From 0bb9d65e8994cf8dbc711efabae1fe10a738345e Mon Sep 17 00:00:00 2001
From: Alexis La Goutte
Date: Tue, 7 Jan 2025 18:35:28 +0100
Subject: [PATCH 1/7] policy: Add srcintf for Add-FGTFirewallPolicyMember
---
PowerFGT/Public/cmdb/firewall/policy.ps1 | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/PowerFGT/Public/cmdb/firewall/policy.ps1 b/PowerFGT/Public/cmdb/firewall/policy.ps1
index 2e155e287..e2c7f21af 100644
--- a/PowerFGT/Public/cmdb/firewall/policy.ps1
+++ b/PowerFGT/Public/cmdb/firewall/policy.ps1
@@ -350,6 +350,8 @@ function Add-FGTFirewallPolicyMember {
 [Parameter(Mandatory = $false)]
 [string[]]$srcaddr,
 [Parameter(Mandatory = $false)]
+ [string[]]$srcintf,
+ [Parameter(Mandatory = $false)]
 [string[]]$dstaddr,
 [Parameter(Mandatory = $false)]
 [String[]]$vdom,
@@ -390,6 +392,25 @@ function Add-FGTFirewallPolicyMember {
 $_policy | add-member -name "srcaddr" -membertype NoteProperty -Value $members
 }
+ if ( $PsBoundParameters.ContainsKey('srcintf') ) {
+
+ if ($policy.srcintf.name -eq "all") {
+ #all => create new empty array members
+ $members = @()
+ }
+ else {
+ #Add member to existing source interface
+ $members = $policy.srcintf
+ }
+
+ foreach ( $member in $srcintf ) {
+ $member_name = @{ }
+ $member_name.add( 'name', $member)
+ $members += $member_name
+ }
+ $_policy | add-member -name "srcintf" -membertype NoteProperty -Value $members
+ }
+
 if ( $PsBoundParameters.ContainsKey('dstaddr') ) {
 if ($policy.dstaddr.name -eq "all") {
From e845c2325f9be51b7b27b75d253eb2d97bc1cce1 Mon Sep 17 00:00:00 2001
From: Alexis La Goutte
Date: Wed, 8 Jan 2025 17:00:47 +0100
Subject: [PATCH 2/7] policy: Add dstinf for Add-FGTFIrewallPolicyMember
---
PowerFGT/Public/cmdb/firewall/policy.ps1 | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/PowerFGT/Public/cmdb/firewall/policy.ps1 b/PowerFGT/Public/cmdb/firewall/policy.ps1
index e2c7f21af..7bc7d78c6 100644
--- a/PowerFGT/Public/cmdb/firewall/policy.ps1
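Review bot: Nothing in the new `foreach ( $member in $srcintf )` loop checks whether the interface is already present in `$members`, so adding a name the policy already carries sends a duplicate `name` entry in the PUT body; the `dstintf` block of the following patch has the same gap. A one-line guard before the hashtable is built avoids it: `if ($members.name -contains $member) { continue }`. Whether FortiGate rejects or silently de-duplicates such an entry is not visible here, so an explicit check is the safer contract. Add-FGTFirewallPolicyMember's body continues outside the hunk.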
+++ b/PowerFGT/Public/cmdb/firewall/policy.ps1
@@ -354,6 +354,8 @@ function Add-FGTFirewallPolicyMember {
 [Parameter(Mandatory = $false)]
 [string[]]$dstaddr,
 [Parameter(Mandatory = $false)]
+ [string[]]$dstintf,
+ [Parameter(Mandatory = $false)]
 [String[]]$vdom,
 [Parameter(Mandatory = $false)]
 [psobject]$connection = $DefaultFGTConnection
@@ -430,6 +432,25 @@ function Add-FGTFirewallPolicyMember {
 $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members
 }
+ if ( $PsBoundParameters.ContainsKey('dstintf') ) {
+
+ if ($policy.dstintf.name -eq "all") {
+ #all => create new empty array members
+ $members = @()
+ }
+ else {
+ #Add member to existing source interface
+ $members = $policy.dstintf
+ }
+
+ foreach ( $member in $dstintf ) {
+ $member_name = @{ }
+ $member_name.add( 'name', $member)
+ $members += $member_name
+ }
+ $_policy | add-member -name "dstintf" -membertype NoteProperty -Value $members
+ }
+
 if ($PSCmdlet.ShouldProcess($policy.name, 'Add Firewall Policy Group Member')) {
 Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null
From 93292ddd62311e9394b698e6c3ffcb1aadf0f6ed Mon Sep 17 00:00:00 2001
From: Alexis La Goutte
Date: Wed, 8 Jan 2025 21:11:18 +0100
Subject: [PATCH 3/7] Policy(Tests): Add tests for Add src/dst interface
---
Tests/integration/FirewallPolicy.Tests.ps1 | 92 ++++++++++++++++++++++
1 file changed, 92 insertions(+)
diff --git a/Tests/integration/FirewallPolicy.Tests.ps1 b/Tests/integration/FirewallPolicy.Tests.ps1
index 575528be5..402e106ff 100644
--- a/Tests/integration/FirewallPolicy.Tests.ps1
+++ b/Tests/integration/FirewallPolicy.Tests.ps1
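Review bot: The comment `#Add member to existing source interface` in the new `dstintf` block is carried over from the `srcintf` block and describes the wrong field; it should read `#Add member to existing destination interface`. Apart from the property name the two blocks are line-for-line identical, which suggests a small private helper taking the property name would remove both the duplication and the copy-paste risk. The enclosing function starts outside the hunk.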
@@ -1032,6 +1032,98 @@ Describe "Add Firewall Policy Member" { } } + Context "Add Member(s) to Source Interface" { + + It "Add 1 member to Policy Src Interface $pester_port3 (with $pester_port1 before)" { + $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf $pester_port2 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -srcintf $pester_port3 + $policy = Get-FGTFirewallPolicy -name $pester_policy1 + $policy.name | Should -Be $pester_policy1 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.srcintf.name | Should -Be $pester_port1, $pester_port3 + $policy.dstintf.name | Should -Be $pester_port2 + ($policy.srcintf.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable"x + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.nat | Should -Be "disable" + $policy.logtraffic | Should -Be "utm" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Src Interface $pester_port3, $pester_port4 (with $pester_port1 before)" { + $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf $pester_port2 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -srcintf $pester_port3, $pester_port4 + $policy = Get-FGTFirewallPolicy -name $pester_policy1 + $policy.name | Should -Be $pester_policy1 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.srcintf.name | Should -Be $pester_port1, $pester_port3, $pester_port4 + $policy.dstintf.name | Should -Be $pester_port2 + ($policy.srcintf.name).count | Should -Be "3" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable"x + 
$policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.nat | Should -Be "disable" + $policy.logtraffic | Should -Be "utm" + $policy.comments | Should -BeNullOrEmpty + } + + } + + Context "Add Member(s) to Destination Interface" { + + It "Add 1 member to Policy Dst Interface $pester_port4 (with $pester_port2 before)" { + $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf $pester_port2 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -dstintf $pester_port4 + $policy = Get-FGTFirewallPolicy -name $pester_policy1 + $policy.name | Should -Be $pester_policy1 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.srcintf.name | Should -Be $pester_port1 + $policy.dstintf.name | Should -Be $pester_port2, $pester_port4 + ($policy.dstintf.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.nat | Should -Be "disable" + $policy.logtraffic | Should -Be "utm" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Dst Interface $pester_port4, $pester_port3 (with $pester_port2 before)" { + $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf $pester_port2 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -dstintf $pester_port4, $pester_port3 + $policy = Get-FGTFirewallPolicy -name $pester_policy1 + $policy.name | Should -Be $pester_policy1 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.srcintf.name | Should -Be $pester_port1 + $policy.dstintf.name | Should -BeIn $pester_port2, $pester_port3, $pester_port4 + ($policy.dstintf.name).count | Should -Be "3" + 
$policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.nat | Should -Be "disable" + $policy.logtraffic | Should -Be "utm" + $policy.comments | Should -BeNullOrEmpty + } + + } + AfterAll { Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false Get-FGTFirewallAddress -name $pester_address2 | Remove-FGTFirewallAddress -confirm:$false From 7c738ee84942aecf0412ef8555845c87a7a006f1 Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Wed, 8 Jan 2025 21:18:15 +0100 Subject: [PATCH 4/7] Policy(Member): Add .EXAMPLE to add source or destination interface --- PowerFGT/Public/cmdb/firewall/policy.ps1 | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/PowerFGT/Public/cmdb/firewall/policy.ps1 b/PowerFGT/Public/cmdb/firewall/policy.ps1 index 7bc7d78c6..02a9e6cf9 100644 --- a/PowerFGT/Public/cmdb/firewall/policy.ps1 +++ b/PowerFGT/Public/cmdb/firewall/policy.ps1 @@ -326,7 +326,7 @@ function Add-FGTFirewallPolicyMember { Add a FortiGate Policy Member .DESCRIPTION - Add a FortiGate Policy Member (source or destination address) + Add a FortiGate Policy Member (source or destination address/interface) .EXAMPLE $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy 
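Review bot: `$policy.status | Should -Be "enable"x` in both Source Interface tests carries a stray `x` after the closing quote; as far as I can tell PowerShell's argument mode reads this as the single token `enablex` (and would otherwise reject the line), so the assertion cannot match the `enable` value the Destination Interface tests in the same hunk check against. The same stray character survives in the rewritten Source Interface tests of patch 5. The fix is `$policy.status | Should -Be "enable"`.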
@@ -340,6 +340,17 @@ function Add-FGTFirewallPolicyMember { Add MyAddress1 and MyAddress2 member to destination of MyFGTPolicy + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy + PS C:\>$MyFGTPolicy | Add-FGTFirewallPolicyMember -srcintf port1 + + Add port1 member to source interface of MyFGTPolicy + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy + PS C:\>$MyFGTPolicy | Add-FGTFirewallPolicyMember -dstintf port2 + + Add port2 member to destination interface of MyFGTPolicy #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'low')] From f724674e0569a9d62d55de09f7becb746aadc7af Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Mon, 13 Jan 2025 18:16:08 +0100 Subject: [PATCH 5/7] Policy: Fix when add Policy Member type interface (dst or src) When the initial interface is any... --- PowerFGT/Public/cmdb/firewall/policy.ps1 | 8 +-- Tests/integration/FirewallPolicy.Tests.ps1 | 76 +++++++++++++++++----- 2 files changed, 63 insertions(+), 21 deletions(-) diff --git a/PowerFGT/Public/cmdb/firewall/policy.ps1 b/PowerFGT/Public/cmdb/firewall/policy.ps1 index 02a9e6cf9..05c19f9d8 100644 --- a/PowerFGT/Public/cmdb/firewall/policy.ps1 +++ b/PowerFGT/Public/cmdb/firewall/policy.ps1 @@ -407,8 +407,8 @@ function Add-FGTFirewallPolicyMember { if ( $PsBoundParameters.ContainsKey('srcintf') ) { - if ($policy.srcintf.name -eq "all") { - #all => create new empty array members + if ($policy.srcintf.name -eq "any") { + #any => create new empty array members $members = @() } else { @@ -445,8 +445,8 @@ function Add-FGTFirewallPolicyMember { if ( $PsBoundParameters.ContainsKey('dstintf') ) { - if ($policy.dstintf.name -eq "all") { - #all => create new empty array members + if ($policy.dstintf.name -eq "any") { + #any => create new empty array members $members = @() } else { diff --git a/Tests/integration/FirewallPolicy.Tests.ps1 b/Tests/integration/FirewallPolicy.Tests.ps1 index 402e106ff..a31a3f1be 100644 
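Review bot: The `-eq "any"` test only covers `any` as the existing value; the reverse case, a caller passing `any` in `$srcintf` while the policy already lists named interfaces, is not rejected, and the loop below the hunk would append it next to them. Whether FortiGate accepts such a mix is not visible here, but if it does the policy is silently widened to every interface, which a cmdlet that "adds a member" should not do implicitly. A guard such as `if ($srcintf -contains 'any') { Throw "Use Set-FGTFirewallPolicy to set srcintf to any" }` before the branch makes the intent explicit; the `dstintf` hunk needs the same. The enclosing function starts and ends outside the hunk.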
--- a/Tests/integration/FirewallPolicy.Tests.ps1 +++ b/Tests/integration/FirewallPolicy.Tests.ps1 
@@ -1032,16 +1032,37 @@ Describe "Add Firewall Policy Member" { } } - Context "Add Member(s) to Source Interface" { + Context "Add Member(s) to Source Interface" { - It "Add 1 member to Policy Src Interface $pester_port3 (with $pester_port1 before)" { - $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf $pester_port2 -srcaddr all -dstaddr all + It "Add 1 member to Policy Src Interface $pester_port1 (with any before)" { + $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf any -dstintf $pester_port2 -srcaddr all -dstaddr all @($p).count | Should -Be "1" - Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -srcintf $pester_port3 + Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -srcintf $pester_port1 $policy = Get-FGTFirewallPolicy -name $pester_policy1 $policy.name | Should -Be $pester_policy1 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.srcintf.name | Should -Be $pester_port1, $pester_port3 + $policy.srcintf.name | Should -Be $pester_port1 + $policy.dstintf.name | Should -Be $pester_port2 + ($policy.srcintf.name).count | Should -Be "1" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable"x + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.nat | Should -Be "disable" + $policy.logtraffic | Should -Be "utm" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Src Interface $pester_port1, $pester_port3 (with any before)" { + $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf any -dstintf $pester_port2 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -srcintf $pester_port3, $pester_port4 + $policy = Get-FGTFirewallPolicy -name $pester_policy1 + $policy.name | Should -Be $pester_policy1 + $policy.uuid | Should -Not 
-BeNullOrEmpty + $policy.srcintf.name | Should -Be $pester_port3, $pester_port4 $policy.dstintf.name | Should -Be $pester_port2 ($policy.srcintf.name).count | Should -Be "2" $policy.srcaddr.name | Should -Be "all" @@ -1055,16 +1076,16 @@ Describe "Add Firewall Policy Member" { $policy.comments | Should -BeNullOrEmpty } - It "Add 2 members to Policy Src Interface $pester_port3, $pester_port4 (with $pester_port1 before)" { + It "Add 1 member to Policy Src Interface $pester_port3 (with $pester_port1 before)" { $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf $pester_port2 -srcaddr all -dstaddr all @($p).count | Should -Be "1" - Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -srcintf $pester_port3, $pester_port4 + Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -srcintf $pester_port3 $policy = Get-FGTFirewallPolicy -name $pester_policy1 $policy.name | Should -Be $pester_policy1 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.srcintf.name | Should -Be $pester_port1, $pester_port3, $pester_port4 + $policy.srcintf.name | Should -Be $pester_port1, $pester_port3 $policy.dstintf.name | Should -Be $pester_port2 - ($policy.srcintf.name).count | Should -Be "3" + ($policy.srcintf.name).count | Should -Be "2" $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" 
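Review bot: The title of the second rewritten test, `Add 2 members to Policy Src Interface $pester_port1, $pester_port3 (with any before)`, does not match its body, which adds `$pester_port3, $pester_port4` and asserts `$pester_port3, $pester_port4`. Either the title should name `$pester_port3, $pester_port4` or the body should use `$pester_port1, $pester_port3` throughout; test names are what appear in the report, so a mismatch makes a failure here hard to trace.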
@@ -1080,15 +1101,36 @@ Describe "Add Firewall Policy Member" { Context "Add Member(s) to Destination Interface" { - It "Add 1 member to Policy Dst Interface $pester_port4 (with $pester_port2 before)" { - $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf $pester_port2 -srcaddr all -dstaddr all + It "Add 1 member to Policy Dst Interface $pester_port2 (with any before)" { + $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf any -srcaddr all -dstaddr all @($p).count | Should -Be "1" - Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -dstintf $pester_port4 + Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -dstintf $pester_port2 $policy = Get-FGTFirewallPolicy -name $pester_policy1 $policy.name | Should -Be $pester_policy1 $policy.uuid | Should -Not -BeNullOrEmpty $policy.srcintf.name | Should -Be $pester_port1 - $policy.dstintf.name | Should -Be $pester_port2, $pester_port4 + $policy.dstintf.name | Should -Be $pester_port2 + ($policy.dstintf.name).count | Should -Be "1" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.nat | Should -Be "disable" + $policy.logtraffic | Should -Be "utm" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Dst Interface $pester_port2, $pester_port4 (with any before)" { + $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf any -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -dstintf $pester_port2, $pester_port4 + $policy = Get-FGTFirewallPolicy -name $pester_policy1 + $policy.name | Should -Be $pester_policy1 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.srcintf.name | Should -Be 
$pester_port1 + $policy.dstintf.name | Should -BeIn $pester_port2, $pester_port4 ($policy.dstintf.name).count | Should -Be "2" $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" @@ -1101,16 +1143,16 @@ Describe "Add Firewall Policy Member" { $policy.comments | Should -BeNullOrEmpty } - It "Add 2 members to Policy Dst Interface $pester_port4, $pester_port3 (with $pester_port2 before)" { + It "Add 1 member to Policy Dst Interface $pester_port4 (with $pester_port2 before)" { $p = Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1 -dstintf $pester_port2 -srcaddr all -dstaddr all @($p).count | Should -Be "1" - Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -dstintf $pester_port4, $pester_port3 + Get-FGTFirewallPolicy -Name $pester_policy1 | Add-FGTFirewallPolicyMember -dstintf $pester_port4 $policy = Get-FGTFirewallPolicy -name $pester_policy1 $policy.name | Should -Be $pester_policy1 $policy.uuid | Should -Not -BeNullOrEmpty $policy.srcintf.name | Should -Be $pester_port1 - $policy.dstintf.name | Should -BeIn $pester_port2, $pester_port3, $pester_port4 - ($policy.dstintf.name).count | Should -Be "3" + $policy.dstintf.name | Should -Be $pester_port2, $pester_port4 + ($policy.dstintf.name).count | Should -Be "2" $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" From 5bd5b33fa58031275b86511e38c533f519d4ffe7 Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Mon, 13 Jan 2025 18:37:36 +0100 Subject: [PATCH 6/7] Policy: Add to remove source or destination interface on policy --- PowerFGT/Public/cmdb/firewall/policy.ps1 | 75 ++++++++++++++- Tests/integration/FirewallPolicy.Tests.ps1 | 102 +++++++++++++++++++++ 2 files changed, 176 insertions(+), 1 deletion(-) diff --git a/PowerFGT/Public/cmdb/firewall/policy.ps1 b/PowerFGT/Public/cmdb/firewall/policy.ps1 index 05c19f9d8..7d05b5bd8 100644 --- a/PowerFGT/Public/cmdb/firewall/policy.ps1 
+++ b/PowerFGT/Public/cmdb/firewall/policy.ps1 @@ -1016,7 +1016,7 @@ function Remove-FGTFirewallPolicyMember { Remove a FortiGate Policy Member .DESCRIPTION - Remove a FortiGate Policy Member (source or destination address) + Remove a FortiGate Policy Member (source or destination address/interface) .EXAMPLE $MyFGTPolicy = Get-FGTFirewallPolicyGroup -name MyFGTPolicy @@ -1030,6 +1030,18 @@ function Remove-FGTFirewallPolicyMember { Remove MyAddress1 and MyAddress2 member to MyFGTPolicy + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy + PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -srcintf port1 + + Remove port1 member to source interface of MyFGTPolicy + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy + PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -dstintf port2 + + Remove port2 member to destination interface of MyFGTPolicy + #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'medium')] @@ -1040,8 +1052,12 @@ function Remove-FGTFirewallPolicyMember { [Parameter(Mandatory = $false)] [string[]]$srcaddr, [Parameter(Mandatory = $false)] + [string[]]$srcintf, + [Parameter(Mandatory = $false)] [string[]]$dstaddr, [Parameter(Mandatory = $false)] + [string[]]$dstintf, + [Parameter(Mandatory = $false)] [String[]]$vdom, [Parameter(Mandatory = $false)] [psobject]$connection = $DefaultFGTConnection 
@@ -1117,6 +1133,63 @@ function Remove-FGTFirewallPolicyMember {
 $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members
 }
+ if ( $PsBoundParameters.ContainsKey('srcintf') ) {
+ #Create a new source addrarray
+ $members = @()
+ foreach ($m in $policy.srcintf) {
+ $member_name = @{ }
+ $member_name.add( 'name', $m.name)
+ $members += $member_name
+ }
+
+ #Remove member
+ foreach ($remove_member in $srcintf) {
+ #May be a better (and faster) solution...
+ $members = $members | Where-Object { $_.name -ne $remove_member }
+ }
+
+ #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
+ if ( $members.count -eq 0 ) {
+ Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Source interface"
+ }
+
+ #if there is only One or less member force to be an array
+ if ( $members.count -le 1 ) {
+ $members = @($members)
+ }
+
+ $_policy | add-member -name "srcintf" -membertype NoteProperty -Value $members
+ }
+
+ if ( $PsBoundParameters.ContainsKey('dstintf') ) {
+ #Create a new source addrarray
+ $members = @()
+ foreach ($m in $policy.dstintf) {
+ $member_name = @{ }
+ $member_name.add( 'name', $m.name)
+ $members += $member_name
+ }
+
+ #Remove member
+ foreach ($remove_member in $dstintf) {
+ #May be a better (and faster) solution...
+ $members = $members | Where-Object { $_.name -ne $remove_member }
+ }
+
+ #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
+ if ( $members.count -eq 0 ) {
+ Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Destination Interface"
+ }
+
+ #if there is only One or less member force to be an array
+ if ( $members.count -le 1 ) {
+ $members = @($members)
+ }
+
+ $_policy | add-member -name "dstintf" -membertype NoteProperty -Value $members
+ }
+
+
 if ($PSCmdlet.ShouldProcess($policy.name, 'Remove Firewall Policy Group Member')) {
 Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null
diff --git a/Tests/integration/FirewallPolicy.Tests.ps1 b/Tests/integration/FirewallPolicy.Tests.ps1
index a31a3f1be..4552ada52 100644
--- a/Tests/integration/FirewallPolicy.Tests.ps1
+++ b/Tests/integration/FirewallPolicy.Tests.ps1
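Review bot: Once `$members = $members | Where-Object { $_.name -ne $remove_member }` leaves a single element, `$members` is a lone hashtable and the following `$members.count` counts its keys rather than members; it comes out as 1 only because each entry carries the single key `name`, so both the `-eq 0` check and the `-le 1` re-wrap rest on that coincidence. Wrapping the filter result directly, `$members = @($members | Where-Object { $_.name -ne $remove_member })`, keeps `$members` an array throughout and makes the later `@($members)` unnecessary; the `dstintf` block has the same shape. The comment `#Create a new source addrarray` is also copied from the address code into both interface blocks and should name the interface list (the `dstintf` one says `source` as well). The enclosing function starts and ends outside the hunk.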
@@ -1774,6 +1774,57 @@ Describe "Remove Firewall Policy Member" { } + Context "Remove Member(s) to Source Interface" { + BeforeEach { + Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port1, $pester_port2, $pester_port3 -dstintf $pester_port4 -srcaddr all -dstaddr all + } + + It "Remove 1 member to Policy Src Interface $pester_port1 (with 3 members before)" { + Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -srcintf $pester_port1 + $policy = Get-FGTFirewallPolicy -name $pester_policy1 + $policy.name | Should -Be $pester_policy1 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.srcintf.name | Should -BeIn $pester_port2, $pester_port3 + ($policy.srcintf.name).count | Should -Be "2" + $policy.dstintf.name | Should -Be $pester_port4 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.nat | Should -Be "disable" + $policy.logtraffic | Should -Be "utm" + $policy.comments | Should -BeNullOrEmpty + } + + It "Remove 2 members to Policy Src Interface $pester_port1, $pester_port2 (with 3 members before)" { + Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -srcintf $pester_port1, $pester_port2 + $policy = Get-FGTFirewallPolicy -name $pester_policy1 + $policy.name | Should -Be $pester_policy1 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.srcintf.name | Should -BeIn $pester_port3 + $policy.dstintf.name | Should -Be $pester_port4 + ($policy.srcaddr.name).count | Should -Be "1" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.nat | Should -Be "disable" + $policy.logtraffic | Should -Be "utm" + 
$policy.comments | Should -BeNullOrEmpty + } + + It "Try Remove 3 members to Policy Src Address $pester_port1, $pester_port2, $pester_port3 (with 3 members before)" { + { + Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -srcintf $pester_port1, $pester_port2, $pester_port3 + } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Source interface" + } + + } + Context "Remove Member(s) to Destination Address" { BeforeEach { Add-FGTFirewallPolicy -name $pester_policy1 -srcintf port1 -dstintf port2 -srcaddr all -dstaddr $pester_address1, $pester_address2, $pester_address3 
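Review bot: In `Remove 2 members to Policy Src Interface`, the count assertion `($policy.srcaddr.name).count | Should -Be "1"` checks the address list rather than the interface list the test exercises; it should be `($policy.srcintf.name).count | Should -Be "1"`. The third test's title, `Try Remove 3 members to Policy Src Address …`, names Address although it removes interfaces, and the two Destination Interface tests in the next hunk carry the same `Dst Address` wording. The `Should -Throw` message in the source case matches the code's `Source interface` literally, so that assertion is fine.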
@@ -1824,6 +1875,57 @@ Describe "Remove Firewall Policy Member" { } + Context "Remove Member(s) to Destination Interface" { + BeforeEach { + Add-FGTFirewallPolicy -name $pester_policy1 -srcintf $pester_port4 -dstintf $pester_port1, $pester_port2, $pester_port3 -srcaddr all -dstaddr all + } + + It "Remove 1 member to Policy Dst Interface $pester_port1 (with 3 members before)" { + Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -dstintf $pester_port1 + $policy = Get-FGTFirewallPolicy -name $pester_policy1 + $policy.name | Should -Be $pester_policy1 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.srcintf.name | Should -Be $pester_port4 + $policy.dstintf.name | Should -BeIn $pester_port2, $pester_port3 + ($policy.dstintf.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.nat | Should -Be "disable" + $policy.logtraffic | Should -Be "utm" + $policy.comments | Should -BeNullOrEmpty + } + + It "Remove 2 members to Policy Dst Address $pester_port1, $pester_port2 (with 3 members before)" { + Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -dstintf $pester_port1, $pester_port2 + $policy = Get-FGTFirewallPolicy -name $pester_policy1 + $policy.name | Should -Be $pester_policy1 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.srcintf.name | Should -Be $pester_port4 + $policy.dstintf.name | Should -BeIn $pester_port3 + ($policy.dstintf.name).count | Should -Be "1" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.nat | Should -Be "disable" + $policy.logtraffic | Should -Be "utm" + 
$policy.comments | Should -BeNullOrEmpty + } + + It "Try Remove 3 members to Policy Dst Address $pester_port1, $pester_port2, $pester_port3 (with 3 members before)" { + { + Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -dstintf $pester_port1, $pester_port2, $pester_port3 + } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Destination interface" + } + + } + AfterAll { Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false Get-FGTFirewallAddress -name $pester_address2 | Remove-FGTFirewallAddress -confirm:$false From dce10c64b369d028fe71479418b0247026b00572 Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Mon, 13 Jan 2025 18:41:31 +0100 Subject: [PATCH 7/7] Policy(RemoveMember): Fix example and error Oups... --- PowerFGT/Public/cmdb/firewall/policy.ps1 | 16 ++++++++-------- Tests/integration/FirewallPolicy.Tests.ps1 | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/PowerFGT/Public/cmdb/firewall/policy.ps1 b/PowerFGT/Public/cmdb/firewall/policy.ps1 index 7d05b5bd8..9b753c9ab 100644 --- a/PowerFGT/Public/cmdb/firewall/policy.ps1 +++ b/PowerFGT/Public/cmdb/firewall/policy.ps1 
@@ -1019,16 +1019,16 @@ function Remove-FGTFirewallPolicyMember { Remove a FortiGate Policy Member (source or destination address/interface) .EXAMPLE - $MyFGTPolicy = Get-FGTFirewallPolicyGroup -name MyFGTPolicy - PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyGroupMember -member MyAddress1 + $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy + PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -srcaddr MyAddress1 - Remove MyAddress1 member to MyFGTPolicy + Remove source MyAddress1 member to MyFGTPolicy .EXAMPLE - $MyFGTPolicy = Get-FGTFirewallPolicyGroup -name MyFGTPolicy - PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyGroupMember -member MyAddress1, MyAddress2 + $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy + PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -dstaddr MyAddress1, MyAddress2 - Remove MyAddress1 and MyAddress2 member to MyFGTPolicy + Remove destination MyAddress1 and MyAddress2 member to MyFGTPolicy .EXAMPLE $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy @@ -1094,7 +1094,7 @@ function Remove-FGTFirewallPolicyMember { #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy) if ( $members.count -eq 0 ) { - Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Address Group" + Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Source Address" } #if there is only One or less member force to be an array @@ -1122,7 +1122,7 @@ function Remove-FGTFirewallPolicyMember { #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy) if ( $members.count -eq 0 ) { - Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Address Group" + Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Destination Address" } #if there is only One or less member force to be an array 
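Review bot: The four `Throw` messages in Remove-FGTFirewallPolicyMember now end in `Source Address`, `Destination Address`, `Source interface` and `Destination Interface`, three capitalisation patterns for parallel errors; the interface ones sit outside this hunk but belong to the same series. Settling on one form, e.g. `Source Interface` / `Destination Interface`, keeps the tests' `Should -Throw` expectations literal instead of depending on the case-insensitive `-like` match that, as far as I know, is what lets `Destination interface` in the test match `Destination Interface` in the code. The enclosing function starts and ends outside the hunk.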
diff --git a/Tests/integration/FirewallPolicy.Tests.ps1 b/Tests/integration/FirewallPolicy.Tests.ps1 index 4552ada52..8df97a03a 100644 --- a/Tests/integration/FirewallPolicy.Tests.ps1 +++ b/Tests/integration/FirewallPolicy.Tests.ps1 @@ -1769,7 +1769,7 @@ Describe "Remove Firewall Policy Member" { It "Try Remove 3 members to Policy Src Address $pester_address1, $pester_address2, $pester_address3 (with 3 members before)" { { Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -srcaddr $pester_address1, $pester_address2, $pester_address3 - } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Address Group" + } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Source Address" } } @@ -1870,7 +1870,7 @@ Describe "Remove Firewall Policy Member" { It "Try Remove 3 members to Policy Dst Address $pester_address1, $pester_address2, $pester_address3 (with 3 members before)" { { Get-FGTFirewallPolicy -Name $pester_policy1 | Remove-FGTFirewallPolicyMember -dstaddr $pester_address1, $pester_address2, $pester_address3 - } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Address Group" + } | Should -Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Destination Address" } }