[x] there might be more than one (nw) object with the same name (e.g. "all" for 0.0.0.0/0 and ::/0) but different uids, causing get_active_rules_with_broken_refs_per_mgm to throw errors (fail 4)
[x] deal with systems with 0 NAT rules!
[x] test with real life configs as early as possible
[x] write NAT objects to FWO via API (if not already covered)
[x] #1524
[x] #1394
Access Rules
[x] get access rules (v4, v6, local, global)
[x] rule writing to FWO API: access rules
[x] rule writing: zone information leads to access rules with zone info not being imported
ERRORS: [{'import_errors': 'ERR-ImpMain@get_active_rules_with_broken_refs_per_mgm;mgmt 4, dev 4, fail 7 (dst object not found in object table): fe590116-41f7-51ec-a5ef-0172b19c7682; '}]
[x] normalize NAT rules (to CP representation?)
[x] #1400
[x] #1424
ipv6: global header / local / global footer rules
ipv4: global header / local / global footer rules
[ ] add header rules per zone pair (allow hiding header rules as well?) --> @alf-cactus
[ ] later: parse source user(group)
[x] later: parse schedule
Current issues with rules:
[x] one access rule sometimes shows before first header
[x] #1441
[x] fortimanager device itself is displayed in RSB (need to change query)
[x] not all rulebases are found
[x] some ADOMs have import errors (refhandler main)
[ ] #1519
[x] autodiscovery keeps adding gateways
[x] autodiscovery creates empty ADOM FortiNAC
[x] remove FortiManager (MDM) from legacy import
[x] #1440
[x] #1439
[x] add parameters for legacy importer to tell it which device types to import
[x] #1449
NAT Rules
[x] get NAT rules via fmgr_pkg_firewall_centralsnatmap (Configure central SNAT policies)
[x] rule writing to FWO API: NAT rules
[x] decide on necessity to get interface VIPs & IP pools for NAT
[x] #1419
[x] #1396
[x] #1523
[x] #1418
[x] #1407
[x] difference between the snat/dnat API calls and dual-use rules (access/NAT) in the UI; are there specific NAT-only rules? Simply add every NAT type, there seems to be no overlap
[x] if nat=1 and ippool=0 and fixedport=0, the FM UI shows "Use destination interface address", so this is the implicit default for source NAT
[x] example for a combined NAT rule with "natip" set: see lab FortiManager rule "my combined nat rule" - treating this as source NAT?
General
[x] #1205
[x] replace dev id in local rulebase with dev name
[x] decide on how to use package / rulebase name fields
[x] first report seems to take rather long?
[x] #1342
[x] import loop in python
[x] import_single in python
[x] decide on dealing with consolidated rules - #1212
[x] create anonymized json test data for NAT rules and objects --> @tpurschke
[x] integration test
[ ] decide on dealing with tagging and dynamic groups
[x] decide on dealing with /pm/config/firewall/security-policy (Configure NGFW IPv4/IPv6 application policies)
[x] handle VDOMs --> look into old importer for this; put vdom name in local_rulebase_name field?
using this as an introduction to importer modules for everyone
we may use ansible galaxy collection as a guideline: https://galaxy.ansible.com/fortinet/fortimanager; https://github.com/fortinet-ansible-dev/ansible-galaxy-fortimanager-collection/tree/galaxy/2.1.4