In this post, we are going to take a brief look at FortiGate and Python from a beginner’s point of view. Today’s networks almost require some knowledge of automation and Python is becoming the de facto standard. Also, it’s becoming more and more prudent for today’s engineers to get a decent grasp of some basic techniques involved with python programming. This will not only make their jobs easier, but to make themselves more marketable. Below we are going to touch on a few introductory examples of how to use Python (specifically the “pyFG” library) with your local FortiGate firewall.
Installation and general Python programming
This post won’t necessarily get into the specifics of installing Python and/or pip, there are many better guides for that. Also, this post will assume you have a very basic knowledge of Python. If not, I highly suggest getting Zed Shaw’s book “Learn Python the Hard Way” and working through that. It is an excellent primer for Python.
Moving on, let’s install the pyFG library. To get the pyFG library on your local machine (Linus and/or MacOS), run:
brandon@echobase:~$ pip install pyFG
Then verify it is installed with:
brandon@echobase:~$ pip list -- edited -- pyfg (0.50)
Alright, now we are ready to start playing around with Python and FortiGates. If you have Windows or are using Anaconda, use the Anaconda package manager to download pyFG.
PyFG is the flagship python library that communicates with FortiOS on the FortiGate firewall. A link to the github repository is here complete with source code and examples. Digging into the repository, there are two main libraries:
We’ll take a look at FortiOS today.
This library consists of the functions and methods to take in variables, open up an SSH connection to your Fortigate (using paramiko), run other functions, and then close up your SSH connection. Let’s start by looking at the initialization function “__init__” of the FortiOS class:
def __init__(self, hostname, vdom=None, username=None, password=None, keyfile=None, timeout=60)
With the “init” function, you can pass the following variables to the FortiOS class:
– hostname (IP address)
– vdom (by default it is “None”)
Let’s do a quick test, start your interactive Python interpreter, open up a connection to our FortiGate and run the command “show sys global”:
>>> from pyFG import FortiOS >>> a=FortiOS('172.16.1.1',username='admin',password='password') >>> a.open() >>> a.execute_command('show sys global') [u' config system global', u' set alias "FGT60AAAAAAAAAAA"', u' set gui-theme mariner', u' set hostname "FGT60E"', u' set switch-controller enable', u' set timezone 12', u'end', u'']
Now, that output is a little gross but you get the idea of using Python to execute a command. Be careful with this one because it will execute any command.
Now let’s try something else. Let’s grab a section of a config and display it (which we can later use). To do this, run the “load_config” function with a “show” command, but omit the word “show”. For instance, “show router static” would just use the string ‘router static’.
>>> a.load_config('router static') >>> print a.running_config.to_text() config router static edit 1 set device "wan2" set gateway 192.168.255.2 next end
There that’s more like it. Don’t forget to close up shop:
Lastly, if you want a cheap way of doing nightly backups, use this script (make sure you update your hostname and credentials):
from pyFG import FortiOS import datetime # Open the SSH connection a = FortiOS('172.16.1.1',username='admin',password='password') a.open() # Run the "show full-configuration" command and store it a.load_config('full') # Name the file with current date filename = 'backup_config_' + datetime.datetime.today().strftime('%Y-%m-%d') #Open the file and write the config f = open(filename,'w') f.write(a.running_config.to_text()) f.close() #close the FortiGate config a.close()
Then you can run a cronjob for this nightly or weekly. Right now, this script takes nearly 10 minutes to run because of an issue with paramiko’s SSH connection to the FortiGate. So if you have hundreds of FortiGates, this will probably not be worth your time. Tracking for the issue is HERE ON GITHUB
We’ll look at more ways to manipulate FortiGate configs with Python in my next post.
As always, please leave me any questions, comments, corrections below.
Thanks for reading.