FortiPower · alagoutte · Jan 14, 2025 · Jan 7, 2025 · Jan 8, 2025 · Jan 8, 2025
diff --git a/PowerFGT/Public/cmdb/firewall/policy.ps1 b/PowerFGT/Public/cmdb/firewall/policy.ps1
@@ -326,7 +326,7 @@ function Add-FGTFirewallPolicyMember {
         Add a FortiGate Policy Member
 
         .DESCRIPTION
-        Add a FortiGate Policy Member (source or destination address)
+        Add a FortiGate Policy Member (source or destination address/interface)
 
         .EXAMPLE
         $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
@@ -340,6 +340,17 @@ function Add-FGTFirewallPolicyMember {
 
         Add MyAddress1 and MyAddress2 member to destination of MyFGTPolicy
 
+        .EXAMPLE
+        $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+        PS C:\>$MyFGTPolicy | Add-FGTFirewallPolicyMember -srcintf port1
+
+        Add port1 member to source interface of MyFGTPolicy
+
+        .EXAMPLE
+        $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+        PS C:\>$MyFGTPolicy | Add-FGTFirewallPolicyMember -dstintf port2
+
+        Add port2 member to destination interface of MyFGTPolicy
     #>
 
     [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'low')]
@@ -350,8 +361,12 @@ function Add-FGTFirewallPolicyMember {
         [Parameter(Mandatory = $false)]
         [string[]]$srcaddr,
         [Parameter(Mandatory = $false)]
+        [string[]]$srcintf,
+        [Parameter(Mandatory = $false)]
         [string[]]$dstaddr,
         [Parameter(Mandatory = $false)]
+        [string[]]$dstintf,
+        [Parameter(Mandatory = $false)]
         [String[]]$vdom,
         [Parameter(Mandatory = $false)]
         [psobject]$connection = $DefaultFGTConnection
@@ -390,6 +405,25 @@ function Add-FGTFirewallPolicyMember {
             $_policy | add-member -name "srcaddr" -membertype NoteProperty -Value $members
         }
 
+        if ( $PsBoundParameters.ContainsKey('srcintf') ) {
+
+            if ($policy.srcintf.name -eq "any") {
+                #any => create new empty array members
+                $members = @()
+            }
+            else {
+                #Add member to existing source interface
+                $members = $policy.srcintf
+            }
+
+            foreach ( $member in $srcintf ) {
+                $member_name = @{ }
+                $member_name.add( 'name', $member)
+                $members += $member_name
+            }
+            $_policy | add-member -name "srcintf" -membertype NoteProperty -Value $members
+        }
+
         if ( $PsBoundParameters.ContainsKey('dstaddr') ) {
 
             if ($policy.dstaddr.name -eq "all") {
@@ -409,6 +443,25 @@ function Add-FGTFirewallPolicyMember {
             $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members
         }
 
+        if ( $PsBoundParameters.ContainsKey('dstintf') ) {
+
+            if ($policy.dstintf.name -eq "any") {
+                #any => create new empty array members
+                $members = @()
+            }
+            else {
+                #Add member to existing source interface
+                $members = $policy.dstintf
+            }
+
+            foreach ( $member in $dstintf ) {
+                $member_name = @{ }
+                $member_name.add( 'name', $member)
+                $members += $member_name
+            }
+            $_policy | add-member -name "dstintf" -membertype NoteProperty -Value $members
+        }
+
         if ($PSCmdlet.ShouldProcess($policy.name, 'Add Firewall Policy Group Member')) {
             Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null
 
@@ -963,19 +1016,31 @@ function Remove-FGTFirewallPolicyMember {
         Remove a FortiGate Policy Member
 
         .DESCRIPTION
-        Remove a FortiGate Policy Member (source or destination address)
+        Remove a FortiGate Policy Member (source or destination address/interface)
 
         .EXAMPLE
-        $MyFGTPolicy = Get-FGTFirewallPolicyGroup -name MyFGTPolicy
-        PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyGroupMember -member MyAddress1
+        $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+        PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -srcaddr MyAddress1
 
-        Remove MyAddress1 member to MyFGTPolicy
+        Remove source MyAddress1 member to MyFGTPolicy
 
         .EXAMPLE
-        $MyFGTPolicy = Get-FGTFirewallPolicyGroup -name MyFGTPolicy
-        PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyGroupMember -member MyAddress1, MyAddress2
+        $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+        PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -dstaddr MyAddress1, MyAddress2
+
+        Remove destination MyAddress1 and MyAddress2 member to MyFGTPolicy
+
+        .EXAMPLE
+        $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+        PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -srcintf port1
+
+        Remove port1 member to source interface of MyFGTPolicy
 
-        Remove MyAddress1 and MyAddress2 member to MyFGTPolicy
+        .EXAMPLE
+        $MyFGTPolicy = Get-FGTFirewallPolicy -name MyFGTPolicy
+        PS C:\>$MyFGTPolicy | Remove-FGTFirewallPolicyMember -dstintf port2
+
+        Remove port2 member to destination interface of MyFGTPolicy
 
     #>
 
@@ -987,8 +1052,12 @@ function Remove-FGTFirewallPolicyMember {
         [Parameter(Mandatory = $false)]
         [string[]]$srcaddr,
         [Parameter(Mandatory = $false)]
+        [string[]]$srcintf,
+        [Parameter(Mandatory = $false)]
         [string[]]$dstaddr,
         [Parameter(Mandatory = $false)]
+        [string[]]$dstintf,
+        [Parameter(Mandatory = $false)]
         [String[]]$vdom,
         [Parameter(Mandatory = $false)]
         [psobject]$connection = $DefaultFGTConnection
@@ -1025,7 +1094,7 @@ function Remove-FGTFirewallPolicyMember {
 
             #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
             if ( $members.count -eq 0 ) {
-                Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Address Group"
+                Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Source Address"
             }
 
             #if there is only One or less member force to be an array
@@ -1053,7 +1122,7 @@ function Remove-FGTFirewallPolicyMember {
 
             #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
             if ( $members.count -eq 0 ) {
-                Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Address Group"
+                Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Destination Address"
             }
 
             #if there is only One or less member force to be an array
@@ -1064,6 +1133,63 @@ function Remove-FGTFirewallPolicyMember {
             $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members
         }
 
+        if ( $PsBoundParameters.ContainsKey('srcintf') ) {
+            #Create a new source addrarray
+            $members = @()
+            foreach ($m in $policy.srcintf) {
+                $member_name = @{ }
+                $member_name.add( 'name', $m.name)
+                $members += $member_name
+            }
+
+            #Remove member
+            foreach ($remove_member in $srcintf) {
+                #May be a better (and faster) solution...
+                $members = $members | Where-Object { $_.name -ne $remove_member }
+            }
+
+            #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
+            if ( $members.count -eq 0 ) {
+                Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Source interface"
+            }
+
+            #if there is only One or less member force to be an array
+            if ( $members.count -le 1 ) {
+                $members = @($members)
+            }
+
+            $_policy | add-member -name "srcintf" -membertype NoteProperty -Value $members
+        }
+
+        if ( $PsBoundParameters.ContainsKey('dstintf') ) {
+            #Create a new source addrarray
+            $members = @()
+            foreach ($m in $policy.dstintf) {
+                $member_name = @{ }
+                $member_name.add( 'name', $m.name)
+                $members += $member_name
+            }
+
+            #Remove member
+            foreach ($remove_member in $dstintf) {
+                #May be a better (and faster) solution...
+                $members = $members | Where-Object { $_.name -ne $remove_member }
+            }
+
+            #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
+            if ( $members.count -eq 0 ) {
+                Throw "You can't remove all members. Use Set-FGTFirewallPolicy to remove Destination Interface"
+            }
+
+            #if there is only One or less member force to be an array
+            if ( $members.count -le 1 ) {
+                $members = @($members)
+            }
+
+            $_policy | add-member -name "dstintf" -membertype NoteProperty -Value $members
+        }
+
+
         if ($PSCmdlet.ShouldProcess($policy.name, 'Remove Firewall Policy Group Member')) {
             Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null