Public/FortiGate/Get-PwFgSecurityPolicy.ps1
|
function Get-PwFgSecurityPolicy { [CmdletBinding()] <# .SYNOPSIS Gets named addresses from saved ASA config file. #> Param ( [Parameter(Mandatory = $True, Position = 0, ParameterSetName = 'path')] [string]$ConfigPath, [Parameter(Mandatory = $True, Position = 0, ParameterSetName = 'array')] [array]$ConfigArray ) # It's nice to be able to see what cmdlet is throwing output isn't it? $VerbosePrefix = "Get-PwFgSecurityPolicy:" # Check for path and import if ($ConfigPath) { if (Test-Path $ConfigPath) { $LoopArray = Get-Content $ConfigPath } } else { $LoopArray = $ConfigArray } # Setup return Array $ReturnArray = @() $SectionRegex = @() $SectionRegex += '^config\ firewall\ policy$' $IgnoredRegex = @() $IgnoredRegex += '^\s+next$' $IgnoredRegex += '^\s+set\ uuid\ .+' $IgnoredRegex += '^\s+set\ logtraffic\ .+' $IgnoredRegex += '^\s+set\ schedule\ ".+"' $IgnoredRegex += '^\s+set\ av-profile\ ".+"' $IgnoredRegex += '^\s+set\ ips-sensor\ ".+"' $IgnoredRegex += '^\s+set\ ssl-ssh-profile\ ".+"' $IgnoredRegex += '^\s+set\ utm-status\ .+' $IgnoredRegex += '^\s+set\ fsso\ disable' $IgnoredRegex += '^\s+set\ global-label\ ".+"' $IgnoredRegex += '^\s+set\ scan-botnet-connections\ block' $IpRx = [regex] "(\d+)\.(\d+)\.(\d+)\.(\d+)" $TotalLines = $LoopArray.Count $i = 0 $StopWatch = [System.Diagnostics.Stopwatch]::StartNew() # used by Write-Progress so it doesn't slow the whole function down :fileloop foreach ($entry in $LoopArray) { $i++ # Write progress bar, we're only updating every 1000ms, if we do it every line it takes forever if ($StopWatch.Elapsed.TotalMilliseconds -ge 1000) { $PercentComplete = [math]::truncate($i / $TotalLines * 100) Write-Progress -Activity "Reading Support Output" -Status "$PercentComplete% $i/$TotalLines" -PercentComplete $PercentComplete $StopWatch.Reset() $StopWatch.Start() } if ($entry -eq "") { continue } ########################################################################################### # Check for the Section $EvalParams = @{ } $EvalParams.StringToEval = $entry #region getvdom ################################################ $EvalParams.Regex = [regex] '^config vdom$' $Eval = Get-RegexMatch @EvalParams if ($Eval) { Write-Verbose "$VerbosePrefix $i Lookup for vdom" $LookingForVdom = $true continue fileloop } if ($LookingForVdom) { $EvalParams.Regex = [regex] '^edit\ (.+)' $Eval = Get-RegexMatch @EvalParams -ReturnGroupNumber 1 if ($Eval) { Write-Verbose "$VerbosePrefix $i vdom found: $Eval" $LookingForVdom = $false $ActiveVdom = $Eval continue fileloop } } ################################################ #region getvdom #region sectionstart ################################################ foreach ($regex in $SectionRegex) { $EvalParams.Regex = [regex] $regex $Eval = Get-RegexMatch @EvalParams if ($Eval) { Write-Verbose "$VerbosePrefix $i Section Start" $InSection = $true continue fileloop } } ################################################ #region sectionstart if ($InSection) { #region ignoredregex ################################################ foreach ($regex in $IgnoredRegex) { $EvalParams.Regex = [regex] $regex $Eval = Get-RegexMatch @EvalParams if ($Eval) { continue fileloop } } ################################################ #endregion ignoredregex # Section Ends $EvalParams.Regex = [regex] '^end$' $Eval = Get-RegexMatch @EvalParams if ($Eval) { Write-Verbose "$VerbosePrefix $i Section End" $InSection = $false continue } # edit 1 $EvalParams.Regex = [regex] '^\ +edit\ (\d+)' $Eval = Get-RegexMatch @EvalParams -ReturnGroupNumber 1 if ($Eval) { $NewObject = [SecurityPolicy]::new() $ReturnArray += $NewObject $NewObject.Name = $Eval $NewObject.Index = $Eval $NewObject.Vdom = $ActiveVdom $NewObject.Number = $ReturnArray.Count continue } # set srcintf "port0" "port1" # set dstintf "port0" "port0" $EvalParams.Regex = [regex] '^\s+set\ (?<direction>src|dst)intf\ (?<member>.+)' $Eval = Get-RegexMatch @EvalParams if ($Eval) { foreach ($m in ($Eval.Groups['member'].Value).Split('" "')) { switch ($Eval.Groups['direction'].Value) { 'src' { $NewObject.SourceInterface += $m.Trim('"') } 'dst' { $NewObject.DestinationInterface += $m.Trim('"') } } } continue } # set srcaddr "add1" "add2" # set dstaddr "add1" "add2" $EvalParams.Regex = [regex] '^\s+set\ (?<direction>src|dst)addr\ (?<member>.+)' $Eval = Get-RegexMatch @EvalParams if ($Eval) { foreach ($m in ($Eval.Groups['member'].Value).Split('" "')) { switch ($Eval.Groups['direction'].Value) { 'src' { $NewObject.Source += $m.Trim('"') } 'dst' { $NewObject.Destination += $m.Trim('"') } } } continue } # set service "service1" "service2" $EvalParams.Regex = [regex] '^\s+set\ service\ (?<member>.+)' $Eval = Get-RegexMatch @EvalParams if ($Eval) { foreach ($m in ($Eval.Groups['member'].Value).Split('" "')) { $NewObject.Service += $m.Trim('"') } continue } # set groups "group1" "group2" $EvalParams.Regex = [regex] '^\s+set\ groups\ (?<member>.+)' $Eval = Get-RegexMatch @EvalParams if ($Eval) { foreach ($m in ($Eval.Groups['member'].Value).Split('" "')) { $NewObject.SourceUser += $m.Trim('"') } continue } # set application-list "default" $EvalParams.Regex = [regex] '^\s+set\ application-list\ (?<member>.+)' $Eval = Get-RegexMatch @EvalParams if ($Eval) { foreach ($m in ($Eval.Groups['member'].Value).Split('" "')) { $NewObject.Application += $m.Trim('"') } continue } # set status disable $EvalParams.Regex = [regex] '^\s+set\ status\ disable' $Eval = Get-RegexMatch @EvalParams if ($Eval) { $NewObject.Enabled = $false continue } # set nat disable $EvalParams.Regex = [regex] '^\s+set\ nat\ enable' $Eval = Get-RegexMatch @EvalParams if ($Eval) { $NewObject.NatEnabled = $true continue } # set name "name" $EvalParams.Regex = [regex] '^\s+set\ name\ "(.+?)"' $Eval = Get-RegexMatch @EvalParams -ReturnGroupNumber 1 if ($Eval) { $NewObject.Name = $Eval continue } #region simpleprops ################################################ if ($NewObject) { $EvalParams.VariableToUpdate = ([REF]$NewObject) $EvalParams.ReturnGroupNum = 1 $EvalParams.LoopName = 'fileloop' $EvalParams.Verbose = $false } # set action accept $EvalParams.ObjectProperty = "Action" $EvalParams.Regex = [regex] '^\s+set\ action\ (.+)' $Eval = Get-RegexMatch @EvalParams # set action accept $EvalParams.ObjectProperty = "Comment" $EvalParams.Regex = [regex] '^\s+set\ comments\ "(.+?)"' $Eval = Get-RegexMatch @EvalParams ################################################ #endregion simpleprops Write-Warning "$VerbosePrefix $i UNHANDLED: $entry" } } return $ReturnArray } |