.8.8.8\n unset secondary\nend\nconfig firewall address\n edit \"host_001\"\n set uuid 09ce3330-b06e-51ea-6497-48f76b1e8626\n set color 3\n set subnet 10.0.0.1 255.255.255.255\n next\nend\nconfig system dhcp server\n edit 1\n set status disable\n set dns-service default\n set ntp-service default\n set default-gateway 172.16.2.102\n set netmask 255.255.255.0\n set interface \"port3\"\n config ip-range\n edit 1\n set start-ip 172.16.2.1\n set end-ip 172.16.2.101\n next\n edit 2\n set start-ip 172.16.2.103\n set end-ip 172.16.2.254\n next\n end\n set timezone-option default\n next\nend\nconfig firewall policy\n edit 1\n set srcaddr \"host_001\"\n next\nend\n"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/preview/result"
}
]
}
Note
Here FortiManager reports pending changes coming from the ADOM DB (objects & policies) but also from the Device DB (when you trigger an install preview for a device only, it will only expose the pending changes coming from the corresponding device's Device DB).
Step #4: Cancel the install policy package process
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "customer_001"
},
"url": "/securityconsole/package/cancel/install"
}
],
"session": "6a5HWsj6o0L5da8oTZB26wapTtrMlsQxmNt24mWeL/80VRqy5OdbM6kntlkrX7L3rsw9rbRK1rqZvLlfXTCIKw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/cancel/install"
}
]
}
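As an added example (not code from the page or from Fortinet), the four steps above, together with the preview/commit/cancel sequence of section 9.2.6.9, driven from a small Python JSON-RPC client whose transport is a callable so it runs offline here against a constructed fake. The `FmgClient`/`make_fake_fmg` names and the `percent`/`num_err` task fields used for polling are assumptions; the cancel step sits in a `finally` so a failed preview still releases the install.

```python
import itertools
import time


class FmgClient:
    """Minimal JSON-RPC caller in the request shape used throughout this page.
    `send` takes the request dict and returns the decoded reply dict."""

    def __init__(self, send, session):
        self.send, self.session, self.ids = send, session, itertools.count(1)

    def call(self, method, url, data=None):
        params = {"url": url}
        if data is not None:
            params["data"] = data
        reply = self.send({"id": next(self.ids), "jsonrpc": "1.0", "method": method,
                           "params": [params], "session": self.session, "verbose": 1})
        result = reply["result"][0]
        if result["status"]["code"] != 0:
            raise RuntimeError(f"{url}: {result['status']['message']}")
        return result

    def wait_task(self, task_id, attempts=120, delay=1.0):
        """Poll /task/task/<id> until done. Field names "percent" and
        "num_err" are assumptions about the task object, not from the page."""
        for _ in range(attempts):
            task = self.call("get", f"/task/task/{task_id}")["data"]
            if task.get("percent", 0) >= 100:
                if task.get("num_err", 0):
                    raise RuntimeError(f"task {task_id} completed with errors")
                return task
            time.sleep(delay)
        raise TimeoutError(f"task {task_id} did not complete")


def install_preview(client, adom, pkg, device, vdom="root", as_json=False):
    """Steps 1-4 of 9.2.13; returns the preview report for one device/VDOM."""
    try:
        res = client.call("exec", "/securityconsole/install/package",
                          {"adom": adom, "pkg": pkg, "flags": ["preview"],
                           "scope": [{"name": device, "vdom": vdom}]})
        client.wait_task(res["data"]["task"])
        # bug #0713778 (note above): "json" and ["json"] are ignored, 1 works
        flags = 1 if as_json else ["none"]
        res = client.call("exec", "/securityconsole/install/preview",
                          {"adom": adom, "device": device, "vdoms": [vdom], "flags": flags})
        client.wait_task(res["data"]["task"])
        res = client.call("exec", "/securityconsole/preview/result",
                          {"adom": adom, "device": device})
        return res["data"]["message"]
    finally:
        # step 4 always runs: a failed preview must not leave the ADOM
        # with an install still in progress
        client.call("exec", "/securityconsole/package/cancel/install", {"adom": adom})


def reinstall_parallel(client, adom, targets):
    """9.2.6.9: preview -> commit -> cancel, like the GUI's Re-install Policy."""
    try:
        res = client.call("exec", "/securityconsole/reinstall/package",
                          {"adom": adom, "flags": ["preview"], "extflags": 0,
                           "target": targets})
        client.wait_task(res["data"]["task"])
        scope = [s for t in targets for s in t["scope"]]
        res = client.call("exec", "/securityconsole/package/commit",
                          {"adom": adom, "scope": scope})
        return client.wait_task(res["data"]["task"])
    finally:
        client.call("exec", "/securityconsole/package/cancel/install", {"adom": adom})


def make_fake_fmg(fail_url=None):
    """Constructed offline stand-in for FortiManager: hands out task ids,
    reports every task as finished and records each request. `fail_url`
    makes one endpoint answer with an error so the cleanup path is exercised."""
    requests, tasks = [], itertools.count(100)

    def send(req):
        requests.append(req)
        url = req["params"][0]["url"]
        status = {"code": 0, "message": "OK"}
        if url == fail_url:
            status, data = {"code": -1, "message": "constructed failure"}, None
        elif url.startswith("/task/task/"):
            data = {"percent": 100, "num_err": 0}
        elif url == "/securityconsole/preview/result":
            data = {"message": 'config firewall policy\n edit 1\n  set srcaddr "host_001"\n next\nend\n'}
        elif url.endswith("/cancel/install"):
            data = None
        else:
            data = {"task": next(tasks)}
        result = {"status": status, "url": url}
        if data is not None:
            result["data"] = data
        return {"id": req["id"], "result": [result]}

    return send, requests
```

To run it against a real unit, replace `send` with a function that POSTs the request dict to the FortiManager JSON-RPC endpoint and returns the decoded reply.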
9.2.14. How to get the Policy Package hitcount?
Caught in #0673650 (and applicable to FMG 6.4.7+ and FMG 7.0.3+).
Hitcount refers to the set of attributes linked to a firewall policy that maintain utilization information such as Last Used, First Used, Packets, Bytes, etc., as shown below.
Getting the hitcount details is an on-demand action that requires two steps.
For instance, to get the policy hitcount for firewall policies in the ppkg_001 Policy Package of the demo ADOM:
Step #1: Trigger the hitcount refresh
{ "id": 1, "method": "exec", "params": [ { "data": { "adom": "demo", "pkg": "ppkg_001" }, "url": "/sys/hitcount" } ], "session": "{{session}}" }
{ "id": 1, "result": [ { "status": { "code": 0, "message": "OK" }, "taskid": 217, "url": "/sys/hitcount" } ] }
Note
You need to remember the returned taskid value for the next step.
Step #2: Collect the result
{ "id": 4, "method": "exec", "params": [ { "data": { "taskid": 217 }, "url": "/sys/task/result" } ], "session": "{{session}}" }
{ "id": 4, "result": [ { "data": { "firewall policy": [ { "byte": 2266808, "dstintf": "any", "first_hit": 1702099572, "first_session": 0, "hitcount": 6911, "last_hit": 1702145401, "last_session": 0, "name": "Implicit Deny", "pkts": 6911, "policyid": 0, "sesscount": 0, "srcintf": "any" }, { "byte": 198373, "dstintf": "WAN1", "first_hit": 1701085009, "first_session": 1701085009, "hitcount": 380, "last_hit": 1702981443, "last_session": 1702981443, "name": "Generic_Internet", "pkts": 1534, "policyid": 2, "sesscount": 0, "srcintf": "vl_lan", "uuid": "2654008a-896d-51ee-e595-b22bf9abffc0" }, { "byte": 0, "dstintf": "HUB1", "first_hit": 0, "first_session": 0, "hitcount": 0, "last_hit": 0, "last_session": 0, "name": "Health Check Access", "pkts": 0, "policyid": 1071741826, "sesscount": 0, "srcintf": "Branch-Lo", "uuid": "9ac943e0-7d1e-51ee-42fb-fe716908a3d9" } ], "firewall policy6": [], "firewall proxy-policy": [ { "byte": 0, "dstintf": "any", "first_hit": 0, "first_session": 0, "hitcount": 0, "last_hit": 0, "last_session": 0, "name": "Implicit Deny", "pkts": 0, "policyid": 0, "sesscount": 0, "srcintf": "any" } ], "firewall security-policy": [], "global footer policy": [], "global header policy": [] }, "status": { "code": 0, "message": "OK" }, "taskid": 541, "url": "/sys/task/result" } ] }
Starting with FortiManager 7.4.1, the Last Used (i.e. the _last_hit attribute) can be maintained as it is on the FortiManager side, even if it gets reset on the FortiGate side (caught in #0910402).
It's configurable with the following FortiManager CLI:
config system global
set save-last-hit-in-adomdb enable
end
Note
The default value for save-last-hit-in-adomdb is disable.
Furthermore, the _last_hit attribute can be retrieved by getting the firewall policies.
For instance, to get the _last_hit attribute for firewall policies in the sites_BRANCH_PPKG Policy Package from the production ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"_last_hit"
],
"loadsub": 0,
"url": "/pm/config/adom/production/pkg/sites_BRANCH_PPKG/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"_last_hit": 0,
"obj seq": 1,
"oid": 5460,
"policyid": 1
},
{
"_last_hit": 1705003857,
"name": "Generic_Internet",
"obj seq": 2,
"oid": 5784,
"policyid": 2
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/production/pkg/sites_BRANCH_PPKG/firewall/policy"
}
]
}
Note
_last_hit is returned in epoch format.
However, to get up-to-date Last Used information, you still have to trigger a hitcount refresh by using the /sys/hitcount JSON-RPC URL described above.
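An added example (not FortiManager code) that turns the hitcount data above, or the _last_hit values from a policy GET, into a list of never-used and idle policies for a rule clean-up review; the input is a constructed subset of the page's sample output, and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# constructed: shaped like "data" of /sys/task/result for a hitcount task,
# a subset of the page's sample (timestamps are epoch seconds, 0 = never)
HITCOUNT = {
    "firewall policy": [
        {"policyid": 0, "name": "Implicit Deny", "hitcount": 6911,
         "last_hit": 1702145401, "srcintf": "any", "dstintf": "any"},
        {"policyid": 2, "name": "Generic_Internet", "hitcount": 380,
         "last_hit": 1702981443, "srcintf": "vl_lan", "dstintf": "WAN1"},
        {"policyid": 1071741826, "name": "Health Check Access", "hitcount": 0,
         "last_hit": 0, "srcintf": "Branch-Lo", "dstintf": "HUB1"},
    ],
    "firewall proxy-policy": [
        {"policyid": 0, "name": "Implicit Deny", "hitcount": 0, "last_hit": 0,
         "srcintf": "any", "dstintf": "any"},
    ],
    "firewall security-policy": [],
}

# constructed: shaped like "data" of a GET on .../firewall/policy with
# fields name, policyid, _last_hit (the value FortiManager 7.4.1+ keeps)
POLICY_GET = [
    {"_last_hit": 0, "policyid": 1, "oid": 5460},
    {"_last_hit": 1705003857, "name": "Generic_Internet", "policyid": 2, "oid": 5784},
]


def epoch_to_utc(ts):
    """0 means 'never' in FortiManager output; anything else is epoch seconds."""
    return None if not ts else datetime.fromtimestamp(ts, tz=timezone.utc)


def last_hit_of(policy):
    # hitcount results carry "last_hit", policy objects carry "_last_hit"
    return epoch_to_utc(policy.get("last_hit", policy.get("_last_hit", 0)))


def stale_policies(tables, now_epoch, max_idle_days=90):
    """Return (table, policyid, name, reason) for policies that were never
    hit or not hit within max_idle_days before now_epoch. policyid 0 is the
    implicit deny and is skipped: it is not a removal candidate."""
    cutoff = datetime.fromtimestamp(now_epoch, tz=timezone.utc) - timedelta(days=max_idle_days)
    findings = []
    for table, policies in tables.items():
        for p in policies:
            if p["policyid"] == 0:
                continue
            name = p.get("name", f"policyid {p['policyid']}")
            last = last_hit_of(p)
            if last is None or p.get("hitcount", 1) == 0:
                findings.append((table, p["policyid"], name, "never hit"))
            elif last < cutoff:
                findings.append((table, p["policyid"], name, f"idle since {last:%Y-%m-%d}"))
    return findings
```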
9.2.15. How to get the policy package checksum?
The idea is to be able to detect whether a policy package has been modified or not.
The good news is that there's nothing special to do.
It is enough to get the policy package and look at the returned obj ver attribute:
REQUEST:
{
"id": 1,
"method": "get",
"params": [
{
"url": "pm/pkg/adom/CUSTOMER_001/FGT60D-001"
}
],
"session": "6iOnXClkXrGNFaLSHv3P18vdC0K3detcN+CAfvcwPRJjd0i54+WYRimlIclzP1i4W+/KZAvg16NGDoOT3Z7gmg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"name": "FGT60D-001",
"obj ver": 4,
"oid": 955,
"type": "pkg"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/pkg/adom/CUSTOMER_001/FGT60D-001"
}
]
}
We can also use the option chksum as documented in section Option chksum.
With FMG 5.6.0-INTERIM build 1510, we can also retrieve a checksum value using the following request:
REQUEST:
{
"id": 1,
"method": "get",
"params": [
{
"url": "pm/config/adom/CM-LAB-001/pkg/PP_EXAMPLE/policy/package/settings"
}
],
"session": "5jZjkRrZBtpgEDR1G9RiPBKjEiNG/9+zwKZNnzFsvfsbSAie70YEA4ilLhabdGrVLqXvpUGyDdeuv7iV4+SgsA==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"central-nat": "disable",
"checksum": "1494203765-161359940",
"fwpolicy-implicit-log": "disable",
"fwpolicy6-implicit-log": "disable"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/CM-LAB-001/pkg/PP_EXAMPLE/policy/package/settings"
}
]
}
9.2.16. Policy Package Revision#
9.2.16.1. How to get the list of changes made on a Policy Package?#
The following example shows how to get all the changes made on the ppkg_001
Policy Package from the demo
ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{ "id": 3, "result": [ { "data": [ { "act": 2, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-dst-intf\": null, \"_global-label-color\": 0, \"_global-src-intf\": null, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 0, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auth-redirect-addr\": null, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-log-server-grp\": null, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"comments\": null, \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"any\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"global-label\": null, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ 
], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"label\": null, \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": null, \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11296, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-expiry-date-utc\": null, \"policy-offload\": 1, \"policyid\": 1, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"redirect-url\": null, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" 
], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"any\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"44d742cc-cef2-51ee-71ef-68f2fe808584\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"vlan-filter\": null, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "1", "note": "", "oid": 0, "pkg_oid": 11294, "timestamp": 1708325042, "user": "admin" }, { "act": 3, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-dst-intf\": null, \"_global-label-color\": 0, \"_global-src-intf\": null, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 1, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auth-redirect-addr\": null, \"auto-asic-offload\": 1, 
\"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-log-server-grp\": null, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"comments\": null, \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"host_102\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"wan\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"global-label\": null, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], 
\"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"label\": null, \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": \"\", \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11298, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-expiry-date-utc\": null, \"policy-offload\": 1, \"policyid\": 3, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"redirect-url\": null, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"host_002\", \"host_001\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"lan\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", 
\"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"4828b014-cef2-51ee-2ab3-cce3da14bded\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"vlan-filter\": null, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "3", "note": "", "oid": 11298, "pkg_oid": 11294, "timestamp": 1708325089, "user": "admin" }, { "act": 1, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-label-color\": 0, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 0, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], 
\"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"wan\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11307, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, 
\"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-offload\": 1, \"policyid\": 12, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"lan\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 0, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"a027db5a-cef2-51ee-313e-00ee89b1203e\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], 
\"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "12", "note": "", "oid": 11307, "pkg_oid": 11294, "timestamp": 1708325195, "user": "admin" } ], "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy" } ] }
Note
For each change, the act attribute gives the nature of the change:
Value   Meaning
1       New policy created
2       Existing policy deleted
3       Existing policy modified
The key attribute is the policyid.
The config attribute is a copy of the firewall policy containing the change.
FortiManager returns an ordered list of changes; the first item is the first (oldest) change.
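The two sections above give everything needed for a small audit routine: the obj ver / checksum pair tells you that a package changed, and the _objrev list tells you who changed which policy and what the policy looked like at that point. The following is an added example written for this page, not FortiManager's own code. It assumes responses have already been parsed from JSON (for instance with requests' response.json()); the function names, the FIELDS_OF_INTEREST selection and the risk heuristic are mine, the sample response is a constructed, shortened copy of the _objrev output shown above, and the numeric action value in _objrev configs is assumed to encode accept as 1.

```python
import json
from datetime import datetime, timezone

# Meaning of the "act" attribute, as documented on the page.
ACT_NAMES = {1: "created", 2: "deleted", 3: "modified"}

# Policy fields worth showing next to each change when reviewing (my selection).
FIELDS_OF_INTEREST = ("srcintf", "srcaddr", "dstintf", "dstaddr", "service", "action", "status")


def _ok(response):
    """Return result[0] or raise when FortiManager reports a non-zero status code."""
    result = response["result"][0]
    if result["status"]["code"] != 0:
        raise RuntimeError(f"FortiManager error at {result.get('url')}: {result['status']}")
    return result


def package_fingerprint(pkg_response, settings_response):
    """Combine 'obj ver' (get on pm/pkg/adom/<adom>/<pkg>) and 'checksum' (get on
    .../policy/package/settings) into one comparable value (section 9.2.15).
    Store it, and re-query _objrev only when it differs from the stored one."""
    return (_ok(pkg_response)["data"]["obj ver"], _ok(settings_response)["data"].get("checksum"))


def objrev_request(adom, pkg, rid=1, session="{{session}}"):
    """Build the get request on the _objrev URL of a Policy Package (section 9.2.16.1)."""
    return {"id": rid, "method": "get",
            "params": [{"url": f"/pm/config/adom/{adom}/_objrev/pkg/{pkg}/firewall/policy"}],
            "session": session, "verbose": 1}


def summarize_changes(objrev_response):
    """One summary dict per change, oldest first. 'config' is a JSON document
    stored as a string inside the JSON response, so it is decoded here."""
    changes = []
    for entry in _ok(objrev_response)["data"]:
        config = json.loads(entry["config"])
        changes.append({
            "ts": entry["timestamp"],
            "when": datetime.fromtimestamp(entry["timestamp"], tz=timezone.utc).isoformat(),
            "user": entry["user"],
            "act": ACT_NAMES.get(entry["act"], f"unknown({entry['act']})"),
            "policyid": int(entry["key"]),
            "snapshot": {k: config[k] for k in FIELDS_OF_INTEREST if k in config},
        })
    return sorted(changes, key=lambda c: c["ts"])


def risky_changes(changes):
    """Heuristic triage (mine, not FortiManager logic): every deletion, plus any
    enabled any-to-any accept rule. Assumes action == 1 means accept."""
    flagged = []
    for c in changes:
        s = c["snapshot"]
        any_any_accept = (s.get("srcaddr") == ["all"] and s.get("dstaddr") == ["all"]
                          and s.get("action") == 1 and s.get("status") == 1)
        if c["act"] == "deleted" or any_any_accept:
            flagged.append(c)
    return flagged


# Constructed sample shaped like the _objrev response above (config strings shortened).
SAMPLE_OBJREV = {"id": 3, "result": [{"status": {"code": 0, "message": "OK"},
    "url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy",
    "data": [
        {"act": 2, "key": "1", "oid": 0, "pkg_oid": 11294, "timestamp": 1708325042, "user": "admin",
         "config": json.dumps({"policyid": 1, "action": 0, "status": 1, "srcintf": ["any"], "dstintf": ["any"],
                               "srcaddr": ["all"], "dstaddr": ["all"], "service": ["ALL"]})},
        {"act": 3, "key": "3", "oid": 11298, "pkg_oid": 11294, "timestamp": 1708325089, "user": "admin",
         "config": json.dumps({"policyid": 3, "action": 1, "status": 1, "srcintf": ["lan"], "dstintf": ["wan"],
                               "srcaddr": ["host_002", "host_001"], "dstaddr": ["host_102"], "service": ["ALL"]})},
        {"act": 1, "key": "12", "oid": 11307, "pkg_oid": 11294, "timestamp": 1708325195, "user": "admin",
         "config": json.dumps({"policyid": 12, "action": 0, "status": 0, "srcintf": ["lan"], "dstintf": ["wan"],
                               "srcaddr": ["all"], "dstaddr": ["all"], "service": ["ALL"]})},
    ]}]}

if __name__ == "__main__":
    for c in summarize_changes(SAMPLE_OBJREV):
        print(f"{c['when']} {c['user']:<8} {c['act']:<9} policyid={c['policyid']} {c['snapshot']}")
```

The _objrev list is the only place the API gives you the pre-change state of a deleted policy, so keep the decoded config of every "deleted" entry; the policy itself is gone from the package and cannot be fetched anymore.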
9.2.16.2. Can we revert a Policy Package from a specific change?#
You can only revert an individual firewall policy, and only provided it still exists (see How to revert a firewall policy from a past change?).
9.3. Policy Blocks#
9.3.1. How to create a Policy Block?#
{
"id": 1,
"method": "add",
"params": [
{
"data": {
"name": "ppb_002",
"package settings": {
"central-nat": "disable",
"consolidated-firewall-mode": "disable",
"fwpolicy-implicit-log": "disable",
"fwpolicy6-implicit-log": "disable",
"ngfw-mode": "profile-based"
},
"type": "pkg"
},
"url": "/pm/pblock/adom/DEMO_014/"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pblock/adom/DEMO_014/"
}
]
}
9.3.2. How to add a policy in a Policy Block?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"all"
],
"dstintf": [
"any"
],
"logtraffic": "utm",
"logtraffic-start": "disable",
"name": "Policy_002",
"schedule": [
"always"
],
"service": [
"ALL"
],
"srcaddr": [
"all"
],
"srcintf": [
"any"
]
},
"url": "/pm/config/adom/DEMO_014/pblock/ppb_001/firewall/policy"
}
],
"session": "0ZY5z0s/JngkUaryMxPtobzfWQwDekg5dW2E04a1oib0bOxmYoqsev/QRq1wn/K1XG2Fl2yeXim+UF2C3pCq6w==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 1071741828
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_014/pblock/ppb_001/firewall/policy"
}
]
}
9.3.3. How to insert a Policy Block in a Policy Package?#
You can use the before
and after
attribute followed by the policyid
of the firewall policy.
The following request inserts the ppb_001
Policy Block before the firewall policy with policyid
2
in the pp.device1
Policy Package
from the DEMO_014
ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"before": "2",
"data": {
"_policy_block": "ppb_001"
},
"url": "/pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy"
}
],
"session": "{{session}}"
}
Warning
The
policyid
has to be passed as a string!
9.3.4. How to where used a Policy Block?#
This is for when you want to get the list of Policy Packages referencing a given Policy Block, together with the policyid of the firewall policy that holds the reference in each of those Policy Packages.
For instance, to run where used on the sites_HBLK Policy Block from the dc_emea ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"option": [
"where_used"
],
"url": "/pm/pblock/adom/dc_emea/sites_HBLK"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"name": "sites_HBLK",
"oid": 5276,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"type": "pblock",
"where_used": [
{
"data": [
{
"category": 181,
"mapping_name": "firewall policy",
"mattr": "policyid",
"mkey": "110",
"pkg": {
"name": "ppkg_001",
"oid": 6079
}
},
{
"category": 181,
"mapping_name": "firewall policy",
"mattr": "policyid",
"mkey": "3",
"pkg": {
"name": "ppkg_002",
"oid": 6181
}
}
],
"root": {
"name": "dc_emea",
"oid": 165
}
}
]
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pblock/adom/dc_emea/sites_HBLK"
}
]
}
Note
The response indicates that the sites_HBLK Policy Block is used in the ppkg_001 and ppkg_002 Policy Packages.
The relative policyid is given by the mkey attribute: it is 110 in the ppkg_001 Policy Package and 3 in the ppkg_002 Policy Package.
It means that the next firewall policy created in the ppkg_001 and ppkg_002 Policy Packages will get policyid 111 and 4 respectively.
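The where_used output is what you need before changing or deleting a Policy Block: every package listed has to be re-installed for the change to reach the devices, and a block with no references can be removed safely. The following impact-analysis helper is an added example written for this page, not FortiManager's own code. It assumes the response has already been parsed from JSON; the function names are mine and the sample response is a constructed copy of the one shown above.

```python
def where_used_request(adom, pblock, rid=1, session="{{session}}"):
    """Build the get request with the where_used option for a Policy Block."""
    return {"id": rid, "method": "get",
            "params": [{"option": ["where_used"], "url": f"/pm/pblock/adom/{adom}/{pblock}"}],
            "session": session}


def pblock_references(response):
    """Return (adom, package name, package oid, policyid) tuples, one per reference."""
    result = response["result"][0]
    if result["status"]["code"] != 0:
        raise RuntimeError(f"FortiManager error at {result.get('url')}: {result['status']}")
    refs = []
    for scope in result["data"].get("where_used", []):
        adom = scope["root"]["name"]          # the ADOM the references live in
        for ref in scope["data"]:
            if ref.get("mattr") != "policyid":
                continue                      # only firewall policy references are expected for a block
            refs.append((adom, ref["pkg"]["name"], ref["pkg"]["oid"], int(ref["mkey"])))
    return sorted(refs)


def packages_to_reinstall(response):
    """Distinct Policy Packages that must be re-installed after the block changes."""
    return sorted({pkg for _, pkg, _, _ in pblock_references(response)})


def safe_to_delete(response):
    """True when no Policy Package references the block."""
    return not pblock_references(response)


# Constructed sample, identical in shape to the where_used response above.
SAMPLE_WHERE_USED = {"id": 3, "result": [{"status": {"code": 0, "message": "OK"},
    "url": "/pm/pblock/adom/dc_emea/sites_HBLK",
    "data": {"name": "sites_HBLK", "oid": 5276, "type": "pblock",
             "where_used": [{"root": {"name": "dc_emea", "oid": 165}, "data": [
                 {"category": 181, "mapping_name": "firewall policy", "mattr": "policyid", "mkey": "110",
                  "pkg": {"name": "ppkg_001", "oid": 6079}},
                 {"category": 181, "mapping_name": "firewall policy", "mattr": "policyid", "mkey": "3",
                  "pkg": {"name": "ppkg_002", "oid": 6181}}]}]}}]}

if __name__ == "__main__":
    for adom, pkg, oid, policyid in pblock_references(SAMPLE_WHERE_USED):
        print(f"{adom}/{pkg} (oid {oid}): policyid {policyid}")
    print("re-install:", packages_to_reinstall(SAMPLE_WHERE_USED))
```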
9.3.5. How to clone a firewall policy from a Policy Package to a Policy Block?#
Why would you need to perform such a clone operation?
It is simply how the FortiManager GUI implements the copy & paste operation:
- The FortiManager administrator right-clicks and copies a firewall policy from a Policy Package
- He then right-clicks and pastes it in a Policy Block
The above process triggers two FortiManager JSON RPC API calls:
- A clone operation
- A move operation
9.3.5.1. Clone operation#
To clone firewall policy with policyid
1
from the ppkg_001
Policy
Package into the sites_HBLK
Policy Block from the dc_emea
ADOM:
{
"id": 3,
"method": "clone",
"params": [
{
"data": {
"name": "New_Policy_Name",
"new parent": "pblock/sites_HBLK"
},
"url": "/pm/config/adom/dc_emea/pkg/ppkg_001/firewall/policy/1"
}
],
"session": "{{session}}"
}
Note
The cloned firewall policy will have its name attribute set to New_Policy_Name.
{
"id": 3,
"result": [
{
"data": {
"policyid": 1071741830
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_emea/pkg/ppkg_001/firewall/policy/1"
}
]
}
Note
FortiManager returns the policyid of the cloned firewall policy: 1071741830.
The cloned firewall policy is placed at the end of the firewall policy list.
9.3.5.2. Move operation#
The cloned firewall policy has been placed at the end of the firewall policy list in the Policy Block.
To move the cloned firewall policy with policyid 1071741830 above the firewall policy with policyid 1071741828, both being in the sites_HBLK Policy Block of the dc_emea ADOM:
{
"id": 3,
"method": "move",
"params": [
{
"option": "before",
"target": "1071741828",
"url": "pm/config/adom/dc_emea/pblock/sites_HBLK/firewall/policy/1071741830"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"policyid": 1071741830
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/dc_emea/pblock/sites_HBLK/firewall/policy/1071741830"
}
]
}
Note
FortiManager confirms the success of the move operation by returning the policyid of the moved firewall policy (1071741830).
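The clone and move steps above only make sense as a sequence: the move needs the policyid the clone returned, and the target policyid must be sent as a string. The following function chains the two calls and is an added example, not the FortiManager GUI's code. It assumes an rpc callable that posts one request dict and returns the parsed response (with requests that would be lambda req: session.post(url, json=req, verify=ca).json()); the FakeFortiManager class is a constructed offline stand-in that answers like the responses above, and all names are mine.

```python
def _check(response):
    """Return result[0], raising when FortiManager reports a non-zero status code."""
    result = response["result"][0]
    if result["status"]["code"] != 0:
        raise RuntimeError(f"FortiManager error at {result.get('url')}: {result['status']}")
    return result


def copy_policy_to_pblock(rpc, adom, src_pkg, policyid, pblock, new_name,
                          before=None, session="{{session}}"):
    """Clone firewall policy `policyid` of `src_pkg` into Policy Block `pblock`
    (it lands at the end of the block), then move it before `before` when given.
    Returns the policyid FortiManager assigned to the clone."""
    clone_req = {
        "id": 1, "method": "clone",
        "params": [{"data": {"name": new_name, "new parent": f"pblock/{pblock}"},
                    "url": f"/pm/config/adom/{adom}/pkg/{src_pkg}/firewall/policy/{policyid}"}],
        "session": session,
    }
    new_id = _check(rpc(clone_req))["data"]["policyid"]
    if before is not None:
        # The move target is passed as a string: FortiManager expects policyids
        # as strings in before/after/target (see the warning in 9.3.3).
        move_req = {
            "id": 2, "method": "move",
            "params": [{"option": "before", "target": str(before),
                        "url": f"pm/config/adom/{adom}/pblock/{pblock}/firewall/policy/{new_id}"}],
            "session": session,
        }
        moved = _check(rpc(move_req))["data"]["policyid"]
        if moved != new_id:
            raise RuntimeError(f"move confirmed policyid {moved}, expected {new_id}")
    return new_id


class FakeFortiManager:
    """Offline stand-in (constructed) that answers clone and move the way the
    responses above do, and records every request it receives."""

    def __init__(self, first_policyid=1071741830):
        self.calls = []
        self.next_policyid = first_policyid

    def __call__(self, request):
        self.calls.append(request)
        param = request["params"][0]
        if request["method"] == "clone":
            pid, self.next_policyid = self.next_policyid, self.next_policyid + 1
        elif request["method"] == "move":
            pid = int(param["url"].rsplit("/", 1)[1])
        else:
            return {"id": request["id"], "result": [{"status": {"code": -1, "message": "unsupported"},
                                                    "url": param["url"]}]}
        return {"id": request["id"], "result": [{"data": {"policyid": pid},
                                                "status": {"code": 0, "message": "OK"},
                                                "url": param["url"]}]}


if __name__ == "__main__":
    fmg = FakeFortiManager()
    print(copy_policy_to_pblock(fmg, "dc_emea", "ppkg_001", 1, "sites_HBLK",
                                "New_Policy_Name", before=1071741828))
```

Checking the policyid echoed by the move against the one returned by the clone is cheap insurance against a script that silently moves the wrong policy when a request is retried or replayed.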
9.4. Firewall Policies#
9.4.1. How to get the default values for a firewall policy?#
This is useful when you plan to suggest default values in an application you are developing that offers to add a new firewall policy.
You can get the default values of the firewall policy table of a Policy Package using the object template attribute.
To get the default values for a firewall policy in the pp.003 Policy Package from the DEMO ADOM:
{
"id": 1,
"method": "get",
"params": [
{
"object template": 1,
"url": "/pm/config/adom/DEMO/pkg/pp.003/firewall/policy/"
}
],
"session": "{{session}}",
"verbose": 1
}
9.4.2. How to add a firewall policy?#
To add a new firewall policy in the dut_fgt_02
Policy Package from the dc_amer
ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"host_001",
"host_002"
],
"dstintf": [
"internal1",
"internal2"
],
"logtraffic": "all",
"schedule": "always",
"service": [
"FTP",
"HTTPS"
],
"srcaddr": [
"host_003",
"host_004"
],
"srcintf": [
"internal3",
"internal4"
],
"status": "enable"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"policyid": 2
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
]
}
Note
FortiManager returns the
policyid
of the created policy.
If a specific policyid
is required, and provided it isn’t already used,
then you can specify it:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"host_001",
"host_002"
],
"dstintf": [
"internal1",
"internal2"
],
"logtraffic": "all",
"policyid": 10,
"schedule": "always",
"service": [
"FTP",
"HTTPS"
],
"srcaddr": [
"host_003",
"host_004"
],
"srcintf": [
"internal3",
"internal4"
],
"status": "enable"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"policyid": 10
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
]
}
9.4.3. How to delete a firewall policy?#
TBD.
9.4.4. How to delete multiple firewall policies?#
The below example shows how to delete multiple firewall policies by combining the delete operation and a filter in a single API call:
{
"id": 3,
"method": "delete",
"params": [
{
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy",
"confirm": 1,
"filter": [
"policyid",
"in",
1,
2,
3
]
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": null,
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
]
}
9.4.5. How to purge all firewall policies?#
The following example shows you how to purge all firewall policies from the ppkg_001
Policy Package in the demo
ADOM:
{
"id": 3,
"method": "delete",
"params": [
{
"confirm": 1,
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
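Sections 9.4.4 and 9.4.5 differ by one attribute: the same delete on the same collection URL removes the listed policies when a filter is present and purges the whole package when it is not. A script that builds the filter from an empty list therefore turns a targeted deletion into a purge. The builders below guard against that and are an added example written for this page, not FortiManager code; the function names and the is_purge gate are mine, and the request shapes follow the two examples above.

```python
POLICY_COLLECTION_URL = "/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy"


def delete_policies_request(adom, pkg, policyids, rid=1, session="{{session}}"):
    """Delete the given firewall policies with a policyid filter (section 9.4.4).
    Refuses to build the request when the list is empty, because the same
    request without a filter purges every policy in the package."""
    ids = sorted({int(p) for p in policyids})   # dedupe; non-integers raise here, before anything is sent
    if not ids:
        raise ValueError("empty policyid list: an unfiltered delete on this URL would purge the package")
    return {"id": rid, "method": "delete",
            "params": [{"url": POLICY_COLLECTION_URL.format(adom=adom, pkg=pkg),
                        "confirm": 1,
                        "filter": ["policyid", "in", *ids]}],
            "session": session}


def purge_policies_request(adom, pkg, *, i_really_mean_it=False, rid=1, session="{{session}}"):
    """Purge all firewall policies of a package (section 9.4.5), behind an explicit opt-in."""
    if not i_really_mean_it:
        raise ValueError("purge removes every firewall policy in the package; pass i_really_mean_it=True")
    return {"id": rid, "method": "delete",
            "params": [{"confirm": 1, "url": POLICY_COLLECTION_URL.format(adom=adom, pkg=pkg)}],
            "session": session}


def is_purge(request):
    """Classify an outgoing request before it leaves (e.g. in a proxy, a CI gate
    or an approval step): a delete on a .../firewall/policy collection URL with
    no filter is a purge of the whole package."""
    if request.get("method") != "delete":
        return False
    for param in request.get("params", []):
        url = param.get("url", "").rstrip("/")
        if url.endswith("/firewall/policy") and not param.get("filter"):
            return True
    return False


if __name__ == "__main__":
    print(delete_policies_request("dc_amer", "dut_fgt_02", [3, 1, 2, 2]))
    print(is_purge(purge_policies_request("demo", "ppkg_001", i_really_mean_it=True)))
```

is_purge only recognises the collection-URL form shown on this page; a delete on a URL ending in /firewall/policy/<policyid> removes a single policy and is intentionally not flagged.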
9.4.6. How to update a firewall policy?#
9.4.6.1. Update elements of an existing firewall policy#
You just need to specify in the JSON RPC body the elements you want to update:
REQUEST:
{
"id": 3,
"method": "update",
"params": [
{
"data": {
"ips-sensor": "default",
"name": "Project_XXX_Traffic",
"nat": "enable",
"utm-status": "enable"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10"
}
],
"session": "EnRb2hecAsLL/i6DwUZ0WpibwI5a4KC58vm7ta1IivNT4Gwjqhp5sXUG+3YmdwIvnTlkdltTtHYzxSrOBbTcxg=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"policyid": 10
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10"
}
]
}
9.4.6.2. How to update a specific field without overwriting it?#
The goal is just to add new srcaddr
elements of a specific policy without
overwriting the existing ones.
For instance, if srcaddr
is set with:
[
"host_001",
"host_002"
]
then after this API request, it will be with:
[
"host_001",
"host_002",
"host_005",
"host_006"
]
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": [
"host_005",
"host_006"
],
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10/srcaddr"
}
],
"session": "RI6Bcs0YtRnh8dJoVsNqmV4A8+CNQZEyFIO5bZafv8xWMykF6ySvFSoitQld49G1bG3Sfug6h1LKmdR/1jt3uw=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10/srcaddr"
}
]
}
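The difference between 9.4.6.1 and 9.4.6.2 matters for list attributes: an update that carries "srcaddr": ["host_005"] replaces the whole source list (silently narrowing or widening the rule), while an add on the attribute URL only appends. The builders below, plus a small local model of both effects so the difference is visible without a live FortiManager, are an added example written for this page and not FortiManager code. The function names are mine; the model's assumption that FortiManager keeps list members unique and otherwise preserves order is mine as well.

```python
POLICY_URL = "/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy/{policyid}"


def update_policy_request(adom, pkg, policyid, fields, rid=1, session="{{session}}"):
    """update (section 9.4.6.1): every attribute in `fields` is replaced in full.
    A list given here is the new complete list, not an addition to it."""
    return {"id": rid, "method": "update",
            "params": [{"data": dict(fields),
                        "url": POLICY_URL.format(adom=adom, pkg=pkg, policyid=policyid)}],
            "session": session}


def append_attribute_request(adom, pkg, policyid, attribute, values, rid=1, session="{{session}}"):
    """add on .../policy/<policyid>/<attribute> (section 9.4.6.2): appends to the list."""
    if not values:
        raise ValueError("nothing to append")
    url = POLICY_URL.format(adom=adom, pkg=pkg, policyid=policyid) + "/" + attribute
    return {"id": rid, "method": "add",
            "params": [{"data": list(values), "url": url}],
            "session": session}


def apply_locally(policy, request):
    """Model the server-side effect of either request on a copy of the policy
    (assumed semantics, for dry runs and tests). Returns the new policy dict."""
    policy = {k: (list(v) if isinstance(v, list) else v) for k, v in policy.items()}
    param = request["params"][0]
    if request["method"] == "update":
        policy.update(param["data"])                     # whole attributes are replaced
    elif request["method"] == "add":
        attribute = param["url"].rsplit("/", 1)[1]
        existing = policy.setdefault(attribute, [])
        for value in param["data"]:
            if value not in existing:                    # assumption: members stay unique
                existing.append(value)
    else:
        raise ValueError(f"unsupported method {request['method']!r}")
    return policy


def widened(before, after, attribute="srcaddr"):
    """Members present after the change that were not there before: the part of
    the change a reviewer should look at when the attribute is a match criterion."""
    return [m for m in after.get(attribute, []) if m not in before.get(attribute, [])]


if __name__ == "__main__":
    policy = {"policyid": 10, "srcaddr": ["host_001", "host_002"]}
    req = append_attribute_request("dc_amer", "dut_fgt_02", 10, "srcaddr", ["host_005", "host_006"])
    print(apply_locally(policy, req)["srcaddr"])
```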
9.4.7. How to move a firewall policy?#
Considering we know the policyid
of the source policy and the policyid
of the destination policy (i.e., the destination location), we can use the move
operation.
This request is moving policyid
3
after policyid
4
(for policy
package pp.003
of ADOM demo
):
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "move",
"params": [
{
"option": "after",
"target": "4",
"url": "/pm/config/adom/demo/pkg/pp.003/firewall/policy/3"
}
],
"session": "tAgknLN52psfVRRYxPcGgWM45/i1OkEQ8bcnBc2LMyNThEmZfqY6h2C5h0IqDsEMX5p3+wjoKuRdodehh10zLUw+iEXyxwio",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 3
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp.003/firewall/policy/3"
}
]
}
9.4.8. How to insert a policy?#
Three options are available:
- Use the add and move operations: you add a policy, it is automatically placed at the last position, then you move it to the desired location
- Use the object position attribute to specify the desired location
- Use the before and after attributes
Those three alternatives are described below.
9.4.8.1. Use the add and move operations#
To add a new firewall policy, please review How to add a firewall policy?
To move a firewall policy, please review: How to move a firewall policy?
9.4.8.2. Use the object position attribute#
Caught in #0306003.
To insert a new firewall policy after the firewall policy with policyid
13
in the pp.001
Policy Package from the DEMO
ADOM:
{
"id": 1,
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"host_001"
],
"dstintf": [
"ul_isp1"
],
"logtraffic": "all",
"name": "This is a test!",
"object position": [
"after",
"13"
],
"schedule": [
"always"
],
"service": [
"FTP"
],
"srcaddr": [
"host_002"
],
"srcintf": [
"lan"
]
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"policyid": 51
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
]
}
Note
policyid 51 is the policy id of the newly created firewall policy.
9.4.8.3. Using the before and after attributes#
A new way of placing a new firewall policy has been observed.
It consists in adding a before or after attribute, placed outside of the data block.
To insert a new firewall policy before the firewall policy with policyid
3
in the pp.001
Policy Package from the DEMO
ADOM:
{
"id": 1,
"method": "add",
"params": [
{
"before": "3",
"data": {
"action": "accept",
"dstaddr": [
"all"
],
"dstintf": [
"dmz"
],
"ips-sensor": "all_default",
"logtraffic": "all",
"name": "Test_001",
"profile-protocol-options": [
"default"
],
"schedule": [
"always"
],
"service": [
"ALL"
],
"srcaddr": [
"all"
],
"srcintf": [
"wan"
],
"ssl-ssh-profile": [
"no-inspection"
],
"utm-status": "enable"
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"policyid": 52
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
]
}
Note
policyid 52 is the policy id of the newly created firewall policy.
9.4.9. How to clone a policy?#
Cloning a policy does not require specifying the destination policyid since it is auto-generated.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "clone",
"params": [
{
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
],
"session": "ngFWU2SEY8rBX368VnxURvNKOfncqe7i5GWjOomUkeNrZPzBs/rhclDiyvNL825baHw+Sjq3z0YmV01imbg16Q==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 4
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
]
}
But we can also force a specific policyid
if required:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "clone",
"params": [
{
"data": {
"policyid": 111
},
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
],
"session": "LmM3A03tHkgNxRJiSRxCMCrcqzZCBZYJKiZRfJDlJ1d5JTk3hrIlLqZITXTdAwJX4yToHOQ0NRojwHP6DEZX0Q==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 111
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
]
}
9.4.10. How to insert a section title for a firewall policy?#
REQUEST:
{
"id": 1,
"method": "set",
"params": [
{
"data": {
"name": "Project #001"
},
"url": "pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy/4/section value"
}
],
"session": 12841
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy/4/section value"
}
]
}
9.4.11. How to get the section title of a policy?#
The section title is saved in the global-label attribute of each policy:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"global-label"
],
"loadsub": 0,
"url": "/pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy"
}
],
"session": "CHaKn3hVODf8U3cz1PByenpgjjeFTlwgtDj8b163pVqiaNW7JnUk+IMnVPVi90Jf+lxcpib6HLJPhislBJlPwg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"obj seq": 1,
"policyid": 1
},
{
"global-label": "Project #001",
"obj seq": 2,
"policyid": 4
},
{
"global-label": "Project #001",
"obj seq": 3,
"policyid": 5
},
{
"global-label": "Project #001",
"obj seq": 4,
"policyid": 2
},
{
"global-label": "Project #001",
"obj seq": 5,
"policyid": 3
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy"
}
]
}
In this output, we can see that policy #1 (i.e. "obj seq": 1) doesn’t have any section title, while all other policies are in a section titled Project #001.
9.4.12. How to insert a section title for a consolidated policy?#
Caught in #0597802.
REQUEST:
{
"id": 4,
"method": "set",
"params": [
{
"url": "pm/config/adom/root/pkg/pkg1/firewall/consolidated/policy/2/section value",
"data": {
"name": "section 1"
}
}
]
}
RESPONSE:
TBD
9.4.13. How to get creation and modification timestamps along with the owner of the change?#
We need to pass the extra info option.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"policyid"
],
"loadsub": 0,
"option": [
"extra info"
],
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
],
"session": "8DvhCgFU4hHlb2yaTj89lH0Yx1muBZYEtkAqfCstMKzolG0wsXSCkHrUn4/ZoClSBrGjruJ5ey6aZP6OjZ3pwxhUNUj0Lyzi",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"_created timestamp": 1584462465,
"_last-modified-by": "admin",
"_modified timestamp": 1584462794,
"obj seq": 1,
"obj ver": 4,
"policyid": 1
},
{
"_created timestamp": 1584462465,
"_last-modified-by": "admin",
"_modified timestamp": 1584462465,
"obj seq": 2,
"obj ver": 1,
"policyid": 2
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
]
}
It should work for all objects that support timestamp/owner change tracking. For instance, we can also get the same information for firewall addresses:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"name"
],
"loadsub": 0,
"option": [
"extra info"
],
"url": "/pm/config/adom/TEST/obj/firewall/address"
}
],
"session": "zGBZ3O/1FRg8fW+pObix36eCH4aUBabYbNqzCMtW3sG3hXAfhtNJMvSZg5atCfjR7hbXrYPcsOmZTD5O/w6htwbVzTZOSep9",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"_created timestamp": 1584462001,
"_last-modified-by": "admin",
"_modified timestamp": 1584462001,
"name": "FABRIC_DEVICE",
"obj ver": 1
},
{
"_created timestamp": 1584462001,
"_last-modified-by": "admin",
"_modified timestamp": 1584462001,
"name": "FIREWALL_AUTH_PORTAL_ADDRESS",
"obj ver": 1
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/obj/firewall/address"
}
]
}
9.4.14. How to get the meta-fields for policies?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"policyid",
"meta fields"
],
"loadsub": 0,
"option": [
"get meta"
],
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
],
"session": "MUhOUM7HF72aAOx9qSmnjeRie3pBjtNPrOhN15/VPC+NxVuILkXFCLAbTPlIgqF/vWQ9uyBtTuV3RmD14xXoP9dLTMLWoqyJ",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"meta fields": {
"change_type": "temporary"
},
"obj seq": 1,
"policyid": 1
},
{
"meta fields": {
"change_type": ""
},
"obj seq": 2,
"policyid": 2
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
]
}
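The two responses above (extra info for timestamps and last modifier, get meta for the change_type meta field) can be joined by policyid to find temporary changes that have outlived their purpose. This is an added example, not FortiManager code: the change_type value "temporary", the 7-day grace period and the helper names are assumptions, and both responses are trimmed copies of the page’s samples.

```python
"""Audit "temporary" policy changes by joining the "extra info" and "get meta"
responses. Added example (not FortiManager code); the grace period and the
meaning given to change_type are assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed sample: trimmed copy of the "extra info" response shown above.
EXTRA_INFO_RESPONSE = {
    "id": 1,
    "result": [{
        "data": [
            {"_created timestamp": 1584462465, "_last-modified-by": "admin",
             "_modified timestamp": 1584462794, "obj seq": 1, "obj ver": 4,
             "policyid": 1},
            {"_created timestamp": 1584462465, "_last-modified-by": "admin",
             "_modified timestamp": 1584462465, "obj seq": 2, "obj ver": 1,
             "policyid": 2},
        ],
        "status": {"code": 0, "message": "OK"},
        "url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy",
    }],
}

# Constructed sample: trimmed copy of the "get meta" response shown above.
META_RESPONSE = {
    "id": 1,
    "result": [{
        "data": [
            {"meta fields": {"change_type": "temporary"}, "obj seq": 1, "policyid": 1},
            {"meta fields": {"change_type": ""}, "obj seq": 2, "policyid": 2},
        ],
        "status": {"code": 0, "message": "OK"},
        "url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy",
    }],
}


def rows(response):
    """Data rows of a JSON RPC response; fail loudly on a non-OK status."""
    result = response["result"][0]
    if result["status"]["code"] != 0:
        raise RuntimeError(f"{result['url']}: {result['status']['message']}")
    return result["data"]


def to_utc(epoch):
    """FortiManager timestamps are Unix epoch seconds; make them aware UTC datetimes."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def join_by_policyid(extra_info, meta):
    """Merge the two responses into one record per policyid."""
    merged = {}
    for row in rows(extra_info):
        merged[row["policyid"]] = {
            "policyid": row["policyid"],
            "created": to_utc(row["_created timestamp"]),
            "modified": to_utc(row["_modified timestamp"]),
            "modified_by": row.get("_last-modified-by"),
            "obj_ver": row.get("obj ver"),
            "change_type": "",
        }
    for row in rows(meta):
        rec = merged.setdefault(row["policyid"], {"policyid": row["policyid"]})
        rec["change_type"] = row.get("meta fields", {}).get("change_type", "")
    return merged


def stale_temporary_policies(extra_info, meta, now, grace=timedelta(days=7)):
    """(policyid, last modifier, age in days) for policies tagged
    change_type=temporary whose last change is older than `grace` at `now`."""
    stale = []
    for rec in join_by_policyid(extra_info, meta).values():
        if rec.get("change_type") != "temporary" or "modified" not in rec:
            continue
        age = now - rec["modified"]
        if age > grace:
            stale.append((rec["policyid"], rec["modified_by"], age.days))
    return sorted(stale)


def modified_after_creation(extra_info):
    """policyids edited at least once after creation ("obj ver" > 1 corroborates this)."""
    return sorted(r["policyid"] for r in rows(extra_info)
                  if r["_modified timestamp"] > r["_created timestamp"])


if __name__ == "__main__":
    thirty_days_later = to_utc(1584462794 + 30 * 86400)
    print(stale_temporary_policies(EXTRA_INFO_RESPONSE, META_RESPONSE, thirty_days_later))
    print(modified_after_creation(EXTRA_INFO_RESPONSE))
```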
9.4.15. How to do a policy lookup?#
When we debug the FortiManager while operating the policy lookup from its UI:
diagnose debug service sys 255
diagnose debug enable
diagnose debug timestamp enable
to look up a policy matching the following criteria:
Device/VDOM: branch1_fgt
Source Interface: vl_lan
Protocol: IP
Protocol Number: 6
Source: Empty
Destination: 8.8.8.8
we can see two operations.
FortiManager first does a route lookup!
REQUEST:
{
"id": "9cd0139f-1713-4b57-b5f4-48a74f53baee",
"method": "exec",
"params": [
{
"data": {
"action": "get",
"resource": "/api/v2/monitor/router/lookup/select?&destination=8.8.8.8&ipv6=0",
"target": [
"adom/DEMO/device/branch1_fgt"
]
},
"target start": 1,
"url": "sys/proxy/json"
}
],
"session": 11017
}
RESPONSE:
{
"id": "2e65b687-2d69-42c8-a716-a0ebb07162c0",
"result": [
{
"data": [
{
"response": {
"action": "select",
"build": 8348,
"http_method": "GET",
"name": "lookup",
"path": "router",
"results": {
"gateway": "0.0.0.0",
"interface": "ol_mpls_0",
"network": "0.0.0.0/0",
"success": true
},
"serial": "FGVM04REDACTED73",
"status": "success",
"vdom": "root",
"version": "v6.2.3"
},
"status": {
"code": 0,
"message": "OK"
},
"target": "branch1_fgt"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "sys/proxy/json"
}
]
}
And we assume that, because a route exists, FortiManager proceeds with the next step.
It does the policy lookup!
REQUEST:
{
"id": "9bddbb32-7a3f-4547-af43-cb9812c9fc81",
"method": "exec",
"params": [
{
"data": {
"action": "get",
"resource": "/api/v2/monitor/firewall/policy-lookup/select?&srcintf=vl_lan&protocol=6&protocol_number=6&sourceip=&sourceport=&dest=8.8.8.8&destport=0",
"target": [
"adom/DEMO/device/branch1_fgt"
]
},
"target start": 1,
"url": "sys/proxy/json"
}
],
"session": 11017
}
RESPONSE:
{
"id": "9bddbb32-7a3f-4547-af43-cb9812c9fc81",
"result": [
{
"data": [
{
"response": {
"action": "select",
"build": 8348,
"http_method": "GET",
"name": "policy-lookup",
"path": "firewall",
"results": {
"success": false
},
"serial": "FGVM04REDACTED73",
"status": "success",
"vdom": "root",
"version": "v6.2.3"
},
"status": {
"code": 0,
"message": "OK"
},
"target": "branch1_fgt"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "sys/proxy/json"
}
]
}
Well, we don’t have a match, but at least we can see how the policy lookup is done by FortiManager :-)
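The two proxied calls above can be reproduced from a script: build the sys/proxy/json requests (route lookup first, then policy lookup) and read the FortiGate answer nested inside the FortiManager response. This is an added example, not FortiManager code; the helper names and the criteria arguments are assumptions, and the sample response is a trimmed copy of the page’s "no match" answer.

```python
"""Policy lookup through FortiManager's sys/proxy/json, as captured above.
Added example (not FortiManager code); helper names are assumptions."""
from urllib.parse import urlencode
import uuid


def proxy_request(adom, device, resource, session):
    """Wrap a FortiGate REST GET in a FortiManager sys/proxy/json exec call."""
    return {
        "id": str(uuid.uuid4()),
        "method": "exec",
        "params": [{
            "data": {
                "action": "get",
                "resource": resource,
                "target": [f"adom/{adom}/device/{device}"],
            },
            "target start": 1,
            "url": "sys/proxy/json",
        }],
        "session": session,
    }


def route_lookup_resource(destination, ipv6=False):
    """Step 1 of the GUI: does the device have a route to the destination?"""
    query = urlencode({"destination": destination, "ipv6": int(ipv6)})
    return f"/api/v2/monitor/router/lookup/select?{query}"


def policy_lookup_resource(srcintf, dest, protocol=6, sourceip="", sourceport="", destport=0):
    """Step 2 of the GUI, with the same query parameters as the capture above
    (the captured string starts with '?&'; urlencode() yields the plain '?' form)."""
    query = urlencode({
        "srcintf": srcintf, "protocol": protocol, "protocol_number": protocol,
        "sourceip": sourceip, "sourceport": sourceport,
        "dest": dest, "destport": destport,
    })
    return f"/api/v2/monitor/firewall/policy-lookup/select?{query}"


def lookup_requests(adom, device, srcintf, dest, session, protocol=6):
    """The ordered pair of requests the GUI issues for one lookup."""
    return [
        proxy_request(adom, device, route_lookup_resource(dest), session),
        proxy_request(adom, device, policy_lookup_resource(srcintf, dest, protocol), session),
    ]


def results_by_target(response):
    """{target: results} for every device answer in a sys/proxy/json response.
    Raises if FortiManager or the FortiGate reported that the call itself failed."""
    outer = response["result"][0]
    if outer["status"]["code"] != 0:
        raise RuntimeError(f"proxy call failed: {outer['status']['message']}")
    per_target = {}
    for entry in outer["data"]:
        if entry["status"]["code"] != 0:
            raise RuntimeError(f"{entry['target']}: {entry['status']['message']}")
        fgt = entry["response"]
        if fgt.get("status") != "success":
            raise RuntimeError(f"{entry['target']}: FortiGate returned {fgt.get('status')}")
        per_target[entry["target"]] = fgt["results"]
    return per_target


def lookup_matched(response, target):
    """True only when 'success' inside results is set: that flag is the match
    indicator, while the outer 'status': 'success' only says the API call worked."""
    return bool(results_by_target(response)[target].get("success"))


# Constructed sample: trimmed copy of the policy-lookup response above (no match).
NO_MATCH_RESPONSE = {
    "id": "9bddbb32-7a3f-4547-af43-cb9812c9fc81",
    "result": [{
        "data": [{
            "response": {"action": "select", "http_method": "GET",
                         "name": "policy-lookup", "path": "firewall",
                         "results": {"success": False}, "status": "success",
                         "vdom": "root", "version": "v6.2.3"},
            "status": {"code": 0, "message": "OK"},
            "target": "branch1_fgt",
        }],
        "status": {"code": 0, "message": "OK"},
        "url": "sys/proxy/json",
    }],
}

if __name__ == "__main__":
    for req in lookup_requests("DEMO", "branch1_fgt", "vl_lan", "8.8.8.8", 11017):
        print(req["params"][0]["data"]["resource"])
    print(lookup_matched(NO_MATCH_RESPONSE, "branch1_fgt"))
```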
9.4.16. Operating the firewall policy Install On column#
This is about replacing the default Installation Targets value of the Install On column with one or more managed devices or device groups.
To operate the Install On column of a firewall policy, recent FortiManager versions offer the following capabilities:
- You can click the pen icon to select specific devices or device groups; you can only select devices or device groups that are part of the Policy Package’s installation targets.
- You can right-click and select:
  - Edit Install On: you can select specific devices or device groups; you can only select devices or device groups that are part of the Policy Package’s installation targets.
  - Set Install On To Default: all devices and device groups set in the Policy Package’s installation targets will be considered.
  - Set Install On To None: this firewall policy won’t be used at all.
In the following screenshot, the pp_branches Policy Package is shared with some managed devices:
- Policy ID 1 will be installed on all managed devices specified in the installation targets list of this policy package (i.e. set to Default).
- Policy ID 2 won’t be installed since its Install On column is empty (i.e. set to None).
- Policy ID 2 will be installed on device branch11 only.
9.4.16.1. How to get the existing values for the Install On column?#
You just have to pass the option scope member when getting the firewall policies information.
It works when getting the firewall policy table.
For instance, to get the first three firewall policies from the ppkg_001 Policy Package in the dc_jani ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"comments"
],
"loadsub": 0,
"option": [
"scope member"
],
"range": [
0,
3
],
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"comments": "Install On: dev_003, dev_004",
"name": "Policy_001",
"obj flags": 16,
"obj seq": 1,
"oid": 5916,
"policyid": 1,
"scope member": [
{
"name": "dev_003",
"vdom": "root"
},
{
"name": "dev_004",
"vdom": "root"
}
]
},
{
"comments": "Install On: Installation Targets (Default)",
"name": "Policy_002",
"obj seq": 2,
"oid": 5917,
"policyid": 2
},
{
"comments": "Install On: None",
"name": "Policy_003",
"obj seq": 3,
"oid": 5918,
"policyid": 3,
"scope member": []
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy"
}
]
}
This output shows the FortiManager behavior when it returns firewall policies with specific devices, the Default, or the None target in the Install On column.
- There is a scope member showing up when the policy has its Install On cell set with managed devices and/or device groups (see firewall policy with policyid 1).
- There’s no scope member returned when the firewall policy has its Install On cell set to Default (see firewall policy with policyid 2).
- There is an empty scope member returned when the firewall policy has its Install On cell set to None (see firewall policy with policyid 3).
Note
With FortiManager 6, when the Install On cell was set to None, the response did not have any scope member returned.
In that case, how could you figure out whether you were in the Default Installation Targets situation or the None one?
You have to check for the presence of the obj flags attribute (see #0305108).
When you’re in the Default Installation Targets case, this is what you should get:
[...]
"obj flags": 16,
[...]
Here the "obj flags": 16 confirms there’s a scope member, but since it is using the Default value, it is not showing up.
Hence, it’s normal not to have any scope member returned.
You could interpret the above output as:
[...]
"scope member": null,
[...]
When you’re in the None case, this is what you should get:
[...]
[...]
Here the absence of "obj flags": 16 clearly indicates there is no scope member at all.
Hence, it’s normal to have neither the scope member nor the obj flags.
You could interpret the above output as:
[...]
"scope member": [],
[...]
The empty array clearly shows the scope member is empty (i.e. None).
You will have to wait for FortiManager 7.0.11/7.2.5/7.4.3 (#0953665) to get a more meaningful response.
It also works when getting a specific firewall policy by policyid.
For instance, to get the firewall policy with policyid 3 from the ppkg_001 Policy Package in the dc_jani ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"comments"
],
"loadsub": 0,
"option": [
"scope member"
],
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy/3"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": {
"comments": "Install On: None",
"name": "Policy_003",
"obj flags": 16,
"obj seq": 3,
"oid": 5918,
"policyid": 3,
"scope member": []
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy/3"
}
]
}
Note
In this case, the firewall policy with policyid 3 has its Install On column set to None. Now an explicit empty scope member list is returned.
9.4.16.2. How to change the Install On column?#
Now that you know how to get the Install On value in any situation, let’s see how to change it.
You want the branch11 managed device to be the unique target for policy ID 2.
With FortiManager versions older than 6.0, the very first time (i.e. when we replace the default Installation Targets value with a specific managed device), we have to use method set or update:
{
"id": 1,
"method": "set",
"params": [
{
"data": [
{
"name": "branch11",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
Note
You just need to append scope member at the end of the main URL to operate the Install On column.
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
You can review your Policy Package with the FortiManager GUI: policy seq #2 (i.e. policyid 2) should have branch11 showing up in the Install On column.
But if you keep using update or set to add additional managed devices, you will overwrite the existing list of managed devices placed in the scope member table.
So once the default Installation Targets value has been replaced by one or multiple managed devices (i.e. the scope member table has been created), we can keep adding managed devices on top of the existing ones by using the method add.
Starting with FMG 6.0.0, it is possible to use method add even when the Install On column has its default value (i.e. Installation Targets) (#0482431).
Now that you have added branch11 in the Install On column of policy ID 2, add additional devices.
You need to use the add method with the devices (one or multiple) you want to add:
{
"id": 1,
"method": "add",
"params": [
{
"data": [
{
"name": "branch12",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 now has branch11 and branch12 under column Install On.
It’s possible to add multiple firewalls:
{
"id": 1,
"method": "add",
"params": [
{
"data": [
{
"name": "branch13",
"vdom": "root"
},
{
"name": "branch14",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 now has branch11, branch12, branch13 and branch14 under column Install On.
To delete a specific target from the scope member table, you can use the method delete:
{
"id": 1,
"method": "delete",
"params": [
{
"data": [
{
"name": "branch14",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 now has branch11, branch12 and branch13 under column Install On.
It’s possible to delete multiple firewalls:
{
"id": 1,
"method": "delete",
"params": [
{
"data": [
{
"name": "branch12",
"vdom": "root"
},
{
"name": "branch13",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 now has branch11 under column Install On.
To set Install On to None (i.e. to empty the cell), you can use the method set with an empty list:
{
"id": 1,
"method": "set",
"params": [
{
"data": [
{}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
To get back the default value of Install On (i.e. Installation Targets), you just need to unset:
{
"id": 1,
"method": "unset",
"params": [
{
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
9.4.17. How to get the firewall policies along with used object definitions?#
When you just get the firewall policies, FortiManager returns something like:
[...]
"srcaddr": ["object1", "object2", ...]
[...]
But you don’t get what’s behind objects object1 and object2.
Should you want to get the object definitions at the time you get the firewall policies, just use expand datasrc as shown below:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"expand datasrc": [
{
"datasrc": [
{
"fields": [
"name",
"subnet",
"comment",
"color"
],
"obj type": "firewall address"
}
],
"name": "srcaddr"
},
{
"datasrc": [
{
"fields": [
"name",
"subnet",
"comment",
"color"
],
"obj type": "firewall address"
}
],
"name": "dstaddr"
},
{
"datasrc": [
{
"fields": [
"name",
"description",
"wildcard",
"wildcard-intf",
"default-mapping",
"defmap-intf",
"color"
],
"obj type": "dynamic interface"
}
],
"name": "srcintf"
},
{
"datasrc": [
{
"fields": [
"name",
"description",
"wildcard",
"wildcard-intf",
"default-mapping",
"defmap-intf",
"color"
],
"obj type": "dynamic interface"
}
],
"name": "dstintf"
},
{
"datasrc": [
{
"fields": [
"name",
"tcp-portrange",
"color",
"comment"
],
"obj type": "firewall service custom"
}
],
"name": "service"
},
{
"datasrc": [
{
"fields": [
"name",
"day",
"color"
],
"obj type": "firewall schedule recurring"
}
],
"name": "schedule"
},
{
"datasrc": [
{
"obj type": "ips sensor"
}
],
"name": "ips-sensor"
},
{
"datasrc": [
{
"obj type": "webfilter profile"
}
],
"name": "webfilter-profile"
}
],
"fields": [
"name",
"policyid",
"srcintf",
"dstintf",
"srcaddr",
"dstaddr",
"service",
"action",
"schedule",
"utm-status",
"logtraffic-start",
"webfilter-profile",
"ips-sensor",
"global-label",
"comments"
],
"loadsub": 0,
"range": null,
"url": "/pm/config/adom/deutsche_bank_benchmark/pkg/ppkg_001/firewall/policy/"
}
],
"session": "qk4LfxNkgZuewjwk7mp4Vt4e+f2OJR3Bvo/xdj73PN5pul8AZq7a58qp4LJ+DwvJHIvT1r17SAoGYjKyTueJGw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"action": "accept",
"comments": "Created with FMG API",
"dstaddr": [
{
"color": 28,
"comment": "Created with FMG API",
"name": "tc_004_dst_000001",
"obj type": "firewall address",
"subnet": [
"10.0.0.1",
"255.255.255.255"
]
}
],
"dstintf": [
{
"color": 16,
"default-mapping": "enable",
"defmap-intf": "wan",
"description": "Created with FortiManager Ansible",
"name": "wan",
"obj type": "dynamic interface",
"wildcard-intf": "wan"
}
],
"global-label": "Project #1",
"ips-sensor": [
{
"_baseline": [],
"block-malicious-url": "disable",
"comment": "Prevent critical attacks.",
"extended-log": "disable",
"name": "default",
"obj type": "ips sensor",
"replacemsg-group": [],
"scan-botnet-connections": "disable"
}
],
"logtraffic-start": "enable",
"name": "Policy_000001",
"obj seq": 1,
"policyid": 1,
"schedule": [
{
"color": 0,
"day": [
"sunday",
"monday",
"tuesday",
"wednesday",
"thursday",
"friday",
"saturday"
],
"name": "always",
"obj type": "firewall schedule recurring"
}
],
"service": [
{
"color": 0,
"comment": null,
"name": "ALL",
"obj seq": 1,
"obj type": "firewall service custom",
"tcp-portrange": [],
"unset attrs": [
"icmptype",
"icmpcode"
]
}
],
"srcaddr": [
{
"color": 18,
"comment": "Created with FMG API",
"name": "tc_004_src_000001",
"obj type": "firewall address",
"subnet": [
"10.0.0.1",
"255.255.255.255"
]
}
],
"srcintf": [
{
"color": 6,
"default-mapping": "enable",
"defmap-intf": "lan",
"description": "Created with FortiManager Ansible",
"name": "lan",
"obj type": "dynamic interface",
"wildcard-intf": "lan"
}
],
"utm-status": "enable",
"webfilter-profile": [
{
"comment": "Default web filtering.",
"extended-log": "disable",
"https-replacemsg": "enable",
"log-all-url": "disable",
"name": "default",
"obj type": "webfilter profile",
"options": null,
"ovrd-perm": null,
"post-action": "normal",
"replacemsg-group": [],
"web-content-log": "enable",
"web-extended-all-action-log": "disable",
"web-filter-activex-log": "enable",
"web-filter-applet-log": "enable",
"web-filter-command-block-log": "enable",
"web-filter-cookie-log": "enable",
"web-filter-cookie-removal-log": "enable",
"web-filter-js-log": "enable",
"web-filter-jscript-log": "enable",
"web-filter-referer-log": "enable",
"web-filter-unknown-log": "enable",
"web-filter-vbs-log": "enable",
"web-ftgd-err-log": "enable",
"web-ftgd-quota-usage": "enable",
"web-invalid-domain-log": "enable",
"web-url-log": "enable",
"wisp": "disable",
"wisp-algorithm": "auto-learning",
"wisp-servers": [],
"youtube-channel-status": "disable"
}
]
},
[...]
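Because expand datasrc returns the referenced objects inline, the expanded response can be reviewed directly: resolve each address to a network and flag permissive rules without a second round of lookups. This is an added example, not FortiManager code; the review criteria are assumptions, the first sample policy is trimmed from the response above, the second is constructed.

```python
"""Build an "expand datasrc" request and review the expanded policies it
returns. Added example (not FortiManager code); review criteria are assumptions."""
import ipaddress

# Which referenced tables to expand, and which attributes of each to fetch.
EXPANSIONS = {
    "srcaddr": ("firewall address", ["name", "subnet", "comment", "color"]),
    "dstaddr": ("firewall address", ["name", "subnet", "comment", "color"]),
    "service": ("firewall service custom", ["name", "tcp-portrange", "color", "comment"]),
    "schedule": ("firewall schedule recurring", ["name", "day", "color"]),
}


def expand_request(adom, pkg, fields, session, expansions=EXPANSIONS, rid=1):
    """JSON RPC "get" on a policy table with one expand datasrc entry per field."""
    return {
        "id": rid, "jsonrpc": "1.0", "method": "get",
        "params": [{
            "expand datasrc": [
                {"datasrc": [{"fields": attrs, "obj type": obj_type}], "name": name}
                for name, (obj_type, attrs) in expansions.items()
            ],
            "fields": fields, "loadsub": 0, "range": None,
            "url": f"/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy/",
        }],
        "session": session, "verbose": 1,
    }


def to_network(subnet):
    """FortiManager returns a firewall address subnet as [ip, netmask]."""
    return ipaddress.ip_network(f"{subnet[0]}/{subnet[1]}", strict=False)


def resolve_addresses(objs):
    """Expanded address objects -> networks (unexpanded names or other types skipped)."""
    nets = []
    for obj in objs:
        if isinstance(obj, dict) and obj.get("obj type") == "firewall address" and "subnet" in obj:
            nets.append(to_network(obj["subnet"]))
    return nets


def review_policy(policy):
    """Findings for one expanded accept policy (empty list = nothing notable)."""
    findings = []
    if policy.get("action") != "accept":
        return findings
    src = resolve_addresses(policy.get("srcaddr", []))
    dst = resolve_addresses(policy.get("dstaddr", []))
    if any(n.prefixlen == 0 for n in src):
        findings.append("source is any")
    if any(n.prefixlen == 0 for n in dst):
        findings.append("destination is any")
    if any(isinstance(s, dict) and s.get("name") == "ALL" for s in policy.get("service", [])):
        findings.append("service ALL")
    if policy.get("utm-status") != "enable":
        findings.append("no UTM")
    return findings


def review_policies(response):
    """{policyid: findings} for every policy in an expanded get response."""
    return {p["policyid"]: review_policy(p) for p in response["result"][0]["data"]}


# Constructed sample: policy 1 trimmed from the response above, policy 2 made up.
EXPANDED_RESPONSE = {"result": [{"status": {"code": 0, "message": "OK"}, "data": [
    {"policyid": 1, "action": "accept", "utm-status": "enable",
     "srcaddr": [{"name": "tc_004_src_000001", "obj type": "firewall address",
                  "subnet": ["10.0.0.1", "255.255.255.255"]}],
     "dstaddr": [{"name": "tc_004_dst_000001", "obj type": "firewall address",
                  "subnet": ["10.0.0.1", "255.255.255.255"]}],
     "service": [{"name": "ALL", "obj type": "firewall service custom"}]},
    {"policyid": 2, "action": "accept", "utm-status": "disable",
     "srcaddr": [{"name": "all", "obj type": "firewall address",
                  "subnet": ["0.0.0.0", "0.0.0.0"]}],
     "dstaddr": [{"name": "dmz_net", "obj type": "firewall address",
                  "subnet": ["192.0.2.0", "255.255.255.0"]}],
     "service": [{"name": "HTTPS", "obj type": "firewall service custom"}]},
]}]}

if __name__ == "__main__":
    print(review_policies(EXPANDED_RESPONSE))
```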
9.4.18. Partial Install#
9.4.18.1. Legacy Partial Install API#
9.4.18.1.1. How to partial install a firewall policy?#
The idea behind the partial installation mechanism is to install a very specific object (a firewall policy, a firewall address, a firewall address group with its members, a UTM profile, etc.) but not the other pending changes!
The partial installation is mainly for objects maintained in ADOM DB.
To enable it:
config system global
set partial-install enable
set partial-install-force enable
set partial-install-rev enable
end
where:
partial-install:
Value | Description
---|---
enable | Enable the partial installation mechanism
disable | Disable the partial installation mechanism
partial-install-force:
Value | Description
---|---
enable | Force the installation of the targeted object along with the pending changes in Device DB
disable | If any pending changes are detected in Device DB, the partial installation will be stopped. If no changes are detected in Device DB, the partial installation will work normally
partial-install-rev:
Value | Description
---|---
enable | Create an ADOM Revision
disable | Don’t create an ADOM Revision
It is possible to partial install most of the objects maintained in the FortiManager’s ADOM DB.
The generic request is:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"scope": [
{
"name": "{{device}}",
"vdom": "{{vdom}}"
},
{"...", "..."}
],
"target": [
"{{ target }}"
]
},
"url": "/securityconsole/install/objects"
}
],
"session": "{{session}}"
}
where {{ target }} should be replaced by a FortiManager JSON RPC API url.
The partial installation works as defined below:
- If the target exists on the managed device, FortiManager will update it.
- If the target doesn’t exist on the managed device, FortiManager will install it.
- If the target is an object with members (think of a firewall address group) and some of the members don’t exist on the managed device, they will be installed automatically.
The following example shows the generic REQUEST format to partial install a firewall policy:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"scope": [
{
"name": "{{device}}",
"vdom": "{{vdom}}"
}
],
"target": [
"/pm/config/adom/{{adom}}/pkg/{{pkg}}/firewall/policy/{{policyid}}"
]
},
"url": "/securityconsole/install/objects"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"task": 184
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects"
}
]
}
Note
New or updated objects belonging to the targeted policyid object will be automatically added or updated.
The rest of this section describes the partial install behavior for different cases.
Update of the policy’s properties only
This is the situation before the test:
- One policy package with 100 policies already installed on the managed device.
- The comments of policyid 5 was modified (new comment is Test #005).
- No other pending changes in ADOM DB.
- The partial install is performed against policyid 5.
This is the installation output we got from FortiManager GUI:
Starting log (Run on device)
Start installing
dev_001 $ config firewall policy
dev_001 (policy) $ edit 5
dev_001 (5) $ set comments "Test #005"
dev_001 (5) $ next
dev_001 (policy) $ end
---> generating verification report <---
done generating verification report
install finished
Conclusion
As expected, only the updated comments is sent to the managed device.
Update of the policy’s properties + new existing objects
This is the situation before the test:
- One policy package with 100 policies already installed on the managed device.
- The comments of policyid 5 was modified (new comment is Test #006).
- Firewall address host_105, already used in some of the 99 other policies (hence already existing on the managed device), has been added to the dstaddr of policyid 5.
- The partial install is performed against policyid 5.
This is the installation output we got from FortiManager GUI:
Starting log (Run on device)
Start installing
dev_001 $ config firewall policy
dev_001 (policy) $ edit 5
dev_001 (5) $ set dstaddr "host_004" "host_105"
dev_001 (5) $ set comments "Test #006"
dev_001 (5) $ next
dev_001 (policy) $ end
---> generating verification report <---
done generating verification report
install finished
Conclusion
- As expected, the updated comments is sent to the managed device.
- As expected, the reference (i.e., name only) of the firewall address host_105 is added to the dstaddr.
New objects added in firewall policy + other ADOM DB pending changes
This is the situation before the test:
- One policy package with 100 policies already installed on the managed device.
- New firewall address created: host_201, placed as srcaddr of policyid 5.
- Other pending changes in ADOM DB (other policies from the same policy package have been modified, for instance).
- The partial install is performed against policyid 5.
This is the installation output we got from FortiManager GUI:
Starting log (Run on device)
Start installing
dev_001 $ config firewall address
dev_001 (address) $ edit "host_201"
dev_001 (host_201) $ set uuid edf0802e-dc52-51ec-eead-9a86a08a872a
dev_001 (host_201) $ set color 17
dev_001 (host_201) $ set subnet 145.124.204.58 255.255.255.255
dev_001 (host_201) $ next
dev_001 (address) $ end
dev_001 $ config firewall policy
dev_001 (policy) $ edit 5
dev_001 (5) $ set srcaddr "host_005" "host_201"
dev_001 (5) $ next
dev_001 (policy) $ end
---> generating verification report <---
done generating verification report
install finished
Conclusions
- FortiManager is really in charge! It detected that a new firewall address had to be installed on the managed device: host_201.
- Once the new firewall address is installed, it can be referenced and added as srcaddr.
- As expected, other pending changes haven’t been installed!
New more complex objects added + other ADOM DB pending changes
This is the situation before the test:
- One policy package with 100 policies already installed on the managed device.
- New firewall addresses created: host_202 and host_203.
- New firewall address group created: grp_host_20x. Members are host_202 and host_203.
- Firewall address group grp_host_20x added as dstaddr of policyid 5.
- New IPS profile created: ips_profile_001.
- New profile group created: profile_group_001.
- ips_profile_001 IPS profile and some other UTM profiles added to the profile_group_001 Profile Group.
- profile_group_001 Profile Group added to policyid 5.
- The partial install is performed against policyid 5.
This is the installation output we got from FortiManager GUI:
Starting log (Run on device)
Start installing
dev_001 $ config firewall address
dev_001 (address) $ edit "host_202"
dev_001 (host_202) $ set uuid 347190b0-dc53-51ec-137e-2a05a016d500
dev_001 (host_202) $ set color 17
dev_001 (host_202) $ set subnet 145.124.202.58 255.255.255.255
dev_001 (host_202) $ next
dev_001 (address) $ edit "host_203"
dev_001 (host_203) $ set uuid 3c63b8a2-dc53-51ec-634e-3872e5836416
dev_001 (host_203) $ set color 17
dev_001 (host_203) $ set subnet 145.123.202.58 255.255.255.255
dev_001 (host_203) $ next
dev_001 (address) $ end
dev_001 $ config firewall addrgrp
dev_001 (addrgrp) $ edit "grp_host_20x"
dev_001 (grp_host_20x) $ set uuid 469eec38-dc53-51ec-4fcc-3e14b47114a4
dev_001 (grp_host_20x) $ set member "host_202" "host_203"
dev_001 (grp_host_20x) $ set color 18
dev_001 (grp_host_20x) $ next
dev_001 (addrgrp) $ end
dev_001 $ config ips sensor
dev_001 (sensor) $ edit "ips_profile_001"
dev_001 (ips_profile_001) $ set comment "Prevent critical attacks."
dev_001 (ips_profile_001) $ config entries
dev_001 (entries) $ edit 1
dev_001 (1) $ set severity medium high critical
dev_001 (1) $ next
dev_001 (entries) $ end
dev_001 (ips_profile_001) $ next
dev_001 (sensor) $ end
dev_001 $ config firewall profile-group
dev_001 (profile-group) $ edit "profile_group_001"
dev_001 (profile_group_001) $ set ips-sensor "ips_profile_001"
dev_001 (profile_group_001) $ set application-list "default"
dev_001 (profile_group_001) $ next
dev_001 (profile-group) $ end
dev_001 $ config firewall policy
dev_001 (policy) $ edit 5
dev_001 (5) $ set dstaddr "grp_host_20x" "host_004" "host_105"
dev_001 (5) $ set utm-status enable
dev_001 (5) $ set profile-type group
dev_001 (5) $ set profile-group "profile_group_001"
dev_001 (5) $ next
dev_001 (policy) $ end
---> generating verification report <---
done generating verification report
install finished
Conclusions
- All new objects have been successfully sent to the managed device.
- Only policyid 5 changes have been sent, as expected.
- Other pending changes haven’t been installed!
Partial Install New Firewall Policy
This is the situation before the test:
- One policy package with 100 policies already installed on the managed device.
- A new firewall policy is created, referencing existing (host_004 and host_104) and new (host_204) objects.
- This new firewall policy has been placed between the firewall policies with policyid 5 and 6.
- The partial install is performed against this new firewall policy.
This is the installation output we got from FortiManager GUI:
Starting log (Run on device)
Start installing
dev_001 $ config firewall address
dev_001 (address) $ edit "host_204"
dev_001 (host_204) $ set uuid dadfea46-dc53-51ec-dee7-d0e7acd6a7da
dev_001 (host_204) $ set color 17
dev_001 (host_204) $ set subnet 145.123.202.54 255.255.255.255
dev_001 (host_204) $ next
dev_001 (address) $ end
dev_001 $ config firewall policy
dev_001 (policy) $ edit 101
dev_001 (101) $ set uuid ae0d8f6e-dc53-51ec-af49-7683cdf87a8d
dev_001 (101) $ set action accept
dev_001 (101) $ set srcintf "port1"
dev_001 (101) $ set dstintf "port2"
dev_001 (101) $ set srcaddr "host_104"
dev_001 (101) $ set dstaddr "host_004" "host_204"
dev_001 (101) $ set schedule "always"
dev_001 (101) $ set service "ALL"
dev_001 (101) $ set logtraffic all
dev_001 (101) $ set label "Project #1"
dev_001 (101) $ set global-label "Project #1"
dev_001 (101) $ next
dev_001 (policy) $ end
---> generating verification report <---
done generating verification report
install finished
Conclusions
Partial install also works for a new firewall policy!
Warning
The new firewall policy has been pushed to the managed device and placed at the end of the existing firewall policies!
This does not conform to what has been configured in FortiManager: the new firewall policy should have been placed between the firewall policies with policyid 5 and 6!
The legacy partial install doesn’t support pushing a new firewall policy at a specific position.
You have to consider the partial install v2 (see New Partial Install API).
9.4.18.1.2. How to trigger an install preview for a partial install?#
The following example describes how to trigger an install preview for the partial installation of the host_001 firewall address (which is in use) in the dc_amiens ADOM.
It’s a three-step process.
You have to trigger the Partial Install.
The example below starts the Partial Install process against the host_001 firewall address from the dc_amiens ADOM.
You are expected to know the target device; here it is dut_fgt_02 and its root VDOM.
You also have to specify the preview flag.
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "dc_amiens",
"flags": [
"preview"
],
"scope": [
{
"name": "dut_fgt_02",
"vdom": "root"
}
],
"target": [
"/pm/config/adom/dc_amiens/obj/firewall/address/host_001"
]
},
"url": "/securityconsole/install/objects"
}
],
"session": 4902
}
{
"id": 1,
"result": [
{
"data": {
"task": 1244
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects"
}
]
}
You are given a task ID that you have to monitor.
Then you need to explicitly ask for a preview report.
You just need to specify the target device (dc_fgt_02).
FortiManager will collect the preview information generated in the previous step.
{
"method": "exec",
"params": [
{
"data": {
"adom": "dc_amiens",
"device": "dc_fgt_02"
},
"url": "/securityconsole/install/preview"
}
],
"session": 4902
}
{
"result": [
{
"data": {
"task": 1245
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/preview"
}
]
}
You're also given a task ID that you have to monitor.
Finally, you can obtain the preview report:
{
"method": "exec",
"params": [
{
"data": {
"adom": "dc_amiens",
"device": "dut_fgt_02",
"flags": 1024
},
"url": "/securityconsole/preview/result"
}
],
"session": 4902
}
{
"result": [
{
"data": {
"message": "config firewall address\n edit \"host_001\"\n set comment \"Test #001\"\n next\nend\n"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/preview/result"
}
]
}
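The three-step preview flow above, driven from a small Python client. This is an added example, not code from the document or from Fortinet: the transport is injected so it runs offline here against a constructed FakeFmg that replays the responses shown in the text, and task polling assumes the FMG task API GET /task/task/<id> (with a percent field), which this section does not show.

```python
import time
from typing import Any, Callable, Dict, List, Optional

# A transport sends one JSON-RPC request dict and returns the parsed response dict.
JsonRpc = Callable[[dict], dict]


def rpc(method: str, url: str, data: Optional[Dict[str, Any]], session: Any, rid: int) -> dict:
    """Build one FortiManager JSON-RPC request with a single params entry."""
    params: Dict[str, Any] = {"url": url}
    if data is not None:
        params["data"] = data
    return {"id": rid, "method": method, "params": [params], "session": session}


def first_result(resp: dict) -> dict:
    """Return result[0] of a response, raising if its status code is not 0 (OK)."""
    res = resp["result"][0]
    status = res.get("status", {})
    if status.get("code", 0) != 0:
        raise RuntimeError(f"{res.get('url')}: {status.get('code')} {status.get('message')}")
    return res


def wait_task(call: JsonRpc, session: Any, task_id: int, rid: int,
              interval: float = 2.0, sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll a task until its percent reaches 100 and return the final task record.

    Assumption: the task is read with GET /task/task/<id> (FMG task API, not
    shown in this section); num_err > 0 is treated as a failed task."""
    while True:
        task = first_result(call(rpc("get", f"/task/task/{task_id}", None, session, rid)))["data"]
        if task.get("percent", 0) >= 100:
            if task.get("num_err", 0):
                raise RuntimeError(f"task {task_id} finished with {task['num_err']} error(s)")
            return task
        sleep(interval)


def legacy_preview(call: JsonRpc, session: Any, adom: str, device: str, vdom: str,
                   target: str) -> str:
    """Run the three steps described above and return the preview CLI script."""
    # Step 1: partial install of `target` with the "preview" flag -> first task id
    data: Dict[str, Any] = {"adom": adom, "flags": ["preview"],
                            "scope": [{"name": device, "vdom": vdom}], "target": [target]}
    req = rpc("exec", "/securityconsole/install/objects", data, session, 1)
    task1 = first_result(call(req))["data"]["task"]
    wait_task(call, session, task1, 2)
    # Step 2: ask FortiManager to collect the preview produced by step 1 -> second task id
    req = rpc("exec", "/securityconsole/install/preview",
              {"adom": adom, "device": device}, session, 3)
    task2 = first_result(call(req))["data"]["task"]
    wait_task(call, session, task2, 4)
    # Step 3: fetch the preview report (flags 1024, as in the document's request)
    req = rpc("exec", "/securityconsole/preview/result",
              {"adom": adom, "device": device, "flags": 1024}, session, 5)
    return first_result(call(req))["data"]["message"]


class FakeFmg:
    """Constructed stand-in for FortiManager that replays the responses shown in
    the text so the flow can be exercised offline. It records every request."""

    CANNED = {
        "/securityconsole/install/objects": {"task": 1244},
        "/securityconsole/install/preview": {"task": 1245},
        "/securityconsole/preview/result": {
            "message": "config firewall address\n edit \"host_001\"\n"
                       " set comment \"Test #001\"\n next\nend\n"},
    }

    def __init__(self) -> None:
        self.sent: List[dict] = []

    def __call__(self, req: dict) -> dict:
        self.sent.append(req)
        url = req["params"][0]["url"]
        if url.startswith("/task/task/"):
            data: Dict[str, Any] = {"percent": 100, "num_err": 0}  # task already finished
        else:
            data = self.CANNED[url]
        return {"id": req["id"],
                "result": [{"data": data, "status": {"code": 0, "message": "OK"}, "url": url}]}


if __name__ == "__main__":
    fmg = FakeFmg()
    print(legacy_preview(fmg, 4902, "dc_amiens", "dut_fgt_02", "root",
                         "/pm/config/adom/dc_amiens/obj/firewall/address/host_001"))
```

Against a real FortiManager, replace FakeFmg with a function that POSTs the request dict to /jsonrpc and returns the decoded body.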
9.4.19. New Partial Install API#
Note
The new Partial Install API is also named Partial Install v2
9.4.19.1. Introducing the new partial install API#
Starting with FMG 7.4.1, a new partial install API has been implemented.
The former one (see Legacy Partial Install API) is still available.
9.4.19.2. New Partial Install API JSON RPC payload#
This is the generic JSON RPC payload for the new Partial Install API:
{
"method": "exec",
"params": [
{
"data": {
"adom": "<adom>",
"objects": [
["<action>", "<object>", "<relative_position>", "<position>"],
["<other action lines>"]
],
"scope": [
{
"name": "<device>",
"vdom": "<vdom>"
}
],
"flags": <value>
},
"url": "securityconsole/install/objects/v2"
}
],
"session": "<session>"
}
where:
Item | Value
---|---
<action> | The partial install action to perform; the example below and the following sections use add, update, delete and move
<object> | Is the object to partial install (a firewall address, a firewall policy, etc.)
<relative_position> | Indicates how to place the object with regard to the specified <position>. This argument is applicable when the action is add or move (the example below uses before with add and after with move); for update and delete it is left empty
<position> | Indicates after/before which element to partial install the selected object
objects | Can contain a list of actions! It is possible to combine multiple partial install operations in a single API call
flags | Can have two values: 0 for a regular partial install, 2 for a preview only (see the examples in the following sections)
Example:
{
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"objects": [
["add", "pkg/default/firewall/policy/8", "before", "1"],
["update", "obj/firewall/address/Addr_1", "", ""],
["delete", "pkg/default/firewall/policy/3", "", ""],
["move", "pkg/default/firewall/policy/6", "after", "3"]
],
"flags": 0
},
"url": "securityconsole/install/objects/v2"
}
],
"session": 52904
}
In the above example a partial install (flags is 0) is made to:
- Add a new firewall policy with policyid 8 before the existing firewall policy with policyid 1
- Update the existing Addr_1 firewall address
- Delete the existing firewall policy with policyid 3
- Move the existing firewall policy with policyid 6 after the existing firewall policy with policyid 3
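A builder that checks the rules from the table above before sending the v2 payload: it rejects unknown actions, requires a before/after placement for add and move, requires empty placement fields for update and delete, and only accepts the two flags values used on this page. This is an added example, not code from the document or from Fortinet; the function and constant names are this example's own.

```python
from typing import Any, Dict, Optional, Sequence, Tuple

ACTIONS = ("add", "update", "delete", "move")
PLACED = ("add", "move")             # the only actions that take a placement
RELATIVE = ("before", "after")
FLAGS = {0: "partial install", 2: "preview only"}   # the two values used in this document

# One entry of the "objects" array: [action, object, relative_position, position]
ObjectLine = Tuple[str, str, str, str]


def object_line(action: str, obj: str, relative: str = "", position: str = "") -> ObjectLine:
    """Validate one action line and return it in wire form."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {ACTIONS}")
    # Object paths are relative to the ADOM, as in pkg/<pkg>/firewall/policy/<id>
    # or obj/firewall/address/<name> in the example above.
    if not obj.startswith(("pkg/", "obj/")):
        raise ValueError(f"object path {obj!r} should start with pkg/ or obj/")
    if action in PLACED:
        if relative not in RELATIVE or not position:
            raise ValueError(f"{action} needs a relative position (before/after) "
                             "and a reference element")
    elif relative or position:
        raise ValueError(f"{action} takes no placement; leave relative_position "
                         "and position empty")
    return (action, obj, relative, position)


def build_request(adom: str, objects: Sequence[ObjectLine], session: Any, flags: int = 0,
                  scope: Optional[Sequence[Tuple[str, str]]] = None, rid: int = 1) -> dict:
    """Assemble the /securityconsole/install/objects/v2 JSON-RPC request."""
    if flags not in FLAGS:
        raise ValueError(f"flags must be one of {sorted(FLAGS)}: {FLAGS}")
    if not objects:
        raise ValueError("at least one object action is required")
    data: Dict[str, Any] = {"adom": adom,
                            "objects": [list(line) for line in objects],
                            "flags": flags}
    if scope:  # optional: when omitted, FortiManager works out the target devices itself
        data["scope"] = [{"name": name, "vdom": vdom} for name, vdom in scope]
    return {"id": rid, "method": "exec",
            "params": [{"data": data, "url": "/securityconsole/install/objects/v2"}],
            "session": session}


def describe(line: ObjectLine) -> str:
    """Plain-language reading of one action line, like the bullet list above."""
    action, obj, relative, position = line
    parts = obj.split("/")
    kind = " ".join(parts[-3:-1])   # e.g. "firewall policy", "firewall address"
    text = f"{action} {kind} {parts[-1]}"
    if relative:
        text += f" {relative} {kind} {position}"
    return text


if __name__ == "__main__":
    lines = [
        object_line("add", "pkg/default/firewall/policy/8", "before", "1"),
        object_line("update", "obj/firewall/address/Addr_1"),
        object_line("delete", "pkg/default/firewall/policy/3"),
        object_line("move", "pkg/default/firewall/policy/6", "after", "3"),
    ]
    for line in lines:
        print(describe(line))
    print(build_request("root", lines, 52904))
```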
9.4.19.3. Enable Partial Install#
Enter the following command to enable the Partial Install mechanism:
config system global
set partial-install enable
end
Note
No need to enable the partial-install-force setting.
The New Partial Install API will only push the selected objects and won't consider the network and system setting changes pending in the Device DB.
9.4.19.4. Partial install to only install the instructed changes#
Unlike the Legacy Partial Install API, the new Partial Install API will only push selected objects and won’t consider the network and system setting changes pending in Device DB.
The feature has been implemented in FortiManager 7.4.1 (#875715).
9.4.19.4.1. Partial install of a used/updated firewall address#
Preparation
- Update the host_111 firewall address. This object is already used by one of the firewall policies installed in the dev_001 managed device. Its former IP address was 162.148.54.193/255.255.255.255; its new IP address is 1.1.1.1/255.255.255.255.
- In FortiManager GUI, from Device Manager, add a new static route in the dev_001 managed device:
config router static
edit 2
set dst 10.0.1.0 255.255.255.0
set gateway 172.16.65.1
set device port1
next
end
Note
You're now in a situation where you have both ADOM DB (host_111) and Device DB (dev_001 router.static table) pending changes.
Trigger a new partial install
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"flags": 0,
"objects": [
["update", "obj/firewall/address/host_111", "", ""]
],
"scope": [
{
"name": "dev_001",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/objects/v2"
}
],
"session": "{{session}}"
}
Note
The scope block is optional. If not used, FortiManager will figure out which managed devices use this object.
The action is update because it's an existing but updated firewall address.
{
"id": 3,
"result": [
{
"data": {
"task": 13
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects/v2"
}
]
}
The task completed successfully.
This is the View Installation Log output:
Starting log (Run on device)
Start installing
dev_001 $ config firewall address
dev_001 (address) $ edit "host_111"
dev_001 (host_111) $ set subnet 1.1.1.1 255.255.255.255
dev_001 (host_111) $ next
dev_001 (address) $ end
---> generating verification report <---
done generating verification report
install finished
Conclusion
As expected, FortiManager only installed the selected and updated host_111 firewall address.
The pending static route wasn't installed against the dev_001 managed device.
9.4.19.4.2. Partial install of a used/updated firewall policy with new/used/updated firewall addresses#
Preparation
- Create the host_201 firewall address:
config firewall address
edit host_201
set subnet 21.103.33.206/32
set color 9
next
end
- Navigate to the ppkg_001 policy package. Edit policy seq #2 (policyid should be 2 as well). Add host_201 (new object) in the Source column. Add host_006 (used object) in the Destination column.
- The dev_001 managed device still has the static route pointing to 10.0.1.0/24 created earlier.
Note
You're now in a situation where you have both ADOM DB (host_201 firewall address and modified ppkg_001 Policy Package) and Device DB (dev_001 router.static table) pending changes.
Trigger a new partial install
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"flags": 0,
"objects": [
["update", "pkg/ppkg_001/firewall/policy/2", "", ""]
],
"scope": [
{
"name": "dev_001",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/objects/v2"
}
],
"session": "{{session}}"
}
Note
The objects action is update because it's an existing but updated firewall policy.
{
"id": 2,
"result": [
{
"data": {
"task": 14
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects/v2"
}
]
}
The task completed successfully.
This is the View Installation Log output:
Starting log (Run on device)
Start installing
FGVM04TM23004347 $ config firewall address
FGVM04TM23004347 (address) $ edit "host_201"
FGVM04TM23004347 (host_201) $ set uuid 347c4a0c-5847-51ee-d296-f1b66bde8f41
FGVM04TM23004347 (host_201) $ set color 10
FGVM04TM23004347 (host_201) $ set subnet 21.103.33.206 255.255.255.255
FGVM04TM23004347 (host_201) $ next
FGVM04TM23004347 (address) $ end
FGVM04TM23004347 $ config firewall policy
FGVM04TM23004347 (policy) $ edit 2
FGVM04TM23004347 (2) $ set srcaddr "host_002" "host_201"
FGVM04TM23004347 (2) $ set dstaddr "host_006" "host_102"
FGVM04TM23004347 (2) $ next
FGVM04TM23004347 (policy) $ end
---> generating verification report <---
done generating verification report
install finished
Conclusion
As expected, FortiManager only installed the selected and updated policyid 2.
The pending static route wasn't installed against the dev_001 managed device.
9.4.19.5. Partial install to support install + move policy#
The Legacy Partial Install API supported partial installing a new firewall policy created within a Policy Package at a specific position in the existing list of firewall policies.
However, this new policy was successfully created in the managed device, but at the last position. See Partial Install New Firewall Policy.
The new Partial Install API now supports specifying the placement details.
The feature has been implemented in FortiManager 7.4.1 (#875716).
9.4.19.5.1. Partial install of a new policy with new/used/updated firewall addresses#
Preparation
- Create the host_202 firewall address:
config firewall address
edit host_202
set subnet 22.103.33.206/32
set color 9
next
end
- Edit the host_003 firewall address. Former IP address was: 47.61.8.231/255.255.255.255. New IP address is: 1.1.1.1/32
- Create the grp_001 firewall address group with host_050 and host_051
- Clone the default IPS profile into ips_profile_001
- Edit the cloned ips_profile_001: click Create New, enable Packet logging, set Status to Enable
- Navigate to the ppkg_001 policy package. Insert a new firewall policy after policy seq #10 (policyid should be 10 as well). The newly inserted policy shows up with policyid 101 and with seq #11. Enable it. Set the Name column to Policy_101. In the Source column, add the firewall addresses host_202 (new firewall address) and host_001 (used firewall address). In the Destination column, add host_003 (updated firewall address) and grp_001 (new firewall address group of used firewall addresses). Set Action to Accept. Add the ips_profile_001 IPS profile in the Security Profiles column.
This is the resulting new firewall policy:
- The dev_001 managed device still has the static route pointing to 10.0.1.0/24 created earlier.
Trigger partial install
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": 0,
"objects": [
["add", "pkg/ppkg_001/firewall/policy/101", "after", "10"]
],
"scope": [
{
"name": "dev_001",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/objects/v2"
}
],
"session": "{{session}}"
}
Note
The action is add because it's a new firewall policy.
{
"id": 3,
"result": [
{
"data": {
"task": 15
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects/v2"
}
]
}
The task completed successfully.
This is the View Installation Log output:
Starting log (Run on device)
Start installing
dev_001 $ config firewall address
dev_001 (address) $ edit "host_003"
dev_001 (host_003) $ set subnet 1.1.1.1 255.255.255.255
dev_001 (host_003) $ next
dev_001 (address) $ edit "host_202"
dev_001 (host_202) $ set uuid 4f701070-584a-51ee-a929-d2686f6d80d5
dev_001 (host_202) $ set color 30
dev_001 (host_202) $ set subnet 22.103.33.206 255.255.255.255
dev_001 (host_202) $ next
dev_001 (address) $ end
dev_001 $ config firewall addrgrp
dev_001 (addrgrp) $ edit "grp_001"
dev_001 (grp_001) $ set uuid 6dc5814a-584a-51ee-d6c7-da84f06b12a3
dev_001 (grp_001) $ set member "host_050" "host_051"
dev_001 (grp_001) $ set color 30
dev_001 (grp_001) $ next
dev_001 (addrgrp) $ end
dev_001 $ config ips sensor
dev_001 (sensor) $ edit "ips_profile_001"
dev_001 (ips_profile_001) $ set comment "Prevent critical attacks."
dev_001 (ips_profile_001) $ config entries
dev_001 (entries) $ edit 1
dev_001 (1) $ set severity medium high critical
dev_001 (1) $ next
dev_001 (entries) $ edit 2
dev_001 (2) $ set status enable
dev_001 (2) $ set log-packet enable
dev_001 (2) $ next
dev_001 (entries) $ end
dev_001 (ips_profile_001) $ next
dev_001 (sensor) $ end
dev_001 $ config firewall policy
dev_001 (policy) $ edit 101
dev_001 (101) $ set name "Policy_101"
dev_001 (101) $ set uuid a045d39a-584a-51ee-4ca0-ca6a56de0f60
dev_001 (101) $ set action accept
dev_001 (101) $ set srcintf "port2"
dev_001 (101) $ set dstintf "port1"
dev_001 (101) $ set srcaddr "host_001" "host_202"
dev_001 (101) $ set dstaddr "host_003" "grp_001"
dev_001 (101) $ set schedule "always"
dev_001 (101) $ set service "ALL"
dev_001 (101) $ set utm-status enable
dev_001 (101) $ set logtraffic all
dev_001 (101) $ set label "Project #1"
dev_001 (101) $ set global-label "Project #1"
node_check_object fail! for global-label Project #1
value parse error before 'Project #1'
Command fail. Return code -7
dev_001 (101) $ set ips-sensor "ips_profile_001"
dev_001 (101) $ next
dev_001 (policy) $ move 101 after 10
dev_001 (policy) $ end
---> generating verification report <---
done generating verification report
install finished
Conclusion
9.4.19.5.2. Partial install of a deleted firewall policy#
Preparation
- Navigate to the ppkg_001 policy package. Delete firewall policy seq #11 (policyid should be 101).
- The dev_001 managed device still has the static route pointing to 10.0.1.0/24 created earlier.
Trigger partial install
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": 0,
"objects": [
["delete", "pkg/ppkg_001/firewall/policy/101", "", ""]
],
"scope": [
{
"name": "dev_001",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/objects/v2"
}
],
"session": "{{session}}"
}
Note
The action is delete because it's a non-existing (just deleted) firewall policy.
{
"id": 3,
"result": [
{
"data": {
"task": 16
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects/v2"
}
]
}
The task completed successfully.
This is the View Installation Log output:
Starting log (Run on device)
Start installing
dev_001 $ config firewall policy
dev_001 (policy) $ delete 101
dev_001 (policy) $ end
---> generating verification report <---
done generating verification report
install finished
Conclusion
As expected, FortiManager only deleted the selected firewall policy.
FortiManager didn't delete the now unused host_202 firewall address, grp_001 firewall address group and ips_profile_001 IPS profile. They will be removed during a normal Policy Package install.
The pending static route wasn't installed against the dev_001 managed device.
9.4.19.5.3. Partial install of an updated policy#
The selected policy seq #2 (policyid should be 2) is the only one to use the host_201 firewall address.
The host_201 firewall address will be removed from the selected policy (but not deleted from the ADOM DB).
The goal is to observe the partial install behavior: will it delete the unused host_201 firewall address from the managed device?
Preparation
- Navigate to the ppkg_001 policy package. Remove the host_201 firewall address from the Source column of policy seq #2 (policyid should be 2).
- The dev_001 managed device still has the static route pointing to 10.0.1.0/24 created earlier.
Trigger partial install
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": 0,
"objects": [
["update", "pkg/ppkg_001/firewall/policy/2", "", ""]
],
"scope": [
{
"name": "dev_001",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/objects/v2"
}
],
"session": "{{session}}"
}
Note
The action is update because it's an existing but updated firewall policy.
{
"id": 3,
"result": [
{
"data": {
"task": 17
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects/v2"
}
]
}
The task completed successfully.
This is the View Installation Log output:
Starting log (Run on device)
Start installing
dev_001 $ config firewall policy
dev_001 (policy) $ edit 2
dev_001 (2) $ set srcaddr "host_002"
dev_001 (2) $ next
dev_001 (policy) $ end
---> generating verification report <---
done generating verification report
install finished
Conclusion
As expected, FortiManager updated the selected firewall policy by removing the host_201 firewall address.
FortiManager didn't delete the now unused host_201 firewall address. It will be removed during a normal Policy Package install.
The pending static route wasn't installed against the dev_001 managed device.
9.4.19.6. Add support to preview partial install#
The feature has been implemented in FortiManager 7.4.0 (#862628).
9.4.19.6.1. Preview of a partial install of an updated policy#
Preparation
- Clone the ips_profile_001 into ips_profile_004
- Create the grp_004 firewall address group with host_056 and host_057
- Navigate to the ppkg_001 policy package. Edit policy seq #6 (policyid should be 6): add back the host_201 firewall address in the Source column, add the grp_004 firewall address group in the Destination column, and add the ips_profile_004 IPS profile.
- The dev_001 managed device still has the static route pointing to 10.0.1.0/24 created earlier.
Trigger partial install with the preview option
Step #1: Trigger the partial install with the preview option
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": 2,
"objects": [
["update", "pkg/ppkg_001/firewall/policy/6", "", ""]
],
"scope": [
{
"name": "dev_001",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/objects/v2"
}
],
"session": "{{session}}"
}
Note
flags is set to 2, which means preview, because only a preview is required. No other install action will be done.
{
"id": 3,
"result": [
{
"data": {
"task": 20
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects/v2"
}
]
}
Step #2: Once the returned task is completed, get the preview result
{
"id": 4,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"device": "dev_001"
},
"url": "/securityconsole/preview/result"
}
],
"session": "{{session}}"
}
{
"id": 4,
"result": [
{
"data": {
"message": "config firewall addrgrp\n edit \"grp_004\"\n set uuid 919cb4be-5852-51ee-65f5-c09937fa4f54\n set member \"host_056\" \"host_057\"\n set color 24\n next\nend\nconfig ips sensor\n edit \"ips_profile_004\"\n set comment \"Prevent critical attacks.\"\n config entries\n edit 1\n set severity medium high critical\n next\n edit 2\n set status enable\n set log-packet enable\n next\n end\n next\nend\nconfig firewall policy\n edit 6\n set srcaddr \"host_006\" \"host_201\"\n set dstaddr \"host_106\" \"grp_004\"\n set utm-status enable\n set ips-sensor \"ips_profile_004\"\n next\nend\n"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/preview/result"
}
]
}
Conclusion
As expected, FortiManager produced a preview of the requested partial install operation.
The pending static route wasn't part of the preview result.
9.4.20. Firewall Policy Revision#
9.4.20.1. How to get the list of changes made in a firewall policy?#
The following example shows how to obtain the list of changes made on the firewall policy with policyid 14 in the ppkg_001 Policy Package from the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy/14"
}
],
"session": "{{session}}",
"verbose": 1
}
{ "id": 3, "result": [ { "data": [ { "act": 1, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-label-color\": 0, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 1, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"any\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, 
\"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": \"Policy_001\", \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11310, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-offload\": 1, \"policyid\": 14, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"any\" 
], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"64abdc74-cef8-51ee-c4f6-b99de54c6f1a\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "14", "note": "", "oid": 11310, "pkg_oid": 11294, "timestamp": 1708327673, "user": "admin" }, { "act": 3, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-dst-intf\": null, \"_global-label-color\": 0, \"_global-src-intf\": null, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 1, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auth-redirect-addr\": null, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-log-server-grp\": null, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 
16777215, \"cifs-profile\": [ ], \"comments\": null, \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"any\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"global-label\": null, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"label\": null, \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, 
\"match-vip-only\": 0, \"name\": \"Policy_001\", \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11310, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-expiry-date-utc\": null, \"policy-offload\": 1, \"policyid\": 14, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"redirect-url\": null, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"INFO_ADDRESS\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"any\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"64abdc74-cef8-51ee-c4f6-b99de54c6f1a\", \"videofilter-profile\": [ ], 
\"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"vlan-filter\": null, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "14", "note": "", "oid": 11310, "pkg_oid": 11294, "timestamp": 1708327690, "user": "admin" } ], "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy/14" } ] }
Note
For each change, act gives you the nature of the change:
Value | Meaning
---|---
1 | New policy created
2 | Existing policy deleted (Note: not sure you will be able to see this one…)
3 | Existing policy modified
The key attribute is the policyid.
The config attribute is a copy of the firewall policy containing the change.
FortiManager returns an ordered list of changes; the first item is the first change.
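Reading that change history programmatically: the code below decodes each entry's config attribute (a JSON string), maps act to its meaning from the note above, and diffs consecutive revisions so the attributes that actually changed (here service, as in the response above) stand out. This is an added example, not code from the document or from Fortinet; the sample response is constructed and trimmed to a handful of attributes.

```python
import json
from typing import Any, Dict, List, Tuple

# act values and their meaning, as listed in the note above
ACT_MEANING = {1: "created", 2: "deleted", 3: "modified"}


def parse_changes(response: dict) -> List[Dict[str, Any]]:
    """Return the ordered list of changes with the `config` string decoded."""
    res = response["result"][0]
    if res["status"]["code"] != 0:
        raise RuntimeError(f"{res['url']}: {res['status']['message']}")
    changes = []
    for entry in res["data"]:  # FortiManager returns them oldest first
        changes.append({
            "act": ACT_MEANING.get(entry["act"], f"unknown({entry['act']})"),
            "policyid": entry["key"],          # the key attribute is the policyid
            "timestamp": entry["timestamp"],
            "user": entry["user"],
            "config": json.loads(entry["config"]),
        })
    return changes


def diff_configs(old: dict, new: dict) -> Dict[str, Tuple[Any, Any]]:
    """Attributes whose value differs between two revisions: name -> (old, new).

    A key that is absent in one revision and null in the other (such as the
    extra null attributes in the modified revision above) is not a change."""
    keys = set(old) | set(new)
    return {k: (old.get(k), new.get(k)) for k in sorted(keys) if old.get(k) != new.get(k)}


def change_report(response: dict) -> List[Dict[str, Any]]:
    """One entry per revision after the first, listing what changed and by whom."""
    changes = parse_changes(response)
    report = []
    for prev, cur in zip(changes, changes[1:]):
        report.append({"act": cur["act"], "user": cur["user"],
                       "timestamp": cur["timestamp"],
                       "changed": diff_configs(prev["config"], cur["config"])})
    return report


# Constructed sample, trimmed from the response shown above: revision 1 creates
# policyid 14 with service ALL, revision 2 changes the service to INFO_ADDRESS.
SAMPLE_RESPONSE = {
    "id": 3,
    "result": [{
        "data": [
            {"act": 1, "key": "14", "timestamp": 1708327673, "user": "admin", "oid": 11310,
             "config": json.dumps({"policyid": 14, "name": "Policy_001", "service": ["ALL"],
                                   "srcaddr": ["all"], "dstaddr": ["all"], "status": 1})},
            {"act": 3, "key": "14", "timestamp": 1708327690, "user": "admin", "oid": 11310,
             "config": json.dumps({"policyid": 14, "name": "Policy_001",
                                   "service": ["INFO_ADDRESS"], "srcaddr": ["all"],
                                   "dstaddr": ["all"], "status": 1, "comments": None})},
        ],
        "status": {"code": 0, "message": "OK"},
        "url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy/14",
    }],
}

if __name__ == "__main__":
    for rev in change_report(SAMPLE_RESPONSE):
        print(rev["act"], "by", rev["user"], "at", rev["timestamp"], "->", rev["changed"])
```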
9.4.20.2. How to revert a firewall policy from a past change?#
There's no specific revert API endpoint.
It's on you to capture the config attribute of a past change by looking at the list of changes for a firewall policy (see How to get the list of changes made in a firewall policy?) and then to update that same firewall policy.
The following example considers the output from section How to get the list of changes made in a firewall policy?. It will revert the firewall policy with the config saved when it was just created:
{
"id": 4,
"method": "update",
"params": [
{
"data": {
"_byte": 0,
"_first_hit": 0,
"_first_session": 0,
"_global-label-color": 0,
"_global-vpn": [],
"_global-vpn-tgt": 0,
"_hitcount": 0,
"_label-color": 0,
"_last_hit": 0,
"_last_session": 0,
"_pkts": 0,
"_sesscount": 0,
"action": 1,
"anti-replay": 1,
"application-list": [],
"auth-cert": [],
"auth-path": 0,
"auto-asic-offload": 1,
"av-profile": [],
"block-notification": 0,
"captive-portal-exempt": 0,
"capture-packet": 0,
"casb-profile": [],
"cgn-eif": 0,
"cgn-eim": 0,
"cgn-resource-quota": 16,
"cgn-session-quota": 16777215,
"cifs-profile": [],
"custom-log-fields": [],
"decrypted-traffic-mirror": [],
"delay-tcp-npu-session": 0,
"diameter-filter-profile": [],
"diffserv-copy": 0,
"diffserv-forward": 0,
"diffserv-reverse": 0,
"diffservcode-forward": "000000",
"diffservcode-rev": "000000",
"disclaimer": 0,
"dlp-profile": [],
"dnsfilter-profile": [],
"dsri": 0,
"dstaddr": [
"all"
],
"dstaddr-negate": 0,
"dstaddr6": [],
"dstaddr6-negate": 0,
"dstintf": [
"any"
],
"dynamic-shaping": 0,
"email-collect": 0,
"emailfilter-profile": [],
"fec": 0,
"file-filter-profile": [],
"firewall-session-dirty": 0,
"fixedport": 0,
"fsso-agent-for-ntlm": [],
"fsso-groups": [],
"geoip-anycast": 0,
"geoip-match": 0,
"groups": [],
"gtp-profile": [],
"http-policy-redirect": 0,
"icap-profile": [],
"identity-based-route": [],
"inbound": 0,
"inspection-mode": 1,
"internet-service": 0,
"internet-service-custom": [],
"internet-service-custom-group": [],
"internet-service-group": [],
"internet-service-name": [],
"internet-service-negate": 0,
"internet-service-src": 0,
"internet-service-src-custom": [],
"internet-service-src-custom-group": [],
"internet-service-src-group": [],
"internet-service-src-name": [],
"internet-service-src-negate": 0,
"internet-service6": 0,
"internet-service6-custom": [],
"internet-service6-custom-group": [],
"internet-service6-group": [],
"internet-service6-name": [],
"internet-service6-negate": 0,
"internet-service6-src": 0,
"internet-service6-src-custom": [],
"internet-service6-src-custom-group": [],
"internet-service6-src-group": [],
"internet-service6-src-name": [],
"internet-service6-src-negate": 0,
"ip-version-type": "ipv4",
"ippool": 0,
"ips-sensor": [],
"ips-voip-filter": [],
"logtraffic": 2,
"logtraffic-start": 0,
"match-vip": 1,
"match-vip-only": 0,
"name": "Policy_001",
"nat": 0,
"nat46": 0,
"nat64": 0,
"natinbound": 0,
"natip": [
"0.0.0.0",
"0.0.0.0"
],
"natoutbound": 0,
"network-service-dynamic": [],
"network-service-src-dynamic": [],
"np-acceleration": 1,
"ntlm": 0,
"ntlm-enabled-browsers": [],
"ntlm-guest": 0,
"outbound": 1,
"passive-wan-health-measurement": 0,
"pcp-inbound": 0,
"pcp-outbound": 0,
"pcp-poolname": [],
"per-ip-shaper": [],
"permit-any-host": 0,
"permit-stun-host": 0,
"pfcp-profile": [],
"policy-behaviour-type": "standard",
"policy-expiry": 0,
"policy-expiry-date": "0000-00-00 00:00:00",
"policy-offload": 1,
"policyid": 14,
"poolname": [],
"poolname6": [],
"profile-group": [],
"profile-protocol-options": [
"default"
],
"profile-type": 0,
"radius-mac-auth-bypass": 0,
"replacemsg-override-group": [],
"reputation-direction": 2,
"reputation-direction6": 42,
"reputation-minimum": 0,
"reputation-minimum6": 0,
"rtp-addr": [],
"rtp-nat": 0,
"schedule": [
"always"
],
"schedule-timeout": 0,
"sctp-filter-profile": [],
"send-deny-packet": 0,
"service": [
"ALL"
],
"service-negate": 0,
"session-ttl": "0",
"sgt": [],
"sgt-check": 0,
"src-vendor-mac": [],
"srcaddr": [
"all"
],
"srcaddr-negate": 0,
"srcaddr6": [],
"srcaddr6-negate": 0,
"srcintf": [
"any"
],
"ssh-filter-profile": [],
"ssh-policy-redirect": 0,
"ssl-ssh-profile": [
"no-inspection"
],
"status": 1,
"tcp-mss-receiver": 0,
"tcp-mss-sender": 0,
"tcp-session-without-syn": 2,
"tcp-timeout-pid": [],
"timeout-send-rst": 0,
"tos": "0x00",
"tos-mask": "0x00",
"tos-negate": 0,
"traffic-shaper": [],
"traffic-shaper-reverse": [],
"udp-timeout-pid": [],
"users": [],
"utm-status": 0,
"uuid": "64abdc74-cef8-51ee-c4f6-b99de54c6f1a",
"videofilter-profile": [],
"virtual-patch-profile": [],
"vlan-cos-fwd": 255,
"vlan-cos-rev": 255,
"voip-profile": [],
"vpn_dst_node": null,
"vpn_src_node": null,
"vpntunnel": [],
"waf-profile": [],
"wanopt": 0,
"wanopt-detection": 1,
"wanopt-passive-opt": 0,
"wanopt-peer": [],
"wanopt-profile": [],
"wccp": 0,
"webcache": 0,
"webcache-https": 0,
"webfilter-profile": [],
"webproxy-forward-server": [],
"webproxy-profile": [],
"ztna-device-ownership": 0,
"ztna-ems-tag": [],
"ztna-ems-tag-secondary": [],
"ztna-geo-tag": [],
"ztna-policy-redirect": 0,
"ztna-status": 0,
"ztna-tags-match-logic": 0
},
"revision note": "Revert from create time",
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}"
}
Note
Don't use the oid attribute or you will probably get an error like:
{
"id": 4,
"result": [
{
"status": {
"code": -10,
"message": "The data is invalid for selected url"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
As a best practice, think about adding a revision note.
{
"id": 4,
"result": [
{
"data": {
"policyid": 14
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
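The revert above, as an added Python example that is not part of the original page: it compares a saved snapshot of the policy with its current state, builds the "update" request from the snapshot while dropping the oid attribute the Note warns about, attaches a revision note, and checks the response status. The snapshot and current policy are constructed, trimmed-down dicts, and the HTTP transport is left to the caller.

```python
"""Revert a firewall policy to a saved snapshot via the FortiManager JSON-RPC API.

Added example, not code from the original page. The snapshot below is a
constructed, trimmed-down policy; sending the request is left to the caller.
"""
import copy
import json

# Attributes the page's Note says must not be sent back on update. Only "oid"
# is documented there; extend this set only if your own FMG rejects others.
READ_ONLY_ATTRS = {"oid"}

# Constructed snapshot: what a "get" of the policy returned right after creation.
SNAPSHOT = {
    "oid": 1234,                # returned by get, must NOT be sent on update
    "policyid": 14,
    "name": "Policy_001",
    "action": 1,
    "srcaddr": ["all"],
    "dstaddr": ["all"],
    "service": ["ALL"],
    "schedule": ["always"],
    "logtraffic": 2,
    "nat": 0,
}

# Constructed current state: someone later narrowed the service and enabled NAT.
CURRENT = dict(SNAPSHOT, service=["HTTP", "HTTPS"], nat=1)


def diff_policy(snapshot, current):
    """Return {attr: (old, new)} for every attribute whose value differs."""
    keys = set(snapshot) | set(current)
    return {k: (snapshot.get(k), current.get(k))
            for k in sorted(keys) if snapshot.get(k) != current.get(k)}


def build_revert_request(snapshot, adom, pkg, revision_note, req_id=4):
    """Build the "update" request that restores the snapshot.

    The policy is addressed by "policyid" inside the data body, so "oid" is
    removed (sending it yields code -10, "The data is invalid for selected url").
    """
    data = {k: copy.deepcopy(v) for k, v in snapshot.items()
            if k not in READ_ONLY_ATTRS}
    if "policyid" not in data:
        raise ValueError("snapshot has no policyid; cannot address the policy")
    return {
        "id": req_id,
        "method": "update",
        "params": [{
            "data": data,
            "revision note": revision_note,
            "url": f"/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy",
        }],
        "session": "{{session}}",
    }


def check_response(response):
    """Return the policyid confirmed by FMG, or raise on a non-zero status code."""
    result = response["result"][0]
    status = result["status"]
    if status["code"] != 0:
        raise RuntimeError(f"{status['code']}: {status['message']} ({result['url']})")
    return result["data"]["policyid"]


if __name__ == "__main__":
    for attr, (old, new) in diff_policy(SNAPSHOT, CURRENT).items():
        print(f"{attr}: {old!r} -> {new!r}")
    req = build_revert_request(SNAPSHOT, "demo", "ppkg_001", "Revert from create time")
    print(json.dumps(req, indent=1))
```

Keeping the diff step separate from the update step lets an operator review what the revert will undo before it is sent, and the revision note makes that revert visible in the package's revision history afterwards.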
9.5. Global Policies & objects#
9.5.1. How to create a global policy package?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"name": "g_pp_003",
"type": "pkg"
},
"url": "/pm/pkg/global"
}
],
"session": "YS8S4z10DL1D1lWXA2RrS5H48Pl8gJWtWZ9jm8SsMOHBriZ92czufaVtR7pFjCmKYQT3B652Wgie5nlUbLEobQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global"
}
]
}
9.5.2. How to add ADOMs as Global Policy Package targets?#
The following example shows how to add the demo_001 and demo_002 ADOMs as targets of the g_ppkg_001 Global Policy Package:
{
"id": 1,
"method": "add",
"params": [
{
"data": [
{
"name": "demo_001"
},
{
"name": "demo_002"
}
],
"url": "/pm/pkg/global/g_ppkg_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global/g_ppkg_001/scope member"
}
]
}
Note
The existing list of target ADOMs won't be overwritten.
If the demo_003 ADOM was already a target before this add operation, then the definitive list of targets will be the demo_001, demo_002 and demo_003 ADOMs.
9.5.3. How to get ADOMs from the Global Policy Package targets?#
The following example shows how to get the ADOM targets of the g_ppkg_001 Global Policy Package:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/pkg/global/g_ppkg_001"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"name": "g_ppkg_001",
"obj ver": 0,
"oid": 5623,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"scope member": [
{
"name": "demo_001"
},
{
"name": "demo_002"
},
{
"name": "demo_003"
}
],
"type": "pkg"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global/g_ppkg_001"
}
]
}
9.5.4. How to delete ADOMs from the Global Policy Package targets?#
The following example shows how to delete the demo_001 and demo_002 ADOM targets of the g_ppkg_001 Global Policy Package:
{
"id": 3,
"method": "delete",
"params": [
{
"data": [
{
"name": "demo_001"
},
{
"name": "demo_002"
}
],
"url": "/pm/pkg/global/g_ppkg_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global/g_ppkg_001/scope member"
}
]
}
Note
The existing list of target ADOMs won't be overwritten.
If the demo_001, demo_002 and demo_003 ADOMs were targets before this delete operation, then the definitive list of targets will be the demo_001 ADOM.
9.5.5. How to trigger an assign Global Policy Package?#
The following example shows how to trigger an assign operation of the g_ppkg_001 Global Policy Package against the demo_001 and demo_002 ADOMs:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"flags": [
"none"
],
"pkg": "g_ppkg_001",
"target": [
{
"adom": "demo_001"
},
{
"adom": "demo_002"
}
]
},
"url": "/securityconsole/assign/package"
}
],
"session": "{{session}}"
}
Note
none is the default flag: it copies the global policies and only the objects they use. Use the cp_all_objs flag if you want to copy the policies and all objects, even the unused ones.
Tip
Should you want to trigger an assign followed by an install, just add the copy_assigned_pkg flag, for instance:
"flags": ["cp_all_objs", "copy_assigned_pkg"],
will copy the policies and all objects to the target ADOMs, and will also trigger a policy package install.
{
"id": 3,
"result": [
{
"data": {
"task": 201
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/assign/package"
}
]
}
Note
As usual, when a task is returned, you have to monitor it by getting task/task/<task_id>
9.5.6. How to trigger an assign global policy package with exclusion?#
Consider that the demo ADOM has three Policy Packages, ppkg_001 to ppkg_003.
The following example shows how to trigger an assign operation of the g_ppkg_001 Global Policy Package against the demo ADOM, but only for its ppkg_001 Policy Package:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"flags": [
"none"
],
"pkg": "g_ppkg_001",
"target": [
{
"adom": "demo",
"excluded": "enable",
"pkg": [
"ppkg_002",
"ppkg_003"
]
}
]
},
"url": "/securityconsole/assign/package"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"task": 13
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/assign/package"
}
]
}
9.5.7. How to trigger an unassign Global Policy Package?#
The following example shows how to trigger an unassign operation for the g_ppkg_001 Global Policy Package and the demo ADOM, one of its current targets:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"flags": [
"unassign"
],
"pkg": "g_ppkg_001",
"target": [
{
"adom": "demo"
}
]
},
"url": "/securityconsole/assign/package"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"task": 14
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/assign/package"
}
]
}
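The assign, assign-with-exclusion and unassign calls of sections 9.5.5 to 9.5.7, together with the task monitoring the Note in 9.5.5 recommends, as one added Python example that is not code from the original page. It builds the /securityconsole/assign/package requests, validates the flags against the ones the page documents, and polls task/task/<task_id> through an injected transport so the example runs offline against the fake endpoint below. The "percent" field of the task record is an assumption (the page does not show the task response); adapt the completion check to what your FMG returns.

```python
"""Assign / unassign a Global Policy Package and wait for the resulting task.

Added example, not code from the original page. The transport is a callable
call(request_dict) -> response_dict; FakeFMG below is a constructed stand-in.
"""
import itertools

# Flags documented on the page; anything else is rejected before it is sent.
VALID_FLAGS = {"none", "cp_all_objs", "copy_assigned_pkg", "unassign"}

_ids = itertools.count(1)   # JSON-RPC request ids


def build_assign_request(pkg, targets, flags=("none",)):
    """targets: list of {"adom": name} or
    {"adom": name, "exclude_pkgs": [...]} (assign to all packages but those)."""
    bad = set(flags) - VALID_FLAGS
    if bad:
        raise ValueError(f"unknown flags: {sorted(bad)}")
    target_list = []
    for t in targets:
        entry = {"adom": t["adom"]}
        if t.get("exclude_pkgs"):
            # Section 9.5.6: list the packages NOT to assign to, with excluded=enable
            entry["excluded"] = "enable"
            entry["pkg"] = list(t["exclude_pkgs"])
        target_list.append(entry)
    return {
        "id": next(_ids),
        "method": "exec",
        "params": [{
            "data": {"flags": list(flags), "pkg": pkg, "target": target_list},
            "url": "/securityconsole/assign/package",
        }],
        "session": "{{session}}",
    }


def build_unassign_request(pkg, adoms):
    """Section 9.5.7: same endpoint, "unassign" flag, plain ADOM targets."""
    return build_assign_request(pkg, [{"adom": a} for a in adoms], flags=("unassign",))


def run_and_wait(call, request, max_polls=50):
    """Send the request, then poll task/task/<id> until the task reports 100%.

    Returns the final task record; raises on a non-zero status or on timeout."""
    resp = call(request)
    result = resp["result"][0]
    if result["status"]["code"] != 0:
        raise RuntimeError(result["status"]["message"])
    task_id = result["data"]["task"]
    for _ in range(max_polls):
        task = call({"id": next(_ids), "method": "get",
                     "params": [{"url": f"/task/task/{task_id}"}],
                     "session": "{{session}}"})
        record = task["result"][0]["data"]
        if record.get("percent") == 100:   # assumed field name, see lead-in
            return record
    raise TimeoutError(f"task {task_id} did not finish after {max_polls} polls")


class FakeFMG:
    """Constructed stand-in for the endpoint: returns task 201 for exec, then
    reports the task at 50% and 100% on successive gets."""
    def __init__(self):
        self.requests = []
        self.polls = 0

    def __call__(self, req):
        self.requests.append(req)
        url = req["params"][0]["url"]
        if req["method"] == "exec":
            return {"id": req["id"], "result": [{"data": {"task": 201},
                    "status": {"code": 0, "message": "OK"}, "url": url}]}
        self.polls += 1
        pct = 50 if self.polls == 1 else 100
        return {"id": req["id"], "result": [{"data": {"id": 201, "percent": pct},
                "status": {"code": 0, "message": "OK"}, "url": url}]}


if __name__ == "__main__":
    fmg = FakeFMG()
    req = build_assign_request("g_ppkg_001",
                               [{"adom": "demo", "exclude_pkgs": ["ppkg_002", "ppkg_003"]}],
                               flags=("cp_all_objs", "copy_assigned_pkg"))
    print(run_and_wait(fmg, req))
```

Validating the flag set client-side catches the kind of typo shown in the Tip ("cp_all_obs") before the call reaches the device, and keeping the exclusion list explicit in the target entry makes it easy to log exactly which packages an assign with copy_assigned_pkg will install to.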
9.6. How to get ADOM options?#
We don't know yet what this one does.
We discovered it while debugging an FMG 7.0.1-INTERIM build 0080:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/_adom/options"
}
],
"session": "TSigtab+3M9+fLF6QNdSxvkXUPShX97W5/VhKV4R1xb95WKYP8dfG/sEr8wsYfoiHUXqxZEWjnXwMalYShTFMg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"pkg list": []
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/_adom/options"
}
]
}
9.7. Central DNAT#
9.7.1. How to get central dnat policies?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
],
"session": "dDKFLWDRqlQs6gSZwkUB2EPNYVyDL7JZYJ2OcfZgLFwGvtQwjvsx6XlQGuX6lQTdg2v2Jyysu+3avjaPfzw19w==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"name": [
"tc_004_vip_001"
],
"obj seq": 1
},
{
"name": [
"tc_004_vip_002"
],
"obj seq": 2
},
{
"name": [
"tc_004_vip_003"
],
"obj seq": 3
},
{
"name": [
"tc_004_vip_008"
],
"obj seq": 4
},
{
"name": [
"tc_004_vip_004"
],
"obj seq": 5
},
{
"name": [
"tc_004_vip_005"
],
"obj seq": 6
},
{
"name": [
"tc_004_vip_006"
],
"obj seq": 7
},
{
"name": [
"tc_004_vip_007"
],
"obj seq": 8
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
]
}
9.7.2. How to add central dnat policies?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "set",
"params": [
{
"data": [
{
"name": [
"tc_004_vip_009"
]
},
{
"name": [
"tc_004_vip_010"
]
}
],
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
],
"session": "dDKFLWDRqlQs6gSZwkUB2EPNYVyDL7JZYJ2OcfZgLFwGvtQwjvsx6XlQGuX6lQTdg2v2Jyysu+3avjaPfzw19w==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
]
}
9.8. How to Import Policy in a policy package?#
It's a three-step process:
1. Perform the dynamic interfaces mapping
REQUEST:
{
"id": ANY-NUMBER,
"method": "exec",
"params": [
{
"data": {
"adom": "ADOM-NAME",
"dst_name": "PACKAGE-NAME",
"if_all_policy": "enable",
"import_action": "policy_search",
"name": "DEVICE-NAME",
"vdom": "root",
"if_all_objs": "none",
"add_mappings": "enable"
},
"url": "/securityconsole/import/dev/objs"
}
],
"session": "SESSION-ID"
}
Note
Please note the import_action set to policy_search, and the add_mappings set to enable.
2. Perform the dynamic objects mapping
REQUEST:
{
"id": 16,
"method": "exec",
"params": [
{
"data": {
"adom": "ADOM-NAME",
"dst_name": "PACKAGE-NAME",
"if_all_policy": "enable",
"import_action": "obj_search",
"name": "DEVICE-NAME",
"vdom": "root",
"if_all_objs": "none",
"add_mappings": "enable"
},
"url": "/securityconsole/import/dev/objs"
}
],
"session": "SESSION-ID"
}
This time import_action was set to obj_search.
3. Import the policies and their dependent dynamic interfaces and objects
REQUEST:
{
"id": ANY-NUMBER,
"method": "exec",
"params": [
{
"data": {
"adom": "ADOM-NAME",
"dst_name": "PACKAGE-NAME",
"if_all_policy": "enable",
"import_action": "do",
"name": "DEVICE-NAME",
"vdom": "root",
"if_all_objs": "filter"
},
"url": "/securityconsole/import/dev/objs"
}
],
"session": "SESSION-ID"
}
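The three-step import above, as an added Python example that is not code from the original page: one builder produces the /securityconsole/import/dev/objs request for each import_action with the per-step differences (if_all_objs and add_mappings) encoded in one place, and a driver runs the steps in order, stopping at the first non-zero status. The transport is injected as a callable; the fake endpoint below is constructed, and since the page does not show the responses of these calls, a plain OK status is assumed.

```python
"""Import a device's policies into a policy package in the three documented steps.

Added example, not code from the original page. call(request_dict) -> response_dict
is the transport; FakeImportEndpoint is a constructed stand-in for FMG.
"""
import itertools

IMPORT_URL = "/securityconsole/import/dev/objs"
STEPS = ("policy_search", "obj_search", "do")   # the documented order

_ids = itertools.count(1)


def import_step(action, adom, pkg, device, vdom="root"):
    """Build one import request.

    Steps 1 and 2 (policy_search, obj_search) only add dynamic mappings and
    import no objects (if_all_objs=none, add_mappings=enable); step 3 (do)
    imports the policies with their dependent objects (if_all_objs=filter).
    """
    data = {
        "adom": adom,
        "dst_name": pkg,
        "if_all_policy": "enable",
        "import_action": action,
        "name": device,
        "vdom": vdom,
    }
    if action in ("policy_search", "obj_search"):
        data["if_all_objs"] = "none"
        data["add_mappings"] = "enable"
    elif action == "do":
        data["if_all_objs"] = "filter"
    else:
        raise ValueError(f"unknown import_action {action!r}")
    return {"id": next(_ids), "method": "exec",
            "params": [{"data": data, "url": IMPORT_URL}],
            "session": "{{session}}"}


def import_policies(call, adom, pkg, device, vdom="root"):
    """Run the three steps in order; return the completed actions.

    Raises at the first non-zero status so a failed mapping step never
    proceeds to the "do" step that would import with incomplete mappings."""
    done = []
    for action in STEPS:
        resp = call(import_step(action, adom, pkg, device, vdom))
        result = resp["result"][0]
        if result["status"]["code"] != 0:
            raise RuntimeError(f"{action} failed: {result['status']['message']}")
        done.append(action)
    return done


class FakeImportEndpoint:
    """Constructed stand-in: records the import_action of each request and
    answers OK, or fails the action named in fail_on."""
    def __init__(self, fail_on=None):
        self.seen = []
        self.fail_on = fail_on

    def __call__(self, req):
        action = req["params"][0]["data"]["import_action"]
        self.seen.append(action)
        code, msg = (0, "OK")
        if action == self.fail_on:
            code, msg = (-1, "constructed failure")
        return {"id": req["id"],
                "result": [{"status": {"code": code, "message": msg}, "url": IMPORT_URL}]}


if __name__ == "__main__":
    print(import_policies(FakeImportEndpoint(), "ADOM-NAME", "PACKAGE-NAME", "DEVICE-NAME"))
```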