
FortiManager Import Module using API - top level issue

Open tpurschke opened this issue 4 years ago • 1 comments

using this as an introduction to importer modules for everyone

we may use ansible galaxy collection as a guideline: https://galaxy.ansible.com/fortinet/fortimanager; https://github.com/fortinet-ansible-dev/ansible-galaxy-fortimanager-collection/tree/galaxy/2.1.4

Objects

  • [x] #1216
  • [x] get service objects (applications)
  • [x] write ipv4 objects to FWO via API
  • [x] write ipv6 objects to FWO via API #1204
  • [x] #1217
  • [x] #1233
  • [x] object writing to FWO API: service groups
  • [x] there might be more than one (nw) object with the same name (e.g. "all" for 0.0.0.0/0 and ::/0) but different uids causing get_active_rules_with_broken_refs_per_mgm to throw errors (fail 4)
  • [x] deal with systems with 0 NAT rules!
  • [x] test with real life configs as early as possible
  • [x] write NAT objects to FWO via API (if not already covered)
  • [x] #1524
  • [x] #1394

Access Rules

  • [x] get access rules (v4, v6, local, global)
  • [x] rule writing to FWO API: access rules
  • [x] rule writing: Zone information: leads to access rules with zone info not being imported ERRORS: [{'import_errors': 'ERR-ImpMain@get_active_rules_with_broken_refs_per_mgm;mgmt 4, dev 4, fail 7 (dst object not found in object table): fe590116-41f7-51ec-a5ef-0172b19c7682; '}]
  • [x] normalize Nat rules (to CP representation?)
  • [x] #1400
  • [x] #1424
    1. ipv6: global header / local / global footer rules
    2. ipv4: global header / local / global footer rules
  • [ ] add header (rules) for per zone pair (allow to hide header rules as well?) --> @alf-cactus
  • [ ] later: parse source user(group)
  • [x] later: parse schedule

Current issues with rules:

  • [x] one access rule sometimes shows before first header
  • [x] #1441
  • [x] fortimanager device itself is displayed in RSB (need to change query)
  • [x] not all rulebases are found
  • [x] some ADOMs have import errors (refhandler main)
  • [ ] #1519
  • [x] autodiscovery keeps adding gateways
  • [x] autodiscovery creates empty ADOM FortiNAC
  • [x] remove FortiManager (MDM) from legacy import
  • [x] #1440
  • [x] #1439
  • [x] add parameters for legacy importer to tell it which device types to import
  • [x] #1449

NAT Rules

  • [x] get NAT rules: fmgr_pkg_firewall_centralsnatmap (Configure central SNAT policies.)
  • [x] rule writing to FWO API: NAT rules
  • [x] decide on necessity to get interface vips & ip pools for NAT
  • [x] #1419
  • [x] #1396
  • [x] #1523
  • [x] #1418
  • [x] #1407
  • [x] difference api call snat/dnat & dual use rules (access/nat) in UI - are there specific nat-only rules: simply add every nat type, there seems to be no overlap
  • [x] if nat=1 and ippool=0 and fixedport=0 the FM UI shows "Use destination interface address", so this is the implicit default for source nat
  • [x] example for combined nat rule with "natip" set: see lab fortimanager rule "my combined nat rule" - taking this as source NAT?

General

  • [x] #1205
  • [x] replace dev id in local rulebase with dev name
  • [x] decide on how to use package / rulebase name fields
  • [x] first report seems to take rather long?
  • [x] #1342
  • [x] import loop in python
  • [x] import_single in python
  • [x] decide on dealing with consolidated rules - #1212
  • [x] create anonymized json test data for NAT rules and objects --> @tpurschke
  • [x] integration test
  • [ ] decide on dealing with tagging and dynamic groups
  • [x] decide on dealing with /pm/config/firewall/security-policy - Configure NGFW IPv4/IPv6 application policies.
  • [x] handle VDOMs --> look into old importer for this; put vdom name in local_rulebase_name field?

OPTIONAL

  • [x] multicast nat
    • fmgr_pkg_firewall_multicastpolicy: Configure multicast NAT policies.
    • fmgr_pkg_firewall_multicastpolicy6: Configure IPv6 multicast NAT policies.
  • [ ] metafields:
    • fmgr_pm_config_metafields_firewall_address: no description.
    • fmgr_pm_config_metafields_firewall_addrgrp: no description.
    • fmgr_pm_config_metafields_firewall_centralsnatmap: no description.
    • fmgr_pm_config_metafields_firewall_policy: no description.
    • fmgr_pm_config_metafields_firewall_service_custom: no description.
    • fmgr_pm_config_metafields_firewall_service_group: no description.

tpurschke, Jul 06 '21 07:07
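As an added illustration of the NAT-rule normalization discussed in the checklist above (the nat/ippool/fixedport/natip rule and the "0 NAT rules" case), here is example code that is not part of the firewall-orchestrator project: the field names come from the issue, while the output keys, the `uuid` key and the sample entries are assumptions constructed for this example.

```python
from typing import Any, Dict, List

# Constructed sample of FortiManager central SNAT map entries. Field names
# (nat, ippool, fixedport, natip) follow the issue; values and uuids are made up.
SAMPLE_SNAT_MAP: List[Dict[str, Any]] = [
    {"uuid": "00000000-0000-0000-0000-000000000001", "nat": 1, "ippool": 0, "fixedport": 0},
    {"uuid": "00000000-0000-0000-0000-000000000002", "nat": 1, "ippool": 1, "fixedport": 1},
    {"uuid": "00000000-0000-0000-0000-000000000003", "nat": 1, "ippool": 0, "natip": "198.51.100.7"},
    {"uuid": "00000000-0000-0000-0000-000000000004", "nat": 0},
]


def classify_snat(rule: Dict[str, Any]) -> Dict[str, Any]:
    """Derive the source-NAT mode of one central SNAT map entry."""
    nat = int(rule.get("nat", 0))          # API may deliver ints or strings
    ippool = int(rule.get("ippool", 0))
    natip = rule.get("natip")
    if nat != 1:
        mode = "none"
    elif natip:
        mode = "natip"                     # explicit translated address ("combined nat rule")
    elif ippool == 1:
        mode = "ippool"
    else:
        # nat=1, ippool=0: the FortiManager UI shows "Use destination interface address",
        # so this is treated as the implicit default for source NAT.
        mode = "dst-interface-address"
    return {
        "uid": rule.get("uuid"),           # assumed key name for the rule's uid
        "mode": mode,
        # assumption: fixedport only controls port preservation, so it is kept as a flag
        "fixed_port": int(rule.get("fixedport", 0)) == 1,
        "natip": natip,
    }


def normalize_nat_rules(snat_map: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Normalize a whole central SNAT map; a system with 0 NAT rules yields []."""
    if not snat_map:
        return []
    # Every NAT entry is added as-is; the issue found no overlap between NAT types
    # that would require de-duplication at this stage.
    return [classify_snat(rule) for rule in snat_map]
```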

handy in preparation for nat issue, maybe even use FWO API for import (reaching final target config)

tpurschke, Aug 26 '21 06:08