From e59999c3256d0ec0c2349761b65852a6a1f66c6a Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Fri, 28 Mar 2025 16:18:00 +0100 Subject: [PATCH 01/11] LocalInPolicy: Add cmdlet for Add/Get/Set/Remove Local In Policy --- PowerFGT/Private/Confirm.ps1 | 35 + .../Public/cmdb/firewall/local-in-policy.ps1 | 869 ++++++++++++++++++ 2 files changed, 904 insertions(+) create mode 100644 PowerFGT/Public/cmdb/firewall/local-in-policy.ps1
diff --git a/PowerFGT/Private/Confirm.ps1 b/PowerFGT/Private/Confirm.ps1
index 1bfae8ec..9296584f 100644
--- a/PowerFGT/Private/Confirm.ps1
+++ b/PowerFGT/Private/Confirm.ps1
@@ -192,6 +192,41 @@ Function Confirm-FGTFirewallPolicy {
 }
+Function Confirm-FGTFirewallLocalInPolicy {
+
+ Param (
+ [Parameter (Mandatory = $true)]
+ [object]$argument
+ )
+
+ #Check if it looks like an Firewall Local InPolicy element
+
+ if ( -not ( $argument | get-member -name policyid -Membertype Properties)) {
+ throw "Element specified does not contain a policyid property."
+ }
+ if ( -not ( $argument | get-member -name uuid -Membertype Properties)) {
+ throw "Element specified does not contain an uuid property."
+ }
+ if ( -not ( $argument | get-member -name intf -Membertype Properties)) {
+ throw "Element specified does not contain a intf property."
+ }
+ if ( -not ( $argument | get-member -name srcaddr -Membertype Properties)) {
+ throw "Element specified does not contain a srcaddr property."
+ }
+ if ( -not ( $argument | get-member -name dstaddr -Membertype Properties)) {
+ throw "Element specified does not contain a dstaddr property."
+ }
+ if ( -not ( $argument | get-member -name action -Membertype Properties)) {
+ throw "Element specified does not contain an action property."
+ }
+ if ( -not ( $argument | get-member -name status -Membertype Properties)) {
+ throw "Element specified does not contain a status property."
+ }
+
+ $true
+
+}
+
 Function Confirm-FGTFirewallProxyPolicy {
 Param (
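Review bot: The seven near-identical `get-member` checks in Confirm-FGTFirewallLocalInPolicy would read better as one loop over the required property names, which also keeps the error text consistent (the messages currently say "an uuid" and "a intf"): `foreach ($p in 'policyid', 'uuid', 'intf', 'srcaddr', 'dstaddr', 'action', 'status') { if (-not ($argument | Get-Member -Name $p -MemberType Properties)) { throw "Element specified does not contain a $p property." } }`. The header comment has a typo as well, `#Check if it looks like an Firewall Local InPolicy element` should read `#Check if it looks like a Firewall Local In Policy element`. Note that this validator only proves the properties exist; the public cmdlets later pass `$policy.policyid` as `-uri_escape`, so if a numeric check is wanted before that value reaches the request, it would belong here (`if ($argument.policyid -isnot [int])`), presumably mirroring whatever the other Confirm-* helpers in this file do.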
diff --git a/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 b/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1
new file mode 100644
index 00000000..a4ad7933
--- /dev/null
+++ b/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1
@@ -0,0 +1,869 @@ +# +# Copyright 2019, Alexis La Goutte +# +# SPDX-License-Identifier: Apache-2.0 +# + +function Add-FGTFirewallLocalInPolicy { + + <# + .SYNOPSIS + Add a FortiGate Local In Policy + + .DESCRIPTION + Add a FortiGate Local In Policy (interface, source/destination ip, service, action, status...) + + .EXAMPLE + Add-FGTFirewallLocalInPolicy -intf port1 -srcaddr all -dstaddr all + + Add a Local In Policy with source port port1 and destination port2 and source and destination all + + .EXAMPLE + Add-FGTFirewallLocalInPolicy -intf port10 -srcaddr all -dstaddr all -status:$false + + Add a Local In Policy with status is disable + + .EXAMPLE + Add-FGTFirewallLocalInPolicy -intf port1 -srcaddr all -dstaddr all -service HTTP, HTTPS, SSH + + Add a Local In Policy with multiple service port + + .EXAMPLE + Add-FGTFirewallLocalInPolicy -intf port1 -srcaddr all -dstaddr all -comments "My FGT Policy" + + Add a Local In Policy with comment "My FGT Policy" + + .EXAMPLE + Add-FGTFirewallLocalInPolicy -intf port1 -srcaddr all -dstaddr all -policyid 23 + + Add a Local In Policy with Policy ID equal 23 + + .EXAMPLE + $data = @{ "virtual-patch" = "enable" } + Add-FGTFirewallLocalInPolicy -intf port1 -srcaddr all -dstaddr all -data $data + + Add a Local In Policy with virtual-patch using -data + #> + + + Param( + [Parameter (Mandatory = $false)] + [int]$policyid, + [Parameter (Mandatory = $true)] + [string]$intf, + [Parameter (Mandatory = $true)] + [string[]]$srcaddr, + [Parameter (Mandatory = $true)] + [string[]]$dstaddr, + [Parameter (Mandatory = $false)] + [ValidateSet("accept", "deny")] + [string]$action = "accept", + [Parameter (Mandatory = $false)] + [switch]$status, + [Parameter (Mandatory = $false)] + [string]$schedule = "always", + [Parameter (Mandatory = $false)] + [string[]]$service = "ALL", + [Parameter (Mandatory = $false)] + [ValidateLength(0, 255)] + [string]$comments, + [Parameter (Mandatory = $false)] + [switch]$skip, + [Parameter (Mandatory = $false)] + 
[hashtable]$data, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('skip') ) { + $invokeParams.add( 'skip', $skip ) + } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + $uri = "api/v2/cmdb/firewall/local-in-policy" + + # Interface + $intf_array = @() + foreach ($i in $intf) { + $intf_array += @{ 'name' = $i } + } + + # Source address + $srcaddr_array = @() + #TODO check if the address (group, vip...) is valid + foreach ($addr in $srcaddr) { + $srcaddr_array += @{ 'name' = $addr } + } + + # Destination address + $dstaddr_array = @() + #TODO check if the address (group, vip...) is valid + foreach ($addr in $dstaddr) { + $dstaddr_array += @{ 'name' = $addr } + } + + # Service + $service_array = @() + #TODO check if the service (group...) is valid + foreach ($s in $service) { + $service_array += @{ 'name' = $s } + } + + $policy = new-Object -TypeName PSObject + + if ( $PsBoundParameters.ContainsKey('name') ) { + $policy | add-member -name "name" -membertype NoteProperty -Value $name + } + + if ( $PsBoundParameters.ContainsKey('policyid') ) { + $policy | add-member -name "policyid" -membertype NoteProperty -Value $policyid + } + + $policy | add-member -name "intf" -membertype NoteProperty -Value $intf_array + + $policy | add-member -name "srcaddr" -membertype NoteProperty -Value $srcaddr_array + + $policy | add-member -name "dstaddr" -membertype NoteProperty -Value $dstaddr_array + + $policy | add-member -name "action" -membertype NoteProperty -Value $action + + #set status enable by default (PSSA don't like to set default value for a switch parameter) + if ( -not $PsBoundParameters.ContainsKey('status') ) { + $status = $true + } + + if ($status) { + $policy | add-member -name "status" -membertype NoteProperty -Value "enable" + } + else { + 
$policy | add-member -name "status" -membertype NoteProperty -Value "disable" + } + + $policy | add-member -name "schedule" -membertype NoteProperty -Value $schedule + + $policy | add-member -name "service" -membertype NoteProperty -Value $service_array + + + if ( $PsBoundParameters.ContainsKey('comments') ) { + $policy | add-member -name "comments" -membertype NoteProperty -Value $comments + } + + if ( $PsBoundParameters.ContainsKey('data') ) { + $data.GetEnumerator() | ForEach-Object { + $policy | Add-member -name $_.key -membertype NoteProperty -Value $_.value + } + } + + $post = Invoke-FGTRestMethod -method "POST" -body $policy -uri $uri -connection $connection @invokeParams + + #there is no policy name on Local In Policy, get the policy via policyid (return by POST via mkey value) + Get-FGTFirewallLocalInPolicy -policyid $post.mkey -connection $connection @invokeParams + + } + + End { + } +} + +function Add-FGTFirewallLocalInPolicyMember { + + <# + .SYNOPSIS + Add a FortiGate Local In Policy Member + + .DESCRIPTION + Add a FortiGate Local In Policy Member (source or destination address, interface) + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Add-FGTFirewallLocalInPolicyMember -srcaddr MyAddress1 + + Add MyAddress1 member to source of Local In Policy 23 + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Add-FGTFirewallLocalInPolicyMember -dstaddr MyAddress1, MyAddress2 + + Add MyAddress1 and MyAddress2 member to destination of Local In Policy 23 + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Add-FGTFirewallLocalInPolicyMember -intf port1 + + Add port1 member to source interface of Local In Policy 23 + + #> + + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'low')] + Param( + [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)] + [ValidateScript( { Confirm-FGTFirewallLocalInPolicy $_ })] + 
[psobject]$policy, + [Parameter(Mandatory = $false)] + [string[]]$srcaddr, + [Parameter(Mandatory = $false)] + [string[]]$intf, + [Parameter(Mandatory = $false)] + [string[]]$dstaddr, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + $uri = "api/v2/cmdb/firewall/local-in-policy" + + $_policy = new-Object -TypeName PSObject + + if ( $PsBoundParameters.ContainsKey('srcaddr') ) { + + if ($policy.srcaddr.name -eq "all") { + #all => create new empty array members + $members = @() + } + else { + #Add member to existing source address + $members = $policy.srcaddr + } + + foreach ( $member in $srcaddr ) { + $member_name = @{ } + $member_name.add( 'name', $member) + $members += $member_name + } + $_policy | add-member -name "srcaddr" -membertype NoteProperty -Value $members + } + + if ( $PsBoundParameters.ContainsKey('intf') ) { + + if ($policy.intf.name -eq "any") { + #any => create new empty array members + $members = @() + } + else { + #Add member to existing source interface + $members = $policy.intf + } + + foreach ( $member in $intf ) { + $member_name = @{ } + $member_name.add( 'name', $member) + $members += $member_name + } + $_policy | add-member -name "intf" -membertype NoteProperty -Value $members + } + + if ( $PsBoundParameters.ContainsKey('dstaddr') ) { + + if ($policy.dstaddr.name -eq "all") { + #all => create new empty array members + $members = @() + } + else { + #Add member to existing destination address + $members = $policy.dstaddr + } + + foreach ( $member in $dstaddr ) { + $member_name = @{ } + $member_name.add( 'name', $member) + $members += $member_name + } + $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members + } + + if ($PSCmdlet.ShouldProcess($policy.name, 'Add Firewall Policy Group 
Member')) { + Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null + + Get-FGTFirewallLocalInPolicy -connection $connection @invokeParams -id $policy.policyid + } + } + + End { + } +} + +function Get-FGTFirewallLocalInPolicy { + + <# + .SYNOPSIS + Get list of all policies/rules + + .DESCRIPTION + Get list of all policies (name, interface, address (network) source/destination, service, action...) + + .EXAMPLE + Get-FGTFirewallLocalInPolicy + + Get list of all policies + + .EXAMPLE + Get-FGTFirewallLocalInPolicy -policyid 23 + + Get policy with id 23 + + .EXAMPLE + Get-FGTFirewallLocalInPolicy -uuid 9e73a10e-1772-51ea-a8d7-297686fd7702 + + Get policy with uuid 9e73a10e-1772-51ea-a8d7-297686fd7702 + + .EXAMPLE + Get-FGTFirewallLocalInPolicy -skip + + Get list of all policies (but only relevant attributes) + + .EXAMPLE + Get-FGTFirewallLocalInPolicy -meta + + Get list of all policies with metadata (q_...) like usage (q_ref) + + .EXAMPLE + Get-FGTFirewallLocalInPolicy -vdom vdomX + + Get list of all policies on vdomX + #> + + [CmdletBinding(DefaultParameterSetName = "default")] + Param( + [Parameter (Mandatory = $false, ParameterSetName = "uuid")] + [string]$uuid, + [Parameter (Mandatory = $false, ParameterSetName = "policyid")] + [string[]]$policyid, + [Parameter (Mandatory = $false)] + [Parameter (ParameterSetName = "filter")] + [string]$filter_attribute, + [Parameter (Mandatory = $false)] + [Parameter (ParameterSetName = "uuid")] + [Parameter (ParameterSetName = "policyid")] + [Parameter (ParameterSetName = "filter")] + [ValidateSet('equal', 'contains')] + [string]$filter_type = "equal", + [Parameter (Mandatory = $false)] + [Parameter (ParameterSetName = "filter")] + [psobject]$filter_value, + [Parameter(Mandatory = $false)] + [switch]$meta, + [Parameter(Mandatory = $false)] + [switch]$skip, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + 
[psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('meta') ) { + $invokeParams.add( 'meta', $meta ) + } + if ( $PsBoundParameters.ContainsKey('skip') ) { + $invokeParams.add( 'skip', $skip ) + } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + #Filtering + switch ( $PSCmdlet.ParameterSetName ) { + "uuid" { + $filter_value = $uuid + $filter_attribute = "uuid" + } + "policyid" { + $filter_value = $policyid + $filter_attribute = "policyid" + } + default { } + } + + #if filter value and filter_attribute, add filter (by default filter_type is equal) + if ( $filter_value -and $filter_attribute ) { + $invokeParams.add( 'filter_value', $filter_value ) + $invokeParams.add( 'filter_attribute', $filter_attribute ) + $invokeParams.add( 'filter_type', $filter_type ) + } + + $reponse = Invoke-FGTRestMethod -uri 'api/v2/cmdb/firewall/local-in-policy' -method 'GET' -connection $connection @invokeParams + $reponse.results + } + + End { + } +} + +function Move-FGTFirewallLocalInPolicy { + + <# + .SYNOPSIS + Move a FortiGate Local In Policy + + .DESCRIPTION + Move a Policy/Rule object (after or before) on the FortiGate + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Move-FGTFirewallLocalInPolicy -after -id 12 + + Move Policy object id 23 after Policy id 12 + + #> + + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'low')] + Param( + [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)] + [ValidateScript( { Confirm-FGTFirewallLocalInPolicy $_ })] + [psobject]$policy, + [Parameter(Mandatory = $true, ParameterSetName = "after")] + [switch]$after, + [Parameter(Mandatory = $true, ParameterSetName = "before")] + [switch]$before, + [Parameter(Mandatory = $true)] + [ValidateScript( { ($_ -is [int]) -or (Confirm-FGTFirewallLocalInPolicy $_ ) })] + [psobject]$id, + [Parameter(Mandatory 
= $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + #id is a Policy Rule (from Get-FGTFirewallLocalInPolicy) ? + if ( $id.policyid ) { + #Get the policyid + [int]$id = $id.policyid + } + + $uri = "api/v2/cmdb/firewall/local-in-policy" + $extra = "action=move" + + switch ( $PSCmdlet.ParameterSetName ) { + "after" { + $extra += "&after=$($id)" + } + "before" { + $extra += "&before=$($id)" + } + default { } + } + if ($PSCmdlet.ShouldProcess($policy.name, 'Move Firewall Policy')) { + $null = Invoke-FGTRestMethod -method "PUT" -uri $uri -uri_escape $policy.policyid -extra $extra -connection $connection @invokeParams + } + + Get-FGTFirewallLocalInPolicy -policyid $policy.policyid -connection $connection @invokeParams + } + + End { + } +} + +function Set-FGTFirewallLocalInPolicy { + + <# + .SYNOPSIS + Configure a FortiGate Local In Policy + + .DESCRIPTION + Change a FortiGate Local in Policy Policy/Rules (source/destination ip, interface, action, status, ...) 
+ + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Set-FGTFirewallLocalInPolicy -intf port1 -srcaddr MyFGTAddress + + Change MyFGTPolicy (Policy id 23) to intf port1 and srcaddr MyFGTAddress + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Set-FGTFirewallLocalInPolicy -service HTTP,HTTPS + + Change MyFGTPolicy (Policy id 23) to set service to HTTP and HTTPS + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Set-FGTFirewallLocalInPolicy -comments "My FGT Policy" + + Change MyFGTPolicy (Policy id 23) to set a new comments + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Set-FGTFirewallLocalInPolicy -status:$false + + Change MyFGTPolicy (Policy id 23) to set status disable + + .EXAMPLE + $data = @{"virtual-patch" = "enable" } + PS C:\>$MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Set-FGTFirewallLocalInPolicy -data $data + + Change MyFGTPolicy (Policy id 23) to setvirtual-patch to enabled using -data + + #> + + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'medium', DefaultParameterSetName = 'default')] + Param( + [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)] + [ValidateScript( { Confirm-FGTFirewallLocalInPolicy $_ })] + [psobject]$policy, + [Parameter (Mandatory = $false)] + [string]$name, + [string[]]$intf, + [Parameter (Mandatory = $false)] + [string[]]$srcaddr, + [Parameter (Mandatory = $false)] + [string[]]$dstaddr, + [Parameter (Mandatory = $false)] + [ValidateSet("accept", "deny")] + [string]$action, + [Parameter (Mandatory = $false)] + [switch]$status, + [Parameter (Mandatory = $false)] + [string]$schedule, + [Parameter (Mandatory = $false)] + [string[]]$service, + [Parameter (Mandatory = $false)] + [switch]$nat, + [Parameter (Mandatory = $false)] + [ValidateLength(0, 255)] + [string]$comments, + [Parameter 
(Mandatory = $false)] + [hashtable]$data, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + $uri = "api/v2/cmdb/firewall/local-in-policy" + + $_policy = new-Object -TypeName PSObject + + if ( $PsBoundParameters.ContainsKey('intf') ) { + # Interface + $intf_array = @() + #TODO check if the interface (zone ?) is valid + foreach ($intf in $intf) { + $intf_array += @{ 'name' = $intf } + } + $_policy | add-member -name "intf" -membertype NoteProperty -Value $intf_array + } + + if ( $PsBoundParameters.ContainsKey('srcaddr') ) { + # Source address + $srcaddr_array = @() + #TODO check if the address (group, vip...) is valid + foreach ($addr in $srcaddr) { + $srcaddr_array += @{ 'name' = $addr } + } + $_policy | add-member -name "srcaddr" -membertype NoteProperty -Value $srcaddr_array + } + + if ( $PsBoundParameters.ContainsKey('dstaddr') ) { + # Destination address + $dstaddr_array = @() + #TODO check if the address (group, vip...) 
is valid + foreach ($addr in $dstaddr) { + $dstaddr_array += @{ 'name' = $addr } + } + $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $dstaddr_array + } + + if ( $PsBoundParameters.ContainsKey('action') ) { + $_policy | add-member -name "action" -membertype NoteProperty -Value $action + } + + if ( $PsBoundParameters.ContainsKey('status') ) { + if ($status) { + $_policy | add-member -name "status" -membertype NoteProperty -Value "enable" + } + else { + $_policy | add-member -name "status" -membertype NoteProperty -Value "disable" + } + } + + if ( $PsBoundParameters.ContainsKey('schedule') ) { + $_policy | add-member -name "schedule" -membertype NoteProperty -Value $schedule + } + + if ( $PsBoundParameters.ContainsKey('service') ) { + # Service + $service_array = @() + #TODO check if the service (group...) is valid + foreach ($s in $service) { + $service_array += @{ 'name' = $s } + } + $_policy | add-member -name "service" -membertype NoteProperty -Value $service_array + } + + if ( $PsBoundParameters.ContainsKey('comments') ) { + $_policy | add-member -name "comments" -membertype NoteProperty -Value $comments + } + + if ( $PsBoundParameters.ContainsKey('data') ) { + $data.GetEnumerator() | ForEach-Object { + $_policy | Add-member -name $_.key -membertype NoteProperty -Value $_.value + } + } + + if ($PSCmdlet.ShouldProcess($address.name, 'Configure Firewall Policy')) { + Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | out-Null + + Get-FGTFirewallLocalInPolicy -connection $connection @invokeParams -policyid $policy.policyid + } + } + + End { + } +} + +function Remove-FGTFirewallLocalInPolicy { + + <# + .SYNOPSIS + Remove a FortiGate Local In Policy + + .DESCRIPTION + Remove a Local In Policy object on the FortiGate + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Remove-FGTFirewallLocalInPolicy + + Remove Local in Policy 
id 23 + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Remove-FGTFirewallLocalInPolicy -confirm:$false + + Remove Local in Policy id 23y with no confirmation + + #> + + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'high')] + Param( + [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)] + [ValidateScript( { Confirm-FGTFirewallLocalInPolicy $_ })] + [psobject]$policy, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + $uri = "api/v2/cmdb/firewall/local-in-policy" + + if ($PSCmdlet.ShouldProcess($policy.name, 'Remove Firewall Policy')) { + $null = Invoke-FGTRestMethod -method "DELETE" -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams + } + } + + End { + } +} + +function Remove-FGTFirewallLocalInPolicyMember { + + <# + .SYNOPSIS + Remove a FortiGate Local In Policy Member + + .DESCRIPTION + Remove a FortiGate Local In Policy Member (source, destination address and interface) + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Remove-FGTFirewallLocalInPolicyMember -srcaddr MyAddress1 + + Remove source MyAddress1 member to MyFGTPolicy (policy id 23) + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Remove-FGTFirewallLocalInPolicyMember -dstaddr MyAddress1, MyAddress2 + + Remove destination MyAddress1 and MyAddress2 member to MyFGTPolicy (policy id 23) + + .EXAMPLE + $MyFGTPolicy = Get-FGTFirewallLocalInPolicy -policyid 23 + PS C:\>$MyFGTPolicy | Remove-FGTFirewallLocalInPolicyMember -intf port1 + + Remove port1 member to interface of MyFGTPolicy (policy id 23) + + + #> + + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'medium')] + Param( + 
[Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)] + [ValidateScript( { Confirm-FGTFirewallLocalInPolicy $_ })] + [psobject]$policy, + [Parameter(Mandatory = $false)] + [string[]]$srcaddr, + [Parameter(Mandatory = $false)] + [string[]]$intf, + [Parameter(Mandatory = $false)] + [string[]]$dstaddr, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + $uri = "api/v2/cmdb/firewall/local-in-policy" + + $_policy = new-Object -TypeName PSObject + + if ( $PsBoundParameters.ContainsKey('srcaddr') ) { + #Create a new source addr array + $members = @() + foreach ($m in $policy.srcaddr) { + $member_name = @{ } + $member_name.add( 'name', $m.name) + $members += $member_name + } + + #Remove member + foreach ($remove_member in $srcaddr) { + #May be a better (and faster) solution... + $members = $members | Where-Object { $_.name -ne $remove_member } + } + + #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy) + if ( $members.count -eq 0 ) { + Throw "You can't remove all members. Use Set-FGTFirewallLocalInPolicy to remove Source Address" + } + + #if there is only One or less member force to be an array + if ( $members.count -le 1 ) { + $members = @($members) + } + + $_policy | add-member -name "srcaddr" -membertype NoteProperty -Value $members + } + + if ( $PsBoundParameters.ContainsKey('dstaddr') ) { + #Create a new destination addr array + $members = @() + foreach ($m in $policy.dstaddr) { + $member_name = @{ } + $member_name.add( 'name', $m.name) + $members += $member_name + } + + #Remove member + foreach ($remove_member in $dstaddr) { + #May be a better (and faster) solution... 
+ $members = $members | Where-Object { $_.name -ne $remove_member } + } + + #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy) + if ( $members.count -eq 0 ) { + Throw "You can't remove all members. Use Set-FGTFirewallLocalInPolicy to remove Destination Address" + } + + #if there is only One or less member force to be an array + if ( $members.count -le 1 ) { + $members = @($members) + } + + $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members + } + + if ( $PsBoundParameters.ContainsKey('intf') ) { + #Create a new intf array + $members = @() + foreach ($m in $policy.intf) { + $member_name = @{ } + $member_name.add( 'name', $m.name) + $members += $member_name + } + + #Remove member + foreach ($remove_member in $intf) { + #May be a better (and faster) solution... + $members = $members | Where-Object { $_.name -ne $remove_member } + } + + #check if there is always a member... (it is not really (dependy of release...) possible don't have member on Policy) + if ( $members.count -eq 0 ) { + Throw "You can't remove all members. Use Set-FGTFirewallLocalInPolicy to remove interface" + } + + #if there is only One or less member force to be an array + if ( $members.count -le 1 ) { + $members = @($members) + } + + $_policy | add-member -name "intf" -membertype NoteProperty -Value $members + } + + if ($PSCmdlet.ShouldProcess($policy.name, 'Remove Firewall Policy Group Member')) { + Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null + + Get-FGTFirewallLocalInPolicy -connection $connection @invokeParams -name $addrgrp.name + } + } + + End { + } +} \ No newline at end of file From a1f99c5a79da111171b702514c6b625b40de8fd9 Mon Sep 17 00:00:00 2001 
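Review bot: In Set-FGTFirewallLocalInPolicy, `if ($PSCmdlet.ShouldProcess($address.name, 'Configure Firewall Policy'))` references `$address`, which is not defined anywhere in that function, so -WhatIf and -Confirm prompts show an empty target; it should be `if ($PSCmdlet.ShouldProcess($policy.policyid, 'Configure Firewall Policy'))`. The same function declares `[string]$name` and `[switch]$nat` parameters that its Process block never reads, so a caller passing them gets neither an error nor an effect; either wire them into `$_policy` or drop them. In Add-FGTFirewallLocalInPolicy the branch `if ( $PsBoundParameters.ContainsKey('name') )` can never run because the cmdlet has no `name` parameter (the comment further down says local-in policies have no name), and the first `.EXAMPLE` description, "Add a Local In Policy with source port port1 and destination port2 and source and destination all", does not match the command shown above it. Since Add and Set both copy every `-data` key straight into the request body, a sentence in their `.DESCRIPTION` saying that `-data` keys are sent unvalidated would help readers.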
From: Alexis La Goutte Date: Wed, 24 Dec 2025 16:22:12 +0100 Subject: [PATCH 02/11] LocalInPolicy: Add -schema parameter for get too --- PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 b/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 index a4ad7933..0527da2e 100644 --- a/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 +++ b/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 @@ -337,6 +337,11 @@ function Get-FGTFirewallLocalInPolicy { Get list of all policies with metadata (q_...) like usage (q_ref) + .EXAMPLE + Get-FGTFirewallLocalInPolicy -schema + + Get schema of Local In Policy + .EXAMPLE Get-FGTFirewallLocalInPolicy -vdom vdomX @@ -365,6 +370,8 @@ function Get-FGTFirewallLocalInPolicy { [switch]$meta, [Parameter(Mandatory = $false)] [switch]$skip, + [Parameter(Mandatory = $false, ParameterSetName = "schema")] + [switch]$schema, [Parameter(Mandatory = $false)] [String[]]$vdom, [Parameter(Mandatory = $false)] @@ -387,6 +394,10 @@ function Get-FGTFirewallLocalInPolicy { $invokeParams.add( 'vdom', $vdom ) } + if ( $PsBoundParameters.ContainsKey('schema') ) { + $invokeParams.add( 'extra', "&action=schema" ) + } + #Filtering switch ( $PSCmdlet.ParameterSetName ) { "uuid" { From cd16a962e123369e9d2cf7b59ef30f62fc2e20f9 Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Wed, 24 Dec 2025 16:47:56 +0100 Subject: [PATCH 03/11] LocalInPolicy: Fix some typo found when write test... --- PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 b/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 index 0527da2e..2d512a68 100644 --- a/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 +++ b/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 
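Review bot: In the third hunk the schema request is added as `$invokeParams.add( 'extra', "&action=schema" )` with a leading `&`, while Move-FGTFirewallLocalInPolicy in the same file builds its `-extra` value as `"action=move"` with no separator; how Invoke-FGTRestMethod joins `-extra` onto the query string is not visible here, but the two forms cannot both be right, so they should agree with whatever the other Get-* cmdlets in the module pass. Also, `$schema` sits in its own parameter set, yet `$filter_attribute` and `$filter_value` carry an unqualified `[Parameter (Mandatory = $false)]` and so remain bindable with `-schema`, and the `#Filtering` switch and the `$filter_value -and $filter_attribute` check still run for that set; a `"schema" { }` case that skips the filter block, or a short comment stating that filters are ignored with -schema, would make the intent explicit. The enclosing Param block and Process block start and end outside these hunks.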
@@ -50,7 +50,7 @@ function Add-FGTFirewallLocalInPolicy { [Parameter (Mandatory = $false)] [int]$policyid, [Parameter (Mandatory = $true)] - [string]$intf, + [string[]]$intf, [Parameter (Mandatory = $true)] [string[]]$srcaddr, [Parameter (Mandatory = $true)] @@ -292,10 +292,10 @@ function Add-FGTFirewallLocalInPolicyMember { $_policy | add-member -name "dstaddr" -membertype NoteProperty -Value $members } - if ($PSCmdlet.ShouldProcess($policy.name, 'Add Firewall Policy Group Member')) { + if ($PSCmdlet.ShouldProcess($policy.policyid, 'Add Firewall Policy Group Member')) { Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null - Get-FGTFirewallLocalInPolicy -connection $connection @invokeParams -id $policy.policyid + Get-FGTFirewallLocalInPolicy -connection $connection @invokeParams -policyid $policy.policyid } } @@ -489,7 +489,7 @@ function Move-FGTFirewallLocalInPolicy { } default { } } - if ($PSCmdlet.ShouldProcess($policy.name, 'Move Firewall Policy')) { + if ($PSCmdlet.ShouldProcess($policy.policyid, 'Move Firewall Policy')) { $null = Invoke-FGTRestMethod -method "PUT" -uri $uri -uri_escape $policy.policyid -extra $extra -connection $connection @invokeParams } @@ -714,7 +714,7 @@ function Remove-FGTFirewallLocalInPolicy { $uri = "api/v2/cmdb/firewall/local-in-policy" - if ($PSCmdlet.ShouldProcess($policy.name, 'Remove Firewall Policy')) { + if ($PSCmdlet.ShouldProcess($policy.policyid, 'Remove Firewall Policy')) { $null = Invoke-FGTRestMethod -method "DELETE" -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams } } 
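Review bot: In the second hunk the ShouldProcess action text `'Add Firewall Policy Group Member'` is the address-group wording this cmdlet was copied from, and the same applies to `'Remove Firewall Policy Group Member'` in the last hunk of this patch (Remove-FGTFirewallLocalInPolicyMember); `'Add Firewall Local In Policy Member'` and `'Remove Firewall Local In Policy Member'` would tell the user what they are actually confirming. In the first hunk, `[string[]]$intf` now matches the `foreach ($i in $intf)` loop in Add-FGTFirewallLocalInPolicy, but every `.EXAMPLE` in that cmdlet still shows a single interface; one example with `-intf port1, port2` would document the multi-interface form the type change enables. The enclosing Param blocks and functions start and end outside these hunks.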
@@ -868,10 +868,10 @@ function Remove-FGTFirewallLocalInPolicyMember { $_policy | add-member -name "intf" -membertype NoteProperty -Value $members } - if ($PSCmdlet.ShouldProcess($policy.name, 'Remove Firewall Policy Group Member')) { + if ($PSCmdlet.ShouldProcess($policy.policyid, 'Remove Firewall Policy Group Member')) { Invoke-FGTRestMethod -method "PUT" -body $_policy -uri $uri -uri_escape $policy.policyid -connection $connection @invokeParams | Out-Null - Get-FGTFirewallLocalInPolicy -connection $connection @invokeParams -name $addrgrp.name + Get-FGTFirewallLocalInPolicy -connection $connection @invokeParams -policyid $policy.policyid } } From 10547884fa7f7706f26e8ec88f5d81c18347b4c2 Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Wed, 24 Dec 2025 17:19:44 +0100 Subject: [PATCH 04/11] LocalInPolicy: Add Tests --- .../FirewallLocalInPolicy.Tests.ps1 | 1019 +++++++++++++++++ 1 file changed, 1019 insertions(+) create mode 100644 Tests/integration/FirewallLocalInPolicy.Tests.ps1 diff --git a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 b/Tests/integration/FirewallLocalInPolicy.Tests.ps1 new file mode 100644 index 00000000..94a7db17 --- /dev/null +++ b/Tests/integration/FirewallLocalInPolicy.Tests.ps1 
@@ -0,0 +1,1019 @@ +# +# Copyright 2020, Alexis La Goutte +# +# SPDX-License-Identifier: Apache-2.0 +# + +#include common configuration +. ../common.ps1 + +BeforeAll { + Connect-FGT @invokeParams +} + +Describe "Get Firewall Local In Policy" { + + BeforeAll { + $policy1 = Add-FGTFirewallLocalInPolicy -intf $pester_port1 -srcaddr all -dstaddr all + $script:uuid = $policy1.uuid + $script:policyid1 = $policy1.policyid + Add-FGTFirewallLocalInPolicy -intf $pester_port2 -srcaddr all -dstaddr all + } + + It "Get Policy Does not throw an error" { + { + Get-FGTFirewallLocalInPolicy + } | Should -Not -Throw + } + + It "Get ALL Policy" { + $policy = Get-FGTFirewallLocalInPolicy + $policy.count | Should -Not -Be $NULL + } + + It "Get ALL Policy with -skip" { + $policy = Get-FGTFirewallLocalInPolicy -skip + $policy.count | Should -Not -Be $NULL + } + + It "Get Policy -Schema" { + $schema = Get-FGTFirewallLocalInPolicy -schema + $schema | Should -Not -BeNullOrEmpty + $schema.name | Should -Be "local-in-policy" + $schema.category | Should -Not -BeNullOrEmpty + $schema.children | Should -Not -BeNullOrEmpty + $schema.mkey | Should -Be "policyid" + } + + It "Get Policy ($pester_policy1) and confirm (via Confirm-FGTFirewallLocalInPolicy)" { + $policy = Get-FGTFirewallLocalInPolicy -policyid $script:policyid1 + Confirm-FGTFirewallLocalInPolicy ($policy) | Should -Be $true + } + + It "Get Policy ($pester_policy1) and meta" { + $policy = Get-FGTFirewallLocalInPolicy -policyid $script:policyid1 -meta + $policy.policyid | Should -Be $script:policyid1 + $policy.q_ref | Should -Not -BeNullOrEmpty + $policy.q_static | Should -Not -BeNullOrEmpty + $policy.q_no_rename | Should -Not -BeNullOrEmpty + $policy.q_global_entry | Should -Not -BeNullOrEmpty + $policy.q_type | Should -Not -BeNullOrEmpty + $policy.q_path | Should -Be "firewall" + $policy.q_name | Should -Be "local-in-policy" + $policy.q_mkey_type | Should -Be "integer" + if ($DefaultFGTConnection.version -ge "6.2.0") { + 
$policy.q_no_edit | Should -Not -BeNullOrEmpty + } + #$policy.q_class | Should -Not -BeNullOrEmpty + } + + Context "Search" { + + + It "Search Policy by uuid ($script:uuid)" { + $policy = Get-FGTFirewallLocalInPolicy -uuid $script:uuid + @($policy).count | Should -be 1 + $policy.uuid | Should -Be $script:uuid + } + + It "Search Policy by policyid ($script:policyid1)" { + $policy = Get-FGTFirewallLocalInPolicy -policyid $script:policyid1 + @($policy).count | Should -be 1 + $policy.policyid | Should -Be $script:policyid1 + } + + } + + AfterAll { + Get-FGTFirewallLocalInPolicy -policyid $script:policyid1 | Remove-FGTFirewallLocalInPolicy -confirm:$false + Get-FGTFirewallLocalInPolicy -policyid $script:policyid2 | Remove-FGTFirewallLocalInPolicy -confirm:$false + } + +} + + +Describe "Add Firewall Local In Policy" { + + BeforeAll { + Add-FGTFirewallLocalInPolicy -policyid 44 -intf $pester_port2 -srcaddr all -dstaddr all + } + + AfterEach { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicy -confirm:$false + } + + It "Add Policy $pester_policy1 ($pester_port1 / $pester_port2 : All/All)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + Context "Multi Interface" { + + It "Add Policy $pester_policy1 (intf: $pester_port1, $pester_port3)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1, $pester_port3 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 
$p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + ($policy.intf.name).count | Should -be "2" + $policy.intf.name | Should -BeIn $pester_port1, $pester_port3 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + } + + Context "Multi Source / destination address" { + + BeforeAll { + Add-FGTFirewallAddress -Name $pester_address1 -ip 192.0.2.1 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address2 -ip 192.0.2.2 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address3 -ip 192.0.2.3 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address4 -ip 192.0.2.4 -mask 255.255.255.255 + } + + It "Add Policy $pester_policy1 (src addr: $pester_address1 and dst addr: all)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1 -dstaddr all + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + $policy.srcaddr.name | Should -Be $pester_address1 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (src addr: $pester_address1, $pester_address3 and dst addr: all)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1, $pester_address3 -dstaddr all + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + ($policy.srcaddr.name).count 
| Should -Be "2" + $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (src addr: all and dst addr: $pester_address2)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr $pester_address2 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be $pester_address2 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (src addr: all and dst addr: $pester_address2, $pester_address4)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr $pester_address2, $pester_address4 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + $policy.srcaddr.name | Should -Be "all" + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (src addr: $pester_address1, $pester_address3 and dst addr: $pester_address2, $pester_address4)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf 
$pester_port1 -srcaddr $pester_address1, $pester_address3 -dstaddr $pester_address2, $pester_address4 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + AfterAll { + Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address2 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address3 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address4 | Remove-FGTFirewallAddress -confirm:$false + } + + } + + It "Add Policy $pester_policy1 (with action deny)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -action deny + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "deny" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (status disable)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -status:$false + @($p).count | Should -Be "1" + $policy = 
Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "disable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (with 1 service : HTTP)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -service HTTP + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "HTTP" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (with 2 services : HTTP, HTTPS)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -service HTTP, HTTPS + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -BeIn "HTTP", "HTTPS" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + #Add Schedule ? 
need API + It "Add Policy $pester_policy1 (with schedule none)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -schedule none + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "All" + $policy.schedule | Should -Be "none" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add Policy $pester_policy1 (with comments)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -comments "Add via PowerFGT" + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "All" + $policy.schedule | Should -Be "always" + $policy.comments | Should -Be "Add via PowerFGT" + } + + It "Add Policy $pester_policy1 (with data (1 field))" { + $data = @{ "virtual-patch" = "enable" } + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -data $data + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "All" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + 
$policy.'virtual-patch' | Should -Be "enable" + } + + It "Add Policy $pester_policy1 (with data (2 fields))" { + $data = @{ "virtual-patch" = "enable" ; "comments" = "Add via PowerFGT and -data" } + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -data $data + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "All" + $policy.schedule | Should -Be "always" + $policy.comments | Should -Be "Add via PowerFGT and -data" + $policy.'virtual-patch' | Should -Be "enable" + } + + AfterAll { + Get-FGTFirewallPolicy -policyid 44 | Remove-FGTFirewallPolicy -confirm:$false + } +} + +Describe "Add Firewall Local In Policy Member" { + + BeforeAll { + #Create some Address object + Add-FGTFirewallAddress -Name $pester_address1 -ip 192.0.2.1 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address2 -ip 192.0.2.2 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address3 -ip 192.0.2.3 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address4 -ip 192.0.2.4 -mask 255.255.255.255 + } + + AfterEach { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicy -confirm:$false + } + + Context "Add Member(s) to Source Address" { + + It "Add 1 member to Policy Src Address $pester_address1 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn 
$pester_port1 + $policy.srcaddr.name | Should -Be $pester_address1 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Src Address $pester_address1, $pester_address3 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address3 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be $pester_address1, $pester_address3 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 1 member to Policy Src Address $pester_address3 (with $pester_address1 before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1 -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address3 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be $pester_address1, $pester_address3 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + 
$policy.comments | Should -BeNullOrEmpty + } + + } + + Context "Add Member(s) to Destination Address" { + + It "Add 1 member to Policy Dst Address $pester_address2 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address2 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "$pester_address2" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Dst Address $pester_address2, $pester_address4 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address2, $pester_address4 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + $policy.srcaddr.name | Should -Be "all" + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 1 member to Policy Dst Address $pester_address4 (with $pester_address2 before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr $pester_address2 + @($p).count | Should -Be "1" + 
Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address4 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + $policy.srcaddr.name | Should -Be "all" + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + } + + Context "Add Member(s) to Source and Destination Address" { + + It "Add 1 member to Policy src Address $pester_address1 dst Address $pester_address2 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1 -dstaddr $pester_address2 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + $policy.srcaddr.name | Should -Be "$pester_address1" + $policy.dstaddr.name | Should -Be "$pester_address2" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Src Address $pester_address1, $pester_address3 and Dst Address $pester_address2, $pester_address4 (with All before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address3 -dstaddr $pester_address2, $pester_address4 + $policy = 
Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 1 members to Policy Src Address $pester_address3 and Dst Address $pester_address4 (with $pester_address1/$pester_address2 before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1 -dstaddr $pester_address2 + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address3 -dstaddr $pester_address4 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + } + + Context "Add Member(s) to Interface" { + + It "Add 1 member to Policy Src Interface $pester_port1 (with any before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf any -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -intf $pester_port1 + $policy = Get-FGTFirewallLocalInPolicy 
-policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1 + ($policy.intf.name).count | Should -Be "1" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable"x + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 2 members to Policy Interface $pester_port1, $pester_port3 (with any before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf any -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -intf $pester_port3, $pester_port4 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port3, $pester_port4 + ($policy.intf.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable"x + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Add 1 member to Policy Interface $pester_port3 (with $pester_port1 before)" { + $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -intf $pester_port3 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -Be $pester_port1, $pester_port3 + ($policy.intf.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable"x + $policy.service.name | Should -Be "all" + 
$policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + } + + AfterAll { + Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address2 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address3 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address4 | Remove-FGTFirewallAddress -confirm:$false + } + +} +<# +Describe "Move Firewall Local In Policy" { + + BeforeEach { + $p1 = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -service SSH + $script:policyid1 = [int]$p1.policyid + $p2 = Add-FGTFirewallLocalInPolicy -policyid 44 -intf $pester_port1 -srcaddr all -dstaddr all -service HTTP + $script:policyid2 = [int]$p2.policyid + $p3 = Add-FGTFirewallLocalInPolicy -policyid 85 -intf $pester_port1 -srcaddr all -dstaddr all -service HTTPS + $script:policyid3 = [int]$p3.policyid + } + + AfterEach { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicy -confirm:$false + Get-FGTFirewallLocalInPolicy -policyid 44 | Remove-FGTFirewallLocalInPolicy -confirm:$false + Get-FGTFirewallLocalInPolicy -policyid 85 | Remove-FGTFirewallLocalInPolicy -confirm:$false + } + + Context "Move Policy Using id" { + + It "Move Policy SSH after HTTPS (using id)" { + Get-FGTFirewallLocalInPolicy -policyid 23 | Move-FGTFirewallLocalInPolicy -after -id $policyid3 + $policy = Get-FGTFirewallLocalInPolicy + $policy[0].policyid | Should -Be 44 + $policy[1].policyid | Should -Be 85 + $policy[2].policyid | Should -Be 23 + } + + It "Move Policy HTTPS before SSH (using id)" { + Get-FGTFirewallLocalInPolicy --policyid 85 | Move-FGTFirewallLocalInPolicy -before -id $policyid1 + $policy = Get-FGTFirewallLocalInPolicy + $policy[0].policyid | Should -Be 85 + $policy[1].policyid | Should -Be 23 + $policy[2].policyid | Should -Be 44 + } + } + + Context "Move Policy Using 
Firewall Local In Policy Object" { + + It "Move Policy HTTPS before SSH (using Firewall Local In Policy Object)" { + + Get-FGTFirewallLocalInPolicy -policyid 85 | Move-FGTFirewallLocalInPolicy -before -id (Get-FGTFirewallLocalInPolicy -policyid 23) + $policy = Get-FGTFirewallLocalInPolicy + $policy[0].policyid | Should -Be 85 + $policy[1].policyid | Should -Be 23 + $policy[2].policyid | Should -Be 44 + } + } +} +#> + +Describe "Configure Firewall Local In Policy" { + + BeforeAll { + $policy = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + $script:uuid = $policy.uuid + } + + Context "Multi Interface" { + + It "Set Policy $pester_policy1 (intf: $pester_port1, $pester_port3)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -intf $pester_port1, $pester_port3 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + + $policy.uuid | Should -Not -BeNullOrEmpty + ($policy.intf.name).count | Should -be "2" + $policy.intf.name | Should -BeIn $pester_port1, $pester_port3 + } + + } + + Context "Multi Source / Destination address" { + + BeforeAll { + Add-FGTFirewallAddress -Name $pester_address1 -ip 192.0.2.1 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address2 -ip 192.0.2.2 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address3 -ip 192.0.2.3 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address4 -ip 192.0.2.4 -mask 255.255.255.255 + } + + It "Set Policy $pester_policy1 (src addr: $pester_address1)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -srcaddr $pester_address1 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.srcaddr.name | Should -Be $pester_address1 + } + + It "Set Policy $pester_policy1 (src addr: $pester_address1, $pester_address3)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | 
Set-FGTFirewallLocalInPolicy -srcaddr $pester_address1, $pester_address3 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 + } + + It "Set Policy $pester_policy1 (dst addr: $pester_address2)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -dstaddr $pester_address2 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.dstaddr.name | Should -Be $pester_address2 + } + + It "Set Policy $pester_policy1 (dst addr: $pester_address2, $pester_address4)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -dstaddr $pester_address2, $pester_address4 + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 + } + + It "Set Policy $pester_policy1 (src addr: all and dst addr: all)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -srcaddr all -dstaddr all + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + ($policy.srcaddr.name).count | Should -Be "1" + $policy.srcaddr.name | Should -Be "all" + ($policy.dstaddr.name).count | Should -Be "1" + $policy.dstaddr.name | Should -Be "all" + } + + AfterAll { + Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address2 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address3 | Remove-FGTFirewallAddress -confirm:$false + Get-FGTFirewallAddress -name $pester_address4 | 
Remove-FGTFirewallAddress -confirm:$false + } + + } + + It "Set Policy $pester_policy1 (with action deny)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -action deny + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.action | Should -Be "deny" + } + + It "Set Policy $pester_policy1 (with action accept)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -action accept + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.action | Should -Be "accept" + } + + It "Set Policy $pester_policy1 (status disable)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -status:$false + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.status | Should -Be "disable" + } + + It "Set Policy $pester_policy1 (status enable)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -status + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.status | Should -Be "enable" + } + + It "Set Policy $pester_policy1 (with 1 service : HTTP)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -service HTTP + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.service.name | Should -Be "HTTP" + } + + It "Set Policy $pester_policy1 (with 2 services : SSH, HTTPS)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -service SSH, HTTPS + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.service.name | Should 
-BeIn "SSH", "HTTPS" + } + + It "Set Policy $pester_policy1 (with 1 service : ALL))" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -service ALL + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.service.name | Should -Be "all" + } + + #Add Schedule ? need API + It "Set Policy $pester_policy1 (with schedule none)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -schedule none + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.schedule | Should -Be "none" + } + + It "Set Policy $pester_policy1 (with schedule always)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -schedule always + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.schedule | Should -Be "always" + } + + It "Set Policy $pester_policy1 (with comments)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -comments "Modify via PowerFGT" + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.comments | Should -Be "Modify via PowerFGT" + } + + It "Set Policy $pester_policy1 (with comments: null)" { + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -comments "" + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.comments | Should -BeNullOrEmpty + } + + It "Set Policy $pester_policy1 (with data (1 field))" { + $data = @{ "virtual-patch" = "enable" } + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -data $data + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 
23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.'virtual-patch' | Should -Be "enable" + } + + It "Set Policy $pester_policy1 (with data (2 fields))" { + $data = @{ "virtual-patch" = "disable" ; "comments" = "Modify via PowerFGT and -data" } + $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -data $data + @($p).count | Should -Be "1" + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.comments | Should -Be "Modify via PowerFGT and -data" + $policy.'virtual-patch' | Should -Be "disable" + } + + AfterAll { + Get-FGTFirewallLocalInPolicy -uuid $script:uuid | Remove-FGTFirewallLocalInPolicy -confirm:$false + } + +} +Describe "Remove Firewall Local In Policy" { + + BeforeEach { + Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all + } + + It "Remove Policy $pester_policy1 by pipeline" { + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy | Remove-FGTFirewallLocalInPolicy -confirm:$false + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy | Should -Be $NULL + } + +} + +Describe "Remove Firewall Local In Policy Member" { + + BeforeAll { + #Create some Address object + Add-FGTFirewallAddress -Name $pester_address1 -ip 192.0.2.1 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address2 -ip 192.0.2.2 -mask 255.255.255.255 + Add-FGTFirewallAddress -Name $pester_address3 -ip 192.0.2.3 -mask 255.255.255.255 + } + + AfterEach { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicy -confirm:$false + } + + Context "Remove Member(s) to Source Address" { + BeforeEach { + Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1, $pester_address2, $pester_address3 -dstaddr all + } + + It "Remove 1 member to Policy Src Address $pester_address1 (with 3 members before)" { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -srcaddr 
$pester_address1 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + ($policy.srcaddr.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be $pester_address2, $pester_address3 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Remove 2 members to Policy Src Address $pester_address1, $pester_address2 (with 3 members before)" { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address2 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + $policy.srcaddr.name | Should -Be $pester_address3 + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Try Remove 3 members to Policy Src Address $pester_address1, $pester_address2, $pester_address3 (with 3 members before)" { + { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address2, $pester_address3 + } | Should -Throw "You can't remove all members. 
Use Set-FGTFirewallLocalInPolicy to remove Source Address" + } + + } + + Context "Remove Member(s) to Interface" { + BeforeEach { + Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1, $pester_port2, $pester_port3 -srcaddr all -dstaddr all + } + + It "Remove 1 member to Policy Interface $pester_port1 (with 3 members before)" { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -intf $pester_port1 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port2, $pester_port3 + ($policy.intf.name).count | Should -Be "2" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Remove 2 members to Policy Interface $pester_port1, $pester_port2 (with 3 members before)" { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -intf $pester_port1, $pester_port2 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port3 + ($policy.srcaddr.name).count | Should -Be "1" + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be "all" + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Try Remove 3 members to Address $pester_port1, $pester_port2, $pester_port3 (with 3 members before)" { + { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -intf $pester_port1, $pester_port2, $pester_port3 + } | Should -Throw "You can't remove all members. 
Use Set-FGTFirewallLocalInPolicy to remove interface" + } + + } + + Context "Remove Member(s) to Destination Address" { + BeforeEach { + Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr $pester_address1, $pester_address2, $pester_address3 + } + + It "Remove 1 member to Policy Dest Address $pester_address1 (with 3 members before)" { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -dstaddr $pester_address1 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + $policy.srcaddr.name | Should -Be "all" + ($policy.dstaddr.name).count | Should -Be "2" + $policy.dstaddr.name | Should -Be $pester_address2, $pester_address3 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Remove 2 members to Policy Dest Address $pester_address1, $pester_address2 (with 3 members before)" { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -dstaddr $pester_address1, $pester_address2 + $policy = Get-FGTFirewallLocalInPolicy -policyid 23 + $policy.uuid | Should -Not -BeNullOrEmpty + $policy.intf.name | Should -BeIn $pester_port1 + $policy.srcaddr.name | Should -Be "all" + $policy.dstaddr.name | Should -Be $pester_address3 + $policy.action | Should -Be "accept" + $policy.status | Should -Be "enable" + $policy.service.name | Should -Be "all" + $policy.schedule | Should -Be "always" + $policy.comments | Should -BeNullOrEmpty + } + + It "Try Remove 3 members to Policy Dest Address $pester_address1, $pester_address2, $pester_address3 (with 3 members before)" { + { + Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -dstaddr $pester_address1, $pester_address2, $pester_address3 + } | Should -Throw "You can't 
 remove all members. Use Set-FGTFirewallLocalInPolicy to remove Destination Address"
+ }
+
+ }
+
+ AfterAll {
+ Get-FGTFirewallAddress -name $pester_address1 | Remove-FGTFirewallAddress -confirm:$false
+ Get-FGTFirewallAddress -name $pester_address2 | Remove-FGTFirewallAddress -confirm:$false
+ Get-FGTFirewallAddress -name $pester_address3 | Remove-FGTFirewallAddress -confirm:$false
+ }
+
+}
+#>
+AfterAll {
+ Disconnect-FGT -confirm:$false
+}
\ No newline at end of file
From 6c03b6fa38cebbe6f8dc24eb436772c2bc05495d Mon Sep 17 00:00:00 2001
From: Alexis La Goutte
Date: Tue, 30 Dec 2025 17:12:05 +0100
Subject: [PATCH 05/11] LocalInPolicy: Fix before FortiOS 7.4.x, intf is only a string not an array and it is not possible to add multiple interface... update tests too
---
 .../Public/cmdb/firewall/local-in-policy.ps1 | 13 +-
 .../FirewallLocalInPolicy.Tests.ps1 | 197 +++++++++++++++---
 2 files changed, 176 insertions(+), 34 deletions(-)
diff --git a/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1 b/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1
index 2d512a68..79fbf14a 100644
--- a/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1
+++ b/PowerFGT/Public/cmdb/firewall/local-in-policy.ps1
@@ -93,9 +93,16 @@ function Add-FGTFirewallLocalInPolicy {
 $uri = "api/v2/cmdb/firewall/local-in-policy"
 
 # Interface
- $intf_array = @()
- foreach ($i in $intf) {
- $intf_array += @{ 'name' = $i }
+ #After 7.4.0, you can have multiple interface
+ if ($connection.version -ge "7.4.0") {
+ $intf_array = @()
+ foreach ($i in $intf) {
+ $intf_array += @{ 'name' = $i }
+ }
+ }
+ else {
+ #Add Warning ?
+ $intf_array = $intf
 }
 
 # Source address
diff --git a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 b/Tests/integration/FirewallLocalInPolicy.Tests.ps1
index 94a7db17..6eaa8c8e 100644
--- a/Tests/integration/FirewallLocalInPolicy.Tests.ps1
+++ b/Tests/integration/FirewallLocalInPolicy.Tests.ps1
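Review bot: The pre-7.4.0 branch assigns `$intf_array = $intf` without checking how many interfaces were passed, so a multi-interface call on older firmware sends an array where the API takes a single name, and the `#Add Warning ?` placeholder leaves that case undecided; a local-in policy controls traffic to the unit itself, so it is safer to refuse than to let the firewall guess which interface was meant. Replace the placeholder with `if (@($intf).count -gt 1) { Throw "Multiple interfaces require FortiOS 7.4.0 or later" }` before the assignment. The `-ge "7.4.0"` test is only a numeric version comparison if `$connection.version` is a [version]; if it is a plain string the comparison is lexical and would presumably misorder a two-digit minor number. Add-FGTFirewallLocalInPolicy's body starts and ends outside the hunk.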
@@ -107,7 +107,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -Be $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" @@ -117,7 +122,7 @@ Describe "Add Firewall Local In Policy" { $policy.comments | Should -BeNullOrEmpty } - Context "Multi Interface" { + Context "Multi Interface" -skip:($fgt_version -lt "7.4.0") { It "Add Policy $pester_policy1 (intf: $pester_port1, $pester_port3)" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1, $pester_port3 -srcaddr all -dstaddr all @@ -151,7 +156,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be $pester_address1 $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" @@ -166,7 +176,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } ($policy.srcaddr.name).count | Should -Be "2" $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 $policy.dstaddr.name | Should -Be "all" 
@@ -182,7 +197,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be $pester_address2 $policy.action | Should -Be "accept" @@ -197,7 +217,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" ($policy.dstaddr.name).count | Should -Be "2" $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 @@ -213,7 +238,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } ($policy.srcaddr.name).count | Should -Be "2" $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 ($policy.dstaddr.name).count | Should -Be "2" 
@@ -239,7 +269,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -Be $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "deny" @@ -254,7 +289,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -Be $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" @@ -269,7 +309,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -Be $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" 
@@ -284,7 +329,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -Be $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" @@ -300,7 +350,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -Be $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" @@ -315,7 +370,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -Be $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" 
@@ -331,7 +391,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -Be $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" @@ -348,7 +413,12 @@ Describe "Add Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -Be $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" @@ -386,7 +456,12 @@ Describe "Add Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be $pester_address1 $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" 
@@ -402,7 +477,12 @@ Describe "Add Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address3 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } ($policy.srcaddr.name).count | Should -Be "2" $policy.srcaddr.name | Should -Be $pester_address1, $pester_address3 $policy.dstaddr.name | Should -Be "all" @@ -419,7 +499,12 @@ Describe "Add Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address3 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } ($policy.srcaddr.name).count | Should -Be "2" $policy.srcaddr.name | Should -Be $pester_address1, $pester_address3 $policy.dstaddr.name | Should -Be "all" @@ -440,7 +525,12 @@ Describe "Add Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address2 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be "$pester_address2" $policy.action | Should -Be "accept" 
@@ -456,7 +546,12 @@ Describe "Add Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address2, $pester_address4 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" ($policy.dstaddr.name).count | Should -Be "2" $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 @@ -473,7 +568,12 @@ Describe "Add Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address4 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" ($policy.dstaddr.name).count | Should -Be "2" $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 @@ -493,7 +593,12 @@ Describe "Add Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1 -dstaddr $pester_address2 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "$pester_address1" $policy.dstaddr.name | Should -Be "$pester_address2" $policy.action | Should -Be "accept" 
@@ -509,7 +614,12 @@ Describe "Add Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address3 -dstaddr $pester_address2, $pester_address4 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } ($policy.srcaddr.name).count | Should -Be "2" $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 ($policy.dstaddr.name).count | Should -Be "2" @@ -527,7 +637,12 @@ Describe "Add Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address3 -dstaddr $pester_address4 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } ($policy.srcaddr.name).count | Should -Be "2" $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 ($policy.dstaddr.name).count | Should -Be "2" @@ -540,7 +655,7 @@ Describe "Add Firewall Local In Policy Member" { } } - Context "Add Member(s) to Interface" { + Context "Add Member(s) to Interface" -skip:($fgt_version -lt "7.4.0") { It "Add 1 member to Policy Src Interface $pester_port1 (with any before)" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf any -srcaddr all -dstaddr all 
@@ -661,7 +776,7 @@ Describe "Configure Firewall Local In Policy" { $script:uuid = $policy.uuid } - Context "Multi Interface" { + Context "Multi Interface" -skip:($fgt_version -lt "7.4.0") { It "Set Policy $pester_policy1 (intf: $pester_port1, $pester_port3)" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -intf $pester_port1, $pester_port3 @@ -888,7 +1003,12 @@ Describe "Remove Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } ($policy.srcaddr.name).count | Should -Be "2" $policy.srcaddr.name | Should -Be $pester_address2, $pester_address3 $policy.dstaddr.name | Should -Be "all" @@ -903,7 +1023,12 @@ Describe "Remove Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address2 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be $pester_address3 $policy.dstaddr.name | Should -Be "all" $policy.action | Should -Be "accept" @@ -921,7 +1046,7 @@ Describe "Remove Firewall Local In Policy Member" { } - Context "Remove Member(s) to Interface" { + Context "Remove Member(s) to Interface" -skip:($fgt_version -lt "7.4.0") { BeforeEach { Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1, $pester_port2, $pester_port3 -srcaddr all -dstaddr all } 
@@ -973,7 +1098,12 @@ Describe "Remove Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -dstaddr $pester_address1 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" ($policy.dstaddr.name).count | Should -Be "2" $policy.dstaddr.name | Should -Be $pester_address2, $pester_address3 @@ -988,7 +1118,12 @@ Describe "Remove Firewall Local In Policy Member" { Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -dstaddr $pester_address1, $pester_address2 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 $policy.uuid | Should -Not -BeNullOrEmpty - $policy.intf.name | Should -BeIn $pester_port1 + if ($DefaultFGTConnection.version -ge "7.4.0") { + $policy.intf.name | Should -Be $pester_port1 + } + else { + $policy.intf | Should -Be $pester_port1 + } $policy.srcaddr.name | Should -Be "all" $policy.dstaddr.name | Should -Be $pester_address3 $policy.action | Should -Be "accept" From 262698b7b0ed241718fb976bdb926faad6cb8d86 Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Tue, 30 Dec 2025 17:17:57 +0100 Subject: [PATCH 06/11] LocalInPolicy: No uuid before 6.4.x Update Tests --- PowerFGT/Private/Confirm.ps1 | 7 +- .../FirewallLocalInPolicy.Tests.ps1 | 211 +++++++++++++----- 2 files changed, 162 insertions(+), 56 deletions(-) diff --git a/PowerFGT/Private/Confirm.ps1 b/PowerFGT/Private/Confirm.ps1 index 9296584f..d5022cfb 100644 --- a/PowerFGT/Private/Confirm.ps1 +++ b/PowerFGT/Private/Confirm.ps1 
@@ -204,9 +204,10 @@ Function Confirm-FGTFirewallLocalInPolicy {
 if ( -not ( $argument | get-member -name policyid -Membertype Properties)) {
 throw "Element specified does not contain a policyid property."
 }
- if ( -not ( $argument | get-member -name uuid -Membertype Properties)) {
- throw "Element specified does not contain an uuid property."
- }
+ #No uuid before 6.4.x
+ #if ( -not ( $argument | get-member -name uuid -Membertype Properties)) {
+ # throw "Element specified does not contain an uuid property."
+ #}
 if ( -not ( $argument | get-member -name intf -Membertype Properties)) {
 throw "Element specified does not contain a intf property."
 }
diff --git a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 b/Tests/integration/FirewallLocalInPolicy.Tests.ps1
index 6eaa8c8e..34150d53 100644
--- a/Tests/integration/FirewallLocalInPolicy.Tests.ps1
+++ b/Tests/integration/FirewallLocalInPolicy.Tests.ps1
@@ -70,7 +70,7 @@ Describe "Get Firewall Local In Policy" {
 Context "Search" {
- It "Search Policy by uuid ($script:uuid)" {
+ It "Search Policy by uuid ($script:uuid)" -skip:($fgt_version -lt "6.4.0") {
 $policy = Get-FGTFirewallLocalInPolicy -uuid $script:uuid
 @($policy).count | Should -be 1
 $policy.uuid | Should -Be $script:uuid
@@ -106,7 +106,9 @@ Describe "Add Firewall Local In Policy" {
 $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all
 @($p).count | Should -Be "1"
 $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid
- $policy.uuid | Should -Not -BeNullOrEmpty
+ if ($DefaultFGTConnection.version -ge "6.4.0") {
+ $policy.uuid | Should -Not -BeNullOrEmpty
+ }
 if ($DefaultFGTConnection.version -ge "7.4.0") {
 $policy.intf.name | Should -Be $pester_port1
 }
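Review bot: The uuid check is kept as three commented-out lines rather than removed; Confirm-FGTFirewallLocalInPolicy only validates that properties exist, and pre-6.4 objects legitimately have no uuid, so the dead code cannot be re-enabled unconditionally and should be deleted, keeping only `#No uuid before 6.4.x, so the property is not checked`. If the intent is to still validate uuid on newer firmware, the function would need the connection version, which it does not receive. The function's body starts and ends outside the hunk.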
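Review bot: The new `-skip:($fgt_version -lt "6.4.0")` on the uuid search test uses `$fgt_version` while the uuid guards added in the `@@ -106,7 +106,9 @@` hunk and every later hunk use `$DefaultFGTConnection.version`; pick one source so the skip and the in-test guards cannot disagree. The guard `if ($DefaultFGTConnection.version -ge "6.4.0") { $policy.uuid | Should -Not -BeNullOrEmpty }` is repeated in each It; computing `$script:has_uuid` once in the Describe's BeforeAll and testing `if ($script:has_uuid)` would shorten every block. The `@@ -288,7 +304,10 @@` hunk also adds a stray blank line between the uuid guard's closing brace and the 7.4.0 check, unlike its siblings. Each It's body starts outside its hunk.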
@@ -128,7 +130,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1, $pester_port3 -srcaddr all -dstaddr all @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } ($policy.intf.name).count | Should -be "2" $policy.intf.name | Should -BeIn $pester_port1, $pester_port3 $policy.srcaddr.name | Should -Be "all" @@ -155,7 +159,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1 -dstaddr all @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -175,7 +181,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1, $pester_address3 -dstaddr all @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } 
@@ -196,7 +204,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr $pester_address2 @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -216,7 +226,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr $pester_address2, $pester_address4 @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -237,7 +249,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr $pester_address1, $pester_address3 -dstaddr $pester_address2, $pester_address4 @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } 
@@ -268,7 +282,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -action deny @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -288,7 +304,10 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -status:$false @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } + if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -308,7 +327,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -service HTTP @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } 
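Review bot: A stray empty added line sits between the new uuid guard and the `if ($DefaultFGTConnection.version -ge "7.4.0")` check in the `-status:$false` test; this hunk is +10 where its sibling hunks are +9. Drop the blank line so the block reads like the other tests in the file.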
@@ -328,7 +349,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -service HTTP, HTTPS @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -349,7 +372,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -schedule none @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -369,7 +394,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -comments "Add via PowerFGT" @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } 
@@ -390,7 +417,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -data $data @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -412,7 +441,9 @@ Describe "Add Firewall Local In Policy" { $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -data $data @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -455,7 +486,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -476,7 +509,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address3 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } 
@@ -498,7 +533,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address3 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -524,7 +561,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address2 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -545,7 +584,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address2, $pester_address4 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -567,7 +608,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -dstaddr $pester_address4 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } 
@@ -592,7 +635,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1 -dstaddr $pester_address2 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -613,7 +658,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address3 -dstaddr $pester_address2, $pester_address4 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -636,7 +683,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -srcaddr $pester_address3 -dstaddr $pester_address4 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } 
@@ -662,7 +711,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -intf $pester_port1 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.intf.name | Should -Be $pester_port1 ($policy.intf.name).count | Should -Be "1" $policy.srcaddr.name | Should -Be "all" @@ -679,7 +730,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -intf $pester_port3, $pester_port4 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.intf.name | Should -Be $pester_port3, $pester_port4 ($policy.intf.name).count | Should -Be "2" $policy.srcaddr.name | Should -Be "all" @@ -696,7 +749,9 @@ Describe "Add Firewall Local In Policy Member" { @($p).count | Should -Be "1" Get-FGTFirewallLocalInPolicy -policyid 23 | Add-FGTFirewallLocalInPolicyMember -intf $pester_port3 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.intf.name | Should -Be $pester_port1, $pester_port3 ($policy.intf.name).count | Should -Be "2" $policy.srcaddr.name | Should -Be "all" 
@@ -783,7 +838,9 @@ Describe "Configure Firewall Local In Policy" { @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } ($policy.intf.name).count | Should -be "2" $policy.intf.name | Should -BeIn $pester_port1, $pester_port3 } @@ -803,7 +860,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -srcaddr $pester_address1 @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.srcaddr.name | Should -Be $pester_address1 } @@ -811,7 +870,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -srcaddr $pester_address1, $pester_address3 @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } ($policy.srcaddr.name).count | Should -Be "2" $policy.srcaddr.name | Should -BeIn $pester_address1, $pester_address3 } @@ -820,7 +881,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -dstaddr $pester_address2 @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.dstaddr.name | Should -Be $pester_address2 } 
@@ -828,7 +891,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -dstaddr $pester_address2, $pester_address4 @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } ($policy.dstaddr.name).count | Should -Be "2" $policy.dstaddr.name | Should -BeIn $pester_address2, $pester_address4 } @@ -837,7 +902,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -srcaddr all -dstaddr all @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } ($policy.srcaddr.name).count | Should -Be "1" $policy.srcaddr.name | Should -Be "all" ($policy.dstaddr.name).count | Should -Be "1" @@ -857,7 +924,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -action deny @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.action | Should -Be "deny" } @@ -865,7 +934,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -action accept @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.action | Should -Be "accept" } 
@@ -873,7 +944,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -status:$false @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.status | Should -Be "disable" } @@ -881,7 +954,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -status @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.status | Should -Be "enable" } @@ -889,7 +964,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -service HTTP @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.service.name | Should -Be "HTTP" } @@ -897,7 +974,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -service SSH, HTTPS @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.service.name | Should -BeIn "SSH", "HTTPS" } 
@@ -905,7 +984,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -service ALL @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.service.name | Should -Be "all" } @@ -914,7 +995,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -schedule none @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.schedule | Should -Be "none" } @@ -922,7 +1005,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -schedule always @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.schedule | Should -Be "always" } @@ -930,7 +1015,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -comments "Modify via PowerFGT" @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.comments | Should -Be "Modify via PowerFGT" } 
@@ -938,7 +1025,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -comments "" @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.comments | Should -BeNullOrEmpty } @@ -947,7 +1036,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -data $data @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.'virtual-patch' | Should -Be "enable" } @@ -956,7 +1047,9 @@ Describe "Configure Firewall Local In Policy" { $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -data $data @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.comments | Should -Be "Modify via PowerFGT and -data" $policy.'virtual-patch' | Should -Be "disable" } @@ -1002,7 +1095,9 @@ Describe "Remove Firewall Local In Policy Member" { It "Remove 1 member to Policy Src Address $pester_address1 (with 3 members before)" { Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } 
@@ -1022,7 +1117,9 @@ Describe "Remove Firewall Local In Policy Member" { It "Remove 2 members to Policy Src Address $pester_address1, $pester_address2 (with 3 members before)" { Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -srcaddr $pester_address1, $pester_address2 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -1054,7 +1151,9 @@ Describe "Remove Firewall Local In Policy Member" { It "Remove 1 member to Policy Interface $pester_port1 (with 3 members before)" { Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -intf $pester_port1 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.intf.name | Should -BeIn $pester_port2, $pester_port3 ($policy.intf.name).count | Should -Be "2" $policy.srcaddr.name | Should -Be "all" @@ -1069,7 +1168,9 @@ Describe "Remove Firewall Local In Policy Member" { It "Remove 2 members to Policy Interface $pester_port1, $pester_port2 (with 3 members before)" { Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -intf $pester_port1, $pester_port2 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } $policy.intf.name | Should -BeIn $pester_port3 ($policy.srcaddr.name).count | Should -Be "1" $policy.srcaddr.name | Should -Be "all" 
@@ -1097,7 +1198,9 @@ Describe "Remove Firewall Local In Policy Member" { It "Remove 1 member to Policy Dest Address $pester_address1 (with 3 members before)" { Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -dstaddr $pester_address1 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } @@ -1117,7 +1220,9 @@ Describe "Remove Firewall Local In Policy Member" { It "Remove 2 members to Policy Dest Address $pester_address1, $pester_address2 (with 3 members before)" { Get-FGTFirewallLocalInPolicy -policyid 23 | Remove-FGTFirewallLocalInPolicyMember -dstaddr $pester_address1, $pester_address2 $policy = Get-FGTFirewallLocalInPolicy -policyid 23 - $policy.uuid | Should -Not -BeNullOrEmpty + if ($DefaultFGTConnection.version -ge "6.4.0") { + $policy.uuid | Should -Not -BeNullOrEmpty + } if ($DefaultFGTConnection.version -ge "7.4.0") { $policy.intf.name | Should -Be $pester_port1 } From bed3d68a4b8220e0e393546e4cab34f938cb2307 Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Wed, 31 Dec 2025 10:01:13 +0100 Subject: [PATCH 07/11] LocalInPolicy: Use service-negate for data filter it is available on FortiOS 7.0 (but not yet on 6.x...) --- .../integration/FirewallLocalInPolicy.Tests.ps1 | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 b/Tests/integration/FirewallLocalInPolicy.Tests.ps1 index 34150d53..8e454e18 100644 --- a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 +++ b/Tests/integration/FirewallLocalInPolicy.Tests.ps1 
@@ -413,7 +413,7 @@ Describe "Add Firewall Local In Policy" { } It "Add Policy $pester_policy1 (with data (1 field))" { - $data = @{ "virtual-patch" = "enable" } + $data = @{ "service-negate" = "enable" } $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -data $data @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid @@ -433,11 +433,11 @@ Describe "Add Firewall Local In Policy" { $policy.service.name | Should -Be "All" $policy.schedule | Should -Be "always" $policy.comments | Should -BeNullOrEmpty - $policy.'virtual-patch' | Should -Be "enable" + $policy.'service-negate' | Should -Be "enable" } It "Add Policy $pester_policy1 (with data (2 fields))" { - $data = @{ "virtual-patch" = "enable" ; "comments" = "Add via PowerFGT and -data" } + $data = @{ "service-negate" = "enable" ; "comments" = "Add via PowerFGT and -data" } $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -data $data @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid $p.policyid @@ -457,7 +457,7 @@ Describe "Add Firewall Local In Policy" { $policy.service.name | Should -Be "All" $policy.schedule | Should -Be "always" $policy.comments | Should -Be "Add via PowerFGT and -data" - $policy.'virtual-patch' | Should -Be "enable" + $policy.'service-negate' | Should -Be "enable" } AfterAll { 
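Review bot: Swapping the `-data` fixture from `virtual-patch` to `service-negate` removes the only assertion on `virtual-patch`, so that option of Add-FGTFirewallLocalInPolicy is no longer exercised on the releases that do support it. Keep a version-gated copy instead of deleting it, e.g. `It "Add Policy $pester_policy1 (with data virtual-patch)" -skip:($fgt_version -lt "7.4.0") { $data = @{ "virtual-patch" = "enable" } ... }` with the same assertions, confirming the right floor release since the original test asserted it unconditionally. Note too that with the policy's default service `ALL`, enabling `service-negate` presumably makes the fixture match no traffic at all, which is harmless for a throwaway object but deserves a one-line comment so it is not copied as an example. The test's remaining assertions are in the following hunks.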
@@ -1032,18 +1032,18 @@ Describe "Configure Firewall Local In Policy" { } It "Set Policy $pester_policy1 (with data (1 field))" { - $data = @{ "virtual-patch" = "enable" } + $data = @{ "service-negate" = "enable" } $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -data $data @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 if ($DefaultFGTConnection.version -ge "6.4.0") { $policy.uuid | Should -Not -BeNullOrEmpty } - $policy.'virtual-patch' | Should -Be "enable" + $policy.'service-negate' | Should -Be "enable" } It "Set Policy $pester_policy1 (with data (2 fields))" { - $data = @{ "virtual-patch" = "disable" ; "comments" = "Modify via PowerFGT and -data" } + $data = @{ "service-negate" = "disable" ; "comments" = "Modify via PowerFGT and -data" } $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -data $data @($p).count | Should -Be "1" $policy = Get-FGTFirewallLocalInPolicy -policyid 23 @@ -1051,7 +1051,7 @@ Describe "Configure Firewall Local In Policy" { $policy.uuid | Should -Not -BeNullOrEmpty } $policy.comments | Should -Be "Modify via PowerFGT and -data" - $policy.'virtual-patch' | Should -Be "disable" + $policy.'service-negate' | Should -Be "disable" } AfterAll { From b82578e49c7a8d1c82e162321c30366e2c79bd87 Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Wed, 31 Dec 2025 10:12:27 +0100 Subject: [PATCH 08/11] LocalInPolicy: Fix -data tests with old FortiOS 6.x don't support virtual-patch or service-negate... --- Tests/integration/FirewallLocalInPolicy.Tests.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 b/Tests/integration/FirewallLocalInPolicy.Tests.ps1 index 8e454e18..87b8bd58 100644 --- a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 +++ b/Tests/integration/FirewallLocalInPolicy.Tests.ps1 
@@ -412,7 +412,7 @@ Describe "Add Firewall Local In Policy" { $policy.comments | Should -Be "Add via PowerFGT" } - It "Add Policy $pester_policy1 (with data (1 field))" { + It "Add Policy $pester_policy1 (with data (1 field))" -skip:($fgt_version -lt "7.0.0") { $data = @{ "service-negate" = "enable" } $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -data $data @($p).count | Should -Be "1" @@ -436,7 +436,7 @@ Describe "Add Firewall Local In Policy" { $policy.'service-negate' | Should -Be "enable" } - It "Add Policy $pester_policy1 (with data (2 fields))" { + It "Add Policy $pester_policy1 (with data (2 fields))" -skip:($fgt_version -lt "7.0.0") { $data = @{ "service-negate" = "enable" ; "comments" = "Add via PowerFGT and -data" } $p = Add-FGTFirewallLocalInPolicy -policyid 23 -intf $pester_port1 -srcaddr all -dstaddr all -data $data @($p).count | Should -Be "1" @@ -1031,7 +1031,7 @@ Describe "Configure Firewall Local In Policy" { $policy.comments | Should -BeNullOrEmpty } - It "Set Policy $pester_policy1 (with data (1 field))" { + It "Set Policy $pester_policy1 (with data (1 field))" -skip:($fgt_version -lt "7.0.0") { $data = @{ "service-negate" = "enable" } $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -data $data @($p).count | Should -Be "1" @@ -1042,7 +1042,7 @@ Describe "Configure Firewall Local In Policy" { $policy.'service-negate' | Should -Be "enable" } - It "Set Policy $pester_policy1 (with data (2 fields))" { + It "Set Policy $pester_policy1 (with data (2 fields))" -skip:($fgt_version -lt "7.0.0") { $data = @{ "service-negate" = "disable" ; "comments" = "Modify via PowerFGT and -data" } $p = Get-FGTFirewallLocalInPolicy -policyid 23 | Set-FGTFirewallLocalInPolicy -data $data @($p).count | Should -Be "1" From 9fe5fc9830d2ba8c928c571bb6b022a3925472c2 Mon Sep 17 00:00:00 2001 
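Review bot: The four new `-skip:($fgt_version -lt "7.0.0")` conditions repeat the same literal threshold across the `-data` tests of both Describes, so a later bump has to find every copy. Name it once near the top of the file, e.g. `$script:skip_data = $fgt_version -lt "7.0.0"`, and use `-skip:$script:skip_data` on each It. A comment stating which fields (service-negate, virtual-patch) the threshold stands for, as the commit message does, would keep the reason with the code.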
From: Alexis La Goutte Date: Wed, 31 Dec 2025 10:45:39 +0100 Subject: [PATCH 09/11] README.md: Add note about Local In Policy and also list of new cmdlet ! --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index b6b74846..2870cf6d 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ With this module (version 0.9.1) you can manage: - [Monitor](#monitor) (Get) - [Policy](#policy) (Add/Get/Remove) - [Proxy Address/Address Group/ Policy](#proxy) (Add/Get/Set/Remove) +- [Local In Policy](#local-in-poloicy) (Add/Get/Copy/Set/Remove and Add/Remove Member) - [Router BGP](#bgp) (Get/Set) - [Router OSPF](#ospf) (Get/Set) - RoutePolicy (Get) @@ -2221,6 +2222,14 @@ There is also cmdlet for Proxy For Proxy Policy, it is possible to specific explict proxy or transparent For FortiGate 6.0.x, you need to enable proxy mode before (and enable feature) +### Local In Policy + +There is also cmdlet for Local in Policy + +You can create a new Local In Policy `Add-FGTFirewallLocalInPolicy`, retrieve its information `Get-FGTFirewallLocalInPolicy` +Add member to source or destinationn address `Add-FGTFirewallLocalInPolicyMember` and remove member `Add-FGTFirewallLocalInPolicyMember`, +set it `Set-FGTFirewallLocalInPolicy` or delete it `Remove-FGTFirewalLocalInPolicy`. + ### Connecting with API Token If you have a REST API administrator account setup, you can connect with the API @@ -2358,6 +2367,8 @@ Currently, [@alagoutte](#author) started this project and will keep maintaining Add-FGTFirewallAddress Add-FGTFirewallAddressGroup Add-FGTFirewallAddressGroupMember +Add-FGTFirewallLocalInPolicy +Add-FGTFirewallLocalInPolicyMember Add-FGTFirewallPolicy Add-FGTFirewallPolicyMember Add-FGTFirewallProxyAddress 
@@ -2385,6 +2396,7 @@ Add-FGTVpnIpsecPhase1Interface Add-FGTVpnIpsecPhase2Interface Confirm-FGTAddress Confirm-FGTAddressGroup +Confirm-FGTFirewallLocalInPolicy Confirm-FGTFirewallPolicy Confirm-FGTFirewallProxyPolicy Confirm-FGTInterface @@ -2421,6 +2433,7 @@ Get-FGTFirewallAddress Get-FGTFirewallAddressGroup Get-FGTFirewallInternetServiceName Get-FGTFirewallIPPool +Get-FGTFirewallLocalInPolicy Get-FGTFirewallPolicy Get-FGTFirewallProxyAddress Get-FGTFirewallProxyAddressGroup @@ -2507,10 +2520,13 @@ Get-FGTWirelessWTP Get-FGTWirelessWTPGroup Get-FGTWirelessWTPProfile Invoke-FGTRestMethod +Move-FGTFirewallLocalInPolicy Move-FGTFirewallPolicy Remove-FGTFirewallAddress Remove-FGTFirewallAddressGroup Remove-FGTFirewallAddressGroupMember +Remove-FGTFirewallLocalInPolicy +Remove-FGTFirewallLocalInPolicyMember Remove-FGTFirewallPolicy Remove-FGTFirewallPolicyMember Remove-FGTFirewallProxyAddress @@ -2540,6 +2556,7 @@ Set-FGTCipherSSL Set-FGTConnection Set-FGTFirewallAddress Set-FGTFirewallAddressGroup +Set-FGTFirewallLocalInPolicy Set-FGTFirewallPolicy Set-FGTFirewallProxyAddressGroup Set-FGTFirewallServiceCustom From b055fe75c038d311384b2081e23c1cbc728412da Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Wed, 31 Dec 2025 10:51:49 +0100 Subject: [PATCH 10/11] LocalInPolicy(Tests): Fix typo about AfterAll for Policy --- Tests/integration/FirewallLocalInPolicy.Tests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 b/Tests/integration/FirewallLocalInPolicy.Tests.ps1 index 87b8bd58..63ec378e 100644 --- a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 +++ b/Tests/integration/FirewallLocalInPolicy.Tests.ps1 @@ -461,7 +461,7 @@ Describe "Add Firewall Local In Policy" { } AfterAll { - Get-FGTFirewallPolicy -policyid 44 | Remove-FGTFirewallPolicy -confirm:$false + Get-FGTFirewallLocalInPolicy -policyid 44 | Remove-FGTFirewallLocalInPolicy -confirm:$false } } 
From 271b5249d50a9487f0214f6bed8553034939c28a Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Wed, 31 Dec 2025 10:56:11 +0100 Subject: [PATCH 11/11] LocalInPolicy(Tests): Fix typo on Move (extra -) and enable test --- Tests/integration/FirewallLocalInPolicy.Tests.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 b/Tests/integration/FirewallLocalInPolicy.Tests.ps1 index 63ec378e..009c91eb 100644 --- a/Tests/integration/FirewallLocalInPolicy.Tests.ps1 +++ b/Tests/integration/FirewallLocalInPolicy.Tests.ps1 @@ -773,7 +773,7 @@ Describe "Add Firewall Local In Policy Member" { } } -<# + Describe "Move Firewall Local In Policy" { BeforeEach { @@ -802,7 +802,7 @@ Describe "Move Firewall Local In Policy" { } It "Move Policy HTTPS before SSH (using id)" { - Get-FGTFirewallLocalInPolicy --policyid 85 | Move-FGTFirewallLocalInPolicy -before -id $policyid1 + Get-FGTFirewallLocalInPolicy -policyid 85 | Move-FGTFirewallLocalInPolicy -before -id $policyid1 $policy = Get-FGTFirewallLocalInPolicy $policy[0].policyid | Should -Be 85 $policy[1].policyid | Should -Be 23 @@ -822,7 +822,7 @@ Describe "Move Firewall Local In Policy" { } } } -#> + Describe "Configure Firewall Local In Policy" {
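Review bot: The re-enabled assertions `$policy[0].policyid | Should -Be 85` and `$policy[1].policyid | Should -Be 23` index the unfiltered result of `Get-FGTFirewallLocalInPolicy`, which appears to return every local-in policy on the device, so the test will fail on a FortiGate that already carries policies from outside this fixture. Comparing the positions of the two ids instead, e.g. `$policy.policyid.IndexOf(85) | Should -BeLessThan $policy.policyid.IndexOf(23)`, pins the intended ordering without assuming an otherwise empty table. Replacing `<#` and `#>` with added blank lines also seems to leave doubled blank lines around the Describe; dropping the added lines keeps the file's spacing consistent. The Describe "Move Firewall Local In Policy" block starts and ends outside the hunk that fixes `-policyid 85`.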
