diff --git a/PowerFGT/Private/Confirm.ps1 b/PowerFGT/Private/Confirm.ps1
index 1bfae8ec..d5022cfb 100644
--- a/PowerFGT/Private/Confirm.ps1
+++ b/PowerFGT/Private/Confirm.ps1
@@ -192,6 +192,42 @@ Function Confirm-FGTFirewallPolicy {
 }
+Function Confirm-FGTFirewallLocalInPolicy {
+
+ Param (
+ [Parameter (Mandatory = $true)]
+ [object]$argument
+ )
+
+ #Check if it looks like an Firewall Local InPolicy element
+
+ if ( -not ( $argument | get-member -name policyid -Membertype Properties)) {
+ throw "Element specified does not contain a policyid property."
+ }
+ #No uuid before 6.4.x
+ #if ( -not ( $argument | get-member -name uuid -Membertype Properties)) {
+ # throw "Element specified does not contain an uuid property."
+ #}
+ if ( -not ( $argument | get-member -name intf -Membertype Properties)) {
+ throw "Element specified does not contain a intf property."
+ }
+ if ( -not ( $argument | get-member -name srcaddr -Membertype Properties)) {
+ throw "Element specified does not contain a srcaddr property."
+ }
+ if ( -not ( $argument | get-member -name dstaddr -Membertype Properties)) {
+ throw "Element specified does not contain a dstaddr property."
+ }
+ if ( -not ( $argument | get-member -name action -Membertype Properties)) {
+ throw "Element specified does not contain an action property."
+ }
+ if ( -not ( $argument | get-member -name status -Membertype Properties)) {
+ throw "Element specified does not contain a status property."
+ }
+
+ $true
+
+}
+
 Function Confirm-FGTFirewallProxyPolicy {
 Param (
diff --git a/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 b/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1
new file mode 100644
index 00000000..79fbf14a
--- /dev/null
+++ b/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1
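Review bot: The three commented-out uuid lines in Confirm-FGTFirewallLocalInPolicy are dead code that every later reader has to re-evaluate; replace `#if ( -not ( $argument | get-member -name uuid ... #}` with one explanatory comment such as `#uuid only exists from FortiOS 6.4.x, so it is deliberately not a required property here`. The message `"Element specified does not contain a intf property."` should read `an intf property` to match the `an uuid`/`an action` wording used in the same function. Note also that this check only proves the `intf` property exists, not its shape: elsewhere in this change Add-FGTFirewallLocalInPolicy sends `intf` as a list of `@{name=...}` entries on 7.4.0+ and as a plain string otherwise, so callers that read `.intf.name` still need their own version handling — a one-line comment saying so here would stop the Member cmdlets from assuming a list.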
@@ -0,0 +1,887 @@
+#
+# Copyright 2019, Alexis La Goutte
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+function Add-FGTFirewallLocalInPolicy {
+
+ <#
+ .SYNOPSIS
+ Add a FortiGate Local In Policy
+
+ .DESCRIPTION
+ Add a FortiGate Local In Policy (interface, source/destination ip, service, action, status...)
+
+ .EXAMPLE
+ Add-FGTFirewallLocalInPolicy -intf port1 -srcaddr all -dstaddr all
+
+ Add a Local In Policy with source port port1 and destination port2 and source and destination all
+
+ .EXAMPLE
+ Add-FGTFirewallLocalInPolicy -intf port10 -srcaddr all -dstaddr all -status:$false
+
+ Add a Local In Policy with status is disable
+
+ .EXAMPLE
+ Add-FGTFirewallLocalInPolicy -intf port1 -srcaddr all -dstaddr all -service HTTP, HTTPS, SSH
+
+ Add a Local In Policy with multiple service port
+
+ .EXAMPLE
+ Add-FGTFirewallLocalInPolicy -intf port1 -srcaddr all -dstaddr all -comments "My FGT Policy"
+
+ Add a Local In Policy with comment "My FGT Policy"
+
+ .EXAMPLE
+ Add-FGTFirewallLocalInPolicy -intf port1 -srcaddr all -dstaddr all -policyid 23
+
+ Add a Local In Policy with Policy ID equal 23
+
+ .EXAMPLE
+ $data = @{ "virtual-patch" = "enable" }
+ Add-FGTFirewallLocalInPolicy -intf port1 -srcaddr all -dstaddr all -data $data
+
+ Add a Local In Policy with virtual-patch using -data
+ #>
+
+
+ Param(
+ [Parameter (Mandatory = $false)]
+ [int]$policyid,
+ [Parameter (Mandatory = $true)]
+ [string[]]$intf,
+ [Parameter (Mandatory = $true)]
+ [string[]]$srcaddr,
+ [Parameter (Mandatory = $true)]
+ [string[]]$dstaddr,
+ [Parameter (Mandatory = $false)]
+ [ValidateSet("accept", "deny")]
+ [string]$action = "accept",
+ [Parameter (Mandatory = $false)]
+ [switch]$status,
+ [Parameter (Mandatory = $false)]
+ [string]$schedule = "always",
+ [Parameter (Mandatory = $false)]
+ [string[]]$service = "ALL",
+ [Parameter (Mandatory = $false)]
+ [ValidateLength(0, 255)]
+ [string]$comments,
+ [Parameter (Mandatory = $false)]
+ [switch]$skip,
+ [Parameter (Mandatory = $false)]
+ [hashtable]$data,
+ [Parameter(Mandatory = $false)]
+ [String[]]$vdom,
+ [Parameter(Mandatory = $false)]
+ [psobject]$connection = $DefaultFGTConnection
+ )
+
+ Begin {
+ }
+
+ Process {
+
+ $invokeParams = @{ }
+ if ( $PsBoundParameters.ContainsKey('skip') ) {
+ $invokeParams.add( 'skip', $skip )
+ }
+ if ( $PsBoundParameters.ContainsKey('vdom') ) {
+ $invokeParams.add( 'vdom', $vdom )
+ }
+
+ $uri = "api/v2/cmdb/firewall/local-in-policy"
+
+ # Interface
+ #After 7.4.0, you can have multiple interface
+ if ($connection.version -ge "7.4.0") {
+ $intf_array = @()
+ foreach ($i in $intf) {
+ $intf_array += @{ 'name' = $i }
+ }
+ }
+ else {
+ #Add Warning ?
+ $intf_array = $intf
+ }
+
+ # Source address
+ $srcaddr_array = @()
+ #TODO check if the address (group, vip...) is valid
+ foreach ($addr in $srcaddr) {
+ $srcaddr_array += @{ 'name' = $addr }
+ }
+
+ # Destination address
+ $dstaddr_array = @()
+ #TODO check if the address (group, vip...) is valid
+ foreach ($addr in $dstaddr) {
+ $dstaddr_array += @{ 'name' = $addr }
+ }
+
+ # Service
+ $service_array = @()
+ #TODO check if the service (group...) is valid
+ foreach ($s in $service) {
+ $service_array += @{ 'name' = $s }
+ }
+
+ $policy = new-Object -TypeName PSObject
+
+ if ( $PsBoundParameters.ContainsKey('name') ) {
+ $policy | add-member -name "name" -membertype NoteProperty -Value $name
+ }
+
+ if ( $PsBoundParameters.ContainsKey('policyid') ) {
+ $policy | add-member -name "policyid" -membertype NoteProperty -Value $policyid
+ }
+
+ $policy | add-member -name "intf" -membertype NoteProperty -Value $intf_array
+
+ $policy | add-member -name "srcaddr" -membertype NoteProperty -Value $srcaddr_array
+
+ $policy | add-member -name "dstaddr" -membertype NoteProperty -Value $dstaddr_array
+
+ $policy | add-member -name "action" -membertype NoteProperty -Value $action
+
+ #set status enable by default (PSSA don't like to set default value for a switch parameter)
+ if ( -not $PsBoundParameters.ContainsKey('status') ) {
+ $status = $true
+ }
+
+ if ($status) {
+ $policy | add-member -name "status" -membertype NoteProperty -Value "enable"
+ }
+ else {
+ $policy | add-member -name "status" -membertype NoteProperty -Value "disable"
+ }
+
+ $policy | add-member -name "schedule" -membertype NoteProperty -Value $schedule
+
+ $policy | add-member -name "service" -membertype NoteProperty -Value $service_array
+
+
+ if ( $PsBoundParameters.ContainsKey('comments') ) {
+ $policy | add-member -name "comments" -membertype NoteProperty -Value $comments
+ }
+
+ if ( $PsBoundParameters.ContainsKey('data') ) {
+ $data.GetEnumerator() | ForEach-Object {
+ $policy | Add-member -name $_.key -membertype NoteProperty -Value $_.value
+ }
+ }
+
+ $post = Invoke-FGTRestMethod -method "POST" -body $policy -uri $uri -connection $connection @invokeParams
+
+ #there is no policy name on Local In Policy, get the policy via policyid (return by POST via mkey value)
+ Get-FGTFirewallLocalInPolicy -policyid $post.mkey -connection $connection @invokeParams
+
+ }
+
+ End {
+ }
+}
+
+function Add-FGTFirewallLocalInPolicyMember {
+
+ <#
+ .SYNOPSIS
+ Add a FortiGate Local In Policy Member
+
+ .DESCRIPTION
+ Add a FortiGate Local In Policy Member (source or destination address, interface)
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Add-FGTFirewallLocalInPolicyMember -srcaddr MyAddress1
+
+ Add MyAddress1 member to source of Local In Policy 23
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Add-FGTFirewallLocalInPolicyMember -dstaddr MyAddress1, MyAddress2
+
+ Add MyAddress1 and MyAddress2 member to destination of Local In Policy 23
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Add-FGTFirewallLocalInPolicyMember -intf port1
+
+ Add port1 member to source interface of Local In Policy 23
+
+ #>
+
+ [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'low')]
+ Param(
+ [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)]
+ [ValidateScript( { Confirm-FGTFirewallLocalInPolicy $_ })]
+ [psobject]$policy,
+ [Parameter(Mandatory = $false)]
+ [string[]]$srcaddr,
+ [Parameter(Mandatory = $false)]
+ [string[]]$intf,
+ [Parameter(Mandatory = $false)]
+ [string[]]$dstaddr,
+ [Parameter(Mandatory = $false)]
+ [String[]]$vdom,
+ [Parameter(Mandatory = $false)]
+ [psobject]$connection = $DefaultFGTConnection
+ )
+
+ Begin {
+ }
+
+ Process {
+
+ $invokeParams = @{ }
+ if ( $PsBoundParameters.ContainsKey('vdom') ) {
+ $invokeParams.add( 'vdom', $vdom )
+ }
+
+ $uri = "api/v2/cmdb/firewall/local-in-policy"
+
+ $_policy = new-Object -TypeName PSObject
+
+ if ( $PsBoundParameters.ContainsKey('srcaddr') ) {
+
+ if ($policy.srcaddr.name -eq "all") {
+ #all => create new empty array members
+ $members = @()
+ }
+ else {
+ #Add member to existing source address
+ $members = $policy.srcaddr
+ }
+
+ foreach ( $member in $srcaddr ) {
+ $member_name = @{ }
+ $member_name.add( 'name', $member)
+ $members += $member_name
+ }
+ $_policy | add-member -name "srcaddr" -membertype NoteProperty -Value $members
+ }
+
+ if ( $PsBoundParameters.ContainsKey('intf') ) {
+
+ if ($policy.intf.name -eq "any") {
+ #any => create new empty array members
+ $members = @()
+ }
+ else {
+ #Add member to existing source interface
+ $members = $policy.intf
+ }
+
+ foreach ( $member in $intf ) {
+ $member_name = @{ }
+ $member_name.add( 'name', $member)
+ $members += $member_name
+ }
+ $_policy | add-member -name "intf" -membertype NoteProperty -Value $members
+ }
+
+ if ( $PsBoundParameters.ContainsKey('dstaddr') ) {
+
+ if ($policy.dstaddr.name -eq "all") {
+ #all => create new empty array members
+ $members = @()
+ }
+ else {
+ #Add member to existing destination address
+ $members = $policy.dstaddr
+ }
+
+ foreach ( $member in $dstaddr ) {
+ $member_name = @{ }
+ $member_name.add( 'name', $member)
+ $members += $member_name
+ }
+ $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members
+ }
+
+ if ($PSCmdlet.ShouldProcess($policy.policyid, 'Add Firewall Policy Group Member')) {
+ Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null
+
+ Get-FGTFirewallLocalInPolicy -connection $connection @invokeParams -policyid $policy.policyid
+ }
+ }
+
+ End {
+ }
+}
+
+function Get-FGTFirewallLocalInPolicy {
+
+ <#
+ .SYNOPSIS
+ Get list of all policies/rules
+
+ .DESCRIPTION
+ Get list of all policies (name, interface, address (network) source/destination, service, action...)
+
+ .EXAMPLE
+ Get-FGTFirewallLocalInPolicy
+
+ Get list of all policies
+
+ .EXAMPLE
+ Get-FGTFirewallLocalInPolicy -policyid 23
+
+ Get policy with id 23
+
+ .EXAMPLE
+ Get-FGTFirewallLocalInPolicy -uuid 9e73a10e-1772-51ea-a8d7-297686fd7702
+
+ Get policy with uuid 9e73a10e-1772-51ea-a8d7-297686fd7702
+
+ .EXAMPLE
+ Get-FGTFirewallLocalInPolicy -skip
+
+ Get list of all policies (but only relevant attributes)
+
+ .EXAMPLE
+ Get-FGTFirewallLocalInPolicy -meta
+
+ Get list of all policies with metadata (q_...) like usage (q_ref)
+
+ .EXAMPLE
+ Get-FGTFirewallLocalInPolicy -schema
+
+ Get schema of Local In Policy
+
+ .EXAMPLE
+ Get-FGTFirewallLocalInPolicy -vdom vdomX
+
+ Get list of all policies on vdomX
+ #>
+
+ [CmdletBinding(DefaultParameterSetName = "default")]
+ Param(
+ [Parameter (Mandatory = $false, ParameterSetName = "uuid")]
+ [string]$uuid,
+ [Parameter (Mandatory = $false, ParameterSetName = "policyid")]
+ [string[]]$policyid,
+ [Parameter (Mandatory = $false)]
+ [Parameter (ParameterSetName = "filter")]
+ [string]$filter_attribute,
+ [Parameter (Mandatory = $false)]
+ [Parameter (ParameterSetName = "uuid")]
+ [Parameter (ParameterSetName = "policyid")]
+ [Parameter (ParameterSetName = "filter")]
+ [ValidateSet('equal', 'contains')]
+ [string]$filter_type = "equal",
+ [Parameter (Mandatory = $false)]
+ [Parameter (ParameterSetName = "filter")]
+ [psobject]$filter_value,
+ [Parameter(Mandatory = $false)]
+ [switch]$meta,
+ [Parameter(Mandatory = $false)]
+ [switch]$skip,
+ [Parameter(Mandatory = $false, ParameterSetName = "schema")]
+ [switch]$schema,
+ [Parameter(Mandatory = $false)]
+ [String[]]$vdom,
+ [Parameter(Mandatory = $false)]
+ [psobject]$connection = $DefaultFGTConnection
+ )
+
+ Begin {
+ }
+
+ Process {
+
+ $invokeParams = @{ }
+ if ( $PsBoundParameters.ContainsKey('meta') ) {
+ $invokeParams.add( 'meta', $meta )
+ }
+ if ( $PsBoundParameters.ContainsKey('skip') ) {
+ $invokeParams.add( 'skip', $skip )
+ }
+ if ( $PsBoundParameters.ContainsKey('vdom') ) {
+ $invokeParams.add( 'vdom', $vdom )
+ }
+
+ if ( $PsBoundParameters.ContainsKey('schema') ) {
+ $invokeParams.add( 'extra', "&action=schema" )
+ }
+
+ #Filtering
+ switch ( $PSCmdlet.ParameterSetName ) {
+ "uuid" {
+ $filter_value = $uuid
+ $filter_attribute = "uuid"
+ }
+ "policyid" {
+ $filter_value = $policyid
+ $filter_attribute = "policyid"
+ }
+ default { }
+ }
+
+ #if filter value and filter_attribute, add filter (by default filter_type is equal)
+ if ( $filter_value -and $filter_attribute ) {
+ $invokeParams.add( 'filter_value', $filter_value )
+ $invokeParams.add( 'filter_attribute', $filter_attribute )
+ $invokeParams.add( 'filter_type', $filter_type )
+ }
+
+ $reponse = Invoke-FGTRestMethod -uri 'api/v2/cmdb/firewall/local-in-policy' -method 'GET' -connection $connection @invokeParams
+ $reponse.results
+ }
+
+ End {
+ }
+}
+
+function Move-FGTFirewallLocalInPolicy {
+
+ <#
+ .SYNOPSIS
+ Move a FortiGate Local In Policy
+
+ .DESCRIPTION
+ Move a Policy/Rule object (after or before) on the FortiGate
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Move-FGTFirewallLocalInPolicy -after -id 12
+
+ Move Policy object id 23 after Policy id 12
+
+ #>
+
+ [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'low')]
+ Param(
+ [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)]
+ [ValidateScript( { Confirm-FGTFirewallLocalInPolicy $_ })]
+ [psobject]$policy,
+ [Parameter(Mandatory = $true, ParameterSetName = "after")]
+ [switch]$after,
+ [Parameter(Mandatory = $true, ParameterSetName = "before")]
+ [switch]$before,
+ [Parameter(Mandatory = $true)]
+ [ValidateScript( { ($_ -is [int]) -or (Confirm-FGTFirewallLocalInPolicy $_ ) })]
+ [psobject]$id,
+ [Parameter(Mandatory = $false)]
+ [String[]]$vdom,
+ [Parameter(Mandatory = $false)]
+ [psobject]$connection = $DefaultFGTConnection
+ )
+
+ Begin {
+ }
+
+ Process {
+
+ $invokeParams = @{ }
+ if ( $PsBoundParameters.ContainsKey('vdom') ) {
+ $invokeParams.add( 'vdom', $vdom )
+ }
+
+ #id is a Policy Rule (from Get-FGTFirewallLocalInPolicy) ?
+ if ( $id.policyid ) {
+ #Get the policyid
+ [int]$id = $id.policyid
+ }
+
+ $uri = "api/v2/cmdb/firewall/local-in-policy"
+ $extra = "action=move"
+
+ switch ( $PSCmdlet.ParameterSetName ) {
+ "after" {
+ $extra += "&after=$($id)"
+ }
+ "before" {
+ $extra += "&before=$($id)"
+ }
+ default { }
+ }
+ if ($PSCmdlet.ShouldProcess($policy.policyid, 'Move Firewall Policy')) {
+ $null = Invoke-FGTRestMethod -method "PUT" -uri $uri -uri_escape $policy.policyid -extra $extra -connection $connection @invokeParams
+ }
+
+ Get-FGTFirewallLocalInPolicy -policyid $policy.policyid -connection $connection @invokeParams
+ }
+
+ End {
+ }
+}
+
+function Set-FGTFirewallLocalInPolicy {
+
+ <#
+ .SYNOPSIS
+ Configure a FortiGate Local In Policy
+
+ .DESCRIPTION
+ Change a FortiGate Local in Policy Policy/Rules (source/destination ip, interface, action, status, ...)
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Set-FGTFirewallLocalInPolicy -intf port1 -srcaddr MyFGTAddress
+
+ Change MyFGTPolicy (Policy id 23) to intf port1 and srcaddr MyFGTAddress
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Set-FGTFirewallLocalInPolicy -service HTTP,HTTPS
+
+ Change MyFGTPolicy (Policy id 23) to set service to HTTP and HTTPS
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Set-FGTFirewallLocalInPolicy -comments "My FGT Policy"
+
+ Change MyFGTPolicy (Policy id 23) to set a new comments
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Set-FGTFirewallLocalInPolicy -status:$false
+
+ Change MyFGTPolicy (Policy id 23) to set status disable
+
+ .EXAMPLE
+ $data = @{"virtual-patch" = "enable" }
+ PS C:\>$MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Set-FGTFirewallLocalInPolicy -data $data
+
+ Change MyFGTPolicy (Policy id 23) to setvirtual-patch to enabled using -data
+
+ #>
+
+ [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'medium', DefaultParameterSetName = 'default')]
+ Param(
+ [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)]
+ [ValidateScript( { Confirm-FGTFirewallLocalInPolicy $_ })]
+ [psobject]$policy,
+ [Parameter (Mandatory = $false)]
+ [string]$name,
+ [string[]]$intf,
+ [Parameter (Mandatory = $false)]
+ [string[]]$srcaddr,
+ [Parameter (Mandatory = $false)]
+ [string[]]$dstaddr,
+ [Parameter (Mandatory = $false)]
+ [ValidateSet("accept", "deny")]
+ [string]$action,
+ [Parameter (Mandatory = $false)]
+ [switch]$status,
+ [Parameter (Mandatory = $false)]
+ [string]$schedule,
+ [Parameter (Mandatory = $false)]
+ [string[]]$service,
+ [Parameter (Mandatory = $false)]
+ [switch]$nat,
+ [Parameter (Mandatory = $false)]
+ [ValidateLength(0, 255)]
+ [string]$comments,
+ [Parameter (Mandatory = $false)]
+ [hashtable]$data,
+ [Parameter(Mandatory = $false)]
+ [String[]]$vdom,
+ [Parameter(Mandatory = $false)]
+ [psobject]$connection = $DefaultFGTConnection
+ )
+
+ Begin {
+ }
+
+ Process {
+
+ $invokeParams = @{ }
+ if ( $PsBoundParameters.ContainsKey('vdom') ) {
+ $invokeParams.add( 'vdom', $vdom )
+ }
+
+ $uri = "api/v2/cmdb/firewall/local-in-policy"
+
+ $_policy = new-Object -TypeName PSObject
+
+ if ( $PsBoundParameters.ContainsKey('intf') ) {
+ # Interface
+ $intf_array = @()
+ #TODO check if the interface (zone ?) is valid
+ foreach ($intf in $intf) {
+ $intf_array += @{ 'name' = $intf }
+ }
+ $_policy | add-member -name "intf" -membertype NoteProperty -Value $intf_array
+ }
+
+ if ( $PsBoundParameters.ContainsKey('srcaddr') ) {
+ # Source address
+ $srcaddr_array = @()
+ #TODO check if the address (group, vip...) is valid
+ foreach ($addr in $srcaddr) {
+ $srcaddr_array += @{ 'name' = $addr }
+ }
+ $_policy | add-member -name "srcaddr" -membertype NoteProperty -Value $srcaddr_array
+ }
+
+ if ( $PsBoundParameters.ContainsKey('dstaddr') ) {
+ # Destination address
+ $dstaddr_array = @()
+ #TODO check if the address (group, vip...) is valid
+ foreach ($addr in $dstaddr) {
+ $dstaddr_array += @{ 'name' = $addr }
+ }
+ $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $dstaddr_array
+ }
+
+ if ( $PsBoundParameters.ContainsKey('action') ) {
+ $_policy | add-member -name "action" -membertype NoteProperty -Value $action
+ }
+
+ if ( $PsBoundParameters.ContainsKey('status') ) {
+ if ($status) {
+ $_policy | add-member -name "status" -membertype NoteProperty -Value "enable"
+ }
+ else {
+ $_policy | add-member -name "status" -membertype NoteProperty -Value "disable"
+ }
+ }
+
+ if ( $PsBoundParameters.ContainsKey('schedule') ) {
+ $_policy | add-member -name "schedule" -membertype NoteProperty -Value $schedule
+ }
+
+ if ( $PsBoundParameters.ContainsKey('service') ) {
+ # Service
+ $service_array = @()
+ #TODO check if the service (group...) is valid
+ foreach ($s in $service) {
+ $service_array += @{ 'name' = $s }
+ }
+ $_policy | add-member -name "service" -membertype NoteProperty -Value $service_array
+ }
+
+ if ( $PsBoundParameters.ContainsKey('comments') ) {
+ $_policy | add-member -name "comments" -membertype NoteProperty -Value $comments
+ }
+
+ if ( $PsBoundParameters.ContainsKey('data') ) {
+ $data.GetEnumerator() | ForEach-Object {
+ $_policy | Add-member -name $_.key -membertype NoteProperty -Value $_.value
+ }
+ }
+
+ if ($PSCmdlet.ShouldProcess($address.name, 'Configure Firewall Policy')) {
+ Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | out-Null
+
+ Get-FGTFirewallLocalInPolicy -connection $connection @invokeParams -policyid $policy.policyid
+ }
+ }
+
+ End {
+ }
+}
+
+function Remove-FGTFirewallLocalInPolicy {
+
+ <#
+ .SYNOPSIS
+ Remove a FortiGate Local In Policy
+
+ .DESCRIPTION
+ Remove a Local In Policy object on the FortiGate
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Remove-FGTFirewallLocalInPolicy
+
+ Remove Local in Policy id 23
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Remove-FGTFirewallLocalInPolicy -confirm:$false
+
+ Remove Local in Policy id 23y with no confirmation
+
+ #>
+
+ [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'high')]
+ Param(
+ [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)]
+ [ValidateScript( { Confirm-FGTFirewallLocalInPolicy $_ })]
+ [psobject]$policy,
+ [Parameter(Mandatory = $false)]
+ [String[]]$vdom,
+ [Parameter(Mandatory = $false)]
+ [psobject]$connection = $DefaultFGTConnection
+ )
+
+ Begin {
+ }
+
+ Process {
+
+ $invokeParams = @{ }
+ if ( $PsBoundParameters.ContainsKey('vdom') ) {
+ $invokeParams.add( 'vdom', $vdom )
+ }
+
+ $uri = "api/v2/cmdb/firewall/local-in-policy"
+
+ if ($PSCmdlet.ShouldProcess($policy.policyid, 'Remove Firewall Policy')) {
+ $null = Invoke-FGTRestMethod -method "DELETE" -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams
+ }
+ }
+
+ End {
+ }
+}
+
+function Remove-FGTFirewallLocalInPolicyMember {
+
+ <#
+ .SYNOPSIS
+ Remove a FortiGate Local In Policy Member
+
+ .DESCRIPTION
+ Remove a FortiGate Local In Policy Member (source, destination address and interface)
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Remove-FGTFirewallLocalInPolicyMember -srcaddr MyAddress1
+
+ Remove source MyAddress1 member to MyFGTPolicy (policy id 23)
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Remove-FGTFirewallLocalInPolicyMember -dstaddr MyAddress1, MyAddress2
+
+ Remove destination MyAddress1 and MyAddress2 member to MyFGTPolicy (policy id 23)
+
+ .EXAMPLE
+ $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23
+ PS C:\>$MyFGTPolicy | Remove-FGTFirewallLocalInPolicyMember -intf port1
+
+ Remove port1 member to interface of MyFGTPolicy (policy id 23)
+
+
+ #>
+
+ [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'medium')]
+ Param(
+ [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)]
+ [ValidateScript( { Confirm-FGTFirewallLocalInPolicy $_ })]
+ [psobject]$policy,
+ [Parameter(Mandatory = $false)]
+ [string[]]$srcaddr,
+ [Parameter(Mandatory = $false)]
+ [string[]]$intf,
+ [Parameter(Mandatory = $false)]
+ [string[]]$dstaddr,
+ [Parameter(Mandatory = $false)]
+ [String[]]$vdom,
+ [Parameter(Mandatory = $false)]
+ [psobject]$connection = $DefaultFGTConnection
+ )
+
+ Begin {
+ }
+
+ Process {
+
+ $invokeParams = @{ }
+ if ( $PsBoundParameters.ContainsKey('vdom') ) {
+ $invokeParams.add( 'vdom', $vdom )
+ }
+
+ $uri = "api/v2/cmdb/firewall/local-in-policy"
+
+ $_policy = new-Object -TypeName PSObject
+
+ if ( $PsBoundParameters.ContainsKey('srcaddr') ) {
+ #Create a new source addr array
+ $members = @()
+ foreach ($m in $policy.srcaddr) {
+ $member_name = @{ }
+ $member_name.add( 'name', $m.name)
+ $members += $member_name
+ }
+
+ #Remove member
+ foreach ($remove_member in $srcaddr) {
+ #May be a better (and faster) solution...
+ $members = $members | Where-Object { $_.name -ne $remove_member }
+ }
+
+ #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
+ if ( $members.count -eq 0 ) {
+ Throw "You can't remove all members. Use Set-FGTFirewallLocalInPolicy to remove Source Address"
+ }
+
+ #if there is only One or less member force to be an array
+ if ( $members.count -le 1 ) {
+ $members = @($members)
+ }
+
+ $_policy | add-member -name "srcaddr" -membertype NoteProperty -Value $members
+ }
+
+ if ( $PsBoundParameters.ContainsKey('dstaddr') ) {
+ #Create a new destination addr array
+ $members = @()
+ foreach ($m in $policy.dstaddr) {
+ $member_name = @{ }
+ $member_name.add( 'name', $m.name)
+ $members += $member_name
+ }
+
+ #Remove member
+ foreach ($remove_member in $dstaddr) {
+ #May be a better (and faster) solution...
+ $members = $members | Where-Object { $_.name -ne $remove_member }
+ }
+
+ #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
+ if ( $members.count -eq 0 ) {
+ Throw "You can't remove all members. Use Set-FGTFirewallLocalInPolicy to remove Destination Address"
+ }
+
+ #if there is only One or less member force to be an array
+ if ( $members.count -le 1 ) {
+ $members = @($members)
+ }
+
+ $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members
+ }
+
+ if ( $PsBoundParameters.ContainsKey('intf') ) {
+ #Create a new intf array
+ $members = @()
+ foreach ($m in $policy.intf) {
+ $member_name = @{ }
+ $member_name.add( 'name', $m.name)
+ $members += $member_name
+ }
+
+ #Remove member
+ foreach ($remove_member in $intf) {
+ #May be a better (and faster) solution...
+ $members = $members | Where-Object { $_.name -ne $remove_member }
+ }
+
+ #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy)
+ if ( $members.count -eq 0 ) {
+ Throw "You can't remove all members. Use Set-FGTFirewallLocalInPolicy to remove interface"
+ }
+
+ #if there is only One or less member force to be an array
+ if ( $members.count -le 1 ) {
+ $members = @($members)
+ }
+
+ $_policy | add-member -name "intf" -membertype NoteProperty -Value $members
+ }
+
+ if ($PSCmdlet.ShouldProcess($policy.policyid, 'Remove Firewall Policy Group Member')) {
+ Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null
+
+ Get-FGTFirewallLocalInPolicy -connection $connection @invokeParams -policyid $policy.policyid
+ }
+ }
+
+ End {
+ }
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index b6b74846..2870cf6d 100644
--- a/README.md
+++ b/README.md
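Review bot: Set-FGTFirewallLocalInPolicy passes `$address.name` to ShouldProcess, but no `$address` variable exists in that function, so -Confirm/-WhatIf prompts name an empty target (and Set-StrictMode would fail the call); use `if ($PSCmdlet.ShouldProcess($policy.policyid, 'Configure Firewall Local In Policy')) {` as the sibling cmdlets do. Add-FGTFirewallLocalInPolicy only sends `intf` as a list of `@{name=...}` entries when `$connection.version -ge "7.4.0"` and plain strings otherwise, yet Set-, Add-...Member and Remove-...Member always build the list form — on older firmware `$policy.intf` is a string, so `$members = $policy.intf; $members += $member_name` degrades to string concatenation and `$m.name` yields `$null`; the same version branch belongs in those three paths (the Set version is shown below). In Get-FGTFirewallLocalInPolicy an empty or `$null` -policyid makes `$filter_value` falsy, so the filter is silently dropped and every policy is returned, and a caller piping that into Remove-FGTFirewallLocalInPolicy would delete all local-in policies; throwing when the bound value is empty is the safer contract for a Get that feeds Remove. Smaller items: Set declares `$name` and `$nat` parameters it never uses, Add tests `$PsBoundParameters.ContainsKey('name')` although it has no `name` parameter, the first Add example describes "source port port1 and destination port2" which does not match the command, and the ShouldProcess strings still say 'Firewall Policy' / 'Firewall Policy Group Member' rather than 'Local In Policy'.

```powershell
if ( $PsBoundParameters.ContainsKey('intf') ) {
    # Interface: before 7.4.0 local-in-policy takes bare interface names, not a member list
    if ($connection.version -ge "7.4.0") {
        $intf_array = @()
        foreach ($i in $intf) {
            $intf_array += @{ 'name' = $i }
        }
    }
    else {
        $intf_array = $intf
    }
    $_policy | add-member -name "intf" -membertype NoteProperty -Value $intf_array
}
# … unchanged: srcaddr / dstaddr / action / status / schedule / service / comments / data handling …
if ($PSCmdlet.ShouldProcess($policy.policyid, 'Configure Firewall Local In Policy')) {
```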
@@ -36,6 +36,7 @@ With this module (version 0.9.1) you can manage:
 - [Monitor](#monitor) (Get)
 - [Policy](#policy) (Add/Get/Remove)
 - [Proxy Address/Address Group/ Policy](#proxy) (Add/Get/Set/Remove)
+- [Local In Policy](#local-in-poloicy) (Add/Get/Copy/Set/Remove and Add/Remove Member)
 - [Router BGP](#bgp) (Get/Set)
 - [Router OSPF](#ospf) (Get/Set)
 - RoutePolicy (Get)
@@ -2221,6 +2222,14 @@ There is also cmdlet for Proxy
 For Proxy Policy, it is possible to specific explict proxy or transparent
 For FortiGate 6.0.x, you need to enable proxy mode before (and enable feature)
+### Local In Policy
+
+There is also cmdlet for Local in Policy
+
+You can create a new Local In Policy `Add-FGTFirewallLocalInPolicy`, retrieve its information `Get-FGTFirewallLocalInPolicy`
+Add member to source or destinationn address `Add-FGTFirewallLocalInPolicyMember` and remove member `Add-FGTFirewallLocalInPolicyMember`,
+set it `Set-FGTFirewallLocalInPolicy` or delete it `Remove-FGTFirewalLocalInPolicy`.
+
 ### Connecting with API Token
 If you have a REST API administrator account setup, you can connect with the API
@@ -2358,6 +2367,8 @@ Currently, [@alagoutte](#author) started this project and will keep maintaining
 Add-FGTFirewallAddress
 Add-FGTFirewallAddressGroup
 Add-FGTFirewallAddressGroupMember
+Add-FGTFirewallLocalInPolicy
+Add-FGTFirewallLocalInPolicyMember
 Add-FGTFirewallPolicy
 Add-FGTFirewallPolicyMember
 Add-FGTFirewallProxyAddress
@@ -2385,6 +2396,7 @@ Add-FGTVpnIpsecPhase1Interface
 Add-FGTVpnIpsecPhase2Interface
 Confirm-FGTAddress
 Confirm-FGTAddressGroup
+Confirm-FGTFirewallLocalInPolicy
 Confirm-FGTFirewallPolicy
 Confirm-FGTFirewallProxyPolicy
 Confirm-FGTInterface
@@ -2421,6 +2433,7 @@ Get-FGTFirewallAddress
 Get-FGTFirewallAddressGroup
 Get-FGTFirewallInternetServiceName
 Get-FGTFirewallIPPool
+Get-FGTFirewallLocalInPolicy
 Get-FGTFirewallPolicy
 Get-FGTFirewallProxyAddress
 Get-FGTFirewallProxyAddressGroup
@@ -2507,10 +2520,13 @@ Get-FGTWirelessWTP
 Get-FGTWirelessWTPGroup
 Get-FGTWirelessWTPProfile
 Invoke-FGTRestMethod
+Move-FGTFirewallLocalInPolicy
 Move-FGTFirewallPolicy
 Remove-FGTFirewallAddress
 Remove-FGTFirewallAddressGroup
 Remove-FGTFirewallAddressGroupMember
+Remove-FGTFirewallLocalInPolicy
+Remove-FGTFirewallLocalInPolicyMember
 Remove-FGTFirewallPolicy
 Remove-FGTFirewallPolicyMember
 Remove-FGTFirewallProxyAddress
@@ -2540,6 +2556,7 @@ Set-FGTCipherSSL
 Set-FGTConnection
 Set-FGTFirewallAddress
 Set-FGTFirewallAddressGroup
+Set-FGTFirewallLocalInPolicy
 Set-FGTFirewallPolicy
 Set-FGTFirewallProxyAddressGroup
 Set-FGTFirewallServiceCustom
diff --git a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 b/Tests/integration/FirewallLocalInPolicy.Tests.ps1
new file mode 100644
index 00000000..009c91eb
--- /dev/null
+++ b/Tests/integration/FirewallLocalInPolicy.Tests.ps1
@@ -0,0 +1,1259 @@ +# +# Copyright 2020, Alexis La Goutte +# +# SPDX-License-Identifier: Apache-2.0 +# + +#include common configuration +. ../common.ps1 + +BeforeAll { + Connect-FGT @invokeParams +} + +Describe "Get Firewall Local In Policy" { + + BeforeAll { + $policy1 = Add-FGTFirewallLocalInPolicy -intf $pester_port1 -srcaddr all -dstaddr all + $script:uuid = $policy1.uuid + $script:policyid1 = $policy1.policyid + Add-FGTFirewallLocalInPolicy -intf $pester_port2 -srcaddr all -dstaddr all + } + + It "Get Policy Does not throw an error" { + { + Get-FGTFirewallLocalInPolicy + } | Should -Not -Throw + } + + It "Get ALL Policy" { + $policy = Get-FGTFirewallLocalInPolicy + $policy.count | Should -Not -Be $NULL + } + + It "Get ALL Policy with -skip" { + $policy = Get-FGTFirewallLocalInPolicy -skip + $policy.count | Should -Not -Be $NULL + } + + It "Get Policy -Schema" { + $schema = Get-FGTFirewallLocalInPolicy -schema + $schema | Should -Not -BeNullOrEmpty + $schema.name | Should -Be "local-in-policy" + $schema.category | Should -Not -BeNullOrEmpty + $schema.children | Should -Not -BeNullOrEmpty + $schema.mkey | Should -Be "policyid" + } + + It "Get Policy ($pester_policy1) and confirm (via Confirm-FGTFirewallLocalInPolicy)" { + $policy = Get-FGTFirewallLocalInPolicy -policyid $script:policyid1 + Confirm-FGTFirewallLocalInPolicy ($policy) | Should -Be $true + } + + It "Get Policy ($pester_policy1) and meta" { + $policy = Get-FGTFirewallLocalInPolicy -policyid $script:policyid1 -meta + $policy.policyid | Should -Be $script:policyid1 + $policy.q_ref | Should -Not -BeNullOrEmpty + $policy.q_static | Should -Not -BeNullOrEmpty + $policy.q_no_rename | Should -Not -BeNullOrEmpty + $policy.q_global_entry | Should -Not -BeNullOrEmpty + $policy.q_type | Should -Not -BeNullOrEmpty + $policy.q_path | Should -Be "firewall" + $policy.q_name | Should -Be "local-in-policy" + $policy.q_mkey_type | Should -Be "integer" + if ($DefaultFGTConnection.version -ge "6.2.0") { + 
$policy.q_no_edit | Should -Not -BeNullOrEmpty + } + #$policy.q_class | Should -Not -BeNullOrEmpty + } + + Context "Search" { + + + It "Search Policy by uuid ($script:uuid)" -skip:($fgt_version -lt "6.4.0") { + $policy = Get-FGTFirewallLocalInPolicy -uuid $script:uuid + @($policy).count | Should -be 1 + $policy.uuid | Should -Be $script:uuid + } + + It "Search Policy by policyid ($script:policyid1)" { + $policy = Get-FGTFirewallLocalInPolicy -policyid $script:policyid1 + @($policy).count | Should -be 1 + $policy.policyid | Should -Be $script:policyid1 + } + + } + + AfterAll { + Get-FGTFirewallLocalInPolicy -policyid $script:policyid1 | Remove-FGTFirewallLocalInPolicy -confirm:$false + Get-FGTFirewallLocalInPolicy -policyid $script:policyid2 | Remove-FGTFirewallLocalInPolicy -confirm:$false + } + +} + + +Describe "Add Firewall Local In Policy" { + + BeforeAll { + Add-FGTFirewallLocalInPolicy -policyid 44 -intf $pester_port2 -srcaddr all -dstaddr all + } + + AfterEach { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicy -confirm:$false + } + + It "Add Policy $pester_policy1 ($pester_port1 / $pester_port2 : All/All)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + Context "Multi Interface" -skip:($fgt_version -lt "7.4.0") { + + It "Add Policy $pester_policy1 
(intf: $pester_port1, $pester_port3)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1, $pester_port3 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + ($policy.intf.name).count | Should -be "2" + $policy.intf.name | Should -BeIn $pester_port1, $pester_port3 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + } + + Context "Multi Source / destination address" { + + BeforeAll { + Add-FGTFirewallAddress -Name $pester_address1 -ip 192.0.2.1 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address2 -ip 192.0.2.2 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address3 -ip 192.0.2.3 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address4 -ip 192.0.2.4 -mask 255.255.255.255 + } + + It "Add Policy $pester_policy1 (src addr: $pester_address1 and dst addr: all)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1 -dstaddr all + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be $pester_address1 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty 
+ } + + It "Add Policy $pester_policy1 (src addr: $pester_address1, $pester_address3 and dst addr: all)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1, $pester_address3 -dstaddr all + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (src addr: all and dst addr: $pester_address2)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr $pester_address2 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be $pester_address2 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (src addr: all and dst addr: $pester_address2, $pester_address4)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr 
$pester_address2, $pester_address4 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (src addr: $pester_address1, $pester_address3 and dst addr: $pester_address2, $pester_address4)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1, $pester_address3 -dstaddr $pester_address2, $pester_address4 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + AfterAll { + Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name 
$pester_address2 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address3 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address4 | Remove-FGTFirewallAddress -confirm:$false + } + + } + + It "Add Policy $pester_policy1 (with action deny)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -action deny + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "deny" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (status disable)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -status:$false + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "disable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (with 1 service : HTTP)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf 
$pester_port1 -srcaddr all -dstaddr all -service HTTP + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "HTTP" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (with 2 services : HTTP, HTTPS)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -service HTTP, HTTPS + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -BeIn "HTTP", "HTTPS" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + #Add Schedule ? 
need API + It "Add Policy $pester_policy1 (with schedule none)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -schedule none + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "All" + $policy.schedule | Should -Be "none" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (with comments)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -comments "Add via PowerFGT" + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "All" + $policy.schedule | Should -Be "always" + $policy.comments | Should -Be "Add via PowerFGT" + } + + It "Add Policy $pester_policy1 (with data (1 field))" -skip:($fgt_version -lt "7.0.0") { + $data = @{ "service-negate" = "enable" } + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -data $data + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if 
($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "All" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + $policy.'service-negate' | Should -Be "enable" + } + + It "Add Policy $pester_policy1 (with data (2 fields))" -skip:($fgt_version -lt "7.0.0") { + $data = @{ "service-negate" = "enable" ; "comments" = "Add via PowerFGT and -data" } + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -data $data + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "All" + $policy.schedule | Should -Be "always" + $policy.comments | Should -Be "Add via PowerFGT and -data" + $policy.'service-negate' | Should -Be "enable" + } + + AfterAll { + Get-FGTFirewallLocalInPolicy -policyid 44 | Remove-FGTFirewallLocalInPolicy -confirm:$false + } +} + +Describe "Add Firewall Local In Policy Member" { + + BeforeAll { + #Create some Address object + Add-FGTFirewallAddress -Name $pester_address1 -ip 192.0.2.1 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address2 -ip 192.0.2.2 -mask 255.255.255.255 + Add-FGTFirewallAddress 
-Name $pester_address3 -ip 192.0.2.3 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address4 -ip 192.0.2.4 -mask 255.255.255.255 + } + + AfterEach { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicy -confirm:$false + } + + Context "Add Member(s) to Source Address" { + + It "Add 1 member to Policy Src Address $pester_address1 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be $pester_address1 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Src Address $pester_address1, $pester_address3 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address3 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be $pester_address1, 
$pester_address3 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 1 member to Policy Src Address $pester_address3 (with $pester_address1 before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1 -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address3 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be $pester_address1, $pester_address3 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + } + + Context "Add Member(s) to Destination Address" { + + It "Add 1 member to Policy Dst Address $pester_address2 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address2 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | 
Should -Be "all" + $policy.dstaddr.name | Should -Be "$pester_address2" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Dst Address $pester_address2, $pester_address4 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address2, $pester_address4 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "all" + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 1 member to Policy Dst Address $pester_address4 (with $pester_address2 before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr $pester_address2 + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address4 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be 
"all" + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + } + + Context "Add Member(s) to Source and Destination Address" { + + It "Add 1 member to Policy src Address $pester_address1 dst Address $pester_address2 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1 -dstaddr $pester_address2 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + $policy.srcaddr.name | Should -Be "$pester_address1" + $policy.dstaddr.name | Should -Be "$pester_address2" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Src Address $pester_address1, $pester_address3 and Dst Address $pester_address2, $pester_address4 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address3 -dstaddr $pester_address2, $pester_address4 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } 
+ if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 1 members to Policy Src Address $pester_address3 and Dst Address $pester_address4 (with $pester_address1/$pester_address2 before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1 -dstaddr $pester_address2 + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address3 -dstaddr $pester_address4 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + } + + Context "Add Member(s) to Interface" -skip:($fgt_version -lt "7.4.0") { + + It "Add 1 member to Policy Src Interface $pester_port1 (with any before)" { + $p = Add-FGTFirewallLocalInPolicy 
-policyid 23 -intf any -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -intf $pester_port1 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + $policy.intf.name | Should -Be $pester_port1 + ($policy.intf.name).count | Should -Be "1" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable"x + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Interface $pester_port1, $pester_port3 (with any before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf any -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -intf $pester_port3, $pester_port4 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + $policy.intf.name | Should -Be $pester_port3, $pester_port4 + ($policy.intf.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable"x + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 1 member to Policy Interface $pester_port3 (with $pester_port1 before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -intf $pester_port3 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + if ($DefaultFGTConnection.version 
-ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + $policy.intf.name | Should -Be $pester_port1, $pester_port3 + ($policy.intf.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable"x + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + } + + AfterAll { + Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address2 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address3 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address4 | Remove-FGTFirewallAddress -confirm:$false + } + +} + +Describe "Move Firewall Local In Policy" { + + BeforeEach { + $p1 = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -service SSH + $script:policyid1 = [int]$p1.policyid + $p2 = Add-FGTFirewallLocalInPolicy -policyid 44 -intf $pester_port1 -srcaddr all -dstaddr all -service HTTP + $script:policyid2 = [int]$p2.policyid + $p3 = Add-FGTFirewallLocalInPolicy -policyid 85 -intf $pester_port1 -srcaddr all -dstaddr all -service HTTPS + $script:policyid3 = [int]$p3.policyid + } + + AfterEach { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicy -confirm:$false + Get-FGTFirewallLocalInPolicy -policyid 44 | Remove-FGTFirewallLocalInPolicy -confirm:$false + Get-FGTFirewallLocalInPolicy -policyid 85 | Remove-FGTFirewallLocalInPolicy -confirm:$false + } + + Context "Move Policy Using id" { + + It "Move Policy SSH after HTTPS (using id)" { + Get-FGTFirewallLocalInPolicy -policyid 23 | Move-FGTFirewallLocalInPolicy -after -id $policyid3 + $policy = Get-FGTFirewallLocalInPolicy + $policy[0].policyid | Should -Be 44 + $policy[1].policyid | Should -Be 85 + 
$policy[2].policyid | Should -Be 23 + } + + It "Move Policy HTTPS before SSH (using id)" { + Get-FGTFirewallLocalInPolicy -policyid 85 | Move-FGTFirewallLocalInPolicy -before -id $policyid1 + $policy = Get-FGTFirewallLocalInPolicy + $policy[0].policyid | Should -Be 85 + $policy[1].policyid | Should -Be 23 + $policy[2].policyid | Should -Be 44 + } + } + + Context "Move Policy Using Firewall Local In Policy Object" { + + It "Move Policy HTTPS before SSH (using Firewall Local In Policy Object)" { + + Get-FGTFirewallLocalInPolicy -policyid 85 | Move-FGTFirewallLocalInPolicy -before -id (Get-FGTFirewallLocalInPolicy -policyid 23) + $policy = Get-FGTFirewallLocalInPolicy + $policy[0].policyid | Should -Be 85 + $policy[1].policyid | Should -Be 23 + $policy[2].policyid | Should -Be 44 + } + } +} + + +Describe "Configure Firewall Local In Policy" { + + BeforeAll { + $policy = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + $script:uuid = $policy.uuid + } + + Context "Multi Interface" -skip:($fgt_version -lt "7.4.0") { + + It "Set Policy $pester_policy1 (intf: $pester_port1, $pester_port3)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -intf $pester_port1, $pester_port3 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + ($policy.intf.name).count | Should -be "2" + $policy.intf.name | Should -BeIn $pester_port1, $pester_port3 + } + + } + + Context "Multi Source / Destination address" { + + BeforeAll { + Add-FGTFirewallAddress -Name $pester_address1 -ip 192.0.2.1 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address2 -ip 192.0.2.2 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address3 -ip 192.0.2.3 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address4 -ip 192.0.2.4 -mask 255.255.255.255 + } + + It "Set Policy 
$pester_policy1 (src addr: $pester_address1)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -srcaddr $pester_address1
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.srcaddr.name | Should -Be $pester_address1
+ }
+
+ It "Set Policy $pester_policy1 (src addr: $pester_address1, $pester_address3)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -srcaddr $pester_address1, $pester_address3
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ ($policy.srcaddr.name).count | Should -Be "2"
+ $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3
+ }
+
+ It "Set Policy $pester_policy1 (dst addr: $pester_address2)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -dstaddr $pester_address2
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.dstaddr.name | Should -Be $pester_address2
+ }
+
+ It "Set Policy $pester_policy1 (dst addr: $pester_address2, $pester_address4)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -dstaddr $pester_address2, $pester_address4
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ ($policy.dstaddr.name).count | Should -Be "2"
+ $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4
+ }
+
+ It "Set Policy $pester_policy1 (src addr: all and dst addr: all)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy 
-srcaddr all -dstaddr all
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ ($policy.srcaddr.name).count | Should -Be "1"
+ $policy.srcaddr.name | Should -Be "all"
+ ($policy.dstaddr.name).count | Should -Be "1"
+ $policy.dstaddr.name | Should -Be "all"
+ }
+
+ AfterAll {
+ Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false
+ Get-FGTFirewallAddress -name $pester_address2 | Remove-FGTFirewallAddress -confirm:$false
+ Get-FGTFirewallAddress -name $pester_address3 | Remove-FGTFirewallAddress -confirm:$false
+ Get-FGTFirewallAddress -name $pester_address4 | Remove-FGTFirewallAddress -confirm:$false
+ }
+
+ }
+
+ It "Set Policy $pester_policy1 (with action deny)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -action deny
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.action | Should -Be "deny"
+ }
+
+ It "Set Policy $pester_policy1 (with action accept)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -action accept
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.action | Should -Be "accept"
+ }
+
+ It "Set Policy $pester_policy1 (status disable)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -status:$false
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.status | Should -Be "disable"
+ }
+
+ It "Set Policy $pester_policy1 (status enable)" {
+ $p = 
Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -status
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.status | Should -Be "enable"
+ }
+
+ It "Set Policy $pester_policy1 (with 1 service : HTTP)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -service HTTP
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.service.name | Should -Be "HTTP"
+ }
+
+ It "Set Policy $pester_policy1 (with 2 services : SSH, HTTPS)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -service SSH, HTTPS
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.service.name | Should -BeIn "SSH", "HTTPS"
+ }
+
+ It "Set Policy $pester_policy1 (with 1 service : ALL))" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -service ALL
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.service.name | Should -Be "all"
+ }
+
+ #Add Schedule ? 
need API
+ It "Set Policy $pester_policy1 (with schedule none)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -schedule none
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.schedule | Should -Be "none"
+ }
+
+ It "Set Policy $pester_policy1 (with schedule always)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -schedule always
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.schedule | Should -Be "always"
+ }
+
+ It "Set Policy $pester_policy1 (with comments)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -comments "Modify via PowerFGT"
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.comments | Should -Be "Modify via PowerFGT"
+ }
+
+ It "Set Policy $pester_policy1 (with comments: null)" {
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -comments ""
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Set Policy $pester_policy1 (with data (1 field))" -skip:($fgt_version -lt "7.0.0") {
+ $data = @{ "service-negate" = "enable" }
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -data $data
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ 
$policy.'service-negate' | Should -Be "enable"
+ }
+
+ It "Set Policy $pester_policy1 (with data (2 fields))" -skip:($fgt_version -lt "7.0.0") {
+ $data = @{ "service-negate" = "disable" ; "comments" = "Modify via PowerFGT and -data" }
+ $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -data $data
+ @($p).count | Should -Be "1"
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.comments | Should -Be "Modify via PowerFGT and -data"
+ $policy.'service-negate' | Should -Be "disable"
+ }
+
+ AfterAll {
+ Get-FGTFirewallLocalInPolicy -uuid $script:uuid | Remove-FGTFirewallLocalInPolicy -confirm:$false
+ }
+
+}
+Describe "Remove Firewall Local In Policy" {
+
+ BeforeEach {
+ Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all
+ }
+
+ It "Remove Policy $pester_policy1 by pipeline" {
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ $policy | Remove-FGTFirewallLocalInPolicy -confirm:$false
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ $policy | Should -Be $NULL
+ }
+
+}
+
+Describe "Remove Firewall Local In Policy Member" {
+
+ BeforeAll {
+ #Create some Address object
+ Add-FGTFirewallAddress -Name $pester_address1 -ip 192.0.2.1 -mask 255.255.255.255
+ Add-FGTFirewallAddress -Name $pester_address2 -ip 192.0.2.2 -mask 255.255.255.255
+ Add-FGTFirewallAddress -Name $pester_address3 -ip 192.0.2.3 -mask 255.255.255.255
+ }
+
+ AfterEach {
+ Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicy -confirm:$false
+ }
+
+ Context "Remove Member(s) to Source Address" {
+ BeforeEach {
+ Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1, $pester_address2, $pester_address3 -dstaddr all
+ }
+
+ It "Remove 1 member to Policy Src Address $pester_address1 (with 3 members before)" {
+ Get-FGTFirewallLocalInPolicy -policyid 23 | 
Remove-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ if ($DefaultFGTConnection.version -ge "7.4.0") {
+ $policy.intf.name | Should -Be $pester_port1
+ }
+ else {
+ $policy.intf | Should -Be $pester_port1
+ }
+ ($policy.srcaddr.name).count | Should -Be "2"
+ $policy.srcaddr.name | Should -Be $pester_address2, $pester_address3
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Remove 2 members to Policy Src Address $pester_address1, $pester_address2 (with 3 members before)" {
+ Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address2
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ if ($DefaultFGTConnection.version -ge "7.4.0") {
+ $policy.intf.name | Should -Be $pester_port1
+ }
+ else {
+ $policy.intf | Should -Be $pester_port1
+ }
+ $policy.srcaddr.name | Should -Be $pester_address3
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Try Remove 3 members to Policy Src Address $pester_address1, $pester_address2, $pester_address3 (with 3 members before)" {
+ {
+ Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address2, $pester_address3
+ } | Should -Throw "You can't remove all members. 
Use Set-FGTFirewallLocalInPolicy to remove Source Address"
+ }
+
+ }
+
+ Context "Remove Member(s) to Interface" -skip:($fgt_version -lt "7.4.0") {
+ BeforeEach {
+ Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1, $pester_port2, $pester_port3 -srcaddr all -dstaddr all
+ }
+
+ It "Remove 1 member to Policy Interface $pester_port1 (with 3 members before)" {
+ Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -intf $pester_port1
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.intf.name | Should -BeIn $pester_port2, $pester_port3
+ ($policy.intf.name).count | Should -Be "2"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Remove 2 members to Policy Interface $pester_port1, $pester_port2 (with 3 members before)" {
+ Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -intf $pester_port1, $pester_port2
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ $policy.intf.name | Should -BeIn $pester_port3
+ ($policy.srcaddr.name).count | Should -Be "1"
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be "all"
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Try Remove 3 members to Address $pester_port1, $pester_port2, $pester_port3 (with 3 members before)" {
+ {
+ Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -intf 
$pester_port1, $pester_port2, $pester_port3
+ } | Should -Throw "You can't remove all members. Use Set-FGTFirewallLocalInPolicy to remove interface"
+ }
+
+ }
+
+ Context "Remove Member(s) to Destination Address" {
+ BeforeEach {
+ Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr $pester_address1, $pester_address2, $pester_address3
+ }
+
+ It "Remove 1 member to Policy Dest Address $pester_address1 (with 3 members before)" {
+ Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -dstaddr $pester_address1
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ if ($DefaultFGTConnection.version -ge "7.4.0") {
+ $policy.intf.name | Should -Be $pester_port1
+ }
+ else {
+ $policy.intf | Should -Be $pester_port1
+ }
+ $policy.srcaddr.name | Should -Be "all"
+ ($policy.dstaddr.name).count | Should -Be "2"
+ $policy.dstaddr.name | Should -Be $pester_address2, $pester_address3
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Remove 2 members to Policy Dest Address $pester_address1, $pester_address2 (with 3 members before)" {
+ Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -dstaddr $pester_address1, $pester_address2
+ $policy = Get-FGTFirewallLocalInPolicy -policyid 23
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
+ if ($DefaultFGTConnection.version -ge "7.4.0") {
+ $policy.intf.name | Should -Be $pester_port1
+ }
+ else {
+ $policy.intf | Should -Be $pester_port1
+ }
+ $policy.srcaddr.name | Should -Be "all"
+ $policy.dstaddr.name | Should -Be $pester_address3
+ $policy.action | Should -Be "accept"
+ $policy.status | Should -Be "enable"
+ $policy.service.name | 
Should -Be "all"
+ $policy.schedule | Should -Be "always"
+ $policy.comments | Should -BeNullOrEmpty
+ }
+
+ It "Try Remove 3 members to Policy Dest Address $pester_address1, $pester_address2, $pester_address3 (with 3 members before)" {
+ {
+ Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -dstaddr $pester_address1, $pester_address2, $pester_address3
+ } | Should -Throw "You can't remove all members. Use Set-FGTFirewallLocalInPolicy to remove Destination Address"
+ }
+
+ }
+
+ AfterAll {
+ Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false
+ Get-FGTFirewallAddress -name $pester_address2 | Remove-FGTFirewallAddress -confirm:$false
+ Get-FGTFirewallAddress -name $pester_address3 | Remove-FGTFirewallAddress -confirm:$false
+ }
+
+}
+#>
+AfterAll {
+ Disconnect-FGT -confirm:$false
+}
\ No newline at end of file