Lately I have been growing tired of using the CLI to configure network devices, so when I was faced with a project to deploy about 100 Fortigate firewalls, I decided that I was not interested in copy-pasting configs via the CLI and wanted to do something different. Luckily for me, Fortigate rolled out a pretty good API in the 5.4 code, which can be used to configure most (if not all) of the parameters of the device. I already had automation that generates the configuration for all the devices by pulling from IPAM (I may write a different post about that at a later time), so I just needed something to push that config to the devices. That is the part I'll concentrate on in this post.

Why REST?

Because I am tired of screen scraping. Because I am tired of having to deal with different carriage return symbols between portX interfaces and mgmtX interfaces. Yes, I could have used an already built library, but I just don't like the principle of it. The REST API is not ideal; in fact it has shortcomings compared to the CLI in Fortigate's implementation, but I see it as the lesser of 2 evils. Plus, more and more devices are starting to support it, so I decided I could use some experience with it. Fortinet used to hide their APIs behind a paywall, but now you can get into the documentation if you know 2 people with e-mail addresses.

Why write the library myself, instead of using the one by Fortinet?

They do have a python library that you can use to make API calls, but I chose to write my own for the following reasons:

- Fortinet's library required python 2.7; there are some machines in my environment that only have 2.6 and I wanted the flexibility to use them if needed.
- I wanted to be able to use a socks proxy for API calls. Yes, I could ssh with -L and do port forwarding, but it was much easier to ssh with -D and use a socks proxy.
- Fortinet's library didn't seem to do anything complicated, so I figured I could replicate it fairly easily (which ended up being mostly true).

Please note that this code is by no means a fully baked solution; it was created for a very narrow use case and it does that fairly well. Hopefully I'll have time to keep working on it and adding functionality. To make a very simple script that calls a Fortigate at IP 1.1.1.1 and queries and prints the configuration of port1, download the fw_api_test.py file and create the following python script in the same folder. There are more examples available in the readme on github.

Since I wanted to avoid as much manual labor as possible, I ended up writing a bunch of automation around the provisioning as well. At the end, the provisioning process looked like this:

- Populate IPAM with all the information about the new device(s), including interface IPs and some of the systems that the firewall is protecting.
- Create a JSON file that has common configuration shared between all the devices (like snmp and syslog settings, ddos profiles, etc).
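The script the post refers to is not reproduced on the page, so the following is an added example and not the author's fw_api_test.py: it queries port1 on a Fortigate at 1.1.1.1 over the FortiOS REST API, tunnelled through the ssh -D socks proxy described above. It assumes token (Bearer) authentication, the /api/v2/cmdb/system/interface/<name> CMDB path, the socks-enabled requests library, and a placeholder token read from FGT_TOKEN.

```python
"""Added example (not the post's fw_api_test.py): read one FortiGate
interface over the FortiOS REST API, optionally via `ssh -D 1080 jumphost`."""
import json
import os
import re

# Assumptions (not from the post): Bearer-token auth and the CMDB path below.
FORTIGATE = "https://1.1.1.1"
PROXY = "socks5h://127.0.0.1:1080"          # local end of `ssh -D 1080`
TOKEN = os.environ.get("FGT_TOKEN", "REPLACE_WITH_API_TOKEN")  # placeholder

_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def interface_url(host, name):
    """Build the CMDB URL for one interface. The name is validated so a
    value taken from IPAM cannot smuggle in extra path segments or a query."""
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe interface name: {name!r}")
    return f"{host.rstrip('/')}/api/v2/cmdb/system/interface/{name}"


def auth_headers(token):
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def proxies_for(proxy):
    """requests proxy map; socks5h resolves names on the far side of the
    tunnel, so the firewall's address never hits the local resolver."""
    return {"https": proxy, "http": proxy} if proxy else {}


def get_interface(host, name, token, proxy=None, ca_bundle=True):
    """GET one interface; verify=ca_bundle keeps TLS checking on (pass the
    path of the CA that signed the FortiGate cert, never False)."""
    import requests  # pip install 'requests[socks]' (PySocks for socks5h)
    resp = requests.get(interface_url(host, name), headers=auth_headers(token),
                        proxies=proxies_for(proxy), verify=ca_bundle, timeout=15)
    resp.raise_for_status()
    body = resp.json()
    # FortiOS wraps CMDB answers as {"status": "success", "results": [...]}
    if body.get("status") != "success":
        raise RuntimeError(f"API error: {body}")
    return body["results"]


if __name__ == "__main__":
    for entry in get_interface(FORTIGATE, "port1", TOKEN, PROXY):
        print(json.dumps(entry, indent=2))
```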