
Fortigate Configuration Skill

by jiansiting · GitHub ↗ · v1.0.0 · MIT-0
Platform: cross-platform · Marketplace flag: ⚠ suspicious
180 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw: /install fortigate-config
Description
Automatically configures FortiGate firewalls, with support for basic policy management and the secure configuration of industrial control protocols (Modbus, IEC104, S7, etc.).
README (SKILL.md)

FortiGate Automatic Configuration Skill (ICS Enhanced Edition)

Features

This skill automates firewall configuration through the FortiGate REST API and adds support for industrial control system (ICS) protocols. You can:

  • Manage firewall policies (create, delete, update, query)
  • Manage address objects
  • Configure Industrial Connectivity (protocol conversion, Rugged series only)
  • Create service objects for ICS protocols (Modbus TCP, IEC104, etc.)
  • Create IPS profiles targeting ICS protocols
  • Add ICS protocol policies and attach security profiles to them

License requirements

Using the ICS protocol signature features requires one of the following licenses:

  • FortiGuard Industrial Security Service
  • ATP (Advanced Threat Protection) bundle
  • UTP (Unified Threat Protection) bundle

Configuration items

Before using this skill, set the following items in OpenClaw's environment variables or configuration file:

Item                 | Description                                    | Required | Default
---------------------|------------------------------------------------|----------|--------
FORTIGATE_HOST       | IP address or hostname of the FortiGate device | Yes      |
FORTIGATE_TOKEN      | API access token                               | Yes      |
FORTIGATE_PORT       | API port                                       | No       | 443
FORTIGATE_VERIFY_SSL | Whether to verify the SSL certificate          | No       | false

Usage

@openclaw fortigate-config <operation> <parameters (JSON format)>

Basic operations

Operation     | Description                | Example parameters
--------------|----------------------------|-------------------
list-policies | List all firewall policies | {}
add-address   | Add an address object      | {"name": "web-server", "subnet": "192.168.1.10/32"}
delete-address | Delete an address object  | {"name": "web-server"}
add-policy    | Add a firewall policy      | {"name": "allow-web", "srcintf": "port1", "dstintf": "port2", "srcaddr": "all", "dstaddr": "all", "action": "accept"}
update-policy | Update a firewall policy   | {"policyid": 1, "action": "deny", "name": "new-name"}

ICS protocol operations

Operation                 | Description                                                    | Example parameters
--------------------------|----------------------------------------------------------------|-------------------
configure-icond           | Configure the Industrial Connectivity service (protocol conversion) | {"interface": "internal1", "protocol_type": "modbus-serial-tcp", "tty_device": "serial0"}
create-industrial-service | Create an ICS protocol service object                          | {"name": "modbus-tcp", "protocol": "TCP", "port": 502}
create-industrial-ips     | Create an ICS IPS profile                                      | {"name": "plc-protection", "protocols": ["Modbus", "IEC104"], "action": "monitor"}
add-industrial-policy     | Add an ICS protocol policy (with security protection attached) | {"name": "hmi-to-plc", "srcintf": "port1", "dstintf": "port2", "srcaddr": "hmi-net", "dstaddr": "plc-net", "service": "modbus-tcp", "ips_profile": "plc-protection"}

Common ICS protocol ports

Protocol    | Port      | Description
------------|-----------|------------------------------------------
Modbus TCP  | TCP 502   | Common industrial automation protocol
IEC 104     | TCP 2404  | Power-system remote control protocol
S7 Plus     | TCP 102   | Siemens PLC protocol
Ethernet/IP | TCP 44818 | Rockwell/ODVA industrial protocol
DNP3        | TCP 20000 | Power and water utility automation protocol

Notes

  • All write operations (add, delete, update) first check whether the object already exists, to avoid duplicate creation or accidental deletion.
  • Output is formatted as a table where possible (requires tabulate); otherwise simple text alignment is used.
  • In production, set FORTIGATE_VERIFY_SSL to true and use a valid certificate.
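The check-before-write rule and the FORTIGATE_VERIFY_SSL default described in these notes, as an added example that is not taken from the skill's scripts/main.py: a stdlib-only Python helper that derives connection settings from the FORTIGATE_* variables with TLS verification on unless explicitly disabled, and plans an add-address request only when the object is absent. The FortiOS path /api/v2/cmdb/firewall/address and the Bearer header follow standard FortiOS REST conventions; the request body shape and the fetch_existing callback are assumptions.

```python
from typing import Callable, Dict, Iterable, Optional

# Standard FortiOS REST cmdb path for address objects (not taken from the skill).
ADDRESS_ENDPOINT = "/api/v2/cmdb/firewall/address"
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}


def build_client_config(env: Dict[str, str]) -> dict:
    """Derive connection settings from the FORTIGATE_* variables.

    Unlike the skill's default (verification off unless the variable is set),
    TLS verification is on unless the operator explicitly opts out, and an
    unparsable flag or a missing host/token is rejected rather than ignored.
    """
    host = env.get("FORTIGATE_HOST", "").strip()
    token = env.get("FORTIGATE_TOKEN", "").strip()
    if not host or not token:
        raise ValueError("FORTIGATE_HOST and FORTIGATE_TOKEN are required")
    port = int(env.get("FORTIGATE_PORT", "443"))
    raw = env.get("FORTIGATE_VERIFY_SSL", "true").strip().lower()
    if raw in TRUE_VALUES:
        verify = True
    elif raw in FALSE_VALUES:
        verify = False  # explicit opt-out only, never the silent default
    else:
        raise ValueError(f"FORTIGATE_VERIFY_SSL must be true/false, got {raw!r}")
    return {
        "base_url": f"https://{host}:{port}",
        "headers": {"Authorization": f"Bearer {token}"},
        "verify": verify,
    }


def plan_add_address(cfg: dict, name: str, subnet: str,
                     fetch_existing: Callable[[str, dict], Iterable[str]]) -> Optional[dict]:
    """Return the POST the script would send, or None if the object already exists.

    fetch_existing(url, headers) stands in for the GET that lists current
    address names (assumed callback, so this runs offline); returning None
    mirrors the README's check-before-write rule. The body shape is assumed.
    """
    url = cfg["base_url"] + ADDRESS_ENDPOINT
    if name in set(fetch_existing(url, cfg["headers"])):
        return None
    return {"method": "POST", "url": url, "verify": cfg["verify"],
            "headers": cfg["headers"], "json": {"name": name, "subnet": subnet}}
```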

Feedback and support

For questions, please contact [email protected]

Usage Guidance
This skill appears to do what it says (automate FortiGate configuration) and only asks for FortiGate connection info. Before installing:
  1. Review the complete scripts/main.py (the source provided to me ends truncated — ensure you have the full file and inspect it for unexpected network calls or obfuscated code).
  2. Treat FORTIGATE_TOKEN as highly sensitive: use a least-privilege API token/service account and store it in a secure secret store, not a plaintext env var if possible.
  3. Set FORTIGATE_VERIFY_SSL=true and use valid certificates in production — the code disables SSL warnings and defaults to not verifying, which risks MITM.
  4. Test in a lab or on a non-production device first (these operations can change firewall and ICS connectivity).
  5. If you allow autonomous invocation, be aware the agent could make changes to your firewall when the skill runs; consider limiting when/how the agent can call this skill.
If you provide the full, untruncated source I can raise or lower confidence after reviewing it.
Capability Analysis
Type: OpenClaw Skill
Name: fortigate-config
Version: 1.0.0
The skill is a legitimate automation tool for managing FortiGate firewall configurations via its REST API, with specific enhancements for Industrial Control Systems (ICS) protocols. The code in `scripts/main.py` implements standard CRUD operations for firewall policies, address objects, and industrial security profiles using the `requests` library. It follows security best practices by using environment variables for sensitive credentials (host and token) and includes options for SSL verification. No evidence of data exfiltration, unauthorized execution, or malicious prompt injection was found.
Capability Assessment
Purpose & Capability
The name/description, SKILL.md, and scripts/main.py all describe FortiGate REST API automation and consistently require FORTIGATE_HOST and FORTIGATE_TOKEN. Required capabilities match the stated purpose (policy/address/service/IPS/configuring industrial connectivity).
Instruction Scope
SKILL.md instructs only to set FortiGate connection variables and run operations tied to FortiGate; the runtime script only calls the FortiGate API and prints results. There is no evidence the skill reads unrelated files or exfiltrates data to third parties. However the script globally disables SSL warnings and defaults verification to false unless the env var is set, which broadens the risk surface for MITM if used with insecure settings.
Install Mechanism
No install spec is provided (instruction/code-only). requirements.txt is small and reasonable (requests, tabulate). No downloads from arbitrary URLs or archive extraction are present.
Credentials
Only FortiGate-related environment variables are declared (FORTIGATE_HOST, FORTIGATE_TOKEN, optional port/verify flag) and the script uses exactly those. This is proportionate, but granting the API token gives full ability to modify firewall configuration — the user should ensure the token has minimal necessary scope and is stored securely.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or agent-wide settings. It runs on-demand or via normal autonomous invocation.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install fortigate-config
  3. After installation, invoke the skill by name or use /fortigate-config
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
FortiGate-config 2.0.0 is a major update enhancing support for industrial protocols and automation:
  • Added automated configuration for FortiGate firewalls via REST API.
  • Introduced support for industrial control system (ICS) protocols: Modbus, IEC104, S7, etc.
  • Enabled management of firewall policies, address objects, and industrial protocol services.
  • Supported Industrial Connectivity configuration (protocol conversion, Rugged series only) and creation of ICS-specific IPS profiles and policies.
  • Improved safety checks to prevent duplicate or erroneous operations.
  • Updated usage instructions and clarified licensing requirements for industrial security features.
Metadata
Slug fortigate-config
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Fortigate Configuration Skill?

Automatically configures FortiGate firewalls, with support for basic policy management and the secure configuration of industrial control protocols (Modbus, IEC104, S7, etc.). It is an AI Agent Skill for Claude Code / OpenClaw, with 180 downloads so far.

How do I install Fortigate Configuration Skill?

Run "/install fortigate-config" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Fortigate Configuration Skill free?

Yes, Fortigate Configuration Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Fortigate Configuration Skill support?

Fortigate Configuration Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Fortigate Configuration Skill?

It is built and maintained by jiansiting (@jiansiting); the current version is v1.0.0.
