Archive | March 2015

Bulk Fortigate configuration backup

Continuing on from the previous post with bulk management of firewalls, in particular Fortigates.  The following shows a basic script which after enabling SCP transfers on your device, utilizes pscp.exe to backup multiple Fortigate firewall configs.

This script gets the current date, creates a folder under your Backup Path with the date, connects to each firewall in your CSV file (just as the previous post) and uses pscp.exe to backup the config file (fgt-config).  It then renames the fgt-config output file to the IP of your firewall and appends the date to the file name.  I am utilizing the echo y command at the front of the command to accept the untrusted certificate error at first connection.  In a production environment you may wish to re-evaluate this option!

Note, while the transcript option is present, due to a bug in PowerShell you do not get a whole lot of info out of running cmd applications from PowerShell.  I’ll look at a work around for this and update in the near future.

backup-config2
————————————————————————————
$Firewalls = get-content .\firewalls.csv
$Date = Get-Date -Format “dd-MM-yyyy”
$Username = “firewallusername”
$Password = “firewallpassword”
$BackupPath = “E:\Firewall-Config-Backups”
New-Item $BackupPath\$Date\ -type directory
Start-Transcript -path $BackupPath\$Date\$Date.log -append

foreach ($Firewall in $Firewalls){

echo y | .\pscp.exe -l $Username -pw $Password -v “$Firewall::fgt-config” $BackupPath\$Date\ | out-host -verbose
rename-item -path $BackupPath\$Date\fgt-config -newname $BackupPath\$Date\$Firewall-$Date.conf

}

Stop-Transcript
————————————————————————————

Here’s what your final screen output should look like:

backup-config-new

Using Powershell for bulk SSH commands on Fortigate firewalls, etc.

I’ve been working with a customer with a large stack of Fortigate firewalls.  Quite frequently there is a requirement to run commands against some or all of the firewalls.  While config management can be performed via the FortiManager, after trialling it we realized there were simply too many limitations for their requirements.  Thankfully bulk commands can be performed with this handy PowerShell SSH Module:
http://www.powershelladmin.com/wiki/SSH_from_PowerShell_using_the_SSH.NET_library.  As an example, I’ve built a quick power shell script as an example of how this can be used.

1.) Populate a list of your firewall IP addresses in a CSV firewall called Firewalls.csv.
firewall-ips
2.) Example: Enable SCP on Fortigate firewalls (to be used in a running config backups, etc.)
Import-Module .\SSH-Sessions.psd1
$Firewalls = get-content .\firewalls.csv
$Username = “firewallusername”
$Password = “firewallpassword”
foreach ($Firewall in $Firewalls){
New-SshSession $Firewall -Username $Username -Password $Password
Invoke-SshCommand $Firewall -command ‘config system global
set admin-scp enable
end’
}

firewall-enablescp

Note: In a production environment you would want to a) Use Cert based authentication or b) Encrypt your User/Name password (or perhaps prompt for a credential when script is ran).  It goes without saying – backup your firewall config before you make any changes! 🙂

In my next post I’ll cover using pscp.exe to backup your firewall config in a PowerShell script.