diff --git a/PowerFGT/Public/cmdb/firewall/policy.ps1 b/PowerFGT/Public/cmdb/firewall/policy.ps1
index 2e155e287..9b753c9ab 100644
--- a/PowerFGT/Public/cmdb/firewall/policy.ps1
+++ b/PowerFGT/Public/cmdb/firewall/policy.ps1
@@ -326,7 +326,7 @@ function Add-FGTFirewallPolicyMember {
 Add a FortiGate Policy Member
 .DESCRIPTION
- Add a FortiGate Policy Member (source or destination address)
+ Add a FortiGate Policy Member (source or destination address/interface)
 .EXAMPLE
 $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
@@ -340,6 +340,17 @@ function Add-FGTFirewallPolicyMember {
 Add MyAddress1 and MyAddress2 member to destination of MyFGTPolicy
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+ PS C:\>$MyFGTPolicy | Add-FGTFirewallPolicyMember -srcintf port1
+
+ Add port1 member to source interface of MyFGTPolicy
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+ PS C:\>$MyFGTPolicy | Add-FGTFirewallPolicyMember -dstintf port2
+
+ Add port2 member to destination interface of MyFGTPolicy
 #>
 [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'low')]
@@ -350,8 +361,12 @@ function Add-FGTFirewallPolicyMember {
 [Parameter(Mandatory = $false)]
 [string[]]$srcaddr,
 [Parameter(Mandatory = $false)]
+ [string[]]$srcintf,
+ [Parameter(Mandatory = $false)]
 [string[]]$dstaddr,
 [Parameter(Mandatory = $false)]
+ [string[]]$dstintf,
+ [Parameter(Mandatory = $false)]
 [String[]]$vdom,
 [Parameter(Mandatory = $false)]
 [psobject]$connection = $DefaultFGTConnection
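Review bot: The new .EXAMPLE entries and the .DESCRIPTION at the -326 hunk never say what happens when the policy currently matches `any`; in the -390 and -409 hunks an `any` entry is dropped and replaced by the supplied list, so a call that reads as "add port1" actually narrows what the policy matches. One sentence in .DESCRIPTION would make this explicit, e.g. `If the policy currently uses any (interface) or all (address), that entry is replaced by the given members rather than extended.` Add-FGTFirewallPolicyMember's body runs past these hunks.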
@@ -390,6 +405,25 @@ function Add-FGTFirewallPolicyMember {
 $_policy | add-member -name "srcaddr" -membertype NoteProperty -Value $members
 }
+ if ( $PsBoundParameters.ContainsKey('srcintf') ) {
+
+ if ($policy.srcintf.name -eq "any") {
+ #any => create new empty array members
+ $members = @()
+ }
+ else {
+ #Add member to existing source interface
+ $members = $policy.srcintf
+ }
+
+ foreach ( $member in $srcintf ) {
+ $member_name = @{ }
+ $member_name.add( 'name', $member)
+ $members += $member_name
+ }
+ $_policy | add-member -name "srcintf" -membertype NoteProperty -Value $members
+ }
+
 if ( $PsBoundParameters.ContainsKey('dstaddr') ) {
 if ($policy.dstaddr.name -eq "all") {
@@ -409,6 +443,25 @@ function Add-FGTFirewallPolicyMember {
 $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members
 }
+ if ( $PsBoundParameters.ContainsKey('dstintf') ) {
+
+ if ($policy.dstintf.name -eq "any") {
+ #any => create new empty array members
+ $members = @()
+ }
+ else {
+ #Add member to existing source interface
+ $members = $policy.dstintf
+ }
+
+ foreach ( $member in $dstintf ) {
+ $member_name = @{ }
+ $member_name.add( 'name', $member)
+ $members += $member_name
+ }
+ $_policy | add-member -name "dstintf" -membertype NoteProperty -Value $members
+ }
+
 if ($PSCmdlet.ShouldProcess($policy.name, 'Add Firewall Policy Group Member')) {
 Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null
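Review bot: The comment in the new dstintf block reads `#Add member to existing source interface` although that block handles the destination side; it should be `#Add member to existing destination interface`. Neither new block checks whether a requested name is already present, so re-adding an interface sends a duplicate entry in the PUT body; FortiGate presumably rejects it, but a guard such as `if ($members.name -contains $member) { continue }` before the hashtable is built would make the cmdlet idempotent. The srcintf/dstintf blocks also repeat the srcaddr/dstaddr blocks above them almost line for line, so a private helper taking the property name and its wildcard value (`any`/`all`) would leave one copy to maintain. The enclosing function continues outside both hunks.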
@@ -963,19 +1016,31 @@ function Remove-FGTFirewallPolicyMember {
 Remove a FortiGate Policy Member
 .DESCRIPTION
- Remove a FortiGate Policy Member (source or destination address)
+ Remove a FortiGate Policy Member (source or destination address/interface)
 .EXAMPLE
- $MyFGTPolicy = Get-FGTFirewallPolicyGroup -name MyFGTPolicy
- PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyGroupMember -member MyAddress1
+ $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+ PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -srcaddr MyAddress1
- Remove MyAddress1 member to MyFGTPolicy
+ Remove source MyAddress1 member to MyFGTPolicy
 .EXAMPLE
- $MyFGTPolicy = Get-FGTFirewallPolicyGroup -name MyFGTPolicy
- PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyGroupMember -member MyAddress1, MyAddress2
+ $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+ PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -dstaddr MyAddress1, MyAddress2
+
+ Remove destination MyAddress1 and MyAddress2 member to MyFGTPolicy
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+ PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -srcintf port1
+
+ Remove port1 member to source interface of MyFGTPolicy
- Remove MyAddress1 and MyAddress2 member to MyFGTPolicy
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+ PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -dstintf port2
+
+ Remove port2 member to destination interface of MyFGTPolicy
 #>
@@ -987,8 +1052,12 @@ function Remove-FGTFirewallPolicyMember {
 [Parameter(Mandatory = $false)]
 [string[]]$srcaddr,
 [Parameter(Mandatory = $false)]
+ [string[]]$srcintf,
+ [Parameter(Mandatory = $false)]
 [string[]]$dstaddr,
 [Parameter(Mandatory = $false)]
+ [string[]]$dstintf,
+ [Parameter(Mandatory = $false)]
 [String[]]$vdom,
 [Parameter(Mandatory = $false)]
 [psobject]$connection = $DefaultFGTConnection
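Review bot: The rewritten .EXAMPLE text says "Remove source MyAddress1 member to MyFGTPolicy" and "Remove destination MyAddress1 and MyAddress2 member to MyFGTPolicy"; both should read `from MyFGTPolicy`. The help also does not mention that the cmdlet refuses to empty a list: per the -1025, -1053 and -1064 hunks a request that would remove every member throws and points the caller to Set-FGTFirewallPolicy, which deserves a sentence in .DESCRIPTION such as `Removing the last remaining member is rejected; use Set-FGTFirewallPolicy to replace the whole list.` Remove-FGTFirewallPolicyMember's body continues outside these hunks.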
@@ -1025,7 +1094,7 @@ function Remove-FGTFirewallPolicyMember {
 #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
 if ( $members.count -eq 0 ) {
- Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Address Group"
+ Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Source Address"
 }
 #if there is only One or less member force to be an array
@@ -1053,7 +1122,7 @@ function Remove-FGTFirewallPolicyMember {
 #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
 if ( $members.count -eq 0 ) {
- Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Address Group"
+ Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Destination Address"
 }
 #if there is only One or less member force to be an array
@@ -1064,6 +1133,63 @@ function Remove-FGTFirewallPolicyMember {
 $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members
 }
+ if ( $PsBoundParameters.ContainsKey('srcintf') ) {
+ #Create a new source addrarray
+ $members = @()
+ foreach ($m in $policy.srcintf) {
+ $member_name = @{ }
+ $member_name.add( 'name', $m.name)
+ $members += $member_name
+ }
+
+ #Remove member
+ foreach ($remove_member in $srcintf) {
+ #May be a better (and faster) solution...
+ $members = $members | Where-Object { $_.name -ne $remove_member }
+ }
+
+ #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
+ if ( $members.count -eq 0 ) {
+ Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Source interface"
+ }
+
+ #if there is only One or less member force to be an array
+ if ( $members.count -le 1 ) {
+ $members = @($members)
+ }
+
+ $_policy | add-member -name "srcintf" -membertype NoteProperty -Value $members
+ }
+
+ if ( $PsBoundParameters.ContainsKey('dstintf') ) {
+ #Create a new source addrarray
+ $members = @()
+ foreach ($m in $policy.dstintf) {
+ $member_name = @{ }
+ $member_name.add( 'name', $m.name)
+ $members += $member_name
+ }
+
+ #Remove member
+ foreach ($remove_member in $dstintf) {
+ #May be a better (and faster) solution...
+ $members = $members | Where-Object { $_.name -ne $remove_member }
+ }
+
+ #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
+ if ( $members.count -eq 0 ) {
+ Throw "You can't remove all members.
Use Set-FGTFirewallPolicy to remove Destination Interface"
+ }
+
+ #if there is only One or less member force to be an array
+ if ( $members.count -le 1 ) {
+ $members = @($members)
+ }
+
+ $_policy | add-member -name "dstintf" -membertype NoteProperty -Value $members
+ }
+
+
 if ($PSCmdlet.ShouldProcess($policy.name, 'Remove Firewall Policy Group Member')) {
 Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null
diff --git a/Tests/integration/FirewallPolicy.Tests.ps1 b/Tests/integration/FirewallPolicy.Tests.ps1
index 575528be5..8df97a03a 100644
--- a/Tests/integration/FirewallPolicy.Tests.ps1
+++ b/Tests/integration/FirewallPolicy.Tests.ps1
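Review bot: The comment `#Create a new source addrarray` was copied into both new blocks and fits neither: they build interface arrays, and the second one is for the destination side, so `#Create a new source interface array` and `#Create a new destination interface array` would match the code. The throw messages are also inconsistently cased (`Source interface` here, `Destination Interface` in the second block, `Source Address`/`Destination Address` in the -1025 and -1053 hunks), and the tests at the -1635 and -1685 hunks expect `Source interface` / `Destination interface`, which as far as I recall pass only because Pester's message match is case-insensitive; one casing throughout removes that dependency. Finally the Where-Object loop silently succeeds when a requested name is not in the list, so a mistyped interface leaves the policy unchanged with no signal; comparing `$members.count` before and after each `$remove_member` and emitting `Write-Warning` when nothing was removed would surface that. Remove-FGTFirewallPolicyMember's body continues outside this hunk.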
@@ -1032,6 +1032,140 @@ Describe "Add Firewall Policy Member" {
 }
 }
+ Context "Add Member(s) to Source Interface" {
+
+ It "Add 1 member to Policy Src Interface $pester_port1 (with any before)" {
+ $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf any -dstintf $pester_port2 -srcaddr all -dstaddr all
+ @($p).count | Should -Be "1"
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -srcintf $pester_port1
+ $policy = Get-FGTFirewallPolicy -name $pester_policy1
+ $policy.name | Should -Be $pester_policy1
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ $policy.srcintf.name | Should -Be $pester_port1
+ $policy.dstintf.name | Should -Be $pester_port2
+ ($policy.srcintf.name).count | Should -Be "1"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"x
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.nat | Should -Be "disable"
+ $policy.logtraffic | Should -Be "utm"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Add 2 members to Policy Src Interface $pester_port1, $pester_port3 (with any before)" {
+ $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf any -dstintf $pester_port2 -srcaddr all -dstaddr all
+ @($p).count | Should -Be "1"
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -srcintf $pester_port3, $pester_port4
+ $policy = Get-FGTFirewallPolicy -name $pester_policy1
+ $policy.name | Should -Be $pester_policy1
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ $policy.srcintf.name | Should -Be $pester_port3, $pester_port4
+ $policy.dstintf.name | Should -Be $pester_port2
+ ($policy.srcintf.name).count | Should -Be "2"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"x
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be
"always"
+ $policy.nat | Should -Be "disable"
+ $policy.logtraffic | Should -Be "utm"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Add 1 member to Policy Src Interface $pester_port3 (with $pester_port1 before)" {
+ $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf $pester_port2 -srcaddr all -dstaddr all
+ @($p).count | Should -Be "1"
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -srcintf $pester_port3
+ $policy = Get-FGTFirewallPolicy -name $pester_policy1
+ $policy.name | Should -Be $pester_policy1
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ $policy.srcintf.name | Should -Be $pester_port1, $pester_port3
+ $policy.dstintf.name | Should -Be $pester_port2
+ ($policy.srcintf.name).count | Should -Be "2"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"x
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.nat | Should -Be "disable"
+ $policy.logtraffic | Should -Be "utm"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ }
+
+ Context "Add Member(s) to Destination Interface" {
+
+ It "Add 1 member to Policy Dst Interface $pester_port2 (with any before)" {
+ $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf any -srcaddr all -dstaddr all
+ @($p).count | Should -Be "1"
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -dstintf $pester_port2
+ $policy = Get-FGTFirewallPolicy -name $pester_policy1
+ $policy.name | Should -Be $pester_policy1
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ $policy.srcintf.name | Should -Be $pester_port1
+ $policy.dstintf.name | Should -Be $pester_port2
+ ($policy.dstintf.name).count | Should -Be "1"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+
$policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.nat | Should -Be "disable"
+ $policy.logtraffic | Should -Be "utm"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Add 2 members to Policy Dst Interface $pester_port2, $pester_port4 (with any before)" {
+ $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf any -srcaddr all -dstaddr all
+ @($p).count | Should -Be "1"
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -dstintf $pester_port2, $pester_port4
+ $policy = Get-FGTFirewallPolicy -name $pester_policy1
+ $policy.name | Should -Be $pester_policy1
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ $policy.srcintf.name | Should -Be $pester_port1
+ $policy.dstintf.name | Should -BeIn $pester_port2, $pester_port4
+ ($policy.dstintf.name).count | Should -Be "2"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.nat | Should -Be "disable"
+ $policy.logtraffic | Should -Be "utm"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Add 1 member to Policy Dst Interface $pester_port4 (with $pester_port2 before)" {
+ $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf $pester_port2 -srcaddr all -dstaddr all
+ @($p).count | Should -Be "1"
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -dstintf $pester_port4
+ $policy = Get-FGTFirewallPolicy -name $pester_policy1
+ $policy.name | Should -Be $pester_policy1
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ $policy.srcintf.name | Should -Be $pester_port1
+ $policy.dstintf.name | Should -Be $pester_port2, $pester_port4
+ ($policy.dstintf.name).count | Should -Be "2"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should
-Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.nat | Should -Be "disable"
+ $policy.logtraffic | Should -Be "utm"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ }
+
 AfterAll {
 Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false
 Get-FGTFirewallAddress -name $pester_address2 | Remove-FGTFirewallAddress -confirm:$false
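Review bot: Three of the new assertions read `$policy.status | Should -Be "enable"x` (both Src Interface "with any before" tests and the "$pester_port3 (with $pester_port1 before)" test); in command argument mode PowerShell concatenates the quoted string with the trailing bareword, so as far as I can tell the expected value becomes `enablex` and those checks fail, and the stray `x` should go: `$policy.status | Should -Be "enable"`. The second test's title names `$pester_port1, $pester_port3` while its body adds `$pester_port3, $pester_port4`; the title should match what is exercised. Multi-value checks are also written inconsistently, `Should -Be $a, $b` in some tests and `Should -BeIn` in others, and picking one form would make the intended comparison clearer.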
@@ -1635,7 +1769,58 @@ Describe "Remove Firewall Policy Member" {
 It "Try Remove 3 members to Policy Src Address $pester_address1, $pester_address2, $pester_address3 (with 3 members before)" {
 {
 Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -srcaddr $pester_address1, $pester_address2, $pester_address3
- } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Address Group"
+ } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Source Address"
+ }
+
+ }
+
+ Context "Remove Member(s) to Source Interface" {
+ BeforeEach {
+ Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1, $pester_port2, $pester_port3 -dstintf $pester_port4 -srcaddr all -dstaddr all
+ }
+
+ It "Remove 1 member to Policy Src Interface $pester_port1 (with 3 members before)" {
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -srcintf $pester_port1
+ $policy = Get-FGTFirewallPolicy -name $pester_policy1
+ $policy.name | Should -Be $pester_policy1
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ $policy.srcintf.name | Should -BeIn $pester_port2, $pester_port3
+ ($policy.srcintf.name).count | Should -Be "2"
+ $policy.dstintf.name | Should -Be $pester_port4
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.nat | Should -Be "disable"
+ $policy.logtraffic | Should -Be "utm"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Remove 2 members to Policy Src Interface $pester_port1, $pester_port2 (with 3 members before)" {
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -srcintf $pester_port1, $pester_port2
+ $policy = Get-FGTFirewallPolicy -name $pester_policy1
+ $policy.name | Should -Be $pester_policy1
+ $policy.uuid | Should -Not
-BeNullOrEmpty
+ $policy.srcintf.name | Should -BeIn $pester_port3
+ $policy.dstintf.name | Should -Be $pester_port4
+ ($policy.srcaddr.name).count | Should -Be "1"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.nat | Should -Be "disable"
+ $policy.logtraffic | Should -Be "utm"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Try Remove 3 members to Policy Src Address $pester_port1, $pester_port2, $pester_port3 (with 3 members before)" {
+ {
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -srcintf $pester_port1, $pester_port2, $pester_port3
+ } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Source interface"
 }
 }
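Review bot: In "Remove 2 members to Policy Src Interface ...", the count assertion reads `($policy.srcaddr.name).count | Should -Be "1"`, which checks the address list (always `all` in this fixture) instead of the interface list that the test changed; it should be `($policy.srcintf.name).count | Should -Be "1"` so that the test actually verifies one interface remains. The last test's title says "Policy Src Address" although it exercises -srcintf, and renaming it "Policy Src Interface" keeps the test report consistent with the Destination context.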
@@ -1685,7 +1870,58 @@ Describe "Remove Firewall Policy Member" {
 It "Try Remove 3 members to Policy Dst Address $pester_address1, $pester_address2, $pester_address3 (with 3 members before)" {
 {
 Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -dstaddr $pester_address1, $pester_address2, $pester_address3
- } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Address Group"
+ } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Destination Address"
+ }
+
+ }
+
+ Context "Remove Member(s) to Destination Interface" {
+ BeforeEach {
+ Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port4 -dstintf $pester_port1, $pester_port2, $pester_port3 -srcaddr all -dstaddr all
+ }
+
+ It "Remove 1 member to Policy Dst Interface $pester_port1 (with 3 members before)" {
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -dstintf $pester_port1
+ $policy = Get-FGTFirewallPolicy -name $pester_policy1
+ $policy.name | Should -Be $pester_policy1
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ $policy.srcintf.name | Should -Be $pester_port4
+ $policy.dstintf.name | Should -BeIn $pester_port2, $pester_port3
+ ($policy.dstintf.name).count | Should -Be "2"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.nat | Should -Be "disable"
+ $policy.logtraffic | Should -Be "utm"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Remove 2 members to Policy Dst Address $pester_port1, $pester_port2 (with 3 members before)" {
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -dstintf $pester_port1, $pester_port2
+ $policy = Get-FGTFirewallPolicy -name $pester_policy1
+ $policy.name | Should -Be $pester_policy1
+ $policy.uuid | Should -Not
-BeNullOrEmpty
+ $policy.srcintf.name | Should -Be $pester_port4
+ $policy.dstintf.name | Should -BeIn $pester_port3
+ ($policy.dstintf.name).count | Should -Be "1"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.nat | Should -Be "disable"
+ $policy.logtraffic | Should -Be "utm"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Try Remove 3 members to Policy Dst Address $pester_port1, $pester_port2, $pester_port3 (with 3 members before)" {
+ {
+ Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -dstintf $pester_port1, $pester_port2, $pester_port3
+ } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Destination interface"
 }
 }
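Review bot: The second and third test titles in the Destination Interface context say "Policy Dst Address" although both exercise -dstintf; renaming them to "Policy Dst Interface" keeps the test report accurate and mirrors the first test of the context. The "Remove 2 members" test does check `($policy.dstintf.name).count`, which is the right property, so the Source Interface context at the -1635 hunk should be brought in line with it rather than the other way round.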