Programmatic management of FortiMail access lists (Proof of Concept)
I have written this script for a prospect concerned about integrating security management with their business process.
With Fortinet products this is simple for a couple of reasons:
- The entire device configuration can be expressed as a flat, human-readable text file that can be archived and versioned.
- The format of this configuration makes it easy to extract deltas between devices and between configuration versions using diff and version-control tools. In this way Fortinet virtual appliances are Infrastructure-as-Code ready.
- All configuration state is accessible and changeable via the CLI.
- A growing part of it can be manipulated using REST APIs.
Scenario
The goal is to enforce TLS-encrypted SMTP communication with a group of e-mail domains belonging to business partners. Every other domain is offered TLS voluntarily.
The FortiMail implementation consists of a receive policy and a delivery policy, each composed of individual domain entries and a default catch-all rule:

There are two operations to automate:
- adding a new domain should create a new rule above the catch-all, specifying the TLS profile, in both the receive and the delivery policy
- removing a domain should ensure the domain is no longer defined in either policy, so that its mail hits the catch-all
For the purpose of this PoC both operations are defined as Ruby scripts.
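The two operations above, as an added Ruby example rather than the scripts from the repository: it treats a Fortinet-style list-based block as text, inserts a partner rule above the catch-all, or removes it so the domain falls through. The config text is constructed to mimic the config/edit/set/next/end layout; the block name and the "domain" and "tls-profile" keys are assumptions, not FortiMail's actual CLI grammar.

```ruby
# Added example, not the author's script. The config text below is constructed to mimic
# Fortinet's config/edit/set/next/end layout; block name and keys are assumed, not FortiMail's.
SAMPLE_CONFIG = <<~CFG
  config policy delivery
      edit 1
          set domain partner-a.example
          set tls-profile enforce-tls
      next
      edit 2
          set domain *
          set tls-profile opportunistic-tls
      next
  end
CFG

# Parse one list-based block into an ordered array of {"key" => "value"} hashes.
def parse_policy(text)
  entries = []
  current = nil
  text.each_line do |line|
    case line.strip
    when /\Aedit \d+\z/       then current = {}
    when /\Aset (\S+) (.+)\z/ then current[$1] = $2 if current
    when 'next'               then entries << current; current = nil
    end
  end
  entries
end

# Serialize entries back to text, renumbering so rule order (catch-all last) is preserved.
def render_policy(name, entries)
  lines = ["config policy #{name}"]
  entries.each_with_index do |e, i|
    lines << "    edit #{i + 1}"
    e.each { |k, v| lines << "        set #{k} #{v}" }
    lines << '    next'
  end
  (lines << 'end').join("\n") + "\n"
end

# Insert the partner rule above the "*" catch-all; a no-op if the domain already has a rule.
def add_domain(entries, domain, profile)
  return entries if entries.any? { |e| e['domain'] == domain }
  catchall, specific = entries.partition { |e| e['domain'] == '*' }
  specific + [{ 'domain' => domain, 'tls-profile' => profile }] + catchall
end

# Drop the partner rule so the domain falls through to the catch-all, which is never removed.
def remove_domain(entries, domain)
  entries.reject { |e| e['domain'] == domain && domain != '*' }
end
```

Running the same functions over both the receive and the delivery block, then diffing the rendered text against the archived version, gives exactly the change set the post describes.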
Demo
A 2-minute video showing the scripts in action:
Source code
All source code used in this exercise is available in the fortimail-acl-manipulation repository on GitHub.
It has been tested with FortiMail v5.3 build 608, but the method is generic and could be applied to list-based configuration on any Fortinet device with minimal modification.