From e99815e9f57f1dddc02d220c62ea3667489c3522 Mon Sep 17 00:00:00 2001
From: Benjamin Jolivot
Date: Tue, 9 May 2017 14:51:19 +0200
Subject: [PATCH] Fortios file only mode + integration tests (#23275)
* WIP file_mode
* WIP
* Add file_mode + integration tests
* fix pep8
* Update doc fragments Create mutualy_exclusive param Fix yamllint problem in tests
* Add aliases file + main playbook for fortios
* Install pyfg before running tests
* Install pyfg before running tests in role
* Remove pre_task as it's done in roles
* Force pyFG minimal version for python3
* role_path not role_dir :(
* Change requirements
* Specify Error type when error on import
* Bug in pygf library with python 2.5 (PR is waiting https://github.com/spotify/pyfg/pull/19)
* Bad requirement format
* still bad format -_-'
* remove test/integration/fortios.py (auto generated by tests) missing new lines at end of file
* pyFG is now fixed in 0.50
---
 lib/ansible/module_utils/fortios.py | 106 +-
 .../utils/module_docs_fragments/fortios.py | 19 +-
 .../targets/fortios_ipv4_policy/aliases | 1 +
 .../files/default_config.conf | 3134 +++++++++++++++++
 .../files/requirements.txt | 1 +
 .../fortios_ipv4_policy/tasks/main.yml | 7 +
 .../tasks/test_indempotency.yml | 68 +
 .../fortios_ipv4_policy/tasks/test_params.yml | 74 +
 8 files changed, 3368 insertions(+), 42 deletions(-)
 create mode 100644 test/integration/targets/fortios_ipv4_policy/aliases
 create mode 100644 test/integration/targets/fortios_ipv4_policy/files/default_config.conf
 create mode 100644 test/integration/targets/fortios_ipv4_policy/files/requirements.txt
 create mode 100644 test/integration/targets/fortios_ipv4_policy/tasks/main.yml
 create mode 100644 test/integration/targets/fortios_ipv4_policy/tasks/test_indempotency.yml
 create mode 100644 test/integration/targets/fortios_ipv4_policy/tasks/test_params.yml
diff --git a/lib/ansible/module_utils/fortios.py b/lib/ansible/module_utils/fortios.py
index 883f815ed22..8ce32eadf06 100644
--- a/lib/ansible/module_utils/fortios.py
+++ b/lib/ansible/module_utils/fortios.py
@@ -38,13 +38,15 @@ try:
 from pyFG import FortiOS, FortiConfig
 from pyFG.exceptions import CommandExecutionException, FailedCommit
 HAS_PYFG=True
-except:
+except ImportError:
 HAS_PYFG=False
 fortios_argument_spec = dict(
- host = dict(required=True ),
- username = dict(required=True ),
- password = dict(required=True, type='str', no_log=True ),
+ file_mode = dict(type='bool', default=False),
+ config_file = dict(type='path'),
+ host = dict( ),
+ username = dict( ),
+ password = dict(type='str', no_log=True ),
 timeout = dict(type='int', default=60),
 vdom = dict(type='str', default=None ),
 backup = dict(type='bool', default=False),
@@ -53,9 +55,16 @@ fortios_argument_spec = dict(
 )
 fortios_required_if = [
+ ['file_mode', False, ['host', 'username', 'password']],
+ ['file_mode', True, ['config_file']],
 ['backup', True , ['backup_path'] ],
 ]
+fortios_mutually_exclusive = [
+ ['config_file', 'host'],
+ ['config_file', 'username'],
+ ['config_file', 'password']
+]
 fortios_error_codes = {
 '-3':"Object not found",
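Review bot: `fortios_mutually_exclusive`, defined in the second hunk, only takes effect if every fortios module passes it to `AnsibleModule(..., mutually_exclusive=fortios_mutually_exclusive)`, and those call sites are not part of this diff; without that wiring a task that sets `file_mode: true` together with `host`/`username`/`password` is accepted and the credentials are simply ignored. The same applies to the two `required_if` rows added just above it, which now carry the whole burden of requiring `host`/`username`/`password` since the first hunk drops `required=True` from them. A one-line comment above the list stating the contract, `# modules must pass this as mutually_exclusive= to AnsibleModule`, would make the dependency visible to the next maintainer.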
@@ -96,39 +105,55 @@ class AnsibleFortios(object):
 def _connect(self):
- host = self.module.params['host']
- username = self.module.params['username']
- password = self.module.params['password']
- timeout = self.module.params['timeout']
- vdom = self.module.params['vdom']
+ if self.module.params['file_mode']:
+ self.forti_device = FortiOS('')
+ else:
+ host = self.module.params['host']
+ username = self.module.params['username']
+ password = self.module.params['password']
+ timeout = self.module.params['timeout']
+ vdom = self.module.params['vdom']
- self.forti_device = FortiOS(host, username=username, password=password, timeout=timeout, vdom=vdom)
+ self.forti_device = FortiOS(host, username=username, password=password, timeout=timeout, vdom=vdom)
- try:
- self.forti_device.open()
- except Exception:
- e = get_exception()
- self.module.fail_json(msg='Error connecting device. %s' % e)
+ try:
+ self.forti_device.open()
+ except Exception:
+ e = get_exception()
+ self.module.fail_json(msg='Error connecting device. %s' % e)
 def load_config(self, path):
- self._connect()
 self.path = path
- #get config
- try:
- self.forti_device.load_config(path=path)
- self.result['running_config'] = self.forti_device.running_config.to_text()
- except Exception:
- self.forti_device.close()
- e = get_exception()
- self.module.fail_json(msg='Error reading running config. %s' % e)
+ self._connect()
+ #load in file_mode
+ if self.module.params['file_mode']:
+ try:
+ f = open(self.module.params['config_file'], 'r')
+ running = f.read()
+ f.close()
+ except IOError:
+ e = get_exception()
+ self.module.fail_json(msg='Error reading configuration file. 
%s' % e)
+ self.forti_device.load_config(config_text=running, path = path)
- #backup if needed
- if self.module.params['backup']:
- backup(self.module, self.result['running_config'])
+ else:
+ #get config
+ try:
+ self.forti_device.load_config(path=path)
+ except Exception:
+ self.forti_device.close()
+ e = get_exception()
+ self.module.fail_json(msg='Error reading running config. %s' % e)
+ #set configs in object
+ self.result['running_config'] = self.forti_device.running_config.to_text()
 self.candidate_config = self.forti_device.candidate_config
+ #backup if needed
+ if self.module.params['backup']:
+ backup(self.module, self.forti_device.running_config.to_text())
+
 def apply_changes(self):
 change_string = self.forti_device.compare_config()
@@ -138,16 +163,25 @@ class AnsibleFortios(object):
 #Commit if not check mode
 if change_string and not self.module.check_mode:
- try:
- self.forti_device.commit()
- except FailedCommit:
- #Something's wrong (rollback is automatic)
- self.forti_device.close()
- e = get_exception()
- error_list = self.get_error_infos(e)
- self.module.fail_json(msg_error_list=error_list, msg="Unable to commit change, check your args, the error was %s" % e.message )
+ if self.module.params['file_mode']:
+ try:
+ f = open(self.module.params['config_file'], 'w')
+ f.write(self.candidate_config.to_text())
+ f.close
+ except IOError:
+ e = get_exception()
+ self.module.fail_json(msg='Error writing configuration file. %s' % e)
+ else:
+ try:
+ self.forti_device.commit()
+ except FailedCommit:
+ #Something's wrong (rollback is automatic)
+ self.forti_device.close()
+ e = get_exception()
+ error_list = self.get_error_infos(e)
+ self.module.fail_json(msg_error_list=error_list, msg="Unable to commit change, check your args, the error was %s" % e.message )
- self.forti_device.close()
+ self.forti_device.close()
 self.module.exit_json(**self.result)
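Review bot: In the file-mode branch of `load_config`, `self.forti_device.load_config(config_text=running, path = path)` sits outside the `try`, so a configuration file that pyFG cannot parse ends the module with a traceback instead of a `fail_json`, while the device branch directly below wraps its own `load_config` call in `except Exception`. The read also leaks the handle when `f.read()` raises, because `f.close()` is only reached on success. I would use a context manager and keep both steps under the same `try`: `with open(self.module.params['config_file'], 'r') as f:` / `    running = f.read()` / `self.forti_device.load_config(config_text=running, path=path)`, widening the `except` to cover pyFG errors with a distinct message. In file mode `_connect` builds `FortiOS('')` and never calls `open()`, yet `close()` is still reached later in the class; that presumably is harmless on an unopened pyFG object, but it is worth confirming against the library rather than assuming.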
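Review bot: `f.close` in the file-mode branch of `apply_changes` is an attribute reference, not a call, so the file is never explicitly closed and the candidate config is only flushed whenever the handle is garbage-collected; a write error after `open()` likewise escapes the handle. More importantly, `open(..., 'w')` truncates `config_file` before anything is written, so any failure mid-write leaves a truncated firewall configuration on disk for the next run to load. Writing the candidate to a temporary file in the same directory and moving it into place with the module's `atomic_move` keeps the old file intact until the new content is complete (this needs `os` and `tempfile` imported at the top of the module). Separately, `e.message` in the `FailedCommit` handler is carried over from the old code and is not an attribute of Python 3 exceptions unless pyFG defines it, so `str(e)` would be safer. The enclosing `apply_changes` starts before this hunk.
```python
if self.module.params['file_mode']:
    config_file = self.module.params['config_file']
    try:
        # Write to a sibling temp file and move it into place, so a failed
        # write can never leave config_file truncated.
        fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(config_file)))
        self.module.add_cleanup_file(tmp_path)
        with os.fdopen(fd, 'w') as f:
            f.write(self.candidate_config.to_text())
        self.module.atomic_move(tmp_path, config_file)
    except (IOError, OSError):
        e = get_exception()
        self.module.fail_json(msg='Error writing configuration file. %s' % e)
else:
    # … unchanged: commit() / FailedCommit handling …
```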
diff --git a/lib/ansible/utils/module_docs_fragments/fortios.py b/lib/ansible/utils/module_docs_fragments/fortios.py
index 53d7aac9468..e1e5f8c2a42 100644
--- a/lib/ansible/utils/module_docs_fragments/fortios.py
+++ b/lib/ansible/utils/module_docs_fragments/fortios.py
@@ -23,18 +23,25 @@ class ModuleDocFragment(object):
 # Standard files documentation fragment
 DOCUMENTATION = """
 options:
+ file_mode:
+ description:
+ - Don't connect to any device, only use I(config_file) as input and Output.
+ default: false
+ type: bool
+ version_added: "2.4"
+ config_file:
+ description:
+ - Path to configuration file. Required when I(file_mode) is True.
+ version_added: "2.4"
 host:
 description:
- - Specifies the DNS hostname or IP address for connecting to the remote fortios device.
- required: true
+ - Specifies the DNS hostname or IP address for connecting to the remote fortios device. Required when I(file_mode) is False.
 username:
 description:
- - Configures the username used to authenticate to the remote device.
- required: true
+ - Configures the username used to authenticate to the remote device. Required when I(file_mode) is True.
 password:
 description:
- - Specifies the password used to authenticate to the remote device.
- required: true
+ - Specifies the password used to authenticate to the remote device. Required when I(file_mode) is True.
 timeout:
 description:
 - Timeout in seconds for connecting to the remote device.
diff --git a/test/integration/targets/fortios_ipv4_policy/aliases b/test/integration/targets/fortios_ipv4_policy/aliases
new file mode 100644
index 00000000000..4485d761629
--- /dev/null
+++ b/test/integration/targets/fortios_ipv4_policy/aliases
@@ -0,0 +1 @@
+posix/ci/group1
diff --git a/test/integration/targets/fortios_ipv4_policy/files/default_config.conf b/test/integration/targets/fortios_ipv4_policy/files/default_config.conf
new file mode 100644
index 00000000000..c2935d84772
--- /dev/null
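Review bot: The new `username` and `password` descriptions say the options are required when `I(file_mode)` is True, which is the opposite of the `required_if` rule this commit adds in `module_utils/fortios.py` (`['file_mode', False, ['host', 'username', 'password']]`) and of the `host` description two entries above; both lines should read `Required when I(file_mode) is False.`. The `config_file` entry would also benefit from `type: path` to match the argument spec, and from noting that the file is rewritten in place when changes are applied outside check mode, since that is the behaviour `apply_changes` now implements. Minor wording: `as input and Output` should be `as input and output`.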
+++ b/test/integration/targets/fortios_ipv4_policy/files/default_config.conf 
@@ -0,0 +1,3134 @@ + config system global + set timezone 04 + set admintimeout 480 + set admin-server-cert "Fortinet_Firmware" + set fgd-alert-subscription advisory latest-threat + set hostname "FortiGate-VM64-HV" + end + config system accprofile + edit prof_admin + set vpngrp read-write + set updategrp read-write + set utmgrp read-write + set routegrp read-write + set wifi read-write + set sysgrp read-write + set loggrp read-write + set mntgrp read-write + set netgrp read-write + set admingrp read-write + set wanoptgrp read-write + set fwgrp read-write + set authgrp read-write + set endpoint-control-grp read-write + next + end + config system interface + edit port1 + set ip 192.168.137.154 255.255.255.0 + set type physical + set allowaccess ping https ssh http fgfm + set vdom "root" + next + edit port2 + set type physical + set vdom "root" + next + edit port3 + set type physical + set vdom "root" + next + edit port4 + set type physical + set vdom "root" + next + edit port5 + set type physical + set vdom "root" + next + edit port6 + set type physical + set vdom "root" + next + edit port7 + set type physical + set vdom "root" + next + edit port8 + set type physical + set vdom "root" + next + edit ssl.root + set alias "SSL VPN interface" + set type tunnel + set vdom "root" + next + end + config system custom-language + edit en + set filename "en" + next + edit fr + set filename "fr" + next + edit sp + set filename "sp" + next + edit pg + set filename "pg" + next + edit x-sjis + set filename "x-sjis" + next + edit big5 + set filename "big5" + next + edit GB2312 + set filename "GB2312" + next + edit euc-kr + set filename "euc-kr" + next + end + config system admin + edit admin + set accprofile "super_admin" + set vdom "root" + config dashboard-tabs + edit 1 + set name "Status" + next + end + config dashboard + edit 1 + set column 1 + set tab-id 1 + next + edit 2 + set column 1 + set widget-type licinfo + set tab-id 1 + next + edit 3 + set column 1 + set widget-type 
jsconsole + set tab-id 1 + next + edit 4 + set column 2 + set widget-type sysres + set tab-id 1 + next + edit 5 + set column 2 + set widget-type gui-features + set tab-id 1 + next + edit 6 + set column 2 + set top-n 10 + set widget-type alert + set tab-id 1 + next + end + next + end + config system ha + set override disable + end + config system dns + set primary 208.91.112.53 + set secondary 208.91.112.52 + end + config system replacemsg-image + edit logo_fnet + set image-base64 '' + set image-type gif + next + edit logo_fguard_wf + set image-base64 '' + set image-type gif + next + edit logo_fw_auth + set image-base64 '' + set image-type png + next + edit logo_v2_fnet + set image-base64 '' + set image-type png + next + edit logo_v2_fguard_wf + set image-base64 '' + set image-type png + next + edit logo_v2_fguard_app + set image-base64 '' + set image-type png + next + end + config system replacemsg mail email-block + end + config system replacemsg mail email-dlp-subject + end + config system replacemsg mail email-dlp-ban + end + config system replacemsg mail email-filesize + end + config system replacemsg mail partial + end + config system replacemsg mail smtp-block + end + config system replacemsg mail smtp-filesize + end + config system replacemsg http bannedword + end + config system replacemsg http url-block + end + config system replacemsg http urlfilter-err + end + config system replacemsg http infcache-block + end + config system replacemsg http http-block + end + config system replacemsg http http-filesize + end + config system replacemsg http http-dlp-ban + end + config system replacemsg http http-archive-block + end + config system replacemsg http http-contenttypeblock + end + config system replacemsg http https-invalid-cert-block + end + config system replacemsg http http-client-block + end + config system replacemsg http http-client-filesize + end + config system replacemsg http http-client-bannedword + end + config system replacemsg http 
http-post-block + end + config system replacemsg http http-client-archive-block + end + config system replacemsg http switching-protocols-block + end + config system replacemsg webproxy deny + end + config system replacemsg webproxy user-limit + end + config system replacemsg webproxy auth-challenge + end + config system replacemsg webproxy auth-login-fail + end + config system replacemsg webproxy auth-authorization-fail + end + config system replacemsg webproxy http-err + end + config system replacemsg webproxy auth-ip-blackout + end + config system replacemsg ftp ftp-dl-blocked + end + config system replacemsg ftp ftp-dl-filesize + end + config system replacemsg ftp ftp-dl-dlp-ban + end + config system replacemsg ftp ftp-explicit-banner + end + config system replacemsg ftp ftp-dl-archive-block + end + config system replacemsg nntp nntp-dl-blocked + end + config system replacemsg nntp nntp-dl-filesize + end + config system replacemsg nntp nntp-dlp-subject + end + config system replacemsg nntp nntp-dlp-ban + end + config system replacemsg fortiguard-wf ftgd-block + end + config system replacemsg fortiguard-wf http-err + end + config system replacemsg fortiguard-wf ftgd-ovrd + end + config system replacemsg fortiguard-wf ftgd-quota + end + config system replacemsg fortiguard-wf ftgd-warning + end + config system replacemsg spam ipblocklist + end + config system replacemsg spam smtp-spam-dnsbl + end + config system replacemsg spam smtp-spam-feip + end + config system replacemsg spam smtp-spam-helo + end + config system replacemsg spam smtp-spam-emailblack + end + config system replacemsg spam smtp-spam-mimeheader + end + config system replacemsg spam reversedns + end + config system replacemsg spam smtp-spam-bannedword + end + config system replacemsg spam smtp-spam-ase + end + config system replacemsg spam submit + end + config system replacemsg im im-file-xfer-block + end + config system replacemsg im im-file-xfer-name + end + config system replacemsg im 
im-file-xfer-infected + end + config system replacemsg im im-file-xfer-size + end + config system replacemsg im im-dlp + end + config system replacemsg im im-dlp-ban + end + config system replacemsg im im-voice-chat-block + end + config system replacemsg im im-video-chat-block + end + config system replacemsg im im-photo-share-block + end + config system replacemsg im im-long-chat-block + end + config system replacemsg alertmail alertmail-virus + end + config system replacemsg alertmail alertmail-block + end + config system replacemsg alertmail alertmail-nids-event + end + config system replacemsg alertmail alertmail-crit-event + end + config system replacemsg alertmail alertmail-disk-full + end + config system replacemsg admin pre_admin-disclaimer-text + end + config system replacemsg admin post_admin-disclaimer-text + end + config system replacemsg auth auth-disclaimer-page-1 + end + config system replacemsg auth auth-disclaimer-page-2 + end + config system replacemsg auth auth-disclaimer-page-3 + end + config system replacemsg auth auth-reject-page + end + config system replacemsg auth auth-login-page + end + config system replacemsg auth auth-login-failed-page + end + config system replacemsg auth auth-token-login-page + end + config system replacemsg auth auth-token-login-failed-page + end + config system replacemsg auth auth-success-msg + end + config system replacemsg auth auth-challenge-page + end + config system replacemsg auth auth-keepalive-page + end + config system replacemsg auth auth-portal-page + end + config system replacemsg auth auth-password-page + end + config system replacemsg auth auth-fortitoken-page + end + config system replacemsg auth auth-next-fortitoken-page + end + config system replacemsg auth auth-email-token-page + end + config system replacemsg auth auth-sms-token-page + end + config system replacemsg auth auth-email-harvesting-page + end + config system replacemsg auth auth-email-failed-page + end + config system replacemsg auth 
auth-cert-passwd-page + end + config system replacemsg auth auth-guest-print-page + end + config system replacemsg auth auth-guest-email-page + end + config system replacemsg auth auth-success-page + end + config system replacemsg auth auth-block-notification-page + end + config system replacemsg sslvpn sslvpn-login + end + config system replacemsg sslvpn sslvpn-limit + end + config system replacemsg sslvpn hostcheck-error + end + config system replacemsg ec endpt-download-portal + end + config system replacemsg ec endpt-download-portal-mac + end + config system replacemsg ec endpt-download-portal-ios + end + config system replacemsg ec endpt-download-portal-aos + end + config system replacemsg ec endpt-download-portal-other + end + config system replacemsg device-detection-portal device-detection-failure + end + config system replacemsg nac-quar nac-quar-virus + end + config system replacemsg nac-quar nac-quar-dos + end + config system replacemsg nac-quar nac-quar-ips + end + config system replacemsg nac-quar nac-quar-dlp + end + config system replacemsg nac-quar nac-quar-admin + end + config system replacemsg traffic-quota per-ip-shaper-block + end + config system replacemsg utm virus-html + end + config system replacemsg utm virus-text + end + config system replacemsg utm dlp-html + end + config system replacemsg utm dlp-text + end + config system replacemsg utm appblk-html + end + config vpn certificate ca + end + config vpn certificate local + edit Fortinet_CA_SSLProxy + set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- + set password ENC eRZ5UNnzW1eAAJn+reDWnDdgQZ1yxFr7z+rp0lzCeKX64OiaEcBKwGIzocIf5y5p37siqf1bPHwEMWkvISqQSXKT8JijvaLtA/oNlqTw8GwglMlW390JTckMS7v60mVQ2Jj1Ng9q4xi2dXKpVGXqYnpc1nDSApGqHTwpL/lgc1+HLh0CQvn4zQpIs8//4hVscjqz0g== + set certificate "-----BEGIN CERTIFICATE----- + set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates." 
+ next + edit Fortinet_SSLProxy + set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- + set password ENC JGQ1Psth3oHimOP5bRUzt+zfBA5PlPBXZj6xLvqp7JILLBa6Der02qjotGI4UnaKAGSad7uEkPKLq2ePjzBy/Rc/E55FJO8OjffWzIOgpT1jYMmw8IOuAlB50weCRpzMowrLT+FKFF53SxG+oe5n4EaoiqR92WZsXzOTFpNdSFXyvggt/lmOz4Zm08AMD3sWFWg/ZA== + set certificate "-----BEGIN CERTIFICATE----- + next + end + config user device-category + edit ipad + next + edit iphone + next + edit gaming-console + next + edit blackberry-phone + next + edit blackberry-playbook + next + edit linux-pc + next + edit mac + next + edit windows-pc + next + edit android-phone + next + edit android-tablet + next + edit media-streaming + next + edit windows-phone + next + edit windows-tablet + next + edit fortinet-device + next + edit ip-phone + next + edit router-nat-device + next + edit printer + next + edit other-network-device + next + edit collected-emails + next + edit all + next + end + config system session-sync + end + config system fortiguard + set webfilter-sdns-server-ip "208.91.112.220" + end + config ips global + set default-app-cat-mask 18446744073474670591 + end + config ips dbinfo + set version 1 + end + config gui console + end + config system session-helper + edit 1 + set protocol 6 + set name pptp + set port 1723 + next + edit 2 + set protocol 6 + set name h323 + set port 1720 + next + edit 3 + set protocol 17 + set name ras + set port 1719 + next + edit 4 + set protocol 6 + set name tns + set port 1521 + next + edit 5 + set protocol 17 + set name tftp + set port 69 + next + edit 6 + set protocol 6 + set name rtsp + set port 554 + next + edit 7 + set protocol 6 + set name rtsp + set port 7070 + next + edit 8 + set protocol 6 + set name rtsp + set port 8554 + next + edit 9 + set protocol 6 + set name ftp + set port 21 + next + edit 10 + set protocol 6 + set name mms + set port 1863 + next + edit 11 + set protocol 6 + set name pmap + set port 111 + next + edit 12 + set protocol 17 + set name pmap + set port 111 + 
next + edit 13 + set protocol 17 + set name sip + set port 5060 + next + edit 14 + set protocol 17 + set name dns-udp + set port 53 + next + edit 15 + set protocol 6 + set name rsh + set port 514 + next + edit 16 + set protocol 6 + set name rsh + set port 512 + next + edit 17 + set protocol 6 + set name dcerpc + set port 135 + next + edit 18 + set protocol 17 + set name dcerpc + set port 135 + next + edit 19 + set protocol 17 + set name mgcp + set port 2427 + next + edit 20 + set protocol 17 + set name mgcp + set port 2727 + next + end + config system auto-install + set auto-install-config enable + set auto-install-image enable + end + config system ntp + set ntpsync enable + set syncinterval 60 + end + config system settings + end + config firewall address + edit SSLVPN_TUNNEL_ADDR1 + set type iprange + set end-ip 10.212.134.210 + set start-ip 10.212.134.200 + next + edit all + next + edit none + set subnet 0.0.0.0 255.255.255.255 + next + edit apple + set type fqdn + set fqdn "*.apple.com" + next + edit dropbox.com + set type fqdn + set fqdn "*.dropbox.com" + next + edit Gotomeeting + set type fqdn + set fqdn "*.gotomeeting.com" + next + edit icloud + set type fqdn + set fqdn "*.icloud.com" + next + edit itunes + set type fqdn + set fqdn "*itunes.apple.com" + next + edit android + set type fqdn + set fqdn "*.android.com" + next + edit skype + set type fqdn + set fqdn "*.messenger.live.com" + next + edit swscan.apple.com + set type fqdn + set fqdn "swscan.apple.com" + next + edit update.microsoft.com + set type fqdn + set fqdn "update.microsoft.com" + next + edit appstore + set type fqdn + set fqdn "*.appstore.com" + next + edit eease + set type fqdn + set fqdn "*.eease.com" + next + edit google-drive + set type fqdn + set fqdn "*drive.google.com" + next + edit google-play + set type fqdn + set fqdn "play.google.com" + next + edit google-play2 + set type fqdn + set fqdn "*.ggpht.com" + next + edit google-play3 + set type fqdn + set fqdn "*.books.google.com" + next 
+ edit microsoft + set type fqdn + set fqdn "*.microsoft.com" + next + edit adobe + set type fqdn + set fqdn "*.adobe.com" + next + edit Adobe Login + set type fqdn + set fqdn "*.adobelogin.com" + next + edit fortinet + set type fqdn + set fqdn "*.fortinet.com" + next + edit googleapis.com + set type fqdn + set fqdn "*.googleapis.com" + next + edit citrix + set type fqdn + set fqdn "*.citrixonline.com" + next + edit verisign + set type fqdn + set fqdn "*.verisign.com" + next + edit Windows update 2 + set type fqdn + set fqdn "*.windowsupdate.com" + next + edit *.live.com + set type fqdn + set fqdn "*.live.com" + next + edit auth.gfx.ms + set type fqdn + set fqdn "auth.gfx.ms" + next + edit autoupdate.opera.com + set type fqdn + set fqdn "autoupdate.opera.com" + next + edit softwareupdate.vmware.com + set type fqdn + set fqdn "softwareupdate.vmware.com" + next + edit firefox update server + set type fqdn + set fqdn "aus*.mozilla.org" + next + end + config firewall multicast-address + edit all + set end-ip 239.255.255.255 + set start-ip 224.0.0.0 + next + edit all_hosts + set end-ip 224.0.0.1 + set start-ip 224.0.0.1 + next + edit all_routers + set end-ip 224.0.0.2 + set start-ip 224.0.0.2 + next + edit Bonjour + set end-ip 224.0.0.251 + set start-ip 224.0.0.251 + next + edit EIGRP + set end-ip 224.0.0.10 + set start-ip 224.0.0.10 + next + edit OSPF + set end-ip 224.0.0.6 + set start-ip 224.0.0.5 + next + end + config firewall address6 + edit SSLVPN_TUNNEL_IPv6_ADDR1 + set ip6 fdff:ffff::/120 + next + edit all + next + edit none + set ip6 ::/128 + next + end + config firewall service category + edit General + set comment "General services." + next + edit Web Access + set comment "Web access." + next + edit File Access + set comment "File access." + next + edit Email + set comment "Email services." + next + edit Network Services + set comment "Network services." + next + edit Authentication + set comment "Authentication service." 
+ next + edit Remote Access + set comment "Remote access." + next + edit Tunneling + set comment "Tunneling service." + next + edit VoIP, Messaging & Other Applications + set comment "VoIP, messaging, and other applications." + next + edit Web Proxy + set comment "Explicit web proxy." + next + end + config firewall service custom + edit ALL + set category "General" + set protocol IP + next + edit ALL_TCP + set category "General" + set tcp-portrange 1-65535 + next + edit ALL_UDP + set category "General" + set udp-portrange 1-65535 + next + edit ALL_ICMP + set category "General" + set protocol ICMP + next + edit ALL_ICMP6 + set category "General" + set protocol ICMP6 + next + edit GRE + set category "Tunneling" + set protocol-number 47 + set protocol IP + next + edit AH + set category "Tunneling" + set protocol-number 51 + set protocol IP + next + edit ESP + set category "Tunneling" + set protocol-number 50 + set protocol IP + next + edit AOL + set visibility disable + set tcp-portrange 5190-5194 + next + edit BGP + set category "Network Services" + set tcp-portrange 179 + next + edit DHCP + set category "Network Services" + set udp-portrange 67-68 + next + edit DNS + set category "Network Services" + set udp-portrange 53 + set tcp-portrange 53 + next + edit FINGER + set visibility disable + set tcp-portrange 79 + next + edit FTP + set category "File Access" + set tcp-portrange 21 + next + edit FTP_GET + set category "File Access" + set tcp-portrange 21 + next + edit FTP_PUT + set category "File Access" + set tcp-portrange 21 + next + edit GOPHER + set visibility disable + set tcp-portrange 70 + next + edit H323 + set category "VoIP, Messaging & Other Applications" + set udp-portrange 1719 + set tcp-portrange 1720 1503 + next + edit HTTP + set category "Web Access" + set tcp-portrange 80 + next + edit HTTPS + set category "Web Access" + set tcp-portrange 443 + next + edit IKE + set category "Tunneling" + set udp-portrange 500 4500 + next + edit IMAP + set category 
"Email" + set tcp-portrange 143 + next + edit IMAPS + set category "Email" + set tcp-portrange 993 + next + edit Internet-Locator-Service + set visibility disable + set tcp-portrange 389 + next + edit IRC + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 6660-6669 + next + edit L2TP + set category "Tunneling" + set udp-portrange 1701 + set tcp-portrange 1701 + next + edit LDAP + set category "Authentication" + set tcp-portrange 389 + next + edit NetMeeting + set visibility disable + set tcp-portrange 1720 + next + edit NFS + set category "File Access" + set udp-portrange 111 2049 + set tcp-portrange 111 2049 + next + edit NNTP + set visibility disable + set tcp-portrange 119 + next + edit NTP + set category "Network Services" + set udp-portrange 123 + set tcp-portrange 123 + next + edit OSPF + set category "Network Services" + set protocol-number 89 + set protocol IP + next + edit PC-Anywhere + set category "Remote Access" + set udp-portrange 5632 + set tcp-portrange 5631 + next + edit PING + set category "Network Services" + set protocol ICMP + set icmptype 8 + next + edit TIMESTAMP + set protocol ICMP + set visibility disable + set icmptype 13 + next + edit INFO_REQUEST + set protocol ICMP + set visibility disable + set icmptype 15 + next + edit INFO_ADDRESS + set protocol ICMP + set visibility disable + set icmptype 17 + next + edit ONC-RPC + set category "Remote Access" + set udp-portrange 111 + set tcp-portrange 111 + next + edit DCE-RPC + set category "Remote Access" + set udp-portrange 135 + set tcp-portrange 135 + next + edit POP3 + set category "Email" + set tcp-portrange 110 + next + edit POP3S + set category "Email" + set tcp-portrange 995 + next + edit PPTP + set category "Tunneling" + set tcp-portrange 1723 + next + edit QUAKE + set udp-portrange 26000 27000 27910 27960 + set visibility disable + next + edit RAUDIO + set udp-portrange 7070 + set visibility disable + next + edit REXEC + set visibility disable + set tcp-portrange 
512 + next + edit RIP + set category "Network Services" + set udp-portrange 520 + next + edit RLOGIN + set visibility disable + set tcp-portrange 513:512-1023 + next + edit RSH + set visibility disable + set tcp-portrange 514:512-1023 + next + edit SCCP + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 2000 + next + edit SIP + set category "VoIP, Messaging & Other Applications" + set udp-portrange 5060 + set tcp-portrange 5060 + next + edit SIP-MSNmessenger + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 1863 + next + edit SAMBA + set category "File Access" + set tcp-portrange 139 + next + edit SMTP + set category "Email" + set tcp-portrange 25 + next + edit SMTPS + set category "Email" + set tcp-portrange 465 + next + edit SNMP + set category "Network Services" + set udp-portrange 161-162 + set tcp-portrange 161-162 + next + edit SSH + set category "Remote Access" + set tcp-portrange 22 + next + edit SYSLOG + set category "Network Services" + set udp-portrange 514 + next + edit TALK + set udp-portrange 517-518 + set visibility disable + next + edit TELNET + set category "Remote Access" + set tcp-portrange 23 + next + edit TFTP + set category "File Access" + set udp-portrange 69 + next + edit MGCP + set udp-portrange 2427 2727 + set visibility disable + next + edit UUCP + set visibility disable + set tcp-portrange 540 + next + edit VDOLIVE + set visibility disable + set tcp-portrange 7000-7010 + next + edit WAIS + set visibility disable + set tcp-portrange 210 + next + edit WINFRAME + set visibility disable + set tcp-portrange 1494 2598 + next + edit X-WINDOWS + set category "Remote Access" + set tcp-portrange 6000-6063 + next + edit PING6 + set protocol ICMP6 + set visibility disable + set icmptype 128 + next + edit MS-SQL + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 1433 1434 + next + edit MYSQL + set category "VoIP, Messaging & Other Applications" + set tcp-portrange 3306 + next + 
edit RDP + set category "Remote Access" + set tcp-portrange 3389 + next + edit VNC + set category "Remote Access" + set tcp-portrange 5900 + next + edit DHCP6 + set category "Network Services" + set udp-portrange 546 547 + next + edit SQUID + set category "Tunneling" + set tcp-portrange 3128 + next + edit SOCKS + set category "Tunneling" + set udp-portrange 1080 + set tcp-portrange 1080 + next + edit WINS + set category "Remote Access" + set udp-portrange 1512 + set tcp-portrange 1512 + next + edit RADIUS + set category "Authentication" + set udp-portrange 1812 1813 + next + edit RADIUS-OLD + set udp-portrange 1645 1646 + set visibility disable + next + edit CVSPSERVER + set udp-portrange 2401 + set visibility disable + set tcp-portrange 2401 + next + edit AFS3 + set category "File Access" + set udp-portrange 7000-7009 + set tcp-portrange 7000-7009 + next + edit TRACEROUTE + set category "Network Services" + set udp-portrange 33434-33535 + next + edit RTSP + set category "VoIP, Messaging & Other Applications" + set udp-portrange 554 + set tcp-portrange 554 7070 8554 + next + edit MMS + set udp-portrange 1024-5000 + set visibility disable + set tcp-portrange 1755 + next + edit KERBEROS + set category "Authentication" + set udp-portrange 88 + set tcp-portrange 88 + next + edit LDAP_UDP + set category "Authentication" + set udp-portrange 389 + next + edit SMB + set category "File Access" + set tcp-portrange 445 + next + edit NONE + set visibility disable + set tcp-portrange 0 + next + edit webproxy + set category "Web Proxy" + set explicit-proxy enable + set protocol ALL + set tcp-portrange 0-65535:0-65535 + next + end + config firewall service group + edit Email Access + set member "DNS" "IMAP" "IMAPS" "POP3" "POP3S" "SMTP" "SMTPS" + next + edit Web Access + set member "DNS" "HTTP" "HTTPS" + next + edit Windows AD + set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB" + next + edit Exchange Server + set member "DCE-RPC" "DNS" "HTTPS" + next + end + 
config webfilter ftgd-local-cat + edit custom1 + set id 140 + next + edit custom2 + set id 141 + next + end + config ips sensor + edit default + set comment "Prevent critical attacks." + config entries + edit 1 + set severity medium high critical + next + end + next + edit all_default + set comment "All predefined signatures with default setting." + config entries + edit 1 + next + end + next + edit all_default_pass + set comment "All predefined signatures with PASS action." + config entries + edit 1 + set action pass + next + end + next + edit protect_http_server + set comment "Protect against HTTP server-side vulnerabilities." + config entries + edit 1 + set protocol HTTP + set location server + next + end + next + edit protect_email_server + set comment "Protect against email server-side vulnerabilities." + config entries + edit 1 + set protocol SMTP POP3 IMAP + set location server + next + end + next + edit protect_client + set comment "Protect against client-side vulnerabilities." + config entries + edit 1 + set location client + next + end + next + edit high_security + set comment "Blocks all Critical/High/Medium and some Low severity vulnerabilities" + config entries + edit 1 + set status enable + set action block + set severity medium high critical + next + edit 2 + set severity low + next + end + next + end + config firewall shaper traffic-shaper + edit high-priority + set per-policy enable + set maximum-bandwidth 1048576 + next + edit medium-priority + set priority medium + set per-policy enable + set maximum-bandwidth 1048576 + next + edit low-priority + set priority low + set per-policy enable + set maximum-bandwidth 1048576 + next + edit guarantee-100kbps + set guaranteed-bandwidth 100 + set maximum-bandwidth 1048576 + set per-policy enable + next + edit shared-1M-pipe + set maximum-bandwidth 1024 + next + end + config web-proxy global + set proxy-fqdn "default.fqdn" + end + config application list + edit default + set comment "Monitor all 
applications." + config entries + edit 1 + set action pass + next + end + next + edit block-p2p + config entries + edit 1 + set category 2 + next + end + next + edit monitor-p2p-and-media + config entries + edit 1 + set category 2 + set action pass + next + edit 2 + set category 5 + set action pass + next + end + next + end + config dlp filepattern + edit 1 + set name "builtin-patterns" + config entries + edit *.bat + next + edit *.com + next + edit *.dll + next + edit *.doc + next + edit *.exe + next + edit *.gz + next + edit *.hta + next + edit *.ppt + next + edit *.rar + next + edit *.scr + next + edit *.tar + next + edit *.tgz + next + edit *.vb? + next + edit *.wps + next + edit *.xl? + next + edit *.zip + next + edit *.pif + next + edit *.cpl + next + end + next + edit 2 + set name "all_executables" + config entries + edit bat + set file-type bat + set filter-type type + next + edit exe + set file-type exe + set filter-type type + next + edit elf + set file-type elf + set filter-type type + next + edit hta + set file-type hta + set filter-type type + next + end + next + end + config dlp fp-sensitivity + edit Private + next + edit Critical + next + edit Warning + next + end + config dlp sensor + edit default + set comment "Log a summary of email and web traffic." 
+ set summary-proto smtp pop3 imap http-get http-post + next + end + config webfilter content + end + config webfilter urlfilter + end + config spamfilter bword + end + config spamfilter bwl + end + config spamfilter mheader + end + config spamfilter dnsbl + end + config spamfilter iptrust + end + config log threat-weight + config web + edit 1 + set category 26 + set level high + next + edit 2 + set category 61 + set level high + next + edit 3 + set category 86 + set level high + next + edit 4 + set category 1 + set level medium + next + edit 5 + set category 3 + set level medium + next + edit 6 + set category 4 + set level medium + next + edit 7 + set category 5 + set level medium + next + edit 8 + set category 6 + set level medium + next + edit 9 + set category 12 + set level medium + next + edit 10 + set category 59 + set level medium + next + edit 11 + set category 62 + set level medium + next + edit 12 + set category 83 + set level medium + next + edit 13 + set category 72 + next + edit 14 + set category 14 + next + end + config application + edit 1 + set category 2 + next + edit 2 + set category 6 + set level medium + next + edit 3 + set category 19 + set level critical + next + end + end + config icap profile + edit default + next + end + config user local + edit guest + set passwd ENC EntYbQ4nWAFLGsQz5QbIt8MIxko4Ms6Nm/9fMo/5+L7FJO42JRExvl705N++oKwIB0NvfdWaiqfZ/LGPDSOVqRZnqn4pUWOlNVE6yfGxbCZUIXTlcSL58A2ok3Yd428rHETuf7mNrOJMdVS1tfnrx5+92ofsXVzAn/kpKeJLrtBRWNfBQ1YplQ2FfEDCHHW27akz4g== + set type password + next + end + config user group + edit SSO_Guest_Users + next + edit Guest-group + set member "guest" + next + end + config user device-group + edit Mobile Devices + set member "android-phone" "android-tablet" "blackberry-phone" "blackberry-playbook" "ipad" "iphone" "windows-phone" "windows-tablet" + set comment "Phones, tablets, etc." 
+ next + edit Network Devices + set member "fortinet-device" "other-network-device" "router-nat-device" + set comment "Routers, firewalls, gateways, etc." + next + edit Others + set member "gaming-console" "media-streaming" + set comment "Other devices." + next + end + config vpn ssl web host-check-software + edit FortiClient-AV + set guid "C86EC76D-5A4C-40E7-BD94-59358E544D81" + next + edit FortiClient-FW + set guid "528CB157-D384-4593-AAAA-E42DFF111CED" + set type fw + next + edit FortiClient-AV-Vista-Win7 + set guid "385618A6-2256-708E-3FB9-7E98B93F91F9" + next + edit FortiClient-FW-Vista-Win7 + set guid "006D9983-6839-71D6-14E6-D7AD47ECD682" + set type fw + next + edit AVG-Internet-Security-AV + set guid "17DDD097-36FF-435F-9E1B-52D74245D6BF" + next + edit AVG-Internet-Security-FW + set guid "8DECF618-9569-4340-B34A-D78D28969B66" + set type fw + next + edit AVG-Internet-Security-AV-Vista-Win7 + set guid "0C939084-9E57-CBDB-EA61-0B0C7F62AF82" + next + edit AVG-Internet-Security-FW-Vista-Win7 + set guid "34A811A1-D438-CA83-C13E-A23981B1E8F9" + set type fw + next + edit CA-Anti-Virus + set guid "17CFD1EA-56CF-40B5-A06B-BD3A27397C93" + next + edit CA-Internet-Security-AV + set guid "6B98D35F-BB76-41C0-876B-A50645ED099A" + next + edit CA-Internet-Security-FW + set guid "38102F93-1B6E-4922-90E1-A35D8DC6DAA3" + set type fw + next + edit CA-Internet-Security-AV-Vista-Win7 + set guid "3EED0195-0A4B-4EF3-CC4F-4F401BDC245F" + next + edit CA-Internet-Security-FW-Vista-Win7 + set guid "06D680B0-4024-4FAB-E710-E675E50F6324" + set type fw + next + edit CA-Personal-Firewall + set guid "14CB4B80-8E52-45EA-905E-67C1267B4160" + set type fw + next + edit F-Secure-Internet-Security-AV + set guid "E7512ED5-4245-4B4D-AF3A-382D3F313F15" + next + edit F-Secure-Internet-Security-FW + set guid "D4747503-0346-49EB-9262-997542F79BF4" + set type fw + next + edit F-Secure-Internet-Security-AV-Vista-Win7 + set guid "15414183-282E-D62C-CA37-EF24860A2F17" + next + edit 
F-Secure-Internet-Security-FW-Vista-Win7 + set guid "2D7AC0A6-6241-D774-E168-461178D9686C" + set type fw + next + edit Kaspersky-AV + set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0" + next + edit Kaspersky-FW + set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0" + set type fw + next + edit Kaspersky-AV-Vista-Win7 + set guid "AE1D740B-8F0F-D137-211D-873D44B3F4AE" + next + edit Kaspersky-FW-Vista-Win7 + set guid "9626F52E-C560-D06F-0A42-2E08BA60B3D5" + set type fw + next + edit McAfee-Internet-Security-Suite-AV + set guid "84B5EE75-6421-4CDE-A33A-DD43BA9FAD83" + next + edit McAfee-Internet-Security-Suite-FW + set guid "94894B63-8C7F-4050-BDA4-813CA00DA3E8" + set type fw + next + edit McAfee-Internet-Security-Suite-AV-Vista-Win7 + set guid "86355677-4064-3EA7-ABB3-1B136EB04637" + next + edit McAfee-Internet-Security-Suite-FW-Vista-Win7 + set guid "BE0ED752-0A0B-3FFF-80EC-B2269063014C" + set type fw + next + edit McAfee-Virus-Scan-Enterprise + set guid "918A2B0B-2C60-4016-A4AB-E868DEABF7F0" + next + edit Norton-360-2.0-AV + set guid "A5F1BC7C-EA33-4247-961C-0217208396C4" + next + edit Norton-360-2.0-FW + set guid "371C0A40-5A0C-4AD2-A6E5-69C02037FBF3" + set type fw + next + edit Norton-360-3.0-AV + set guid "E10A9785-9598-4754-B552-92431C1C35F8" + next + edit Norton-360-3.0-FW + set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220" + set type fw + next + edit Norton-Internet-Security-AV + set guid "E10A9785-9598-4754-B552-92431C1C35F8" + next + edit Norton-Internet-Security-FW + set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220" + set type fw + next + edit Norton-Internet-Security-AV-Vista-Win7 + set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855" + next + edit Norton-Internet-Security-FW-Vista-Win7 + set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E" + set type fw + next + edit Symantec-Endpoint-Protection-AV + set guid "FB06448E-52B8-493A-90F3-E43226D3305C" + next + edit Symantec-Endpoint-Protection-FW + set guid "BE898FE3-CD0B-4014-85A9-03DB9923DDB6" + set type fw + next + edit 
Symantec-Endpoint-Protection-AV-Vista-Win7 + set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855" + next + edit Symantec-Endpoint-Protection-FW-Vista-Win7 + set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E" + set type fw + next + edit Panda-Antivirus+Firewall-2008-AV + set guid "EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A" + next + edit Panda-Antivirus+Firewall-2008-FW + set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8" + set type fw + next + edit Panda-Internet-Security-AV + set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0" + next + edit Panda-Internet-Security-2006~2007-FW + set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0" + set type fw + next + edit Panda-Internet-Security-2008~2009-FW + set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8" + set type fw + next + edit Sophos-Anti-Virus + set guid "3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD" + next + edit Sophos-Enpoint-Secuirty-and-Control-FW + set guid "0786E95E-326A-4524-9691-41EF88FB52EA" + set type fw + next + edit Sophos-Enpoint-Secuirty-and-Control-AV-Vista-Win7 + set guid "479CCF92-4960-B3E0-7373-BF453B467D2C" + next + edit Sophos-Enpoint-Secuirty-and-Control-FW-Vista-Win7 + set guid "7FA74EB7-030F-B2B8-582C-1670C5953A57" + set type fw + next + edit Trend-Micro-AV + set guid "7D2296BC-32CC-4519-917E-52E652474AF5" + next + edit Trend-Micro-FW + set guid "3E790E9E-6A5D-4303-A7F9-185EC20F3EB6" + set type fw + next + edit Trend-Micro-AV-Vista-Win7 + set guid "48929DFC-7A52-A34F-8351-C4DBEDBD9C50" + next + edit Trend-Micro-FW-Vista-Win7 + set guid "70A91CD9-303D-A217-A80E-6DEE136EDB2B" + set type fw + next + edit ZoneAlarm-AV + set guid "5D467B10-818C-4CAB-9FF7-6893B5B8F3CF" + next + edit ZoneAlarm-FW + set guid "829BDA32-94B3-44F4-8446-F8FCFF809F8B" + set type fw + next + edit ZoneAlarm-AV-Vista-Win7 + set guid "D61596DF-D219-341C-49B3-AD30538CBC5B" + next + edit ZoneAlarm-FW-Vista-Win7 + set guid "EE2E17FA-9876-3544-62EC-0405AD5FFB20" + set type fw + next + edit ESET-Smart-Security-AV + set guid "19259FAE-8396-A113-46DB-15B0E7DFA289" + 
next + edit ESET-Smart-Security-FW + set guid "211E1E8B-C9F9-A04B-6D84-BC85190CE5F2" + set type fw + next + end + config vpn ssl web portal + edit full-access + set web-mode enable + set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" + set page-layout double-column + set ip-pools "SSLVPN_TUNNEL_ADDR1" + set ipv6-tunnel-mode enable + set tunnel-mode enable + next + edit web-access + set web-mode enable + next + edit tunnel-access + set ip-pools "SSLVPN_TUNNEL_ADDR1" + set ipv6-tunnel-mode enable + set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" + set tunnel-mode enable + next + end + config vpn ssl settings + set servercert "self-sign" + set port 443 + end + config voip profile + edit default + set comment "Default VoIP profile." + next + edit strict + config sip + set malformed-header-max-forwards discard + set malformed-header-rack discard + set malformed-header-allow discard + set malformed-header-call-id discard + set malformed-header-sdp-v discard + set malformed-header-record-route discard + set malformed-header-contact discard + set malformed-header-sdp-s discard + set malformed-header-content-length discard + set malformed-header-sdp-z discard + set malformed-header-from discard + set malformed-header-route discard + set malformed-header-sdp-b discard + set malformed-header-sdp-c discard + set malformed-header-sdp-a discard + set malformed-header-sdp-o discard + set malformed-header-sdp-m discard + set malformed-header-sdp-k discard + set malformed-header-sdp-i discard + set malformed-header-to discard + set malformed-header-via discard + set malformed-header-sdp-t discard + set malformed-request-line discard + set malformed-header-sdp-r discard + set malformed-header-content-type discard + set malformed-header-expires discard + set malformed-header-rseq discard + set malformed-header-p-asserted-identity discard + set malformed-header-cseq discard + end + next + end + config webfilter profile + edit default + set comment "Default web filtering." 
+ set post-action comfort + config ftgd-wf + config filters + edit 1 + set category 2 + set action warning + next + edit 2 + set category 7 + set action warning + next + edit 3 + set category 8 + set action warning + next + edit 4 + set category 9 + set action warning + next + edit 5 + set category 11 + set action warning + next + edit 6 + set category 12 + set action warning + next + edit 7 + set category 13 + set action warning + next + edit 8 + set category 14 + set action warning + next + edit 9 + set category 15 + set action warning + next + edit 10 + set category 16 + set action warning + next + edit 11 + set action warning + next + edit 12 + set category 57 + set action warning + next + edit 13 + set category 63 + set action warning + next + edit 14 + set category 64 + set action warning + next + edit 15 + set category 65 + set action warning + next + edit 16 + set category 66 + set action warning + next + edit 17 + set category 67 + set action warning + next + edit 18 + set category 26 + set action block + next + end + end + next + edit web-filter-flow + set comment "Flow-based web filter profile." + set inspection-mode flow-based + set post-action comfort + config ftgd-wf + config filters + edit 1 + set category 2 + next + edit 2 + set category 7 + next + edit 3 + set category 8 + next + edit 4 + set category 9 + next + edit 5 + set category 11 + next + edit 6 + set category 12 + next + edit 7 + set category 13 + next + edit 8 + set category 14 + next + edit 9 + set category 15 + next + edit 10 + set category 16 + next + edit 11 + next + edit 12 + set category 57 + next + edit 13 + set category 63 + next + edit 14 + set category 64 + next + edit 15 + set category 65 + next + edit 16 + set category 66 + next + edit 17 + set category 67 + next + edit 18 + set category 26 + set action block + next + end + end + next + edit monitor-all + set comment "Monitor and log all visited URLs, proxy-based." 
+ set web-content-log disable + set web-filter-applet-log disable + set web-ftgd-err-log disable + set web-filter-jscript-log disable + set web-filter-activex-log disable + set web-filter-referer-log disable + set web-filter-js-log disable + set web-invalid-domain-log disable + set web-ftgd-quota-usage disable + set web-filter-command-block-log disable + set web-filter-vbs-log disable + set web-filter-unknown-log disable + set web-filter-cookie-log disable + set log-all-url enable + set web-filter-cookie-removal-log disable + set web-url-log disable + config ftgd-wf + config filters + edit 1 + set category 1 + next + edit 2 + set category 3 + next + edit 3 + set category 4 + next + edit 4 + set category 5 + next + edit 5 + set category 6 + next + edit 6 + set category 12 + next + edit 7 + set category 59 + next + edit 8 + set category 62 + next + edit 9 + set category 83 + next + edit 10 + set category 2 + next + edit 11 + set category 7 + next + edit 12 + set category 8 + next + edit 13 + set category 9 + next + edit 14 + set category 11 + next + edit 15 + set category 13 + next + edit 16 + set category 14 + next + edit 17 + set category 15 + next + edit 18 + set category 16 + next + edit 19 + set category 57 + next + edit 20 + set category 63 + next + edit 21 + set category 64 + next + edit 22 + set category 65 + next + edit 23 + set category 66 + next + edit 24 + set category 67 + next + edit 25 + set category 19 + next + edit 26 + set category 24 + next + edit 27 + set category 25 + next + edit 28 + set category 72 + next + edit 29 + set category 75 + next + edit 30 + set category 76 + next + edit 31 + set category 26 + next + edit 32 + set category 61 + next + edit 33 + set category 86 + next + edit 34 + set category 17 + next + edit 35 + set category 18 + next + edit 36 + set category 20 + next + edit 37 + set category 23 + next + edit 38 + set category 28 + next + edit 39 + set category 29 + next + edit 40 + set category 30 + next + edit 41 + set category 33 
+ next + edit 42 + set category 34 + next + edit 43 + set category 35 + next + edit 44 + set category 36 + next + edit 45 + set category 37 + next + edit 46 + set category 38 + next + edit 47 + set category 39 + next + edit 48 + set category 40 + next + edit 49 + set category 42 + next + edit 50 + set category 44 + next + edit 51 + set category 46 + next + edit 52 + set category 47 + next + edit 53 + set category 48 + next + edit 54 + set category 54 + next + edit 55 + set category 55 + next + edit 56 + set category 58 + next + edit 57 + set category 68 + next + edit 58 + set category 69 + next + edit 59 + set category 70 + next + edit 60 + set category 71 + next + edit 61 + set category 77 + next + edit 62 + set category 78 + next + edit 63 + set category 79 + next + edit 64 + set category 80 + next + edit 65 + set category 82 + next + edit 66 + set category 85 + next + edit 67 + set category 87 + next + edit 68 + set category 31 + next + edit 69 + set category 41 + next + edit 70 + set category 43 + next + edit 71 + set category 49 + next + edit 72 + set category 50 + next + edit 73 + set category 51 + next + edit 74 + set category 52 + next + edit 75 + set category 53 + next + edit 76 + set category 56 + next + edit 77 + set category 81 + next + edit 78 + set category 84 + next + edit 79 + next + end + end + next + edit flow-monitor-all + set comment "Monitor and log all visited URLs, flow-based." 
+ set web-content-log disable + set web-filter-applet-log disable + set web-ftgd-err-log disable + set web-filter-command-block-log disable + set web-filter-jscript-log disable + set web-filter-activex-log disable + set web-filter-referer-log disable + set web-filter-js-log disable + set web-invalid-domain-log disable + set web-ftgd-quota-usage disable + set inspection-mode flow-based + set web-filter-vbs-log disable + set web-filter-unknown-log disable + set web-filter-cookie-log disable + set log-all-url enable + set web-filter-cookie-removal-log disable + set web-url-log disable + config ftgd-wf + config filters + edit 1 + set category 1 + next + edit 2 + set category 3 + next + edit 3 + set category 4 + next + edit 4 + set category 5 + next + edit 5 + set category 6 + next + edit 6 + set category 12 + next + edit 7 + set category 59 + next + edit 8 + set category 62 + next + edit 9 + set category 83 + next + edit 10 + set category 2 + next + edit 11 + set category 7 + next + edit 12 + set category 8 + next + edit 13 + set category 9 + next + edit 14 + set category 11 + next + edit 15 + set category 13 + next + edit 16 + set category 14 + next + edit 17 + set category 15 + next + edit 18 + set category 16 + next + edit 19 + set category 57 + next + edit 20 + set category 63 + next + edit 21 + set category 64 + next + edit 22 + set category 65 + next + edit 23 + set category 66 + next + edit 24 + set category 67 + next + edit 25 + set category 19 + next + edit 26 + set category 24 + next + edit 27 + set category 25 + next + edit 28 + set category 72 + next + edit 29 + set category 75 + next + edit 30 + set category 76 + next + edit 31 + set category 26 + next + edit 32 + set category 61 + next + edit 33 + set category 86 + next + edit 34 + set category 17 + next + edit 35 + set category 18 + next + edit 36 + set category 20 + next + edit 37 + set category 23 + next + edit 38 + set category 28 + next + edit 39 + set category 29 + next + edit 40 + set category 30 + 
next + edit 41 + set category 33 + next + edit 42 + set category 34 + next + edit 43 + set category 35 + next + edit 44 + set category 36 + next + edit 45 + set category 37 + next + edit 46 + set category 38 + next + edit 47 + set category 39 + next + edit 48 + set category 40 + next + edit 49 + set category 42 + next + edit 50 + set category 44 + next + edit 51 + set category 46 + next + edit 52 + set category 47 + next + edit 53 + set category 48 + next + edit 54 + set category 54 + next + edit 55 + set category 55 + next + edit 56 + set category 58 + next + edit 57 + set category 68 + next + edit 58 + set category 69 + next + edit 59 + set category 70 + next + edit 60 + set category 71 + next + edit 61 + set category 77 + next + edit 62 + set category 78 + next + edit 63 + set category 79 + next + edit 64 + set category 80 + next + edit 65 + set category 82 + next + edit 66 + set category 85 + next + edit 67 + set category 87 + next + edit 68 + set category 31 + next + edit 69 + set category 41 + next + edit 70 + set category 43 + next + edit 71 + set category 49 + next + edit 72 + set category 50 + next + edit 73 + set category 51 + next + edit 74 + set category 52 + next + edit 75 + set category 53 + next + edit 76 + set category 56 + next + edit 77 + set category 81 + next + edit 78 + set category 84 + next + edit 79 + next + end + end + next + edit block-security-risks + set comment "Block security risks." 
+ config ftgd-wf + set options rate-server-ip + config filters + edit 1 + set category 26 + set action block + next + edit 2 + set category 61 + set action block + next + edit 3 + set category 86 + set action block + next + edit 4 + set action warning + next + end + end + next + end + config webfilter override + end + config webfilter override-user + end + config webfilter ftgd-warning + end + config webfilter ftgd-local-rating + end + config webfilter search-engine + edit google + set url "^\\/((custom|search|images|videosearch|webhp)\\?)" + set query "q=" + set safesearch-str "&safe=active" + set hostname ".*\\.google\\..*" + set safesearch url + next + edit yahoo + set url "^\\/search(\\/video|\\/images){0,1}(\\?|;)" + set query "p=" + set safesearch-str "&vm=r" + set hostname ".*\\.yahoo\\..*" + set safesearch url + next + edit bing + set url "^(\\/images|\\/videos)?(\\/search|\\/async|\\/asyncv2)\\?" + set query "q=" + set safesearch-str "&adlt=strict" + set hostname "www\\.bing\\.com" + set safesearch url + next + edit yandex + set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?" + set query "text=" + set safesearch-str "&family=yes" + set hostname "yandex\\..*" + set safesearch url + next + edit youtube + set safesearch header + set hostname ".*\\.youtube\\..*" + next + edit baidu + set url "^\\/s?\\?" + set query "wd=" + set hostname ".*\\.baidu\\.com" + next + edit baidu2 + set url "^\\/(ns|q|m|i|v)\\?" + set query "word=" + set hostname ".*\\.baidu\\.com" + next + edit baidu3 + set url "^\\/f\\?" + set query "kw=" + set hostname "tieba\\.baidu\\.com" + next + end + config antivirus profile + edit default + set comment "Scan files and block viruses." + config http + set options scan + end + config ftp + set options scan + end + config imap + set options scan + end + config pop3 + set options scan + end + config smtp + set options scan + end + next + end + config spamfilter profile + edit default + set comment "Malware and phishing URL filtering." 
+ next + end + config wanopt settings + set host-id "default-id" + end + config wanopt profile + edit default + set comments "Default WANopt profile." + next + end + config firewall schedule recurring + edit always + set day sunday monday tuesday wednesday thursday friday saturday + next + edit none + set day none + next + end + config firewall profile-protocol-options + edit default + set comment "All default services." + config http + set ports 80 + end + config ftp + set ports 21 + set options splice + end + config imap + set ports 143 + set options fragmail + end + config mapi + set ports 135 + set options fragmail + end + config pop3 + set ports 110 + set options fragmail + end + config smtp + set ports 25 + set options fragmail splice + end + config nntp + set ports 119 + set options splice + end + config dns + set ports 53 + end + next + end + config firewall ssl-ssh-profile + edit deep-inspection + set comment "Deep inspection." + config https + set ports 443 + end + config ftps + set ports 990 + end + config imaps + set ports 993 + end + config pop3s + set ports 995 + end + config smtps + set ports 465 + end + config ssh + set ports 22 + end + config ssl-exempt + edit 1 + set fortiguard-category 31 + next + edit 2 + set fortiguard-category 33 + next + edit 3 + set fortiguard-category 87 + next + edit 4 + set type address + set address "apple" + next + edit 5 + set type address + set address "appstore" + next + edit 6 + set type address + set address "dropbox.com" + next + edit 7 + set type address + set address "Gotomeeting" + next + edit 8 + set type address + set address "icloud" + next + edit 9 + set type address + set address "itunes" + next + edit 10 + set type address + set address "android" + next + edit 11 + set type address + set address "skype" + next + edit 12 + set type address + set address "swscan.apple.com" + next + edit 13 + set type address + set address "update.microsoft.com" + next + edit 14 + set type address + set address "eease" + 
next + edit 15 + set type address + set address "google-drive" + next + edit 16 + set type address + set address "google-play" + next + edit 17 + set type address + set address "google-play2" + next + edit 18 + set type address + set address "google-play3" + next + edit 19 + set type address + set address "microsoft" + next + edit 20 + set type address + set address "adobe" + next + edit 21 + set type address + set address "Adobe Login" + next + edit 22 + set type address + set address "fortinet" + next + edit 23 + set type address + set address "googleapis.com" + next + edit 24 + set type address + set address "citrix" + next + edit 25 + set type address + set address "verisign" + next + edit 26 + set type address + set address "Windows update 2" + next + edit 27 + set type address + set address "*.live.com" + next + edit 28 + set type address + set address "auth.gfx.ms" + next + edit 29 + set type address + set address "autoupdate.opera.com" + next + edit 30 + set type address + set address "softwareupdate.vmware.com" + next + edit 31 + set type address + set address "firefox update server" + next + end + next + edit certificate-inspection + set comment "SSL handshake inspection." 
+ config https + set status certificate-inspection + set ports 443 + end + config ftps + set status disable + set ports 990 + end + config imaps + set status disable + set ports 993 + end + config pop3s + set status disable + set ports 995 + end + config smtps + set status disable + set ports 465 + end + config ssh + set status disable + set ports 22 + end + next + end + config firewall identity-based-route + end + config firewall policy + end + config firewall local-in-policy + end + config firewall policy6 + end + config firewall local-in-policy6 + end + config firewall ttl-policy + end + config firewall policy64 + end + config firewall policy46 + end + config firewall explicit-proxy-policy + end + config firewall interface-policy + end + config firewall interface-policy6 + end + config firewall DoS-policy + end + config firewall DoS-policy6 + end + config firewall sniffer + end + config endpoint-control profile + edit default + config forticlient-winmac-settings + set forticlient-wf-profile "default" + end + config forticlient-android-settings + end + config forticlient-ios-settings + end + next + end + config wireless-controller wids-profile + edit default + set comment "Default WIDS profile." 
+ set deauth-broadcast enable + set assoc-frame-flood enable + set invalid-mac-oui enable + set ap-scan enable + set eapol-logoff-flood enable + set long-duration-attack enable + set eapol-pre-fail-flood enable + set eapol-succ-flood enable + set eapol-start-flood enable + set wireless-bridge enable + set eapol-pre-succ-flood enable + set auth-frame-flood enable + set asleap-attack enable + set eapol-fail-flood enable + set spoofed-deauth enable + set weak-wep-iv enable + set null-ssid-probe-resp enable + next + edit default-wids-apscan-enabled + set ap-scan enable + next + end + config wireless-controller wtp-profile + edit FAP112B-default + set ap-country US + config platform + set type 112B + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP220B-default + set ap-country US + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FAP223B-default + set ap-country US + config platform + set type 223B + end + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FAP210B-default + set ap-country US + config platform + set type 210B + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP222B-default + set ap-country US + config platform + set type 222B + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11n-5G + end + next + edit FAP320B-default + set ap-country US + config platform + set type 320B + end + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FAP11C-default + set ap-country US + config platform + set type 11C + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP14C-default + set ap-country US + config platform + set type 14C + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit 
FAP28C-default + set ap-country US + config platform + set type 28C + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP320C-default + set ap-country US + config platform + set type 320C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP221C-default + set ap-country US + config platform + set type 221C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP25D-default + set ap-country US + config platform + set type 25D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP222C-default + set ap-country US + config platform + set type 222C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP224D-default + set ap-country US + config platform + set type 224D + end + config radio-1 + set band 802.11n-5G + end + config radio-2 + set band 802.11n + end + next + edit FK214B-default + set ap-country US + config platform + set type 214B + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP21D-default + set ap-country US + config platform + set type 21D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP24D-default + set ap-country US + config platform + set type 24D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP112D-default + set ap-country US + config platform + set type 112D + end + config radio-1 + set band 802.11n + end + config radio-2 + set mode disabled + end + next + edit FAP223C-default + set ap-country US + config platform + set type 223C + end + config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + edit FAP321C-default + set ap-country US + config platform + set type 321C + end + 
config radio-1 + set band 802.11n + end + config radio-2 + set band 802.11ac + end + next + end + config log memory setting + set status enable + end + config router rip + config redistribute connected + end + config redistribute static + end + config redistribute ospf + end + config redistribute bgp + end + config redistribute isis + end + end + config router ripng + config redistribute connected + end + config redistribute static + end + config redistribute ospf + end + config redistribute bgp + end + config redistribute isis + end + end + config router ospf + config redistribute connected + end + config redistribute static + end + config redistribute rip + end + config redistribute bgp + end + config redistribute isis + end + end + config router ospf6 + config redistribute connected + end + config redistribute static + end + config redistribute rip + end + config redistribute bgp + end + config redistribute isis + end + end + config router bgp + config redistribute connected + end + config redistribute rip + end + config redistribute ospf + end + config redistribute static + end + config redistribute isis + end + config redistribute6 connected + end + config redistribute6 rip + end + config redistribute6 ospf + end + config redistribute6 static + end + config redistribute6 isis + end + end + config router isis + config redistribute connected + end + config redistribute rip + end + config redistribute ospf + end + config redistribute bgp + end + config redistribute static + end + end + config router multicast + end diff --git a/test/integration/targets/fortios_ipv4_policy/files/requirements.txt b/test/integration/targets/fortios_ipv4_policy/files/requirements.txt new file mode 100644 index 00000000000..7c67501df89 --- /dev/null +++ b/test/integration/targets/fortios_ipv4_policy/files/requirements.txt @@ -0,0 +1 @@ +pyfg>=0.50 \ No newline at end of file 
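Review bot: `pyfg>=0.50` sets only a lower bound, so every integration run installs whatever the newest pyfg release on the package index happens to be when main.yml's pip task runs, and the commit message itself records this role breaking on particular pyFG versions. Pinning the version the tests were written against, `pyfg==0.50`, keeps the run reproducible and turns a library upgrade into a deliberate, reviewed change rather than a surprise in CI. The missing trailing newline flagged by the diff is cosmetic but worth fixing while touching the file.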
diff --git a/test/integration/targets/fortios_ipv4_policy/tasks/main.yml b/test/integration/targets/fortios_ipv4_policy/tasks/main.yml
new file mode 100644
index 00000000000..64c8ac63ce2
--- /dev/null
+++ b/test/integration/targets/fortios_ipv4_policy/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: install required libraries
+ pip:
+ requirements: "{{ role_path }}/files/requirements.txt"
+
+- { include: test_indempotency.yml }
+- { include: test_params.yml }
diff --git a/test/integration/targets/fortios_ipv4_policy/tasks/test_indempotency.yml b/test/integration/targets/fortios_ipv4_policy/tasks/test_indempotency.yml
new file mode 100644
index 00000000000..6dc7a239ca1
--- /dev/null
+++ b/test/integration/targets/fortios_ipv4_policy/tasks/test_indempotency.yml
@@ -0,0 +1,68 @@
+---
+ - name: Add policy
+ fortios_ipv4_policy:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ id: 42
+ src_addr: all
+ dst_addr: all
+ policy_action: accept
+ service: ALL
+ state: present
+ register: add_policy
+
+ - name: Assert
+ assert:
+ that:
+ - "add_policy.changed == true"
+
+ - name: Add existing policy
+ fortios_ipv4_policy:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ id: 42
+ src_addr: all
+ dst_addr: all
+ policy_action: accept
+ service: ALL
+ state: present
+ register: add_policy
+
+ - name: Assert
+ assert:
+ that:
+ - "add_policy.changed == false"
+
+ - name: Delete existing policy
+ fortios_ipv4_policy:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ id: 42
+ src_addr: all
+ dst_addr: all
+ policy_action: accept
+ service: ALL
+ state: absent
+ register: del_policy
+
+ - name: Assert
+ assert:
+ that:
+ - "del_policy.changed == true"
+
+ - name: Delete not-existing policy
+ fortios_ipv4_policy:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ id: 42
+ src_addr: all
+ dst_addr: all
+ policy_action: accept
+ service: ALL
+ state: absent
+ register: del_policy
+
+ - name: Assert
+ assert:
+ that:
+ - "del_policy.changed == false"
diff --git a/test/integration/targets/fortios_ipv4_policy/tasks/test_params.yml b/test/integration/targets/fortios_ipv4_policy/tasks/test_params.yml
new file mode 100644
index 00000000000..ba7f9be6841
--- /dev/null
+++ b/test/integration/targets/fortios_ipv4_policy/tasks/test_params.yml
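Review bot: Every task here points `config_file` at the tracked fixture `files/default_config.conf`, and the Add/Delete sequence only restores it if all four steps succeed; if file mode writes the updated configuration back to that path (the module_utils change is not in this hunk, so I am inferring), an assertion failure between "Add policy" and "Delete existing policy" leaves a checked-in file modified and the next run starts from a dirty fixture. Copy the fixture to a scratch path first — a `tempfile:` task registered as e.g. `scratch`, then `copy: src=default_config.conf dest="{{ scratch.path }}"` — and point each `config_file` at that copy, cleaning it up at the end. The `{{role_path}}` spelling also differs from the `{{ role_path }}` used in main.yml; picking one form keeps the role consistent.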
@@ -0,0 +1,74 @@
+---
+ - name: Forget id
+ fortios_ipv4_policy:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ # id: 42
+ src_addr: all
+ dst_addr: all
+ policy_action: accept
+ service: ALL
+ state: present
+ register: forget_id
+ ignore_errors: True
+
+ - name: Forget src_addr
+ fortios_ipv4_policy:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ id: 42
+ # src_addr: all
+ dst_addr: all
+ policy_action: accept
+ service: ALL
+ state: present
+ register: forget_src_addr
+ ignore_errors: True
+
+ - name: Forget dst_addr
+ fortios_ipv4_policy:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ id: 42
+ src_addr: all
+ # dst_addr: all
+ policy_action: accept
+ service: ALL
+ state: present
+ register: forget_dst_addr
+ ignore_errors: True
+
+ - name: Forget policy_action
+ fortios_ipv4_policy:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ id: 42
+ src_addr: all
+ dst_addr: all
+ # policy_action: accept
+ service: ALL
+ state: present
+ register: forget_policy_action
+ ignore_errors: True
+
+ - name: Forget service
+ fortios_ipv4_policy:
+ file_mode: true
+ config_file: "{{role_path}}/files/default_config.conf"
+ id: 42
+ src_addr: all
+ dst_addr: all
+ policy_action: accept
+ # service: ALL
+ state: present
+ register: forget_service
+ ignore_errors: True
+
+ - name: Verify that all previous test have failed
+ assert:
+ that:
+ - "forget_id.failed == True"
+ - "forget_src_addr.failed == True"
+ - "forget_dst_addr.failed == True"
+ - "forget_policy_action.failed == True"
+ - "forget_service.failed == True"
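Review bot: The closing assert only checks `failed == True` for each registered result, so any failure at all — an unreadable `config_file`, a missing pyfg install, an exception in file mode — makes these five cases pass without showing that the omitted parameter was the cause. Add a check on the failure message alongside each one, e.g. `- "'id' in forget_id.msg"` for the first case, assuming the module's missing-argument error names the parameter (verify against the actual `msg` once). The task name `Verify that all previous test have failed` should read `tests have failed`.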
