jafartavana01/fortigate-utm-analyzer
GitHub: jafartavana01/fortigate-utm-analyzer
一款零依赖的Python CLI工具,用于对FortiGate防火墙配置进行深度安全审计并生成带严重程度标记的综合评估报告。
Stars: 5 | Forks: 1
# 🔐 FortiGate UTM 安全分析器
[flags]
```
### 所有标志
| 标志 | 描述 | 输出文件 |
|---|---|---|
| `-c` | **必需** —— 配置文件的路径 | — |
| **数据平面** | | |
| `-f` | 防火墙策略审计 (IPv4+IPv6) | `_firewall_policy_report.txt` |
| `-i` | SSL/SSH inspection profiles | `_ssl_inspection_report.txt` |
| `-av` | Antivirus profiles (v8.0 sub-block) | `_antivirus_report.txt` |
| `-utm` | 所有 UTM profiles (IPS+WF+App+DNS+WAF+Email+Video+File+VPatch+LLM) | `_utm_profiles_report.txt` |
| `-intel` | 策略智能 (被遮蔽/重复/统计) | `_policy_intelligence_report.txt` |
| `-unused` | 未使用对象审计 | `_unused_objects_report.txt` |
| `-vip` | VIP/端口转发安全 | `_vip_security_report.txt` |
| **VPN** | | |
| `-vpn` | IPsec Phase1+Phase2 | `_vpn_report.txt` |
| `-sslvpn` | SSL-VPN + 门户 | `_sslvpn_report.txt` |
| `-cert` | 证书审计 | `_certificate_report.txt` |
| **基础设施** | | |
| `-ha` | HA 配置 | `_ha_report.txt` |
| `-log` | 日志记录 (FA1-3, syslogd1-4, event filter, disk) | `_logging_report.txt` |
| `-dos` | 基础 DoS 策略 | `_dos_policy_report.txt` |
| `-antidos` | 全面 Anti-DoS 防护审计 | `_antidos_report.txt` |
| `-sdwan` | SD-WAN 审计 | `_sdwan_report.txt` |
| **系统** | | |
| `-s` | 全面系统加固 (admin+interface+global+SNMP+SSH+NTP+DNS+IKE+CSF+FIPS+FortiGuard+local-in) | `_system_report.txt` |
| `-iface` | 接口暴露评分 | `_interface_exposure_report.txt` |
| **云 / 零信任** | | |
| `-fabric` | Fabric 连接器 (AWS/Azure/GCP/EMS/ZTNA/SASE) | `_fabric_connector_report.txt` |
| `-ai` | AI/LLM 应用安全 | `_ai_llm_audit_report.txt` |
| **报告** | | |
| `--summary` | 执行摘要 + JSON 导出 | `_SUMMARY.txt` + `_SUMMARY.json` |
| `--all` | 在一次运行中完成上述所有内容 | 以上全部 |
### 常见工作流
```
# 全面审计 — 所有内容
python3 utm.py -c fw.conf --all
# 快速安全态势(优先检查最具影响力的项)
python3 utm.py -c fw.conf -f -i -av -s -antidos --summary
# Policy 表清理(适用于老旧环境)
python3 utm.py -c fw.conf -intel -unused -vip --summary
# VPN 与远程访问加固
python3 utm.py -c fw.conf -vpn -sslvpn -cert -s --summary
# Management plane 安全
python3 utm.py -c fw.conf -s -iface -log -ha -antidos --summary
# Cloud 与 Zero Trust 就绪情况
python3 utm.py -c fw.conf -fabric -ai -f --summary
# SD-WAN 健康状况审查
python3 utm.py -c fw.conf -sdwan -iface --summary
# 快速测试 — 内置示例 config
python3 utm.py -c sample_config.conf --all
```
## 📁 输出文件
所有输出均写入当前目录,根据配置文件进行命名。对 `fw-prod.conf` 运行 `--all` 会生成:
```
fw-prod.conf_firewall_policy_report.txt
fw-prod.conf_ssl_inspection_report.txt
fw-prod.conf_antivirus_report.txt
fw-prod.conf_utm_profiles_report.txt
fw-prod.conf_policy_intelligence_report.txt
fw-prod.conf_unused_objects_report.txt
fw-prod.conf_vip_security_report.txt
fw-prod.conf_vpn_report.txt
fw-prod.conf_sslvpn_report.txt
fw-prod.conf_certificate_report.txt
fw-prod.conf_ha_report.txt
fw-prod.conf_logging_report.txt
fw-prod.conf_dos_policy_report.txt
fw-prod.conf_antidos_report.txt
fw-prod.conf_sdwan_report.txt
fw-prod.conf_system_report.txt
fw-prod.conf_interface_exposure_report.txt
fw-prod.conf_fabric_connector_report.txt
fw-prod.conf_ai_llm_audit_report.txt
fw-prod.conf_SUMMARY.txt
fw-prod.conf_SUMMARY.json ← machine-readable, ingest into Splunk/SIEM
```
## 📊 输出示例
对内置的 `sample_config.conf` 运行 `--all` (故意配置错误):
```
================================================================================
================= FORTIGATE SECURITY AUDIT — EXECUTIVE SUMMARY =================
================================================================================
Config file : sample_config.conf
Risk Rating : CRITICAL
Risk Score : 876.5 (CRITICAL×10 + HIGH×5 + MEDIUM×2 + INFO×0.5)
Total Findings: 312
CRITICAL 12
HIGH 89
MEDIUM 118
INFO 93
================================================================================
FINDINGS BY SECTION:
──────────────────────────────────────────────────────────────────────────────
Section CRIT HIGH MED INFO TOT
──────────────────────────────────────────────────────────────────────────────
AI/LLM Security 1 3 4 1 9
Admin Accounts 0 6 0 3 9
Anti-DoS Hardening 0 5 3 2 10
Anti-DoS IPS 0 2 1 0 3
Anti-DoS Policies 1 4 2 0 7
Antivirus Profiles 0 1 10 6 17
Certificates 0 0 1 1 2
Enhanced Local-in 2 1 1 0 4
Fabric Connectors 0 4 3 1 8
Firewall Policies 3 14 18 24 59
Global Hardening 1 3 4 5 13
HA Config 0 1 3 2 6
IKE Global 0 2 1 0 3
Interface Exposure 0 7 2 1 10
Interfaces 0 7 1 1 9
Logging 0 1 4 2 7
NTP 0 1 1 2 4
Policy Intelligence 1 2 3 5 11
SD-WAN 1 1 2 0 4
SSL Inspection 0 6 10 4 20
SSL-VPN 0 3 4 1 8
SNMP 1 1 1 0 3
Unused Objects 0 0 2 8 10
VIP Security 2 1 1 2 6
VPN Phase1 0 7 2 1 10
...
CRITICAL & HIGH FINDINGS (excerpt):
──────────────────────────────────────────────────────────────────────────────
[VIP Security ] CRITICAL: VIP 'RDP-Server' exposes RDP (port 3389) from internet
[VIP Security ] CRITICAL: VIP 'SMB-Server' exposes SMB (port 445) from internet
[Anti-DoS Policies ] CRITICAL: WAN interface 'wan1' has NO DoS policy
[Enhanced Local-in ] CRITICAL: WAN 'wan1' has mgmt access AND no local-in-policy
[SD-WAN ] CRITICAL: No health-checks configured
[AI/LLM Security ] CRITICAL: Chinese AI detected (deepseek) — data sovereignty risk
[Fabric Connectors ] HIGH: AWS static access-key/secret-key in config
[Fabric Connectors ] HIGH: Azure client-secret stored in config
[VPN Phase1 ] HIGH: IKEv1 aggressive mode — PSK hash exposed
================================================================================
```
### Anti-DoS 评分报告示例
```
══════════════════════════════════════════════════════════════════════════════
═══════════════ ANTI-DoS / DoS PROTECTION AUDIT ════════════════════════════
══════════════════════════════════════════════════════════════════════════════
Overall DoS Protection Score : 0.0 / 10 — CRITICAL — NO EFFECTIVE DoS PROTECTION
CRITICAL: 1 HIGH: 4 MEDIUM: 2 INFO: 0
[░░░░░░░░░░] 0.0/10
Policy #1 Interface: wan1 Status: enable Src: all Dst: all
Anomaly sensors configured: 7
Sensor Status Action Threshold Log Assessment
───────────────────────── ───────── ───────── ─────────── ─────── ──────────
tcp_syn_flood enable monitor 2000 disable ⚠ NOT BLOCKING
udp_flood enable block 999999 disable ⚠ THRESH TOO HIGH
icmp_flood disable block 250 enable ⚠ DISABLED
ip_src_session enable block 5000 enable ✓ OK
```
### 接口暴露评分示例
```
Interface Role IP Exposed Protocols Score
─────────────────────────────────────────────────────────────────────────────────────
wan1 wan 203.0.113.1/24 ping https ssh http snmp telnet 9.2/10
[█████████░] CRITICAL EXPOSURE
dmz dmz 10.10.10.1/24 http telnet 7.8/10
[███████░░░] HIGH EXPOSURE
port1 lan 192.168.1.1/24 ping https 2.1/10
[██░░░░░░░░] LOW EXPOSURE
```
## 🏗️ 架构与内部原理
### 解析器设计
```
utm.py (5695 lines, 0 external dependencies)
│
├── Base Parsers
│ ├── extract_block() — config X / edit / set / next / end
│ ├── extract_flat_block() — flat blocks (system global etc.)
│ └── extract_nested_block() — nested sub-blocks (NTP servers)
│
├── Version-Aware Parsers
│ ├── parse_ssl_profiles_v2() — 6.x flat + 7/8 per-protocol sub-blocks
│ │ (https.status, ftps.min-allowed-ssl-version etc.)
│ └── parse_av_profiles_v2() — 6.x flat + 8.0 sub-blocks
│ (http.av-scan, content-disarm.office-macro etc.)
│
├── Specialized Parsers
│ ├── parse_dos_policy_full() — anomaly sub-block aware (reads every sensor)
│ ├── parse_sdwan() — nested members + health-checks + rules
│ └── parse_np_global() — NP7/NP6/NPU auto-detection
│
├── 58 Section Parsers — one per config section
│
├── 35 Weakness Functions — each: Dict → List[str] with severity prefix
│
├── Object Reference Engine — cross-references all object types vs all policies
│
├── Scoring Engine
│ ├── Firewall scoring — CRITICAL×10 + HIGH×5 + MEDIUM×2 + INFO×0.5
│ └── Anti-DoS 0-10 — deduction model with per-category caps
│
├── 22 Report Generators — ASCII tables + findings + CLI remediation
│
└── CLI (argparse) — 30 flags + --all
```
### 评分模型
```
Global Risk Score = (CRITICAL × 10) + (HIGH × 5) + (MEDIUM × 2) + (INFO × 0.5)
Risk Tier:
CRITICAL → any CRITICAL finding OR Score ≥ 50
HIGH → Score ≥ 25
MEDIUM → Score ≥ 10
LOW → Score < 10
Anti-DoS Score (0–10):
Starts at 10, deductions per finding:
CRITICAL: -3 (capped at -6)
HIGH: -1.5 (capped at -4.5)
MEDIUM: -0.5 (capped at -2)
INFO: -0.1 (capped at -0.5)
Grade: STRONG (8+) / ACCEPTABLE (6+) / WEAK (4+) / POOR (2+) / CRITICAL
```
## 🔧 扩展工具
### 向现有域添加检查
```
def fw_policy_weaknesses(p: Dict) -> List[str]:
findings = []
# ... existing checks ...
# Example: flag RDP service in any accept policy
service = nv(p.get("service", ""))
if "RDP" in service.upper() and nv(p.get("action","")) == "accept":
findings.append(f(H, "Policy permits RDP — use SSL-VPN instead of direct RDP exposure."))
return findings
```
### 添加新的配置部分(3 个步骤)
```
# Step 1: Parser — 标准 block 一行
def parse_my_section(t):
return extract_block(t, "my config block name")
# Step 2: Weakness 函数
def my_section_weaknesses(obj: Dict) -> List[str]:
findings = []
name = nv(obj.get("name", obj.get("_id", "")))
if nv(obj.get("some-field", "")) != "enable":
findings.append(f(M, f"MySection '{name}': some-field not enabled."))
return findings
# Step 3: 接入 main() — 解析、生成报告、收集发现
```
### 在 Splunk 或 Python 中使用 JSON 输出
```
import json
with open("fw.conf_SUMMARY.json") as fh:
data = json.load(fh)
# 风险概览
print(data["summary"]["risk"]) # "CRITICAL"
print(data["summary"]["score"]) # 876.5
print(data["summary"]["counts"]) # {"CRITICAL": 12, "HIGH": 89, ...}
# 跨所有部分的所有 CRITICAL 发现
for section, finds in data["findings"].items():
crits = [f for f in finds if f.startswith("CRITICAL:")]
for c in crits:
print(f"[{section}] {c}")
# 按部分细分
for section, sc in data["summary"]["by_section"].items():
if sc["CRITICAL"] > 0 or sc["HIGH"] > 0:
print(f"{section}: C={sc['CRITICAL']} H={sc['HIGH']}")
```
## 🔒 安全注意事项
- `.gitignore` 排除所有 `*.conf` 文件,除了 `sample_config.conf` —— 切勿提交真实的设备配置
- 加密存储配置备份:`gpg --symmetric --cipher-algo AES256 firewall.conf`
- 该工具进行**零网络连接** —— 所有操作均在本地进行,不会有任何数据离开您的机器
- 运行后:在共享系统上执行 `chmod 600 firewall.conf`
- 在外部共享报告之前,请清理 IP、用户名、PSK 和 API 密钥
- `_SUMMARY.json` 包含所有发现文本 —— 请将其与配置文件一样谨慎对待
## 🗺️ 路线图
- [ ] 带有颜色编码严重程度仪表板和图表的 HTML 报告
- [ ] BGP 安全审计(路由过滤、前缀限制、MD5 身份验证、max-prefix)
- [ ] FortiOS 版本检测 → 基于版本条件的检查逻辑
- [ ] 支持 VDOM 的解析(per-VDOM 配置部分 + 全局部分)
- [ ] 配置差异比对模式:比较两个备份,报告更改的设置和新增的风险
- [ ] 用于企业审计报告的 CSV/Excel 导出
- [ ] RADIUS / LDAP / SAML 身份验证服务器加固
- [ ] FortiNAC 集成审计
- [ ] FortiMonitor 云监控集成检查
- [ ] 自动化多设备审计运行器(接受配置文件列表)
- [ ] 带有针对示例配置的回归测试的 GitHub Actions CI
## 👤 作者
**Jafar Tavana**
网络安全工程师 | CCIE 候选人 | FortiGate 专家
拥有 15 年以上网络工程经验。精通 Cisco、Fortinet、Mikrotik、Linux、Windows Server。
致力于开发能够消除防火墙审计中机械性工作的安全工具。
- GitHub: [@jafartavana01](https://github.com/jafartavana01)
## 📄 许可证
MIT —— 详情请参阅 [许可证](LICENSE)。
最全面的开源 FortiGate 安全配置审计工具。
将其指向 show full-configuration 备份。获取 300 多项带严重程度标记的发现,
涵盖 35 个审计域 —— 覆盖每个安全平面、每一层以及每个 FortiOS 版本。
如果该工具在生产审计中发现了真实的隐患,请考虑点亮 Star ⭐
这有助于其他工程师发现这个工具。
标签:FortiGate, Python, 文档结构分析, 无后门, 逆向工具, 防火墙