Skip to main content

FortiGate

This Integration is part of the FortiGate Pack.#

FortiGate provides flawless convergence that can scale to any location: remote office, branch, campus, data center, and cloud. FortiGate always delivered on the concept of hybrid mesh firewalls with FortiManager for unified management and consistent security across complex hybrid environments. The Fortinet FortiOS operating system provides deep visibility and security across a variety of form factors. This integration was integrated and tested with version 7.2.5 of FortiGate.

Configure FortiGate in Cortex#

ParameterRequired
Server URL (e.g. https://192.168.0.1)True
Account usernameFalse
PasswordFalse
API KeyFalse
API KeyFalse
Trust any certificate (not secure)False
Use system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

fortigate-list-firewall-address-ipv4s#


Retrieve firewall IPv4 addresses. Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, etc.

Base Command#

fortigate-list-firewall-address-ipv4s

Input#

Argument NameDescriptionRequired
nameName of a specific address to return.Optional
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/220620/config-firewall-address.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/220620/config-firewall-address.Optional

Context Output#

PathTypeDescription
Fortigate.Address.NameStringAddress name.
Fortigate.Address.SubnetStringIP address and subnet mask of address.
Fortigate.Address.StartIPStringFirst IP address (inclusive) in the range for the address.
Fortigate.Address.EndIPStringFinal IP address (inclusive) in the range for the address.
Fortigate.Address.FQDNStringFully Qualified Domain Name address.
Fortigate.Address.MACAddressesStringMultiple MAC address ranges <start>[-<end>] separated by a space.
Fortigate.Address.TypeStringType of the address. Can be: `ipmask`, `iprange`, `fqdn`, `geography`, `wildcard`, `dynamic`, `interface-subnet` or `mac`.
Fortigate.Address.FabricObjectStringSecurity Fabric global object setting. Can be `enable` or `disable`. If `enable`, the object is set as a security fabric-wide global object, otherwise the object is local to this security fabric member.
Fortigate.Address.AllowRoutingStringEnable/disable use of this address in the static route configuration.
Fortigate.Address.TaggingStringList of tags associated to the object.
Fortigate.Address.IPsStringList of IP addresses.
Fortigate.Address.SDNAddressTypeStringType of addresses to collect. Can be: `private`, `public`, or `all`.
Fortigate.Address.AssociatedInterfaceStringNetwork interface associated with the address.
Fortigate.Address.CommentStringThe object`s comment.
Fortigate.Address.DirtyStringWhether the object is clean.
Fortigate.Address.TagTypeStringTag type of dynamic address object.
Fortigate.Address.TagDetectionLevelStringTag detection level of dynamic address object.
Fortigate.Address.ObjectTypeStringIP or MAC address.
Fortigate.Address.InterfaceStringName of the interface whose IP address is to be used.
Fortigate.Address.FSSOGroupStringFortinet Single Sign-On group name.
Fortigate.Address.SDNStringSoftware-defined networking.
Fortigate.Address.SDNTagStringSoftware-defined networking tag.
Fortigate.Address.CacheTTLNumberDefines the minimal TTL of individual IP addresses in FQDN cache measured in seconds.
Fortigate.Address.CountryStringIP addresses associated to a specific country.
Fortigate.Address.ClearpassSPTStringSystem Posture Token value. Can be: `unknown`, `healthy`, `quarantine`, `checkup`, `transient` or `infected`.
Fortigate.Address.SubTypeStringSub-type of address. Can be: `sdn`, `clearpass-spt`, `fsso`, `ems-tag`, `fortivoice-tag`, `fortinac-tag`, `fortipolicy-tag` or `swc-tag`.
Fortigate.Address.UUIDStringUniversally Unique Identifier.
Fortigate.Address.ObjectTagStringTag of dynamic address object.
Fortigate.Address.VDOMStringVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units.

Command example#

!fortigate-list-firewall-address-ipv4s name=playbook-address-ipv4

Context Example#

{
"Fortigate": {
"Address": {
"AllowRouting": "disable",
"AssociatedInterface": "",
"CacheTTL": 0,
"ClearpassSPT": "unknown",
"Comment": "",
"Country": "IL",
"Dirty": "dirty",
"FabricObject": "disable",
"Interface": "",
"Name": "playbook-address-ipv4",
"ObjectType": "ip",
"SDN": "",
"SDNAddressType": "private",
"SubType": "sdn",
"TagDetectionLevel": "",
"TagType": "",
"Type": "geography",
"UUID": "d30118b0-aa22-51ee-8e1b-bd78f7129431",
"VDOM": "root"
}
}
}

Human Readable Output#

Firewall Address IPv4s#

NameDetailsTypeRoutable
playbook-address-ipv4ILgeographydisable

fortigate-create-firewall-address-ipv4#


Create firewall IPv4 addresses. Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, etc. The command parameters can be used only in the following combinations: All-[vdom,name,comment,associated_interface], Subnet-[address,mask,allow_routing], IP Range-[start_ip,end_ip], FQDN-[fqdn,allow_routing], Geography-[country], Device (Mac Address)-[mac_addresses].

Base Command#

fortigate-create-firewall-address-ipv4

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
nameThe name of the address to create.Required
addressThe IP address.Optional
maskThe subnet mask as an IP address. Default value: 255.255.255.255.Optional
fqdnFully Qualified Domain Name address.Optional
start_ipFirst IP address (inclusive) in the range for the address.Optional
end_ipFinal IP address (inclusive) in the range for the address.Optional
countryIP addresses associated to a specific country. Input must be according to the two-letter counter codes, for example: IL.Optional
mac_addressesComma-separated list of MAC addresses. Can be single or range. Range must be separated by -, for examlpe: 00:00:00:00:00:00 or 00:00:00:00:00:00-FF:FF:FF:FF:FF:FF.Optional
associated_interfaceNetwork interface associated with address.Optional
allow_routingEnable/disable use of this address in the static route configuration. Possible values are: enable, disable.Optional
commentA comment for the address.Optional

Context Output#

PathTypeDescription
Frotigate.Address.NameStringThe name of the updated address.
Frotigate.Address.IPAddressStringThe IP address.
Frotigate.Address.MaskStringThe subnet mask of the address.
Frotigate.Address.FQDNStringThe Fully Qualified Domain Name address.
Frotigate.Address.StartIPStringFirst IP address (inclusive) in the range for the address.
Frotigate.Address.EndIPStringFinal IP address (inclusive) in the range for the address.
Frotigate.Address.CountryStringIP addresses associated to a specific country.
Frotigate.Address.MACStringMAC addresses.

Command example#

!fortigate-create-firewall-address-ipv4 name=playbook-address-ipv4 country=IL

Context Example#

{
"Fortigate": {
"Address": {
"Country": "IL",
"Name": "playbook-address-ipv4"
}
}
}

Human Readable Output#

The firewall address 'playbook-address-ipv4' was successfully created.#

fortigate-update-firewall-address-ipv4#


Update firewall IPv4 addresses. Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, etc. The command parameters can be used only in the following combinations: All-[vdom,name,comment,associated_interface,type], Subnet-[address,mask,allow_routing], IP Range-[start_ip,end_ip], FQDN-[fqdn,allow_routing], Geography-[country], Device (Mac Address)-[mac_addresses].

Base Command#

fortigate-update-firewall-address-ipv4

Input#

Argument NameDescriptionRequired
nameThe name of the address to update. Names can be retrieved with the command fortigate-list-firewall-address-ipv4s.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
addressThe IP address.Optional
maskThe subnet mask of the address.Optional
fqdnFully Qualified Domain Name address.Optional
start_ipFirst IP address (inclusive) in the range for the address.Optional
end_ipFinal IP address (inclusive) in the range for the address.Optional
countryIP addresses associated to a specific country. Input must be according to the two-letter counter codes, for example: IL.Optional
mac_addressesComma-separated list of MAC addresses. Can be single or range. Range must be separated by -, for example: 00:00:00:00:00:00 or 00:00:00:00:00:00-FF:FF:FF:FF:FF:FF.Optional
associated_interfaceNetwork interface associated with address.Optional
allow_routingEnable/disable use of this address in the static route configuration. Possible values are: enable, disable.Optional
commentA comment for the address.Optional

Context Output#

PathTypeDescription
Frotigate.Address.NameStringThe name of the created address.
Frotigate.Address.IPAddressStringThe IP address.
Frotigate.Address.MaskStringThe subnet mask of the address.
Frotigate.Address.FQDNStringThe Fully Qualified Domain Name address.
Frotigate.Address.StartIPStringFirst IP address (inclusive) in the range for the address.
Frotigate.Address.EndIPStringFinal IP address (inclusive) in the range for the address.
Frotigate.Address.CountryStringIP addresses associated to a specific country.
Frotigate.Address.MACStringMAC addresses.

Command example#

!fortigate-update-firewall-address-ipv4 name=playbook-address-ipv4 comment=helloworld

Context Example#

{
"Fortigate": {
"Address": {
"Name": "playbook-address-ipv4"
}
}
}

Human Readable Output#

The firewall address 'playbook-address-ipv4' was successfully updated.#

fortigate-delete-firewall-address-ipv4#


Delete firewall IPv4 addresses. Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, etc.

Base Command#

fortigate-delete-firewall-address-ipv4

Input#

Argument NameDescriptionRequired
nameName of the address to delete. Names can be retrieved with the command fortigate-list-firewall-address-ipv4s.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional

Context Output#

PathTypeDescription
Frotigate.Address.NameStringThe name of the deleted address.
Frotigate.Address.DeletedBooleanWhether the address was deleted.

Command example#

!fortigate-delete-firewall-address-ipv4 name=playbook-address-ipv4

Context Example#

{
"Fortigate": {
"Address": {
"Deleted": true,
"Name": "playbook-address-ipv4"
}
}
}

Human Readable Output#

The firewall address 'playbook-address-ipv4' was successfully deleted.#

fortigate-list-firewall-address-ipv6s#


Retrieve firewall IPv6 addresses. Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, etc.

Base Command#

fortigate-list-firewall-address-ipv6s

Input#

Argument NameDescriptionRequired
nameName of a specific address to return.Optional
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/223620/config-firewall-address6.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/223620/config-firewall-address6.Optional

Context Output#

PathTypeDescription
Fortigate.Address6.FabricObjectStringSecurity Fabric global object setting. Can be `enable` or `disable`. If `enable`, the object is set as a security fabric-wide global object, otherwise the object is local to this security fabric member.
Fortigate.Address6.SDNTagStringSoftware-defined networking tag.
Fortigate.Address6.TenantStringSpecifies the instance or environment in a multi-tenancy setup for configuring address objects.
Fortigate.Address6.HostTypeStringCan be a wildcard or a specific host address.
Fortigate.Address6.SubnetSegment.NameStringThe subnet segment name.
Fortigate.Address6.SubnetSegment.TypeStringThe subnet segment type. Can be a wildcard or a specific address.
Fortigate.Address6.SubnetSegment.ValueStringThe subnet segment value.
Fortigate.Address6.TemplateStringIPv6 address template.
Fortigate.Address6.CommentStringThe object`s comment.
Fortigate.Address6.TaggingStringList of tags associated to the object.
Fortigate.Address6.IPsStringList of IP addresses.
Fortigate.Address6.CountryStringIP addresses associated to a specific country.
Fortigate.Address6.FQDNStringFully Qualified Domain Name address.
Fortigate.Address6.StartIPStringFirst IP address (inclusive) in the range for the address.
Fortigate.Address6.EndIPStringFinal IP address (inclusive) in the range for the address.
Fortigate.Address6.IPv6StringIPv6 address prefix.
Fortigate.Address6.SDNStringSoftware-defined networking.
Fortigate.Address6.MACAddressesUnknownMultiple MAC address ranges <start>[-<end>] separated by a space.
Fortigate.Address6.TypeStringType of IPv6 address object. Can be: `ipprefix`, `iprange`, `fqdn`, `geography`, `dynamic`, `template`, `mac`.
Fortigate.Address6.UUIDStringUniversally Unique Identifier.
Fortigate.Address6.NameStringAddress name.
Fortigate.Address6.HostStringHost address.
Fortigate.Address6.CacheTTLNumberDefines the minimal TTL of individual IP addresses in FQDN cache measured in seconds.
Fortigate.Address6.VDOMStringVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units.

Command example#

!fortigate-list-firewall-address-ipv6s name=playbook-address-ipv6 comment=helloworld

Context Example#

{
"Fortigate": {
"Address6": {
"CacheTTL": 0,
"Comment": "",
"Country": "IL",
"EndIP": "::",
"FQDN": "",
"FabricObject": "disable",
"HostType": "any",
"Name": "playbook-address-ipv6",
"SDN": "",
"SDNTag": "",
"Template": "",
"Tenant": "",
"Type": "geography",
"UUID": "d827aafc-aa22-51ee-2088-2123aa731857",
"VDOM": "root"
}
}
}

Human Readable Output#

Firewall Address IPv6s#

NameDetailsType
playbook-address-ipv6ILgeography

fortigate-create-firewall-address-ipv6#


Create firewall IPv6 addresses. Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, etc. The command parameters can be used only in the following combinations: All-[vdom,name,comment], Subnet-[address,mask], IP Range-[start_ip,end_ip], FQDN-[fqdn], Geography-[country], Fabric Connector Address-[sdn_connector], Device (Mac Address)-[mac_addresses].

Base Command#

fortigate-create-firewall-address-ipv6

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
nameName of the address to create.Required
addressIPv6 address prefix. Can be in short form (e.g., 2001:db8::) or long form (e.g., 0000:0000:0000:0000:0000:0000:0000:0000).Optional
maskSubnet mask indicating the prefix length (format: xxx, range: 0-128).Optional
fqdnFully Qualified Domain Name address.Optional
start_ipFirst IP address (inclusive) in the range for the address.Optional
end_ipFinal IP address (inclusive) in the range for the address.Optional
countryIP addresses associated to a specific country. Input must be according to the two-letter counter codes, for example: IL.Optional
mac_addressesComma-separated list of MAC addresses. Can be single or range. Range must be separated by -, for example: 00:00:00:00:00:00 or 00:00:00:00:00:00-FF:FF:FF:FF:FF:FF.Optional
sdn_connectorSoftware-defined networking connector enables to interact with SDN controllers. For more information, go to: https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/753961/public-and-private-sdn-connectors.Optional
commentA comment for the address.Optional

Context Output#

PathTypeDescription
Frotigate.Address6.NameStringThe name of the updated address.
Frotigate.Address6.IPAddressStringThe IP address.
Frotigate.Address6.MaskStringThe subnet mask of the address.
Frotigate.Address6.FQDNStringThe Fully Qualified Domain Name address.
Frotigate.Address6.StartIPStringFirst IP address (inclusive) in the range for the address.
Frotigate.Address6.EndIPStringFinal IP address (inclusive) in the range for the address.
Frotigate.Address6.CountryStringIP addresses associated to a specific country.
Frotigate.Address6.MACStringMAC addresses.
Frotigate.Address6.SDNStringSoftware-defined networking.

Command example#

!fortigate-create-firewall-address-ipv6 name=playbook-address-ipv6 country=IL

Context Example#

{
"Fortigate": {
"Address6": {
"Country": "IL",
"Name": "playbook-address-ipv6"
}
}
}

Human Readable Output#

The firewall address 'playbook-address-ipv6' was successfully created.#

fortigate-update-firewall-address-ipv6#


Update firewall IPv6 addresses. Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, etc. The command parameters can be used only in the following combinations: All-[vdom,name,comment,associated_interface], Subnet-[address,mask], IP Range-[start_ip,end_ip], FQDN-[fqdn], Geography-[country], Fabric Connector Address-[sdn_connector], Device (Mac Address)-[mac_addresses].

Base Command#

fortigate-update-firewall-address-ipv6

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
nameName of the address to update. Names can be retrieved with the command fortigate-list-firewall-address-ipv6s.Required
typeThe type of the address to update. Possible values are: Subnet, IP Range, FQDN, Geography, Device (Mac Address), Fabric Connector Address.Optional
addressThe IP address.Optional
maskThe subnet mask of the address.Optional
fqdnFully Qualified Domain Name address.Optional
start_ipFirst IP address (inclusive) in the range for the address.Optional
end_ipFinal IP address (inclusive) in the range for the address.Optional
countryIP addresses associated to a specific country. Input must be according to the two-letter counter codes, for example: IL.Optional
mac_addressesComma-separated list of MAC addresses. Can be single or range. Range must be separated by -, for example: 00:00:00:00:00:00 or 00:00:00:00:00:00-FF:FF:FF:FF:FF:FF.Optional
sdn_connectorSoftware-defined networking connector enables to interact with SDN controllers. For more information, go to: https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/753961/public-and-private-sdn-connectors.Optional
commentA comment for the address.Optional

Context Output#

PathTypeDescription
Frotigate.Address6.NameStringThe name of the updated address.
Frotigate.Address6.IPAddressStringThe IP address.
Frotigate.Address6.MaskStringThe subnet mask of the address.
Frotigate.Address6.FQDNStringThe Fully Qualified Domain Name address.
Frotigate.Address6.StartIPStringFirst IP address (inclusive) in the range for the address.
Frotigate.Address6.EndIPStringFinal IP address (inclusive) in the range for the address.
Frotigate.Address6.CountryStringIP addresses associated to a specific country.
Frotigate.Address6.MACStringMAC addresses.
Frotigate.Address6.SDNStringSoftware-defined networking.

Command example#

!fortigate-update-firewall-address-ipv6 name=playbook-address-ipv6

Context Example#

{
"Fortigate": {
"Address6": {
"Name": "playbook-address-ipv6"
}
}
}

Human Readable Output#

The firewall address 'playbook-address-ipv6' was successfully updated.#

fortigate-delete-firewall-address-ipv6#


Delete firewall IPv6 addresses. Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, etc.

Base Command#

fortigate-delete-firewall-address-ipv6

Input#

Argument NameDescriptionRequired
nameName of the address to delete. Names can be retrieved with the command fortigate-list-firewall-address-ipv6s.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional

Context Output#

PathTypeDescription
Fortigate.Address6.NameStringThe name of the address.
Fortigate.Address6.DeletedBooleanWhether the address was deleted.

Command example#

!fortigate-delete-firewall-address-ipv6 name=playbook-address-ipv6

Context Example#

{
"Fortigate": {
"Address6": {
"Deleted": true,
"Name": "playbook-address-ipv6"
}
}
}

Human Readable Output#

The firewall address 'playbook-address-ipv6' was successfully deleted.#

fortigate-list-firewall-address-ipv4-multicasts#


Retrieve firewall IPv4 multicast addresses. Multicasting allows a single source to send data to multiple receivers efficiently, conserving bandwidth and minimizing network traffic. It is suitable for media streaming, news feeds, financial updates, and certain dynamic routing protocols like RIPv2, OSPF, and EIGRP.

Base Command#

fortigate-list-firewall-address-ipv4-multicasts

Input#

Argument NameDescriptionRequired
nameName of a specific address to return.Optional
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/221620/config-firewall-multicast-address.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/221620/config-firewall-multicast-address.Optional

Context Output#

PathTypeDescription
Fortigate.AddressMulticast.TaggingStringList of tags associated to the object.
Fortigate.AddressMulticast.AssociatedInterfaceStringNetwork interface associated with address.
Fortigate.AddressMulticast.CommentStringThe object`s comment.
Fortigate.AddressMulticast.EndIPStringFinal IP address (inclusive) in the range for the address.
Fortigate.AddressMulticast.StartIPStringFirst IP address (inclusive) in the range for the address.
Fortigate.AddressMulticast.SubnetStringBroadcast address and subnet.
Fortigate.AddressMulticast.TypeStringType of the address multicast. Can be: `multicastrange` or `broadcastmask`.
Fortigate.AddressMulticast.NameStringAddress multicast name.
Fortigate.AddressMulticast.VDOMStringVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units.

Command example#

!fortigate-list-firewall-address-ipv4-multicasts name=playbook-address-ipv4-multicast

Context Example#

{
"Fortigate": {
"AddressMulticast": {
"AssociatedInterface": "",
"Comment": "",
"Name": "playbook-address-ipv4-multicast",
"Subnet": "0.0.0.0-0.0.0.0",
"Type": "broadcastmask",
"VDOM": "root"
}
}
}

Human Readable Output#

Firewall Address IPv4 Multicasts#

NameDetailsType
playbook-address-ipv4-multicast0.0.0.0-0.0.0.0broadcastmask

fortigate-create-firewall-address-ipv4-multicast#


Create firewall IPv4 multicast addresses. Multicasting allows a single source to send data to multiple receivers efficiently, conserving bandwidth and minimizing network traffic. It`s suitable for media streaming, news feeds, financial updates, and certain dynamic routing protocols like RIPv2, OSPF, and EIGRP.

Base Command#

fortigate-create-firewall-address-ipv4-multicast

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
nameName of the address multicast to create.Required
commentA comment for the address.Optional
associated_interfaceNetwork interface associated with address.Optional
typeSpecifies the format of the multicast address. Possible values are: Broadcast Subnet, Multicast IP Range.Required
first_ipFor Broadcast Subnet, this is the network address. For Multicast IP Range, (inclusive) this is the beginning of the IP range.Required
final_ipFor Broadcast Subnet this should be the network mask as an IP address. For Multicast IP Range, (inclusive) this is the end of the IP range.Required

Context Output#

PathTypeDescription
Frotigate.AddressMulticast.NameStringThe name of the updated address multicast.
Frotigate.AddressMulticast.TypeStringSpecifies the format of the multicast address.
Frotigate.AddressMulticast.FirstIPStringFirst input IP address.
Frotigate.AddressMulticast.FinalIPStringFinal input IP address.

Command example#

!fortigate-create-firewall-address-ipv4-multicast name=playbook-address-ipv4-multicast type="Broadcast Subnet" first_ip=0.0.0.0 final_ip=0.0.0.0

Context Example#

{
"Fortigate": {
"AddressMulticast": {
"FinalIP": "0.0.0.0",
"FirstIP": "0.0.0.0",
"Name": "playbook-address-ipv4-multicast",
"Type": "Broadcast Subnet"
}
}
}

Human Readable Output#

The firewall address multicast IPv4 'playbook-address-ipv4-multicast' was successfully created.#

fortigate-update-firewall-address-ipv4-multicast#


Update firewall IPv4 multicast addresses. Multicasting allows a single source to send data to multiple receivers efficiently, conserving bandwidth and minimizing network traffic. It`s suitable for media streaming, news feeds, financial updates, and certain dynamic routing protocols like RIPv2, OSPF, and EIGRP.

Base Command#

fortigate-update-firewall-address-ipv4-multicast

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
nameName of the address multicast to update. Names can be retrieved with the command fortigate-list-firewall-address-ipv4-multicasts.Required
commentA comment for the address.Optional
associated_interfaceNetwork interface associated with address.Optional
typeSpecifies the format of the multicast address. Possible values are: Broadcast Subnet, Multicast IP Range.Optional
first_ipFor 'Broadcast Subnet', this is the network address. For 'Multicast IP Range', (inclusive) this is the beginning of the IP range.Optional
final_ipFor 'Broadcast Subnet' this should be the network mask as an IP address. For Multicast IP Range, (inclusive) this is the end of the IP range.Optional

Context Output#

PathTypeDescription
Frotigate.AddressMulticast.NameStringThe name of the updated address multicast.
Frotigate.AddressMulticast.TypeStringSpecifies the format of the multicast address.
Frotigate.AddressMulticast.FirstIPStringFirst input IP address.
Frotigate.AddressMulticast.FinalIPStringFinal input IP address.

Command example#

!fortigate-update-firewall-address-ipv4-multicast name=playbook-address-ipv4-multicast comment=helloworld

Context Example#

{
"Fortigate": {
"AddressMulticast": {
"Name": "playbook-address-ipv4-multicast"
}
}
}

Human Readable Output#

The firewall address multicast IPv4 'playbook-address-ipv4-multicast' was successfully updated.#

fortigate-delete-firewall-address-ipv4-multicast#


Delete firewall IPv4 multicast addresses. Multicasting allows a single source to send data to multiple receivers efficiently, conserving bandwidth and minimizing network traffic. It is suitable for media streaming, news feeds, financial updates, and certain dynamic routing protocols like RIPv2, OSPF, and EIGRP.

Base Command#

fortigate-delete-firewall-address-ipv4-multicast

Input#

Argument NameDescriptionRequired
nameName of the address multicast to delete. Names can be retrieved with the command fortigate-list-firewall-address-ipv4-multicasts.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional

Context Output#

PathTypeDescription
Fortigate.AddressMulticast.NameStringThe name of the address multicast.
Fortigate.AddressMulticast.DeletedBooleanWhether the address multicast was deleted.

Command example#

!fortigate-delete-firewall-address-ipv4-multicast name=playbook-address-ipv4-multicast

Context Example#

{
"Fortigate": {
"AddressMulticast": {
"Deleted": true,
"Name": "playbook-address-ipv4-multicast"
}
}
}

Human Readable Output#

The firewall address multicast IPv4 'playbook-address-ipv4-multicast' was successfully deleted.#

fortigate-list-firewall-address-ipv6-multicasts#


Retrieve firewall IPv6 multicast addresses. Multicasting allows a single source to send data to multiple receivers efficiently, conserving bandwidth and minimizing network traffic. It is suitable for media streaming, news feeds, financial updates, and certain dynamic routing protocols like RIPv2, OSPF, and EIGRP.

Base Command#

fortigate-list-firewall-address-ipv6-multicasts

Input#

Argument NameDescriptionRequired
nameName of a specific address multicast to return.Optional
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/224620/config-firewall-multicast-address6.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/224620/config-firewall-multicast-address6.Optional

Context Output#

PathTypeDescription
Fortigate.Address6Multicast.TaggingStringList of tags associated to the object.
Fortigate.Address6Multicast.CommentStringThe object`s comment.
Fortigate.Address6Multicast.IPv6StringBroadcast address and subnet.
Fortigate.Address6Multicast.NameStringAddress multicast name.
Fortigate.Address6Multicast.VDOMStringVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units.

Command example#

!fortigate-list-firewall-address-ipv6-multicasts name=playbook-address-ipv6-multicast

Context Example#

{
"Fortigate": {
"Address6Multicast": {
"Comment": "",
"IPv6": "ff00::/8",
"Name": "playbook-address-ipv6-multicast",
"VDOM": "root"
}
}
}

Human Readable Output#

Firewall Address IPv6 Multicasts#

NameDetails
playbook-address-ipv6-multicastff00::/8

fortigate-create-firewall-address-ipv6-multicast#


Create firewall IPv6 multicast addresses. Multicasting allows a single source to send data to multiple receivers efficiently, conserving bandwidth and minimizing network traffic. It is suitable for media streaming, news feeds, financial updates, and certain dynamic routing protocols like RIPv2, OSPF, and EIGRP.

Base Command#

fortigate-create-firewall-address-ipv6-multicast

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
nameName of the address multicast to create.Required
commentA comment for the address.Optional
addressIPv6 address prefix. Can be in short form (e.g., 2001:db8::) or long form (e.g., 0000:0000:0000:0000:0000:0000:0000:0000).Required
maskSubnet mask indicating the prefix length (format: xxx, range: 0-128).Required

Context Output#

PathTypeDescription
Frotigate.Address6Multicast.NameStringThe name of the updated address multicast.
Frotigate.Address6Multicast.IPAddressStringThe IP address.
Frotigate.Address6Multicast.MaskStringThe subnet mask of the address.

Command example#

!fortigate-create-firewall-address-ipv6-multicast name=playbook-address-ipv6-multicast address=ff00:: mask=8

Context Example#

{
"Fortigate": {
"Address6Multicast": {
"IPAddress": "ff00::",
"Mask": "8",
"Name": "playbook-address-ipv6-multicast"
}
}
}

Human Readable Output#

The firewall address multicast IPv6 'playbook-address-ipv6-multicast' was successfully created.#

fortigate-update-firewall-address-ipv6-multicast#


Update firewall IPv6 multicast addresses. Multicasting allows a single source to send data to multiple receivers efficiently, conserving bandwidth and minimizing network traffic. It is suitable for media streaming, news feeds, financial updates, and certain dynamic routing protocols like RIPv2, OSPF, and EIGRP.

Base Command#

fortigate-update-firewall-address-ipv6-multicast

Input#

Argument NameDescriptionRequired
nameName of the address multicast to update. Names can be retrieved with the command fortigate-list-firewall-address-ipv6-multicasts.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
commentA comment for the address.Optional
addressIPv6 address prefix. Can be in short form (e.g., 2001:db8::) or long form (e.g., 0000:0000:0000:0000:0000:0000:0000:0000).Optional
maskSubnet mask indicating the prefix length (format: xxx, range: 0-128).Optional

Context Output#

PathTypeDescription
Frotigate.Address6Multicast.NameStringThe name of the updated address multicast.
Frotigate.Address6Multicast.IPAddressStringThe IP address.
Frotigate.Address6Multicast.MaskStringThe subnet mask of the address.

Command example#

!fortigate-update-firewall-address-ipv6-multicast name=playbook-address-ipv6-multicast comment=helloworld

Context Example#

{
"Fortigate": {
"Address6Multicast": {
"Name": "playbook-address-ipv6-multicast"
}
}
}

Human Readable Output#

The firewall address multicast IPv6 'playbook-address-ipv6-multicast' was successfully updated.#

fortigate-delete-firewall-address-ipv6-multicast#


Delete firewall IPv6 multicast addresses. Multicasting allows a single source to send data to multiple receivers efficiently, conserving bandwidth and minimizing network traffic. It is suitable for media streaming, news feeds, financial updates, and certain dynamic routing protocols like RIPv2, OSPF, and EIGRP.

Base Command#

fortigate-delete-firewall-address-ipv6-multicast

Input#

Argument NameDescriptionRequired
nameName of the address multicast to delete. Names can be retrieved with the command fortigate-list-firewall-address-ipv6-multicasts.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional

Context Output#

PathTypeDescription
Fortigate.Address6Multicast.NameStringThe name of the address multicast.
Fortigate.Address6Multicast.DeletedBooleanWhether the address multicast was deleted.

Command example#

!fortigate-delete-firewall-address-ipv6-multicast name=playbook-address-ipv6-multicast

Context Example#

{
"Fortigate": {
"Address6Multicast": {
"Deleted": true,
"Name": "playbook-address-ipv6-multicast"
}
}
}

Human Readable Output#

The firewall address multicast IPv6 'playbook-address-ipv6-multicast' was successfully deleted.#

fortigate-list-firewall-address-ipv4-groups#


Retrieve firewall IPv4 address groups. Address groups are designed for ease of use in the administration of the device.

Base Command#

fortigate-list-firewall-address-ipv4-groups

Input#

Argument NameDescriptionRequired
groupNameName of a specific address group to return.Optional
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/225620/config-firewall-addrgrp.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/225620/config-firewall-addrgrp.Optional

Context Output#

PathTypeDescription
Frotigate.AddressGroup.FabricObjectStringSecurity Fabric global object setting. Can be `enable` or `disable`. If `enable`, the object is set as a security fabric-wide global object, otherwise the object is local to this security fabric member.
Frotigate.AddressGroup.AllowRoutingStringEnable/disable use of this address in the static route configuration.
Frotigate.AddressGroup.TaggingStringList of tags associated to the object.
Frotigate.AddressGroup.ExcludeMemberStringAddress name exclusion member.
Frotigate.AddressGroup.ExcludeStringEnable/disable address exclusion.
Frotigate.AddressGroup.CommentStringThe object`s comment.
Frotigate.AddressGroup.Member.NameStringAddress objects contained within the group.
Frotigate.AddressGroup.UUIDStringUniversally Unique Identifier.
Frotigate.AddressGroup.CategoryStringAddress group category. `default`: Default address group category (cannot be used as ztna-ems-tag/ztna-geo-tag in policy). `ztna-ems-tag`: Members must be ztna-ems-tag group or ems-tag address. Can be used as ztna-ems-tag in policy. `ztna-geo-tag`: Members must be ztna-geo-tag group or geographic address. Can be used as ztna-geo-tag in policy.
Frotigate.AddressGroup.TypeStringAddress group type. Default address group type (address may belong to multiple groups). Address folder group (members may not belong to any other group).
Frotigate.AddressGroup.NameStringAddress group name.
Fortigate.AddressGroup.VDOMStringVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units.

Command example#

!fortigate-list-firewall-address-ipv4-groups groupName=playbook-address-ipv4-group

Context Example#

{
"Fortigate": {
"AddressGroup": {
"AllowRouting": "disable",
"Category": "default",
"Comment": "",
"Exclude": "disable",
"FabricObject": "disable",
"Member": {
"Name": [
"playbook-address-ipv4-1"
]
},
"Name": "playbook-address-ipv4-group",
"Type": "default",
"UUID": "e7adb0ca-aa22-51ee-b304-c7fc8ce5e274",
"VDOM": "root"
}
}
}

Human Readable Output#

Firewall Address IPv4 Groups#

NameDetailsTypeRoutable
playbook-address-ipv4-groupplaybook-address-ipv4-1defaultdisable

fortigate-create-firewall-address-ipv4-group#


Create firewall IPv4 address groups. Address groups are designed for ease of use in the administration of the device.

Base Command#

fortigate-create-firewall-address-ipv4-group

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
groupNameName of the address group to create.Required
typeAddress group type. group: Default address group type (address may belong to multiple groups). folder: Address folder group (members may not belong to any other group). Possible values are: group, folder. Default is group.Optional
addressComma-separated list of address names. Names can be retrieved with the commands fortigate-list-firewall-address-ipv4s, fortigate-list-firewall-address-ipv4-multicasts and fortigate-list-firewall-address-ipv4-groups.Optional
excluded_addressesComma-separated list of address names to exclude. Names can be retrieved with the commands fortigate-list-firewall-address-ipv4s, fortigate-list-firewall-address-ipv4-multicasts and fortigate-list-firewall-address-ipv4-groups.Optional
allow_routingEnable/disable use of this address in the static route configuration. Possible values are: enable, disable.Optional
commentA comment for the address group.Optional

Context Output#

PathTypeDescription
Fortigate.AddressGroup.NameStringThe address group name.
Fortigate.AddressGroup.AddressStringThe address group members.

Command example#

!fortigate-create-firewall-address-ipv4-group groupName=playbook-address-ipv4-group address=playbook-address-ipv4-1

Context Example#

{
"Fortigate": {
"AddressGroup": {
"Address": "playbook-address-ipv4-1",
"Name": "playbook-address-ipv4-group"
}
}
}

Human Readable Output#

The firewall address IPv4 group 'playbook-address-ipv4-group' was successfully created.#

fortigate-update-firewall-address-ipv4-group#


Update firewall IPv4 address groups. Address groups are designed for ease of use in the administration of the device. New members will override the existing members within the group incase of a conflict.

Base Command#

fortigate-update-firewall-address-ipv4-group

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
groupNameName of the address group to update. Names can be retrieved with the command fortigate-list-firewall-address-ipv4-groups.Required
addressComma-separated list of address names. Names can be retrieved with the commands fortigate-list-firewall-address-ipv4s, fortigate-list-firewall-address-ipv4-multicasts and fortigate-list-firewall-address-ipv4-groups.Optional
excluded_addressesComma-separated list of address names to exclude. Names can be retrieved with the commands fortigate-list-firewall-address-ipv4s, fortigate-list-firewall-address-ipv4-multicasts and fortigate-list-firewall-address-ipv4-groups.Optional
allow_routingEnable/disable use of this address in the static route configuration. Possible values are: enable, disable.Optional
commentA comment for the address group.Optional
actionWhether to add or remove members or excluded_members from address group. Possible values are: add, remove.Optional

Context Output#

PathTypeDescription
Fortigate.AddressGroup.NameStringThe address group name.
Fortigate.AddressGroup.Address.NameStringThe address group members.
Frotigate.AddressGroup.UUIDStringUniversally Unique Identifier.

Command example#

!fortigate-update-firewall-address-ipv4-group groupName=playbook-address-ipv4-group address=playbook-address-ipv4-2 action=add

Context Example#

{
"Fortigate": {
"AddressGroup": {
"Address": {
"Name": [
"playbook-address-ipv4-1",
"playbook-address-ipv4-2"
]
},
"Name": "playbook-address-ipv4-group",
"UUID": "e7adb0ca-aa22-51ee-b304-c7fc8ce5e274"
}
}
}

Human Readable Output#

The firewall address IPv4 group 'playbook-address-ipv4-group' was successfully updated.#

fortigate-delete-firewall-address-ipv4-group#


Delete firewall IPv4 address groups. Address groups are designed for ease of use in the administration of the device.

Base Command#

fortigate-delete-firewall-address-ipv4-group

Input#

Argument NameDescriptionRequired
nameName of the address group to delete. Names can be retrieved with the command fortigate-list-firewall-address-ipv4-groups.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional

Context Output#

PathTypeDescription
Fortigate.AddressGroup.NameStringThe name of the address group.
Fortigate.AddressGroup.DeletedBooleanWhether the address group was deleted.

Command example#

!fortigate-delete-firewall-address-ipv4-group name=playbook-address-ipv4-group

Context Example#

{
"Fortigate": {
"AddressGroup": {
"Deleted": true,
"Name": "playbook-address-ipv4-group"
}
}
}

Human Readable Output#

The firewall address IPv4 group 'playbook-address-ipv4-group' was successfully deleted.#

fortigate-list-firewall-address-ipv6-groups#


Retrieve firewall IPv6 address groups. Address groups are designed for ease of use in the administration of the device.

Base Command#

fortigate-list-firewall-address-ipv6-groups

Input#

Argument NameDescriptionRequired
nameName of a specific address group to return.Optional
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/226620/config-firewall-addrgrp6.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/226620/config-firewall-addrgrp6.Optional

Context Output#

PathTypeDescription
Frotigate.Address6Group.FabricObjectStringSecurity Fabric global object setting. Can be `enable` or `disable`. If `enable`, the object is set as a security fabric-wide global object, otherwise the object is local to this security fabric member.
Frotigate.Address6Group.TaggingStringList of tags associated to the object.
Frotigate.Address6Group.Member.NameStringAddress objects contained within the group.
Frotigate.Address6Group.CommentStringThe object`s comment.
Frotigate.Address6Group.UUIDStringUniversally Unique Identifier.
Frotigate.Address6Group.NameStringAddress group name.
Fortigate.Address6Group.VDOMStringVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units.

Command example#

!fortigate-list-firewall-address-ipv6-groups name=playbook-address-ipv6-group

Context Example#

{
"Fortigate": {
"Address6Group": {
"Comment": "",
"FabricObject": "disable",
"Name": "playbook-address-ipv6-group",
"UUID": "ecd06d9a-aa22-51ee-a0a1-29b8ccdf7714",
"VDOM": "root"
}
}
}

Human Readable Output#

Firewall Address IPv6 Groups#

Name
playbook-address-ipv6-group

fortigate-create-firewall-address-ipv6-group#


Create firewall IPv6 address groups. Address groups are designed for ease of use in the administration of the device.

Base Command#

fortigate-create-firewall-address-ipv6-group

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
nameName of the address group to create.Required
membersComma-separated list of address names. Names can be retrieved with the commands fortigate-list-firewall-address-ipv6s, fortigate-list-firewall-address-ipv6-multicasts and fortigate-list-firewall-address-ipv6-groups.Optional
commentA comment for the address group.Optional

Context Output#

PathTypeDescription
Fortigate.Address6Group.NameStringThe address group name.
Fortigate.Address6Group.AddressStringThe address group members.

Command example#

!fortigate-create-firewall-address-ipv6-group name=playbook-address-ipv6-group

Context Example#

{
"Fortigate": {
"Address6Group": {
"Address": null,
"Name": "playbook-address-ipv6-group"
}
}
}

Human Readable Output#

The firewall address IPv6 group 'playbook-address-ipv6-group' was successfully created.#

fortigate-update-firewall-address-ipv6-group#


Update firewall IPv6 address groups. Address groups are designed for ease of use in the administration of the device. New members will override the existing members within the group incase of a conflict.

Base Command#

fortigate-update-firewall-address-ipv6-group

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
nameName of the address group to update. Names can be retrieved with the command fortigate-list-firewall-address-ipv6-groups.Required
membersComma-separated list of address names. Names can be retrieved with the commands fortigate-list-firewall-address-ipv6s, fortigate-list-firewall-address-ipv6-multicasts and fortigate-list-firewall-address-ipv6-groups.Optional
commentA comment for the address group.Optional
actionWhether to add or remove members from address group. Possible values are: add, remove.Optional

Context Output#

PathTypeDescription
Fortigate.Address6Group.NameStringThe address group name.
Fortigate.Address6Group.AddressStringThe address group members.

Command example#

!fortigate-update-firewall-address-ipv6-group name=playbook-address-ipv6-group members=playbook-address-ipv6-1 action=add

Context Example#

{
"Fortigate": {
"Address6Group": {
"Address": {
"Name": [
"playbook-address-ipv6-1"
]
},
"Name": "playbook-address-ipv6-group"
}
}
}

Human Readable Output#

The firewall address IPv6 group 'playbook-address-ipv6-group' was successfully updated.#

fortigate-delete-firewall-address-ipv6-group#


Delete firewall IPv6 address groups. Address groups are designed for ease of use in the administration of the device.

Base Command#

fortigate-delete-firewall-address-ipv6-group

Input#

Argument NameDescriptionRequired
nameName of the address group to delete. Names can be retrieved with the command fortigate-list-firewall-address-ipv6-groups.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional

Context Output#

PathTypeDescription
Fortigate.Address6Group.NameStringThe name of the deleted address group.
Fortigate.Address6Group.DeletedBooleanWhether the address group was deleted.

Command example#

!fortigate-delete-firewall-address-ipv6-group name=playbook-address-ipv6-group

Context Example#

{
"Fortigate": {
"Address6Group": {
"Deleted": true,
"Name": "playbook-address-ipv6-group"
}
}
}

Human Readable Output#

The firewall address IPv6 group 'playbook-address-ipv6-group' was successfully deleted.#

fortigate-list-firewall-services#


Retrieve firewall services. A service is the combination of network protocols and port numbers that define traffic sources or destinations.

Base Command#

fortigate-list-firewall-services

Input#

Argument NameDescriptionRequired
serviceNameName of a specific service to return.Optional
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/231620/config-firewall-service-custom.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/231620/config-firewall-service-custom.Optional

Context Output#

PathTypeDescription
Fortigate.Service.FabricObjectStringSecurity Fabric global object setting. Can be `enable` or `disable`. If `enable`, the object is set as a security fabric-wide global object, otherwise the object is local to this security fabric member.
Fortigate.Service.ApplicationNumberThe application ID.
Fortigate.Service.AppCategoryNumberApplication category ID.
Fortigate.Service.AppServiceTypeStringApplication service type. Can be: `disable`, `app-id` or `app-category`.
Fortigate.Service.CommentStringThe object`s comment.
Fortigate.Service.CheckResetRangeStringThe configuration type of ICMP error message verification.
Fortigate.Service.SessionTTLStringSession time to live.
Fortigate.Service.UDPIdleTimerNumberNumber of seconds before an idle UDP connection times out.
Fortigate.Service.TCPRSTTimerNumberSet the length of the TCP CLOSE state in seconds.
Fortigate.Service.TCPTimewaitTimerNumberSet the length of the TCP TIME-WAIT state in seconds.
Fortigate.Service.TCPHalfopenTimerNumberWait time to close a TCP session waiting for an unanswered open session packet.
Fortigate.Service.TCPHalfcloseTimerNumberWait time to close a TCP session waiting for an unanswered open session packet.
Fortigate.Service.Ports.SCTPStringMultiple SCTP port ranges.
Fortigate.Service.Ports.UDPStringMultiple UDP port ranges.
Fortigate.Service.Ports.TCPStringMultiple TCP port ranges.
Fortigate.Service.FQDNStringFully Qualified Domain Name address.
Fortigate.Service.IPRangeStringStart and end of the IP range associated with the service.
Fortigate.Service.HelperStringHelper protocol name.
Fortigate.Service.ProtocolStringProtocol type based on IANA numbers.
Fortigate.Service.CategoryStringThe service category.
Fortigate.Service.ProxyStringEnable/disable web proxy service.
Fortigate.Service.NameStringThe service name.
Fortigate.Service.ICMPCodeNumberICMP code.
Fortigate.Service.ICMPTypeNumberICMP type.
Fortigate.Service.ProtocolNumberNumberIP protocol number.
Fortigate.Service.VDOMStringVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units.

Command example#

!fortigate-list-firewall-services serviceName=playbook-service

Context Example#

{
"Fortigate": {
"Service": {
"AppServiceType": "disable",
"Category": "",
"CheckResetRange": "default",
"Comment": "",
"FQDN": "",
"FabricObject": "disable",
"Helper": "auto",
"IPRange": "0.0.0.0",
"Name": "playbook-service",
"Ports": {
"SCTP": "5-6",
"TCP": "1-2",
"UDP": "3-4"
},
"Protocol": "TCP/UDP/SCTP",
"Proxy": "disable",
"SessionTTL": "0",
"TCPHalfcloseTimer": 0,
"TCPHalfopenTimer": 0,
"TCPRSTTimer": 0,
"TCPTimewaitTimer": 0,
"UDPIdleTimer": 0,
"VDOM": "root"
}
}
}

Human Readable Output#

Firewall Services#

NameDetailsIP/FQDNProtocol
playbook-serviceTCP/1-2 UDP/3-4 SCTP/5-60.0.0.0TCP/UDP/SCTP

fortigate-create-firewall-service#


Create firewall services. A service is the combination of network protocols and port numbers that define traffic sources or destinations. The command parameters can be used only in the following combinations: All-[vdom,name,comment,category], TCP/UDP/SCTP-[(start_ip,end_ip or fqdn),tcpRange,udpRange,sctpRange], IP-[ip_protocol], ICMP/ICMP6-[icmp_version,icmp_code,icmp_type].

Base Command#

fortigate-create-firewall-service

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
serviceNameName of the service to create.Required
commentA comment for the service.Optional
categoryService category.Optional
start_ipStart of the IP range associated with the service.Optional
end_ipEnd of the IP range associated with the service.Optional
fqdnFully Qualified Domain Name address.Optional
tcpRangeComma-separated list of TCP ports. Must be in the following template: {single} for example 5, {start}-{end} for example 1-50 or {start_source}-{end_source}:{start_destination}-{end_destinatinon} for example 1-3:6-9.Optional
udpRangeComma-separated list of TCP ports. Must be in the following template: {single} for example 5, {start}-{end} for example 1-50 or {start_source}-{end_source}:{start_destination}-{end_destinatinon} for example 1-3:6-9.Optional
sctpRangeComma-separated list of TCP ports. Must be in the following template: {single} for example 5, {start}-{end} for example 1-50 or {start_source}-{end_source}:{start_destination}-{end_destinatinon} for example 1-3:6-9.Optional
icmp_typeSpecifies the ICMP message type, defining the purpose or condition of the message.Optional
icmp_codeIdentifies the variant or additional information for the corresponding ICMP message type.Optional
icmp_versionDetermines the version of the Internet Control Message Protocol, either ICMP or ICMP6. Possible values are: ICMP, ICMP6.Optional
ip_protocolIP protocol number.Optional

Context Output#

PathTypeDescription
Fortigate.Service.Ports.SCTPStringMultiple SCTP port ranges.
Fortigate.Service.Ports.UDPStringMultiple UDP port ranges.
Fortigate.Service.Ports.TCPStringMultiple TCP port ranges.
Fortigate.Service.FQDNStringFully Qualified Domain Name address.
Fortigate.Service.StartIPStringStart of the IP range associated with the service.
Fortigate.Service.EndIPStringEnd of the IP range associated with the service.
Fortigate.Service.ICMPCodeNumberICMP code.
Fortigate.Service.ICMPTypeNumberICMP type.
Fortigate.Service.ProtocolNumberNumberIP protocol number.
Fortigate.Service.NameStringThe service name.

Command example#

!fortigate-create-firewall-service serviceName=playbook-service tcpRange=1-2 udpRange=3-4 sctpRange=5-6

Context Example#

{
"Fortigate": {
"Service": {
"Name": "playbook-service",
"Ports": {
"SCTP": "5-6",
"TCP": "1-2",
"UDP": "3-4"
}
}
}
}

Human Readable Output#

The firewall service 'playbook-service' was successfully created.#

fortigate-update-firewall-service#


Update firewall services. A service is the combination of network protocols and port numbers that define traffic sources or destinations. The command parameters can be used only in the following combinations: All-[vdom,name,comment,category], TCP/UDP/SCTP-[(start_ip,end_ip or fqdn),tcpRange,udpRange,sctpRange], IP-[ip_protocol], ICMP/ICMP6-[icmp_version,icmp_code,icmp_type].

Base Command#

fortigate-update-firewall-service

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
nameName of the service to update. Names can be retrieved with the command fortigate-list-firewall-services.Required
commentA comment for the service.Optional
categoryService category.Optional
start_ipStart of the IP range associated with the service.Optional
end_ipEnd of the IP range associated with the service.Optional
fqdnFully Qualified Domain Name address.Optional
tcpRangeComma-separated list of TCP ports. Must be in the following template: {single} for example 5, {start}-{end} for example 1-50 or {start_source}-{end_source}:{start_destination}-{end_destinatinon} for example 1-3:6-9.Optional
udpRangeComma-separated list of TCP ports. Must be in the following template: {single} for example 5, {start}-{end} for example 1-50 or {start_source}-{end_source}:{start_destination}-{end_destinatinon} for example 1-3:6-9.Optional
sctpRangeComma-separated list of TCP ports. Must be in the following template: {single} for example 5, {start}-{end} for example 1-50 or {start_source}-{end_source}:{start_destination}-{end_destinatinon} for example 1-3:6-9.Optional
actionWhether to add or remove destination and source ports from TCP/UDP/SCTP. Possible values are: add, remove.Optional
icmp_typeSpecifies the ICMP message type, defining the purpose or condition of the message.Optional
icmp_codeIdentifies the variant or additional information for the corresponding ICMP message type.Optional
icmp_versionDetermines the version of the Internet Control Message Protocol, either ICMPv4 or ICMPv6. Possible values are: icmp4, icmp6.Optional
ip_protocolIP protocol number.Optional

Context Output#

PathTypeDescription
Fortigate.Service.Ports.SCTPStringMultiple SCTP port ranges.
Fortigate.Service.Ports.UDPStringMultiple UDP port ranges.
Fortigate.Service.Ports.TCPStringMultiple TCP port ranges.
Fortigate.Service.FQDNStringFully Qualified Domain Name address.
Fortigate.Service.IPRangeStringStart and end of the IP range associated with the service.
Fortigate.Service.ICMPCodeNumberICMP code.
Fortigate.Service.ICMPTypeNumberICMP type.
Fortigate.Service.ProtocolNumberNumberIP protocol number.
Fortigate.Service.NameStringThe service name.

Command example#

!fortigate-update-firewall-service name=playbook-service comment=helloworld

Context Example#

{
"Fortigate": {
"Service": {
"Name": "playbook-service",
"Ports": {
"SCTP": "",
"TCP": "",
"UDP": ""
}
}
}
}

Human Readable Output#

The firewall service 'playbook-service' was successfully updated.#

fortigate-delete-firewall-service#


Delete firewall services. A service is the combination of network protocols and port numbers that define traffic sources or destinations.

Base Command#

fortigate-delete-firewall-service

Input#

Argument NameDescriptionRequired
nameName of the service to delete. Names can be retrieved with the command fortigate-list-firewall-services.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional

Context Output#

PathTypeDescription
Fortigate.Service.NameStringThe name of the deleted service.
Fortigate.Service.DeletedBooleanWhether the service was deleted.

Command example#

!fortigate-delete-firewall-service name=playbook-service

Context Example#

{
"Fortigate": {
"Service": {
"Deleted": true,
"Name": "playbook-service"
}
}
}

Human Readable Output#

The firewall service 'playbook-service' was successfully deleted.#

fortigate-list-firewall-service-groups#


Retrieve firewall service groups. Service groups are collections of predefined services. Service groups can be used as the source and destination of the policy.

Base Command#

fortigate-list-firewall-service-groups

Input#

Argument NameDescriptionRequired
nameName of a specific service group to return.Optional
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/232620/config-firewall-service-group.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/232620/config-firewall-service-group.Optional

Context Output#

PathTypeDescription
Fortigate.ServiceGroup.FabricObjectStringSecurity Fabric global object setting. Can be `enable` or `disable`. If `enable`, the object is set as a security fabric-wide global object, otherwise the object is local to this security fabric member.
Fortigate.ServiceGroup.CommentStringThe object`s comment.
Fortigate.ServiceGroup.ProxyStringEnable/disable web proxy service.
Fortigate.ServiceGroup.NameStringThe service group name.
Frotigate.ServiceGroup.Member.NameStringService objects contained within the group.
Fortigate.ServiceGroup.VDOMStringVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units.

Command example#

!fortigate-list-firewall-service-groups name=playbook-service-group

Context Example#

{
"Fortigate": {
"ServiceGroup": {
"Comment": "",
"FabricObject": "disable",
"Member": {
"Name": [
"playbook-service-1"
]
},
"Name": "playbook-service-group",
"Proxy": "disable",
"VDOM": "root"
}
}
}

Human Readable Output#

Firewall Service Groups#

NameMembers
playbook-service-groupplaybook-service-1

fortigate-create-firewall-service-group#


Create firewall service groups. Service groups are collections of predefined services. Service groups can be used as the source and destination of the policy.

Base Command#

fortigate-create-firewall-service-group

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
nameName of the service group to create.Required
commentA comment for the service group.Optional
membersComma-separated list of service and service group names. Names can be retrieved with the commands fortigate-list-firewall-services and fortigate-list-firewall-service-groups.Required

Context Output#

PathTypeDescription
Fortigate.ServiceGroup.NameStringThe service group name.
Fortigate.ServiceGroup.MembersStringService objects contained within the group.

Command example#

!fortigate-create-firewall-service-group name=playbook-service-group members=playbook-service-1

Context Example#

{
"Fortigate": {
"ServiceGroup": {
"Members": "playbook-service-1",
"Name": "playbook-service-group"
}
}
}

Human Readable Output#

The firewall service group 'playbook-service-group' was successfully created.#

fortigate-update-firewall-service-group#


Update firewall service groups. Service groups are collections of predefined services. Service groups can be used as the source and destination of the policy. New members will override the existing members within the group incase of a conflict.

Base Command#

fortigate-update-firewall-service-group

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
groupNameName of the service group to update. Names can be retrieved with the command fortigate-list-firewall-service-groups.Required
commentA comment for the service group.Optional
serviceNameComma-separated list of service and service group names. Names can be retrieved with the commands fortigate-list-firewall-services and fortigate-list-firewall-service-groups.Optional
actionWhether to add or remove members from the service group. Possible values are: add, remove.Optional

Context Output#

PathTypeDescription
Fortigate.ServiceGroup.NameStringThe service group name.
Fortigate.ServiceGroup.Service.NameStringService objects contained within the group.

Command example#

!fortigate-update-firewall-service-group groupName=playbook-service-group comment=helloworld

Context Example#

{
"Fortigate": {
"ServiceGroup": {
"Name": "playbook-service-group",
"Service": {
"Name": [
"playbook-service-1"
]
}
}
}
}

Human Readable Output#

The firewall service group 'playbook-service-group' was successfully updated.#

fortigate-delete-firewall-service-group#


Delete firewall service groups. Service groups are collections of predefined services. Service groups can be used as the source and destination of the policy.

Base Command#

fortigate-delete-firewall-service-group

Input#

Argument NameDescriptionRequired
groupNameName of the service group to delete. Names can be retrieved with the command fortigate-list-firewall-service-groups.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional

Context Output#

PathTypeDescription
Fortigate.ServiceGroup.NameStringThe name of the deleted service group.
Fortigate.ServiceGroup.DeletedBooleanWhether the service group was deleted.

Command example#

!fortigate-delete-firewall-service-group groupName=playbook-service-group

Context Example#

{
"Fortigate": {
"ServiceGroup": {
"Deleted": true,
"Name": "playbook-service-group"
}
}
}

Human Readable Output#

The firewall service group 'playbook-service-group' was successfully deleted.#

fortigate-list-firewall-policies#


Retrieve firewall policies. Firewall policies dictate the traffic flow and its processing. They are integral to most of the firewall functions, ensuring that every piece of traffic passing through the unit adheres to a specific policy. These policies determine the direction of the traffic, processing method, and its permission to traverse the firewall.

Base Command#

fortigate-list-firewall-policies

Input#

Argument NameDescriptionRequired
policyIDID of a specific policy to return.Optional
policyNameName of a specific policy to return.Optional
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/287620/config-firewall-policy.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/287620/config-firewall-policy.Optional

Context Output#

PathTypeDescription
Fortigate.Policy.ServiceNegateStringWhen enabled specifies what the service must not be.
Fortigate.Policy.Destination6NegateStringWhen enabled, specifies what the destination IPv6 address must not be.
Fortigate.Policy.DestinationNegateStringWhen enabled, specifies what the destination IPv4 address must not be.
Fortigate.Policy.Source6NegateStringWhen enabled, specifies what the source IPv6 address must not be.
Fortigate.Policy.SourceNegateStringWhen enabled, specifies what the source IPv4 address must not be.
Fortigate.Policy.NATStringWhether the source NAT is enabled or disabled.
Fortigate.Policy.LogStartStringWhether recording logs when a session starts is enabled or disabled.
Fortigate.Policy.LogStringAll log sessions or security profile sessions.
Fortigate.Policy.ServiceStringService and service group names.
Fortigate.Policy.Source6StringSource IPv6 address name and address group names.
Fortigate.Policy.Destination6StringDestination IPv6 address name and address group names.
Fortigate.Policy.DestinationStringDestination IPv4 address and address group names.
Fortigate.Policy.SourceStringSource IPv4 address and address group names.
Fortigate.Policy.ActionStringPolicy action (accept/deny/ipsec).
Fortigate.Policy.DestinationInterfaceStringOutgoing (egress) interface.
Fortigate.Policy.SourceInterfaceStringIncoming (ingress) interface.
Fortigate.Policy.UUIDStringUniversally Unique Identifier.
Fortigate.Policy.NameStringThe policy name.
Fortigate.Policy.StatusStringWhether this policy is enabled or disabled.
Fortigate.Policy.IDNumberThe policy ID.
Fortigate.Policy.DescriptionStringThe policy description.
Fortigate.Policy.SecurityStringPolicy attached security profile.
Fortigate.Policy.VDOMStringVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units.
Fortigate.Policy.ScheduleStringThe name of the schedule.

Command example#

!fortigate-list-firewall-policies policyName=playbook-policy-123456789

Context Example#

{
"Fortigate": {
"Policy": {
"Action": "accept",
"Description": "",
"Destination": "playbook-address-ipv4-1",
"Destination6Negate": "disable",
"DestinationInterface": [
"port2"
],
"DestinationNegate": "disable",
"ID": 18,
"Log": "utm",
"LogStart": "disable",
"NAT": "enable",
"Name": "playbook-policy-123456789",
"Schedule": "always",
"Security": [
"no-inspection",
"default",
"single"
],
"Service": [
"playbook-service-1"
],
"ServiceNegate": "disable",
"Source": "playbook-address-ipv4-1",
"Source6Negate": "disable",
"SourceInterface": [
"port1"
],
"SourceNegate": "disable",
"Status": "enable",
"UUID": "cb72f302-aa22-51ee-eef0-cce9ba5b7ad3",
"VDOM": "root"
}
}
}

Human Readable Output#

Firewall Policies#

IDNameFromToSourceDestinationScheduleServiceActionNATSecurity ProfilesLog
18playbook-policy-123456789port1port2playbook-address-ipv4-1playbook-address-ipv4-1alwaysplaybook-service-1acceptenableno-inspection,
default,
single
utm

fortigate-create-firewall-policy#


Create firewall policies. Firewall policies dictate the traffic flow and its processing. They are integral to most of the firewall functions, ensuring that every piece of traffic passing through the unit adheres to a specific policy. These policies determine the direction of the traffic, processing method, and its permission to traverse the firewall.

Base Command#

fortigate-create-firewall-policy

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
policyNameName of the policy to create.Required
descriptionThe policy description.Optional
sourceIntfComma-separated list of incoming (ingress) interfaces.Required
dstIntfComma-separated list of outgoing (egress) interfaces.Required
sourceComma-separated list of source IPv4 address and address group names. Names can be retrieved with the commands fortigate-list-firewall-address-ipv4s, fortigate-list-firewall-address-ipv4-multicasts and fortigate-list-firewall-address-ipv4-groups.Optional
source6Comma-separated list of source IPv6 address name and address group names. Names can be retrieved with the commands fortigate-list-firewall-address-ipv6s, fortigate-list-firewall-address-ipv6-multicasts and fortigate-list-firewall-address-ipv6-groups.Optional
destinationComma-separated list of destination IPv4 address and address group names. Names can be retrieved with the commands fortigate-list-firewall-address-ipv4s, fortigate-list-firewall-address-ipv4-multicasts and fortigate-list-firewall-address-ipv4-groups.Optional
destination6Comma-separated list of destination IPv6 address name and address group names. Names can be retrieved with the commands fortigate-list-firewall-address-ipv6s, fortigate-list-firewall-address-ipv6-multicasts and fortigate-list-firewall-address-ipv6-groups.Optional
negate_source_addressWhen enabled, the source address specifies what the source address must not be. Possible values are: enable, disable.Optional
negate_destination_addressWhen enabled, the destination address specifies what the destination address must not be. Possible values are: enable, disable.Optional
serviceComma-separated list of service and service group names. Names can be retrieved with the commands fortigate-list-firewall-services and fortigate-list-firewall-service-groups.Required
negate_serviceWhen enabled, the service specifies what the service must not be. Possible values are: enable, disable.Optional
actionWhether to accept or deny sessions that match the firewall policy. Possible values are: accept, block.Required
statusEnable or disable this policy. Possible values are: enable, disable. Default is enable.Optional
logEnable or disable logging. Log all sessions or security profile sessions. Possible values are: all, utm, disable. Default is enable.Optional
scheduleThe schedule name. This is a time frame that is applied to the policy. Default is always.Optional
natEnable/disable source Network Address Translation. Possible values are: enable, disable. Default is enable.Optional

Context Output#

PathTypeDescription
Fortigate.Policy.NATStringWhether the source NAT is enabled or disabled.
Fortigate.Policy.LogStringAll log sessions or security profile sessions.
Fortigate.Policy.ServiceStringService and service group names.
Fortigate.Policy.Source.Address6.nameStringSource IPv6 address name and address group names.
Fortigate.Policy.Destination.Address6.nameStringDestination IPv6 address name and address group names.
Fortigate.Policy.Destination.Address.nameStringDestination IPv4 address and address group names.
Fortigate.Policy.Source.Address.nameStringSource IPv4 address and address group names.
Fortigate.Policy.ActionStringPolicy action (accept/deny/ipsec).
Fortigate.Policy.Destination.InterfaceStringOutgoing (egress) interface.
Fortigate.Policy.Source.InterfaceStringIncoming (ingress) interface.
Fortigate.Policy.NameStringThe policy name.
Fortigate.Policy.StatusStringWhether this policy is enabled or disabled.
Fortigate.Policy.DescriptionStringThe policy description.

Command example#

!fortigate-create-firewall-policy policyName=playbook-policy sourceIntf=port1 dstIntf=port2 action=accept service=playbook-service-1 source=playbook-address-ipv4-1 destination=playbook-address-ipv4-2

Context Example#

{
"Fortigate": {
"Policy": {
"Action": "accept",
"Description": null,
"Destination": {
"Address": [
{
"name": "playbook-address-ipv4-2"
}
],
"Address6": [
{
"name": ""
}
],
"Interface": "port2"
},
"Log": "enable",
"NAT": "enable",
"Name": "playbook-policy",
"Service": "playbook-service-1",
"Source": {
"Address": [
{
"name": "playbook-address-ipv4-1"
}
],
"Address6": [
{
"name": ""
}
],
"Interface": "port1"
},
"Status": "enable"
}
}
}

Human Readable Output#

The firewall policy 'playbook-policy' was successfully created.#

fortigate-update-firewall-policy#


Update firewall policies. Firewall policies dictate the traffic flow and its processing. They are integral to most of the firewall functions, ensuring that every piece of traffic passing through the unit adheres to a specific policy. These policies determine the direction of the traffic, processing method, and its permission to traverse the firewall.

Base Command#

fortigate-update-firewall-policy

Input#

Argument NameDescriptionRequired
policyIDID of the policy to update. IDs can be retrieved with the command fortigate-list-firewall-policies.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
fieldField parameter to update. Possible values are: source_interface, destination_interface, description, status, source, destination, service, schedule, action, log, nat, source6, destination6, negate_source, negate_destination, negate_source6, negate_destination6, negate_service.Required
valueValue of the field parameter to update.Required
keep_original_dataWhether to keep the original data or not. Only relevant if the updated field is "source" or "destination". If the supplied value is True, the current data will not be replaced. Instead, the supplied addresses will be added / removed from the existing data. Possible values are: true, false.Optional
add_or_removeWhether to add or remove the supplied addresses from the existing data. Only relevant in case the field to update is "source" or "destination", and keep_original_data is specified to True. Possible values are: add, remove.Optional

Context Output#

PathTypeDescription
Fortigate.Policy.ServiceNegateStringWhen enabled, specifies what the service must not be.
Fortigate.Policy.Destination6NegateStringWhen enabled, specifies what the destination IPv6 address must not be.
Fortigate.Policy.DestinationNegateStringWhen enabled, specifies what the destination IPv4 address must not be.
Fortigate.Policy.Source6NegateStringWhen enabled, specifies what the source IPv6 address must not be.
Fortigate.Policy.SourceNegateStringWhen enabled, specifies what the source IPv4 address must not be.
Fortigate.Policy.NATStringWhether the source NAT is enabled or disabled.
Fortigate.Policy.LogStartStringWhether recording logs when a session starts is enabled or disabled.
Fortigate.Policy.LogStringAll log sessions or security profile sessions.
Fortigate.Policy.ServiceStringService and service group names.
Fortigate.Policy.Source6StringSource IPv6 address name and address group names.
Fortigate.Policy.Destination6StringDestination IPv6 address name and address group names.
Fortigate.Policy.DestinationStringDestination IPv4 address and address group names.
Fortigate.Policy.SourceStringSource IPv4 address and address group names.
Fortigate.Policy.ActionStringPolicy action (accept/deny/ipsec).
Fortigate.Policy.DestinationInterfaceStringOutgoing (egress) interface.
Fortigate.Policy.SourceInterfaceStringIncoming (ingress) interface.
Fortigate.Policy.UUIDStringUniversally Unique Identifier.
Fortigate.Policy.NameStringThe policy name.
Fortigate.Policy.StatusStringWhether this policy is enabled or disabled.
Fortigate.Policy.IDNumberThe policy ID.
Fortigate.Policy.DescriptionStringThe policy description.
Fortigate.Policy.SecurityStringPolicy attached security profile.
Fortigate.Policy.ScheduleStringThe name of the schedule.

Command example#

!fortigate-update-firewall-policy policyID=123456789 field=description value=helloworld

Context Example#

{
"Fortigate": {
"Policy": {
"Action": "accept",
"Description": "helloworld",
"Destination": "playbook-address-ipv4-2",
"Destination6Negate": "disable",
"DestinationInterface": [
"port2"
],
"DestinationNegate": "disable",
"ID": 123456789,
"Log": "utm",
"LogStart": "disable",
"NAT": "enable",
"Name": "playbook-policy-222",
"Schedule": "always",
"Security": [
"no-inspection",
"default",
"single"
],
"Service": [
"playbook-service-1"
],
"ServiceNegate": "disable",
"Source": "playbook-address-ipv4-1",
"Source6Negate": "disable",
"SourceInterface": [
"port1"
],
"SourceNegate": "disable",
"Status": "enable",
"UUID": "8aaa8c5e-aa22-51ee-b28a-472e6447ac59"
}
}
}

Human Readable Output#

The firewall policy '123456789' was successfully updated.#

fortigate-move-firewall-policy#


Move the position of firewall policies. Firewall policies dictate the traffic flow and its processing. They are integral to most of the firewall functions, ensuring that every piece of traffic passing through the unit adheres to a specific policy. These policies determine the direction of the traffic, processing method, and its permission to traverse the firewall.

Base Command#

fortigate-move-firewall-policy

Input#

Argument NameDescriptionRequired
policyIDID of the policy to move. IDs can be retrieved with the command fortigate-list-firewall-policies.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
positionWhether to position the policy before or after its neighbor. Possible values are: before, after.Required
neighborThe ID of the neighbor policy. IDs can be retrieved with the command fortigate-list-firewall-policies.Required

Context Output#

PathTypeDescription
Fortigate.Policy.IDNumberThe policy ID.
Fortigate.Policy.MovedBooleanWhether the policy was moved.

Command example#

!fortigate-move-firewall-policy policyID=123456789 position=after neighbor=1010101

Context Example#

{
"Fortigate": {
"Policy": {
"ID": "123456789",
"Moved": true
}
}
}

Human Readable Output#

The firewall policy '123456789' was successfully moved.#

fortigate-delete-firewall-policy#


Delete firewall policies. Firewall policies dictate the traffic flow and its processing. They are integral to most of the firewall functions, ensuring that every piece of traffic passing through the unit adheres to a specific policy. These policies determine the direction of the traffic, processing method, and its permission to traverse the firewall.

Base Command#

fortigate-delete-firewall-policy

Input#

Argument NameDescriptionRequired
policyIDID of the policy to delete. IDs can be retrieved with the command fortigate-list-firewall-policies.Required
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional

Context Output#

PathTypeDescription
Fortigate.Policy.IDNumberThe policy ID.
Fortigate.Policy.DeletedBooleanWhether the policy was deleted.

Command example#

!fortigate-delete-firewall-policy policyID=123456789

Context Example#

{
"Fortigate": {
"Policy": {
"Deleted": true,
"ID": "123456789"
}
}
}

Human Readable Output#

The firewall policy '123456789' was successfully deleted.#

fortigate-list-system-vdoms#


Retrieve system VDOMs. Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network. Multiple VDOMs can be created and managed as independent units in multi VDOM mode.

Base Command#

fortigate-list-system-vdoms

Input#

Argument NameDescriptionRequired
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/620/config-system-vdom.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment. Reference to possible fields: https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/620/config-system-vdom.Optional

Context Output#

PathTypeDescription
Fortigate.VDOM.VClusterIDNumberVirtual cluster ID.
Fortigate.VDOM.ShortNameStringThe virtual domain short name.
Fortigate.VDOM.NameStringThe virtual domain name.

Command example#

!fortigate-list-system-vdoms

Context Example#

{
"Fortigate": {
"VDOM": {
"Name": "root",
"ShortName": "root",
"VClusterID": 0,
"VDOM": "root"
}
}
}

Human Readable Output#

Virtual Domains#

NameShortNameVClusterID
rootroot0

fortigate-list-banned-ips#


Retrieve Banned IPs. Banned IPs are IP addresses that have been quarantined for a variety of reasons, such as administrative decisions or due to security alerts from services like intrusion prevention systems (IPS), antivirus (AV), and denial-of-service (DoS) mitigation.

Base Command#

fortigate-list-banned-ips

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
filter_fieldSpecifies the field to be searched, such as name or comment, to narrow down the search criteria within the objects. Fields must be written as they are in the raw_response.Optional
filter_valueIndicates the value or partial value, for example Sales, that the API should look for within the specified field to find matching objects.Optional
format_fieldsComma-separated fields to format the API call to display certain information. Fields must be written as they are in the raw_response, for example: name or comment.Optional

Context Output#

PathTypeDescription
Fortigate.BannedIP.IsV6NumberWhether the IP is IPv4 (0) or IPv6 (1).
Fortigate.BannedIP.SourceStringSource of the ban.
Fortigate.BannedIP.IPStringThe IPv4 address.
Fortigate.BannedIP.CreatedNumberDate/time the IP address was added to the banned list.
Fortigate.BannedIP.ExpiresNumberDate/time the IP address expires from the banned list.
Fortigate.BannedIP.VDOMStringVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units.

Command example#

!fortigate-list-banned-ips

Context Example#

{
"Fortigate": {
"BannedIP": [
{
"Created": "2023-12-06 17:44:09",
"Expires": "1970-01-01 00:00:00",
"IP": "0.0.0.0",
"IsV6": 0,
"Source": "Administrative",
"VDOM": "root"
},
{
"Created": "2023-11-27 05:33:32",
"Expires": "1970-01-01 00:00:00",
"IP": "2.2.2.2",
"IsV6": 0,
"Source": "IPS",
"VDOM": "root"
},
{
"Created": "2023-11-27 05:33:41",
"Expires": "1970-01-01 00:00:00",
"IP": "3.3.3.3",
"IsV6": 0,
"Source": "AV",
"VDOM": "root"
},
{
"Created": "2023-11-27 05:33:49",
"Expires": "1970-01-01 00:00:00",
"IP": "4.4.4.4",
"IsV6": 0,
"Source": "DOS",
"VDOM": "root"
},
{
"Created": "2023-11-27 05:34:00",
"Expires": "1970-01-01 00:00:00",
"IP": "5.5.5.5",
"IsV6": 0,
"Source": "Administrative",
"VDOM": "root"
}
]
}
}

Human Readable Output#

Banned IPs#

IPIsV6CreatedExpiresSource
0.0.0.002023-12-06 17:44:091970-01-01 00:00:00Administrative
2.2.2.202023-11-27 05:33:321970-01-01 00:00:00IPS
3.3.3.302023-11-27 05:33:411970-01-01 00:00:00AV
4.4.4.402023-11-27 05:33:491970-01-01 00:00:00DOS
5.5.5.502023-11-27 05:34:001970-01-01 00:00:00Administrative

fortigate-ban-ip#


Ban IPs. Banned IPs are IP addresses that have been quarantined for a variety of reasons, such as administrative decisions or due to security alerts from services like intrusion prevention systems (IPS), antivirus (AV), and denial-of-service (DoS) mitigations.

Base Command#

fortigate-ban-ip

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
ip_addressComma-separated list of IPs to ban. Both IPv4 and IPv6 addresses are supported.Required
expiryTime until the ban expires in seconds. 0 for indefinite ban. Default is 0.Optional

Context Output#

There is no context output for this command.

Command example#

!fortigate-ban-ip ip_address=0.0.0.0 expiry=0

Human Readable Output#

The IPs '0.0.0.0' were successfully banned.#

fortigate-unban-ip#


Unban IPs. Banned IPs are IP addresses that have been quarantined for a variety of reasons, such as administrative decisions or due to security alerts from services like intrusion prevention systems (IPS), antivirus (AV), and denial-of-service (DoS) mitigations.

Base Command#

fortigate-unban-ip

Input#

Argument NameDescriptionRequired
vdomVirtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. Use * to retrieve all virtual domains. VDOMs can be retrieved with the command fortigate-list-system-vdoms. Default is root.Optional
ip_addressComma-separated list of IPs to unban. Both IPv4 and IPv6 addresses are supported. IPs can be retrieved with the command fortigate-list-banned-ips.Required

Context Output#

There is no context output for this command.

Command example#

!fortigate-unban-ip ip_address=0.0.0.0

Human Readable Output#

The IPs '0.0.0.0' were successfully unbanned.#