firewall

Firewall object types

ADDRESS_GROUP_CATEGORY module-attribute

ADDRESS_GROUP_CATEGORY = Literal['default', 'ztna-ems-tag', 'ztna-geo-tag']

ADDRESS_GROUP_TYPE module-attribute

ADDRESS_GROUP_TYPE = Literal['default', 'array', 'folder']

ADDRESS_TYPE module-attribute

ADDRESS_TYPE = Literal['ipmask', 'iprange', 'fqdn', 'wildcard', 'geography', 'url', 'wildcard-fqdn', 'nsx', 'aws', 'dynamic', 'interface-subnet', 'mac', 'fqdn-group']

ALLOW_ROUTING module-attribute

ALLOW_ROUTING = Literal['disable', 'enable']

CLEARPASS_SPT module-attribute

CLEARPASS_SPT = Literal['unknown', 'healthy', 'quarantine', 'checkup', 'transition', 'infected', 'transient']

DIRTY module-attribute

DIRTY = Literal['dirty', 'clean']

FABRIC_OBJECT module-attribute

FABRIC_OBJECT = Literal['disable', 'enable']

NODE_IP_ONLY module-attribute

NODE_IP_ONLY = Literal['disable', 'enable']

OBJ_TYPE module-attribute

OBJ_TYPE = Literal['ip', 'mac']

SDN_ADDR_TYPE module-attribute

SDN_ADDR_TYPE = Literal['private', 'public', 'all']

SUB_TYPE module-attribute

SUB_TYPE = Literal['sdn', 'clearpass-spt', 'fsso', 'ems-tag', 'swc-tag', 'fortivoice-tag', 'fortinac-tag', 'fortipolicy-tag']

Address

Bases: FMGObject

Address class for high-level operations

Attributes:

Name Type Description
name str

object name

allow_routing str

Defines whether the use of this address in the static route configuration is enabled or disabled, with possible values being 'disable' or 'enable'.

associated_interface str | list[str]

object assigned to interface/zone name

subnet str | list[str]

subnet in x.x.x.x/x or [x.x.x.x, y.y.y.y] format

cache_ttl int

Defines the minimal TTL (Time To Live) of individual IP addresses in FQDN cache measured in seconds.

clearpass_spt str

Represents the SPT (System Posture Token) value, indicating system status. Possible values include 'healthy', 'quarantine', 'transition', etc.

color int

color code for the address object icon on the GUI.

comment str

comment for the address object.

country str

IP addresses associated to a specific country.

dirty str

Indicates whether the address is to be deleted; possible values 'dirty' or 'clean'.

end_ip str

The final IP address (inclusive) in the range for the address.

epg_name str

endpoint group name.

fabric_object str

Indicates the Security Fabric global object setting, with possible values being 'disable' or 'enable'.

filter str

Match criteria filter.

fqdn str

Fully Qualified Domain Name address.

fsso_group List[str]

A list of FSSO group(s).

interface str

Name of interface whose IP address is to be used.

list List[AddressList]

List (TODO: figure out, docs don't help)

macaddr List[str]

Multiple MAC address ranges.

node_ip_only str

Defines whether only the collection of node addresses in Kubernetes is enabled or disabled. Possible values are 'disable' or 'enable'.

obj_id str

Object ID for NSX.

obj_tag str

Tag of dynamic address object.

obj_type str

type of the object (IP, MAC)

organization str

Organization domain name (Syntax: organization/domain).

policy_group str

policy group name.

sdn str

SDN.

sdn_addr_type str

Type of addresses to collect.

sdn_tag str

SDN tag.

start_ip str

First IP address (inclusive) in the range for the address.

sub_type str

Indicates the sub-type of address. Possible values include 'sdn', 'clearpass-spt', 'fsso', etc.

subnet_name str

Subnet name.

tag_detection_level str

Tag detection level of dynamic address object.

tag_type str

Tag type of dynamic address object.

tagging List[AddressTagging]

tagging details for this address.

tenant str

tenant related to this address.

type str

Indicates the type of address. Possible values include 'ipmask', 'iprange', 'fqdn', etc.

uuid str

Contains the Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

wildcard str

This is the IP address and wildcard netmask.

wildcard_fqdn str

Contains a Fully Qualified Domain Name with wildcard characters.

global_object int

global object related to this address.

mapping__scope List[dict, Scope]

the mapping scope for this address.

standardize_assoc_iface

standardize_assoc_iface(v)

validator: FMG sends a list with a single element, replace with single element

Source code in pyfortinet/fmg_api/firewall.py
@field_validator("associated_interface")
def standardize_assoc_iface(cls, v):
    """validator: FMG sends a list with a single element, replace with single element"""
    if isinstance(v, list):
        return first(v, None)
    else:
        return v

standardize_subnet

standardize_subnet(v)

validator: x.x.x.x/y.y.y.y -> x.x.x.x/y

The API uses this list form: ["1.2.3.4", "255.255.255.0"]

Humans use this form: "1.2.3.4/24"

Source code in pyfortinet/fmg_api/firewall.py
@field_validator("subnet")
def standardize_subnet(cls, v):
    """validator: x.x.x.x/y.y.y.y -> x.x.x.x/y

    API use this list form: ["1.2.3.4", "255.255.255.0"]
    Human use this form: "1.2.3.4/24"
    """
    if isinstance(v, list):
        return IPv4Interface("/".join(v)).compressed
    else:
        return IPv4Interface(v).compressed

validate_wildcard

validate_wildcard(v) -> str

Ensure wildcard address definition is correct (x.x.x.x y.y.y.y)

Source code in pyfortinet/fmg_api/firewall.py
@field_validator("wildcard", mode="before")
def validate_wildcard(cls, v) -> str:
    """Ensure wildcard address definition is correct (x.x.x.x y.y.y.y)"""
    if isinstance(v, list):
        return " ".join(IPv4Address(part).compressed for part in v)
    else:  # string
        return " ".join(IPv4Address(part).compressed for part in v.split())
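
Added example (not part of pyfortinet): the normalization done by standardize_subnet and validate_wildcard above, reproduced with only the standard-library ipaddress module so the edge cases can be run directly. The function names and sample inputs are constructed for illustration, and strict_wildcard is a hypothetical stricter variant that rejects input without exactly two parts.

```python
from ipaddress import IPv4Address, IPv4Interface

def normalize_subnet(v):
    """Same logic as standardize_subnet on this page, minus pydantic."""
    if isinstance(v, list):
        v = "/".join(v)
    return IPv4Interface(v).compressed

def normalize_wildcard(v):
    """Same logic as validate_wildcard on this page, minus pydantic."""
    parts = v if isinstance(v, list) else v.split()
    return " ".join(IPv4Address(p).compressed for p in parts)

def strict_wildcard(v):
    """Hypothetical stricter variant: exactly one address and one mask."""
    parts = v if isinstance(v, list) else v.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'address mask', got {len(parts)} part(s)")
    return " ".join(IPv4Address(p).compressed for p in parts)

def outcome(fn, value):
    """Return the normalized value, or the exception class name if rejected."""
    try:
        return fn(value)
    except ValueError as exc:  # AddressValueError and NetmaskValueError subclass it
        return type(exc).__name__

# Constructed sample inputs (not taken from a real FortiManager).
SAMPLES = [
    (normalize_subnet, ["1.2.3.4", "255.255.255.0"]),  # API list form
    (normalize_subnet, "10.0.0.1"),                    # no mask: becomes a /32 host
    (normalize_subnet, ["10.0.0.0", "0.0.0.255"]),     # host mask is read as /24
    (normalize_subnet, ["10.0.0.0", "255.0.255.0"]),   # non-contiguous mask: rejected
    (normalize_wildcard, "10.0.0.0 0.0.255.255"),      # address + wildcard mask
    (normalize_wildcard, "10.0.0.1"),                  # mask missing, still accepted
    (strict_wildcard, "10.0.0.1"),                     # mask missing: rejected
    (normalize_wildcard, "10.0.0.300 0.0.0.255"),      # bad octet: rejected
]

if __name__ == "__main__":
    for fn, value in SAMPLES:
        print(f"{fn.__name__}({value!r}) -> {outcome(fn, value)!r}")
```

When reviewing address objects that feed firewall policy, the two cases worth checking are a subnet given without a mask (it becomes a single /32 host) and a subnet given with a host mask (it is interpreted as the equivalent prefix length).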

AddressGroup

Bases: FMGObject