From 753b26ccf9f7e090f784ca2b60f1d02b0979ebf9 Mon Sep 17 00:00:00 2001
From: Benjamin Jolivot
Date: Tue, 1 Aug 2017 19:17:12 +0200
Subject: [PATCH] Manage Fortios/Fortigate Address (#21542)

* New module fortios_address
* Add module_utils required_if + fix Doc
* Merge spec & required_if from module_utils
* Fix pep8
* Py2.5 compat , cosmetic changes
* Fix param timeout
* Fortios_address module + integration tests
* add netaddr library in requirements for integration tests
* Pep8 problems
* ANSIBLE_METADATA.version -> ANSIBLE_METADATA.metadata_version
---
 .../network/fortios/fortios_address.py | 304 ++
 .../targets/fortios_address/aliases | 1 +
 .../fortios_address/files/default_config.conf | 3134 +++++++++++++++++
 .../files/default_config.conf.backup | 3134 +++++++++++++++++
 .../fortios_address/files/requirements.txt | 2 +
 .../targets/fortios_address/tasks/main.yml | 14 +
 .../tasks/test_indempotency.yml | 82 +
 .../tasks/test_params_state_absent.yml | 91 +
 .../tasks/test_params_state_present.yml | 86 +
 9 files changed, 6848 insertions(+)
 create mode 100644 lib/ansible/modules/network/fortios/fortios_address.py
 create mode 100644 test/integration/targets/fortios_address/aliases
 create mode 100644 test/integration/targets/fortios_address/files/default_config.conf
 create mode 100644 test/integration/targets/fortios_address/files/default_config.conf.backup
 create mode 100644 test/integration/targets/fortios_address/files/requirements.txt
 create mode 100644 test/integration/targets/fortios_address/tasks/main.yml
 create mode 100644 test/integration/targets/fortios_address/tasks/test_indempotency.yml
 create mode 100644 test/integration/targets/fortios_address/tasks/test_params_state_absent.yml
 create mode 100644 test/integration/targets/fortios_address/tasks/test_params_state_present.yml
diff --git a/lib/ansible/modules/network/fortios/fortios_address.py b/lib/ansible/modules/network/fortios/fortios_address.py
new file mode 100644
index 00000000000..8b1439ecf03
--- /dev/null
+++ b/lib/ansible/modules/network/fortios/fortios_address.py
@@ -0,0 +1,304 @@
+#!/usr/bin/python
+#
+# Ansible module to manage IP addresses on fortios devices
+# (c) 2016, Benjamin Jolivot
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+#
+
+ANSIBLE_METADATA = {
+ 'status': ['preview'],
+ 'supported_by': 'community',
+ 'metadata_version': '1.0'
+}
+
+DOCUMENTATION = """
+---
+module: fortios_address
+version_added: "2.4"
+author: "Benjamin Jolivot (@bjolivot)"
+short_description: Manage fortios firewall address objects
+description:
+ - This module provide management of firewall addresses on FortiOS devices.
+extends_documentation_fragment: fortios
+options:
+ state:
+ description:
+ - Specifies if address need to be added or deleted.
+ required: true
+ choices: ['present', 'absent']
+ name:
+ description:
+ - Name of the address to add or delete.
+ required: true
+ type:
+ description:
+ - Type of the address.
+ choices: ['iprange', 'fqdn', 'ipmask', 'geography']
+ value:
+ description:
+ - Address value, based on type.
+ If type=fqdn, somthing like www.google.com.
+ If type=ipmask, you can use simple ip (192.168.0.1), ip+mask (192.168.0.1 255.255.255.0) or CIDR (192.168.0.1/32).
+ start_ip:
+ description:
+ - First ip in range (used only with type=iprange).
+ end_ip:
+ description:
+ - Last ip in range (used only with type=iprange).
+ country:
+ description:
+ - 2 letter country code (like FR).
+ interface:
+ description:
+ - interface name the address apply to.
+ default: any
+ comment:
+ description:
+ - free text to describe address.
+notes:
+ - This module requires netaddr python library.
+"""
+
+EXAMPLES = """
+- name: Register french addresses
+ fortios_address:
+ host: 192.168.0.254
+ username: admin
+ password: p4ssw0rd
+ state: present
+ name: "fromfrance"
+ type: geography
+ country: FR
+ comment: "French geoip address"
+
+- name: Register some fqdn
+ fortios_address:
+ host: 192.168.0.254
+ username: admin
+ password: p4ssw0rd
+ state: present
+ name: "Ansible"
+ type: fqdn
+ value: www.ansible.com
+ comment: "Ansible website"
+
+- name: Register google DNS
+ fortios_address:
+ host: 192.168.0.254
+ username: admin
+ password: p4ssw0rd
+ state: present
+ name: "google_dns"
+ type: ipmask
+ value: 8.8.8.8
+
+"""
+
+RETURN = """
+firewall_address_config:
+ description: full firewall adresses config string.
+ returned: always
+ type: string
+change_string:
+ description: The commands executed by the module.
+ returned: only if config changed
+ type: string
+"""
+
+from ansible.module_utils.fortios import fortios_argument_spec, fortios_required_if
+from ansible.module_utils.fortios import backup, AnsibleFortios
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.pycompat24 import get_exception
+
+
+# check for netaddr lib
+try:
+ from netaddr import IPNetwork
+ HAS_NETADDR = True
+except:
+ HAS_NETADDR = False
+
+
+# define valid country list for GEOIP address type
+FG_COUNTRY_LIST = (
+ 'ZZ', 'A1', 'A2', 'O1', 'AD', 'AE', 'AF', 'AG', 'AI', 'AL', 'AM', 'AN', 'AO',
+ 'AP', 'AQ', 'AR', 'AS', 'AT', 'AU', 'AW', 'AX', 'AZ', 'BA', 'BB', 'BD', 'BE',
+ 'BF', 'BG', 'BH', 'BI', 'BJ', 'BL', 'BM', 'BN', 'BO', 'BQ', 'BR', 'BS', 'BT',
+ 'BV', 'BW', 'BY', 'BZ', 'CA', 'CC', 'CD', 'CF', 'CG', 'CH', 'CI', 'CK', 'CL',
+ 'CM', 'CN', 'CO', 'CR', 'CU', 'CV', 'CW', 'CX', 'CY', 'CZ', 'DE', 'DJ', 'DK',
+ 'DM', 'DO', 'DZ', 'EC', 'EE', 'EG', 'EH', 'ER', 'ES', 'ET', 'EU', 'FI', 'FJ',
+ 'FK', 'FM', 'FO', 'FR', 'GA', 'GB', 'GD', 'GE', 'GF', 'GG', 'GH', 'GI', 'GL',
+ 'GM', 'GN', 'GP', 'GQ', 'GR', 'GS', 'GT', 'GU', 'GW', 'GY', 'HK', 'HM', 'HN',
+ 'HR', 'HT', 'HU', 'ID', 'IE', 'IL', 'IM', 'IN', 'IO', 'IQ', 'IR', 'IS', 'IT',
+ 'JE', 'JM', 'JO', 'JP', 'KE', 'KG', 'KH', 'KI', 'KM', 'KN', 'KP', 'KR', 'KW',
+ 'KY', 'KZ', 'LA', 'LB', 'LC', 'LI', 'LK', 'LR', 'LS', 'LT', 'LU', 'LV', 'LY',
+ 'MA', 'MC', 'MD', 'ME', 'MF', 'MG', 'MH', 'MK', 'ML', 'MM', 'MN', 'MO', 'MP',
+ 'MQ', 'MR', 'MS', 'MT', 'MU', 'MV', 'MW', 'MX', 'MY', 'MZ', 'NA', 'NC', 'NE',
+ 'NF', 'NG', 'NI', 'NL', 'NO', 'NP', 'NR', 'NU', 'NZ', 'OM', 'PA', 'PE', 'PF',
+ 'PG', 'PH', 'PK', 'PL', 'PM', 'PN', 'PR', 'PS', 'PT', 'PW', 'PY', 'QA', 'RE',
+ 'RO', 'RS', 'RU', 'RW', 'SA', 'SB', 'SC', 'SD', 'SE', 'SG', 'SH', 'SI', 'SJ',
+ 'SK', 'SL', 'SM', 'SN', 'SO', 'SR', 'SS', 'ST', 'SV', 'SX', 'SY', 'SZ', 'TC',
+ 'TD', 'TF', 'TG', 'TH', 'TJ', 'TK', 'TL', 'TM', 'TN', 'TO', 'TR', 'TT', 'TV',
+ 'TW', 'TZ', 'UA', 'UG', 'UM', 'US', 'UY', 'UZ', 'VA', 'VC', 'VE', 'VG', 'VI',
+ 'VN', 'VU', 'WF', 'WS', 'YE', 'YT', 'ZA', 'ZM', 'ZW'
+)
+
+
+def get_formated_ipaddr(input_ip):
+ """
+ Format given ip address string to fortigate format (ip netmask)
+ Args:
+ * **ip_str** (string) : string representing ip address
+ accepted format:
+ - ip netmask (ex: 192.168.0.10 255.255.255.0)
+ - ip (ex: 192.168.0.10)
+ - CIDR (ex: 192.168.0.10/24)
+
+ Returns:
+ formated ip if ip is valid (ex: "192.168.0.10 255.255.255.0")
+ False if ip is not valid
+ """
+ try:
+ if " " in input_ip:
+ # ip netmask format
+ str_ip, str_netmask = input_ip.split(" ")
+ ip = IPNetwork(str_ip)
+ mask = IPNetwork(str_netmask)
+ return "%s %s" % (str_ip, str_netmask)
+ else:
+ ip = IPNetwork(input_ip)
+ return "%s %s" % (str(ip.ip), str(ip.netmask))
+ except:
+ return False
+
+ return False
+
+
+def main():
+ argument_spec = dict(
+ state=dict(required=True, choices=['present', 'absent']),
+ name=dict(required=True),
+ type=dict(choices=['iprange', 'fqdn', 'ipmask', 'geography'], default='ipmask'),
+ value=dict(),
+ start_ip=dict(),
+ end_ip=dict(),
+ country=dict(),
+ interface=dict(default='any'),
+ comment=dict(),
+ )
+
+ # merge argument_spec from module_utils/fortios.py
+ argument_spec.update(fortios_argument_spec)
+
+ # Load module
+ module = AnsibleModule(
+ argument_spec=argument_spec,
+ required_if=fortios_required_if,
+ supports_check_mode=True,
+ )
+ result = dict(changed=False)
+
+ if not HAS_NETADDR:
+ module.fail_json(msg='Could not import the python library netaddr required by this module')
+
+ # check params
+ if module.params['state'] == 'absent':
+ if module.params['type'] != "ipmask":
+ module.fail_json(msg='Invalid argument type=%s when state=absent' % module.params['type'])
+ if module.params['value'] is not None:
+ module.fail_json(msg='Invalid argument `value` when state=absent')
+ if module.params['start_ip'] is not None:
+ module.fail_json(msg='Invalid argument `start_ip` when state=absent')
+ if module.params['end_ip'] is not None:
+ module.fail_json(msg='Invalid argument `end_ip` when state=absent')
+ if module.params['country'] is not None:
+ module.fail_json(msg='Invalid argument `country` when state=absent')
+ if module.params['interface'] != "any":
+ module.fail_json(msg='Invalid argument `interface` when state=absent')
+ if module.params['comment'] is not None:
+ module.fail_json(msg='Invalid argument `comment` when state=absent')
+ else:
+ # state=present
+ # validate IP
+ if module.params['type'] == "ipmask":
+ formated_ip = get_formated_ipaddr(module.params['value'])
+ if formated_ip is not False:
+ module.params['value'] = get_formated_ipaddr(module.params['value'])
+ else:
+ module.fail_json(msg="Bad ip address format")
+
+ # validate country
+ if module.params['type'] == "geography":
+ if module.params['country'] not in FG_COUNTRY_LIST:
+ module.fail_json(msg="Invalid country argument, need to be in `diagnose firewall ipgeo country-list`")
+
+ # validate iprange
+ if module.params['type'] == "iprange":
+ if module.params['start_ip'] is None:
+ module.fail_json(msg="Missing argument 'start_ip' when type is iprange")
+ if module.params['end_ip'] is None:
+ module.fail_json(msg="Missing argument 'end_ip' when type is iprange")
+
+ # init forti object
+ fortigate = AnsibleFortios(module)
+
+ # Config path
+ config_path = 'firewall address'
+
+ # load config
+ fortigate.load_config(config_path)
+
+ # Absent State
+ if module.params['state'] == 'absent':
+ fortigate.candidate_config[config_path].del_block(module.params['name'])
+
+ # Present state
+ if module.params['state'] == 'present':
+ # define address params
+ new_addr = fortigate.get_empty_configuration_block(module.params['name'], 'edit')
+
+ if module.params['comment'] is not None:
+ new_addr.set_param('comment', '"%s"' % (module.params['comment']))
+
+ if module.params['type'] == 'iprange':
+ new_addr.set_param('type', 'iprange')
+ new_addr.set_param('start-ip', module.params['start_ip'])
+ new_addr.set_param('end-ip', module.params['end_ip'])
+
+ if module.params['type'] == 'geography':
+ new_addr.set_param('type', 'geography')
+ new_addr.set_param('country', '"%s"' % (module.params['country']))
+
+ if module.params['interface'] != 'any':
+ new_addr.set_param('associated-interface', '"%s"' % (module.params['interface']))
+
+ if module.params['value'] is not None:
+ if module.params['type'] == 'fqdn':
+ new_addr.set_param('type', 'fqdn')
+ new_addr.set_param('fqdn', '"%s"' % (module.params['value']))
+ if module.params['type'] == 'ipmask':
+ new_addr.set_param('subnet', module.params['value'])
+
+ # add the new address object to the device
+ fortigate.add_block(module.params['name'], new_addr)
+
+ # Apply changes (check mode is managed directly by the fortigate object)
+ fortigate.apply_changes()
+
+if __name__ == '__main__':
+ main()
diff --git a/test/integration/targets/fortios_address/aliases b/test/integration/targets/fortios_address/aliases
new file mode 100644
index 00000000000..4485d761629
--- /dev/null
+++ b/test/integration/targets/fortios_address/aliases
@@ -0,0 +1 @@
+posix/ci/group1
diff --git a/test/integration/targets/fortios_address/files/default_config.conf b/test/integration/targets/fortios_address/files/default_config.conf
new file mode 100644
index 00000000000..2d2343ab2ff
--- /dev/null
+++ b/test/integration/targets/fortios_address/files/default_config.conf
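Review bot: `comment`, `country`, `interface`, the fqdn `value` and `name` are written into the candidate config via `'"%s"' % ...` (and `get_empty_configuration_block(name, 'edit')`) with no escaping, so a value containing a double quote or a line break can close the quoted string and — if AnsibleFortios renders these blocks as CLI lines, which is not visible in this hunk — smuggle additional `set`/`next` statements into the firewall address table; a playbook that sources these fields from inventory or survey input needs a guard before the block is built, as in the check below. The iprange branch only tests that `start_ip`/`end_ip` are present while `ipmask` values go through `get_formated_ipaddr`, so passing the two endpoints through `netaddr.IPAddress` would make validation consistent across types; in that helper the `" "` branch also accepts any parseable address as the netmask without checking that it is actually a mask. The bare `except:` in `get_formated_ipaddr` should be narrowed to at least `except Exception:` so it does not swallow `KeyboardInterrupt`, and the already computed `formated_ip` can be assigned to `module.params['value']` instead of calling the helper a second time.
```python
    if not HAS_NETADDR:
        module.fail_json(msg='Could not import the python library netaddr required by this module')

    # free-form strings are quoted verbatim into config lines below; refuse anything that could
    # terminate the quoted value or start a new CLI statement
    for key in ('name', 'comment', 'interface', 'value', 'country'):
        val = module.params[key]
        if val is not None and any(ch in val for ch in '"\r\n'):
            module.fail_json(msg='Invalid character in argument `%s`' % key)

    # ... unchanged: state/type specific parameter checks and config block construction ...
```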
@@ -0,0 +1,3134 @@ + config system global + set timezone 04 + set admintimeout 480 + set admin-server-cert "Fortinet_Firmware" + set fgd-alert-subscription advisory latest-threat + set hostname "FortiGate-VM64-HV" + end + config system accprofile + edit prof_admin + set vpngrp read-write + set utmgrp read-write + set authgrp read-write + set wifi read-write + set sysgrp read-write + set loggrp read-write + set mntgrp read-write + set netgrp read-write + set admingrp read-write + set fwgrp read-write + set wanoptgrp read-write + set updategrp read-write + set routegrp read-write + set endpoint-control-grp read-write + next + end + config system interface + edit port1 + set ip 192.168.137.154 255.255.255.0 + set type physical + set vdom "root" + set allowaccess ping https ssh http fgfm + next + edit port2 + set type physical + set vdom "root" + next + edit port3 + set type physical + set vdom "root" + next + edit port4 + set type physical + set vdom "root" + next + edit port5 + set type physical + set vdom "root" + next + edit port6 + set type physical + set vdom "root" + next + edit port7 + set type physical + set vdom "root" + next + edit port8 + set type physical + set vdom "root" + next + edit ssl.root + set alias "SSL VPN interface" + set type tunnel + set vdom "root" + next + end + config system custom-language + edit en + set filename "en" + next + edit fr + set filename "fr" + next + edit sp + set filename "sp" + next + edit pg + set filename "pg" + next + edit x-sjis + set filename "x-sjis" + next + edit big5 + set filename "big5" + next + edit GB2312 + set filename "GB2312" + next + edit euc-kr + set filename "euc-kr" + next + end + config system admin + edit admin + set accprofile "super_admin" + set vdom "root" + config dashboard-tabs + edit 1 + set name "Status" + next + end + config dashboard + edit 1 + set column 1 + set tab-id 1 + next + edit 2 + set column 1 + set widget-type licinfo + set tab-id 1 + next + edit 3 + set column 1 + set widget-type 
jsconsole + set tab-id 1 + next + edit 4 + set column 2 + set widget-type sysres + set tab-id 1 + next + edit 5 + set column 2 + set widget-type gui-features + set tab-id 1 + next + edit 6 + set column 2 + set top-n 10 + set widget-type alert + set tab-id 1 + next + end + next + end + config system ha + set override disable + end + config system dns + set primary 208.91.112.53 + set secondary 208.91.112.52 + end + config system replacemsg-image + edit logo_fnet + set image-base64 '' + set image-type gif + next + edit logo_fguard_wf + set image-base64 '' + set image-type gif + next + edit logo_fw_auth + set image-base64 '' + set image-type png + next + edit logo_v2_fnet + set image-base64 '' + set image-type png + next + edit logo_v2_fguard_wf + set image-base64 '' + set image-type png + next + edit logo_v2_fguard_app + set image-base64 '' + set image-type png + next + end + config system replacemsg mail email-block + end + config system replacemsg mail email-dlp-subject + end + config system replacemsg mail email-dlp-ban + end + config system replacemsg mail email-filesize + end + config system replacemsg mail partial + end + config system replacemsg mail smtp-block + end + config system replacemsg mail smtp-filesize + end + config system replacemsg http bannedword + end + config system replacemsg http url-block + end + config system replacemsg http urlfilter-err + end + config system replacemsg http infcache-block + end + config system replacemsg http http-block + end + config system replacemsg http http-filesize + end + config system replacemsg http http-dlp-ban + end + config system replacemsg http http-archive-block + end + config system replacemsg http http-contenttypeblock + end + config system replacemsg http https-invalid-cert-block + end + config system replacemsg http http-client-block + end + config system replacemsg http http-client-filesize + end + config system replacemsg http http-client-bannedword + end + config system replacemsg http 
http-post-block + end + config system replacemsg http http-client-archive-block + end + config system replacemsg http switching-protocols-block + end + config system replacemsg webproxy deny + end + config system replacemsg webproxy user-limit + end + config system replacemsg webproxy auth-challenge + end + config system replacemsg webproxy auth-login-fail + end + config system replacemsg webproxy auth-authorization-fail + end + config system replacemsg webproxy http-err + end + config system replacemsg webproxy auth-ip-blackout + end + config system replacemsg ftp ftp-dl-blocked + end + config system replacemsg ftp ftp-dl-filesize + end + config system replacemsg ftp ftp-dl-dlp-ban + end + config system replacemsg ftp ftp-explicit-banner + end + config system replacemsg ftp ftp-dl-archive-block + end + config system replacemsg nntp nntp-dl-blocked + end + config system replacemsg nntp nntp-dl-filesize + end + config system replacemsg nntp nntp-dlp-subject + end + config system replacemsg nntp nntp-dlp-ban + end + config system replacemsg fortiguard-wf ftgd-block + end + config system replacemsg fortiguard-wf http-err + end + config system replacemsg fortiguard-wf ftgd-ovrd + end + config system replacemsg fortiguard-wf ftgd-quota + end + config system replacemsg fortiguard-wf ftgd-warning + end + config system replacemsg spam ipblocklist + end + config system replacemsg spam smtp-spam-dnsbl + end + config system replacemsg spam smtp-spam-feip + end + config system replacemsg spam smtp-spam-helo + end + config system replacemsg spam smtp-spam-emailblack + end + config system replacemsg spam smtp-spam-mimeheader + end + config system replacemsg spam reversedns + end + config system replacemsg spam smtp-spam-bannedword + end + config system replacemsg spam smtp-spam-ase + end + config system replacemsg spam submit + end + config system replacemsg im im-file-xfer-block + end + config system replacemsg im im-file-xfer-name + end + config system replacemsg im 
im-file-xfer-infected + end + config system replacemsg im im-file-xfer-size + end + config system replacemsg im im-dlp + end + config system replacemsg im im-dlp-ban + end + config system replacemsg im im-voice-chat-block + end + config system replacemsg im im-video-chat-block + end + config system replacemsg im im-photo-share-block + end + config system replacemsg im im-long-chat-block + end + config system replacemsg alertmail alertmail-virus + end + config system replacemsg alertmail alertmail-block + end + config system replacemsg alertmail alertmail-nids-event + end + config system replacemsg alertmail alertmail-crit-event + end + config system replacemsg alertmail alertmail-disk-full + end + config system replacemsg admin pre_admin-disclaimer-text + end + config system replacemsg admin post_admin-disclaimer-text + end + config system replacemsg auth auth-disclaimer-page-1 + end + config system replacemsg auth auth-disclaimer-page-2 + end + config system replacemsg auth auth-disclaimer-page-3 + end + config system replacemsg auth auth-reject-page + end + config system replacemsg auth auth-login-page + end + config system replacemsg auth auth-login-failed-page + end + config system replacemsg auth auth-token-login-page + end + config system replacemsg auth auth-token-login-failed-page + end + config system replacemsg auth auth-success-msg + end + config system replacemsg auth auth-challenge-page + end + config system replacemsg auth auth-keepalive-page + end + config system replacemsg auth auth-portal-page + end + config system replacemsg auth auth-password-page + end + config system replacemsg auth auth-fortitoken-page + end + config system replacemsg auth auth-next-fortitoken-page + end + config system replacemsg auth auth-email-token-page + end + config system replacemsg auth auth-sms-token-page + end + config system replacemsg auth auth-email-harvesting-page + end + config system replacemsg auth auth-email-failed-page + end + config system replacemsg auth 
auth-cert-passwd-page + end + config system replacemsg auth auth-guest-print-page + end + config system replacemsg auth auth-guest-email-page + end + config system replacemsg auth auth-success-page + end + config system replacemsg auth auth-block-notification-page + end + config system replacemsg sslvpn sslvpn-login + end + config system replacemsg sslvpn sslvpn-limit + end + config system replacemsg sslvpn hostcheck-error + end + config system replacemsg ec endpt-download-portal + end + config system replacemsg ec endpt-download-portal-mac + end + config system replacemsg ec endpt-download-portal-ios + end + config system replacemsg ec endpt-download-portal-aos + end + config system replacemsg ec endpt-download-portal-other + end + config system replacemsg device-detection-portal device-detection-failure + end + config system replacemsg nac-quar nac-quar-virus + end + config system replacemsg nac-quar nac-quar-dos + end + config system replacemsg nac-quar nac-quar-ips + end + config system replacemsg nac-quar nac-quar-dlp + end + config system replacemsg nac-quar nac-quar-admin + end + config system replacemsg traffic-quota per-ip-shaper-block + end + config system replacemsg utm virus-html + end + config system replacemsg utm virus-text + end + config system replacemsg utm dlp-html + end + config system replacemsg utm dlp-text + end + config system replacemsg utm appblk-html + end + config vpn certificate ca + end + config vpn certificate local + edit Fortinet_CA_SSLProxy + set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- + set password ENC eRZ5UNnzW1eAAJn+reDWnDdgQZ1yxFr7z+rp0lzCeKX64OiaEcBKwGIzocIf5y5p37siqf1bPHwEMWkvISqQSXKT8JijvaLtA/oNlqTw8GwglMlW390JTckMS7v60mVQ2Jj1Ng9q4xi2dXKpVGXqYnpc1nDSApGqHTwpL/lgc1+HLh0CQvn4zQpIs8//4hVscjqz0g== + set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates." 
+ set certificate "-----BEGIN CERTIFICATE----- + next + edit Fortinet_SSLProxy + set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- + set password ENC JGQ1Psth3oHimOP5bRUzt+zfBA5PlPBXZj6xLvqp7JILLBa6Der02qjotGI4UnaKAGSad7uEkPKLq2ePjzBy/Rc/E55FJO8OjffWzIOgpT1jYMmw8IOuAlB50weCRpzMowrLT+FKFF53SxG+oe5n4EaoiqR92WZsXzOTFpNdSFXyvggt/lmOz4Zm08AMD3sWFWg/ZA== + set certificate "-----BEGIN CERTIFICATE----- + next + end + config user device-category + edit ipad + next + edit iphone + next + edit gaming-console + next + edit blackberry-phone + next + edit blackberry-playbook + next + edit linux-pc + next + edit mac + next + edit windows-pc + next + edit android-phone + next + edit android-tablet + next + edit media-streaming + next + edit windows-phone + next + edit windows-tablet + next + edit fortinet-device + next + edit ip-phone + next + edit router-nat-device + next + edit printer + next + edit other-network-device + next + edit collected-emails + next + edit all + next + end + config system session-sync + end + config system fortiguard + set webfilter-sdns-server-ip "208.91.112.220" + end + config ips global + set default-app-cat-mask 18446744073474670591 + end + config ips dbinfo + set version 1 + end + config gui console + end + config system session-helper + edit 1 + set protocol 6 + set name pptp + set port 1723 + next + edit 2 + set protocol 6 + set name h323 + set port 1720 + next + edit 3 + set protocol 17 + set name ras + set port 1719 + next + edit 4 + set protocol 6 + set name tns + set port 1521 + next + edit 5 + set protocol 17 + set name tftp + set port 69 + next + edit 6 + set protocol 6 + set name rtsp + set port 554 + next + edit 7 + set protocol 6 + set name rtsp + set port 7070 + next + edit 8 + set protocol 6 + set name rtsp + set port 8554 + next + edit 9 + set protocol 6 + set name ftp + set port 21 + next + edit 10 + set protocol 6 + set name mms + set port 1863 + next + edit 11 + set protocol 6 + set name pmap + set port 111 + next + edit 12 + 
set protocol 17 + set name pmap + set port 111 + next + edit 13 + set protocol 17 + set name sip + set port 5060 + next + edit 14 + set protocol 17 + set name dns-udp + set port 53 + next + edit 15 + set protocol 6 + set name rsh + set port 514 + next + edit 16 + set protocol 6 + set name rsh + set port 512 + next + edit 17 + set protocol 6 + set name dcerpc + set port 135 + next + edit 18 + set protocol 17 + set name dcerpc + set port 135 + next + edit 19 + set protocol 17 + set name mgcp + set port 2427 + next + edit 20 + set protocol 17 + set name mgcp + set port 2727 + next + end + config system auto-install + set auto-install-config enable + set auto-install-image enable + end + config system ntp + set ntpsync enable + set syncinterval 60 + end + config system settings + end + config firewall address + edit SSLVPN_TUNNEL_ADDR1 + set type iprange + set end-ip 10.212.134.210 + set start-ip 10.212.134.200 + next + edit all + next + edit none + set subnet 0.0.0.0 255.255.255.255 + next + edit apple + set type fqdn + set fqdn "*.apple.com" + next + edit dropbox.com + set type fqdn + set fqdn "*.dropbox.com" + next + edit Gotomeeting + set type fqdn + set fqdn "*.gotomeeting.com" + next + edit icloud + set type fqdn + set fqdn "*.icloud.com" + next + edit itunes + set type fqdn + set fqdn "*itunes.apple.com" + next + edit android + set type fqdn + set fqdn "*.android.com" + next + edit skype + set type fqdn + set fqdn "*.messenger.live.com" + next + edit swscan.apple.com + set type fqdn + set fqdn "swscan.apple.com" + next + edit update.microsoft.com + set type fqdn + set fqdn "update.microsoft.com" + next + edit appstore + set type fqdn + set fqdn "*.appstore.com" + next + edit eease + set type fqdn + set fqdn "*.eease.com" + next + edit google-drive + set type fqdn + set fqdn "*drive.google.com" + next + edit google-play + set type fqdn + set fqdn "play.google.com" + next + edit google-play2 + set type fqdn + set fqdn "*.ggpht.com" + next + edit google-play3 + set 
type fqdn + set fqdn "*.books.google.com" + next + edit microsoft + set type fqdn + set fqdn "*.microsoft.com" + next + edit adobe + set type fqdn + set fqdn "*.adobe.com" + next + edit Adobe Login + set type fqdn + set fqdn "*.adobelogin.com" + next + edit fortinet + set type fqdn + set fqdn "*.fortinet.com" + next + edit googleapis.com + set type fqdn + set fqdn "*.googleapis.com" + next + edit citrix + set type fqdn + set fqdn "*.citrixonline.com" + next + edit verisign + set type fqdn + set fqdn "*.verisign.com" + next + edit Windows update 2 + set type fqdn + set fqdn "*.windowsupdate.com" + next + edit *.live.com + set type fqdn + set fqdn "*.live.com" + next + edit auth.gfx.ms + set type fqdn + set fqdn "auth.gfx.ms" + next + edit autoupdate.opera.com + set type fqdn + set fqdn "autoupdate.opera.com" + next + edit softwareupdate.vmware.com + set type fqdn + set fqdn "softwareupdate.vmware.com" + next + edit firefox update server + set type fqdn + set fqdn "aus*.mozilla.org" + next + end + config firewall multicast-address + edit all + set end-ip 239.255.255.255 + set start-ip 224.0.0.0 + next + edit all_hosts + set end-ip 224.0.0.1 + set start-ip 224.0.0.1 + next + edit all_routers + set end-ip 224.0.0.2 + set start-ip 224.0.0.2 + next + edit Bonjour + set end-ip 224.0.0.251 + set start-ip 224.0.0.251 + next + edit EIGRP + set end-ip 224.0.0.10 + set start-ip 224.0.0.10 + next + edit OSPF + set end-ip 224.0.0.6 + set start-ip 224.0.0.5 + next + end + config firewall address6 + edit SSLVPN_TUNNEL_IPv6_ADDR1 + set ip6 fdff:ffff::/120 + next + edit all + next + edit none + set ip6 ::/128 + next + end + config firewall service category + edit General + set comment "General services." + next + edit Web Access + set comment "Web access." + next + edit File Access + set comment "File access." + next + edit Email + set comment "Email services." + next + edit Network Services + set comment "Network services." 
+ next + edit Authentication + set comment "Authentication service." + next + edit Remote Access + set comment "Remote access." + next + edit Tunneling + set comment "Tunneling service." + next + edit VoIP, Messaging & Other Applications + set comment "VoIP, messaging, and other applications." + next + edit Web Proxy + set comment "Explicit web proxy." + next + end + config firewall service custom + edit ALL + set category "General" + set protocol IP + next + edit ALL_TCP + set category "General" + set tcp-portrange 1-65535 + next + edit ALL_UDP + set category "General" + set udp-portrange 1-65535 + next + edit ALL_ICMP + set category "General" + set protocol ICMP + next + edit ALL_ICMP6 + set category "General" + set protocol ICMP6 + next + edit GRE + set category "Tunneling" + set protocol-number 47 + set protocol IP + next + edit AH + set category "Tunneling" + set protocol-number 51 + set protocol IP + next + edit ESP + set category "Tunneling" + set protocol-number 50 + set protocol IP + next + edit AOL + set visibility disable + set tcp-portrange 5190-5194 + next + edit BGP + set category "Network Services" + set tcp-portrange 179 + next + edit DHCP + set category "Network Services" + set udp-portrange 67-68 + next + edit DNS + set category "Network Services" + set udp-portrange 53 + set tcp-portrange 53 + next + edit FINGER + set visibility disable + set tcp-portrange 79 + next + edit FTP + set category "File Access" + set tcp-portrange 21 + next + edit FTP_GET + set category "File Access" + set tcp-portrange 21 + next + edit FTP_PUT + set category "File Access" + set tcp-portrange 21 + next + edit GOPHER + set visibility disable + set tcp-portrange 70 + next + edit H323 + set category "VoIP, Messaging & Other Applications" + set udp-portrange 1719 + set tcp-portrange 1720 1503 + next + edit HTTP + set category "Web Access" + set tcp-portrange 80 + next + edit HTTPS + set category "Web Access" + set tcp-portrange 443 + next + edit IKE + set category 
"Tunneling" + set udp-portrange 500 4500 + next + edit IMAP + set category "Email" + set tcp-portrange 143 + next + edit IMAPS + set category "Email" + set tcp-portrange 993 + next + edit Internet-Locator-Service + set visibility disable + set tcp-portrange 389 + next + edit IRC + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 6660-6669 + next + edit L2TP + set category "Tunneling" + set udp-portrange 1701 + set tcp-portrange 1701 + next + edit LDAP + set category "Authentication" + set tcp-portrange 389 + next + edit NetMeeting + set visibility disable + set tcp-portrange 1720 + next + edit NFS + set category "File Access" + set udp-portrange 111 2049 + set tcp-portrange 111 2049 + next + edit NNTP + set visibility disable + set tcp-portrange 119 + next + edit NTP + set category "Network Services" + set udp-portrange 123 + set tcp-portrange 123 + next + edit OSPF + set category "Network Services" + set protocol-number 89 + set protocol IP + next + edit PC-Anywhere + set category "Remote Access" + set udp-portrange 5632 + set tcp-portrange 5631 + next + edit PING + set category "Network Services" + set protocol ICMP + set icmptype 8 + next + edit TIMESTAMP + set protocol ICMP + set visibility disable + set icmptype 13 + next + edit INFO_REQUEST + set protocol ICMP + set visibility disable + set icmptype 15 + next + edit INFO_ADDRESS + set protocol ICMP + set visibility disable + set icmptype 17 + next + edit ONC-RPC + set category "Remote Access" + set udp-portrange 111 + set tcp-portrange 111 + next + edit DCE-RPC + set category "Remote Access" + set udp-portrange 135 + set tcp-portrange 135 + next + edit POP3 + set category "Email" + set tcp-portrange 110 + next + edit POP3S + set category "Email" + set tcp-portrange 995 + next + edit PPTP + set category "Tunneling" + set tcp-portrange 1723 + next + edit QUAKE + set udp-portrange 26000 27000 27910 27960 + set visibility disable + next + edit RAUDIO + set udp-portrange 7070 + set 
visibility disable + next + edit REXEC + set visibility disable + set tcp-portrange 512 + next + edit RIP + set category "Network Services" + set udp-portrange 520 + next + edit RLOGIN + set visibility disable + set tcp-portrange 513:512-1023 + next + edit RSH + set visibility disable + set tcp-portrange 514:512-1023 + next + edit SCCP + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 2000 + next + edit SIP + set category "VoIP, Messaging & Other Applications" + set udp-portrange 5060 + set tcp-portrange 5060 + next + edit SIP-MSNmessenger + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 1863 + next + edit SAMBA + set category "File Access" + set tcp-portrange 139 + next + edit SMTP + set category "Email" + set tcp-portrange 25 + next + edit SMTPS + set category "Email" + set tcp-portrange 465 + next + edit SNMP + set category "Network Services" + set udp-portrange 161-162 + set tcp-portrange 161-162 + next + edit SSH + set category "Remote Access" + set tcp-portrange 22 + next + edit SYSLOG + set category "Network Services" + set udp-portrange 514 + next + edit TALK + set udp-portrange 517-518 + set visibility disable + next + edit TELNET + set category "Remote Access" + set tcp-portrange 23 + next + edit TFTP + set category "File Access" + set udp-portrange 69 + next + edit MGCP + set udp-portrange 2427 2727 + set visibility disable + next + edit UUCP + set visibility disable + set tcp-portrange 540 + next + edit VDOLIVE + set visibility disable + set tcp-portrange 7000-7010 + next + edit WAIS + set visibility disable + set tcp-portrange 210 + next + edit WINFRAME + set visibility disable + set tcp-portrange 1494 2598 + next + edit X-WINDOWS + set category "Remote Access" + set tcp-portrange 6000-6063 + next + edit PING6 + set protocol ICMP6 + set visibility disable + set icmptype 128 + next + edit MS-SQL + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 1433 1434 + next + edit MYSQL + set 
category "VoIP, Messaging & Other Applications" + set tcp-portrange 3306 + next + edit RDP + set category "Remote Access" + set tcp-portrange 3389 + next + edit VNC + set category "Remote Access" + set tcp-portrange 5900 + next + edit DHCP6 + set category "Network Services" + set udp-portrange 546 547 + next + edit SQUID + set category "Tunneling" + set tcp-portrange 3128 + next + edit SOCKS + set category "Tunneling" + set udp-portrange 1080 + set tcp-portrange 1080 + next + edit WINS + set category "Remote Access" + set udp-portrange 1512 + set tcp-portrange 1512 + next + edit RADIUS + set category "Authentication" + set udp-portrange 1812 1813 + next + edit RADIUS-OLD + set udp-portrange 1645 1646 + set visibility disable + next + edit CVSPSERVER + set udp-portrange 2401 + set visibility disable + set tcp-portrange 2401 + next + edit AFS3 + set category "File Access" + set udp-portrange 7000-7009 + set tcp-portrange 7000-7009 + next + edit TRACEROUTE + set category "Network Services" + set udp-portrange 33434-33535 + next + edit RTSP + set category "VoIP, Messaging & Other Applications" + set udp-portrange 554 + set tcp-portrange 554 7070 8554 + next + edit MMS + set udp-portrange 1024-5000 + set visibility disable + set tcp-portrange 1755 + next + edit KERBEROS + set category "Authentication" + set udp-portrange 88 + set tcp-portrange 88 + next + edit LDAP_UDP + set category "Authentication" + set udp-portrange 389 + next + edit SMB + set category "File Access" + set tcp-portrange 445 + next + edit NONE + set visibility disable + set tcp-portrange 0 + next + edit webproxy + set category "Web Proxy" + set explicit-proxy enable + set protocol ALL + set tcp-portrange 0-65535:0-65535 + next + end + config firewall service group + edit Email Access + set member "DNS" "IMAP" "IMAPS" "POP3" "POP3S" "SMTP" "SMTPS" + next + edit Web Access + set member "DNS" "HTTP" "HTTPS" + next + edit Windows AD + set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB" + 
next + edit Exchange Server + set member "DCE-RPC" "DNS" "HTTPS" + next + end + config webfilter ftgd-local-cat + edit custom1 + set id 140 + next + edit custom2 + set id 141 + next + end + config ips sensor + edit default + set comment "Prevent critical attacks." + config entries + edit 1 + set severity medium high critical + next + end + next + edit all_default + set comment "All predefined signatures with default setting." + config entries + edit 1 + next + end + next + edit all_default_pass + set comment "All predefined signatures with PASS action." + config entries + edit 1 + set action pass + next + end + next + edit protect_http_server + set comment "Protect against HTTP server-side vulnerabilities." + config entries + edit 1 + set protocol HTTP + set location server + next + end + next + edit protect_email_server + set comment "Protect against email server-side vulnerabilities." + config entries + edit 1 + set protocol SMTP POP3 IMAP + set location server + next + end + next + edit protect_client + set comment "Protect against client-side vulnerabilities." 
+ config entries + edit 1 + set location client + next + end + next + edit high_security + set comment "Blocks all Critical/High/Medium and some Low severity vulnerabilities" + config entries + edit 1 + set status enable + set action block + set severity medium high critical + next + edit 2 + set severity low + next + end + next + end + config firewall shaper traffic-shaper + edit high-priority + set per-policy enable + set maximum-bandwidth 1048576 + next + edit medium-priority + set priority medium + set per-policy enable + set maximum-bandwidth 1048576 + next + edit low-priority + set priority low + set per-policy enable + set maximum-bandwidth 1048576 + next + edit guarantee-100kbps + set guaranteed-bandwidth 100 + set maximum-bandwidth 1048576 + set per-policy enable + next + edit shared-1M-pipe + set maximum-bandwidth 1024 + next + end + config web-proxy global + set proxy-fqdn "default.fqdn" + end + config application list + edit default + set comment "Monitor all applications." + config entries + edit 1 + set action pass + next + end + next + edit block-p2p + config entries + edit 1 + set category 2 + next + end + next + edit monitor-p2p-and-media + config entries + edit 1 + set category 2 + set action pass + next + edit 2 + set category 5 + set action pass + next + end + next + end + config dlp filepattern + edit 1 + set name "builtin-patterns" + config entries + edit *.bat + next + edit *.com + next + edit *.dll + next + edit *.doc + next + edit *.exe + next + edit *.gz + next + edit *.hta + next + edit *.ppt + next + edit *.rar + next + edit *.scr + next + edit *.tar + next + edit *.tgz + next + edit *.vb? + next + edit *.wps + next + edit *.xl? 
+ next + edit *.zip + next + edit *.pif + next + edit *.cpl + next + end + next + edit 2 + set name "all_executables" + config entries + edit bat + set file-type bat + set filter-type type + next + edit exe + set file-type exe + set filter-type type + next + edit elf + set file-type elf + set filter-type type + next + edit hta + set file-type hta + set filter-type type + next + end + next + end + config dlp fp-sensitivity + edit Private + next + edit Critical + next + edit Warning + next + end + config dlp sensor + edit default + set comment "Log a summary of email and web traffic." + set summary-proto smtp pop3 imap http-get http-post + next + end + config webfilter content + end + config webfilter urlfilter + end + config spamfilter bword + end + config spamfilter bwl + end + config spamfilter mheader + end + config spamfilter dnsbl + end + config spamfilter iptrust + end + config log threat-weight + config web + edit 1 + set category 26 + set level high + next + edit 2 + set category 61 + set level high + next + edit 3 + set category 86 + set level high + next + edit 4 + set category 1 + set level medium + next + edit 5 + set category 3 + set level medium + next + edit 6 + set category 4 + set level medium + next + edit 7 + set category 5 + set level medium + next + edit 8 + set category 6 + set level medium + next + edit 9 + set category 12 + set level medium + next + edit 10 + set category 59 + set level medium + next + edit 11 + set category 62 + set level medium + next + edit 12 + set category 83 + set level medium + next + edit 13 + set category 72 + next + edit 14 + set category 14 + next + end + config application + edit 1 + set category 2 + next + edit 2 + set category 6 + set level medium + next + edit 3 + set category 19 + set level critical + next + end + end + config icap profile + edit default + next + end + config user local + edit guest + set passwd ENC 
EntYbQ4nWAFLGsQz5QbIt8MIxko4Ms6Nm/9fMo/5+L7FJO42JRExvl705N++oKwIB0NvfdWaiqfZ/LGPDSOVqRZnqn4pUWOlNVE6yfGxbCZUIXTlcSL58A2ok3Yd428rHETuf7mNrOJMdVS1tfnrx5+92ofsXVzAn/kpKeJLrtBRWNfBQ1YplQ2FfEDCHHW27akz4g== + set type password + next + end + config user group + edit SSO_Guest_Users + next + edit Guest-group + set member "guest" + next + end + config user device-group + edit Mobile Devices + set member "android-phone" "android-tablet" "blackberry-phone" "blackberry-playbook" "ipad" "iphone" "windows-phone" "windows-tablet" + set comment "Phones, tablets, etc." + next + edit Network Devices + set member "fortinet-device" "other-network-device" "router-nat-device" + set comment "Routers, firewalls, gateways, etc." + next + edit Others + set member "gaming-console" "media-streaming" + set comment "Other devices." + next + end + config vpn ssl web host-check-software + edit FortiClient-AV + set guid "C86EC76D-5A4C-40E7-BD94-59358E544D81" + next + edit FortiClient-FW + set guid "528CB157-D384-4593-AAAA-E42DFF111CED" + set type fw + next + edit FortiClient-AV-Vista-Win7 + set guid "385618A6-2256-708E-3FB9-7E98B93F91F9" + next + edit FortiClient-FW-Vista-Win7 + set guid "006D9983-6839-71D6-14E6-D7AD47ECD682" + set type fw + next + edit AVG-Internet-Security-AV + set guid "17DDD097-36FF-435F-9E1B-52D74245D6BF" + next + edit AVG-Internet-Security-FW + set guid "8DECF618-9569-4340-B34A-D78D28969B66" + set type fw + next + edit AVG-Internet-Security-AV-Vista-Win7 + set guid "0C939084-9E57-CBDB-EA61-0B0C7F62AF82" + next + edit AVG-Internet-Security-FW-Vista-Win7 + set guid "34A811A1-D438-CA83-C13E-A23981B1E8F9" + set type fw + next + edit CA-Anti-Virus + set guid "17CFD1EA-56CF-40B5-A06B-BD3A27397C93" + next + edit CA-Internet-Security-AV + set guid "6B98D35F-BB76-41C0-876B-A50645ED099A" + next + edit CA-Internet-Security-FW + set guid "38102F93-1B6E-4922-90E1-A35D8DC6DAA3" + set type fw + next + edit CA-Internet-Security-AV-Vista-Win7 + set guid 
"3EED0195-0A4B-4EF3-CC4F-4F401BDC245F" + next + edit CA-Internet-Security-FW-Vista-Win7 + set guid "06D680B0-4024-4FAB-E710-E675E50F6324" + set type fw + next + edit CA-Personal-Firewall + set guid "14CB4B80-8E52-45EA-905E-67C1267B4160" + set type fw + next + edit F-Secure-Internet-Security-AV + set guid "E7512ED5-4245-4B4D-AF3A-382D3F313F15" + next + edit F-Secure-Internet-Security-FW + set guid "D4747503-0346-49EB-9262-997542F79BF4" + set type fw + next + edit F-Secure-Internet-Security-AV-Vista-Win7 + set guid "15414183-282E-D62C-CA37-EF24860A2F17" + next + edit F-Secure-Internet-Security-FW-Vista-Win7 + set guid "2D7AC0A6-6241-D774-E168-461178D9686C" + set type fw + next + edit Kaspersky-AV + set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0" + next + edit Kaspersky-FW + set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0" + set type fw + next + edit Kaspersky-AV-Vista-Win7 + set guid "AE1D740B-8F0F-D137-211D-873D44B3F4AE" + next + edit Kaspersky-FW-Vista-Win7 + set guid "9626F52E-C560-D06F-0A42-2E08BA60B3D5" + set type fw + next + edit McAfee-Internet-Security-Suite-AV + set guid "84B5EE75-6421-4CDE-A33A-DD43BA9FAD83" + next + edit McAfee-Internet-Security-Suite-FW + set guid "94894B63-8C7F-4050-BDA4-813CA00DA3E8" + set type fw + next + edit McAfee-Internet-Security-Suite-AV-Vista-Win7 + set guid "86355677-4064-3EA7-ABB3-1B136EB04637" + next + edit McAfee-Internet-Security-Suite-FW-Vista-Win7 + set guid "BE0ED752-0A0B-3FFF-80EC-B2269063014C" + set type fw + next + edit McAfee-Virus-Scan-Enterprise + set guid "918A2B0B-2C60-4016-A4AB-E868DEABF7F0" + next + edit Norton-360-2.0-AV + set guid "A5F1BC7C-EA33-4247-961C-0217208396C4" + next + edit Norton-360-2.0-FW + set guid "371C0A40-5A0C-4AD2-A6E5-69C02037FBF3" + set type fw + next + edit Norton-360-3.0-AV + set guid "E10A9785-9598-4754-B552-92431C1C35F8" + next + edit Norton-360-3.0-FW + set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220" + set type fw + next + edit Norton-Internet-Security-AV + set guid 
"E10A9785-9598-4754-B552-92431C1C35F8" + next + edit Norton-Internet-Security-FW + set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220" + set type fw + next + edit Norton-Internet-Security-AV-Vista-Win7 + set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855" + next + edit Norton-Internet-Security-FW-Vista-Win7 + set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E" + set type fw + next + edit Symantec-Endpoint-Protection-AV + set guid "FB06448E-52B8-493A-90F3-E43226D3305C" + next + edit Symantec-Endpoint-Protection-FW + set guid "BE898FE3-CD0B-4014-85A9-03DB9923DDB6" + set type fw + next + edit Symantec-Endpoint-Protection-AV-Vista-Win7 + set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855" + next + edit Symantec-Endpoint-Protection-FW-Vista-Win7 + set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E" + set type fw + next + edit Panda-Antivirus+Firewall-2008-AV + set guid "EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A" + next + edit Panda-Antivirus+Firewall-2008-FW + set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8" + set type fw + next + edit Panda-Internet-Security-AV + set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0" + next + edit Panda-Internet-Security-2006~2007-FW + set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0" + set type fw + next + edit Panda-Internet-Security-2008~2009-FW + set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8" + set type fw + next + edit Sophos-Anti-Virus + set guid "3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD" + next + edit Sophos-Enpoint-Secuirty-and-Control-FW + set guid "0786E95E-326A-4524-9691-41EF88FB52EA" + set type fw + next + edit Sophos-Enpoint-Secuirty-and-Control-AV-Vista-Win7 + set guid "479CCF92-4960-B3E0-7373-BF453B467D2C" + next + edit Sophos-Enpoint-Secuirty-and-Control-FW-Vista-Win7 + set guid "7FA74EB7-030F-B2B8-582C-1670C5953A57" + set type fw + next + edit Trend-Micro-AV + set guid "7D2296BC-32CC-4519-917E-52E652474AF5" + next + edit Trend-Micro-FW + set guid "3E790E9E-6A5D-4303-A7F9-185EC20F3EB6" + set type fw + next + edit Trend-Micro-AV-Vista-Win7 + set guid 
"48929DFC-7A52-A34F-8351-C4DBEDBD9C50" + next + edit Trend-Micro-FW-Vista-Win7 + set guid "70A91CD9-303D-A217-A80E-6DEE136EDB2B" + set type fw + next + edit ZoneAlarm-AV + set guid "5D467B10-818C-4CAB-9FF7-6893B5B8F3CF" + next + edit ZoneAlarm-FW + set guid "829BDA32-94B3-44F4-8446-F8FCFF809F8B" + set type fw + next + edit ZoneAlarm-AV-Vista-Win7 + set guid "D61596DF-D219-341C-49B3-AD30538CBC5B" + next + edit ZoneAlarm-FW-Vista-Win7 + set guid "EE2E17FA-9876-3544-62EC-0405AD5FFB20" + set type fw + next + edit ESET-Smart-Security-AV + set guid "19259FAE-8396-A113-46DB-15B0E7DFA289" + next + edit ESET-Smart-Security-FW + set guid "211E1E8B-C9F9-A04B-6D84-BC85190CE5F2" + set type fw + next + end + config vpn ssl web portal + edit full-access + set web-mode enable + set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" + set page-layout double-column + set ip-pools "SSLVPN_TUNNEL_ADDR1" + set ipv6-tunnel-mode enable + set tunnel-mode enable + next + edit web-access + set web-mode enable + next + edit tunnel-access + set ip-pools "SSLVPN_TUNNEL_ADDR1" + set ipv6-tunnel-mode enable + set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" + set tunnel-mode enable + next + end + config vpn ssl settings + set servercert "self-sign" + set port 443 + end + config voip profile + edit default + set comment "Default VoIP profile." 
+ next + edit strict + config sip + set malformed-header-max-forwards discard + set malformed-header-rack discard + set malformed-header-allow discard + set malformed-header-call-id discard + set malformed-header-sdp-v discard + set malformed-header-record-route discard + set malformed-header-contact discard + set malformed-header-sdp-s discard + set malformed-header-content-length discard + set malformed-header-sdp-z discard + set malformed-header-from discard + set malformed-header-route discard + set malformed-header-sdp-b discard + set malformed-header-sdp-c discard + set malformed-header-sdp-a discard + set malformed-header-sdp-o discard + set malformed-header-sdp-m discard + set malformed-header-sdp-k discard + set malformed-header-sdp-i discard + set malformed-header-to discard + set malformed-header-via discard + set malformed-header-sdp-t discard + set malformed-request-line discard + set malformed-header-sdp-r discard + set malformed-header-content-type discard + set malformed-header-expires discard + set malformed-header-rseq discard + set malformed-header-p-asserted-identity discard + set malformed-header-cseq discard + end + next + end + config webfilter profile + edit default + set comment "Default web filtering." 
+ set post-action comfort + config ftgd-wf + config filters + edit 1 + set category 2 + set action warning + next + edit 2 + set category 7 + set action warning + next + edit 3 + set category 8 + set action warning + next + edit 4 + set category 9 + set action warning + next + edit 5 + set category 11 + set action warning + next + edit 6 + set category 12 + set action warning + next + edit 7 + set category 13 + set action warning + next + edit 8 + set category 14 + set action warning + next + edit 9 + set category 15 + set action warning + next + edit 10 + set category 16 + set action warning + next + edit 11 + set action warning + next + edit 12 + set category 57 + set action warning + next + edit 13 + set category 63 + set action warning + next + edit 14 + set category 64 + set action warning + next + edit 15 + set category 65 + set action warning + next + edit 16 + set category 66 + set action warning + next + edit 17 + set category 67 + set action warning + next + edit 18 + set category 26 + set action block + next + end + end + next + edit web-filter-flow + set comment "Flow-based web filter profile." + set inspection-mode flow-based + set post-action comfort + config ftgd-wf + config filters + edit 1 + set category 2 + next + edit 2 + set category 7 + next + edit 3 + set category 8 + next + edit 4 + set category 9 + next + edit 5 + set category 11 + next + edit 6 + set category 12 + next + edit 7 + set category 13 + next + edit 8 + set category 14 + next + edit 9 + set category 15 + next + edit 10 + set category 16 + next + edit 11 + next + edit 12 + set category 57 + next + edit 13 + set category 63 + next + edit 14 + set category 64 + next + edit 15 + set category 65 + next + edit 16 + set category 66 + next + edit 17 + set category 67 + next + edit 18 + set category 26 + set action block + next + end + end + next + edit monitor-all + set comment "Monitor and log all visited URLs, proxy-based." 
+ set web-content-log disable + set web-filter-applet-log disable + set web-ftgd-err-log disable + set web-filter-command-block-log disable + set web-filter-jscript-log disable + set web-filter-activex-log disable + set web-filter-referer-log disable + set web-filter-js-log disable + set web-invalid-domain-log disable + set web-ftgd-quota-usage disable + set web-filter-vbs-log disable + set web-filter-unknown-log disable + set web-filter-cookie-log disable + set log-all-url enable + set web-filter-cookie-removal-log disable + set web-url-log disable + config ftgd-wf + config filters + edit 1 + set category 1 + next + edit 2 + set category 3 + next + edit 3 + set category 4 + next + edit 4 + set category 5 + next + edit 5 + set category 6 + next + edit 6 + set category 12 + next + edit 7 + set category 59 + next + edit 8 + set category 62 + next + edit 9 + set category 83 + next + edit 10 + set category 2 + next + edit 11 + set category 7 + next + edit 12 + set category 8 + next + edit 13 + set category 9 + next + edit 14 + set category 11 + next + edit 15 + set category 13 + next + edit 16 + set category 14 + next + edit 17 + set category 15 + next + edit 18 + set category 16 + next + edit 19 + set category 57 + next + edit 20 + set category 63 + next + edit 21 + set category 64 + next + edit 22 + set category 65 + next + edit 23 + set category 66 + next + edit 24 + set category 67 + next + edit 25 + set category 19 + next + edit 26 + set category 24 + next + edit 27 + set category 25 + next + edit 28 + set category 72 + next + edit 29 + set category 75 + next + edit 30 + set category 76 + next + edit 31 + set category 26 + next + edit 32 + set category 61 + next + edit 33 + set category 86 + next + edit 34 + set category 17 + next + edit 35 + set category 18 + next + edit 36 + set category 20 + next + edit 37 + set category 23 + next + edit 38 + set category 28 + next + edit 39 + set category 29 + next + edit 40 + set category 30 + next + edit 41 + set category 33 
+ next + edit 42 + set category 34 + next + edit 43 + set category 35 + next + edit 44 + set category 36 + next + edit 45 + set category 37 + next + edit 46 + set category 38 + next + edit 47 + set category 39 + next + edit 48 + set category 40 + next + edit 49 + set category 42 + next + edit 50 + set category 44 + next + edit 51 + set category 46 + next + edit 52 + set category 47 + next + edit 53 + set category 48 + next + edit 54 + set category 54 + next + edit 55 + set category 55 + next + edit 56 + set category 58 + next + edit 57 + set category 68 + next + edit 58 + set category 69 + next + edit 59 + set category 70 + next + edit 60 + set category 71 + next + edit 61 + set category 77 + next + edit 62 + set category 78 + next + edit 63 + set category 79 + next + edit 64 + set category 80 + next + edit 65 + set category 82 + next + edit 66 + set category 85 + next + edit 67 + set category 87 + next + edit 68 + set category 31 + next + edit 69 + set category 41 + next + edit 70 + set category 43 + next + edit 71 + set category 49 + next + edit 72 + set category 50 + next + edit 73 + set category 51 + next + edit 74 + set category 52 + next + edit 75 + set category 53 + next + edit 76 + set category 56 + next + edit 77 + set category 81 + next + edit 78 + set category 84 + next + edit 79 + next + end + end + next + edit flow-monitor-all + set comment "Monitor and log all visited URLs, flow-based." 
+ set web-content-log disable + set web-filter-applet-log disable + set web-ftgd-err-log disable + set web-filter-jscript-log disable + set web-filter-activex-log disable + set web-filter-referer-log disable + set web-filter-js-log disable + set web-invalid-domain-log disable + set inspection-mode flow-based + set web-ftgd-quota-usage disable + set web-filter-command-block-log disable + set web-filter-vbs-log disable + set web-filter-unknown-log disable + set web-filter-cookie-log disable + set log-all-url enable + set web-filter-cookie-removal-log disable + set web-url-log disable + config ftgd-wf + config filters + edit 1 + set category 1 + next + edit 2 + set category 3 + next + edit 3 + set category 4 + next + edit 4 + set category 5 + next + edit 5 + set category 6 + next + edit 6 + set category 12 + next + edit 7 + set category 59 + next + edit 8 + set category 62 + next + edit 9 + set category 83 + next + edit 10 + set category 2 + next + edit 11 + set category 7 + next + edit 12 + set category 8 + next + edit 13 + set category 9 + next + edit 14 + set category 11 + next + edit 15 + set category 13 + next + edit 16 + set category 14 + next + edit 17 + set category 15 + next + edit 18 + set category 16 + next + edit 19 + set category 57 + next + edit 20 + set category 63 + next + edit 21 + set category 64 + next + edit 22 + set category 65 + next + edit 23 + set category 66 + next + edit 24 + set category 67 + next + edit 25 + set category 19 + next + edit 26 + set category 24 + next + edit 27 + set category 25 + next + edit 28 + set category 72 + next + edit 29 + set category 75 + next + edit 30 + set category 76 + next + edit 31 + set category 26 + next + edit 32 + set category 61 + next + edit 33 + set category 86 + next + edit 34 + set category 17 + next + edit 35 + set category 18 + next + edit 36 + set category 20 + next + edit 37 + set category 23 + next + edit 38 + set category 28 + next + edit 39 + set category 29 + next + edit 40 + set category 30 + 
next + edit 41 + set category 33 + next + edit 42 + set category 34 + next + edit 43 + set category 35 + next + edit 44 + set category 36 + next + edit 45 + set category 37 + next + edit 46 + set category 38 + next + edit 47 + set category 39 + next + edit 48 + set category 40 + next + edit 49 + set category 42 + next + edit 50 + set category 44 + next + edit 51 + set category 46 + next + edit 52 + set category 47 + next + edit 53 + set category 48 + next + edit 54 + set category 54 + next + edit 55 + set category 55 + next + edit 56 + set category 58 + next + edit 57 + set category 68 + next + edit 58 + set category 69 + next + edit 59 + set category 70 + next + edit 60 + set category 71 + next + edit 61 + set category 77 + next + edit 62 + set category 78 + next + edit 63 + set category 79 + next + edit 64 + set category 80 + next + edit 65 + set category 82 + next + edit 66 + set category 85 + next + edit 67 + set category 87 + next + edit 68 + set category 31 + next + edit 69 + set category 41 + next + edit 70 + set category 43 + next + edit 71 + set category 49 + next + edit 72 + set category 50 + next + edit 73 + set category 51 + next + edit 74 + set category 52 + next + edit 75 + set category 53 + next + edit 76 + set category 56 + next + edit 77 + set category 81 + next + edit 78 + set category 84 + next + edit 79 + next + end + end + next + edit block-security-risks + set comment "Block security risks." 
+ config ftgd-wf + set options rate-server-ip + config filters + edit 1 + set category 26 + set action block + next + edit 2 + set category 61 + set action block + next + edit 3 + set category 86 + set action block + next + edit 4 + set action warning + next + end + end + next + end + config webfilter override + end + config webfilter override-user + end + config webfilter ftgd-warning + end + config webfilter ftgd-local-rating + end + config webfilter search-engine + edit google + set url "^\\/((custom|search|images|videosearch|webhp)\\?)" + set query "q=" + set safesearch url + set hostname ".*\\.google\\..*" + set safesearch-str "&safe=active" + next + edit yahoo + set url "^\\/search(\\/video|\\/images){0,1}(\\?|;)" + set query "p=" + set safesearch url + set hostname ".*\\.yahoo\\..*" + set safesearch-str "&vm=r" + next + edit bing + set url "^(\\/images|\\/videos)?(\\/search|\\/async|\\/asyncv2)\\?" + set query "q=" + set safesearch url + set hostname "www\\.bing\\.com" + set safesearch-str "&adlt=strict" + next + edit yandex + set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?" + set query "text=" + set safesearch url + set hostname "yandex\\..*" + set safesearch-str "&family=yes" + next + edit youtube + set safesearch header + set hostname ".*\\.youtube\\..*" + next + edit baidu + set url "^\\/s?\\?" + set query "wd=" + set hostname ".*\\.baidu\\.com" + next + edit baidu2 + set url "^\\/(ns|q|m|i|v)\\?" + set query "word=" + set hostname ".*\\.baidu\\.com" + next + edit baidu3 + set url "^\\/f\\?" + set query "kw=" + set hostname "tieba\\.baidu\\.com" + next + end + config antivirus profile + edit default + set comment "Scan files and block viruses." + config http + set options scan + end + config ftp + set options scan + end + config imap + set options scan + end + config pop3 + set options scan + end + config smtp + set options scan + end + next + end + config spamfilter profile + edit default + set comment "Malware and phishing URL filtering." 
+ next + end + config wanopt settings + set host-id "default-id" + end + config wanopt profile + edit default + set comments "Default WANopt profile." + next + end + config firewall schedule recurring + edit always + set day sunday monday tuesday wednesday thursday friday saturday + next + edit none + set day none + next + end + config firewall profile-protocol-options + edit default + set comment "All default services." + config http + set ports 80 + end + config ftp + set ports 21 + set options splice + end + config imap + set ports 143 + set options fragmail + end + config mapi + set ports 135 + set options fragmail + end + config pop3 + set ports 110 + set options fragmail + end + config smtp + set ports 25 + set options fragmail splice + end + config nntp + set ports 119 + set options splice + end + config dns + set ports 53 + end + next + end + config firewall ssl-ssh-profile + edit deep-inspection + set comment "Deep inspection." + config https + set ports 443 + end + config ftps + set ports 990 + end + config imaps + set ports 993 + end + config pop3s + set ports 995 + end + config smtps + set ports 465 + end + config ssh + set ports 22 + end + config ssl-exempt + edit 1 + set fortiguard-category 31 + next + edit 2 + set fortiguard-category 33 + next + edit 3 + set fortiguard-category 87 + next + edit 4 + set type address + set address "apple" + next + edit 5 + set type address + set address "appstore" + next + edit 6 + set type address + set address "dropbox.com" + next + edit 7 + set type address + set address "Gotomeeting" + next + edit 8 + set type address + set address "icloud" + next + edit 9 + set type address + set address "itunes" + next + edit 10 + set type address + set address "android" + next + edit 11 + set type address + set address "skype" + next + edit 12 + set type address + set address "swscan.apple.com" + next + edit 13 + set type address + set address "update.microsoft.com" + next + edit 14 + set type address + set address "eease" + 
next + edit 15 + set type address + set address "google-drive" + next + edit 16 + set type address + set address "google-play" + next + edit 17 + set type address + set address "google-play2" + next + edit 18 + set type address + set address "google-play3" + next + edit 19 + set type address + set address "microsoft" + next + edit 20 + set type address + set address "adobe" + next + edit 21 + set type address + set address "Adobe Login" + next + edit 22 + set type address + set address "fortinet" + next + edit 23 + set type address + set address "googleapis.com" + next + edit 24 + set type address + set address "citrix" + next + edit 25 + set type address + set address "verisign" + next + edit 26 + set type address + set address "Windows update 2" + next + edit 27 + set type address + set address "*.live.com" + next + edit 28 + set type address + set address "auth.gfx.ms" + next + edit 29 + set type address + set address "autoupdate.opera.com" + next + edit 30 + set type address + set address "softwareupdate.vmware.com" + next + edit 31 + set type address + set address "firefox update server" + next + end + next + edit certificate-inspection + set comment "SSL handshake inspection." 
+ config https + set status certificate-inspection + set ports 443 + end + config ftps + set status disable + set ports 990 + end + config imaps + set status disable + set ports 993 + end + config pop3s + set status disable + set ports 995 + end + config smtps + set status disable + set ports 465 + end + config ssh + set status disable + set ports 22 + end + next + end + config firewall identity-based-route + end + config firewall policy + end + config firewall local-in-policy + end + config firewall policy6 + end + config firewall local-in-policy6 + end + config firewall ttl-policy + end + config firewall policy64 + end + config firewall policy46 + end + config firewall explicit-proxy-policy + end + config firewall interface-policy + end + config firewall interface-policy6 + end + config firewall DoS-policy + end + config firewall DoS-policy6 + end + config firewall sniffer + end + config endpoint-control profile + edit default + config forticlient-winmac-settings + set forticlient-wf-profile "default" + end + config forticlient-android-settings + end + config forticlient-ios-settings + end + next + end + config wireless-controller wids-profile + edit default + set comment "Default WIDS profile." 
+ set deauth-broadcast enable + set assoc-frame-flood enable + set invalid-mac-oui enable + set ap-scan enable + set long-duration-attack enable + set eapol-logoff-flood enable + set eapol-succ-flood enable + set eapol-start-flood enable + set eapol-fail-flood enable + set wireless-bridge enable + set eapol-pre-succ-flood enable + set auth-frame-flood enable + set asleap-attack enable + set eapol-pre-fail-flood enable + set spoofed-deauth enable + set weak-wep-iv enable + set null-ssid-probe-resp enable + next + edit default-wids-apscan-enabled + set ap-scan enable + next + end + config wireless-controller wtp-profile + edit FAP112B-default + set ap-country US + config platform + set type 112B + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP220B-default + set ap-country US + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FAP223B-default + set ap-country US + config platform + set type 223B + end + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FAP210B-default + set ap-country US + config platform + set type 210B + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP222B-default + set ap-country US + config platform + set type 222B + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11n-5G + end + next + edit FAP320B-default + set ap-country US + config platform + set type 320B + end + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FAP11C-default + set ap-country US + config platform + set type 11C + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP14C-default + set ap-country US + config platform + set type 14C + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit 
FAP28C-default + set ap-country US + config platform + set type 28C + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP320C-default + set ap-country US + config platform + set type 320C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP221C-default + set ap-country US + config platform + set type 221C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP25D-default + set ap-country US + config platform + set type 25D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP222C-default + set ap-country US + config platform + set type 222C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP224D-default + set ap-country US + config platform + set type 224D + end + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FK214B-default + set ap-country US + config platform + set type 214B + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP21D-default + set ap-country US + config platform + set type 21D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP24D-default + set ap-country US + config platform + set type 24D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP112D-default + set ap-country US + config platform + set type 112D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP223C-default + set ap-country US + config platform + set type 223C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP321C-default + set ap-country US + config platform + set type 321C + end + 
config radio-1
+ set band 802.11n
+ end
+ config radio-2
+ set band 802.11ac
+ end
+ next
+ end
+ config log memory setting
+ set status enable
+ end
+ config router rip
+ config redistribute connected
+ end
+ config redistribute static
+ end
+ config redistribute ospf
+ end
+ config redistribute bgp
+ end
+ config redistribute isis
+ end
+ end
+ config router ripng
+ config redistribute connected
+ end
+ config redistribute static
+ end
+ config redistribute ospf
+ end
+ config redistribute bgp
+ end
+ config redistribute isis
+ end
+ end
+ config router ospf
+ config redistribute connected
+ end
+ config redistribute static
+ end
+ config redistribute rip
+ end
+ config redistribute bgp
+ end
+ config redistribute isis
+ end
+ end
+ config router ospf6
+ config redistribute connected
+ end
+ config redistribute static
+ end
+ config redistribute rip
+ end
+ config redistribute bgp
+ end
+ config redistribute isis
+ end
+ end
+ config router bgp
+ config redistribute connected
+ end
+ config redistribute rip
+ end
+ config redistribute ospf
+ end
+ config redistribute static
+ end
+ config redistribute isis
+ end
+ config redistribute6 connected
+ end
+ config redistribute6 rip
+ end
+ config redistribute6 ospf
+ end
+ config redistribute6 static
+ end
+ config redistribute6 isis
+ end
+ end
+ config router isis
+ config redistribute connected
+ end
+ config redistribute rip
+ end
+ config redistribute ospf
+ end
+ config redistribute bgp
+ end
+ config redistribute static
+ end
+ end
+ config router multicast
+ end
diff --git a/test/integration/targets/fortios_address/files/default_config.conf.backup b/test/integration/targets/fortios_address/files/default_config.conf.backup
new file mode 100644
index 00000000000..c2935d84772
--- /dev/null
+++ b/test/integration/targets/fortios_address/files/default_config.conf.backup
@@ -0,0 +1,3134 @@ + config system global + set timezone 04 + set admintimeout 480 + set admin-server-cert "Fortinet_Firmware" + set fgd-alert-subscription advisory latest-threat + set hostname "FortiGate-VM64-HV" + end + config system accprofile + edit prof_admin + set vpngrp read-write + set updategrp read-write + set utmgrp read-write + set routegrp read-write + set wifi read-write + set sysgrp read-write + set loggrp read-write + set mntgrp read-write + set netgrp read-write + set admingrp read-write + set wanoptgrp read-write + set fwgrp read-write + set authgrp read-write + set endpoint-control-grp read-write + next + end + config system interface + edit port1 + set ip 192.168.137.154 255.255.255.0 + set type physical + set allowaccess ping https ssh http fgfm + set vdom "root" + next + edit port2 + set type physical + set vdom "root" + next + edit port3 + set type physical + set vdom "root" + next + edit port4 + set type physical + set vdom "root" + next + edit port5 + set type physical + set vdom "root" + next + edit port6 + set type physical + set vdom "root" + next + edit port7 + set type physical + set vdom "root" + next + edit port8 + set type physical + set vdom "root" + next + edit ssl.root + set alias "SSL VPN interface" + set type tunnel + set vdom "root" + next + end + config system custom-language + edit en + set filename "en" + next + edit fr + set filename "fr" + next + edit sp + set filename "sp" + next + edit pg + set filename "pg" + next + edit x-sjis + set filename "x-sjis" + next + edit big5 + set filename "big5" + next + edit GB2312 + set filename "GB2312" + next + edit euc-kr + set filename "euc-kr" + next + end + config system admin + edit admin + set accprofile "super_admin" + set vdom "root" + config dashboard-tabs + edit 1 + set name "Status" + next + end + config dashboard + edit 1 + set column 1 + set tab-id 1 + next + edit 2 + set column 1 + set widget-type licinfo + set tab-id 1 + next + edit 3 + set column 1 + set widget-type 
jsconsole + set tab-id 1 + next + edit 4 + set column 2 + set widget-type sysres + set tab-id 1 + next + edit 5 + set column 2 + set widget-type gui-features + set tab-id 1 + next + edit 6 + set column 2 + set top-n 10 + set widget-type alert + set tab-id 1 + next + end + next + end + config system ha + set override disable + end + config system dns + set primary 208.91.112.53 + set secondary 208.91.112.52 + end + config system replacemsg-image + edit logo_fnet + set image-base64 '' + set image-type gif + next + edit logo_fguard_wf + set image-base64 '' + set image-type gif + next + edit logo_fw_auth + set image-base64 '' + set image-type png + next + edit logo_v2_fnet + set image-base64 '' + set image-type png + next + edit logo_v2_fguard_wf + set image-base64 '' + set image-type png + next + edit logo_v2_fguard_app + set image-base64 '' + set image-type png + next + end + config system replacemsg mail email-block + end + config system replacemsg mail email-dlp-subject + end + config system replacemsg mail email-dlp-ban + end + config system replacemsg mail email-filesize + end + config system replacemsg mail partial + end + config system replacemsg mail smtp-block + end + config system replacemsg mail smtp-filesize + end + config system replacemsg http bannedword + end + config system replacemsg http url-block + end + config system replacemsg http urlfilter-err + end + config system replacemsg http infcache-block + end + config system replacemsg http http-block + end + config system replacemsg http http-filesize + end + config system replacemsg http http-dlp-ban + end + config system replacemsg http http-archive-block + end + config system replacemsg http http-contenttypeblock + end + config system replacemsg http https-invalid-cert-block + end + config system replacemsg http http-client-block + end + config system replacemsg http http-client-filesize + end + config system replacemsg http http-client-bannedword + end + config system replacemsg http 
http-post-block + end + config system replacemsg http http-client-archive-block + end + config system replacemsg http switching-protocols-block + end + config system replacemsg webproxy deny + end + config system replacemsg webproxy user-limit + end + config system replacemsg webproxy auth-challenge + end + config system replacemsg webproxy auth-login-fail + end + config system replacemsg webproxy auth-authorization-fail + end + config system replacemsg webproxy http-err + end + config system replacemsg webproxy auth-ip-blackout + end + config system replacemsg ftp ftp-dl-blocked + end + config system replacemsg ftp ftp-dl-filesize + end + config system replacemsg ftp ftp-dl-dlp-ban + end + config system replacemsg ftp ftp-explicit-banner + end + config system replacemsg ftp ftp-dl-archive-block + end + config system replacemsg nntp nntp-dl-blocked + end + config system replacemsg nntp nntp-dl-filesize + end + config system replacemsg nntp nntp-dlp-subject + end + config system replacemsg nntp nntp-dlp-ban + end + config system replacemsg fortiguard-wf ftgd-block + end + config system replacemsg fortiguard-wf http-err + end + config system replacemsg fortiguard-wf ftgd-ovrd + end + config system replacemsg fortiguard-wf ftgd-quota + end + config system replacemsg fortiguard-wf ftgd-warning + end + config system replacemsg spam ipblocklist + end + config system replacemsg spam smtp-spam-dnsbl + end + config system replacemsg spam smtp-spam-feip + end + config system replacemsg spam smtp-spam-helo + end + config system replacemsg spam smtp-spam-emailblack + end + config system replacemsg spam smtp-spam-mimeheader + end + config system replacemsg spam reversedns + end + config system replacemsg spam smtp-spam-bannedword + end + config system replacemsg spam smtp-spam-ase + end + config system replacemsg spam submit + end + config system replacemsg im im-file-xfer-block + end + config system replacemsg im im-file-xfer-name + end + config system replacemsg im 
im-file-xfer-infected + end + config system replacemsg im im-file-xfer-size + end + config system replacemsg im im-dlp + end + config system replacemsg im im-dlp-ban + end + config system replacemsg im im-voice-chat-block + end + config system replacemsg im im-video-chat-block + end + config system replacemsg im im-photo-share-block + end + config system replacemsg im im-long-chat-block + end + config system replacemsg alertmail alertmail-virus + end + config system replacemsg alertmail alertmail-block + end + config system replacemsg alertmail alertmail-nids-event + end + config system replacemsg alertmail alertmail-crit-event + end + config system replacemsg alertmail alertmail-disk-full + end + config system replacemsg admin pre_admin-disclaimer-text + end + config system replacemsg admin post_admin-disclaimer-text + end + config system replacemsg auth auth-disclaimer-page-1 + end + config system replacemsg auth auth-disclaimer-page-2 + end + config system replacemsg auth auth-disclaimer-page-3 + end + config system replacemsg auth auth-reject-page + end + config system replacemsg auth auth-login-page + end + config system replacemsg auth auth-login-failed-page + end + config system replacemsg auth auth-token-login-page + end + config system replacemsg auth auth-token-login-failed-page + end + config system replacemsg auth auth-success-msg + end + config system replacemsg auth auth-challenge-page + end + config system replacemsg auth auth-keepalive-page + end + config system replacemsg auth auth-portal-page + end + config system replacemsg auth auth-password-page + end + config system replacemsg auth auth-fortitoken-page + end + config system replacemsg auth auth-next-fortitoken-page + end + config system replacemsg auth auth-email-token-page + end + config system replacemsg auth auth-sms-token-page + end + config system replacemsg auth auth-email-harvesting-page + end + config system replacemsg auth auth-email-failed-page + end + config system replacemsg auth 
auth-cert-passwd-page + end + config system replacemsg auth auth-guest-print-page + end + config system replacemsg auth auth-guest-email-page + end + config system replacemsg auth auth-success-page + end + config system replacemsg auth auth-block-notification-page + end + config system replacemsg sslvpn sslvpn-login + end + config system replacemsg sslvpn sslvpn-limit + end + config system replacemsg sslvpn hostcheck-error + end + config system replacemsg ec endpt-download-portal + end + config system replacemsg ec endpt-download-portal-mac + end + config system replacemsg ec endpt-download-portal-ios + end + config system replacemsg ec endpt-download-portal-aos + end + config system replacemsg ec endpt-download-portal-other + end + config system replacemsg device-detection-portal device-detection-failure + end + config system replacemsg nac-quar nac-quar-virus + end + config system replacemsg nac-quar nac-quar-dos + end + config system replacemsg nac-quar nac-quar-ips + end + config system replacemsg nac-quar nac-quar-dlp + end + config system replacemsg nac-quar nac-quar-admin + end + config system replacemsg traffic-quota per-ip-shaper-block + end + config system replacemsg utm virus-html + end + config system replacemsg utm virus-text + end + config system replacemsg utm dlp-html + end + config system replacemsg utm dlp-text + end + config system replacemsg utm appblk-html + end + config vpn certificate ca + end + config vpn certificate local + edit Fortinet_CA_SSLProxy + set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- + set password ENC eRZ5UNnzW1eAAJn+reDWnDdgQZ1yxFr7z+rp0lzCeKX64OiaEcBKwGIzocIf5y5p37siqf1bPHwEMWkvISqQSXKT8JijvaLtA/oNlqTw8GwglMlW390JTckMS7v60mVQ2Jj1Ng9q4xi2dXKpVGXqYnpc1nDSApGqHTwpL/lgc1+HLh0CQvn4zQpIs8//4hVscjqz0g== + set certificate "-----BEGIN CERTIFICATE----- + set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates." 
+ next + edit Fortinet_SSLProxy + set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- + set password ENC JGQ1Psth3oHimOP5bRUzt+zfBA5PlPBXZj6xLvqp7JILLBa6Der02qjotGI4UnaKAGSad7uEkPKLq2ePjzBy/Rc/E55FJO8OjffWzIOgpT1jYMmw8IOuAlB50weCRpzMowrLT+FKFF53SxG+oe5n4EaoiqR92WZsXzOTFpNdSFXyvggt/lmOz4Zm08AMD3sWFWg/ZA== + set certificate "-----BEGIN CERTIFICATE----- + next + end + config user device-category + edit ipad + next + edit iphone + next + edit gaming-console + next + edit blackberry-phone + next + edit blackberry-playbook + next + edit linux-pc + next + edit mac + next + edit windows-pc + next + edit android-phone + next + edit android-tablet + next + edit media-streaming + next + edit windows-phone + next + edit windows-tablet + next + edit fortinet-device + next + edit ip-phone + next + edit router-nat-device + next + edit printer + next + edit other-network-device + next + edit collected-emails + next + edit all + next + end + config system session-sync + end + config system fortiguard + set webfilter-sdns-server-ip "208.91.112.220" + end + config ips global + set default-app-cat-mask 18446744073474670591 + end + config ips dbinfo + set version 1 + end + config gui console + end + config system session-helper + edit 1 + set protocol 6 + set name pptp + set port 1723 + next + edit 2 + set protocol 6 + set name h323 + set port 1720 + next + edit 3 + set protocol 17 + set name ras + set port 1719 + next + edit 4 + set protocol 6 + set name tns + set port 1521 + next + edit 5 + set protocol 17 + set name tftp + set port 69 + next + edit 6 + set protocol 6 + set name rtsp + set port 554 + next + edit 7 + set protocol 6 + set name rtsp + set port 7070 + next + edit 8 + set protocol 6 + set name rtsp + set port 8554 + next + edit 9 + set protocol 6 + set name ftp + set port 21 + next + edit 10 + set protocol 6 + set name mms + set port 1863 + next + edit 11 + set protocol 6 + set name pmap + set port 111 + next + edit 12 + set protocol 17 + set name pmap + set port 111 + 
next + edit 13 + set protocol 17 + set name sip + set port 5060 + next + edit 14 + set protocol 17 + set name dns-udp + set port 53 + next + edit 15 + set protocol 6 + set name rsh + set port 514 + next + edit 16 + set protocol 6 + set name rsh + set port 512 + next + edit 17 + set protocol 6 + set name dcerpc + set port 135 + next + edit 18 + set protocol 17 + set name dcerpc + set port 135 + next + edit 19 + set protocol 17 + set name mgcp + set port 2427 + next + edit 20 + set protocol 17 + set name mgcp + set port 2727 + next + end + config system auto-install + set auto-install-config enable + set auto-install-image enable + end + config system ntp + set ntpsync enable + set syncinterval 60 + end + config system settings + end + config firewall address + edit SSLVPN_TUNNEL_ADDR1 + set type iprange + set end-ip 10.212.134.210 + set start-ip 10.212.134.200 + next + edit all + next + edit none + set subnet 0.0.0.0 255.255.255.255 + next + edit apple + set type fqdn + set fqdn "*.apple.com" + next + edit dropbox.com + set type fqdn + set fqdn "*.dropbox.com" + next + edit Gotomeeting + set type fqdn + set fqdn "*.gotomeeting.com" + next + edit icloud + set type fqdn + set fqdn "*.icloud.com" + next + edit itunes + set type fqdn + set fqdn "*itunes.apple.com" + next + edit android + set type fqdn + set fqdn "*.android.com" + next + edit skype + set type fqdn + set fqdn "*.messenger.live.com" + next + edit swscan.apple.com + set type fqdn + set fqdn "swscan.apple.com" + next + edit update.microsoft.com + set type fqdn + set fqdn "update.microsoft.com" + next + edit appstore + set type fqdn + set fqdn "*.appstore.com" + next + edit eease + set type fqdn + set fqdn "*.eease.com" + next + edit google-drive + set type fqdn + set fqdn "*drive.google.com" + next + edit google-play + set type fqdn + set fqdn "play.google.com" + next + edit google-play2 + set type fqdn + set fqdn "*.ggpht.com" + next + edit google-play3 + set type fqdn + set fqdn "*.books.google.com" + next 
+ edit microsoft + set type fqdn + set fqdn "*.microsoft.com" + next + edit adobe + set type fqdn + set fqdn "*.adobe.com" + next + edit Adobe Login + set type fqdn + set fqdn "*.adobelogin.com" + next + edit fortinet + set type fqdn + set fqdn "*.fortinet.com" + next + edit googleapis.com + set type fqdn + set fqdn "*.googleapis.com" + next + edit citrix + set type fqdn + set fqdn "*.citrixonline.com" + next + edit verisign + set type fqdn + set fqdn "*.verisign.com" + next + edit Windows update 2 + set type fqdn + set fqdn "*.windowsupdate.com" + next + edit *.live.com + set type fqdn + set fqdn "*.live.com" + next + edit auth.gfx.ms + set type fqdn + set fqdn "auth.gfx.ms" + next + edit autoupdate.opera.com + set type fqdn + set fqdn "autoupdate.opera.com" + next + edit softwareupdate.vmware.com + set type fqdn + set fqdn "softwareupdate.vmware.com" + next + edit firefox update server + set type fqdn + set fqdn "aus*.mozilla.org" + next + end + config firewall multicast-address + edit all + set end-ip 239.255.255.255 + set start-ip 224.0.0.0 + next + edit all_hosts + set end-ip 224.0.0.1 + set start-ip 224.0.0.1 + next + edit all_routers + set end-ip 224.0.0.2 + set start-ip 224.0.0.2 + next + edit Bonjour + set end-ip 224.0.0.251 + set start-ip 224.0.0.251 + next + edit EIGRP + set end-ip 224.0.0.10 + set start-ip 224.0.0.10 + next + edit OSPF + set end-ip 224.0.0.6 + set start-ip 224.0.0.5 + next + end + config firewall address6 + edit SSLVPN_TUNNEL_IPv6_ADDR1 + set ip6 fdff:ffff::/120 + next + edit all + next + edit none + set ip6 ::/128 + next + end + config firewall service category + edit General + set comment "General services." + next + edit Web Access + set comment "Web access." + next + edit File Access + set comment "File access." + next + edit Email + set comment "Email services." + next + edit Network Services + set comment "Network services." + next + edit Authentication + set comment "Authentication service." 
+ next + edit Remote Access + set comment "Remote access." + next + edit Tunneling + set comment "Tunneling service." + next + edit VoIP, Messaging & Other Applications + set comment "VoIP, messaging, and other applications." + next + edit Web Proxy + set comment "Explicit web proxy." + next + end + config firewall service custom + edit ALL + set category "General" + set protocol IP + next + edit ALL_TCP + set category "General" + set tcp-portrange 1-65535 + next + edit ALL_UDP + set category "General" + set udp-portrange 1-65535 + next + edit ALL_ICMP + set category "General" + set protocol ICMP + next + edit ALL_ICMP6 + set category "General" + set protocol ICMP6 + next + edit GRE + set category "Tunneling" + set protocol-number 47 + set protocol IP + next + edit AH + set category "Tunneling" + set protocol-number 51 + set protocol IP + next + edit ESP + set category "Tunneling" + set protocol-number 50 + set protocol IP + next + edit AOL + set visibility disable + set tcp-portrange 5190-5194 + next + edit BGP + set category "Network Services" + set tcp-portrange 179 + next + edit DHCP + set category "Network Services" + set udp-portrange 67-68 + next + edit DNS + set category "Network Services" + set udp-portrange 53 + set tcp-portrange 53 + next + edit FINGER + set visibility disable + set tcp-portrange 79 + next + edit FTP + set category "File Access" + set tcp-portrange 21 + next + edit FTP_GET + set category "File Access" + set tcp-portrange 21 + next + edit FTP_PUT + set category "File Access" + set tcp-portrange 21 + next + edit GOPHER + set visibility disable + set tcp-portrange 70 + next + edit H323 + set category "VoIP, Messaging & Other Applications" + set udp-portrange 1719 + set tcp-portrange 1720 1503 + next + edit HTTP + set category "Web Access" + set tcp-portrange 80 + next + edit HTTPS + set category "Web Access" + set tcp-portrange 443 + next + edit IKE + set category "Tunneling" + set udp-portrange 500 4500 + next + edit IMAP + set category 
"Email" + set tcp-portrange 143 + next + edit IMAPS + set category "Email" + set tcp-portrange 993 + next + edit Internet-Locator-Service + set visibility disable + set tcp-portrange 389 + next + edit IRC + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 6660-6669 + next + edit L2TP + set category "Tunneling" + set udp-portrange 1701 + set tcp-portrange 1701 + next + edit LDAP + set category "Authentication" + set tcp-portrange 389 + next + edit NetMeeting + set visibility disable + set tcp-portrange 1720 + next + edit NFS + set category "File Access" + set udp-portrange 111 2049 + set tcp-portrange 111 2049 + next + edit NNTP + set visibility disable + set tcp-portrange 119 + next + edit NTP + set category "Network Services" + set udp-portrange 123 + set tcp-portrange 123 + next + edit OSPF + set category "Network Services" + set protocol-number 89 + set protocol IP + next + edit PC-Anywhere + set category "Remote Access" + set udp-portrange 5632 + set tcp-portrange 5631 + next + edit PING + set category "Network Services" + set protocol ICMP + set icmptype 8 + next + edit TIMESTAMP + set protocol ICMP + set visibility disable + set icmptype 13 + next + edit INFO_REQUEST + set protocol ICMP + set visibility disable + set icmptype 15 + next + edit INFO_ADDRESS + set protocol ICMP + set visibility disable + set icmptype 17 + next + edit ONC-RPC + set category "Remote Access" + set udp-portrange 111 + set tcp-portrange 111 + next + edit DCE-RPC + set category "Remote Access" + set udp-portrange 135 + set tcp-portrange 135 + next + edit POP3 + set category "Email" + set tcp-portrange 110 + next + edit POP3S + set category "Email" + set tcp-portrange 995 + next + edit PPTP + set category "Tunneling" + set tcp-portrange 1723 + next + edit QUAKE + set udp-portrange 26000 27000 27910 27960 + set visibility disable + next + edit RAUDIO + set udp-portrange 7070 + set visibility disable + next + edit REXEC + set visibility disable + set tcp-portrange 
512 + next + edit RIP + set category "Network Services" + set udp-portrange 520 + next + edit RLOGIN + set visibility disable + set tcp-portrange 513:512-1023 + next + edit RSH + set visibility disable + set tcp-portrange 514:512-1023 + next + edit SCCP + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 2000 + next + edit SIP + set category "VoIP, Messaging & Other Applications" + set udp-portrange 5060 + set tcp-portrange 5060 + next + edit SIP-MSNmessenger + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 1863 + next + edit SAMBA + set category "File Access" + set tcp-portrange 139 + next + edit SMTP + set category "Email" + set tcp-portrange 25 + next + edit SMTPS + set category "Email" + set tcp-portrange 465 + next + edit SNMP + set category "Network Services" + set udp-portrange 161-162 + set tcp-portrange 161-162 + next + edit SSH + set category "Remote Access" + set tcp-portrange 22 + next + edit SYSLOG + set category "Network Services" + set udp-portrange 514 + next + edit TALK + set udp-portrange 517-518 + set visibility disable + next + edit TELNET + set category "Remote Access" + set tcp-portrange 23 + next + edit TFTP + set category "File Access" + set udp-portrange 69 + next + edit MGCP + set udp-portrange 2427 2727 + set visibility disable + next + edit UUCP + set visibility disable + set tcp-portrange 540 + next + edit VDOLIVE + set visibility disable + set tcp-portrange 7000-7010 + next + edit WAIS + set visibility disable + set tcp-portrange 210 + next + edit WINFRAME + set visibility disable + set tcp-portrange 1494 2598 + next + edit X-WINDOWS + set category "Remote Access" + set tcp-portrange 6000-6063 + next + edit PING6 + set protocol ICMP6 + set visibility disable + set icmptype 128 + next + edit MS-SQL + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 1433 1434 + next + edit MYSQL + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 3306 + next + 
edit RDP + set category "Remote Access" + set tcp-portrange 3389 + next + edit VNC + set category "Remote Access" + set tcp-portrange 5900 + next + edit DHCP6 + set category "Network Services" + set udp-portrange 546 547 + next + edit SQUID + set category "Tunneling" + set tcp-portrange 3128 + next + edit SOCKS + set category "Tunneling" + set udp-portrange 1080 + set tcp-portrange 1080 + next + edit WINS + set category "Remote Access" + set udp-portrange 1512 + set tcp-portrange 1512 + next + edit RADIUS + set category "Authentication" + set udp-portrange 1812 1813 + next + edit RADIUS-OLD + set udp-portrange 1645 1646 + set visibility disable + next + edit CVSPSERVER + set udp-portrange 2401 + set visibility disable + set tcp-portrange 2401 + next + edit AFS3 + set category "File Access" + set udp-portrange 7000-7009 + set tcp-portrange 7000-7009 + next + edit TRACEROUTE + set category "Network Services" + set udp-portrange 33434-33535 + next + edit RTSP + set category "VoIP, Messaging & Other Applications" + set udp-portrange 554 + set tcp-portrange 554 7070 8554 + next + edit MMS + set udp-portrange 1024-5000 + set visibility disable + set tcp-portrange 1755 + next + edit KERBEROS + set category "Authentication" + set udp-portrange 88 + set tcp-portrange 88 + next + edit LDAP_UDP + set category "Authentication" + set udp-portrange 389 + next + edit SMB + set category "File Access" + set tcp-portrange 445 + next + edit NONE + set visibility disable + set tcp-portrange 0 + next + edit webproxy + set category "Web Proxy" + set explicit-proxy enable + set protocol ALL + set tcp-portrange 0-65535:0-65535 + next + end + config firewall service group + edit Email Access + set member "DNS" "IMAP" "IMAPS" "POP3" "POP3S" "SMTP" "SMTPS" + next + edit Web Access + set member "DNS" "HTTP" "HTTPS" + next + edit Windows AD + set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB" + next + edit Exchange Server + set member "DCE-RPC" "DNS" "HTTPS" + next + end + 
config webfilter ftgd-local-cat + edit custom1 + set id 140 + next + edit custom2 + set id 141 + next + end + config ips sensor + edit default + set comment "Prevent critical attacks." + config entries + edit 1 + set severity medium high critical + next + end + next + edit all_default + set comment "All predefined signatures with default setting." + config entries + edit 1 + next + end + next + edit all_default_pass + set comment "All predefined signatures with PASS action." + config entries + edit 1 + set action pass + next + end + next + edit protect_http_server + set comment "Protect against HTTP server-side vulnerabilities." + config entries + edit 1 + set protocol HTTP + set location server + next + end + next + edit protect_email_server + set comment "Protect against email server-side vulnerabilities." + config entries + edit 1 + set protocol SMTP POP3 IMAP + set location server + next + end + next + edit protect_client + set comment "Protect against client-side vulnerabilities." + config entries + edit 1 + set location client + next + end + next + edit high_security + set comment "Blocks all Critical/High/Medium and some Low severity vulnerabilities" + config entries + edit 1 + set status enable + set action block + set severity medium high critical + next + edit 2 + set severity low + next + end + next + end + config firewall shaper traffic-shaper + edit high-priority + set per-policy enable + set maximum-bandwidth 1048576 + next + edit medium-priority + set priority medium + set per-policy enable + set maximum-bandwidth 1048576 + next + edit low-priority + set priority low + set per-policy enable + set maximum-bandwidth 1048576 + next + edit guarantee-100kbps + set guaranteed-bandwidth 100 + set maximum-bandwidth 1048576 + set per-policy enable + next + edit shared-1M-pipe + set maximum-bandwidth 1024 + next + end + config web-proxy global + set proxy-fqdn "default.fqdn" + end + config application list + edit default + set comment "Monitor all 
applications." + config entries + edit 1 + set action pass + next + end + next + edit block-p2p + config entries + edit 1 + set category 2 + next + end + next + edit monitor-p2p-and-media + config entries + edit 1 + set category 2 + set action pass + next + edit 2 + set category 5 + set action pass + next + end + next + end + config dlp filepattern + edit 1 + set name "builtin-patterns" + config entries + edit *.bat + next + edit *.com + next + edit *.dll + next + edit *.doc + next + edit *.exe + next + edit *.gz + next + edit *.hta + next + edit *.ppt + next + edit *.rar + next + edit *.scr + next + edit *.tar + next + edit *.tgz + next + edit *.vb? + next + edit *.wps + next + edit *.xl? + next + edit *.zip + next + edit *.pif + next + edit *.cpl + next + end + next + edit 2 + set name "all_executables" + config entries + edit bat + set file-type bat + set filter-type type + next + edit exe + set file-type exe + set filter-type type + next + edit elf + set file-type elf + set filter-type type + next + edit hta + set file-type hta + set filter-type type + next + end + next + end + config dlp fp-sensitivity + edit Private + next + edit Critical + next + edit Warning + next + end + config dlp sensor + edit default + set comment "Log a summary of email and web traffic." 
+ set summary-proto smtp pop3 imap http-get http-post + next + end + config webfilter content + end + config webfilter urlfilter + end + config spamfilter bword + end + config spamfilter bwl + end + config spamfilter mheader + end + config spamfilter dnsbl + end + config spamfilter iptrust + end + config log threat-weight + config web + edit 1 + set category 26 + set level high + next + edit 2 + set category 61 + set level high + next + edit 3 + set category 86 + set level high + next + edit 4 + set category 1 + set level medium + next + edit 5 + set category 3 + set level medium + next + edit 6 + set category 4 + set level medium + next + edit 7 + set category 5 + set level medium + next + edit 8 + set category 6 + set level medium + next + edit 9 + set category 12 + set level medium + next + edit 10 + set category 59 + set level medium + next + edit 11 + set category 62 + set level medium + next + edit 12 + set category 83 + set level medium + next + edit 13 + set category 72 + next + edit 14 + set category 14 + next + end + config application + edit 1 + set category 2 + next + edit 2 + set category 6 + set level medium + next + edit 3 + set category 19 + set level critical + next + end + end + config icap profile + edit default + next + end + config user local + edit guest + set passwd ENC EntYbQ4nWAFLGsQz5QbIt8MIxko4Ms6Nm/9fMo/5+L7FJO42JRExvl705N++oKwIB0NvfdWaiqfZ/LGPDSOVqRZnqn4pUWOlNVE6yfGxbCZUIXTlcSL58A2ok3Yd428rHETuf7mNrOJMdVS1tfnrx5+92ofsXVzAn/kpKeJLrtBRWNfBQ1YplQ2FfEDCHHW27akz4g== + set type password + next + end + config user group + edit SSO_Guest_Users + next + edit Guest-group + set member "guest" + next + end + config user device-group + edit Mobile Devices + set member "android-phone" "android-tablet" "blackberry-phone" "blackberry-playbook" "ipad" "iphone" "windows-phone" "windows-tablet" + set comment "Phones, tablets, etc." 
+ next + edit Network Devices + set member "fortinet-device" "other-network-device" "router-nat-device" + set comment "Routers, firewalls, gateways, etc." + next + edit Others + set member "gaming-console" "media-streaming" + set comment "Other devices." + next + end + config vpn ssl web host-check-software + edit FortiClient-AV + set guid "C86EC76D-5A4C-40E7-BD94-59358E544D81" + next + edit FortiClient-FW + set guid "528CB157-D384-4593-AAAA-E42DFF111CED" + set type fw + next + edit FortiClient-AV-Vista-Win7 + set guid "385618A6-2256-708E-3FB9-7E98B93F91F9" + next + edit FortiClient-FW-Vista-Win7 + set guid "006D9983-6839-71D6-14E6-D7AD47ECD682" + set type fw + next + edit AVG-Internet-Security-AV + set guid "17DDD097-36FF-435F-9E1B-52D74245D6BF" + next + edit AVG-Internet-Security-FW + set guid "8DECF618-9569-4340-B34A-D78D28969B66" + set type fw + next + edit AVG-Internet-Security-AV-Vista-Win7 + set guid "0C939084-9E57-CBDB-EA61-0B0C7F62AF82" + next + edit AVG-Internet-Security-FW-Vista-Win7 + set guid "34A811A1-D438-CA83-C13E-A23981B1E8F9" + set type fw + next + edit CA-Anti-Virus + set guid "17CFD1EA-56CF-40B5-A06B-BD3A27397C93" + next + edit CA-Internet-Security-AV + set guid "6B98D35F-BB76-41C0-876B-A50645ED099A" + next + edit CA-Internet-Security-FW + set guid "38102F93-1B6E-4922-90E1-A35D8DC6DAA3" + set type fw + next + edit CA-Internet-Security-AV-Vista-Win7 + set guid "3EED0195-0A4B-4EF3-CC4F-4F401BDC245F" + next + edit CA-Internet-Security-FW-Vista-Win7 + set guid "06D680B0-4024-4FAB-E710-E675E50F6324" + set type fw + next + edit CA-Personal-Firewall + set guid "14CB4B80-8E52-45EA-905E-67C1267B4160" + set type fw + next + edit F-Secure-Internet-Security-AV + set guid "E7512ED5-4245-4B4D-AF3A-382D3F313F15" + next + edit F-Secure-Internet-Security-FW + set guid "D4747503-0346-49EB-9262-997542F79BF4" + set type fw + next + edit F-Secure-Internet-Security-AV-Vista-Win7 + set guid "15414183-282E-D62C-CA37-EF24860A2F17" + next + edit 
F-Secure-Internet-Security-FW-Vista-Win7 + set guid "2D7AC0A6-6241-D774-E168-461178D9686C" + set type fw + next + edit Kaspersky-AV + set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0" + next + edit Kaspersky-FW + set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0" + set type fw + next + edit Kaspersky-AV-Vista-Win7 + set guid "AE1D740B-8F0F-D137-211D-873D44B3F4AE" + next + edit Kaspersky-FW-Vista-Win7 + set guid "9626F52E-C560-D06F-0A42-2E08BA60B3D5" + set type fw + next + edit McAfee-Internet-Security-Suite-AV + set guid "84B5EE75-6421-4CDE-A33A-DD43BA9FAD83" + next + edit McAfee-Internet-Security-Suite-FW + set guid "94894B63-8C7F-4050-BDA4-813CA00DA3E8" + set type fw + next + edit McAfee-Internet-Security-Suite-AV-Vista-Win7 + set guid "86355677-4064-3EA7-ABB3-1B136EB04637" + next + edit McAfee-Internet-Security-Suite-FW-Vista-Win7 + set guid "BE0ED752-0A0B-3FFF-80EC-B2269063014C" + set type fw + next + edit McAfee-Virus-Scan-Enterprise + set guid "918A2B0B-2C60-4016-A4AB-E868DEABF7F0" + next + edit Norton-360-2.0-AV + set guid "A5F1BC7C-EA33-4247-961C-0217208396C4" + next + edit Norton-360-2.0-FW + set guid "371C0A40-5A0C-4AD2-A6E5-69C02037FBF3" + set type fw + next + edit Norton-360-3.0-AV + set guid "E10A9785-9598-4754-B552-92431C1C35F8" + next + edit Norton-360-3.0-FW + set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220" + set type fw + next + edit Norton-Internet-Security-AV + set guid "E10A9785-9598-4754-B552-92431C1C35F8" + next + edit Norton-Internet-Security-FW + set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220" + set type fw + next + edit Norton-Internet-Security-AV-Vista-Win7 + set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855" + next + edit Norton-Internet-Security-FW-Vista-Win7 + set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E" + set type fw + next + edit Symantec-Endpoint-Protection-AV + set guid "FB06448E-52B8-493A-90F3-E43226D3305C" + next + edit Symantec-Endpoint-Protection-FW + set guid "BE898FE3-CD0B-4014-85A9-03DB9923DDB6" + set type fw + next + edit 
Symantec-Endpoint-Protection-AV-Vista-Win7 + set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855" + next + edit Symantec-Endpoint-Protection-FW-Vista-Win7 + set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E" + set type fw + next + edit Panda-Antivirus+Firewall-2008-AV + set guid "EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A" + next + edit Panda-Antivirus+Firewall-2008-FW + set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8" + set type fw + next + edit Panda-Internet-Security-AV + set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0" + next + edit Panda-Internet-Security-2006~2007-FW + set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0" + set type fw + next + edit Panda-Internet-Security-2008~2009-FW + set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8" + set type fw + next + edit Sophos-Anti-Virus + set guid "3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD" + next + edit Sophos-Enpoint-Secuirty-and-Control-FW + set guid "0786E95E-326A-4524-9691-41EF88FB52EA" + set type fw + next + edit Sophos-Enpoint-Secuirty-and-Control-AV-Vista-Win7 + set guid "479CCF92-4960-B3E0-7373-BF453B467D2C" + next + edit Sophos-Enpoint-Secuirty-and-Control-FW-Vista-Win7 + set guid "7FA74EB7-030F-B2B8-582C-1670C5953A57" + set type fw + next + edit Trend-Micro-AV + set guid "7D2296BC-32CC-4519-917E-52E652474AF5" + next + edit Trend-Micro-FW + set guid "3E790E9E-6A5D-4303-A7F9-185EC20F3EB6" + set type fw + next + edit Trend-Micro-AV-Vista-Win7 + set guid "48929DFC-7A52-A34F-8351-C4DBEDBD9C50" + next + edit Trend-Micro-FW-Vista-Win7 + set guid "70A91CD9-303D-A217-A80E-6DEE136EDB2B" + set type fw + next + edit ZoneAlarm-AV + set guid "5D467B10-818C-4CAB-9FF7-6893B5B8F3CF" + next + edit ZoneAlarm-FW + set guid "829BDA32-94B3-44F4-8446-F8FCFF809F8B" + set type fw + next + edit ZoneAlarm-AV-Vista-Win7 + set guid "D61596DF-D219-341C-49B3-AD30538CBC5B" + next + edit ZoneAlarm-FW-Vista-Win7 + set guid "EE2E17FA-9876-3544-62EC-0405AD5FFB20" + set type fw + next + edit ESET-Smart-Security-AV + set guid "19259FAE-8396-A113-46DB-15B0E7DFA289" + 
next + edit ESET-Smart-Security-FW + set guid "211E1E8B-C9F9-A04B-6D84-BC85190CE5F2" + set type fw + next + end + config vpn ssl web portal + edit full-access + set web-mode enable + set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" + set page-layout double-column + set ip-pools "SSLVPN_TUNNEL_ADDR1" + set ipv6-tunnel-mode enable + set tunnel-mode enable + next + edit web-access + set web-mode enable + next + edit tunnel-access + set ip-pools "SSLVPN_TUNNEL_ADDR1" + set ipv6-tunnel-mode enable + set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" + set tunnel-mode enable + next + end + config vpn ssl settings + set servercert "self-sign" + set port 443 + end + config voip profile + edit default + set comment "Default VoIP profile." + next + edit strict + config sip + set malformed-header-max-forwards discard + set malformed-header-rack discard + set malformed-header-allow discard + set malformed-header-call-id discard + set malformed-header-sdp-v discard + set malformed-header-record-route discard + set malformed-header-contact discard + set malformed-header-sdp-s discard + set malformed-header-content-length discard + set malformed-header-sdp-z discard + set malformed-header-from discard + set malformed-header-route discard + set malformed-header-sdp-b discard + set malformed-header-sdp-c discard + set malformed-header-sdp-a discard + set malformed-header-sdp-o discard + set malformed-header-sdp-m discard + set malformed-header-sdp-k discard + set malformed-header-sdp-i discard + set malformed-header-to discard + set malformed-header-via discard + set malformed-header-sdp-t discard + set malformed-request-line discard + set malformed-header-sdp-r discard + set malformed-header-content-type discard + set malformed-header-expires discard + set malformed-header-rseq discard + set malformed-header-p-asserted-identity discard + set malformed-header-cseq discard + end + next + end + config webfilter profile + edit default + set comment "Default web filtering." 
+ set post-action comfort + config ftgd-wf + config filters + edit 1 + set category 2 + set action warning + next + edit 2 + set category 7 + set action warning + next + edit 3 + set category 8 + set action warning + next + edit 4 + set category 9 + set action warning + next + edit 5 + set category 11 + set action warning + next + edit 6 + set category 12 + set action warning + next + edit 7 + set category 13 + set action warning + next + edit 8 + set category 14 + set action warning + next + edit 9 + set category 15 + set action warning + next + edit 10 + set category 16 + set action warning + next + edit 11 + set action warning + next + edit 12 + set category 57 + set action warning + next + edit 13 + set category 63 + set action warning + next + edit 14 + set category 64 + set action warning + next + edit 15 + set category 65 + set action warning + next + edit 16 + set category 66 + set action warning + next + edit 17 + set category 67 + set action warning + next + edit 18 + set category 26 + set action block + next + end + end + next + edit web-filter-flow + set comment "Flow-based web filter profile." + set inspection-mode flow-based + set post-action comfort + config ftgd-wf + config filters + edit 1 + set category 2 + next + edit 2 + set category 7 + next + edit 3 + set category 8 + next + edit 4 + set category 9 + next + edit 5 + set category 11 + next + edit 6 + set category 12 + next + edit 7 + set category 13 + next + edit 8 + set category 14 + next + edit 9 + set category 15 + next + edit 10 + set category 16 + next + edit 11 + next + edit 12 + set category 57 + next + edit 13 + set category 63 + next + edit 14 + set category 64 + next + edit 15 + set category 65 + next + edit 16 + set category 66 + next + edit 17 + set category 67 + next + edit 18 + set category 26 + set action block + next + end + end + next + edit monitor-all + set comment "Monitor and log all visited URLs, proxy-based." 
+ set web-content-log disable + set web-filter-applet-log disable + set web-ftgd-err-log disable + set web-filter-jscript-log disable + set web-filter-activex-log disable + set web-filter-referer-log disable + set web-filter-js-log disable + set web-invalid-domain-log disable + set web-ftgd-quota-usage disable + set web-filter-command-block-log disable + set web-filter-vbs-log disable + set web-filter-unknown-log disable + set web-filter-cookie-log disable + set log-all-url enable + set web-filter-cookie-removal-log disable + set web-url-log disable + config ftgd-wf + config filters + edit 1 + set category 1 + next + edit 2 + set category 3 + next + edit 3 + set category 4 + next + edit 4 + set category 5 + next + edit 5 + set category 6 + next + edit 6 + set category 12 + next + edit 7 + set category 59 + next + edit 8 + set category 62 + next + edit 9 + set category 83 + next + edit 10 + set category 2 + next + edit 11 + set category 7 + next + edit 12 + set category 8 + next + edit 13 + set category 9 + next + edit 14 + set category 11 + next + edit 15 + set category 13 + next + edit 16 + set category 14 + next + edit 17 + set category 15 + next + edit 18 + set category 16 + next + edit 19 + set category 57 + next + edit 20 + set category 63 + next + edit 21 + set category 64 + next + edit 22 + set category 65 + next + edit 23 + set category 66 + next + edit 24 + set category 67 + next + edit 25 + set category 19 + next + edit 26 + set category 24 + next + edit 27 + set category 25 + next + edit 28 + set category 72 + next + edit 29 + set category 75 + next + edit 30 + set category 76 + next + edit 31 + set category 26 + next + edit 32 + set category 61 + next + edit 33 + set category 86 + next + edit 34 + set category 17 + next + edit 35 + set category 18 + next + edit 36 + set category 20 + next + edit 37 + set category 23 + next + edit 38 + set category 28 + next + edit 39 + set category 29 + next + edit 40 + set category 30 + next + edit 41 + set category 33 
+ next + edit 42 + set category 34 + next + edit 43 + set category 35 + next + edit 44 + set category 36 + next + edit 45 + set category 37 + next + edit 46 + set category 38 + next + edit 47 + set category 39 + next + edit 48 + set category 40 + next + edit 49 + set category 42 + next + edit 50 + set category 44 + next + edit 51 + set category 46 + next + edit 52 + set category 47 + next + edit 53 + set category 48 + next + edit 54 + set category 54 + next + edit 55 + set category 55 + next + edit 56 + set category 58 + next + edit 57 + set category 68 + next + edit 58 + set category 69 + next + edit 59 + set category 70 + next + edit 60 + set category 71 + next + edit 61 + set category 77 + next + edit 62 + set category 78 + next + edit 63 + set category 79 + next + edit 64 + set category 80 + next + edit 65 + set category 82 + next + edit 66 + set category 85 + next + edit 67 + set category 87 + next + edit 68 + set category 31 + next + edit 69 + set category 41 + next + edit 70 + set category 43 + next + edit 71 + set category 49 + next + edit 72 + set category 50 + next + edit 73 + set category 51 + next + edit 74 + set category 52 + next + edit 75 + set category 53 + next + edit 76 + set category 56 + next + edit 77 + set category 81 + next + edit 78 + set category 84 + next + edit 79 + next + end + end + next + edit flow-monitor-all + set comment "Monitor and log all visited URLs, flow-based." 
+ set web-content-log disable + set web-filter-applet-log disable + set web-ftgd-err-log disable + set web-filter-command-block-log disable + set web-filter-jscript-log disable + set web-filter-activex-log disable + set web-filter-referer-log disable + set web-filter-js-log disable + set web-invalid-domain-log disable + set web-ftgd-quota-usage disable + set inspection-mode flow-based + set web-filter-vbs-log disable + set web-filter-unknown-log disable + set web-filter-cookie-log disable + set log-all-url enable + set web-filter-cookie-removal-log disable + set web-url-log disable + config ftgd-wf + config filters + edit 1 + set category 1 + next + edit 2 + set category 3 + next + edit 3 + set category 4 + next + edit 4 + set category 5 + next + edit 5 + set category 6 + next + edit 6 + set category 12 + next + edit 7 + set category 59 + next + edit 8 + set category 62 + next + edit 9 + set category 83 + next + edit 10 + set category 2 + next + edit 11 + set category 7 + next + edit 12 + set category 8 + next + edit 13 + set category 9 + next + edit 14 + set category 11 + next + edit 15 + set category 13 + next + edit 16 + set category 14 + next + edit 17 + set category 15 + next + edit 18 + set category 16 + next + edit 19 + set category 57 + next + edit 20 + set category 63 + next + edit 21 + set category 64 + next + edit 22 + set category 65 + next + edit 23 + set category 66 + next + edit 24 + set category 67 + next + edit 25 + set category 19 + next + edit 26 + set category 24 + next + edit 27 + set category 25 + next + edit 28 + set category 72 + next + edit 29 + set category 75 + next + edit 30 + set category 76 + next + edit 31 + set category 26 + next + edit 32 + set category 61 + next + edit 33 + set category 86 + next + edit 34 + set category 17 + next + edit 35 + set category 18 + next + edit 36 + set category 20 + next + edit 37 + set category 23 + next + edit 38 + set category 28 + next + edit 39 + set category 29 + next + edit 40 + set category 30 + 
next + edit 41 + set category 33 + next + edit 42 + set category 34 + next + edit 43 + set category 35 + next + edit 44 + set category 36 + next + edit 45 + set category 37 + next + edit 46 + set category 38 + next + edit 47 + set category 39 + next + edit 48 + set category 40 + next + edit 49 + set category 42 + next + edit 50 + set category 44 + next + edit 51 + set category 46 + next + edit 52 + set category 47 + next + edit 53 + set category 48 + next + edit 54 + set category 54 + next + edit 55 + set category 55 + next + edit 56 + set category 58 + next + edit 57 + set category 68 + next + edit 58 + set category 69 + next + edit 59 + set category 70 + next + edit 60 + set category 71 + next + edit 61 + set category 77 + next + edit 62 + set category 78 + next + edit 63 + set category 79 + next + edit 64 + set category 80 + next + edit 65 + set category 82 + next + edit 66 + set category 85 + next + edit 67 + set category 87 + next + edit 68 + set category 31 + next + edit 69 + set category 41 + next + edit 70 + set category 43 + next + edit 71 + set category 49 + next + edit 72 + set category 50 + next + edit 73 + set category 51 + next + edit 74 + set category 52 + next + edit 75 + set category 53 + next + edit 76 + set category 56 + next + edit 77 + set category 81 + next + edit 78 + set category 84 + next + edit 79 + next + end + end + next + edit block-security-risks + set comment "Block security risks." 
+ config ftgd-wf + set options rate-server-ip + config filters + edit 1 + set category 26 + set action block + next + edit 2 + set category 61 + set action block + next + edit 3 + set category 86 + set action block + next + edit 4 + set action warning + next + end + end + next + end + config webfilter override + end + config webfilter override-user + end + config webfilter ftgd-warning + end + config webfilter ftgd-local-rating + end + config webfilter search-engine + edit google + set url "^\\/((custom|search|images|videosearch|webhp)\\?)" + set query "q=" + set safesearch-str "&safe=active" + set hostname ".*\\.google\\..*" + set safesearch url + next + edit yahoo + set url "^\\/search(\\/video|\\/images){0,1}(\\?|;)" + set query "p=" + set safesearch-str "&vm=r" + set hostname ".*\\.yahoo\\..*" + set safesearch url + next + edit bing + set url "^(\\/images|\\/videos)?(\\/search|\\/async|\\/asyncv2)\\?" + set query "q=" + set safesearch-str "&adlt=strict" + set hostname "www\\.bing\\.com" + set safesearch url + next + edit yandex + set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?" + set query "text=" + set safesearch-str "&family=yes" + set hostname "yandex\\..*" + set safesearch url + next + edit youtube + set safesearch header + set hostname ".*\\.youtube\\..*" + next + edit baidu + set url "^\\/s?\\?" + set query "wd=" + set hostname ".*\\.baidu\\.com" + next + edit baidu2 + set url "^\\/(ns|q|m|i|v)\\?" + set query "word=" + set hostname ".*\\.baidu\\.com" + next + edit baidu3 + set url "^\\/f\\?" + set query "kw=" + set hostname "tieba\\.baidu\\.com" + next + end + config antivirus profile + edit default + set comment "Scan files and block viruses." + config http + set options scan + end + config ftp + set options scan + end + config imap + set options scan + end + config pop3 + set options scan + end + config smtp + set options scan + end + next + end + config spamfilter profile + edit default + set comment "Malware and phishing URL filtering." 
+ next + end + config wanopt settings + set host-id "default-id" + end + config wanopt profile + edit default + set comments "Default WANopt profile." + next + end + config firewall schedule recurring + edit always + set day sunday monday tuesday wednesday thursday friday saturday + next + edit none + set day none + next + end + config firewall profile-protocol-options + edit default + set comment "All default services." + config http + set ports 80 + end + config ftp + set ports 21 + set options splice + end + config imap + set ports 143 + set options fragmail + end + config mapi + set ports 135 + set options fragmail + end + config pop3 + set ports 110 + set options fragmail + end + config smtp + set ports 25 + set options fragmail splice + end + config nntp + set ports 119 + set options splice + end + config dns + set ports 53 + end + next + end + config firewall ssl-ssh-profile + edit deep-inspection + set comment "Deep inspection." + config https + set ports 443 + end + config ftps + set ports 990 + end + config imaps + set ports 993 + end + config pop3s + set ports 995 + end + config smtps + set ports 465 + end + config ssh + set ports 22 + end + config ssl-exempt + edit 1 + set fortiguard-category 31 + next + edit 2 + set fortiguard-category 33 + next + edit 3 + set fortiguard-category 87 + next + edit 4 + set type address + set address "apple" + next + edit 5 + set type address + set address "appstore" + next + edit 6 + set type address + set address "dropbox.com" + next + edit 7 + set type address + set address "Gotomeeting" + next + edit 8 + set type address + set address "icloud" + next + edit 9 + set type address + set address "itunes" + next + edit 10 + set type address + set address "android" + next + edit 11 + set type address + set address "skype" + next + edit 12 + set type address + set address "swscan.apple.com" + next + edit 13 + set type address + set address "update.microsoft.com" + next + edit 14 + set type address + set address "eease" + 
next + edit 15 + set type address + set address "google-drive" + next + edit 16 + set type address + set address "google-play" + next + edit 17 + set type address + set address "google-play2" + next + edit 18 + set type address + set address "google-play3" + next + edit 19 + set type address + set address "microsoft" + next + edit 20 + set type address + set address "adobe" + next + edit 21 + set type address + set address "Adobe Login" + next + edit 22 + set type address + set address "fortinet" + next + edit 23 + set type address + set address "googleapis.com" + next + edit 24 + set type address + set address "citrix" + next + edit 25 + set type address + set address "verisign" + next + edit 26 + set type address + set address "Windows update 2" + next + edit 27 + set type address + set address "*.live.com" + next + edit 28 + set type address + set address "auth.gfx.ms" + next + edit 29 + set type address + set address "autoupdate.opera.com" + next + edit 30 + set type address + set address "softwareupdate.vmware.com" + next + edit 31 + set type address + set address "firefox update server" + next + end + next + edit certificate-inspection + set comment "SSL handshake inspection." 
+ config https + set status certificate-inspection + set ports 443 + end + config ftps + set status disable + set ports 990 + end + config imaps + set status disable + set ports 993 + end + config pop3s + set status disable + set ports 995 + end + config smtps + set status disable + set ports 465 + end + config ssh + set status disable + set ports 22 + end + next + end + config firewall identity-based-route + end + config firewall policy + end + config firewall local-in-policy + end + config firewall policy6 + end + config firewall local-in-policy6 + end + config firewall ttl-policy + end + config firewall policy64 + end + config firewall policy46 + end + config firewall explicit-proxy-policy + end + config firewall interface-policy + end + config firewall interface-policy6 + end + config firewall DoS-policy + end + config firewall DoS-policy6 + end + config firewall sniffer + end + config endpoint-control profile + edit default + config forticlient-winmac-settings + set forticlient-wf-profile "default" + end + config forticlient-android-settings + end + config forticlient-ios-settings + end + next + end + config wireless-controller wids-profile + edit default + set comment "Default WIDS profile." 
+ set deauth-broadcast enable + set assoc-frame-flood enable + set invalid-mac-oui enable + set ap-scan enable + set eapol-logoff-flood enable + set long-duration-attack enable + set eapol-pre-fail-flood enable + set eapol-succ-flood enable + set eapol-start-flood enable + set wireless-bridge enable + set eapol-pre-succ-flood enable + set auth-frame-flood enable + set asleap-attack enable + set eapol-fail-flood enable + set spoofed-deauth enable + set weak-wep-iv enable + set null-ssid-probe-resp enable + next + edit default-wids-apscan-enabled + set ap-scan enable + next + end + config wireless-controller wtp-profile + edit FAP112B-default + set ap-country US + config platform + set type 112B + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP220B-default + set ap-country US + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FAP223B-default + set ap-country US + config platform + set type 223B + end + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FAP210B-default + set ap-country US + config platform + set type 210B + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP222B-default + set ap-country US + config platform + set type 222B + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11n-5G + end + next + edit FAP320B-default + set ap-country US + config platform + set type 320B + end + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FAP11C-default + set ap-country US + config platform + set type 11C + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP14C-default + set ap-country US + config platform + set type 14C + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit 
FAP28C-default + set ap-country US + config platform + set type 28C + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP320C-default + set ap-country US + config platform + set type 320C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP221C-default + set ap-country US + config platform + set type 221C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP25D-default + set ap-country US + config platform + set type 25D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP222C-default + set ap-country US + config platform + set type 222C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP224D-default + set ap-country US + config platform + set type 224D + end + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FK214B-default + set ap-country US + config platform + set type 214B + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP21D-default + set ap-country US + config platform + set type 21D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP24D-default + set ap-country US + config platform + set type 24D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP112D-default + set ap-country US + config platform + set type 112D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP223C-default + set ap-country US + config platform + set type 223C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP321C-default + set ap-country US + config platform + set type 321C + end + 
config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + end + config log memory setting + set status enable + end + config router rip + config redistribute connected + end + config redistribute static + end + config redistribute ospf + end + config redistribute bgp + end + config redistribute isis + end + end + config router ripng + config redistribute connected + end + config redistribute static + end + config redistribute ospf + end + config redistribute bgp + end + config redistribute isis + end + end + config router ospf + config redistribute connected + end + config redistribute static + end + config redistribute rip + end + config redistribute bgp + end + config redistribute isis + end + end + config router ospf6 + config redistribute connected + end + config redistribute static + end + config redistribute rip + end + config redistribute bgp + end + config redistribute isis + end + end + config router bgp + config redistribute connected + end + config redistribute rip + end + config redistribute ospf + end + config redistribute static + end + config redistribute isis + end + config redistribute6 connected + end + config redistribute6 rip + end + config redistribute6 ospf + end + config redistribute6 static + end + config redistribute6 isis + end + end + config router isis + config redistribute connected + end + config redistribute rip + end + config redistribute ospf + end + config redistribute bgp + end + config redistribute static + end + end + config router multicast + end diff --git a/test/integration/targets/fortios_address/files/requirements.txt b/test/integration/targets/fortios_address/files/requirements.txt new file mode 100644 index 00000000000..1511d26b94a --- /dev/null +++ b/test/integration/targets/fortios_address/files/requirements.txt @@ -0,0 +1,2 @@ +pyfg>=0.50 +netaddr \ No newline at end of file 
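Review bot: `netaddr` is left unpinned and `pyfg>=0.50` has no upper bound, so each integration run installs whatever is newest on the index at that moment; a breaking release of either package would then surface as a failure unrelated to this module, and what lands on the test host is not reproducible. Pinning both to the versions the module was validated against, `pyfg==0.50` and `netaddr==<validated version>`, keeps the run reproducible. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.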
diff --git a/test/integration/targets/fortios_address/tasks/main.yml b/test/integration/targets/fortios_address/tasks/main.yml
new file mode 100644
index 00000000000..9073da1bc6f
--- /dev/null
+++ b/test/integration/targets/fortios_address/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: install required libraries
+ pip:
+ requirements: "{{ role_path }}/files/requirements.txt"
+ become: True
+
+- name: copy backup config file to config file
+ copy:
+ src: "{{ role_path }}/files/default_config.conf.backup"
+ dest: "{{ role_path }}/files/default_config.conf"
+
+- { include: test_indempotency.yml }
+- { include: test_params_state_absent.yml }
+- { include: test_params_state_present.yml }
diff --git a/test/integration/targets/fortios_address/tasks/test_indempotency.yml b/test/integration/targets/fortios_address/tasks/test_indempotency.yml
new file mode 100644
index 00000000000..1c3666cb7f6
--- /dev/null
+++ b/test/integration/targets/fortios_address/tasks/test_indempotency.yml
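Review bot: The `pip` task installs `files/requirements.txt` into the system interpreter with `become: True`, so the unpinned third-party packages listed there land system-wide as root on whatever host runs this integration target. The `pip` module's `virtualenv:` parameter (pointing at a throwaway path under the role, e.g. `virtualenv: "{{ role_path }}/files/<venv-dir>"`) would confine them, at the cost of directing the later module tasks' interpreter at that environment. The task-list `include:` form was being deprecated around this release in favour of `import_tasks`/`include_tasks`; if the targeted Ansible version already supports them, switching avoids a deprecation warning. The included file is named `test_indempotency.yml`, presumably a misspelling of idempotency, and the name will be carried into every future reference.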
@@ -0,0 +1,82 @@
+---
+ - name: Add address
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: github
+ value: 192.30.253.113
+ state: present
+ register: add_addr
+
+ - name: Assert
+ assert:
+ that:
+ - "add_addr.changed == true"
+
+ - name: Add the same address
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: github
+ value: 192.30.253.113
+ state: present
+ register: add_addr
+
+ - name: Assert
+ assert:
+ that:
+ - "add_addr.changed == false"
+
+ - name: change value
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: github
+ value: 192.1.2.3
+ state: present
+ register: change_addr
+
+ - name: Assert
+ assert:
+ that:
+ - "change_addr.changed == true"
+
+ - name: change value second time
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: github
+ value: 192.1.2.3
+ state: present
+ register: change_addr
+
+ - name: Assert
+ assert:
+ that:
+ - "change_addr.changed == false"
+
+ - name: Delete existing address
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: github
+ state: absent
+ register: del_addr
+
+ - name: Assert
+ assert:
+ that:
+ - "del_addr.changed == true"
+
+ - name: Delete same existing address
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: github
+ state: absent
+ register: del_addr
+
+ - name: Assert
+ assert:
+ that:
+ - "del_addr.changed == false"
diff --git a/test/integration/targets/fortios_address/tasks/test_params_state_absent.yml b/test/integration/targets/fortios_address/tasks/test_params_state_absent.yml
new file mode 100644
index 00000000000..02e0c3dee1a
--- /dev/null
+++ b/test/integration/targets/fortios_address/tasks/test_params_state_absent.yml
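Review bot: Every assertion in this file checks only the `changed` flag, so a module that reports `changed: true` without actually writing `value: 192.30.253.113` into `default_config.conf`, or that rewrites the file on every run while toggling the flag correctly, would still pass. A read-back step after each mutating task (for example `slurp` on the config file followed by an assert that the decoded content contains the `github` entry with the expected value, and no longer contains it after the delete) would tie the flag to the file state. The `Add the same address` and `change value second time` tasks reuse the `add_addr`/`change_addr` registers of the preceding task, which is fine here but discards the earlier result if a later assert ever needs to compare the two.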
@@ -0,0 +1,91 @@
+---
+# Check made for absent state
+ - name: missing name
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ state: absent
+ register: missing_name
+ ignore_errors: True
+
+ - name: not wanted type fqdn
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: some name
+ state: absent
+ type: fqdn
+ register: unwanted_fqdn
+ ignore_errors: True
+
+ - name: not wanted type geography
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: some name
+ state: absent
+ type: geography
+ register: unwanted_geography
+ ignore_errors: True
+
+ - name: not wanted param start_ip
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: some name
+ state: absent
+ start_ip: 10.1.1.1
+ register: unwanted_start_ip
+ ignore_errors: True
+
+ - name: not wanted param end_ip
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: some name
+ state: absent
+ end_ip: 10.1.1.1
+ register: unwanted_end_ip
+ ignore_errors: True
+
+ - name: not wanted param country
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: some name
+ state: absent
+ country: FR
+ register: unwanted_country
+ ignore_errors: True
+
+ - name: not wanted param comment
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: some name
+ state: absent
+ comment: blabla
+ register: unwanted_comment
+ ignore_errors: True
+
+ - name: not wanted param value
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ name: some name
+ state: absent
+ value: blabla
+ register: unwanted_value
+ ignore_errors: True
+
+ - name: Verify that all previous test have failed
+ assert:
+ that:
+ - "missing_name.failed == True"
+ - "unwanted_fqdn.failed == True"
+ - "unwanted_geography.failed == True"
+ - "unwanted_start_ip.failed == True"
+ - "unwanted_end_ip.failed == True"
+ - "unwanted_country.failed == True"
+ - "unwanted_comment.failed == True"
+ - "unwanted_value.failed == True"
diff --git a/test/integration/targets/fortios_address/tasks/test_params_state_present.yml b/test/integration/targets/fortios_address/tasks/test_params_state_present.yml
new file mode 100644
index 00000000000..67fd6fb838e
--- /dev/null
+++ b/test/integration/targets/fortios_address/tasks/test_params_state_present.yml
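Review bot: Each task in this file is expected to fail, but the `Verify that all previous test have failed` block only checks `failed == True`, so a failure for an unrelated reason (the `pyfg` import missing on the host, a traceback inside the module, an unreadable `config_file`) satisfies every assertion and the parameter validation is never actually exercised. Asserting on the failure message as well, for example `- "'<expected wording>' in missing_name.msg"` using whatever text the module emits when a required parameter is absent, would distinguish a deliberate rejection from a crash. The same pattern applies to the final assert block of test_params_state_present.yml.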
@@ -0,0 +1,86 @@
+---
+# Check made for present state
+# type ipmask
+ - name: missing name
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ state: present
+ value: blabla
+ register: missing_name
+ ignore_errors: True
+
+ - name: missing value
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ state: present
+ name: blabla
+ register: missing_value
+ ignore_errors: True
+
+ - name: bad ip mask value
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ state: present
+ name: blabla
+ value: pwet
+ register: bad_ipmask
+ ignore_errors: True
+
+# type geography
+ - name: missing country
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ state: present
+ name: blabla
+ type: geography
+ register: missing_country
+ ignore_errors: True
+
+ - name: bad country
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ state: present
+ name: blabla
+ type: geography
+ country: FRA
+ register: bad_country
+ ignore_errors: True
+
+# type iprange
+ - name: missing start_ip
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ state: present
+ name: blabla
+ type: iprange
+ end_ip: 10.10.10.10
+ register: missing_sart_ip
+ ignore_errors: True
+
+ - name: missing end_ip
+ fortios_address:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ state: present
+ name: blabla
+ type: iprange
+ start_ip: 10.10.10.10
+ register: missing_end_ip
+ ignore_errors: True
+
+ - name: Verify that all previous test have failed
+ assert:
+ that:
+ - "missing_name.failed == True"
+ - "missing_value.failed == True"
+ - "bad_ipmask.failed == True"
+ - "missing_country.failed == True"
+ - "bad_country.failed == True"
+ - "missing_sart_ip.failed == True"
+ - "missing_end_ip.failed == True"
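Review bot: The register name `missing_sart_ip` under `- name: missing start_ip` and in the final assert is a typo for `missing_start_ip`; it works only because both occurrences match, and the next person adding an iprange case will likely write the correct spelling and hit an undefined-variable error instead of a meaningful assertion. Renaming both lines to `register: missing_start_ip` and `- "missing_start_ip.failed == True"` keeps the registers consistent with their task names.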