9. Policy Package Management#
9.1. Folders#
9.1.1. How to create a folder hierarchy#
REQUEST:
{
"id": 1,
"method": "set",
"params": [
{
"data": [
{
"name": "folder_001",
"subobj": [
{
"name": "folder_002",
"subobj": [
{
"name": "folder_003",
"subobj": [
{
"name": "folder_004",
"type": "folder"
}
],
"type": "folder"
}
],
"type": "folder"
}
],
"type": "folder"
}
],
"url": "pm/pkg/adom/demo_001"
}
],
"session": 46811
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/pkg/adom/demo_001"
}
],
"session": 46811
}
9.1.2. How to move a folder?#
REQUEST:
{
"id": 1,
"method": "exec",
"params": [
{
"url": "/securityconsole/package/move",
"data": {
"adom": "demo_001",
"pkg": "italy",
"dst_parent": "world/emea",
"dst_name": "italy"
}
}
],
"session": 11111,
}
9.1.3. How to delete a folder?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "delete",
"params": [
{
"url": "/pm/pkg/adom/demo/foobar"
}
],
"session": "NlLwCb+SB5wikMi1MPdTOnRtWOg6gM9z36yMMttHuWPZKoWW4Ia7/B/pGUjZMr4uZGqrw7J9aBImePfl9eZhbw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo/foobar"
}
]
}
9.2. Policy Packages#
9.2.1. How to create a policy package?#
We create policy package pp.003 in adom DEMO:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"name": "pp.003",
"package settings": {
"central-nat": "disable",
"consolidated-firewall-mode": "disable",
"fwpolicy-implicit-log": "disable",
"fwpolicy6-implicit-log": "disable",
"ngfw-mode": "profile-based"
},
"type": "pkg"
},
"url": "/pm/pkg/adom/DEMO"
}
],
"session": "4VUbMWg40/hOwzHt5/BRKRIbaAd0MBkTwprdFs4iG+w8QPSwyoa/MVrwHtVV7oQ463ifbp1I30eZ9FSluYtJuQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/DEMO"
}
]
}
Starting with FMG 7.0.1 (#708471), the response will also contain the pkg oid.
9.2.2. How to get the list of Policy Package?#
Following example shows how to get the list of Policy Packages in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/pkg/adom/demo"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": [
{
"name": "default",
"obj ver": 13,
"oid": 4971,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"type": "pkg"
},
{
"name": "fgt-742-001",
"obj ver": 5,
"oid": 6584,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"type": "pkg"
},
{
"name": "ppkg_001",
"obj ver": 6,
"oid": 10850,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"scope member": [
{
"name": "dc_emea_dev_001",
"vdom": "root"
},
{
"name": "dc_emea_dev_002",
"vdom": "root"
},
{
"name": "dc_emea_dev_003",
"vdom": "root"
}
],
"type": "pkg"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo"
}
]
}
Note
You can observe that when the Policy Package is assigned to managed devices, then FortiManager returns the
scope memberattribute
9.2.3. How to get a single Policy Package?#
Following example returns the details of the ppkg_001 Policy Package from
the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/pkg/adom/demo/ppkg_001"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"name": "ppkg_001",
"obj ver": 6,
"oid": 10850,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"scope member": [
{
"name": "dc_emea_dev_001",
"vdom": "root"
},
{
"name": "dc_emea_dev_002",
"vdom": "root"
},
{
"name": "dc_emea_dev_003",
"vdom": "root"
}
],
"type": "pkg"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo/ppkg_001"
}
]
}
Note
By default, FortiManager returns the Installation Targets of the Policy Package via the
scope memberattribute
9.2.4. How to get the Installation Targets of a Policy Package?#
See How to get the list of Policy Package? or How to get a single Policy Package?
9.2.5. How to assign a device to a Policy Package?#
We want to assign device hub1 to policy package hubs.pp in ADOM
DEMO_007.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"name": "hub1",
"vdom": "root"
},
"url": "/pm/pkg/adom/DEMO_007/hubs.pp/scope member"
}
],
"session": "RNBTLp49bHV+yvRAw1FRGkvjURd7V13+GtS8Vk8KQ/VFZ4gPrIfGd4f09nrKk6ppw9QCUj1C1CbZz4d7/e7GmA==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/DEMO_007/hubs.pp/scope member"
}
]
}
9.2.6. Policy Package Installation#
9.2.6.1. How to install a Policy Package?#
To install the branches Policy Package from ADOM demo:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"adom_rev_comments": "Changes from SR #01233",
"adom_rev_name": "ADOM Revision #01233",
"dev_rev_comments": "sr_01233",
"flags": [
"none"
],
"pkg": "branches"
},
"url": "/securityconsole/install/package"
}
],
"session": "{{session}}"
}
Note
There’s not
scopeattribute; it means that the Policy Package will be install against all the assigned Installation Targetsadom_rev_commentswill be used as a comment for the created ADOM Revisionadom_rev_namewill be used as the name for the created ADOM Revisiondev_rev_commentswill be used as the comment for the created Device Revision (see section Device revisions)
{
"id": 3,
"result": [
{
"data": {
"task": 3468
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.2. How to install a Policy Package against a device?#
It is required to add the scope attribute:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "DEMO",
"flags": [
"none"
],
"pkg": "pp.branches",
"scope": [
{
"name": "branch2_fgt",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "3xJ+a4TrhW5fSFSy3AQixRxRnINFsQhvOMXiSMVC1ryEMVZQ/enwiTasPzY9X1e64KT/UoTdl8lfory4wXub4A==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 536
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
Note
The
scopeattribute is a list, hence it could contains multiple devices or device groups.The devices/device groups listed in the
scopeshould belong to the list of assigned installation targets for this Policy Package.- The membership could be indirect or direct:
Direct membership means the device listed in the
scopeattribute is also in the installation targets list of the Policy Package.Indirect membership means the device listed in the
scopeattribute is a member of a device group or of a nested device group of a device group present in the installation targets list of the policy package .For instance, if the installation targets list of the Policy Package is having device group
branches, then you can use devicebranch_001in thescopeattribute if it belongs to this device group or one of its nested device groups.
9.2.6.3. How to install a Policy Package against a Device Group?#
We have Policy Package pp_france in foldler france which is in turn in
folder emea.
Policy Package pp_france is having device group france and device
test-001 as installation targets.
Goal is to install Policy Package pp_france against device group france
only.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"flags": [
"none"
],
"pkg": "emea/france/pp_france",
"scope": [
{
"name": "france"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "Of286Bft82otZnCz6da2+FEskUyY6q4Opnyd1/nkpAoEMem7osWNVkU0XEGC24lIobP43qxJsmmnqUVGd88Cqw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 148
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
#02764941 is stating that when the scope is just having a name attribute, it is considered a device group.
If device group france is in a device group emea, we can just use the full path in the name attribute:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"flags": [
"none"
],
"pkg": "emea/france/pp_france",
"scope": [
{
"name": "emea/france"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "Of286Bft82otZnCz6da2+FEskUyY6q4Opnyd1/nkpAoEMem7osWNVkU0XEGC24lIobP43qxJsmmnqUVGd88Cqw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 148
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.4. How to install a policy package located in a folder?#
To install policy package pp_corporate placed in folder /duts/emea,
from ADOM adom_dut:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "adom_dut",
"flags": [
"none"
],
"pkg": "duts/emea/pp_corporate",
"scope": [
{
"name": "fgt_dut1",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "za3jFQLMS8vEoQzyoby34nnzKHz6kF7Di1DDyLEID0P2wj09hzdofc09CDocYgZCQ7wT1nlEtzRxAtykowfuEw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 1273
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.5. How to install a policy package against a device’s device db only?#
Why would we need this?
It could be because we prefer to review definitive configuration offline, i.e. from fortimanager database.
To achieve this, we can use the copy_only flag.
It will take pending changes from ADOM DB and will copy them in the target’s
device db.
In below example we trigger the copy operation against managed device
branch12 considering the pending security changes from policy package
pp_branches in ADOM demo:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "exec",
"params": [
{
"data": {
"adom": "DB",
"flags": [
"copy_only"
],
"pkg": "pp.003",
"scope": [
{
"name": "branch12",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "o9m+9/oQ101vfDhLYU3WkKa1YJR6p3nA0NFVmuBKw3JxgFYtD7Y3FekxTuMNZ1TgG8gslO6g/gzZtvVIKPZQnmtQETm7OABp",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 133
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
9.2.6.6. How to install a policy package against an offline device?#
This is for when the ADOM is configured with Auto-Push Policy Packages When Device Back Online enabled:
It’s a three steps process:
First we need to trigger a copy operation
REQUEST:
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "knock_39363", "adom_rev_name": "dut_fgt_34_235_2022-4-6-20-2-51", "flags": [ "generate_rev", "preview" ], "pkg": "dut_fgt_34_235", "scope": [ { "name": "dut_fgt_34_235", "vdom": "root" } ] }, "url": "/securityconsole/install/package" } ], "session": "2D7yrlIbNRf/1kt9B+ame4T2G/RFfW2DGboxzrV6xa50olO2utVGM0c7fQtkblrBtt57m8l3x3651mH2hiQ2eg==" }
RESPONSE:
{ "id": 3, "result": [ { "data": { "task": 148 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/package" } ] }
Note
Of course, we need to monitor the returned task’s progress
Then we commit!
REQUEST:
{ "id": 4, "method": "exec", "params": [ { "data": { "adom": "knock_39363", "scope": [ { "name": "dut_fgt_34_235", "vdom": "root" } ] }, "url": "/securityconsole/package/commit" } ], "session": "2D7yrlIbNRf/1kt9B+ame4T2G/RFfW2DGboxzrV6xa50olO2utVGM0c7fQtkblrBtt57m8l3x3651mH2hiQ2eg==" }
RESPONSE:
{ "id": 4, "result": [ { "data": { "task": 149 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/package/commit" } ] }
Then we can cancel the install
REQUEST:
{ "id": 5, "method": "exec", "params": [ { "data": { "adom": "knock_39363" }, "url": "/securityconsole/package/cancel/install" } ], "session": "2D7yrlIbNRf/1kt9B+ame4T2G/RFfW2DGboxzrV6xa50olO2utVGM0c7fQtkblrBtt57m8l3x3651mH2hiQ2eg==" }
RESPONSE:
{ "id": 5, "result": [ { "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/package/cancel/install" } ] }
9.2.6.7. How to install multiple policy packages against multiple devices?#
Using a single API call, it is possible to install multiple policy packages to
different devices by using the reinstall operation.
Below example is installing policy package ppkg_hubs and ppkg_branches
against devices fgt_00_1 and fgt_01_1 respectively (in ADOM demo):
REQUEST:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": [
"generate_rev"
],
"target": [
{
"pkg": "ppkg_hubs",
"scope": {
"name": "fgt_00_1",
"vdom": "root"
}
},
{
"pkg": "ppkg_branches",
"scope": {
"name": "fgt_01_1",
"vdom": "root"
}
}
]
},
"url": "/securityconsole/reinstall/package"
}
],
"session": "is4k5yJ0zojKcdpHdovj/jc74ROm39WD/lN4VuxRFDGrlCJev4O8M/R2mdbj9dXoiEu30PO2FzRCc7vFL1dEDQ=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"task": 595
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/reinstall/package"
}
]
}
If you look at the generated task, you will see that FMG will proceed with a
sequential install. Considering the above example, it will first install policy
package ppkg_hubs against device "fgt_00_1" and then will install
policy package ppkg_branches against device fgt_01_1.
9.2.6.8. How to reinstall a policy package against a device group?#
As usual, when you consider a Device Group, you still have to use the scope
but this time only with the name attribute (i.e. vdom attribute should be omitted)
The following example shows how to reinstall the ppkg_001 Policy Package from the demo``ADOM agains the ``grp_001 Device Group:
{
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": [
"none"
],
"extflags": 0,
"target": [
{
"pkg": "ppkg_001",
"scope": [
{
"name": "grp_001"
}
]
}
]
},
"url": "/securityconsole/reinstall/package"
}
],
"session": "{{session}}",
}
{
"result": [
{
"data": {
"task": 4140
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/reinstall/package"
}
]
}
In this case, FortiManager will proceed with a parallel policy package installation for all the device group’s members.
However, should you have two or more target elements in the above API request, then like for the How to install multiple policy packages against multiple devices? case seen in the previous section, FortiManager will go with a sequential installation for them.
9.2.6.9. How to reinstall multiple policy packages against multiple devices in parallel?#
In that case, we have to replicate the Re-install Policy mechanism from GUI.
It’s a three steps process:
Trigger the reinstall in preview mode:
This time we use the same API request as in How to install
multiple policy packages against multiple devices? but we use the preview
flag:
REQUEST:
{
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"flags": [
"preview"
],
"extflags": 0,
"target": [
{
"pkg": "ppkg_dut_fgt_1",
"scope": [
{
"name": "dut_fgt_1",
"vdom": "root"
}
]
},
{
"pkg": "ppkg_dut_fgt_2",
"scope": [
{
"name": "dut_fgt_2",
"vdom": "root"
}
]
}
]
},
"url": "/securityconsole/reinstall/package"
}
],
"session": "{{session_id}}",
"verbose": 1
}
RESPONSE:
{
"result": [
{
"data": {
"task": 4149
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/reinstall/package"
}
]
}
Commit the changes against the concerned devices
REQUEST:
{
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"scope": [
{
"name": "dut_fgt_1",
"vdom": "root"
},
{
"name": "dut_fgt_2",
"vdom": "root"
}
]
},
"url": "/securityconsole/package/commit"
}
],
"session": "{{session_id}}",
"verbose": 1
}
RESPONSE:
{
"result": [
{
"data": {
"task": 4150
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/commit"
}
]
}
Cancel the install operation
REQUEST:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}"
},
"url": "/securityconsole/package/cancel/install"
}
],
"session": "{{session_id}}"
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/cancel/install"
}
]
}
9.2.6.10. How to schedule a policy package install?#
The following example demonstrates how to schedule a policy package installation
for he ppkg_001 policy package in the demo``ADOM. The policy package
will be installed on the ``dev_001 and dev_002 managed devices.
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"adom_rev_name": "scheduled_install_ppkg_001",
"datetime": "2022-10-27 23:24",
"scope": [
{
"name": "dev_001",
"vdom": "root"
},
{
"name": "dev_002",
"vdom": "root"
}
]
},
"url": "/pm/pkg/adom/demo/ppkg_001/schedule"
}
],
"session": "{{session}}"
}
Note
The datetime attribute specifies the date and time when the policy
package install will be triggered.
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo/ppkg_001/schedule"
}
]
}
9.2.6.11. How to batch install Policy Packages?#
Caught in #1286068, FortiManager 8.0.1.
This is for when you want to install multiple policy packages being in the same of different ADOMs!
… warning:
TO BE TESTED.
{
"method": "exec",
"params": [
{
"url": "/securityconsole/batch/install/package",
"data": {
"adom": "demo",
"flags": [
"preview",
"generate_rev"
],
"adom_rev_name": "revision_2026-06-04-02-25-56-CEST",
"adom_rev_comments": "",
"target": [
{
"adom": "demo",
"pkg": "pkg_001",
"scope": [
{
"name": "dev_001",
"vdom": "root"
}
]
},
{
"adom": "demo",
"pkg": "pkg_002",
"scope": [
{
"name": "dev_002",
"vdom": "root"
}
]
},
{
"adom": "demo",
"pkg": "pkg_003",
"scope": [
{
"name": "dev_003",
"vdom": "root"
}
]
}
]
}
}
],
"id": "3341cdf2-174a-40c5-95cc-66395eb16509"
}
9.2.6.12. How to check for a scheduled policy package installation?#
The following example shows how to retrieve the schedule information for
the ppkg_001 policy package in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"schedule"
],
"filter": [
"name",
"==",
"ppkg_001"
],
"option": [
"schedule"
],
"url": "/pm/pkg/adom/demo"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": [
{
"name": "ppkg_001",
"oid": 7131,
"schedule": {
"adom_rev_name": "scheduled_install_ppkg_001",
"datetime": "2022-10-27 23:24",
"scope": [
{
"name": "dev_001",
"vdom": "root"
},
{
"name": "dev_002",
"vdom": "root"
}
]
}
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo"
}
]
}
Note
The schedule option appears to apply only to the entire
pm/pkg/adom/{adom} table.
To narrow the output to the desired ppkg_001 policy package, a
filter attribute has been applied.
9.2.6.13. How to cancel a policy package scheduled install?#
The following example shows how to cancel a scheduled policy package
installation for the ppkg_001 policy package in the demo ADOM:
{
"id": 3,
"method": "delete",
"params": [
{
"url": "/pm/pkg/adom/demo/ppkg_001/schedule"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/adom/demo/ppkg_001/schedule"
}
]
}
9.2.7. How to copy a firewall policy?#
Here the word copy refers to the action of copying a firewall policy from ADOM DB to Device DB.
For more information see section How to copy objects?
Below example shows how to copy a firewall policy from the dc_helsinki ADOM
to the dut_fgt_10 managed device and its root VDOM:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "dc_helsinki",
"category": 181,
"override_conflict": 1,
"query_only": 0,
"scope": [
{
"name": "dut_fgt_10",
"vdom": "root"
}
],
"src_list": [
{
"oid": 4835
}
]
},
"url": "/securityconsole/install/global"
}
],
"session": "{{session}"
}
Note
181is the category ID for thefirewall policy4835is the policy OID of the firewall policy we want to copyWe don’t have to specify the policy package name, the policy OID is unique
See section How to copy objects?; it describes how to get those category ID and OID
{
"id": 3,
"result": [
{
"data": {
"task": 1355
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/global"
}
]
}
9.2.8. Policy Package Status#
Note
9.2.8.1. How to get the status of all Policy Packages in an ADOM?#
The following example shows how to get the Policy Package status for all policy
package in the demo ADOM:
{
"id": 1,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/_package/status"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"dev": "dev_001",
"pkg": "folder_001/folder_002/pkg_001",
"status": "modified",
"vdom": "root"
},
{
"dev": "dev_002",
"pkg": "folder_001/folder_002/pkg_002",
"status": "modified",
"vdom": "root"
},
{
"dev": "dev_003",
"pkg": "folder_001/folder_002/pkg_003",
"status": "modified",
"vdom": "root"
},
{
"dev": "dev_004",
"pkg": "pkg_004",
"status": "installed",
"vdom": "root"
},
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/_package/status"
}
]
}
Note
FortiManager onlys returns the status of assigned Policy Packages which have been already installed
It shows the full path of the Policy Package. For instance, Policy Package
pkg_001topkg_003are in thefolder_002folder which in turn is in thefolder_002folder. But thepkg_004Policy Package is in the implicitrootfolder.It also returns the
status. In this output all Policy Package are with themodifiedstatus. It means that they contains changes not yet pushed to theit assigtned managed devices
9.2.8.2. How to get the status of a specific Policy Package?#
The following examples shows how to get the Policy Package status for the
pkg_001 Policy Package located in the folder_001/folder_002 folder in
the demo ADOM.
{
"id": 6,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/pkg/folder_001/folder_002/pkg_001/_package/status"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 6,
"result": [
{
"data": [
{
"dev": "dev_001",
"pkg": "folder_001/folder_002/pkg_001",
"status": "modified",
"vdom": "root"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/folder_001/folder_002/pkg_001/_package/status"
}
]
}
Important
This is the response you get when you enter a wrong path for the Policy Package:
{ "id": 6, "result": [ { "status": { "code": -6, "message": "Invalid url" }, "url": "/pm/config/adom/emea/pkg/wrong/path/pkg_001/_package/status" } ], "session": 34540 }
This is the response you get when you specify a Policy Package name which is not assigned or has never been installed:
{ "id": 6, "result": [ { "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/pkg/default/_package/status" } ] }
9.2.8.3. How to get the status of a specific Policy Package using a filter?#
Caught in #1071099.
The following example shows how to get the status of the ppkg_001 Policy
Package in the folder_001/folder_002 folder of the demo ADOM and using a
filter:
{
"id": 4,
"method": "get",
"params": [
{
"filter": [
"pkg",
"==",
[
"folder_001",
"folder_002",
"ppkg_001"
]
],
"url": "/pm/config/adom/demo/_package/status"
}
],
"session": "{{session}}",
"verbose": 1
}
Note
The
filterattribute contains a search criteria for thepkgattribute. It has to be strictly equal to the specified pathThe path in this case is a list where each element are representing the path.
{
"id": 4,
"result": [
{
"data": [
{
"dev": "dev_001",
"pkg": "folder_001/folder_002/ppkg_001",
"status": "modified",
"vdom": "root"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/_package/status"
}
]
}
Important
In the past (before FortiManager 7.6.1), filters could be applied using either of the following formats:
Intuitive with slashes:
[ "pkg", "==", "folder_001/folder_002/ppkg_001" ]
Less intuitive with spaces:
[ "pkg", "==", "folder_001 folder_002 ppkg_001" ]
However, folder or Policy Package names might contain slashes or spaces, making these approaches problematic. This is why the new format is now preferred.
Tip
As an alternative to the filter based on the
pkgattribute, you can consider using theoidone:[ "oid", "==", "1234" ]
9.2.8.4. How to get list of Policy Packages according to their status?#
What if you need to get the list of all Policy Packages assigned to your managed
devices, but only the ones matching a very specific status? Like the ones that
are in the modified status which means they shoud be re-installed?
The following example shows how to get all the assigned Policy Packages from the
demo ADOM which are with the modified status:
{
"id": 3,
"method": "get",
"params": [
{
"filter": [
"status",
"==",
"modified"
],
"url": "/pm/config/adom/knock_75362/_package/status/"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"dev": "dev_001",
"pkg": "ppkg_001",
"status": "modified",
"vdom": "root"
},
{
"dev": "dev_002",
"pkg": "ppkg_001",
"status": "modified",
"vdom": "root"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/_package/status/"
}
]
}
Note
This output shows that there is only one Policy Package - ppkg_001
- with the modified status.
It is in the modified status for the dev_001 and dev_002
managed devices. The dev_001 Policy Package could also have been
assigned to the dev_003 managed device, but it is not in the
modified status (maybe the FortiManager administrator re-installed
the ppkg_001 Policy Package for the dev_003 managed device).
This demo ADOM could be with other assigned Policy Packages like
ppkg_002, ppkg_003, etc., but they are definitely not in the
modified status.
9.2.9. How to figure out whether interface pair view are supported by a type of policies?#
Caught in #0601320.
For instance, if one of the policy is having source or destination
interface set to any, section view mode isn’t supported.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"srcintf",
"dstintf"
],
"url": "/pm/config/adom/TEST/pkg/emea/spain/pp.fw/_query/interface_pair_view/firewall/policy"
}
],
"session": "JDr9djBNCnlYSOnS3dc/SmaReOUbJtwseckMQnIPkL6BvVdb+8rJnO3vxnSED/Xa27E2Xki8jr/k3JYh4FCpIYSY5/0JIjvF",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"interface_pair_view": 1,
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/emea/spain/pp.fw/_query/interface_pair_view/firewall/policy"
}
]
}
Returned attribute interface_pair_view is 1 meaning we can use
the interface pair view mode in the mentioned policy package.
Other FortiManager API endpoints are possible:
/pm/config/adom/TEST/pkg/<pkg>/_query/interface_pair_view/firewall/proxy-policy
/pm/config/adom/TEST/pkg/<pkg>/_query/interface_pair_view/firewall/security-policy
Note
For policies in Policy Block, while the endpoint is:
/pm/config/adom/<adom>/pblock/<pblock>/firewall/policy
then you still need to use this endpoint when you want to get the interface pair view feasability:
/pm/config/adom/<adom>/pkg/Policy Blocks/<pblock>/_query/interface_pair_view/firewall/policy
9.2.10. How to clone a Policy Package?#
REQUEST:
{
"id": 1,
"result": [
{
"data": {
"task": 62
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/clone"
}
]
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"task": 62
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/clone"
}
]
}
9.2.11. How to trigger an install preview for a single device?#
When you install a Policy Package, the FortiManager UI lets you select an Install Preview action in order to review the CLI that will be pushed down to the managed devices.
This section describes how to operate this Install Preview action by using the API.
It’s a four steps process:
Trigger the Policy Package Install in preview mode
Trigger the Install Preview
Collect the Install Preview output
Cancel the Policy Package install process. Should you want to proceed with the install, then commit the preview.
9.2.11.1. Step #1: Trigger the Policy Package Install in preview mode#
The following example shows how to trigger the install of the ppkg_001 Policy Package against the dev_001 device in the demo ADOM:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"adom_rev_comments": "Test [1]",
"adom_rev_name": "Revision [1]",
"flags": [
"preview"
],
"pkg": "ppkg_001",
"scope": [
{
"name": "dev_001",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"task": 69
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
Note
You have to track the progress of the returned task id
69Once the task is completed, you can proceed with next step
9.2.11.2. Step #2: Trigger the Install Preview#
The following example shows how to trigger an install device preview operation for the dev_001 device in the demo ADOM:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"device": "dev_001",
"flags": [
"none"
],
"vdoms": [
"root"
]
},
"url": "/securityconsole/install/preview"
}
],
"session": "{{session}}"
}
Note
Attribute
flagscould benoneorjsonIt determines the nature of the output produced in the preview report
nonemeans CLI formatjsonmeans JSON format
Warning
There is a bug (#0713778) where using:
"flags": "json"
or:
"flags": ["json"]
doesn’t work: the preview report is still CLI based.
The solution is to use this form:
"flags": 1
Note
To be verified: #1162796 is stating it should be with double quotes:
"flags": "1"
{
"id": 1,
"result": [
{
"data": {
"task": 70
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/preview"
}
]
}
Note
You have to track the progress of the returned task id
70Once the task is completed, you can proceed with next step
9.2.11.3. Step #3: Collect the Install Preview output#
The following example shows how to obtain the Install Preview output for the dev_001 device in the demo ADOM:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"device": "dev_001"
},
"url": "/securityconsole/preview/result"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"message": "config system dns\n set primary 8.8.8.8\n unset secondary\nend\nconfig firewall address\n edit \"host_001\"\n set uuid 09ce3330-b06e-51ea-6497-48f76b1e8626\n set color 3\n set subnet 10.0.0.1 255.255.255.255\n next\nend\nconfig system dhcp server\n edit 1\n set status disable\n set dns-service default\n set ntp-service default\n set default-gateway 172.16.2.102\n set netmask 255.255.255.0\n set interface \"port3\"\n config ip-range\n edit 1\n set start-ip 172.16.2.1\n set end-ip 172.16.2.101\n next\n edit 2\n set start-ip 172.16.2.103\n set end-ip 172.16.2.254\n next\n end\n set timezone-option default\n next\nend\nconfig firewall policy\n edit 1\n set srcaddr \"host_001\"\n next\nend\n"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/preview/result"
}
]
}
Note
In the output returned by the
messageattribute, FortiManager reported pending changes coming from ADOM DB (objects & policies) but also from Device DBWhen you trigger an install preview for a device only, it will only expose the pending changes coming from the corresponding device’s Device DB (see How to get an Install Preview for a single device?)
9.2.11.4. Step #4: Cancel the Policy Package install process#
The following example shows how to cancel a Policy Package Installation:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "demo"
},
"url": "/securityconsole/package/cancel/install"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/package/cancel/install"
}
]
}
9.2.11.5. Step #4: or… commit the preview#
TBD.
{
"id": 1,
"method": "exec",
"session": "{{session}}",
"params": [
{
"url": "/securityconsole/package/commit",
"data": {
"adom": "demo",
"scope": [
{
"name": "fgt_001",
"vdom": "root"
}
]
}
}
],
"session": "{{session}}"
}
9.2.12. How to trigger an install preview for multiple devices?#
Starting with FortiManager 7.4.4/7.6.0 (#1027482), it is possible to trigger an Install Preview operation for multiple devices.
The per-device Install Preview tasks will be done in parellel.
It’s a three steps process:
Trigger the Policy Package Install in preview mode, this time by specifying multple devices
Trigger the Install Preview, again by specifying multiple target devices
Collect the Install Preview output, again by specifying multiple target devices
9.2.12.1. Step #1: Trigger the Policy Package Install in preview mode for multiple devices#
The following example shows how to trigger the install of the ppkg_001 Policy Package against the dev_001, dev_002 and dev_003 devices in
the demo ADOM:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": [
"preview",
],
"pkg": "ppkg_001",
"scope": [
{
"name": "dev_001",
"vdom": "root"
},
{
"name": "dev_002",
"vdom": "root"
},
{
"name": "dev_003",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/package"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"task": 1062
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/package"
}
]
}
Note
You have to track the progress of the returned task id
1062Once the task is completed, you can proceed with next step
9.2.12.2. Step #2: Trigger an install preview for multiple devices#
The following example shows how to trigger an install device preview operation for the dev_001, dev_002 and dev_003 devices in the demo ADOM:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"flags": ["none"],
"scope": [
{
"name": "dev_001",
"vdom": "root"
},
{
"name": "dev_002",
"vdom": "root"
},
{
"name": "dev_003",
"vdom": "root"
}
]
},
"url": "/securityconsole/install/preview"
}
],
"session": "{{session}}"
}
Note
Attribute
flagscould benoneorjsonIt determines the nature of the output produced in the preview report
nonemeans CLI formatjsonmeans JSON format
Warning
There is a bug (#0713778) where using:
"flags": "json"
or:
"flags": ["json"]
doesn’t work: the preview report is still CLI based.
The solution is to use this form:
"flags": 1
{
"id": 3,
"result": [
{
"data": {
"task": 1063
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/preview"
}
]
}
Note
You have to track the progress of the returned task id
1063Once the task is completed, you can proceed with next step
9.2.12.3. Step #3: Collect the install device preview output#
The following example shows how to obtain the Install Preview output for the dev_001, dev_002 and dev_003 devices in the demo ADOM:
{
"id": 4,
"method": "exec",
"params": [
{
"data": {
"adom": "demo",
"scope": [
{
"name": "dev_001",
"vdom": "root"
},
{
"name": "dev_002",
"vdom": "root"
},
{
"name": "dev_003",
"vdom": "root"
}
]
},
"url": "/securityconsole/preview/result"
}
],
"session": "{{session}}"
}
Click to expand
{
"id": 5,
"result": [
{
"data": {
"message": "[{ \"name\": \"fgt_001\", \"oid\": 34872, \"result\": \"=== Preview result ===\\n{ \\\"result\\\": [{ \\\"data\\\": [{ \\\"data\\\": [{ \\\"category\\\": 8, \\\"data\\\": [{ \\\"aggregate-type\\\": 0, \\\"algorithm\\\": 2, \\\"alias\\\": { \\\"n\\\": \\\"ul_isp1\\\"}, \\\"allowaccess\\\": { \\\"n\\\": 23, \\\"o\\\": 0}, \\\"ap-discover\\\": 1, \\\"arpforward\\\": 1, \\\"atm-protocol\\\": 0, \\\"auth-cert\\\": [], \\\"auth-type\\\": 4, \\\"auto-auth-extension-device\\\": 0, \\\"bandwidth-measure-time\\\": 0, \\\"bfd\\\": 0, \\\"bfd-desired-min-tx\\\": 250, \\\"bfd-detect-mult\\\": 3, \\\"bfd-required-min-rx\\\": 250, \\\"broadcast-forward\\\": 0, \\\"captive-portal\\\": 0, \\\"color\\\": 0, \\\"dedicated-to\\\": 0, \\\"defaultgw\\\": 1, \\\"description\\\": \\\"\\\", \\\"device-identification\\\": 0, \\\"device-user-identification\\\": 1, \\\"dhcp-classless-route-addition\\\": 0, \\\"dhcp-relay-agent-option\\\": 1, \\\"dhcp-relay-interface\\\": [], \\\"dhcp-relay-interface-select-method\\\": 0, \\\"dhcp-relay-ip\\\": [], \\\"dhcp-relay-link-selection\\\": \\\"0.0.0.0\\\", \\\"dhcp-relay-request-all-server\\\": 0, \\\"dhcp-relay-service\\\": 0, \\\"dhcp-relay-type\\\": 0, \\\"dhcp-renew-time\\\": 0, \\\"diff_flag\\\": 2, \\\"disc-retry-timeout\\\": 1, \\\"disconnect-threshold\\\": 0, \\\"distance\\\": 5, \\\"dns-server-override\\\": 1, \\\"dns-server-protocol\\\": 1, \\\"drop-fragment\\\": 0, \\\"drop-overlapped-fragment\\\": 0, \\\"eap-ca-cert\\\": [], \\\"eap-method\\\": 0, \\\"eap-password\\\": \\\"******\\\", \\\"eap-supplicant\\\": 0, \\\"eap-user-cert\\\": [], \\\"egress-cos\\\": 0, \\\"egress-shaping-profile\\\": [], \\\"estimated-downstream-bandwidth\\\": 0, \\\"estimated-upstream-bandwidth\\\": 0, \\\"explicit-ftp-proxy\\\": 0, \\\"explicit-web-proxy\\\": 0, \\\"external\\\": 0, \\\"fail-action-on-extender\\\": 0, \\\"fail-alert-interfaces\\\": [], \\\"fail-alert-method\\\": 1, \\\"fail-detect\\\": 0, \\\"fail-detect-option\\\": 2, \\\"fortilink\\\": 0, \\\"fortilink-neighbor-detect\\\": 1, \\\"fortilink-split-interface\\\": 1, \\\"forward-domain\\\": 0, \\\"gateway-address\\\": \\\"0.0.0.0\\\", \\\"gi-gk\\\": 0, \\\"gwaddr\\\": \\\"0.0.0.0\\\", \\\"icmp-accept-redirect\\\": 1, \\\"icmp-send-redirect\\\": 1, \\\"ident-accept\\\": 0, \\\"idle-timeout\\\": 0, \\\"ike-saml-server\\\": [], \\\"inbandwidth\\\": 0, \\\"ingress-cos\\\": 0, \\\"ingress-shaping-profile\\\": [], \\\"ingress-spillover-threshold\\\": 0, \\\"interconnect-profile\\\": 1, \\\"interface\\\": [], \\\"internal\\\": 0, \\\"ip\\\": [\\\"0.0.0.0\\\", \\\"0.0.0.0\\\"], \\\"ip-managed-by-fortiipam\\\": 0, \\\"ipmac\\\": 0, \\\"ips-sniffer-mode\\\": 0, \\\"ipunnumbered\\\": \\\"0.0.0.0\\\", \\\"l2forward\\\": 0, \\\"l2tp-client\\\": 0, \\\"lacp-ha-secondary\\\": 1, \\\"lacp-ha-slave\\\": 1, \\\"lacp-mode\\\": 2, \\\"lacp-speed\\\": 0, \\\"lcp-echo-interval\\\": 5, \\\"lcp-max-echo-fails\\\": 3, \\\"link-up-delay\\\": 50, \\\"lldp-network-policy\\\": [], \\\"lldp-reception\\\": 3, \\\"lldp-transmission\\\": 2, \\\"managed-subnetwork-size\\\": 256, \\\"management-ip\\\": [\\\"0.0.0.0\\\", \\\"0.0.0.0\\\"], \\\"measured-downstream-bandwidth\\\": 0, \\\"measured-upstream-bandwidth\\\": 0, \\\"member\\\": [], \\\"min-links\\\": 1, \\\"min-links-down\\\": 0, \\\"mode\\\": 0, \\\"monitor-bandwidth\\\": 0, \\\"mtu\\\": 1500, \\\"mtu-override\\\": 0, \\\"mux-type\\\": 0, \\\"name\\\": \\\"port2\\\", \\\"ndiscforward\\\": 1, \\\"netbios-forward\\\": 0, \\\"netflow-sampler\\\": 0, \\\"np-qos-profile\\\": 0, \\\"outbandwidth\\\": 0, \\\"padt-retry-timeout\\\": 1, \\\"password\\\": \\\"******\\\", \\\"phy-mode\\\": 0, \\\"poe\\\": 1, \\\"polling-interval\\\": 20, \\\"pppoe-unnumbered-negotiate\\\": 1, \\\"pptp-auth-type\\\": 4, \\\"pptp-client\\\": 0, \\\"pptp-password\\\": \\\"******\\\", \\\"pptp-server-ip\\\": \\\"0.0.0.0\\\", \\\"pptp-timeout\\\": 0, \\\"preserve-session-route\\\": 0, \\\"priority\\\": 1, \\\"priority-override\\\": 1, \\\"proxy-captive-portal\\\": 0, \\\"pvc-atm-qos\\\": 1, \\\"pvc-chan\\\": 0, \\\"pvc-crc\\\": 2, \\\"pvc-pcr\\\": 0, \\\"pvc-scr\\\": 0, \\\"pvc-vlan-id\\\": 7, \\\"pvc-vlan-rx-id\\\": 7, \\\"pvc-vlan-rx-op\\\": 1, \\\"pvc-vlan-tx-id\\\": 7, \\\"pvc-vlan-tx-op\\\": 3, \\\"reachable-time\\\": 30000, \\\"remote-ip\\\": [\\\"0.0.0.0\\\", \\\"0.0.0.0\\\"], \\\"replacemsg-override-group\\\": [], \\\"retransmission\\\": 1, \\\"ring-rx\\\": 0, \\\"ring-tx\\\": 0, \\\"role\\\": 3, \\\"sample-direction\\\": 3, \\\"sample-rate\\\": 2000, \\\"secondary-IP\\\": 0, \\\"security-8021x-dynamic-vlan-id\\\": 0, \\\"security-8021x-mode\\\": 0, \\\"security-exempt-list\\\": [], \\\"security-groups\\\": [], \\\"security-mac-auth-bypass\\\": 0, \\\"security-mode\\\": 1, \\\"sflow-sampler\\\": 0, \\\"sfp-dsl\\\": 0, \\\"sfp-dsl-adsl-fallback\\\": 0, \\\"sfp-dsl-autodetect\\\": 1, \\\"sfp-dsl-mac\\\": \\\"00:00:00:00:00:00\\\", \\\"snmp-index\\\": 107, \\\"speed\\\": 1, \\\"spillover-threshold\\\": 0, \\\"src-check\\\": 1, \\\"status\\\": 1, \\\"stp\\\": 0, \\\"stp-ha-secondary\\\": 2, \\\"stpforward\\\": 0, \\\"stpforward-mode\\\": 0, \\\"subst\\\": 0, \\\"substitute-dst-mac\\\": \\\"00:00:00:00:00:00\\\", \\\"sw-algorithm\\\": 3, \\\"swc-first-create\\\": 0, \\\"switch-controller-access-vlan\\\": 0, \\\"switch-controller-arp-inspection\\\": 0, \\\"switch-controller-dhcp-snooping\\\": 0, \\\"switch-controller-dhcp-snooping-option82\\\": 0, \\\"switch-controller-dhcp-snooping-verify-mac\\\": 0, \\\"switch-controller-dynamic\\\": [], \\\"switch-controller-feature\\\": 0, \\\"switch-controller-igmp-snooping\\\": 0, \\\"switch-controller-igmp-snooping-fast-leave\\\": 0, \\\"switch-controller-igmp-snooping-proxy\\\": 0, \\\"switch-controller-iot-scanning\\\": 0, \\\"switch-controller-learning-limit\\\": 0, \\\"switch-controller-mgmt-vlan\\\": 4094, \\\"switch-controller-nac\\\": [], \\\"switch-controller-netflow-collect\\\": 0, \\\"switch-controller-rspan-mode\\\": 0, \\\"switch-controller-source-ip\\\": 1, \\\"switch-controller-traffic-policy\\\": [], \\\"system-id\\\": \\\"00:00:00:00:00:00\\\", \\\"system-id-type\\\": 1, \\\"tc-mode\\\": 0, \\\"tcp-mss\\\": 0, \\\"timestamp\\\": 1716507207, \\\"trunk\\\": 0, \\\"trust-ip-1\\\": [\\\"0.0.0.0\\\", \\\"0.0.0.0\\\"], \\\"trust-ip-2\\\": [\\\"0.0.0.0\\\", \\\"0.0.0.0\\\"], \\\"trust-ip-3\\\": [\\\"0.0.0.0\\\", \\\"0.0.0.0\\\"], \\\"trust-ip6-1\\\": \\\"::\\\\\\/0\\\", \\\"trust-ip6-2\\\": \\\"::\\\\\\/0\\\", \\\"trust-ip6-3\\\": \\\"::\\\\\\/0\\\", \\\"type\\\": 0, \\\"user\\\": \\\"devops\\\", \\\"vci\\\": 35, \\\"vdom\\\": [\\\"\\\\\\\"root\\\\\\\"\\\"], \\\"vectoring\\\": 1, \\\"vlan-protocol\\\": 0, \\\"vlanforward\\\": 0, \\\"vlanid\\\": 0, \\\"vpi\\\": 0, \\\"vrf\\\": 0, \\\"vrrp-virtual-mac\\\": 0, \\\"wccp\\\": 0, \\\"weight\\\": 0, \\\"wifi-5g-threshold\\\": \\\"-78\\\", \\\"wifi-acl\\\": 0, \\\"wifi-ap-band\\\": 0, \\\"wifi-auth\\\": 0, \\\"wifi-auto-connect\\\": 1, \\\"wifi-auto-save\\\": 0, \\\"wifi-broadcast-ssid\\\": 1, \\\"wifi-dns-server1\\\": \\\"0.0.0.0\\\", \\\"wifi-dns-server2\\\": \\\"0.0.0.0\\\", \\\"wifi-encrypt\\\": 1, \\\"wifi-fragment-threshold\\\": 2346, \\\"wifi-gateway\\\": \\\"0.0.0.0\\\", \\\"wifi-key\\\": \\\"******\\\", \\\"wifi-keyindex\\\": 1, \\\"wifi-mac-filter\\\": 0, \\\"wifi-passphrase\\\": \\\"******\\\", \\\"wifi-radius-server\\\": [], \\\"wifi-rts-threshold\\\": 2346, \\\"wifi-security\\\": 9, \\\"wifi-ssid\\\": \\\"fortinet\\\", \\\"wins-ip\\\": \\\"0.0.0.0\\\"}]}], \\\"diff_flag\\\": 2, \\\"vdom\\\": \\\"global\\\"}, { \\\"data\\\": [{ \\\"category\\\": 2223, \\\"data\\\": [{ \\\"cos-queue\\\": 0, \\\"description\\\": \\\"Rate control for quarantined traffic\\\", \\\"diff_flag\\\": 3, \\\"guaranteed-bandwidth\\\": 163840, \\\"guaranteed-burst\\\": 8192, \\\"id\\\": 1, \\\"maximum-burst\\\": 163840, \\\"name\\\": \\\"quarantine\\\", \\\"policer-status\\\": 1, \\\"timestamp\\\": 1716507207, \\\"type\\\": 1, \\\"user\\\": \\\"devops\\\"}, { \\\"cos-queue\\\": 0, \\\"description\\\": \\\"Rate control for sniffer mirrored traffic\\\", \\\"diff_flag\\\": 3, \\\"guaranteed-bandwidth\\\": 50000, \\\"guaranteed-burst\\\": 8192, \\\"id\\\": 2, \\\"maximum-burst\\\": 163840, \\\"name\\\": \\\"sniffer\\\", \\\"policer-status\\\": 1, \\\"timestamp\\\": 1716507207, \\\"type\\\": 1, \\\"user\\\": \\\"devops\\\"}]}, { \\\"category\\\": 140, \\\"data\\\": [{ \\\"associated-interface\\\": [\\\"any\\\"], \\\"clearpass-spt\\\": 0, \\\"color\\\": 0, \\\"diff_flag\\\": 3, \\\"dirty\\\": 2, \\\"fabric-object\\\": 0, \\\"list\\\": null, \\\"name\\\": \\\"EMS_ALL_UNKNOWN_CLIENTS\\\", \\\"node-ip-only\\\": 0, \\\"obj-type\\\": 9, \\\"sub-type\\\": 3, \\\"tagging\\\": null, \\\"timestamp\\\": 1716507207, \\\"type\\\": 15, \\\"user\\\": \\\"devops\\\", \\\"uuid\\\": \\\"9012e90a-7a9a-51ee-b72b-f422d629c203\\\"}, { \\\"associated-interface\\\": [\\\"any\\\"], \\\"clearpass-spt\\\": 0, \\\"color\\\": 0, \\\"diff_flag\\\": 3, \\\"dirty\\\": 2, \\\"fabric-object\\\": 0, \\\"list\\\": null, \\\"name\\\": \\\"EMS_ALL_UNMANAGEABLE_CLIENTS\\\", \\\"node-ip-only\\\": 0, \\\"obj-type\\\": 9, \\\"sub-type\\\": 3, \\\"tagging\\\": null, \\\"timestamp\\\": 1716507207, \\\"type\\\": 15, \\\"user\\\": \\\"devops\\\", \\\"uuid\\\": \\\"9012d71c-7a9a-51ee-9809-c8aa6b444624\\\"}]}, { \\\"category\\\": 1563, \\\"data\\\": [{ \\\"allowlist\\\": 0, \\\"block-blocklisted-certificates\\\": 1, \\\"caname\\\": [\\\"Fortinet_CA_SSL\\\"], \\\"comment\\\": \\\"Read-only profile that does no inspection.\\\", \\\"diff_flag\\\": 2, \\\"mapi-over-https\\\": 0, \\\"name\\\": \\\"no-inspection\\\", \\\"rpc-over-https\\\": 0, \\\"server-cert\\\": [], \\\"server-cert-mode\\\": 0, \\\"ssl-anomaly-log\\\": 1, \\\"ssl-exemption-ip-rating\\\": 1, \\\"ssl-exemption-log\\\": 0, \\\"ssl-handshake-log\\\": 0, \\\"ssl-negotiation-log\\\": { \\\"n\\\": 1, \\\"o\\\": 0}, \\\"ssl-server-cert-log\\\": 0, \\\"supported-alpn\\\": 3, \\\"timestamp\\\": 1716507207, \\\"untrusted-caname\\\": [\\\"Fortinet_CA_Untrusted\\\"], \\\"use-ssl-server\\\": 0, \\\"user\\\": \\\"devops\\\"}]}, { \\\"category\\\": 181, \\\"data\\\": [{ \\\"action\\\": 1, \\\"anti-replay\\\": 1, \\\"application-list\\\": [], \\\"auth-cert\\\": [], \\\"auth-path\\\": 0, \\\"auto-asic-offload\\\": 1, \\\"av-profile\\\": [\\\"\\\\\\\"av_profile_001\\\\\\\"\\\"], \\\"block-notification\\\": 0, \\\"captive-portal-exempt\\\": 0, \\\"capture-packet\\\": 0, \\\"cgn-eif\\\": 0, \\\"cgn-eim\\\": 0, \\\"cgn-resource-quota\\\": 16, \\\"cgn-session-quota\\\": 16777215, \\\"cifs-profile\\\": [], \\\"comments\\\": { \\\"n\\\": \\\"Test #003\\\", \\\"o\\\": \\\"Test #001\\\"}, \\\"custom-log-fields\\\": [], \\\"decrypted-traffic-mirror\\\": [], \\\"delay-tcp-npu-session\\\": 0, \\\"diff_flag\\\": 2, \\\"diffserv-copy\\\": 0, \\\"diffserv-forward\\\": 0, \\\"diffserv-reverse\\\": 0, \\\"diffservcode-forward\\\": \\\"000000\\\", \\\"diffservcode-rev\\\": \\\"000000\\\", \\\"disclaimer\\\": 0, \\\"dlp-profile\\\": [], \\\"dnsfilter-profile\\\": [], \\\"dsri\\\": 0, \\\"dstaddr\\\": [\\\"\\\\\\\"host_101\\\\\\\"\\\"], \\\"dstaddr-negate\\\": 0, \\\"dstaddr6\\\": [], \\\"dstaddr6-negate\\\": 0, \\\"dstintf\\\": [\\\"\\\\\\\"port1\\\\\\\"\\\"], \\\"dynamic-shaping\\\": 0, \\\"email-collect\\\": 0, \\\"emailfilter-profile\\\": [], \\\"fec\\\": 0, \\\"file-filter-profile\\\": [], \\\"firewall-session-dirty\\\": 0, \\\"fixedport\\\": 0, \\\"fsso-agent-for-ntlm\\\": [], \\\"fsso-groups\\\": [], \\\"geoip-anycast\\\": 0, \\\"geoip-match\\\": 0, \\\"global-label\\\": \\\"Project #1\\\", \\\"groups\\\": [], \\\"gtp-profile\\\": [], \\\"http-policy-redirect\\\": 0, \\\"icap-profile\\\": [], \\\"identity-based-route\\\": [], \\\"inbound\\\": 0, \\\"inspection-mode\\\": 1, \\\"internet-service\\\": 0, \\\"internet-service-custom\\\": [], \\\"internet-service-custom-group\\\": [], \\\"internet-service-group\\\": [], \\\"internet-service-name\\\": [], \\\"internet-service-negate\\\": 0, \\\"internet-service-src\\\": 0, \\\"internet-service-src-custom\\\": [], \\\"internet-service-src-custom-group\\\": [], \\\"internet-service-src-group\\\": [], \\\"internet-service-src-name\\\": [], \\\"internet-service-src-negate\\\": 0, \\\"internet-service6\\\": 0, \\\"internet-service6-custom\\\": [], \\\"internet-service6-custom-group\\\": [], \\\"internet-service6-group\\\": [], \\\"internet-service6-name\\\": [], \\\"internet-service6-negate\\\": 0, \\\"internet-service6-src\\\": 0, \\\"internet-service6-src-custom\\\": [], \\\"internet-service6-src-custom-group\\\": [], \\\"internet-service6-src-group\\\": [], \\\"internet-service6-src-name\\\": [], \\\"internet-service6-src-negate\\\": 0, \\\"ip-version-type\\\": \\\"ipv4\\\", \\\"ippool\\\": 0, \\\"ips-sensor\\\": [], \\\"ips-voip-filter\\\": [], \\\"label\\\": \\\"Project #1\\\", \\\"logtraffic\\\": 2, \\\"logtraffic-start\\\": 0, \\\"match-vip\\\": 1, \\\"match-vip-only\\\": 0, \\\"name\\\": \\\"Policy_001\\\", \\\"nat\\\": 0, \\\"nat46\\\": 0, \\\"nat64\\\": 0, \\\"natinbound\\\": 0, \\\"natip\\\": [\\\"0.0.0.0\\\", \\\"0.0.0.0\\\"], \\\"natoutbound\\\": 0, \\\"network-service-dynamic\\\": [], \\\"network-service-src-dynamic\\\": [], \\\"np-acceleration\\\": 1, \\\"ntlm\\\": 0, \\\"ntlm-enabled-browsers\\\": [], \\\"ntlm-guest\\\": 0, \\\"obj seq\\\": 0, \\\"outbound\\\": 1, \\\"passive-wan-health-measurement\\\": 0, \\\"per-ip-shaper\\\": [], \\\"permit-any-host\\\": 0, \\\"permit-stun-host\\\": 0, \\\"pfcp-profile\\\": [], \\\"policy-behaviour-type\\\": \\\"standard\\\", \\\"policy-expiry\\\": 0, \\\"policy-expiry-date\\\": [\\\"0000-00-00\\\", \\\"00:00:00\\\"], \\\"policy-offload\\\": 1, \\\"policyid\\\": 1, \\\"poolname\\\": [], \\\"poolname6\\\": [], \\\"profile-group\\\": [], \\\"profile-protocol-options\\\": [\\\"default\\\"], \\\"profile-type\\\": 0, \\\"radius-mac-auth-bypass\\\": 0, \\\"replacemsg-override-group\\\": [], \\\"reputation-direction\\\": 2, \\\"reputation-direction6\\\": 42, \\\"reputation-minimum\\\": 0, \\\"reputation-minimum6\\\": 0, \\\"rtp-addr\\\": [], \\\"rtp-nat\\\": 0, \\\"schedule\\\": [\\\"\\\\\\\"always\\\\\\\"\\\"], \\\"schedule-timeout\\\": 0, \\\"sctp-filter-profile\\\": [], \\\"send-deny-packet\\\": 0, \\\"service\\\": [\\\"\\\\\\\"ALL\\\\\\\"\\\"], \\\"service-negate\\\": 0, \\\"session-ttl\\\": \\\"0\\\", \\\"sgt\\\": [], \\\"sgt-check\\\": 0, \\\"src-vendor-mac\\\": [], \\\"srcaddr\\\": [\\\"\\\\\\\"host_001\\\\\\\"\\\"], \\\"srcaddr-negate\\\": 0, \\\"srcaddr6\\\": [], \\\"srcaddr6-negate\\\": 0, \\\"srcintf\\\": [\\\"\\\\\\\"port2\\\\\\\"\\\"], \\\"ssh-filter-profile\\\": [], \\\"ssh-policy-redirect\\\": 0, \\\"ssl-ssh-profile\\\": [\\\"no-inspection\\\"], \\\"status\\\": 1, \\\"tcp-mss-receiver\\\": 0, \\\"tcp-mss-sender\\\": 0, \\\"tcp-session-without-syn\\\": 2, \\\"tcp-timeout-pid\\\": [], \\\"timeout-send-rst\\\": 0, \\\"timestamp\\\": 1716507207, \\\"tos\\\": \\\"0x00\\\", \\\"tos-mask\\\": \\\"0x00\\\", \\\"tos-negate\\\": 0, \\\"traffic-shaper\\\": [], \\\"traffic-shaper-reverse\\\": [], \\\"udp-timeout-pid\\\": [], \\\"user\\\": \\\"devops\\\", \\\"users\\\": [], \\\"utm-status\\\": 1, \\\"uuid\\\": \\\"0f84c644-cab0-51ee-57fd-17a89439cf9d\\\", \\\"videofilter-profile\\\": [], \\\"vlan-cos-fwd\\\": 255, \\\"vlan-cos-rev\\\": 255, \\\"voip-profile\\\": [], \\\"vpntunnel\\\": [], \\\"waf-profile\\\": [], \\\"wanopt\\\": 0, \\\"wanopt-detection\\\": 1, \\\"wanopt-passive-opt\\\": 0, \\\"wanopt-peer\\\": [], \\\"wanopt-profile\\\": [], \\\"wccp\\\": 0, \\\"webcache\\\": 0, \\\"webcache-https\\\": 0, \\\"webfilter-profile\\\": [], \\\"webproxy-forward-server\\\": [], \\\"webproxy-profile\\\": [], \\\"ztna-device-ownership\\\": 0, \\\"ztna-ems-tag\\\": [], \\\"ztna-geo-tag\\\": [], \\\"ztna-policy-redirect\\\": 0, \\\"ztna-status\\\": 0, \\\"ztna-tags-match-logic\\\": 0}]}], \\\"diff_flag\\\": 2, \\\"vdom\\\": \\\"root\\\"}]}]}\"}, { \"name\": \"fgt_002\", \"oid\": 35009, \"result\": \"=== Preview result ===\\n{ \\\"result\\\": [{ \\\"data\\\": [{ \\\"data\\\": [{ \\\"category\\\": 2223, \\\"data\\\": [{ \\\"cos-queue\\\": 0, \\\"description\\\": \\\"Rate control for quarantined traffic\\\", \\\"diff_flag\\\": 3, \\\"guaranteed-bandwidth\\\": 163840, \\\"guaranteed-burst\\\": 8192, \\\"id\\\": 1, \\\"maximum-burst\\\": 163840, \\\"name\\\": \\\"quarantine\\\", \\\"policer-status\\\": 1, \\\"timestamp\\\": 1716507209, \\\"type\\\": 1, \\\"user\\\": \\\"devops\\\"}, { \\\"cos-queue\\\": 0, \\\"description\\\": \\\"Rate control for sniffer mirrored traffic\\\", \\\"diff_flag\\\": 3, \\\"guaranteed-bandwidth\\\": 50000, \\\"guaranteed-burst\\\": 8192, \\\"id\\\": 2, \\\"maximum-burst\\\": 163840, \\\"name\\\": \\\"sniffer\\\", \\\"policer-status\\\": 1, \\\"timestamp\\\": 1716507209, \\\"type\\\": 1, \\\"user\\\": \\\"devops\\\"}]}, { \\\"category\\\": 140, \\\"data\\\": [{ \\\"associated-interface\\\": [\\\"any\\\"], \\\"clearpass-spt\\\": 0, \\\"color\\\": 0, \\\"diff_flag\\\": 3, \\\"dirty\\\": 2, \\\"fabric-object\\\": 0, \\\"list\\\": null, \\\"name\\\": \\\"EMS_ALL_UNKNOWN_CLIENTS\\\", \\\"node-ip-only\\\": 0, \\\"obj-type\\\": 9, \\\"route-tag\\\": 0, \\\"sub-type\\\": 3, \\\"tagging\\\": null, \\\"timestamp\\\": 1716507209, \\\"type\\\": 15, \\\"user\\\": \\\"devops\\\", \\\"uuid\\\": \\\"d5770b1e-c984-51ee-6b42-10ce7f9a3166\\\"}, { \\\"associated-interface\\\": [\\\"any\\\"], \\\"clearpass-spt\\\": 0, \\\"color\\\": 0, \\\"diff_flag\\\": 3, \\\"dirty\\\": 2, \\\"fabric-object\\\": 0, \\\"list\\\": null, \\\"name\\\": \\\"EMS_ALL_UNMANAGEABLE_CLIENTS\\\", \\\"node-ip-only\\\": 0, \\\"obj-type\\\": 9, \\\"route-tag\\\": 0, \\\"sub-type\\\": 3, \\\"tagging\\\": null, \\\"timestamp\\\": 1716507209, \\\"type\\\": 15, \\\"user\\\": \\\"devops\\\", \\\"uuid\\\": \\\"d57711ea-c984-51ee-f38d-edcd3007fe0c\\\"}]}, { \\\"category\\\": 181, \\\"data\\\": [{ \\\"action\\\": 1, \\\"anti-replay\\\": 1, \\\"application-list\\\": [], \\\"auth-cert\\\": [], \\\"auth-path\\\": 0, \\\"auto-asic-offload\\\": 1, \\\"av-profile\\\": [\\\"\\\\\\\"av_profile_001\\\\\\\"\\\"], \\\"block-notification\\\": 0, \\\"captive-portal-exempt\\\": 0, \\\"capture-packet\\\": 0, \\\"casb-profile\\\": [], \\\"cgn-eif\\\": 0, \\\"cgn-eim\\\": 0, \\\"cgn-resource-quota\\\": 16, \\\"cgn-session-quota\\\": 16777215, \\\"cifs-profile\\\": [], \\\"comments\\\": { \\\"n\\\": \\\"Test #003\\\", \\\"o\\\": \\\"Test #001\\\"}, \\\"custom-log-fields\\\": [], \\\"decrypted-traffic-mirror\\\": [], \\\"delay-tcp-npu-session\\\": 0, \\\"diameter-filter-profile\\\": [], \\\"diff_flag\\\": 2, \\\"diffserv-copy\\\": 0, \\\"diffserv-forward\\\": 0, \\\"diffserv-reverse\\\": 0, \\\"diffservcode-forward\\\": \\\"000000\\\", \\\"diffservcode-rev\\\": \\\"000000\\\", \\\"disclaimer\\\": 0, \\\"dlp-profile\\\": [], \\\"dnsfilter-profile\\\": [], \\\"dsri\\\": 0, \\\"dstaddr\\\": [\\\"\\\\\\\"host_101\\\\\\\"\\\"], \\\"dstaddr-negate\\\": 0, \\\"dstaddr6\\\": [], \\\"dstaddr6-negate\\\": 0, \\\"dstintf\\\": [\\\"\\\\\\\"port1\\\\\\\"\\\"], \\\"dynamic-shaping\\\": 0, \\\"email-collect\\\": 0, \\\"emailfilter-profile\\\": [], \\\"fec\\\": 0, \\\"file-filter-profile\\\": [], \\\"firewall-session-dirty\\\": 0, \\\"fixedport\\\": 0, \\\"fsso-agent-for-ntlm\\\": [], \\\"fsso-groups\\\": [], \\\"geoip-anycast\\\": 0, \\\"geoip-match\\\": 0, \\\"global-label\\\": \\\"Project #1\\\", \\\"groups\\\": [], \\\"gtp-profile\\\": [], \\\"http-policy-redirect\\\": 0, \\\"icap-profile\\\": [], \\\"identity-based-route\\\": [], \\\"inbound\\\": 0, \\\"inspection-mode\\\": 1, \\\"internet-service\\\": 0, \\\"internet-service-custom\\\": [], \\\"internet-service-custom-group\\\": [], \\\"internet-service-group\\\": [], \\\"internet-service-name\\\": [], \\\"internet-service-negate\\\": 0, \\\"internet-service-src\\\": 0, \\\"internet-service-src-custom\\\": [], \\\"internet-service-src-custom-group\\\": [], \\\"internet-service-src-group\\\": [], \\\"internet-service-src-name\\\": [], \\\"internet-service-src-negate\\\": 0, \\\"internet-service6\\\": 0, \\\"internet-service6-custom\\\": [], \\\"internet-service6-custom-group\\\": [], \\\"internet-service6-group\\\": [], \\\"internet-service6-name\\\": [], \\\"internet-service6-negate\\\": 0, \\\"internet-service6-src\\\": 0, \\\"internet-service6-src-custom\\\": [], \\\"internet-service6-src-custom-group\\\": [], \\\"internet-service6-src-group\\\": [], \\\"internet-service6-src-name\\\": [], \\\"internet-service6-src-negate\\\": 0, \\\"ip-version-type\\\": \\\"ipv4\\\", \\\"ippool\\\": 0, \\\"ips-sensor\\\": [], \\\"ips-voip-filter\\\": [], \\\"label\\\": \\\"Project #1\\\", \\\"logtraffic\\\": 2, \\\"logtraffic-start\\\": 0, \\\"match-vip\\\": 1, \\\"match-vip-only\\\": 0, \\\"name\\\": \\\"Policy_001\\\", \\\"nat\\\": 0, \\\"nat46\\\": 0, \\\"nat64\\\": 0, \\\"natinbound\\\": 0, \\\"natip\\\": [\\\"0.0.0.0\\\", \\\"0.0.0.0\\\"], \\\"natoutbound\\\": 0, \\\"network-service-dynamic\\\": [], \\\"network-service-src-dynamic\\\": [], \\\"np-acceleration\\\": 1, \\\"ntlm\\\": 0, \\\"ntlm-enabled-browsers\\\": [], \\\"ntlm-guest\\\": 0, \\\"obj seq\\\": 0, \\\"outbound\\\": 1, \\\"passive-wan-health-measurement\\\": 0, \\\"pcp-inbound\\\": 0, \\\"pcp-outbound\\\": 0, \\\"pcp-poolname\\\": [], \\\"per-ip-shaper\\\": [], \\\"permit-any-host\\\": 0, \\\"permit-stun-host\\\": 0, \\\"pfcp-profile\\\": [], \\\"policy-behaviour-type\\\": \\\"standard\\\", \\\"policy-expiry\\\": 0, \\\"policy-expiry-date\\\": [\\\"0000-00-00\\\", \\\"00:00:00\\\"], \\\"policy-offload\\\": 1, \\\"policyid\\\": 1, \\\"poolname\\\": [], \\\"poolname6\\\": [], \\\"port-preserve\\\": 1, \\\"profile-group\\\": [], \\\"profile-protocol-options\\\": [\\\"default\\\"], \\\"profile-type\\\": 0, \\\"radius-mac-auth-bypass\\\": 0, \\\"replacemsg-override-group\\\": [], \\\"reputation-direction\\\": 2, \\\"reputation-direction6\\\": 42, \\\"reputation-minimum\\\": 0, \\\"reputation-minimum6\\\": 0, \\\"rtp-addr\\\": [], \\\"rtp-nat\\\": 0, \\\"schedule\\\": [\\\"\\\\\\\"always\\\\\\\"\\\"], \\\"schedule-timeout\\\": 0, \\\"sctp-filter-profile\\\": [], \\\"send-deny-packet\\\": 0, \\\"service\\\": [\\\"\\\\\\\"ALL\\\\\\\"\\\"], \\\"service-negate\\\": 0, \\\"session-ttl\\\": \\\"0\\\", \\\"sgt\\\": [], \\\"sgt-check\\\": 0, \\\"src-vendor-mac\\\": [], \\\"srcaddr\\\": [\\\"\\\\\\\"host_001\\\\\\\"\\\"], \\\"srcaddr-negate\\\": 0, \\\"srcaddr6\\\": [], \\\"srcaddr6-negate\\\": 0, \\\"srcintf\\\": [\\\"\\\\\\\"port2\\\\\\\"\\\"], \\\"ssh-filter-profile\\\": [], \\\"ssh-policy-redirect\\\": 0, \\\"ssl-ssh-profile\\\": [\\\"no-inspection\\\"], \\\"status\\\": 1, \\\"tcp-mss-receiver\\\": 0, \\\"tcp-mss-sender\\\": 0, \\\"tcp-session-without-syn\\\": 2, \\\"tcp-timeout-pid\\\": [], \\\"timeout-send-rst\\\": 0, \\\"timestamp\\\": 1716507210, \\\"tos\\\": \\\"0x00\\\", \\\"tos-mask\\\": \\\"0x00\\\", \\\"tos-negate\\\": 0, \\\"traffic-shaper\\\": [], \\\"traffic-shaper-reverse\\\": [], \\\"udp-timeout-pid\\\": [], \\\"user\\\": \\\"devops\\\", \\\"users\\\": [], \\\"utm-status\\\": 1, \\\"uuid\\\": \\\"0f84c644-cab0-51ee-57fd-17a89439cf9d\\\", \\\"videofilter-profile\\\": [], \\\"virtual-patch-profile\\\": [], \\\"vlan-cos-fwd\\\": 255, \\\"vlan-cos-rev\\\": 255, \\\"voip-profile\\\": [], \\\"vpntunnel\\\": [], \\\"waf-profile\\\": [], \\\"wanopt\\\": 0, \\\"wanopt-detection\\\": 1, \\\"wanopt-passive-opt\\\": 0, \\\"wanopt-peer\\\": [], \\\"wanopt-profile\\\": [], \\\"wccp\\\": 0, \\\"webcache\\\": 0, \\\"webcache-https\\\": 0, \\\"webfilter-profile\\\": [], \\\"webproxy-forward-server\\\": [], \\\"webproxy-profile\\\": [], \\\"ztna-device-ownership\\\": 0, \\\"ztna-ems-tag\\\": [], \\\"ztna-ems-tag-secondary\\\": [], \\\"ztna-geo-tag\\\": [], \\\"ztna-policy-redirect\\\": 0, \\\"ztna-status\\\": 0, \\\"ztna-tags-match-logic\\\": 0}]}], \\\"diff_flag\\\": 2, \\\"vdom\\\": \\\"root\\\"}]}]}\"}, { \"name\": \"dev_003\", \"oid\": 35145, \"result\": \"=== Preview result ===\\n{ \\\"result\\\": [{ \\\"data\\\": [{ \\\"data\\\": [{ \\\"category\\\": 2223, \\\"data\\\": [{ \\\"cos-queue\\\": 0, \\\"description\\\": \\\"Rate control for quarantined traffic\\\", \\\"diff_flag\\\": 3, \\\"guaranteed-bandwidth\\\": 163840, \\\"guaranteed-burst\\\": 8192, \\\"id\\\": 1, \\\"maximum-burst\\\": 163840, \\\"name\\\": \\\"quarantine\\\", \\\"policer-status\\\": 1, \\\"timestamp\\\": 1716507208, \\\"type\\\": 1, \\\"user\\\": \\\"devops\\\"}, { \\\"cos-queue\\\": 0, \\\"description\\\": \\\"Rate control for sniffer mirrored traffic\\\", \\\"diff_flag\\\": 3, \\\"guaranteed-bandwidth\\\": 50000, \\\"guaranteed-burst\\\": 8192, \\\"id\\\": 2, \\\"maximum-burst\\\": 163840, \\\"name\\\": \\\"sniffer\\\", \\\"policer-status\\\": 1, \\\"timestamp\\\": 1716507208, \\\"type\\\": 1, \\\"user\\\": \\\"devops\\\"}]}, { \\\"category\\\": 140, \\\"data\\\": [{ \\\"associated-interface\\\": [\\\"any\\\"], \\\"clearpass-spt\\\": 0, \\\"color\\\": 0, \\\"diff_flag\\\": 3, \\\"dirty\\\": 2, \\\"fabric-object\\\": 0, \\\"list\\\": null, \\\"name\\\": \\\"EMS_ALL_UNKNOWN_CLIENTS\\\", \\\"node-ip-only\\\": 0, \\\"obj-type\\\": 9, \\\"route-tag\\\": 0, \\\"sub-type\\\": 3, \\\"tagging\\\": null, \\\"timestamp\\\": 1716507208, \\\"type\\\": 15, \\\"user\\\": \\\"devops\\\", \\\"uuid\\\": \\\"1cc03850-0211-51ef-8b32-de8d14b976f2\\\"}, { \\\"associated-interface\\\": [\\\"any\\\"], \\\"clearpass-spt\\\": 0, \\\"color\\\": 0, \\\"diff_flag\\\": 3, \\\"dirty\\\": 2, \\\"fabric-object\\\": 0, \\\"list\\\": null, \\\"name\\\": \\\"EMS_ALL_UNMANAGEABLE_CLIENTS\\\", \\\"node-ip-only\\\": 0, \\\"obj-type\\\": 9, \\\"route-tag\\\": 0, \\\"sub-type\\\": 3, \\\"tagging\\\": null, \\\"timestamp\\\": 1716507208, \\\"type\\\": 15, \\\"user\\\": \\\"devops\\\", \\\"uuid\\\": \\\"1cc07a18-0211-51ef-35ca-7644b7d6b20d\\\"}]}, { \\\"category\\\": 181, \\\"data\\\": [{ \\\"action\\\": 1, \\\"anti-replay\\\": 1, \\\"application-list\\\": [], \\\"auth-cert\\\": [], \\\"auth-path\\\": 0, \\\"auto-asic-offload\\\": 1, \\\"av-profile\\\": [\\\"\\\\\\\"av_profile_001\\\\\\\"\\\"], \\\"block-notification\\\": 0, \\\"captive-portal-exempt\\\": 0, \\\"capture-packet\\\": 0, \\\"casb-profile\\\": [], \\\"cgn-eif\\\": 0, \\\"cgn-eim\\\": 0, \\\"cgn-resource-quota\\\": 16, \\\"cgn-session-quota\\\": 16777215, \\\"cifs-profile\\\": [], \\\"comments\\\": { \\\"n\\\": \\\"Test #003\\\", \\\"o\\\": \\\"Test #001\\\"}, \\\"custom-log-fields\\\": [], \\\"decrypted-traffic-mirror\\\": [], \\\"delay-tcp-npu-session\\\": 0, \\\"diameter-filter-profile\\\": [], \\\"diff_flag\\\": 2, \\\"diffserv-copy\\\": 0, \\\"diffserv-forward\\\": 0, \\\"diffserv-reverse\\\": 0, \\\"diffservcode-forward\\\": \\\"000000\\\", \\\"diffservcode-rev\\\": \\\"000000\\\", \\\"disclaimer\\\": 0, \\\"dlp-profile\\\": [], \\\"dnsfilter-profile\\\": [], \\\"dsri\\\": 0, \\\"dstaddr\\\": [\\\"\\\\\\\"host_101\\\\\\\"\\\"], \\\"dstaddr-negate\\\": 0, \\\"dstaddr6\\\": [], \\\"dstaddr6-negate\\\": 0, \\\"dstintf\\\": [\\\"\\\\\\\"port1\\\\\\\"\\\"], \\\"dynamic-shaping\\\": 0, \\\"email-collect\\\": 0, \\\"emailfilter-profile\\\": [], \\\"fec\\\": 0, \\\"file-filter-profile\\\": [], \\\"firewall-session-dirty\\\": 0, \\\"fixedport\\\": 0, \\\"fsso-agent-for-ntlm\\\": [], \\\"fsso-groups\\\": [], \\\"geoip-anycast\\\": 0, \\\"geoip-match\\\": 0, \\\"global-label\\\": \\\"Project #1\\\", \\\"groups\\\": [], \\\"gtp-profile\\\": [], \\\"http-policy-redirect\\\": 0, \\\"icap-profile\\\": [], \\\"identity-based-route\\\": [], \\\"inbound\\\": 0, \\\"inspection-mode\\\": 1, \\\"internet-service\\\": 0, \\\"internet-service-custom\\\": [], \\\"internet-service-custom-group\\\": [], \\\"internet-service-group\\\": [], \\\"internet-service-name\\\": [], \\\"internet-service-negate\\\": 0, \\\"internet-service-src\\\": 0, \\\"internet-service-src-custom\\\": [], \\\"internet-service-src-custom-group\\\": [], \\\"internet-service-src-group\\\": [], \\\"internet-service-src-name\\\": [], \\\"internet-service-src-negate\\\": 0, \\\"internet-service6\\\": 0, \\\"internet-service6-custom\\\": [], \\\"internet-service6-custom-group\\\": [], \\\"internet-service6-group\\\": [], \\\"internet-service6-name\\\": [], \\\"internet-service6-negate\\\": 0, \\\"internet-service6-src\\\": 0, \\\"internet-service6-src-custom\\\": [], \\\"internet-service6-src-custom-group\\\": [], \\\"internet-service6-src-group\\\": [], \\\"internet-service6-src-name\\\": [], \\\"internet-service6-src-negate\\\": 0, \\\"ip-version-type\\\": \\\"ipv4\\\", \\\"ippool\\\": 0, \\\"ips-sensor\\\": [], \\\"ips-voip-filter\\\": [], \\\"label\\\": \\\"Project #1\\\", \\\"logtraffic\\\": 2, \\\"logtraffic-start\\\": 0, \\\"match-vip\\\": 1, \\\"match-vip-only\\\": 0, \\\"name\\\": \\\"Policy_001\\\", \\\"nat\\\": 0, \\\"nat46\\\": 0, \\\"nat64\\\": 0, \\\"natinbound\\\": 0, \\\"natip\\\": [\\\"0.0.0.0\\\", \\\"0.0.0.0\\\"], \\\"natoutbound\\\": 0, \\\"network-service-dynamic\\\": [], \\\"network-service-src-dynamic\\\": [], \\\"np-acceleration\\\": 1, \\\"ntlm\\\": 0, \\\"ntlm-enabled-browsers\\\": [], \\\"ntlm-guest\\\": 0, \\\"obj seq\\\": 0, \\\"outbound\\\": 1, \\\"passive-wan-health-measurement\\\": 0, \\\"pcp-inbound\\\": 0, \\\"pcp-outbound\\\": 0, \\\"pcp-poolname\\\": [], \\\"per-ip-shaper\\\": [], \\\"permit-any-host\\\": 0, \\\"permit-stun-host\\\": 0, \\\"pfcp-profile\\\": [], \\\"policy-behaviour-type\\\": \\\"standard\\\", \\\"policy-expiry\\\": 0, \\\"policy-expiry-date\\\": [\\\"0000-00-00\\\", \\\"00:00:00\\\"], \\\"policy-offload\\\": 1, \\\"policyid\\\": 1, \\\"poolname\\\": [], \\\"poolname6\\\": [], \\\"port-preserve\\\": 1, \\\"profile-group\\\": [], \\\"profile-protocol-options\\\": [\\\"default\\\"], \\\"profile-type\\\": 0, \\\"radius-mac-auth-bypass\\\": 0, \\\"replacemsg-override-group\\\": [], \\\"reputation-direction\\\": 2, \\\"reputation-direction6\\\": 42, \\\"reputation-minimum\\\": 0, \\\"reputation-minimum6\\\": 0, \\\"rtp-addr\\\": [], \\\"rtp-nat\\\": 0, \\\"schedule\\\": [\\\"\\\\\\\"always\\\\\\\"\\\"], \\\"schedule-timeout\\\": 0, \\\"sctp-filter-profile\\\": [], \\\"send-deny-packet\\\": 0, \\\"service\\\": [\\\"\\\\\\\"ALL\\\\\\\"\\\"], \\\"service-negate\\\": 0, \\\"session-ttl\\\": \\\"0\\\", \\\"sgt\\\": [], \\\"sgt-check\\\": 0, \\\"src-vendor-mac\\\": [], \\\"srcaddr\\\": [\\\"\\\\\\\"host_001\\\\\\\"\\\"], \\\"srcaddr-negate\\\": 0, \\\"srcaddr6\\\": [], \\\"srcaddr6-negate\\\": 0, \\\"srcintf\\\": [\\\"\\\\\\\"port2\\\\\\\"\\\"], \\\"ssh-filter-profile\\\": [], \\\"ssh-policy-redirect\\\": 0, \\\"ssl-ssh-profile\\\": [\\\"no-inspection\\\"], \\\"status\\\": 1, \\\"tcp-mss-receiver\\\": 0, \\\"tcp-mss-sender\\\": 0, \\\"tcp-session-without-syn\\\": 2, \\\"tcp-timeout-pid\\\": [], \\\"timeout-send-rst\\\": 0, \\\"timestamp\\\": 1716507209, \\\"tos\\\": \\\"0x00\\\", \\\"tos-mask\\\": \\\"0x00\\\", \\\"tos-negate\\\": 0, \\\"traffic-shaper\\\": [], \\\"traffic-shaper-reverse\\\": [], \\\"udp-timeout-pid\\\": [], \\\"user\\\": \\\"devops\\\", \\\"users\\\": [], \\\"utm-status\\\": 1, \\\"uuid\\\": \\\"0f84c644-cab0-51ee-57fd-17a89439cf9d\\\", \\\"videofilter-profile\\\": [], \\\"virtual-patch-profile\\\": [], \\\"vlan-cos-fwd\\\": 255, \\\"vlan-cos-rev\\\": 255, \\\"voip-profile\\\": [], \\\"vpntunnel\\\": [], \\\"waf-profile\\\": [], \\\"wanopt\\\": 0, \\\"wanopt-detection\\\": 1, \\\"wanopt-passive-opt\\\": 0, \\\"wanopt-peer\\\": [], \\\"wanopt-profile\\\": [], \\\"wccp\\\": 0, \\\"webcache\\\": 0, \\\"webcache-https\\\": 0, \\\"webfilter-profile\\\": [], \\\"webproxy-forward-server\\\": [], \\\"webproxy-profile\\\": [], \\\"ztna-device-ownership\\\": 0, \\\"ztna-ems-tag\\\": [], \\\"ztna-ems-tag-secondary\\\": [], \\\"ztna-geo-tag\\\": [], \\\"ztna-policy-redirect\\\": 0, \\\"ztna-status\\\": 0, \\\"ztna-tags-match-logic\\\": 0}]}], \\\"diff_flag\\\": 2, \\\"vdom\\\": \\\"root\\\"}]}]}\"}]"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/preview/result"
}
]
}
Note
The Install Preview ouput for multiple devices is placed in
messageattribute.
9.2.13. How to get the Policy Package hitcount?#
Caught in #0673650 (and applicable to FMG 6.4.7+ and FMG 7.0.3+).
Hitcount refers to the set of attributes linked to a firewall policy that maintain several utilization information like the Last Used, First Use, Packets, Bytes, etc. as shown below:
Getting the hitcount details is an on demand action that requires three steps.
The following example shows how to get the policy hitcount information for the
firewall policies in the ppkg_001 Policy Package of the demo ADOM:
Step #1: Trigger the hitcount refresh
{ "id": 1, "method": "exec", "params": [ { "data": { "adom": "demo", "pkg": "ppkg_001" }, "url": "/sys/hitcount" } ], "session": "{{session}}", }
{ "id": 1, "result": [ { "status": { "code": 0, "message": "OK" }, "taskid": 217, "url": "/sys/hitcount" } ] }
Note
You need to remember the returned
taskidvalue for the next step
Step #2: Monitor the task!
As usual, when FortiManager returns a
taskid, you have to monitor the task and wait for its successfull completion{ "id": 7, "method": "get", "params": [ { "url": "/task/task/217" } ], "session": "{{session}}", "verbose": 1 }
{ "id": 7, "result": [ { "data": { "adom": 32718, "end_tm": 1723443374, "flags": 0, "id": 1496, "line": [ { "detail": "update adom hitcount succeed", "end_tm": 1723443374, "err": 0, "history": [ { "detail": "2024-08-12 08:16:06:", "name": "retrieve hitcount for adom/package (demo/ppkg_001)", "percent": 0, "state": 0, "vdom": null }, { "detail": "2024-08-12 08:16:08:start to update adom hitcount", "name": "retrieve hitcount for adom/package (demo/ppkg_001)", "percent": 1, "state": 1, "vdom": null }, { "detail": "2024-08-12 08:16:14:update adom hitcount in progress", "name": "retrieve hitcount for adom/package (demo/ppkg_001)", "percent": 90, "state": 1, "vdom": null }, { "detail": "2024-08-12 08:16:14:update adom hitcount succeed", "name": "retrieve hitcount for adom/package (demo/ppkg_001)", "percent": 100, "state": 4, "vdom": null } ], "ip": "", "name": "retrieve hitcount for adom/package (demo/ppkg_001)", "oid": 0, "percent": 100, "poid": 0, "start_tm": 1723443366, "state": "done", "vdom": "" } ], "num_done": 1, "num_err": 0, "num_lines": 1, "num_warn": 0, "percent": 100, "pid": 0, "src": "device manager", "start_tm": 1723443366, "state": "done", "title": "get hitcount for policy package ppkg_001", "tot_percent": 100, "user": "devops" }, "status": { "code": 0, "message": "OK" }, "url": "/task/task/217" } ] }
Step #3 - Collect the result
{ "id": 4, "method": "exec", "params": [ { "data": { "taskid": 217 }, "url": "/sys/task/result" } ], "session": "{{session}}" }
{ "id": 4, "result": [ { "data": { "firewall policy": [ { "byte": 2266808, "dstintf": "any", "first_hit": 1702099572, "first_session": 0, "hitcount": 6911, "last_hit": 1702145401, "last_session": 0, "name": "Implicit Deny", "pkts": 6911, "policyid": 0, "sesscount": 0, "srcintf": "any" }, { "byte": 198373, "dstintf": "WAN1", "first_hit": 1701085009, "first_session": 1701085009, "hitcount": 380, "last_hit": 1702981443, "last_session": 1702981443, "name": "Generic_Internet", "pkts": 1534, "policyid": 2, "sesscount": 0, "srcintf": "vl_lan", "uuid": "2654008a-896d-51ee-e595-b22bf9abffc0" }, { "byte": 0, "dstintf": "HUB1", "first_hit": 0, "first_session": 0, "hitcount": 0, "last_hit": 0, "last_session": 0, "name": "Health Check Access", "pkts": 0, "policyid": 1071741826, "sesscount": 0, "srcintf": "Branch-Lo", "uuid": "9ac943e0-7d1e-51ee-42fb-fe716908a3d9" } ], "firewall policy6": [], "firewall proxy-policy": [ { "byte": 0, "dstintf": "any", "first_hit": 0, "first_session": 0, "hitcount": 0, "last_hit": 0, "last_session": 0, "name": "Implicit Deny", "pkts": 0, "policyid": 0, "sesscount": 0, "srcintf": "any" } ], "firewall security-policy": [], "global footer policy": [], "global header policy": [] }, "status": { "code": 0, "message": "OK" }, "taskid": 217, "url": "/sys/task/result" } ] }
Note
If you’re getting the following response:
{ "id": 4, "result": [ { "status": { "code": -10, "message": "The data is invalid for selected url" }, "taskid": 217, "url": "/sys/task/result" } ] }
then it probably means the task is still on-going.
Please proceed with step #2!
Starting with FortiManager 7.4.1, the Last Used (i.e, _last_hit attribute)
can be maintained as it is in FortiManager side, even if it gets reset on the
FortiGate side (caught in #0910402).
It’s configurable with the following FortiManager CLI:
config system global
set save-last-hit-in-adomdb enable
end
Note
Default value for
save-last-hit-in-adomdbisdisable
Furthermore, the _last_hit attribute can be retrieved by getting the
firewall policies.
For instance, to get the last_hit attribute for firewall policies in the sites_BRANCH_PPKG Policy Package from the production ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"_last_hit"
],
"loadsub": 0,
"url": "/pm/config/adom/production/pkg/sites_BRANCH_PPKG/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"_last_hit": 0,
"obj seq": 1,
"oid": 5460,
"policyid": 1
},
{
"_last_hit": 1705003857,
"name": "Generic_Internet",
"obj seq": 2,
"oid": 5784,
"policyid": 2
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/production/pkg/sites_BRANCH_PPKG/firewall/policy"
}
]
}
Note
The
_last_hitis returned in epoch format
However, to get an up to date Last Used information, you still have to trigger a hitcount refresh by using the /sys/hitcount JSON RPC url described above.
9.2.14. How to get the policy package checksum?#
Idea is to be able to detect whether a policy package has been modified or not.
The good news, is that there’s nothing special to do.
It is just enough to get the policy package and look at the returned obj
ver attribute:
REQUEST:
{
"id": 1,
"method": "get",
"params": [
{
"url": "pm/pkg/adom/CUSTOMER_001/FGT60D-001"
}
],
"session": "6iOnXClkXrGNFaLSHv3P18vdC0K3detcN+CAfvcwPRJjd0i54+WYRimlIclzP1i4W+/KZAvg16NGDoOT3Z7gmg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"name": "FGT60D-001",
"obj ver": 4,
"oid": 955,
"type": "pkg"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/pkg/adom/CUSTOMER_001/FGT60D-001"
}
]
}
We can also use the option chksum as documented in section Option chksum.
With FMG 5.6.0-INTERIM build 1510, we can also retrieve a checksum value using following request:
REQUEST:
{
"id": 1,
"method": "get",
"params": [
{
"url": "pm/config/adom/CM-LAB-001/pkg/PP_EXAMPLE/policy/package/settings"
}
],
"session": "5jZjkRrZBtpgEDR1G9RiPBKjEiNG/9+zwKZNnzFsvfsbSAie70YEA4ilLhabdGrVLqXvpUGyDdeuv7iV4+SgsA==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"central-nat": "disable",
"checksum": "1494203765-161359940",
"fwpolicy-implicit-log": "disable",
"fwpolicy6-implicit-log": "disable"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/CM-LAB-001/pkg/PP_EXAMPLE/policy/package/settings"
}
]
}
9.2.15. Policy Package Revision#
9.2.15.1. How to get the list of changes made on a Policy Package?#
The following example shows how to get all the changes made on the ppkg_001
Policy Package from the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{ "id": 3, "result": [ { "data": [ { "act": 2, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-dst-intf\": null, \"_global-label-color\": 0, \"_global-src-intf\": null, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 0, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auth-redirect-addr\": null, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-log-server-grp\": null, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"comments\": null, \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"any\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"global-label\": null, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"label\": null, \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": null, \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11296, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-expiry-date-utc\": null, \"policy-offload\": 1, \"policyid\": 1, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"redirect-url\": null, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"any\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"44d742cc-cef2-51ee-71ef-68f2fe808584\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"vlan-filter\": null, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "1", "note": "", "oid": 0, "pkg_oid": 11294, "timestamp": 1708325042, "user": "admin" }, { "act": 3, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-dst-intf\": null, \"_global-label-color\": 0, \"_global-src-intf\": null, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 1, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auth-redirect-addr\": null, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-log-server-grp\": null, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"comments\": null, \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"host_102\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"wan\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"global-label\": null, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"label\": null, \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": \"\", \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11298, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-expiry-date-utc\": null, \"policy-offload\": 1, \"policyid\": 3, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"redirect-url\": null, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"host_002\", \"host_001\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"lan\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"4828b014-cef2-51ee-2ab3-cce3da14bded\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"vlan-filter\": null, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "3", "note": "", "oid": 11298, "pkg_oid": 11294, "timestamp": 1708325089, "user": "admin" }, { "act": 1, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-label-color\": 0, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 0, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"wan\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11307, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-offload\": 1, \"policyid\": 12, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"lan\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 0, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"a027db5a-cef2-51ee-313e-00ee89b1203e\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "12", "note": "", "oid": 11307, "pkg_oid": 11294, "timestamp": 1708325195, "user": "admin" } ], "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy" } ] }
Note
For each change the
actis giving you the nature of the change:Value
meaning
1New policy created
2Existing policy deleted
3Existing policy modified
The
keyattribute is thepolicyidThe
configattribute is a copy of the firewall policy containing the changeFortiManager returns an ordered list of changes; the first item is the first change
9.2.15.2. Can we revert a Policy Package from a specific changes?#
You can only revert a firewall policy provided it does exist (see How to revert a firewall policy from a past changes?
9.3. Policy Blocks#
9.3.1. How to create a Policy Block?#
{
"id": 1,
"method": "add",
"params": [
{
"data": {
"name": "ppb_002",
"package settings": {
"central-nat": "disable",
"consolidated-firewall-mode": "disable",
"fwpolicy-implicit-log": "disable",
"fwpolicy6-implicit-log": "disable",
"ngfw-mode": "profile-based"
},
"type": "pkg"
},
"url": "/pm/pblock/adom/DEMO_014/"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pblock/adom/DEMO_014/"
}
]
}
9.3.2. How to add a policy in a Policy Block?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"all"
],
"dstintf": [
"any"
],
"logtraffic": "utm",
"logtraffic-start": "disable",
"name": "Policy_002",
"schedule": [
"always"
],
"service": [
"ALL"
],
"srcaddr": [
"all"
],
"srcintf": [
"any"
]
},
"url": "/pm/config/adom/DEMO_014/pblock/ppb_001/firewall/policy"
}
],
"session": "0ZY5z0s/JngkUaryMxPtobzfWQwDekg5dW2E04a1oib0bOxmYoqsev/QRq1wn/K1XG2Fl2yeXim+UF2C3pCq6w==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 1071741828
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_014/pblock/ppb_001/firewall/policy"
}
]
}
9.3.3. How to insert a Policy Block in a Policy Package?#
You can use the before and after attribute followed by the policyid
of the firewall policy.
The following request inserts the ppb_001 Policy Block before the firewall policy with policyid 2 in the pp.device1 Policy Package
from the DEMO_014 ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"before": "2",
"data": {
"_policy_block": "ppb_001"
},
"url": "/pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy"
}
],
"session": "{{session}}"
}
Warning
The
policyidhas to be passed as a string!
9.3.4. How to where used a Policy Block?#
This is for when you want to get the list of Policy Packages (and relative policyid of the Policy Packages’ firewall policies) referencing the given
Policy Block.
For instance, to where used the pblk_001 Policy Block from the demo
ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"option": [
"where_used"
],
"url": "/pm/pblock/adom/demo/pblk_001"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"name": "pblk_001",
"oid": 5276,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"type": "pblock",
"where_used": [
{
"data": [
{
"category": 181,
"mapping_name": "firewall policy",
"mattr": "policyid",
"mkey": "110",
"pkg": {
"name": "ppkg_001",
"oid": 6079
}
},
{
"category": 181,
"mapping_name": "firewall policy",
"mattr": "policyid",
"mkey": "3",
"pkg": {
"name": "ppkg_002",
"oid": 6181
}
}
],
"root": {
"name": "demo",
"oid": 165
}
}
]
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pblock/adom/demo/pblk_001"
}
]
}
Note
The response indicates that the pblk_001 Policy Block is used in the
ppkg_001andppkg_002Policy PackagesThe relative
policyidis given by themkeyattributeIt is
110in theppkg_001Policy Package and3in theppkg_002Policy PackageIt means that next firewall policy that will get created in the
ppkg_001andppkg_002Policy Packages will be111and4respectively
9.3.5. How to clone a firewall policy from a Policy Package to a Policy Block?#
Why would you need to perform such clone operation?
It is just how the FortiManager GUI is implementing the copy & paste operation:
FortiManager administrator right-clicks and copy a firewall policy from a Policy Package
Then he right-clicks and paste it in a Policy Block
The above process is triggering two FortiManager JSON RPC API calls:
A clone operation
A move operation
9.3.5.1. Clone operation#
To clone firewall policy with policyid 1 from the ppkg_001 Policy
Package into the sites_HBLK Policy Block from the dc_emea ADOM:
{
"id": 3,
"method": "clone",
"params": [
{
"data": {
"name": "New_Policy_Name",
"new parent": "pblock/sites_HBLK"
},
"url": "/pm/config/adom/dc_emea/pkg/ppkg_001/firewall/policy/1"
}
],
"session": "{{session}}"
}
Note
Cloned firewall policy will have its
nameattribute set withNew_Policy_Name
{
"id": 3,
"result": [
{
"data": {
"policyid": 1071741830
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_emea/pkg/ppkg_001/firewall/policy/1"
}
]
}
Note
The FortiManager returns the
policyidof the cloned firewall policy:1071741830The cloned firewall policy is located at the end of the firewall policy list
9.3.5.2. Move operation#
To cloned firewall policy has been placed at the end of the firewall policy list in the Policy Block.
To move the cloned firewall policy with policyid 1071741830 above the firewall policy with policyid 1071741828, both being in the sites_HBLK Policy Block of the dc_emea ADOM:
{
"id": 3,
"method": "move",
"params": [
{
"option": "before",
"target": "1071741828",
"url": "pm/config/adom/dc_emea/pblock/sites_HBLK/firewall/policy/1071741830"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"policyid": 1071741830
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/dc_emea/pblock/sites_HBLK/firewall/policy/1071741830"
}
]
}
Note
FortiManager confirms the success of the
moveoperation by returning thepolicyidof the moved firewall policy (1071741830)
9.4. Firewall Policies#
The firewall policies are included in the Policy Package. The corresponding API endpoint is:
/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy
where:
adomis the ADOM name.pkgis the Policy Package name.
9.4.1. How to get a firewall policy based on its position?#
When you get a table like the firewall policy table, FortiManager is returning a
list. Then, like with every lists, to get a specific list element you have to
use an index. Considering the index of the first element in a list is 0, to
get the Nth element you need to use the N- 1 index.
This section shows how you can use the range attribute which is working as
explained below:
9.4.1.1. How to get the first firewall policy?#
The following example shows how to get the 1st firewall policy from the
ppkg_001 Policy Package in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"policyid",
"name"
],
"loadsub": 0,
"range": [
0,
1
],
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
Note
0in therangeattribute means you’re asking for the first element of the returned list. Then the1means you’re asking for only 1 element.
{
"id": 3,
"result": [
{
"data": [
{
"name": "Policy_0019",
"obj seq": 1,
"oid": 5667,
"policyid": 9
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
Note
policyidaren’t telling you the policy position. As you can see in the response above, the first policy is with apolicyidof 9
9.4.1.2. How to get the nth firewall policy?#
The following example shows how to get the 5th firewall policy from the
ppkg_001 Policy Package in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"policyid",
"name"
],
"loadsub": 0,
"range": [
4,
1
],
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
Note
4in therangeattribute means you’re asking for the 5th element of the returned list (don’t forget that the first element index is0). Then the1means you’re asking for only 1 element.
{
"id": 3,
"result": [
{
"data": [
{
"name": "Policy_005",
"obj seq": 5,
"oid": 5689,
"policyid": 22
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
9.4.1.3. How to get the last firewall policy?#
First you need to get the total number of firewall policies. The following
example shows how to get the number of firewall policy from the ppkg_001
Policy Package in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"option": [
"count"
],
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": 18,
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
In the example above, you have 18 firewall policy. It means that the last policy
is having the index 17.
The following example shows how to get the 17th firewall policy (hence the last)
from the ppkg_001 Policy Package in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"policyid",
"name"
],
"loadsub": 0,
"range": [
17,
1
],
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
Note
4in therangeattribute means you’re asking for the 5th element of the returned list (don’t forget that the first element index is0). Then the1means you’re asking for only 1 element.
{
"id": 3,
"result": [
{
"data": [
{
"name": "Policy_018",
"obj seq": 18,
"oid": 5699,
"policyid": 32
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
9.4.2. How to get the default values for a firewall policy?#
This is when you plan to suggest default values in an application you’re developping and where you offer to add a new firewall policy.
You can get the firewall policy table of a Policy Package using the object template attribute.
To get the default value for a firewall policy in the pp.003 Policy Package from the DEMO ADOM:
{
"id": 1,
"method": "get",
"params": [
{
"object template": 1,
"url": "/pm/config/adom/DEMO/pkg/pp.003/firewall/policy/"
}
],
"session": "{{session}}",
"verbose": 1
}
9.4.3. How to add a firewall policy?#
To add a new firewall policy in the dut_fgt_02 Policy Package from the dc_amer ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"host_001",
"host_002"
],
"dstintf": [
"internal1",
"internal2"
],
"logtraffic": "all",
"schedule": "always",
"service": [
"FTP",
"HTTPS"
],
"srcaddr": [
"host_003",
"host_004"
],
"srcintf": [
"internal3",
"internal4"
],
"status": "enable"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"policyid": 2
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
]
}
Note
FortiManager returns the
policyidof the created policy.
If a specific policyid is required, and provided it isn’t already used,
then you can specify it:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"host_001",
"host_002"
],
"dstintf": [
"internal1",
"internal2"
],
"logtraffic": "all",
"policyid": 10,
"schedule": "always",
"service": [
"FTP",
"HTTPS"
],
"srcaddr": [
"host_003",
"host_004"
],
"srcintf": [
"internal3",
"internal4"
],
"status": "enable"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"policyid": 10
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
]
}
9.4.4. How to delete a firewall policy?#
TBD.
9.4.5. How to delete multiple firewall policies?#
The below example shows how to delete multiple firewall policies by combining in
a single API call the delete and filter operation:
{
"id": 3,
"method": "delete",
"params": [
{
"url": "pm/config/adom/dc_amer/pkg/dut_fgt_2/firewall/policy",
"confirm": 1,
"filter": [
"policyid",
"in",
1,2,3,
]
}
],
"session": "{{session}}"
}
{
"result": [
{
"data": null,
"id": 3,
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy"
}
]
}
9.4.6. How to purge all firewall policies?#
The following example shows you how to purge all firewall policies from the ppkg_001 Policy Package in the demo ADOM:
{
"id": 3,
"method": "delete",
"params": [
{
"confirm": 1,
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
9.4.7. How to update a firewall policy?#
9.4.7.1. Update elements of an existing firewall policy#
You just need to specify in the JSON RPC body the elements you want to update:
REQUEST:
{
"id": 3,
"method": "update",
"params": [
{
"data": {
"ips-sensor": "default",
"name": "Project_XXX_Traffic",
"nat": "enable",
"utm-status": "enable"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10"
}
],
"session": "EnRb2hecAsLL/i6DwUZ0WpibwI5a4KC58vm7ta1IivNT4Gwjqhp5sXUG+3YmdwIvnTlkdltTtHYzxSrOBbTcxg=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"policyid": 10
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10"
}
]
}
9.4.7.2. How to update a specific field without overwriting it?#
The goal is just to add new srcaddr elements of a specific policy without
overwriting the existing ones.
For instance, if srcaddr is set with:
[
"host_001",
"host_002"
]
then after this API request, it will be with:
[
"host_001",
"host_002",
"host_005",
"host_006"
]
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": [
"host_005",
"host_006"
],
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10/srcaddr"
}
],
"session": "RI6Bcs0YtRnh8dJoVsNqmV4A8+CNQZEyFIO5bZafv8xWMykF6ySvFSoitQld49G1bG3Sfug6h1LKmdR/1jt3uw=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_amer/pkg/dut_fgt_02/firewall/policy/10/srcaddr"
}
]
}
9.4.8. How to move a firewall policy?#
Considering we know the policyid of the source policy and the policyid
of the destination policy (i.e., the destination location), we can use the move
operation.
This request is moving policyid 3 after policyid 4 (for policy
package pp.003 of ADOM demo):
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "move",
"params": [
{
"option": "after",
"target": "4",
"url": "/pm/config/adom/demo/pkg/pp.003/firewall/policy/3"
}
],
"session": "tAgknLN52psfVRRYxPcGgWM45/i1OkEQ8bcnBc2LMyNThEmZfqY6h2C5h0IqDsEMX5p3+wjoKuRdodehh10zLUw+iEXyxwio",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 3
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom//pkg/pp.003/firewall/policy/3"
}
]
}
9.4.9. How to insert a policy?#
Three options are available:
Use the
addandmoveoperationsYou add a policy, it gets automatically placed at the last position
You move the policy to the desired location
Using the
object positionattribute to specify the desired locationUsing the
beforeandafterattributes
Those three alternatives are described below.
9.4.9.1. Use the add and move operations#
To add a new firewall policy, please review How to add a firewall policy?
To move a firewall policy, please review: How to move a firewall policy?
9.4.9.2. Use the object position attribute#
Caught in #0306003.
To insert a new firewall policy after the firewall policy with policyid
13 in the pp.001 Policy Package from the DEMO ADOM:
{
"id": 1,
"method": "add",
"params": [
{
"data": {
"action": "accept",
"dstaddr": [
"host_001"
],
"dstintf": [
"ul_isp1"
],
"logtraffic": "all",
"name": "This is a test!",
"object position": [
"after",
"13"
],
"schedule": [
"always"
],
"service": [
"FTP"
],
"srcaddr": [
"host_002"
],
"srcintf": [
"lan"
]
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"policyid": 51
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
]
}
Note
policyid51is the policy id of the newly created firewall policy
9.4.9.3. Using the before and after attributes#
A new way of placing a firewall policy has been observed.
It consists in adding attribute before or after placed outside of the
data block.
To insert a new firewall policy before the firewall policy with policyid
3 in the pp.001 Policy Package from the DEMO ADOM:
{
"id": 1,
"method": "add",
"params": [
{
"before": "3",
"data": {
"action": "accept",
"dstaddr": [
"all"
],
"dstintf": [
"dmz"
],
"ips-sensor": "all_default",
"logtraffic": "all",
"name": "Test_001",
"profile-protocol-options": [
"default"
],
"schedule": [
"always"
],
"service": [
"ALL"
],
"srcaddr": [
"all"
],
"srcintf": [
"wan"
],
"ssl-ssh-profile": [
"no-inspection"
],
"utm-status": "enable"
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"policyid": 52
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/pkg/pp.001/firewall/policy"
}
]
}
Note
policyid52is the policy id of the newly created firewall policy
9.4.10. How to insert a policy in an existing section?#
This section explains how to insert a new policy into an existing section. The new policy will be added at the end of the section.
The process requires two API calls:
Retrieve the
policyidof the last policy in the section.Add the new policy after the retrieved
policyid.
Retrieve the
policyidof the last policy in the sectionThe example below shows how to get the policyid of the last policy of the section named
Project #2in theppkg_001Policy Package from thedemoADOM:{ "id": 3, "method": "get", "params": [ { "fields": [ "policyid", "name", "global-label" ], "filter": [ "global-label", "==", "Project #2" ], "loadsub": 0, "range": [ 0, 1 ], "sortings": [ { "policyid": -1 } ], "url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy" } ], "session": "{{session}}" }
Note
The
filterattribute is used to get the policies of the section namedProject #2The
sortingsattribute is used to sort the policies in descending order of theirpolicyidattributeThe
rangeattribute is used to get the first policy of the sorted list
{ "id": 3, "result": [ { "data": [ { "global-label": "Project #2", "obj seq": 21, "oid": 6363, "policyid": 101 } ], "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy" } ] }
Note
The policyid of the last policy in the section named
Project #2is101
Add the new policy after the last policy of the section
The example below shows how to add a new policy after the last policy of the section named
Project #2in theppkg_001Policy Package from thedemoADOM:{ "id": 4, "method": "set", "params": [ { "data": { "action": "accept", "dstaddr": [ "host_001", "host_002" ], "dstintf": [ "wan" ], "global-label": "Project #2", "logtraffic": "all", "object position": [ "after", "101" ], "schedule": "always", "service": [ "FTP", "HTTPS" ], "srcaddr": [ "host_003", "host_004" ], "srcintf": [ "lan" ], "status": "enable" }, "url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy" } ], "session": "{{session}}" }
Note
The
object positionattribute is used to specify the position of the new policy.
{ "id": 3, "result": [ { "data": { "policyid": 102 }, "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy" } ] }
Note
The policyid of the newly created policy is
102
9.4.11. How to clone a policy?#
Cloning a policy doesn’t require to specify the destination
policyid since it is auto-generated.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "clone",
"params": [
{
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
],
"session": "ngFWU2SEY8rBX368VnxURvNKOfncqe7i5GWjOomUkeNrZPzBs/rhclDiyvNL825baHw+Sjq3z0YmV01imbg16Q==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 4
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
]
}
But we can also force a specific policyid if required:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "clone",
"params": [
{
"data": {
"policyid": 111
},
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
],
"session": "LmM3A03tHkgNxRJiSRxCMCrcqzZCBZYJKiZRfJDlJ1d5JTk3hrIlLqZITXTdAwJX4yToHOQ0NRojwHP6DEZX0Q==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"policyid": 111
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_013/pkg/pp.hub1/firewall/policy/1"
}
]
}
9.4.12. How to insert a section title for a firewall policy?#
The following example shows how to insert a section title for the firewall
policy with policyid 1 in the ppkg_001 Policy Package from the
demo ADOM:
{
"id": 3,
"method": "set",
"params": [
{
"data": {
"name": "Project #001",
"_global-label-color": 22
},
"url": "pm/config/adom/demo/pkg/ppkg_001/firewall/policy/1/section value"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/demo/pkg/ppkg_001/firewall/policy/1/section value"
}
]
}
You can also use this more traditional method:
{
"id": 3,
"method": "set",
"params": [
{
"data": {
"_global-label-color": 22,
"global-label": "Project #001"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy/1"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"policyid": 1
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy/1"
}
]
}
9.4.13. How to get the section title of a policy?#
The section title is saved in the global-label attribute of each policies:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"global-label"
],
"loadsub": 0,
"url": "/pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy"
}
],
"session": "CHaKn3hVODf8U3cz1PByenpgjjeFTlwgtDj8b163pVqiaNW7JnUk+IMnVPVi90Jf+lxcpib6HLJPhislBJlPwg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"obj seq": 1,
"policyid": 1
},
{
"global-label": "Project #001",
"obj seq": 2,
"policyid": 4
},
{
"global-label": "Project #001",
"obj seq": 3,
"policyid": 5
},
{
"global-label": "Project #001",
"obj seq": 4,
"policyid": 2
},
{
"global-label": "Project #001",
"obj seq": 5,
"policyid": 3
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_014/pkg/pp.device1/firewall/policy"
}
]
}
In this output, we can see that policy #1 (ie. "obj seq": 1) isn’t
having any section title while all other policies are in a section
title named Project #001.
9.4.14. How to insert a section title for a consolidated policy?#
Caught in #0597802.
REQUEST:
{
"id": 4,
"method": "set",
"params": [
{
"url": "pm/config/adom/root/pkg/pkg1/firewall/consolidated/policy/2/section value",
"data": {
"name": "section 1"
}
}
]
}
RESPONSE:
TBD
9.4.15. How to get creation and modification timestamps along with the owner of the change?#
We need to pass the extra info option.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"policyid"
],
"loadsub": 0,
"option": [
"extra info"
],
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
],
"session": "8DvhCgFU4hHlb2yaTj89lH0Yx1muBZYEtkAqfCstMKzolG0wsXSCkHrUn4/ZoClSBrGjruJ5ey6aZP6OjZ3pwxhUNUj0Lyzi",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"_created timestamp": 1584462465,
"_last-modified-by": "admin",
"_modified timestamp": 1584462794,
"obj seq": 1,
"obj ver": 4,
"policyid": 1
},
{
"_created timestamp": 1584462465,
"_last-modified-by": "admin",
"_modified timestamp": 1584462465,
"obj seq": 2,
"obj ver": 1,
"policyid": 2
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
]
}
It should work for all objects with timestamp/owner change support. For instance, we can also get same information for the firewall addresses:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"name"
],
"loadsub": 0,
"option": [
"extra info"
],
"url": "/pm/config/adom/TEST/obj/firewall/address"
}
],
"session": "zGBZ3O/1FRg8fW+pObix36eCH4aUBabYbNqzCMtW3sG3hXAfhtNJMvSZg5atCfjR7hbXrYPcsOmZTD5O/w6htwbVzTZOSep9",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"_created timestamp": 1584462001,
"_last-modified-by": "admin",
"_modified timestamp": 1584462001,
"name": "FABRIC_DEVICE",
"obj ver": 1
},
{
"_created timestamp": 1584462001,
"_last-modified-by": "admin",
"_modified timestamp": 1584462001,
"name": "FIREWALL_AUTH_PORTAL_ADDRESS",
"obj ver": 1
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/obj/firewall/address"
}
]
}
9.4.16. How to get the meta-fields for policies?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"policyid",
"meta fields"
],
"loadsub": 0,
"option": [
"get meta"
],
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
],
"session": "MUhOUM7HF72aAOx9qSmnjeRie3pBjtNPrOhN15/VPC+NxVuILkXFCLAbTPlIgqF/vWQ9uyBtTuV3RmD14xXoP9dLTMLWoqyJ",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"meta fields": {
"change_type": "temporary"
},
"obj seq": 1,
"policyid": 1
},
{
"meta fields": {
"change_type": ""
},
"obj seq": 2,
"policyid": 2
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/pkg/pp.001/firewall/policy"
}
]
}
9.4.17. How to do a policy lookup?#
When we debug the fortimanager while operating the policy lookup from its UI:
diagnose debug service sys 255
diagnose debug enable
diagnose debug timestamp enable
to lookup for a policy matching the following criterias:
Device/VDOM
branch1_fgtSource Interface
vl_lanProtocol
IPProtocol Number
6Source
Empty
Destination
8.8.8.8
we can see two operations:
Fortimanager is first doing a route lookup!
REQUEST:
{
"id": "9cd0139f-1713-4b57-b5f4-48a74f53baee",
"method": "exec",
"params": [
{
"data": {
"action": "get",
"resource": "/api/v2/monitor/router/lookup/select?&destination=8.8.8.8&ipv6=0",
"target": [
"adom/DEMO/device/branch1_fgt"
]
},
"target start": 1,
"url": "sys/proxy/json"
}
],
"session": 11017
}
RESPONSE:
{
"id": "2e65b687-2d69-42c8-a716-a0ebb07162c0",
"result": [
{
"data": [
{
"response": {
"action": "select",
"build": 8348,
"http_method": "GET",
"name": "lookup",
"path": "router",
"results": {
"gateway": "0.0.0.0",
"interface": "ol_mpls_0",
"network": "0.0.0.0/0",
"success": true
},
"serial": "FGVM04REDACTED73",
"status": "success",
"vdom": "root",
"version": "v6.2.3"
},
"status": {
"code": 0,
"message": "OK"
},
"target": "branch1_fgt"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "sys/proxy/json"
}
]
}
And we assume that because there are existing routes, fortimanager proceeds with the next step.
It does the policy lookup!
REQUEST:
{
"id": "9bddbb32-7a3f-4547-af43-cb9812c9fc81",
"method": "exec",
"params": [
{
"data": {
"action": "get",
"resource": "/api/v2/monitor/firewall/policy-lookup/select?&srcintf=vl_lan&protocol=6&protocol_number=6&sourceip=&sourceport=&dest=8.8.8.8&destport=0",
"target": [
"adom/DEMO/device/branch1_fgt"
]
},
"target start": 1,
"url": "sys/proxy/json"
}
],
"session": 11017
}
RESPONSE:
{
"id": "9bddbb32-7a3f-4547-af43-cb9812c9fc81",
"result": [
{
"data": [
{
"response": {
"action": "select",
"build": 8348,
"http_method": "GET",
"name": "policy-lookup",
"path": "firewall",
"results": {
"success": false
},
"serial": "FGVM04REDACTED73",
"status": "success",
"vdom": "root",
"version": "v6.2.3"
},
"status": {
"code": 0,
"message": "OK"
},
"target": "branch1_fgt"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "sys/proxy/json"
}
]
}
Well, we don’t have a match, but at least we can see how the policy lookup was done by fortimanager :-)
9.4.18. Operating the firewall policy Install On column#
This is about replacing the default Installation Targets value of the Install On column by one or more managed devices or device groups.
To operate the Install On column of a firewall policy, recent FortiManager versions offer the following capabilities:
You can click the pen icon to select specific devices or device groups; you can only select devices or device groups being part of the Policy Package’s installation targets
You can right-click and select:
Edit Install On, and in this case, you can select specific devices or device groups; you can only select devices or device groups being part of the Policy Package’s installation targets
Set Install On To Default, and in this case all, devices and devices group set in the Policy Package’s installation targets will be considered
Set Install On To None, and in this case, this firewall policy won’t used at all
In the following screenshot, the pp_branches Policy Package is shared with
some managed devices:
Policy ID 1 will be installed on all managed devices specified in the installation targets list of this policy package (i.e. set to Default).
Policy ID 2 won’t be installed since its Install On column is empty (i.e. set to None)
Policy ID 2 will be installed on device
branch11only.
9.4.18.1. How to get the existing values for the Install On column?#
You just have to pass the option scope member when getting the firewall
policies information.
It works when getting the firewall policy table.
For instance, to get the first three firewall policies from the ppkg_001
Policy Package in the dc_jani ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"comments"
],
"loadsub": 0,
"option": [
"scope member"
],
"range": [
0,
3
],
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"comments": "Install On: dev_003, dev_004",
"name": "Policy_001",
"obj flags": 16,
"obj seq": 1,
"oid": 5916,
"policyid": 1,
"scope member": [
{
"name": "dev_003",
"vdom": "root"
},
{
"name": "dev_004",
"vdom": "root"
}
]
},
{
"comments": "Install On: Installation Targets (Default)",
"name": "Policy_002",
"obj seq": 2,
"oid": 5917,
"policyid": 2
},
{
"comments": "Install On: None",
"name": "Policy_003",
"obj seq": 3,
"oid": 5918,
"policyid": 3,
"scope member": []
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy"
}
]
}
This output shows the FortiManager behavior when it returns firewall policies with specific devices, the Default, or the None target in the Install On column.
There is a
scope membershowing up when the policy is having its cell Install On set with managed devices and/or device groups (see firewall policy withpolicyid1)There’s no
scope memberreturned when the firewall policy is having its cell Install On set with Default (see firewall policy withpolicyid2)There is an empty
scope memberreturned when the firewall policy is having its cell Install On set to None (see firewall policy withpolicyid3)
Note
With FortiManager 6, when the Install On cell was set with None, then the
response was not having any scope member returned.
In that case, how could you figure out whether you were in the Default Installation Targets situation or the None one?
You add to check for the presence of the obj flags attribute (see
#0305108).
When you’re in the Default Installation Targets case, this is what you should get:
[...]
"obj flags": 16,
[...]
Here the "obj flags": 16 confirms there’s a scope member but since,
it is using the Default value, it is not showing up.
Hence, it’s normal not to have any scope member returned.
You could interprete the above output as:
[...]
"scope member": null,
[...]
When you’re in the None case, this is what we should get:
[...]
[...]
Here the absence of "obj flags": 16 clearly indicates there is no scope
member at all.
Hence, it’s normal not to have the scope member nor the obj flags.
You could interprete the above output as:
[...]
"scope member": [],
[...]
The empty array clearly shows the scope member is empty (i.e. None).
You will have to wait for FortiManager 7.0.11/7.2.5/7.4.3 (#0953665) to get a more meaningful response.
It also works when getting a specific firewall policy by policyid.
For instance, to firewall policy with policyid 3, from the ppkg_001
Policy Package in the dc_jani ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"policyid",
"comments"
],
"loadsub": 0,
"option": [
"scope member"
],
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy/3"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": {
"comments": "Install On: None",
"name": "Policy_003",
"obj flags": 16,
"obj seq": 3,
"oid": 5918,
"policyid": 3,
"scope member": []
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_jani/pkg/pkg_001/firewall/policy/3"
}
]
}
Note
In this case, firewall policy with
policyid3is having its Install On column set to NoneNow an explicit empty
scope memberlist is returned
9.4.18.2. How to change the Install On column?#
Now that you know how to get the Install On value for any situations, let’s see how to change it.
You want the branch11 managed device to be the unique target for policy ID 2.
With FortiManager version lesser than 6.0, the very first time (i.e. when we
replace the default Installation Targets value by a specific managed device),
we have to use method set or update:
{
"id": 1,
"method": "set",
"params": [
{
"data": [
{
"name": "branch11",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
Note
You just need to append the
scope memberat the end of the main URL to operate the Install On column
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
You can review your Policy Package with the FortiManager GUI, policy seq #2 (i.e. policyid 2) should have branch11 showing up in the Install On column.
But if you keep using update or set to add additional managed devices,
we’re going to overwrite the existing list of managed devices placed in the
scope member table.
So once default Installation Target value is replaced by one or multiple
managed devices (i.e. the scope member table has been created) we can keep
adding additional managed devices on top of the existing ones, by using the
method add.
Starting with FMG 6.0.0, it is possible to use method add even when the
Install On column is having its default value (i.e. Installation Targets) -
(#0482431).
Now that you have added branch11 in the Install Column of policy ID 2, add additional devices.
You need to use the add method with the devices (one or multiple) you want to add:
{
"id": 1,
"method": "add",
"params": [
{
"data": [
{
"name": "branch12",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 is now having branch11 and branch12 under column Install
On.
It’s possible to add multiple firewalls:
{
"id": 1,
"method": "add",
"params": [
{
"data": [
{
"name": "branch13",
"vdom": "root"
},
{
"name": "branch14",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 is now having branch11, branch12, branch13 and
branch14 under column Install On.
To delete a specific target from the scope member table, you can use the
method delete:
{
"id": 1,
"method": "delete",
"params": [
{
"data": [
{
"name": "branch14",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 is now having branch11, branch12 and branch13 under
column Install On.
It’s possible to delete multiple firewalls:
{
"id": 1,
"method": "delete",
"params": [
{
"data": [
{
"name": "branch12",
"vdom": "root"
},
{
"name": "branch13",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
Policy seq #2 is now having branch11 under column Install On.
To set Install On to None (i.e. to empty the cell), you can use the method
set with an empty list:
{
"id": 1,
"method": "set",
"params": [
{
"data": [
{}
],
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
To get back the default value of Install On (i.e. Installation Targets), you
just need to unset:
{
"id": 1,
"method": "unset",
"params": [
{
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pp_branches/firewall/policy/2/scope member"
}
]
}
9.4.19. How to get the firewall policies along with used object definitions?#
When you just get the firewall policies, FortiManager just return something like:
[...]
"srcaddr": ["object1", "object2", ...]
[...]
But you don’t get what’s behind objects object1 and object2.
Should you want to get object definitions at the time you get the firewall
policies, just use the expand datasrc as shown below:
{
"id": 1,
"method": "get",
"params": [
{
"expand datasrc": [
{
"datasrc": [
{
"fields": [
"name",
"subnet",
"comment",
"color"
],
"obj type": "firewall address"
}
],
"name": "srcaddr"
},
{
"datasrc": [
{
"fields": [
"name",
"subnet",
"comment",
"color"
],
"obj type": "firewall address"
}
],
"name": "dstaddr"
},
{
"datasrc": [
{
"fields": [
"name",
"description",
"wildcar",
"wildcard-intf",
"default-mapping",
"defmap-intf",
"color"
],
"obj type": "dynamic interface"
}
],
"name": "srcintf"
},
{
"datasrc": [
{
"fields": [
"name",
"description",
"wildcar",
"wildcard-intf",
"default-mapping",
"defmap-intf",
"color"
],
"obj type": "dynamic interface"
}
],
"name": "dstintf"
},
{
"datasrc": [
{
"fields": [
"name",
"tcp-portrange",
"color",
"comment"
],
"obj type": "firewall service custom"
}
],
"name": "service"
},
{
"datasrc": [
{
"fields": [
"name",
"day",
"color"
],
"obj type": "firewall schedule recurring"
}
],
"name": "schedule"
},
{
"datasrc": [
{
"obj type": "ips sensor"
}
],
"name": "ips-sensor"
},
{
"datasrc": [
{
"obj type": "webfilter profile"
}
],
"name": "webfilter-profile"
}
],
"fields": [
"name",
"policyid",
"srcintf",
"dstintf",
"srcaddr",
"dstaddr",
"service",
"action",
"schedule",
"utm-status",
"logtraffic-start",
"webfilter-profile",
"ips-sensor",
"global-label",
"comments"
],
"loadsub": 0,
"range": null,
"url": "/pm/config/adom/deutsche_bank_benchmark/pkg/ppkg_001/firewall/policy/"
}
],
"session": "qk4LfxNkgZuewjwk7mp4Vt4e+f2OJR3Bvo/xdj73PN5pul8AZq7a58qp4LJ+DwvJHIvT1r17SAoGYjKyTueJGw==",
"verbose": 1
}
{
"id": 1,
"result": [
{
"data": [
{
"action": "accept",
"comments": "Created with FMG API",
"dstaddr": [
{
"color": 28,
"comment": "Created with FMG API",
"name": "tc_004_dst_000001",
"obj type": "firewall address",
"subnet": [
"10.0.0.1",
"255.255.255.255"
]
}
],
"dstintf": [
{
"color": 16,
"default-mapping": "enable",
"defmap-intf": "wan",
"description": "Created with FortiManager Ansible",
"name": "wan",
"obj type": "dynamic interface",
"wildcard-intf": "wan"
}
],
"global-label": "Project #1",
"ips-sensor": [
{
"_baseline": [],
"block-malicious-url": "disable",
"comment": "Prevent critical attacks.",
"extended-log": "disable",
"name": "default",
"obj type": "ips sensor",
"replacemsg-group": [],
"scan-botnet-connections": "disable"
}
],
"logtraffic-start": "enable",
"name": "Policy_000001",
"obj seq": 1,
"policyid": 1,
"schedule": [
{
"color": 0,
"day": [
"sunday",
"monday",
"tuesday",
"wednesday",
"thursday",
"friday",
"saturday"
],
"name": "always",
"obj type": "firewall schedule recurring"
}
],
"service": [
{
"color": 0,
"comment": null,
"name": "ALL",
"obj seq": 1,
"obj type": "firewall service custom",
"tcp-portrange": [],
"unset attrs": [
"icmptype",
"icmpcode"
]
}
],
"srcaddr": [
{
"color": 18,
"comment": "Created with FMG API",
"name": "tc_004_src_000001",
"obj type": "firewall address",
"subnet": [
"10.0.0.1",
"255.255.255.255"
]
}
],
"srcintf": [
{
"color": 6,
"default-mapping": "enable",
"defmap-intf": "lan",
"description": "Created with FortiManager Ansible",
"name": "lan",
"obj type": "dynamic interface",
"wildcard-intf": "lan"
}
],
"utm-status": "enable",
"webfilter-profile": [
{
"comment": "Default web filtering.",
"extended-log": "disable",
"https-replacemsg": "enable",
"log-all-url": "disable",
"name": "default",
"obj type": "webfilter profile",
"options": null,
"ovrd-perm": null,
"post-action": "normal",
"replacemsg-group": [],
"web-content-log": "enable",
"web-extended-all-action-log": "disable",
"web-filter-activex-log": "enable",
"web-filter-applet-log": "enable",
"web-filter-command-block-log": "enable",
"web-filter-cookie-log": "enable",
"web-filter-cookie-removal-log": "enable",
"web-filter-js-log": "enable",
"web-filter-jscript-log": "enable",
"web-filter-referer-log": "enable",
"web-filter-unknown-log": "enable",
"web-filter-vbs-log": "enable",
"web-ftgd-err-log": "enable",
"web-ftgd-quota-usage": "enable",
"web-invalid-domain-log": "enable",
"web-url-log": "enable",
"wisp": "disable",
"wisp-algorithm": "auto-learning",
"wisp-servers": [],
"youtube-channel-status": "disable"
}
]
},
[...]
As you can see, it’s quite a tedious process because you need to specify not
only all the fields (like srcaddr, dstaddr, srcintf, etc.) you want
details for but also all the expected object types (like firewall address,
firewall addrgrp, etc.) you require details on.
Starting with FortiManager 7.6.1 you can just get the firewall policy with the
get referred object map option (#1072681) as shown in the following example:
{
"id": 3,
"method": "get",
"params": [
{
"option": [
"get referred object map"
],
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/policy/1"
}
],
"session": "{{session}}",
"verbose": 1
}
Click to expand
{
"id": 3,
"result": [
{
"data": {
"_byte": 0,
"_first_hit": 0,
"_first_session": 0,
"_global-dst-intf": null,
"_global-label-color": 2,
"_global-src-intf": null,
"_global-vpn": [],
"_global-vpn-tgt": null,
"_hitcount": 0,
"_label-color": 0,
"_last_hit": 0,
"_last_session": 0,
"_pkts": 0,
"_sesscount": 0,
"action": "accept",
"anti-replay": "enable",
"application-list": [
"default"
],
"auto-asic-offload": "enable",
"av-profile": [],
"block-notification": "disable",
"captive-portal-exempt": "disable",
"capture-packet": "disable",
"cgn-resource-quota": 16,
"cgn-session-quota": 16777215,
"cgn-sw-eif-ctrl": "disable",
"custom-log-fields": [],
"delay-tcp-npu-session": "disable",
"diameter-filter-profile": [],
"diffserv-copy": "disable",
"diffserv-forward": "disable",
"diffserv-reverse": "disable",
"disclaimer": "disable",
"dlp-profile": [],
"dnsfilter-profile": [],
"dsri": "disable",
"dstaddr": [
"host_101",
"grp_ab"
],
"dstaddr-negate": "disable",
"dstaddr6": [],
"dstaddr6-negate": "disable",
"dstintf": [
"wan"
],
"dynamic-shaping": "disable",
"email-collect": "disable",
"emailfilter-profile": [],
"fec": "disable",
"file-filter-profile": [],
"fsso-agent-for-ntlm": [],
"fsso-groups": [],
"geoip-anycast": "disable",
"geoip-match": "physical-location",
"global-label": "Project #1",
"groups": [],
"internet-service": "disable",
"internet-service-src": "disable",
"internet-service-src-name": [],
"internet-service6": "disable",
"internet-service6-src": "disable",
"ip-version-type": "ipv4",
"ips-sensor": [],
"ips-voip-filter": [],
"label": "Project #1",
"log-http-transaction": "disable",
"logtraffic": "all",
"logtraffic-start": "disable",
"match-vip": "enable",
"match-vip-only": "disable",
"name": "Policy_001",
"nat": "disable",
"nat46": "disable",
"nat64": "disable",
"natip": [
"0.0.0.0",
"0.0.0.0"
],
"np-acceleration": "enable",
"obj seq": 1,
"oid": 5829,
"passive-wan-health-measurement": "disable",
"pcp-inbound": "disable",
"pcp-outbound": "disable",
"pcp-poolname": [],
"per-ip-shaper": [],
"permit-any-host": "disable",
"policy-behaviour-type": "standard",
"policy-expiry": "disable",
"policy-expiry-date": "0000-00-00 00:00:00",
"policy-expiry-date-utc": null,
"policyid": 1,
"port-preserve": "enable",
"profile-protocol-options": [
"default"
],
"profile-type": "single",
"radius-ip-auth-bypass": "disable",
"radius-mac-auth-bypass": "disable",
"referred object map": {
"application/list": [
{
"app-replacemsg": "enable",
"comment": "Monitor all applications.",
"control-default-network-services": "disable",
"deep-app-inspection": "enable",
"default-network-services": null,
"enforce-default-app-port": "disable",
"entries": [
{
"action": "pass",
"application": [],
"behavior": [
"all"
],
"category": [],
"exclusion": [],
"id": 1,
"log": "enable",
"log-packet": "disable",
"obj seq": 1,
"oid": 3564,
"parameters": null,
"per-ip-shaper": [],
"popularity": [
"1",
"2",
"3",
"4",
"5"
],
"protocols": [
"all"
],
"quarantine": "none",
"quarantine-expiry": "5m",
"quarantine-log": "enable",
"rate-count": 0,
"rate-duration": 60,
"rate-mode": "continuous",
"rate-track": "none",
"risk": [],
"session-ttl": 0,
"shaper": [],
"shaper-reverse": [],
"technology": [
"all"
],
"vendor": [
"all"
]
}
],
"extended-log": "disable",
"force-inclusion-ssl-di-sigs": "disable",
"name": "default",
"oid": 3563,
"options": "allow-dns",
"other-application-action": "pass",
"other-application-log": "disable",
"p2p-block-list": null,
"replacemsg-group": [],
"unknown-application-action": "pass",
"unknown-application-log": "disable"
}
],
"dynamic/certificate/local": [
{
"description": null,
"dynamic_mapping": null,
"name": "Fortinet_CA_SSL",
"oid": 5344
},
{
"description": null,
"dynamic_mapping": null,
"name": "Fortinet_CA_Untrusted",
"oid": 5345
}
],
"dynamic/interface": [
{
"color": 0,
"default-mapping": "enable",
"defmap-intf": "port2",
"defmap-intrazone-deny": null,
"defmap-zonemember": [],
"description": "added by creating adom",
"dynamic_mapping": null,
"egress-shaping-profile": [],
"ingress-shaping-profile": [],
"name": "lan",
"oid": 3129,
"platform_mapping": [
{
"egress-shaping-profile": [],
"intf-zone": "lan",
"name": "FortiGateRugged-70F",
"oid": 3130
},
{
"egress-shaping-profile": [],
"intf-zone": "lan",
"name": "FortiGateRugged-70F-3G4G",
"oid": 3141
}
],
"single-intf": "enable",
"wildcard": "disable",
"wildcard-intf": null,
"zone-only": "disable"
},
{
"color": 0,
"default-mapping": "enable",
"defmap-intf": "port1",
"defmap-intrazone-deny": "disable",
"defmap-zonemember": [],
"description": "added by creating adom",
"dynamic_mapping": null,
"egress-shaping-profile": [],
"ingress-shaping-profile": [],
"name": "wan",
"oid": 112,
"platform_mapping": [
{
"egress-shaping-profile": [],
"intf-zone": "wan",
"intrazone-deny": "disable",
"name": "FortiGate-40F",
"oid": 113
},
{
"egress-shaping-profile": [],
"intf-zone": "wan",
"intrazone-deny": "disable",
"name": "FortiGate-40F-3G4G",
"oid": 121
},
{
"egress-shaping-profile": [],
"intf-zone": "wan",
"intrazone-deny": "disable",
"name": "FortiWiFi-40F",
"oid": 3147
},
{
"egress-shaping-profile": [],
"intf-zone": "wan",
"intrazone-deny": "disable",
"name": "FortiWiFi-40F-3G4G",
"oid": 3154
}
],
"single-intf": "enable",
"wildcard": "disable",
"wildcard-intf": null,
"zone-only": "disable"
}
],
"firewall/address": [
{
"_image-base64": null,
"allow-routing": "disable",
"associated-interface": [
"any"
],
"clearpass-spt": "unknown",
"color": 9,
"comment": null,
"dirty": "dirty",
"dynamic_mapping": null,
"fabric-object": "disable",
"hw-model": null,
"hw-vendor": null,
"list": null,
"name": "host_001",
"node-ip-only": "disable",
"obj-tag": null,
"obj-type": "ip",
"oid": 5527,
"organization": null,
"os": null,
"policy-group": null,
"route-tag": 0,
"subnet": [
"21.103.33.206",
"255.255.255.255"
],
"subnet-name": null,
"sw-version": null,
"tag-detection-level": null,
"tag-type": null,
"tagging": null,
"type": "ipmask",
"uuid": "9ca639b8-771c-51ef-6788-2dfe06e592df"
},
{
"_image-base64": null,
"allow-routing": "disable",
"associated-interface": [
"any"
],
"clearpass-spt": "unknown",
"color": 7,
"comment": "This is a change",
"dirty": "dirty",
"dynamic_mapping": null,
"fabric-object": "disable",
"hw-model": null,
"hw-vendor": null,
"list": null,
"name": "host_002",
"node-ip-only": "disable",
"obj-tag": null,
"obj-type": "ip",
"oid": 5528,
"organization": null,
"os": null,
"policy-group": null,
"route-tag": 0,
"subnet": [
"157.112.175.196",
"255.255.255.255"
],
"subnet-name": null,
"sw-version": null,
"tag-detection-level": null,
"tag-type": null,
"tagging": null,
"type": "ipmask",
"uuid": "9caa2802-771c-51ef-60cd-54a46be4666b"
},
{
"_image-base64": null,
"allow-routing": "disable",
"associated-interface": [
"any"
],
"clearpass-spt": "unknown",
"color": 32,
"comment": null,
"dirty": "dirty",
"dynamic_mapping": null,
"fabric-object": "disable",
"hw-model": null,
"hw-vendor": null,
"list": null,
"name": "host_003",
"node-ip-only": "disable",
"obj-tag": null,
"obj-type": "ip",
"oid": 5529,
"organization": null,
"os": null,
"policy-group": null,
"route-tag": 0,
"subnet": [
"47.61.8.231",
"255.255.255.255"
],
"subnet-name": null,
"sw-version": null,
"tag-detection-level": null,
"tag-type": null,
"tagging": null,
"type": "ipmask",
"uuid": "9caab40c-771c-51ef-ab7f-99d5fe4018ff"
},
{
"_image-base64": null,
"allow-routing": "disable",
"associated-interface": [
"any"
],
"clearpass-spt": "unknown",
"color": 9,
"comment": null,
"dirty": "dirty",
"dynamic_mapping": null,
"fabric-object": "disable",
"hw-model": null,
"hw-vendor": null,
"list": null,
"name": "host_004",
"node-ip-only": "disable",
"obj-tag": null,
"obj-type": "ip",
"oid": 5530,
"organization": null,
"os": null,
"policy-group": null,
"route-tag": 0,
"subnet": [
"120.63.87.108",
"255.255.255.255"
],
"subnet-name": null,
"sw-version": null,
"tag-detection-level": null,
"tag-type": null,
"tagging": null,
"type": "ipmask",
"uuid": "9caafeee-771c-51ef-6502-25519b568d79"
},
{
"_image-base64": null,
"allow-routing": "disable",
"associated-interface": [
"any"
],
"clearpass-spt": "unknown",
"color": 2,
"comment": null,
"dirty": "dirty",
"dynamic_mapping": null,
"fabric-object": "disable",
"hw-model": null,
"hw-vendor": null,
"list": null,
"name": "host_005",
"node-ip-only": "disable",
"obj-tag": null,
"obj-type": "ip",
"oid": 5531,
"organization": null,
"os": null,
"policy-group": null,
"route-tag": 0,
"subnet": [
"110.128.128.181",
"255.255.255.255"
],
"subnet-name": null,
"sw-version": null,
"tag-detection-level": null,
"tag-type": null,
"tagging": null,
"type": "ipmask",
"uuid": "9cab354e-771c-51ef-6c0a-f737f60ca843"
},
{
"_image-base64": null,
"allow-routing": "disable",
"associated-interface": [
"any"
],
"clearpass-spt": "unknown",
"color": 5,
"comment": null,
"dirty": "dirty",
"dynamic_mapping": null,
"fabric-object": "disable",
"hw-model": null,
"hw-vendor": null,
"list": null,
"name": "host_006",
"node-ip-only": "disable",
"obj-tag": null,
"obj-type": "ip",
"oid": 5532,
"organization": null,
"os": null,
"policy-group": null,
"route-tag": 0,
"subnet": [
"8.97.206.227",
"255.255.255.255"
],
"subnet-name": null,
"sw-version": null,
"tag-detection-level": null,
"tag-type": null,
"tagging": null,
"type": "ipmask",
"uuid": "9cab6726-771c-51ef-37c1-57fcd757d248"
},
{
"_image-base64": null,
"allow-routing": "disable",
"associated-interface": [
"any"
],
"clearpass-spt": "unknown",
"color": 2,
"comment": null,
"dirty": "dirty",
"dynamic_mapping": null,
"fabric-object": "disable",
"hw-model": null,
"hw-vendor": null,
"list": null,
"name": "host_101",
"node-ip-only": "disable",
"obj-tag": null,
"obj-type": "ip",
"oid": 5627,
"organization": null,
"os": null,
"policy-group": null,
"route-tag": 0,
"subnet": [
"88.240.225.7",
"255.255.255.255"
],
"subnet-name": null,
"sw-version": null,
"tag-detection-level": null,
"tag-type": null,
"tagging": null,
"type": "ipmask",
"uuid": "9cbddae6-771c-51ef-7053-502bbf80d022"
}
],
"firewall/addrgrp": [
{
"_image-base64": null,
"allow-routing": "disable",
"category": "default",
"color": 0,
"comment": null,
"dynamic_mapping": null,
"exclude": "disable",
"exclude-member": [],
"fabric-object": "disable",
"member": [
"host_001",
"host_002",
"host_003"
],
"name": "grp_a",
"oid": 6075,
"tagging": null,
"type": "default",
"uuid": "ad10d1fa-803b-51ef-fea9-e2358ffbff9f"
},
{
"_image-base64": null,
"allow-routing": "disable",
"category": "default",
"color": 0,
"comment": null,
"dynamic_mapping": null,
"exclude": "disable",
"exclude-member": [],
"fabric-object": "disable",
"member": [
"grp_b",
"grp_a"
],
"name": "grp_ab",
"oid": 6077,
"tagging": null,
"type": "default",
"uuid": "c610450a-803b-51ef-56b9-f5ee2b3929d4"
},
{
"_image-base64": null,
"allow-routing": "disable",
"category": "default",
"color": 0,
"comment": null,
"dynamic_mapping": null,
"exclude": "disable",
"exclude-member": [],
"fabric-object": "disable",
"member": [
"host_004",
"host_005",
"host_006"
],
"name": "grp_b",
"oid": 6076,
"tagging": null,
"type": "default",
"uuid": "bbee4090-803b-51ef-4714-ef244f0d9bdf"
}
],
"firewall/profile-protocol-options": [
{
"cifs": {
"domain-controller": [],
"oid": 4335,
"oversize-limit": 10,
"ports": [
445
],
"scan-bzip2": "enable",
"server-credential-type": "none",
"server-keytab": null,
"status": "enable",
"tcp-window-maximum": 8388608,
"tcp-window-minimum": 131072,
"tcp-window-size": 262144,
"tcp-window-type": "auto-tuning",
"uncompressed-nest-limit": 12,
"uncompressed-oversize-limit": 10
},
"comment": "All default services.",
"dns": {
"oid": 4333,
"ports": [
53
],
"status": "enable"
},
"ftp": {
"comfort-amount": 1,
"comfort-interval": 10,
"explicit-ftp-tls": "disable",
"inspect-all": "disable",
"oid": 4327,
"options": "splice",
"oversize-limit": 10,
"ports": [
21
],
"scan-bzip2": "enable",
"ssl-offloaded": "no",
"status": "enable",
"stream-based-uncompressed-limit": 0,
"tcp-window-maximum": 8388608,
"tcp-window-minimum": 131072,
"tcp-window-size": 262144,
"tcp-window-type": "auto-tuning",
"uncompressed-nest-limit": 12,
"uncompressed-oversize-limit": 10
},
"http": {
"address-ip-rating": "enable",
"block-page-status-code": 403,
"comfort-amount": 1,
"comfort-interval": 10,
"domain-fronting": "block",
"h2c": "disable",
"inspect-all": "disable",
"oid": 4326,
"oversize-limit": 10,
"ports": [
80
],
"proxy-after-tcp-handshake": "disable",
"range-block": "disable",
"retry-count": 0,
"scan-bzip2": "enable",
"ssl-offloaded": "no",
"status": "enable",
"stream-based-uncompressed-limit": 0,
"streaming-content-bypass": "enable",
"strip-x-forwarded-for": "disable",
"switching-protocols": "bypass",
"tcp-window-maximum": 8388608,
"tcp-window-minimum": 131072,
"tcp-window-size": 262144,
"tcp-window-type": "auto-tuning",
"tunnel-non-http": "enable",
"uncompressed-nest-limit": 12,
"uncompressed-oversize-limit": 10,
"unknown-content-encoding": "block",
"unknown-http-version": "reject",
"unset attrs": [
"options",
"post-lang"
],
"verify-dns-for-policy-matching": "enable"
},
"imap": {
"inspect-all": "disable",
"oid": 4328,
"options": "fragmail",
"oversize-limit": 10,
"ports": [
143
],
"proxy-after-tcp-handshake": "disable",
"scan-bzip2": "enable",
"ssl-offloaded": "no",
"status": "enable",
"uncompressed-nest-limit": 12,
"uncompressed-oversize-limit": 10
},
"mail-signature": {
"oid": 4332,
"status": "disable"
},
"mapi": {
"oid": 4334,
"options": "fragmail",
"oversize-limit": 10,
"ports": [
135
],
"scan-bzip2": "enable",
"status": "enable",
"uncompressed-nest-limit": 12,
"uncompressed-oversize-limit": 10
},
"name": "default",
"nntp": {
"inspect-all": "disable",
"oid": 4331,
"options": "splice",
"oversize-limit": 10,
"ports": [
119
],
"proxy-after-tcp-handshake": "disable",
"scan-bzip2": "enable",
"status": "enable",
"uncompressed-nest-limit": 12,
"uncompressed-oversize-limit": 10
},
"oid": 4325,
"oversize-log": "disable",
"pop3": {
"inspect-all": "disable",
"oid": 4329,
"options": "fragmail",
"oversize-limit": 10,
"ports": [
110
],
"proxy-after-tcp-handshake": "disable",
"scan-bzip2": "enable",
"ssl-offloaded": "no",
"status": "enable",
"uncompressed-nest-limit": 12,
"uncompressed-oversize-limit": 10
},
"replacemsg-group": [],
"rpc-over-http": "disable",
"smtp": {
"inspect-all": "disable",
"oid": 4330,
"options": [
"fragmail",
"splice"
],
"oversize-limit": 10,
"ports": [
25
],
"proxy-after-tcp-handshake": "disable",
"scan-bzip2": "enable",
"server-busy": "disable",
"ssl-offloaded": "no",
"status": "enable",
"uncompressed-nest-limit": 12,
"uncompressed-oversize-limit": 10
},
"ssh": {
"comfort-amount": 1,
"comfort-interval": 10,
"oid": 4336,
"oversize-limit": 10,
"scan-bzip2": "enable",
"ssl-offloaded": "no",
"stream-based-uncompressed-limit": 0,
"tcp-window-maximum": 8388608,
"tcp-window-minimum": 131072,
"tcp-window-size": 262144,
"tcp-window-type": "auto-tuning",
"uncompressed-nest-limit": 12,
"uncompressed-oversize-limit": 10
},
"switching-protocols-log": "disable"
}
],
"firewall/schedule/recurring": [
{
"color": 0,
"day": [
"sunday",
"monday",
"tuesday",
"wednesday",
"thursday",
"friday",
"saturday"
],
"end": "00:00",
"fabric-object": "disable",
"name": "always",
"oid": 4322,
"start": "00:00",
"uuid": "10473272-770f-51ef-2dfd-8afbe74b9071"
}
],
"firewall/service/category": [
{
"comment": "General services.",
"fabric-object": "disable",
"name": "General",
"obj seq": 1,
"oid": 3427,
"uuid": "10262ca8-770f-51ef-dba0-5a20b3c513ae"
}
],
"firewall/service/custom": [
{
"app-category": [],
"app-service-type": "disable",
"application": [],
"category": [
"General"
],
"color": 0,
"comment": null,
"fabric-object": "disable",
"fqdn": null,
"helper": "auto",
"iprange": "0.0.0.0",
"name": "ALL",
"obj seq": 1,
"oid": 3437,
"protocol": "IP",
"protocol-number": 0,
"proxy": "disable",
"tcp-rst-timer": 0,
"udp-portrange": [],
"uuid": "102762da-770f-51ef-b08b-bc9b7d703b20"
}
],
"firewall/ssl-ssh-profile": [
{
"allowlist": "disable",
"block-blocklisted-certificates": "enable",
"caname": [
"Fortinet_CA_SSL"
],
"comment": "Read-only profile that does no inspection.",
"dot": {
"cert-validation-failure": "block",
"cert-validation-timeout": "allow",
"client-certificate": "bypass",
"expired-server-cert": "block",
"oid": 4436,
"proxy-after-tcp-handshake": "disable",
"quic": "inspect",
"revoked-server-cert": "block",
"sni-server-cert-check": "enable",
"status": "disable",
"unsupported-ssl-cipher": "allow",
"unsupported-ssl-negotiation": "allow",
"unsupported-ssl-version": "block",
"untrusted-server-cert": "allow"
},
"ech-outer-sni": null,
"ftps": {
"cert-validation-failure": "block",
"cert-validation-timeout": "allow",
"client-certificate": "bypass",
"expired-server-cert": "block",
"min-allowed-ssl-version": "tls-1.1",
"oid": 4431,
"revoked-server-cert": "block",
"sni-server-cert-check": "enable",
"status": "disable",
"unsupported-ssl-cipher": "allow",
"unsupported-ssl-negotiation": "allow",
"unsupported-ssl-version": "block",
"untrusted-server-cert": "allow"
},
"https": {
"cert-probe-failure": "allow",
"cert-validation-failure": "block",
"cert-validation-timeout": "allow",
"client-certificate": "bypass",
"encrypted-client-hello": "block",
"expired-server-cert": "block",
"min-allowed-ssl-version": "tls-1.1",
"oid": 4430,
"proxy-after-tcp-handshake": "disable",
"quic": "bypass",
"revoked-server-cert": "block",
"sni-server-cert-check": "enable",
"status": "disable",
"unsupported-ssl-cipher": "allow",
"unsupported-ssl-negotiation": "allow",
"unsupported-ssl-version": "block",
"untrusted-server-cert": "allow"
},
"imaps": {
"cert-validation-failure": "block",
"cert-validation-timeout": "allow",
"client-certificate": "inspect",
"expired-server-cert": "block",
"oid": 4432,
"proxy-after-tcp-handshake": "disable",
"revoked-server-cert": "block",
"sni-server-cert-check": "enable",
"status": "disable",
"unsupported-ssl-cipher": "allow",
"unsupported-ssl-negotiation": "allow",
"unsupported-ssl-version": "block",
"untrusted-server-cert": "allow"
},
"name": "no-inspection",
"oid": 4428,
"pop3s": {
"cert-validation-failure": "block",
"cert-validation-timeout": "allow",
"client-certificate": "inspect",
"expired-server-cert": "block",
"oid": 4433,
"proxy-after-tcp-handshake": "disable",
"revoked-server-cert": "block",
"sni-server-cert-check": "enable",
"status": "disable",
"unsupported-ssl-cipher": "allow",
"unsupported-ssl-negotiation": "allow",
"unsupported-ssl-version": "block",
"untrusted-server-cert": "allow"
},
"smtps": {
"cert-validation-failure": "block",
"cert-validation-timeout": "allow",
"client-certificate": "inspect",
"expired-server-cert": "block",
"oid": 4434,
"proxy-after-tcp-handshake": "disable",
"revoked-server-cert": "block",
"sni-server-cert-check": "enable",
"status": "disable",
"unsupported-ssl-cipher": "allow",
"unsupported-ssl-negotiation": "allow",
"unsupported-ssl-version": "block",
"untrusted-server-cert": "allow"
},
"ssh": {
"inspect-all": "disable",
"oid": 4435,
"ports": [
22
],
"proxy-after-tcp-handshake": "disable",
"ssh-algorithm": "compatible",
"ssh-tun-policy-check": "disable",
"status": "disable",
"unsupported-version": "bypass"
},
"ssl": {
"cert-probe-failure": "allow",
"client-certificate": "bypass",
"encrypted-client-hello": "block",
"inspect-all": "disable",
"min-allowed-ssl-version": "tls-1.1",
"oid": 4429,
"unsupported-ssl-cipher": "allow",
"unsupported-ssl-negotiation": "allow",
"unsupported-ssl-version": "block"
},
"ssl-anomaly-log": "enable",
"ssl-exempt": null,
"ssl-exemption-ip-rating": "enable",
"ssl-exemption-log": "disable",
"ssl-handshake-log": "disable",
"ssl-negotiation-log": "enable",
"ssl-server": null,
"ssl-server-cert-log": "disable",
"supported-alpn": "all"
}
]
},
"replacemsg-override-group": [],
"reputation-minimum": 0,
"reputation-minimum6": 0,
"rtp-nat": "disable",
"schedule": [
"always"
],
"schedule-timeout": "disable",
"sctp-filter-profile": [],
"service": [
"ALL"
],
"service-negate": "disable",
"session-ttl": "0",
"sgt": [],
"sgt-check": "disable",
"src-vendor-mac": [],
"srcaddr": [
"host_001"
],
"srcaddr-negate": "disable",
"srcaddr6": [],
"srcaddr6-negate": "disable",
"srcintf": [
"lan"
],
"ssl-ssh-profile": [
"no-inspection"
],
"status": "enable",
"tcp-mss-receiver": 0,
"tcp-mss-sender": 0,
"tcp-session-without-syn": "disable",
"timeout-send-rst": "disable",
"tos": "0x00",
"tos-mask": "0x00",
"tos-negate": "disable",
"traffic-shaper": [],
"traffic-shaper-reverse": [],
"users": [],
"utm-status": "enable",
"uuid": "3be6bd5c-771f-51ef-6b7a-ba0ec27ac141",
"virtual-patch-profile": [],
"vlan-cos-fwd": 255,
"vlan-cos-rev": 255,
"vlan-filter": null,
"voip-profile": [],
"vpn_dst_node": null,
"vpn_src_node": null,
"wccp": "disable",
"webcache-https": "disable",
"webfilter-profile": []
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/policy/1"
}
]
}
Note
Look for the
referrer object mapsub-table.You can also use the “cli config” option as shown below:
{ "method": "get", "params": [ { "url": "pm/config/adom/demo/pkg/pkg_001/firewall/policy/1", "option": ["get referred object map", "cli config"] } ] }
9.4.20. Partial Install#
9.4.20.1. Legacy Partial Install API#
9.4.20.1.1. How to partial install a firewall policy?#
The idea behind the partial installation mechanism is to install a very specific object (could be a firewall policy, a firewall address, a firewall address group with members, an UTM profiles, etc.) but not the other pending changes!
The partial installation is mainly for objects maintained in ADOM DB.
To enable it:
config system global
set partial-install enable
set partial-install-force enable
set partial-install-rev enable
end
where:
partial-install:Value
Description
enableEnable the partial installation mechanism
disableDisable the partial installation mechanism
partial-install-force:Value
Description
enableForce the installation of the targetd object along with the pending changes in Device DB
disableIf any pending changes are detected in Device DB, partial installation will be stopped. If no change are detected in Device DB, then partial installation will work normally
partial-install-rev:Value
Description
enableCreate an ADOM Revision
disableDon’t create an ADOM Revision
It is possible to partial install most of the objects maintained in the FortiManager’s ADOM DB.
The generic request is:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"scope": [
{
"name": "{{device}}",
"vdom": "{{vdom}}"
},
{"...", "..."}
],
"target": [
"{{ target }}"
]
},
"url": "/securityconsole/install/objects"
}
],
"session": "{{session}}",
}
where {{ target }} should be replaced by a FortiManager JSON RPC API url.
The partial installation works as defined below:
If the target does exist on the managed device, FortiManager will update it.
If the target doesn’t exist on the managed devices, FortiManager will install it.
If the target is an object with members (think about a firewall address group) and some of the members don’t exist on the managed devices, they will be automatically installed.
The following example shows the generic REQUEST format to partial install a firewall policy:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "{{adom}}",
"scope": [
{
"name": "{{device}}",
"vdom": "{{vdom}}"
}
],
"target": [
"/pm/config/adom/{{adom}}/pkg/{{pkg}}/firewall/policy/{{policyid}}"
]
},
"url": "/securityconsole/install/objects"
}
],
"session": "{{session}}",
}
{
"id": 1,
"result": [
{
"data": {
"task": 184
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects"
}
]
}
Note
New or updated objects belonging to the targeted
policyidobject will be automatically added or updated.
The rest of this section describes the partial install behavior for different cases.
Update of the policy’s properties only
This is the situation before the test:
One policy package with 100 policies already installed on the managed device.
The
commentsofpolicyid5was modified (new comment isTest #005).No other pending changes in ADOM DB.
The partial install is performed against the
policyid5.
This is the installation output we got from FortiManager GUI:
Starting log (Run on device) Start installing dev_001 $ config firewall policy dev_001 (policy) $ edit 5 dev_001 (5) $ set comments "Test #005" dev_001 (5) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, the updated
comments- only - is sent to the managed device
Update of the policy’s properties + new existing objects
This is the situation before the test:
One policy package with 100 policies already installed on the managed device
The
commentsofpolicyid5was modified (new comment isTest #006)Firewall addresse
host_105already used in some of the 99 other policies (hence aleady existing in managed device) have been added in thedstaddrofpolicyid5The partial install is performed against the
policyid5
This is the installation output we got from FortiManager GUI:
Starting log (Run on device) Start installing dev_001 $ config firewall policy dev_001 (policy) $ edit 5 dev_001 (5) $ set dstaddr "host_004" "host_105" dev_001 (5) $ set comments "Test #006" dev_001 (5) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, the updated
commentsis sent to the managed device
As expected, the reference (i.e., name only) of the firewall address
host_105is added in thedstaddr
New objects added in firewall policy + other ADOM DB pending changes
This is the situation before the test:
One policy package with 100 policies already installed on the managed device
New firewall address created:
host_201and placed assrcaddrofpolicyid5Other pending changes in ADOM DB (other policies from same policy package have been modified for instance)
The partial install is performed against the
policyid5
This is the installation output we got from FortiManager GUI:
Starting log (Run on device) Start installing dev_001 $ config firewall address dev_001 (address) $ edit "host_201" dev_001 (host_201) $ set uuid edf0802e-dc52-51ec-eead-9a86a08a872a dev_001 (host_201) $ set color 17 dev_001 (host_201) $ set subnet 145.124.204.58 255.255.255.255 dev_001 (host_201) $ next dev_001 (address) $ end dev_001 $ config firewall policy dev_001 (policy) $ edit 5 dev_001 (5) $ set srcaddr "host_005" "host_201" dev_001 (5) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusions
FortiManager is really in charge! It detected a new firewall address had to be installed on the managed device:
host_201Once the new firewall address is installed, it can be referenced and added as
srcaddrAs expected, other pending changes haven’t been installed!
New more complexe objects added + other ADOM DB pending changes
This is the situation before the test:
One policy package with 100 policies already installed on the managed device
New firewall addresses created:
host_202andhost_203New firewall address group created:
grp_host_20xMembers arehost_202andhost_203Firewall address group
grp_host_20xadded asdstaddrofpolicyid5New IPS profile created:
ips_profile_001New profile group created:
profile_group_001ips_profile_001IPS profile and some other UTM profiles added in theprofile_group_001Profile Groupprofile_group_001Profile Group added inpolicyid5The partial install is performed against the
policyid5
This is the installation output we got from FortiManager GUI:
Starting log (Run on device) Start installing dev_001 $ config firewall address dev_001 (address) $ edit "host_202" dev_001 (host_202) $ set uuid 347190b0-dc53-51ec-137e-2a05a016d500 dev_001 (host_202) $ set color 17 dev_001 (host_202) $ set subnet 145.124.202.58 255.255.255.255 dev_001 (host_202) $ next dev_001 (address) $ edit "host_203" dev_001 (host_203) $ set uuid 3c63b8a2-dc53-51ec-634e-3872e5836416 dev_001 (host_203) $ set color 17 dev_001 (host_203) $ set subnet 145.123.202.58 255.255.255.255 dev_001 (host_203) $ next dev_001 (address) $ end dev_001 $ config firewall addrgrp dev_001 (addrgrp) $ edit "grp_host_20x" dev_001 (grp_host_20x) $ set uuid 469eec38-dc53-51ec-4fcc-3e14b47114a4 dev_001 (grp_host_20x) $ set member "host_202" "host_203" dev_001 (grp_host_20x) $ set color 18 dev_001 (grp_host_20x) $ next dev_001 (addrgrp) $ end dev_001 $ config ips sensor dev_001 (sensor) $ edit "ips_profile_001" dev_001 (ips_profile_001) $ set comment "Prevent critical attacks." dev_001 (ips_profile_001) $ config entries dev_001 (entries) $ edit 1 dev_001 (1) $ set severity medium high critical dev_001 (1) $ next dev_001 (entries) $ end dev_001 (ips_profile_001) $ next dev_001 (sensor) $ end dev_001 $ config firewall profile-group dev_001 (profile-group) $ edit "profile_group_001" dev_001 (profile_group_001) $ set ips-sensor "ips_profile_001" dev_001 (profile_group_001) $ set application-list "default" dev_001 (profile_group_001) $ next dev_001 (profile-group) $ end dev_001 $ config firewall policy dev_001 (policy) $ edit 5 dev_001 (5) $ set dstaddr "grp_host_20x" "host_004" "host_105" dev_001 (5) $ set utm-status enable dev_001 (5) $ set profile-type group dev_001 (5) $ set profile-group "profile_group_001" dev_001 (5) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusions
All new objects have been successfully sent to the managed device
Only
policyid5changes have been sent as expectedOther pending changes haven ‘t been installed!
Partial Install New Firewall Policy
This is the situation before the test:
One policy package with 100 policies already installed on the managed device
A new firewall policy is created, referencing existing (
host_004andhost_104) and new object (host_204)This new firewall policy has been placed between firewall policies with
policyid5and6The partial install is performed against this new firewall policy
This is the installation output we got from FortiManager GUI:
Starting log (Run on device) Start installing dev_001 $ config firewall address dev_001 (address) $ edit "host_204" dev_001 (host_204) $ set uuid dadfea46-dc53-51ec-dee7-d0e7acd6a7da dev_001 (host_204) $ set color 17 dev_001 (host_204) $ set subnet 145.123.202.54 255.255.255.255 dev_001 (host_204) $ next dev_001 (address) $ end dev_001 $ config firewall policy dev_001 (policy) $ edit 101 dev_001 (101) $ set uuid ae0d8f6e-dc53-51ec-af49-7683cdf87a8d dev_001 (101) $ set action accept dev_001 (101) $ set srcintf "port1" dev_001 (101) $ set dstintf "port2" dev_001 (101) $ set srcaddr "host_104" dev_001 (101) $ set dstaddr "host_004" "host_204" dev_001 (101) $ set schedule "always" dev_001 (101) $ set service "ALL" dev_001 (101) $ set logtraffic all dev_001 (101) $ set label "Project #1" dev_001 (101) $ set global-label "Project #1" dev_001 (101) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusions
Partial install also works for new firewall policy!
Warning
New firewall policy has been pushed to managed device and has been placed at the end of the existing firewall policies!
This is not conform to what has been configured in FortiManager: new firewall policy should have been placed between firewall policies with
policyid5and6!The legacy partial install doesn’t support pushing a new firewall policy at a specific position
You have to consider the partial install v2 (see New Partial Install API).
9.4.20.1.2. How to trigger an install preview for a partial install?#
Following example describes how to trigger an install prefiew for the partial
installation of the used host_001 firewall address in the dc_amies ADOM.
It’s a three steps process.
You have to trigger the Partial Install
Below example start the Partial Install process against the host_001
firewall address from the dc_amiens ADOM.
You are expected to know what’s the target device; here it is dut_fgt_02 and
its root VDOM.
You also have to specify the preview flag.
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"adom": "dc_amiens",
"flags": [
"preview"
],
"scope": [
{
"name": "dut_fgt_02",
"vdom": "root"
}
],
"target": [
"/pm/config/adom/dc_amiens/obj/firewall/address/host_001"
]
},
"url": "/securityconsole/install/objects"
}
],
"session": 4902
}
{
"id": 1,
"result": [
{
"data": {
"task": 1244
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/objects"
}
]
}
You are given a task ID that you have to monitor.
Then you need to explicitely ask for a preview report
You just need to specify the target device (dc_fgt_02).
FortiManager will manage to collect the preview information generated via
previous step.
{
"method": "exec",
"params": [
{
"data": {
"adom": "dc_amiens",
"device": "dc_fgt_02",
},
"url": "/securityconsole/install/preview"
}
],
"session": 4902
}
{
"result": [
{
"data": {
"task": 1245
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/install/preview"
}
]
}
You’re also given a task ID that you have to monitor.
Finally, you can obtain the preview report
{
"method": "exec",
"params": [
{
"data": {
"adom": "dc_amiens",
"device": "dut_fgt_02",
"flags": 1024
},
"url": "/securityconsole/preview/result"
}
],
"session": 4902
}
{
"result": [
{
"data": {
"message": "config firewall address\n edit \"host_001\"\n set comment \"Test #001\"\n next\nend\n"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/preview/result"
}
]
}
9.4.21. New Partial Install API#
Note
The new Partial Install API is also named Partial Install v2
9.4.21.1. Introducing the new partial install API#
Starting with FMG 7.4.1, a new partial install API has been implemented.
The former one (see Legacy Partial Install API) is still available.
9.4.21.2. New Partial Install API JSON RPC payload#
This is the generic JSON RPC payload for the new Partial Install API:
{
"method": "exec",
"params": [
{
"data": {
"adom": "<adom>",
"objects": [
["<action>", "<object>", "<relative_position>", "<position>"],
["<other action lines>"]
],
"scope": [
{
"name": "<device>",
"vdom": "<vdom>"
}
],
"flags": <value>,
},
"url": "securityconsole/install/objects/v2"
}
],
"session": "<session>"
}
where:
Item |
Value |
||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
||||||||||
|
Is the object to partial install (a firewall address, a firewall policy, etc.) |
||||||||||
|
Indicate how to place the object with regard to specified This argument is applicable for when action is Possible values are For |
||||||||||
|
Indicate after/before which element to partial install the selected object |
||||||||||
|
Can contains a list of actions! It is possible to combine multiple partial install operations in a single API call |
||||||||||
|
Can have two values
|
Example:
{
"method": "exec",
"params": [
{
"data": {
"adom": "root",
"objects": [
["add", "pkg/default/firewall/policy/8", "before", "1"],
["update", "obj/firewall/address/Addr_1", "", ""],
["delete", "pkg/default/firewall/policy/3", "", ""],
["move", "pkg/default/firewall/policy/6", "after", "3"]
],
"flags": 0
},
"url": "securityconsole/install/objects/v2"
}
],
"session": 52904,
}
In the above example a partial install (flags is 0) is made to:
Add new firewall policy with
policyid8before existing firewall policy withpolicyid1Update existing
Addr_1firewall addressDelete existing firewall policy
policyid3Move existing firewall policy with
policyid6after existing firewall policy withpolicyid3
9.4.21.3. Enable Partial Install#
Enter the following command to enable to Partial Install mechanism:
config system global
set partial-install enable
end
Note
No need to enable the
partial-install-forceNew Partial Install API will only push selected objects and won’t consider the network and system setting changes pending in Device DB
9.4.21.4. Partial install to only install the instructed changes#
Unlike the Legacy Partial Install API, the new Partial Install API will only push selected objects and won’t consider the network and system setting changes pending in Device DB.
The feature has been implemented in FortiManager 7.4.1 (#875715).
9.4.21.4.1. Partial install of a used/updated firewall address#
Preparation
Update the
host_111firewall addressThis object is already used by one of the firewall policy installed in the
dev_001managed deviceIt’s former IP address was
162.148.54.193/255.255.255.255It’s new IP address is
1.1.1.1/255.255.255.255
In FortiManager GUI, from Device Manager, add a new static route in the
dev_001managed device:config router static edit 2 set dst 10.0.1.0 255.255.255.0 set gateway 172.16.65.1 set device port1 next end
Note
You’re now in a situation where you have both ADOM DB (
host_111) and Device DB (dev_001router.statictable) pending changes
Trigger a new partial install
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "root", "flags": 0, "objects": [ [ "update", "obj/firewall/address/host_111", "", "" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
The
scopeblock is optionalIf not used, FortiManager will manage to figure out what are the managed devices using this object
Action is
updatebecause it’s an existing but updated firewall address
{ "id": 3, "result": [ { "data": { "task": 13 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
The task completed successfully
This is the View Installation Log output:
Starting log (Run on device) Start installing dev_001 $ config firewall address dev_001 (address) $ edit "host_111" dev_001 (host_111) $ set subnet 1.1.1.1 255.255.255.255 dev_001 (host_111) $ next dev_001 (address) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, FortiManager only installed the selected and updated
host_111firewall addressPending static route wasn’t installed against the
dev_001managed device
9.4.21.4.2. Partial install of an used/updated firewall policy with new/used/updated firewall addresses#
Preparation
Create the
host_201firewall addressconfig firewall address edit host_201 set subnet 21.103.33.206/32 set color 9 next endNavigate to the
ppkg_001policy packageEdit policy seq #2 (
policyidshould be2as well)Add
host_201(new object) in the Source columnAdd
host_006(used object) in the Destination column
The
dev_001managed device still has the static route pointing to10. 0.1.0/24created earlier
Note
You’re now in a situation where you have both ADOM DB (
host_201firewall address and modifiedppkg_001Policy Package) and Device DB (dev_001router.statictable) pending changes
Trigger a new partial install
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "root", "flags": 0, "objects": [ [ "update", "pkg/ppkg_001/firewall/policy/2", "", "" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
objectsaction isupdatebecause it’s an existing but updated firewall policy
{ "id": 2, "result": [ { "data": { "task": 14 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
The task completed successfully
This is the View Installation Log output:
Starting log (Run on device) Start installing FGVM04TM23004347 $ config firewall address FGVM04TM23004347 (address) $ edit "host_201" FGVM04TM23004347 (host_201) $ set uuid 347c4a0c-5847-51ee-d296-f1b66bde8f41 FGVM04TM23004347 (host_201) $ set color 10 FGVM04TM23004347 (host_201) $ set subnet 21.103.33.206 255.255.255.255 FGVM04TM23004347 (host_201) $ next FGVM04TM23004347 (address) $ end FGVM04TM23004347 $ config firewall policy FGVM04TM23004347 (policy) $ edit 2 FGVM04TM23004347 (2) $ set srcaddr "host_002" "host_201" FGVM04TM23004347 (2) $ set dstaddr "host_006" "host_102" FGVM04TM23004347 (2) $ next FGVM04TM23004347 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, FortiManager only installed the selected and updated
policyid2Pending static route wasn’t installed against the
dev_001managed device
9.4.21.5. Partial install to support install + move policy#
The Legacy Partial Install API was supporting to partial install a new firewall policy created within a Policy Package at a specific position in the existing list of firewall policies.
However, this new policy was successfully created in the managed device, but at the last position. See Partial Install New Firewall Policy.
The new Partial Install API now support to specify the placement details.
The feature has been implemented in FortiManager 7.4.1 (#875716).
9.4.21.5.1. Partial install of a new policy with new/used/updated firewall addresses#
Preparation
Create the
host_202firewall addressconfig firewall address edit host_202 set subnet 22.103.33.206/32 set color 9 next endEdit the
host_003firewall addressFormer IP address was:
47.61.8.231/255.255.255.255New IP address is:
1.1.1.1/32
Create the
grp_001firewall address group withhost_050andhost_51address groupClone the
defaultIPS profile intoips_profile_001- Edit the cloned
ips_profile_001 Click Create New
Enable Packet logging
Set Status to Enable
- Edit the cloned
Navigate to the
ppkg_001policy packageInsert a new firewall policy after policy seq #10 (
policyidshould be10as well)Newly inserted policy shows up with
policyid101and with seq #11Enable it
Set Name column to
Policy_101In the Source column, add firewall addresses: -
host_202(new firewall address) -host_001(used firewall address)In the Destination column, add: -
host_003(updated firewall address) -grp_001(new firewall address group of used firewall addresses)Set Action to Accept
Add
ips_sensor_001IPS profile in the Security Profiles column
This is the resulting new firewall policy:
The
dev_001managed device still has the static route pointing to10.0.1.0/24created earlier
Trigger partial install
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "flags": 0, "objects": [ [ "add", "pkg/ppkg_001/firewall/policy/101", "after", "10" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
Action is
addbecause it’s a new firewall policy
{ "id": 3, "result": [ { "data": { "task": 15 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
The task completed successfully
This is the View Installation Log output:
Starting log (Run on device) Start installing dev_001 $ config firewall address dev_001 (address) $ edit "host_003" dev_001 (host_003) $ set subnet 1.1.1.1 255.255.255.255 dev_001 (host_003) $ next dev_001 (address) $ edit "host_202" dev_001 (host_202) $ set uuid 4f701070-584a-51ee-a929-d2686f6d80d5 dev_001 (host_202) $ set color 30 dev_001 (host_202) $ set subnet 22.103.33.206 255.255.255.255 dev_001 (host_202) $ next dev_001 (address) $ end dev_001 $ config firewall addrgrp dev_001 (addrgrp) $ edit "grp_001" dev_001 (grp_001) $ set uuid 6dc5814a-584a-51ee-d6c7-da84f06b12a3 dev_001 (grp_001) $ set member "host_050" "host_051" dev_001 (grp_001) $ set color 30 dev_001 (grp_001) $ next dev_001 (addrgrp) $ end dev_001 $ config ips sensor dev_001 (sensor) $ edit "ips_profile_001" dev_001 (ips_profile_001) $ set comment "Prevent critical attacks." dev_001 (ips_profile_001) $ config entries dev_001 (entries) $ edit 1 dev_001 (1) $ set severity medium high critical dev_001 (1) $ next dev_001 (entries) $ edit 2 dev_001 (2) $ set status enable dev_001 (2) $ set log-packet enable dev_001 (2) $ next dev_001 (entries) $ end dev_001 (ips_profile_001) $ next dev_001 (sensor) $ end dev_001 $ config firewall policy dev_001 (policy) $ edit 101 dev_001 (101) $ set name "Policy_101" dev_001 (101) $ set uuid a045d39a-584a-51ee-4ca0-ca6a56de0f60 dev_001 (101) $ set action accept dev_001 (101) $ set srcintf "port2" dev_001 (101) $ set dstintf "port1" dev_001 (101) $ set srcaddr "host_001" "host_202" dev_001 (101) $ set dstaddr "host_003" "grp_001" dev_001 (101) $ set schedule "always" dev_001 (101) $ set service "ALL" dev_001 (101) $ set utm-status enable dev_001 (101) $ set logtraffic all dev_001 (101) $ set label "Project #1" dev_001 (101) $ set global-label "Project #1" node_check_object fail! for global-label Project #1 value parse error before 'Project #1' Command fail. Return code -7 dev_001 (101) $ set ips-sensor "ips_profile_001" dev_001 (101) $ next dev_001 (policy) $ move 101 after 10 dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, FortiManager only installed the new firewall policy and all its new and updated objects, at the correct location
This is same firewall policy seen from FortiGate GUI:
Pending static route wasn’t installed against the
dev_001managed device
9.4.21.5.2. Partial install of a deleted firewall policy#
Preparation
Navigate to the
ppkg_001policy packageDelete firewall policy seq #11 (
policyidshould be101)The
dev_001managed device still has the static route pointing to10.0.1.0/24created earlier
Trigger partial install
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "flags": 0, "objects": [ [ "delete", "pkg/ppkg_001/firewall/policy/101", "", "" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
Action is
deletebecause it’s non existing (just deleted) firewall policy
{ "id": 3, "result": [ { "data": { "task": 16 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
The task completed successfully
This is the View Installation Log output:
Starting log (Run on device) Start installing dev_001 $ config firewall policy dev_001 (policy) $ delete 101 dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, FortiManager only deleted the selected firewall policy
FortiManager didn’t delete the now unused: -
host_202firewall address -grp_001firewall address group -ips_profile_001IPS profileThey will be removed during a normal Policy Package install
Pending static route wasn’t installed against the
dev_001managed device
9.4.21.5.3. Partial install of an updated policy#
The selected policy seq #2 (policyid should be 2) is the only one to use
the host_201 firewall address.
The host_201 firewall address will be removed from the selected policy (but
not deleted from the ADOM DB).
Goal is the observe the partial install behavior: will it delete the unused
host_201 firewall address from the managed device?
Preparation
Navigate to the
ppkg_001policy packageRemove the
host_201firewall address from the Source column of policy seq #2 (policyidshould be2)The
dev_001managed device still has the static route pointing to10.0.1.0/24created earlier
Trigger partial install
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "flags": 0, "objects": [ [ "update", "pkg/ppkg_001/firewall/policy/2", "", "" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
Action is
updatebecause it’s an existing but updated firewall policy{ "id": 3, "result": [ { "data": { "task": 17 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
The task completed successfully
This is the View Installation Log output:
Starting log (Run on device) Start installing dev_001 $ config firewall policy dev_001 (policy) $ edit 2 dev_001 (2) $ set srcaddr "host_002" dev_001 (2) $ next dev_001 (policy) $ end ---> generating verification report <--- done generating verification report install finished
Conclusion
As expected, FortiManager updated the selected firewall policy by removing the
host_201firewall addressFortiManager didn’t delete the now unused: -
host_201firewall addressIt will be removed during a normal Policy Package install
Pending static route wasn’t installed against the
dev_001managed device
9.4.21.6. Add support to preview partial install#
The feature has been implemented in FortiManager 7.4.0 (#862628).
9.4.21.6.1. Preview of a partial install of an updated policy#
Preparation
Clone the
ips_profile_001intoips_profile_004Create the
grp_004firewall address group withhost_056andhost_57address groupNavigate to the
ppkg_001policy packageEdit policy seq #6 (
policyidshould be6) - Add back thehost_201firewall address in the Source column - Add thegrp_004firewall address group in the Destination column - Add theips_profile_004IPS profileThe
dev_001managed device still has the static route pointing to10.0.1.0/24created earlier
Trigger partial install with the preview option
Step #1: Trigger the partial install with the preview option
{ "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "flags": 2, "objects": [ [ "update", "pkg/ppkg_001/firewall/policy/6", "", "" ] ], "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "/securityconsole/install/objects/v2" } ], "session": "{{session}}" }
Note
flagsis set with2which meanspreviewbecause it is just required to previewNo other install action will be done
{ "id": 3, "result": [ { "data": { "task": 20 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/install/objects/v2" } ] }
Step #2: Once the returned task is completed, get the preview result
{ "id": 4, "method": "exec", "params": [ { "data": { "adom": "demo", "device": "dev_001" }, "url": "/securityconsole/preview/result" } ], "session": "{{session}}" }
{ "id": 4, "result": [ { "data": { "message": "config firewall addrgrp\n edit \"grp_004\"\n set uuid 919cb4be-5852-51ee-65f5-c09937fa4f54\n set member \"host_056\" \"host_057\"\n set color 24\n next\nend\nconfig ips sensor\n edit \"ips_profile_004\"\n set comment \"Prevent critical attacks.\"\n config entries\n edit 1\n set severity medium high critical\n next\n edit 2\n set status enable\n set log-packet enable\n next\n end\n next\nend\nconfig firewall policy\n edit 6\n set srcaddr \"host_006\" \"host_201\"\n set dstaddr \"host_106\" \"grp_004\"\n set utm-status enable\n set ips-sensor \"ips_profile_004\"\n next\nend\n" }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/preview/result" } ] }
Conclusion
As expected, FortiManager produced a preview of the requested partial install operation
Pending static route wasn’t installation wasn’t part of the preview result
9.4.22. Firewall Policy Revision#
9.4.22.1. How to get list of changes mage in a firewall policy?#
Following example shows how to obtain the list of changes made on firewall policy with policyid 14 in the ppkg_001 Policy Package from the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy/14"
}
],
"session": "{{session}}",
"verbose": 1
}
{ "id": 3, "result": [ { "data": [ { "act": 1, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-label-color\": 0, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 1, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"any\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": \"Policy_001\", \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11310, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-offload\": 1, \"policyid\": 14, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"ALL\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"any\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"64abdc74-cef8-51ee-c4f6-b99de54c6f1a\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "14", "note": "", "oid": 11310, "pkg_oid": 11294, "timestamp": 1708327673, "user": "admin" }, { "act": 3, "category": 181, "config": "{ \"_byte\": 0, \"_first_hit\": 0, \"_first_session\": 0, \"_global-dst-intf\": null, \"_global-label-color\": 0, \"_global-src-intf\": null, \"_global-vpn\": [ ], \"_global-vpn-tgt\": 0, \"_hitcount\": 0, \"_label-color\": 0, \"_last_hit\": 0, \"_last_session\": 0, \"_pkts\": 0, \"_sesscount\": 0, \"action\": 1, \"anti-replay\": 1, \"application-list\": [ ], \"auth-cert\": [ ], \"auth-path\": 0, \"auth-redirect-addr\": null, \"auto-asic-offload\": 1, \"av-profile\": [ ], \"block-notification\": 0, \"captive-portal-exempt\": 0, \"capture-packet\": 0, \"casb-profile\": [ ], \"cgn-eif\": 0, \"cgn-eim\": 0, \"cgn-log-server-grp\": null, \"cgn-resource-quota\": 16, \"cgn-session-quota\": 16777215, \"cifs-profile\": [ ], \"comments\": null, \"custom-log-fields\": [ ], \"decrypted-traffic-mirror\": [ ], \"delay-tcp-npu-session\": 0, \"diameter-filter-profile\": [ ], \"diffserv-copy\": 0, \"diffserv-forward\": 0, \"diffserv-reverse\": 0, \"diffservcode-forward\": \"000000\", \"diffservcode-rev\": \"000000\", \"disclaimer\": 0, \"dlp-profile\": [ ], \"dnsfilter-profile\": [ ], \"dsri\": 0, \"dstaddr\": [ \"all\" ], \"dstaddr-negate\": 0, \"dstaddr6\": [ ], \"dstaddr6-negate\": 0, \"dstintf\": [ \"any\" ], \"dynamic-shaping\": 0, \"email-collect\": 0, \"emailfilter-profile\": [ ], \"fec\": 0, \"file-filter-profile\": [ ], \"firewall-session-dirty\": 0, \"fixedport\": 0, \"fsso-agent-for-ntlm\": [ ], \"fsso-groups\": [ ], \"geoip-anycast\": 0, \"geoip-match\": 0, \"global-label\": null, \"groups\": [ ], \"gtp-profile\": [ ], \"http-policy-redirect\": 0, \"icap-profile\": [ ], \"identity-based-route\": [ ], \"inbound\": 0, \"inspection-mode\": 1, \"internet-service\": 0, \"internet-service-custom\": [ ], \"internet-service-custom-group\": [ ], \"internet-service-group\": [ ], \"internet-service-name\": [ ], \"internet-service-negate\": 0, \"internet-service-src\": 0, \"internet-service-src-custom\": [ ], \"internet-service-src-custom-group\": [ ], \"internet-service-src-group\": [ ], \"internet-service-src-name\": [ ], \"internet-service-src-negate\": 0, \"internet-service6\": 0, \"internet-service6-custom\": [ ], \"internet-service6-custom-group\": [ ], \"internet-service6-group\": [ ], \"internet-service6-name\": [ ], \"internet-service6-negate\": 0, \"internet-service6-src\": 0, \"internet-service6-src-custom\": [ ], \"internet-service6-src-custom-group\": [ ], \"internet-service6-src-group\": [ ], \"internet-service6-src-name\": [ ], \"internet-service6-src-negate\": 0, \"ip-version-type\": \"ipv4\", \"ippool\": 0, \"ips-sensor\": [ ], \"ips-voip-filter\": [ ], \"label\": null, \"logtraffic\": 2, \"logtraffic-start\": 0, \"match-vip\": 1, \"match-vip-only\": 0, \"name\": \"Policy_001\", \"nat\": 0, \"nat46\": 0, \"nat64\": 0, \"natinbound\": 0, \"natip\": [ \"0.0.0.0\", \"0.0.0.0\" ], \"natoutbound\": 0, \"network-service-dynamic\": [ ], \"network-service-src-dynamic\": [ ], \"np-acceleration\": 1, \"ntlm\": 0, \"ntlm-enabled-browsers\": [ ], \"ntlm-guest\": 0, \"oid\": 11310, \"outbound\": 1, \"passive-wan-health-measurement\": 0, \"pcp-inbound\": 0, \"pcp-outbound\": 0, \"pcp-poolname\": [ ], \"per-ip-shaper\": [ ], \"permit-any-host\": 0, \"permit-stun-host\": 0, \"pfcp-profile\": [ ], \"policy-behaviour-type\": \"standard\", \"policy-expiry\": 0, \"policy-expiry-date\": \"0000-00-00 00:00:00\", \"policy-expiry-date-utc\": null, \"policy-offload\": 1, \"policyid\": 14, \"poolname\": [ ], \"poolname6\": [ ], \"profile-group\": [ ], \"profile-protocol-options\": [ \"default\" ], \"profile-type\": 0, \"radius-mac-auth-bypass\": 0, \"redirect-url\": null, \"replacemsg-override-group\": [ ], \"reputation-direction\": 2, \"reputation-direction6\": 42, \"reputation-minimum\": 0, \"reputation-minimum6\": 0, \"rtp-addr\": [ ], \"rtp-nat\": 0, \"schedule\": [ \"always\" ], \"schedule-timeout\": 0, \"sctp-filter-profile\": [ ], \"send-deny-packet\": 0, \"service\": [ \"INFO_ADDRESS\" ], \"service-negate\": 0, \"session-ttl\": \"0\", \"sgt\": [ ], \"sgt-check\": 0, \"src-vendor-mac\": [ ], \"srcaddr\": [ \"all\" ], \"srcaddr-negate\": 0, \"srcaddr6\": [ ], \"srcaddr6-negate\": 0, \"srcintf\": [ \"any\" ], \"ssh-filter-profile\": [ ], \"ssh-policy-redirect\": 0, \"ssl-ssh-profile\": [ \"no-inspection\" ], \"status\": 1, \"tcp-mss-receiver\": 0, \"tcp-mss-sender\": 0, \"tcp-session-without-syn\": 2, \"tcp-timeout-pid\": [ ], \"timeout-send-rst\": 0, \"tos\": \"0x00\", \"tos-mask\": \"0x00\", \"tos-negate\": 0, \"traffic-shaper\": [ ], \"traffic-shaper-reverse\": [ ], \"udp-timeout-pid\": [ ], \"users\": [ ], \"utm-status\": 0, \"uuid\": \"64abdc74-cef8-51ee-c4f6-b99de54c6f1a\", \"videofilter-profile\": [ ], \"virtual-patch-profile\": [ ], \"vlan-cos-fwd\": 255, \"vlan-cos-rev\": 255, \"vlan-filter\": null, \"voip-profile\": [ ], \"vpn_dst_node\": null, \"vpn_src_node\": null, \"vpntunnel\": [ ], \"waf-profile\": [ ], \"wanopt\": 0, \"wanopt-detection\": 1, \"wanopt-passive-opt\": 0, \"wanopt-peer\": [ ], \"wanopt-profile\": [ ], \"wccp\": 0, \"webcache\": 0, \"webcache-https\": 0, \"webfilter-profile\": [ ], \"webproxy-forward-server\": [ ], \"webproxy-profile\": [ ], \"ztna-device-ownership\": 0, \"ztna-ems-tag\": [ ], \"ztna-ems-tag-secondary\": [ ], \"ztna-geo-tag\": [ ], \"ztna-policy-redirect\": 0, \"ztna-status\": 0, \"ztna-tags-match-logic\": 0 }", "flags": 0, "key": "14", "note": "", "oid": 11310, "pkg_oid": 11294, "timestamp": 1708327690, "user": "admin" } ], "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/_objrev/pkg/ppkg_001/firewall/policy/14" } ] }
Note
For each change the
actis giving you the nature of the change:Value
meaning
1New policy created
2Existing policy deleted
Note
Not sure you will be able to see this one…
3Existing policy modified
The
keyattribute is thepolicyidThe
configattribute is a copy of the firewall policy containing the changeFortiManager returns an ordered list of changes; the first item is the first change
9.4.22.2. How to revert a firewall policy from a past changes?#
There’s no specific revert API endpoint.
It’s on you to capture the config attribute of a past change by looking at the list of changes for a firewall policy (see How to get list of changes mage in a firewall policy?) and then to update that same firewall policy.
Following example is considering the output from section How to get list of changes mage in a firewall policy?. It will revert the firewall policy with the config saved when it was just created:
{
"id": 4,
"method": "update",
"params": [
{
"data": {
"_byte": 0,
"_first_hit": 0,
"_first_session": 0,
"_global-label-color": 0,
"_global-vpn": [],
"_global-vpn-tgt": 0,
"_hitcount": 0,
"_label-color": 0,
"_last_hit": 0,
"_last_session": 0,
"_pkts": 0,
"_sesscount": 0,
"action": 1,
"anti-replay": 1,
"application-list": [],
"auth-cert": [],
"auth-path": 0,
"auto-asic-offload": 1,
"av-profile": [],
"block-notification": 0,
"captive-portal-exempt": 0,
"capture-packet": 0,
"casb-profile": [],
"cgn-eif": 0,
"cgn-eim": 0,
"cgn-resource-quota": 16,
"cgn-session-quota": 16777215,
"cifs-profile": [],
"custom-log-fields": [],
"decrypted-traffic-mirror": [],
"delay-tcp-npu-session": 0,
"diameter-filter-profile": [],
"diffserv-copy": 0,
"diffserv-forward": 0,
"diffserv-reverse": 0,
"diffservcode-forward": "000000",
"diffservcode-rev": "000000",
"disclaimer": 0,
"dlp-profile": [],
"dnsfilter-profile": [],
"dsri": 0,
"dstaddr": [
"all"
],
"dstaddr-negate": 0,
"dstaddr6": [],
"dstaddr6-negate": 0,
"dstintf": [
"any"
],
"dynamic-shaping": 0,
"email-collect": 0,
"emailfilter-profile": [],
"fec": 0,
"file-filter-profile": [],
"firewall-session-dirty": 0,
"fixedport": 0,
"fsso-agent-for-ntlm": [],
"fsso-groups": [],
"geoip-anycast": 0,
"geoip-match": 0,
"groups": [],
"gtp-profile": [],
"http-policy-redirect": 0,
"icap-profile": [],
"identity-based-route": [],
"inbound": 0,
"inspection-mode": 1,
"internet-service": 0,
"internet-service-custom": [],
"internet-service-custom-group": [],
"internet-service-group": [],
"internet-service-name": [],
"internet-service-negate": 0,
"internet-service-src": 0,
"internet-service-src-custom": [],
"internet-service-src-custom-group": [],
"internet-service-src-group": [],
"internet-service-src-name": [],
"internet-service-src-negate": 0,
"internet-service6": 0,
"internet-service6-custom": [],
"internet-service6-custom-group": [],
"internet-service6-group": [],
"internet-service6-name": [],
"internet-service6-negate": 0,
"internet-service6-src": 0,
"internet-service6-src-custom": [],
"internet-service6-src-custom-group": [],
"internet-service6-src-group": [],
"internet-service6-src-name": [],
"internet-service6-src-negate": 0,
"ip-version-type": "ipv4",
"ippool": 0,
"ips-sensor": [],
"ips-voip-filter": [],
"logtraffic": 2,
"logtraffic-start": 0,
"match-vip": 1,
"match-vip-only": 0,
"name": "Policy_001",
"nat": 0,
"nat46": 0,
"nat64": 0,
"natinbound": 0,
"natip": [
"0.0.0.0",
"0.0.0.0"
],
"natoutbound": 0,
"network-service-dynamic": [],
"network-service-src-dynamic": [],
"np-acceleration": 1,
"ntlm": 0,
"ntlm-enabled-browsers": [],
"ntlm-guest": 0,
"outbound": 1,
"passive-wan-health-measurement": 0,
"pcp-inbound": 0,
"pcp-outbound": 0,
"pcp-poolname": [],
"per-ip-shaper": [],
"permit-any-host": 0,
"permit-stun-host": 0,
"pfcp-profile": [],
"policy-behaviour-type": "standard",
"policy-expiry": 0,
"policy-expiry-date": "0000-00-00 00:00:00",
"policy-offload": 1,
"policyid": 14,
"poolname": [],
"poolname6": [],
"profile-group": [],
"profile-protocol-options": [
"default"
],
"profile-type": 0,
"radius-mac-auth-bypass": 0,
"replacemsg-override-group": [],
"reputation-direction": 2,
"reputation-direction6": 42,
"reputation-minimum": 0,
"reputation-minimum6": 0,
"rtp-addr": [],
"rtp-nat": 0,
"schedule": [
"always"
],
"schedule-timeout": 0,
"sctp-filter-profile": [],
"send-deny-packet": 0,
"service": [
"ALL"
],
"service-negate": 0,
"session-ttl": "0",
"sgt": [],
"sgt-check": 0,
"src-vendor-mac": [],
"srcaddr": [
"all"
],
"srcaddr-negate": 0,
"srcaddr6": [],
"srcaddr6-negate": 0,
"srcintf": [
"any"
],
"ssh-filter-profile": [],
"ssh-policy-redirect": 0,
"ssl-ssh-profile": [
"no-inspection"
],
"status": 1,
"tcp-mss-receiver": 0,
"tcp-mss-sender": 0,
"tcp-session-without-syn": 2,
"tcp-timeout-pid": [],
"timeout-send-rst": 0,
"tos": "0x00",
"tos-mask": "0x00",
"tos-negate": 0,
"traffic-shaper": [],
"traffic-shaper-reverse": [],
"udp-timeout-pid": [],
"users": [],
"utm-status": 0,
"uuid": "64abdc74-cef8-51ee-c4f6-b99de54c6f1a",
"videofilter-profile": [],
"virtual-patch-profile": [],
"vlan-cos-fwd": 255,
"vlan-cos-rev": 255,
"voip-profile": [],
"vpn_dst_node": null,
"vpn_src_node": null,
"vpntunnel": [],
"waf-profile": [],
"wanopt": 0,
"wanopt-detection": 1,
"wanopt-passive-opt": 0,
"wanopt-peer": [],
"wanopt-profile": [],
"wccp": 0,
"webcache": 0,
"webcache-https": 0,
"webfilter-profile": [],
"webproxy-forward-server": [],
"webproxy-profile": [],
"ztna-device-ownership": 0,
"ztna-ems-tag": [],
"ztna-ems-tag-secondary": [],
"ztna-geo-tag": [],
"ztna-policy-redirect": 0,
"ztna-status": 0,
"ztna-tags-match-logic": 0
},
"revision note": "Revert from create time",
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
],
"session": "{{session}}"
}
Note
Don’t use the
oidattribute or you will probably get an error like:{ "id": 4, "result": [ { "status": { "code": -10, "message": "The data is invalid for selected url" }, "url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy" } ] }
As a best practice, think about adding a
revision note
{
"id": 4,
"result": [
{
"data": {
"policyid": 14
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/firewall/policy"
}
]
}
9.5. Local-in Firewall Policies#
The local-in firewall policies are included in the Policy Package. The corresponding API endpoint is:
/pm/config/adom/{adom}/pkg/{pkg}/firewall/local-in-policy
where:
adomis the ADOM name.pkgis the Policy Package name.
9.5.1. How to get the local-in firewall policies?#
The following example shows how to get the local-in firewall policies in the
pkg_01 Policy Package in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 15,
"result": [
{
"data": [
{
"action": "accept",
"comments": "Local-in policy #01",
"dstaddr": [
"host_002"
],
"dstaddr-negate": "disable",
"ha-mgmt-intf-only": "disable",
"internet-service-src": "disable",
"internet-service-src-fortiguard": [],
"internet-service-src-negate": "disable",
"intf": [
"any"
],
"obj seq": 1,
"oid": 42696,
"policyid": 2,
"schedule": [
"always"
],
"service": [
"ALL"
],
"service-negate": "disable",
"srcaddr": [
"host_001"
],
"srcaddr-negate": "disable",
"status": "enable",
"uuid": "a3104378-d0f0-51f0-ac3f-47c142a54a50",
"virtual-patch": "disable"
},
{
"action": "accept",
"comments": "Local-in policy #02",
"dstaddr": [
"host_004"
],
"dstaddr-negate": "disable",
"ha-mgmt-intf-only": "disable",
"internet-service-src": "disable",
"internet-service-src-fortiguard": [],
"internet-service-src-negate": "disable",
"intf": [
"any"
],
"obj seq": 2,
"oid": 42697,
"policyid": 3,
"schedule": [
"always"
],
"service": [
"ALL"
],
"service-negate": "disable",
"srcaddr": [
"host_003"
],
"srcaddr-negate": "disable",
"status": "enable",
"uuid": "c324634e-d102-51f0-6569-1d1cb2b09e82",
"virtual-patch": "disable"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy"
}
]
}
Should you want to get the local-in policy with the policy ID 3:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy/3"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 19,
"result": [
{
"data": {
"action": "accept",
"comments": "Local-in policy #02",
"dstaddr": [
"host_004"
],
"dstaddr-negate": "disable",
"ha-mgmt-intf-only": "disable",
"internet-service-src": "disable",
"internet-service-src-fortiguard": [],
"internet-service-src-negate": "disable",
"intf": [
"any"
],
"obj seq": 2,
"oid": 42697,
"policyid": 3,
"schedule": [
"always"
],
"service": [
"ALL"
],
"service-negate": "disable",
"srcaddr": [
"host_003"
],
"srcaddr-negate": "disable",
"status": "enable",
"uuid": "c324634e-d102-51f0-6569-1d1cb2b09e82",
"virtual-patch": "disable"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy/3"
}
]
}
You could also have used the filter attribute:
{
"id": 3,
"method": "get",
"params": [
{
"filter": [
"policyid",
"==",
3
],
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 23,
"result": [
{
"data": [
{
"action": "accept",
"comments": "Local-in policy #02",
"dstaddr": [
"host_004"
],
"dstaddr-negate": "disable",
"ha-mgmt-intf-only": "disable",
"internet-service-src": "disable",
"internet-service-src-fortiguard": [],
"internet-service-src-negate": "disable",
"intf": [
"any"
],
"obj seq": 2,
"oid": 42697,
"policyid": 3,
"schedule": [
"always"
],
"service": [
"ALL"
],
"service-negate": "disable",
"srcaddr": [
"host_003"
],
"srcaddr-negate": "disable",
"status": "enable",
"uuid": "c324634e-d102-51f0-6569-1d1cb2b09e82",
"virtual-patch": "disable"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy"
}
]
}
9.5.2. How to add a local-in firewall policy?#
The following example shows how to add a local-in firewall policy in the
pkg_001 Policy Package in the demo ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"action": "accept",
"comments": "Local-in policy #03",
"dstaddr": [
"host_006"
],
"intf": [
"any"
],
"schedule": [
"always"
],
"service": [
"ALL"
],
"srcaddr": [
"host_005"
],
"status": "enable"
},
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy"
}
],
"session": "{{session}}",
}
{
"id": 39,
"result": [
{
"data": {
"policyid": 4
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy"
}
]
}
Note
The new local-in policy has been assigned the policy ID 4. It got
added at the end of the existing local-in policies.
To add the local-in policy at a specific position, use the before or
after attribute. The following example shows how to add a local-in firewall
policy before the local-in policy with policy ID 4:
{
"id": 3,
"method": "add",
"params": [
{
"before": "4",
"data": {
"action": "accept",
"comments": "Local-in policy #04",
"dstaddr": [
"host_008"
],
"intf": [
"any"
],
"schedule": [
"always"
],
"service": [
"ALL"
],
"srcaddr": [
"host_007"
],
"status": "enable"
},
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy"
}
],
"session": "{{session}}"
}
Warning
The
beforeattribute is outside of thedatablock.The value is the policy ID of the local-in policy before which the new local-in policy will be added and it has to be a string.
{
"id": 47,
"result": [
{
"data": {
"policyid": 7
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy"
}
]
}
9.5.3. How to delete a local-in firewall policy?#
The following example shows how to delete the local-in firewall policy with the policy ID 7 in the pkg_001 Policy Package
in the demo:
{
"id": 3,
"method": "delete",
"params": [
{
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy/7"
}
],
"session": "{{session}}"
}
{
"id": 51,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/pkg_001/firewall/local-in-policy/7"
}
]
}
9.6. Global Policies & objects#
9.6.1. How to create a global policy package?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"name": "g_pp_003",
"type": "pkg"
},
"url": "/pm/pkg/global"
}
],
"session": "YS8S4z10DL1D1lWXA2RrS5H48Pl8gJWtWZ9jm8SsMOHBriZ92czufaVtR7pFjCmKYQT3B652Wgie5nlUbLEobQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global"
}
]
}
9.6.2. How to add ADOMs as Global Policy Package targets?#
The following example shows how to add the demo_001 and demo_002 ADOMs as targets of the g_ppkg_001 Global Policy Package:
{
"id": 1,
"method": "add",
"params": [
{
"data": [
{
"name": "demo_001"
},
{
"name": "demo_002"
}
],
"url": "/pm/pkg/global/g_pppk_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global/g_ppkg_001/scope member"
}
]
}
Note
Existing list of target ADOMs won’t be overwritten
If there was the
demo_003ADOM as target before thisaddoperation, then the definitive list of targets will be thedemo_001,demo_002anddemo_003ADOMs
9.6.3. How to get ADOMs from the Global Policy Package targets?#
The following example shows how to get the ADOM targets of the g_ppkg_001 Global Policy Package:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/pkg/global/g_ppkg_001"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"name": "g_ppkg_001",
"obj ver": 0,
"oid": 5623,
"package settings": {
"central-nat": 0,
"consolidated-firewall-mode": 0,
"fwpolicy-implicit-log": 0,
"fwpolicy6-implicit-log": 0,
"hitc-taskid": 0,
"hitc-timestamp": 0,
"ngfw-mode": 0,
"policy-offload-level": 0
},
"scope member": [
{
"name": "demo_001"
},
{
"name": "demo_002"
},
{
"name": "demo_003"
}
],
"type": "pkg"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global/g_ppkg_001"
}
]
}
9.6.4. How to delete ADOMs from the Global Policy Package targets?#
The following example shows how to delete the demo_001 and demo_002 ADOMs targets of the g_ppkg_001 Global Policy Package:
{
"id": 3,
"method": "delete",
"params": [
{
"data": [
{
"name": "demo_001"
},
{
"name": "demo_002"
}
],
"url": "/pm/pkg/global/g_ppkg_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/pkg/global/g_ppkg_001/scope member"
}
]
}
Note
Existing list of target ADOMs won’t be overwritten
If there was the
demo_001,demo_002anddemo_003ADOMs as target before thisdeleteoperation, then the definitive list of targets will be thedemo_001ADOM
9.6.5. How to trigger an assign Global Policy Package?#
The following example shows how to trigger an assign operation of the
g_ppkg_001 Global Policy Package against the demo_001 and demo_002 ADOMs:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"flags": [
"none"
],
"pkg": "g_ppkg_001",
"target": [
{
"adom": "demo_001"
},
{
"adom": "demo_002"
}
]
},
"url": "/securityconsole/assign/package"
}
],
"session": "{{session}}"
}
Note
noneis the default flag to copy global policies and its used objects onlyUse flag
cp_all_objsif you want to copy policies and all objects, even the unused ones
Tip
Should you want to trigger an assign followed by an install, just add the flag
copy_assigned_pkg, for instance:"flags": ["cp_all_obs", "copy_assigned_pkg"],
will copy policies and all objects to target ADOMs, and will also trigger a policy package install.
{
"id": 3,
"result": [
{
"data": {
"task": 201
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/assign/package"
}
]
}
Note
As usual, when a task is returned, you have to monitor it by getting
task/task/<task_id>
9.6.6. How to trigger an assign global policy package with exclusion?#
Consider that the demo ADOM is with three Policy Packages: ppkg_001 to ppkg_003.
The following example shows how to trigger an assign operation of the g_ppkg_001 Global Policy against the demo ADOM but only for its ppkg_001 Policy Package:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"flags": [
"none"
],
"pkg": "g_ppkg_001",
"target": [
{
"adom": "demo",
"excluded": "enable",
"pkg": [
"ppkg_002",
"ppkg_003"
]
}
]
},
"url": "/securityconsole/assign/package"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"task": 13
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/assign/package"
}
]
}
9.6.7. How to trigger an unassign Global Policy Package?#
The following example shows how to trigger an unassign operation for the g_ppkg_001 Global Policy Package and the demo ADOM, one of its current targets:
{
"id": 1,
"method": "exec",
"params": [
{
"data": {
"flags": [
"unassign"
],
"pkg": "g_ppkg_001",
"target": [
{
"adom": "demo"
}
]
},
"url": "/securityconsole/assign/package"
}
],
"session": "{{session}}"
}
{
"id": 1,
"result": [
{
"data": {
"task": 14
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/assign/package"
}
]
}
9.7. How to get the assignment status for Global Policy Packages?#
The following example shows how to get the assignement status for the Global Policy Packages:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/global/_package/status"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"adom": "demo",
"flags": 0,
"pkg": "g_pkg_001",
"status": "installed",
"stype": 0,
"type": 1
},
{
"adom": "demo",
"flags": 0,
"pkg": "g_pkg_002",
"status": "installed",
"stype": 0,
"type": 1
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/global/_package/status"
}
]
}
9.8. How to get the Policy Packages with Global Policy Packages?#
The following example demonstrates how to get the list of Policy Packages in
demo ADOM which have received Global Policy Packages:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/_adom/options"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"assign_excluded": "disable",
"assign_name": "g_pkg_002",
"name": "__gpkg__6111",
"oid": 537523,
"pkg list": [
{
"name": "pkg_002",
"oid": 537517
}
],
"specify_assign_pkg_list": "enable"
},
{
"assign_excluded": "disable",
"assign_name": "g_pkg_001",
"name": "__gpkg__6113",
"oid": 537533,
"pkg list": [
{
"name": "pkg_001",
"oid": 537519
}
],
"specify_assign_pkg_list": "enable"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/_adom/options"
}
]
}
Note
This output shows that two Policy Packages - pkg_001 and
pkg_002 have received the g_pkg_001 and g_pkg_002 Global
Policy Packages respectively.
9.9. Central DNAT#
9.9.1. How to get central dnat policies?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
],
"session": "dDKFLWDRqlQs6gSZwkUB2EPNYVyDL7JZYJ2OcfZgLFwGvtQwjvsx6XlQGuX6lQTdg2v2Jyysu+3avjaPfzw19w==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"name": [
"tc_004_vip_001"
],
"obj seq": 1
},
{
"name": [
"tc_004_vip_002"
],
"obj seq": 2
},
{
"name": [
"tc_004_vip_003"
],
"obj seq": 3
},
{
"name": [
"tc_004_vip_008"
],
"obj seq": 4
},
{
"name": [
"tc_004_vip_004"
],
"obj seq": 5
},
{
"name": [
"tc_004_vip_005"
],
"obj seq": 6
},
{
"name": [
"tc_004_vip_006"
],
"obj seq": 7
},
{
"name": [
"tc_004_vip_007"
],
"obj seq": 8
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
]
}
9.9.2. How to add central dnat policies?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "set",
"params": [
{
"data": [
{
"name": [
"tc_004_vip_009"
]
},
{
"name": [
"tc_004_vip_010"
]
}
],
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
],
"session": "dDKFLWDRqlQs6gSZwkUB2EPNYVyDL7JZYJ2OcfZgLFwGvtQwjvsx6XlQGuX6lQTdg2v2Jyysu+3avjaPfzw19w==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/pkg/ppkg_001/central/dnat"
}
]
}
9.10. How to trigger an Import Configuration?#
The Import Configuration is when you need to copy objects from Device DB to ADOM DB. This operation is a strict offline operation! The managed devices don’t need to be connected or even to be real. You can perform an import configuration against connected or offline managed devices and also against model devices.
It’s a three-step process where the list of attributes and their corresponding values must be used very carefully.
Collect the firewall policies, interfaces and zones
This step involves collecting the list of firewall policies to be imported along with the used system interfaces, system zones, and/or system sdwan zones.
The interfaces and zones will be used when creating the per-device mapping in the corresponding normalized interfaces.
The following example shows how to collect the firewall policies and interfaces for the
dev_001managed device that will then imported in theppkg_001Policy Package in thedemoADOM:{ "id": 1, "method": "exec", "params": [ { "data": { "add_mappings": "enable", "adom": "demo", "dst_name": "ppkg_001", "dst_parent": 0, "if_all_objs": "none", "if_all_policy": "enable", "import_action": "policy_search", "position": "top", "name": "dev_001", "vdom": "root" }, "url": "/securityconsole/import/dev/objs" } ], "session": "{{session}}" }
Note
You could replace the
nameandvdomattributes with:"scope": [ { "name": "dev_001", "vdom": "root" } ]
The important attributes are:
import_actionwhich set topolicy_search. This is to search for firewall policies to be imported.if_all_policywhich is set toenable.add_mappingswhich is set toenable. This is important to create the per-device mapping in the normalized interfaces.positionandif_all_objsattributes can’t be explained yet.dst_parentis set to0to import in therootfolder of the Policy Package tree.. You could set it to a specific folder ID should you want to import in a specific folder.
{ "id": 1, "result": [ { "data": { "task": 2518 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/import/dev/objs" } ] }
Note
Don’t forget to monitor the progress of the returned
task.Collect the objects
This step involves collecting the list of objects to be imported.
The following example shows how to collect the objects for the
dev_001managed devicedev_001that will then imported in theppkg_001Policy Package in thedemoADOM:{ "id": 7, "method": "exec", "params": [ { "data": { "add_mappings": "enable", "adom": "demo", "dst_name": "ppkg_001", "dst_parent": 0, "if_all_objs": "all", "if_all_policy": "disable", "import_action": "obj_search", "name": "dev_001", "position": "top", "vdom": "root" }, "url": "/securityconsole/import/dev/objs" } ], "session": "{{session}}" }
Note
You could replace the
nameandvdomattributes with:"scope": [ { "name": "dev_001", "vdom": "root" } ]
The important attributes are:
import_actionwhich set toobj_search. This is to search for firewall policies to be imported.if_all_objswhich is set toall. It has to be set withall!if_all_policywhich is set todisable.add_mappingswhich is set toenable. This is important to create the per-device mapping for applicable objects.
positionandif_all_objsattributes can’t be explained yet.{ "id": 7, "result": [ { "data": { "task": 2519 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/import/dev/objs" } ] }
Note
Don’t forget to monitor the progress of the returned
task.Perform the import configuration
This step effectively perform the import configuration. It imports firewall policies and objects collected in the two previous steps and also perform the corresponding per-device mapping.
The following example shows how to perform the import configuration for the
dev_001managed device. The firewall policies and objects will be imported within theppkg_001Policy Package in thedemoADOM:{ "id": 10, "method": "exec", "params": [ { "data": { "add_mappings": "enable", "adom": "demo", "dst_name": "ppkg_001", "dst_parent": 0, "if_all_objs": "filter", "if_all_policy": "enable", "import_action": "do", "name": "dev_001", "position": "top", "vdom": "root" }, "url": "/securityconsole/import/dev/objs" } ], "session": "{{session}}" }
Note
You could replace the
nameandvdomattributes with:"scope": [ { "name": "dev_001", "vdom": "root" } ]
The important attributes are:
import_actionwhich set todo.if_all_objswhich is set tofilter. It means to only import used objects; the one used in the firewall policies of thedev_001managed devices. If you use theallvalue, used and unused objects will be imported.if_all_policywhich is set toenable.positionattribute can’t be explained yet.
{ "id": 10, "result": [ { "data": { "task": 2520 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/import/dev/objs" } ] }
Note
Don’t forget to monitor the progress of the returned
task.
9.10.1. Per-device mapping considerations#
9.10.1.1. For normalized interfaces#
If your dev_001 managed device is with firewall policies using system
interface port1 and system zone (or system sdwan zone) z_underlay, then
you will get one normalized interface named port1 with a new per-device
mapping for dev_001:port1 and a second normalized interface named
z_underlay with a new per-device mapping for dev_001:z_underlay.
If normalized interfaces port1 and z_underlay don’t exist they will be
created with their per-device mapping as described in the paragraph above.
If your dev_001 managed device is with firewall policies using the
z_ul_001 system zone made of the port1 and port2 system interfaces
and your dev_002 managed device is with firewall policies using the
z_ul_002 system zone made of the same port1 and port2 system
interfaces then you will still end with two distinct z_ul_001 and
z_ul_002 normalized interfaces with the dev_001:z_ul_001 and
dev_002:z_ul_002 respective per-device mapping. There’s no API method to
tell you you could just end with the z_ul normalized interfaces the two
dev_001:z_ul_001 and dev_002:z_ul_002 respective per-device mapping.
9.10.1.2. For objects with per-device mapping support#
If your dev_001 managed device is with firewall policies using the
addr_001 firewall address with IP address 10.0.0.1 and your dev_002
managed device is firewall policies using the same name addr_001 firewall
address but with a different IP address 10.0.0.2 then you will end with a
single addr_001 firewall address.
If addr_001 wasn’t existing before the import configuration operation, it
will be created with main IP address 10.0.0.1 (provided the import
configuration is trigered against the dev_001 managed device first) and the
dev_002:10.0.0.2 per-device mapping entry.
If addr_001 was existing before the import configuration operation, it will
be updated with the two dev_001:10.0.0.1 and dev_002:10.0.0.2 per-device
mapping entries.
9.10.1.3. For objects without per-device mapping support#
FortiManager will always take the FortiGate value.
For instance if your dev_001 managed device is with firewall policies using
the ips_sensor_001 IPS sensor with a single rule and your dev_002
managed device is with firewall policies using the same name ips_sensor_001
but with two complete different rules, then you will end with a single
ips_sensor_001 IPS sensor.
This sensor will contain the configuration of the managed device that
was used in the most recent import configuration operation. For instance, it
will have two rules if the dev_002 managed device was the one used in the
most recent import configuration operation.