tools for FortiOS

From time to time I will add useful batch command files or scripts that deal with certain aspects of FortiOS, the operating system of FORTINET’s firewalls.

Copy-Left: feel free to use the scripts in your work as a firewall admin – as long as you retain the copyright notice to me and this website.


Using external blacklists

Use case: you have a list of IP addresses and want to import them into your Fortigate, and use them in a policy to block or allow traffic from or to these hosts (blacklist or whitelist).

Such a list can for instance be generated by hosts.deny.

The following script takes a text file with IP addresses and converts it to a FortiOS batch command file, ready to be imported as a ‘bulk command’ (System > Advanced > Configuration Scripts; in FortiOS 6.4+, use the user menu in the upper right corner, then Configuration > Scripts).

To circumvent certain object size limits the script will

  • parse the input for IP addresses and add them to an internal list
  • for each IP address, create a FOS address object
  • for each nnn addresses, create a FOS address group
  • create one or more FOS ‘super’ address group(s) (group of groups)

As the script cannot read the ‘live’ configuration from the FGT it will create a ‘purge’ batchfile to delete the imported address objects before importing new addresses.

usage: iplist2forti.exe [-h] [-m {s,m,l}] [-n MAXADDR] [-p PREVADDR] [-d] [-D] [-o CMDFNAME] [-s SPLITCOUNT] infile
Create (a lot of) address objects and groups from list for use in FortiOS.

positional arguments:
 infile                read IPs from <infile>

optional arguments:
 -h, --help            show this help message and exit
 -m {s,m,l}, --model {s,m,l}
                       FortiGate model: small (<FGT-100) / medium (<FGT-1000)
                       / large
 -n MAXADDR, --newest MAXADDR
                       use only newest/last <maxAddr> addresses from list
                       replace <prevAddr> old addresses
 -d, --dontresolve     skip non-numeric addresses (FQDNs) in input
 -D, --debug           print debug output
 -o CMDFNAME, --outfile CMDFNAME
                       write output to <cmdfname>
                       split output into <splitcount> parts

Download: (remove the .txt extension) and a sample hosts.deny file.

expected output: -ms -d -o out.txt hosts.deny

reading file "hosts.deny"...
        invalid IP (value): 4.5.337.0
        invalid IP (value):

    4057 IPs in file
     104 IPs skipped
     104 FQDNs skipped
    3953 IPs in 40 address groups of size 100
      40 address groups in 1 super group
specific for small Fortigate model

now import bulk command file "out_2201041407.txt"
refer to address group "sblockgroup000" in DENY policy
to get rid of these addresses, import "out_purge_2201041407.txt"
↑ back to top

Block traffic by country – All Countries address group

Sometimes it’s useful to block traffic by geolocation. In FortiOS v5 and newer, an address can have the “set type geography” setting to denote a dynamic object. It encompasses all IP addresses used by internet providers in a country. Of course, this is not 100% exact but it can help a lot to secure your traffic.

As assigned IP ranges change from time to time FortiGuard updates the internal list of address ranges for each country.

If you want to use this feature you create a new address object, preferably in the CLI, and add the type specifier:

config firewall address
   set type geography
   set country AQ

Unfortunately, there is no obvious relation between the country names you know and the country code FortiOS uses. There are 2 ways to cope with this:

  • you can type a ‘?’ instead of a country code to get the current list of codes
  • you can use my ‘all countries’ batch command files to create address objects for ALL countries at once

Additionally, an address group with all country address objects will be created.

The batch command file is available

and looks like this:

config firewall address
   edit geo_Reserved
      set type geography
      set country ZZ
   edit geo_Andorra
     set type geography
     set country AD
config firewall addrgrp
   edit all_countries
      set member geo_Reserved geo_Anonymous_Proxy geo_Satellite_Provider ...

An example how to use this new address group:

Say, you want to allow administrative access to your Fortigate from France only, assuming ‘wan1’ is the interface facing the WAN.

You would create 2 new ‘local-in’ policies for this (if you cannot see the menu item ‘Policy & Objects’ > ‘Local In Policy’, enable it in ‘System’ > ‘Feature Visibility’ > ‘Additional Features’ > ‘Local In Policy’ first):

config firewall local-in-policy
   edit 1
      set intf "wan1"
      set srcaddr "geo_France"
      set dstaddr "all"
      set action accept
      set service "ALL"
      set schedule "always"
   edit 2
      set intf "wan1"
      set srcaddr "all"
      set dstaddr "all"
      set action deny
      set service "ALL"
      set schedule "always"

Bug warning (2018-08-17):

If you happen to find one day that you cannot see any address objects anymore, and you have geolocation addresses defined, it might be due to a bug in FortiOS v5.2 and v5.4.

Fortinet has removed the “Asia-Pacific” and “Europe” country codes. If your address group still contains one of these, the address object page in the WebGUI will not be accessible anymore.

Fix: edit the address group in the CLI (“config firewall address group”) and delete these entries.

↑ back to top