fortios-xutils 0.4.2

fortios-xutils

Very experimental miscellaneous and extra utilities for fortios (fortigate).

Features

• Parse and dump a structured JSON file from fortios CLI’s “show *configuration” outputs

• Search an item or items from JSON files generated as a parsed result from fortios CLI’s “show *configuration” outputs, using JMESPath query

• Collect nework information from the JSON files and generate a structured JSON files gives that network information

• Compose multiple network JSON files into a network file

• Analyze and dump firewall policy table as a pandas data for further analysis

• Search firewall policy matches given ip address

• Find the network paths from network JSON file by ip address (src and dst) to figure out which firewall nodes to configure

CLI Usage

See fortios_xutils –help.

ssato@x1-carbon-gen6% PYTHONPATH=src python3 ./src/fortios_xutils/cli.py --help
Usage: cli.py [OPTIONS] COMMAND [ARGS]...

  CLI frontend entrypoint.

Options:
  -v, --verbose
  --help         Show this message and exit.

Commands:
  firewall-policy-save    Make and save firewall policy table...
  firewall-policy-search  Search firewall policy table generated by...
  network-collect         Make and save network data collected from the
                          JSON...

  network-compose         Compose network files collected from the
                          fortigate...

  network-find-paths      Search paths from the source `src_ip` to the...
  parse                   Parse fortigate CLI's "show *configuration*...
  search                  Search an item or items from JSON file generated...
ssato@x1-carbon-gen6% for sc in parse search network-collect network-compose firewall-policy-save firewall-policy-search; do echo "# $sc"; PYTHONPATH=src python3 ./src/fortios_xutils/cli.py $sc --help; done
# parse
Usage: cli.py parse [OPTIONS] [FILEPATHS]...

  Parse fortigate CLI's "show *configuration* outputs and generate a
  structured JSON file. FILEPATHS is a list of file paths or a glob pattern
  gives that.

  Examples:

      $ fortios_xutils parse -O /tmp/0 \
      > tests/res/show_configs/fortigate_cli_show_sample_*.txt
      $ ls /tmp/0
      fortigate-01  fortigate-02
      $ ls /tmp/0/fortigate-01:
      all.json                         firewall_address.json
      firewall_addrgrp.json            firewall_policy.json
      firewall_service_category.json   firewall_service_custom.json
      firewall_service_group.json      metadata.json
      system_global.json               system_interface.json
      system_object-tagging.json       system_replacemsg-group.json
      system_settings.json
      $ jq '.' /tmp/0/fortigate-01/system_interface.json
      [
        {
          "edit": "dmz",
          "vdom": "root",
          "status": "down",
          "type": "physical",
          "role": "dmz",
          "snmp-index": "1"
        },
        {
          "edit": "port1",
          "vdom": "root",
          "ip": [
            "192.168.122.10",
            "255.255.255.0"
          ],
              ... (snip) ...

Options:
  -O, --outdir TEXT  Output dir to save parsed results [out/ relative to input
                     filepath]

  --help             Show this message and exit.
# search
Usage: cli.py search [OPTIONS] [FILEPATHS]...

  Search an item or items from JSON file generated previously by 'parse' sub
  command. FILEPATHS is a list of file paths or a glob pattern gives that.

  Examples:

      $ # List ip addresses of system interfaces.
      $ fortios_xutils search \
      > -P "configs[?config=='system interface'].edits[].ip" \
      > tests/res/parsed/fortigate-01/all.json
      [
          [
              "192.168.122.10",
              "255.255.255.0"
          ],
          [
              "192.168.1.10",
              "255.255.255.0"
          ]
      ]
      $

Options:
  -P, --path TEXT  JMESPath expression to query
  --help           Show this message and exit.
# network-collect
Usage: cli.py network-collect [OPTIONS] [FILEPATHS]...

  Collect and save network data from the parsed and structured fortigate's
  configuration files in JSON formats. FILEPATHS is a list of path of the
  JSON file, the parsed results of fortigate CLI's "show \*configuration"
  outputs.

  Examples:

      $ fortios_xutils network-collect tests/res/parsed/*/all.json
      $ head -n 10 tests/res/parsed/fortigate-01/networks.yml
      metadata:
        type: metadata
        input: tests/res/parsed/fortigate-01/all.json
        prefix: 24
        timestamp: 2020-05-12_04_58_57
        version: '1.0'
      nodes:
      - id: fortigate-01
        name: fortigate-01
        type: firewall
      $

Options:
  -O, --outdir TEXT  Dir to save results
  -P, --prefix TEXT  Max network prefix [24]
  --help             Show this message and exit.
# network-compose
Usage: cli.py network-compose [OPTIONS] [FILEPATHS]...

  Compose network files collected from the fortigate CLI's configurations
  from multiple fortigate hosts using the preivous network-collect command,
  into a network file.

  Examples:

      $ fortios_xutils network-compose \
      > tests/res/parsed/fortigate-0*/networks.yml \
      > -o tests/res/networks/all.yml
      $ head -n 10 tests/res/networks/all.yml
      metadata:
        inputs:
        - tests/res/parsed/fortigate-01/all.json
        - tests/res/parsed/fortigate-02/all.json
        timestamp: 2020-05-12_05_02_49
        version: '1.0'
      nodes:
      - id: fortigate-01
        name: fortigate-01
        type: firewall
      $

Options:
  -o, --outpath TEXT  Path of the outpath file to save network JSON data
  --help              Show this message and exit.
# firewall-policy-save
Usage: cli.py firewall-policy-save [OPTIONS] [FILEPATHS]...

  Make and save firewall policy table (:class:`pandas.DataFrame` object).

  Examples:

      $ fortios_xutils firewall-policy-save \
      > -o /tmp/0/test.pickle.gz \
      > tests/res/parsed/fortigate-01/all.json
      $ file /tmp/0/test.pickle.gz
      /tmp/0/test.pickle.gz: gzip compressed data, was "test.pickle"  ...
      $

Options:
  -O, --outdir TEXT  Dir to save results [same dir input files exist]
  --help             Show this message and exit.
# firewall-policy-search
Usage: cli.py firewall-policy-search [OPTIONS] FILEPATH

  Search firewall policy table generated by 'firewall-policy-save' command,
  by ip address. FILEPATH is a file path to the pandas dataframe file
  generated by 'firewall-policy-save' command.

  Examples:

      $ fortios_xutils firewall-policy-search \
      > --ip 192.168.122.3 /tmp/0/test.pickle.gz
      [
        {
          "edit": "20",
          "name": "Monitor_Servers_02",
          "uuid": "3da73baa-dacb-48cb-852c-c4be245b4609",
          "srcintf": "port1",
          "dstintf": "",
          "srcaddr": "host_192.168.122.1",
          "dstaddr": "network_192.168.122.0/24",
          "action": "accept",
          "schedule": "always",
          "service": [
            "HTTPS",
            "HTTP"
          ],
          "inspection-mode": "",
          "nat": "",
          "srcaddrs": [
            "192.168.122.1/32"
          ],
          "dstaddrs": [
            "192.168.122.0/24"
          ],
          "comments": ""
        }
      ]

Options:
  -i, --ip TEXT  Specify an IP address to search
  --help         Show this message and exit.
ssato@x1-carbon-gen6%