|
import argparse |
|
import os |
|
import spaces |
|
|
|
import gradio as gr |
|
|
|
import json |
|
from threading import Thread |
|
import torch |
|
from transformers import AutoModelForCausalLM, AutoTokenizer, TextIteratorStreamer |
|
|
|
MAX_LENGTH = 4096 |
|
DEFAULT_MAX_NEW_TOKENS = 1024 |
|
|
|
|
|
def parse_args(): |
|
parser = argparse.ArgumentParser() |
|
parser.add_argument("--base_model", type=str) |
|
parser.add_argument("--n_gpus", type=int, default=1) |
|
return parser.parse_args() |
|
|
|
@spaces.GPU() |
|
def predict(message, history, system_prompt, temperature, max_tokens): |
|
global model, tokenizer, device |
|
messages = [{'role': 'system', 'content': system_prompt}] |
|
for human, assistant in history: |
|
messages.append({'role': 'user', 'content': human}) |
|
messages.append({'role': 'assistant', 'content': assistant}) |
|
messages.append({'role': 'user', 'content': message}) |
|
problem = [tokenizer.apply_chat_template(messages, tokenize=False, add_generation_prompt=True)] |
|
stop_tokens = ["<|endoftext|>", "<|im_end|>"] |
|
streamer = TextIteratorStreamer(tokenizer, timeout=100.0, skip_prompt=True, skip_special_tokens=True) |
|
enc = tokenizer(problem, return_tensors="pt", padding=True, truncation=True) |
|
input_ids = enc.input_ids |
|
attention_mask = enc.attention_mask |
|
|
|
if input_ids.shape[1] > MAX_LENGTH: |
|
input_ids = input_ids[:, -MAX_LENGTH:] |
|
|
|
input_ids = input_ids.to(device) |
|
attention_mask = attention_mask.to(device) |
|
generate_kwargs = dict( |
|
{"input_ids": input_ids, "attention_mask": attention_mask}, |
|
streamer=streamer, |
|
do_sample=True, |
|
top_p=0.95, |
|
temperature=temperature, |
|
max_new_tokens=DEFAULT_MAX_NEW_TOKENS, |
|
use_cache=True, |
|
eos_token_id=tokenizer.eos_token_id |
|
) |
|
t = Thread(target=model.generate, kwargs=generate_kwargs) |
|
t.start() |
|
outputs = [] |
|
for text in streamer: |
|
outputs.append(text) |
|
yield "".join(outputs) |
|
|
|
""" |
|
examples=[ |
|
["How can you move a policy by policy ID?"], |
|
["What is the command to enable security profiles in a firewall policy?"], |
|
["How do you configure a service group in the GUI?"], |
|
["How can you configure the firewall policy change summary in the CLI?"], |
|
["How do you disable hardware acceleration for an IPv4 firewall policy in the CLI?"], |
|
["How can you enable WAN optimization in a firewall policy using the CLI?"], |
|
["What are services in FortiOS and how are they used in firewall policies?"], |
|
], |
|
""" |
|
sys_prompt = """FortiOS firewall configuration in CLI.\n |
|
Use the firewall config template below to refine your answer, make sure the attributes in the config belongs to the template.\n |
|
config firewall policy |
|
edit <policyid> |
|
set action [accept|deny|ipsec] |
|
set anti-replay [enable|disable] |
|
set application-list {string} |
|
set auth-cert {string} |
|
set auth-path [enable|disable] |
|
set auth-redirect-addr {string} |
|
set auto-asic-offload [enable|disable] |
|
set av-profile {string} |
|
set block-notification [enable|disable] |
|
set captive-portal-exempt [enable|disable] |
|
set capture-packet [enable|disable] |
|
set casb-profile {string} |
|
set cifs-profile {string} |
|
set comments {var-string} |
|
set custom-log-fields <field-id1>, <field-id2>, ... |
|
set decrypted-traffic-mirror {string} |
|
set delay-tcp-npu-session [enable|disable] |
|
set diameter-filter-profile {string} |
|
set diffserv-copy [enable|disable] |
|
set diffserv-forward [enable|disable] |
|
set diffserv-reverse [enable|disable] |
|
set diffservcode-forward {user} |
|
set diffservcode-rev {user} |
|
set disclaimer [enable|disable] |
|
set dlp-profile {string} |
|
set dnsfilter-profile {string} |
|
set dsri [enable|disable] |
|
set dstaddr <name1>, <name2>, ... |
|
set dstaddr-negate [enable|disable] |
|
set dstaddr6 <name1>, <name2>, ... |
|
set dstaddr6-negate [enable|disable] |
|
set dstintf <name1>, <name2>, ... |
|
set dynamic-shaping [enable|disable] |
|
set email-collect [enable|disable] |
|
set emailfilter-profile {string} |
|
set fec [enable|disable] |
|
set file-filter-profile {string} |
|
set firewall-session-dirty [check-all|check-new] |
|
set fixedport [enable|disable] |
|
set fsso-agent-for-ntlm {string} |
|
set fsso-groups <name1>, <name2>, ... |
|
set geoip-anycast [enable|disable] |
|
set geoip-match [physical-location|registered-location] |
|
set groups <name1>, <name2>, ... |
|
set http-policy-redirect [enable|disable] |
|
set icap-profile {string} |
|
set identity-based-route {string} |
|
set inbound [enable|disable] |
|
set inspection-mode [proxy|flow] |
|
set internet-service [enable|disable] |
|
set internet-service-custom <name1>, <name2>, ... |
|
set internet-service-custom-group <name1>, <name2>, ... |
|
set internet-service-group <name1>, <name2>, ... |
|
set internet-service-name <name1>, <name2>, ... |
|
set internet-service-negate [enable|disable] |
|
set internet-service-src [enable|disable] |
|
set internet-service-src-custom <name1>, <name2>, ... |
|
set internet-service-src-custom-group <name1>, <name2>, ... |
|
set internet-service-src-group <name1>, <name2>, ... |
|
set internet-service-src-name <name1>, <name2>, ... |
|
set internet-service-src-negate [enable|disable] |
|
set internet-service6 [enable|disable] |
|
set internet-service6-custom <name1>, <name2>, ... |
|
set internet-service6-custom-group <name1>, <name2>, ... |
|
set internet-service6-group <name1>, <name2>, ... |
|
set internet-service6-name <name1>, <name2>, ... |
|
set internet-service6-negate [enable|disable] |
|
set internet-service6-src [enable|disable] |
|
set internet-service6-src-custom <name1>, <name2>, ... |
|
set internet-service6-src-custom-group <name1>, <name2>, ... |
|
set internet-service6-src-group <name1>, <name2>, ... |
|
set internet-service6-src-name <name1>, <name2>, ... |
|
set internet-service6-src-negate [enable|disable] |
|
set ippool [enable|disable] |
|
set ips-sensor {string} |
|
set ips-voip-filter {string} |
|
set logtraffic [all|utm|disable] |
|
set logtraffic-start [enable|disable] |
|
set match-vip [enable|disable] |
|
set match-vip-only [enable|disable] |
|
set name {string} |
|
set nat [enable|disable] |
|
set nat46 [enable|disable] |
|
set nat64 [enable|disable] |
|
set natinbound [enable|disable] |
|
set natip {ipv4-classnet} |
|
set natoutbound [enable|disable] |
|
set network-service-dynamic <name1>, <name2>, ... |
|
set network-service-src-dynamic <name1>, <name2>, ... |
|
set np-acceleration [enable|disable] |
|
set ntlm [enable|disable] |
|
set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ... |
|
set ntlm-guest [enable|disable] |
|
set outbound [enable|disable] |
|
set passive-wan-health-measurement [enable|disable] |
|
set pcp-inbound [enable|disable] |
|
set pcp-outbound [enable|disable] |
|
set pcp-poolname <name1>, <name2>, ... |
|
set per-ip-shaper {string} |
|
set permit-any-host [enable|disable] |
|
set permit-stun-host [enable|disable] |
|
set policy-expiry [enable|disable] |
|
set policy-expiry-date {datetime} |
|
set policy-expiry-date-utc {user} |
|
set poolname <name1>, <name2>, ... |
|
set poolname6 <name1>, <name2>, ... |
|
set port-preserve [enable|disable] |
|
set profile-group {string} |
|
set profile-protocol-options {string} |
|
set profile-type [single|group] |
|
set radius-mac-auth-bypass [enable|disable] |
|
set redirect-url {var-string} |
|
set replacemsg-override-group {string} |
|
set reputation-direction [source|destination] |
|
set reputation-direction6 [source|destination] |
|
set reputation-minimum {integer} |
|
set reputation-minimum6 {integer} |
|
set rtp-addr <name1>, <name2>, ... |
|
set rtp-nat [disable|enable] |
|
set schedule {string} |
|
set schedule-timeout [enable|disable] |
|
set sctp-filter-profile {string} |
|
set send-deny-packet [disable|enable] |
|
set service <name1>, <name2>, ... |
|
set service-negate [enable|disable] |
|
set session-ttl {user} |
|
set sgt <id1>, <id2>, ... |
|
set sgt-check [enable|disable] |
|
set src-vendor-mac <id1>, <id2>, ... |
|
set srcaddr <name1>, <name2>, ... |
|
set srcaddr-negate [enable|disable] |
|
set srcaddr6 <name1>, <name2>, ... |
|
set srcaddr6-negate [enable|disable] |
|
set srcintf <name1>, <name2>, ... |
|
set ssh-filter-profile {string} |
|
set ssh-policy-redirect [enable|disable] |
|
set ssl-ssh-profile {string} |
|
set status [enable|disable] |
|
set tcp-mss-receiver {integer} |
|
set tcp-mss-sender {integer} |
|
set tcp-session-without-syn [all|data-only|disable] |
|
set timeout-send-rst [enable|disable] |
|
set tos {user} |
|
set tos-mask {user} |
|
set tos-negate [enable|disable] |
|
set traffic-shaper {string} |
|
set traffic-shaper-reverse {string} |
|
set users <name1>, <name2>, ... |
|
set utm-status [enable|disable] |
|
set uuid {uuid} |
|
set videofilter-profile {string} |
|
set virtual-patch-profile {string} |
|
set vlan-cos-fwd {integer} |
|
set vlan-cos-rev {integer} |
|
set vlan-filter {user} |
|
set voip-profile {string} |
|
set vpntunnel {string} |
|
set waf-profile {string} |
|
set wanopt [enable|disable] |
|
set wanopt-detection [active|passive|off] |
|
set wanopt-passive-opt [default|transparent|non-transparent] |
|
set wanopt-peer {string} |
|
set wanopt-profile {string} |
|
set wccp [enable|disable] |
|
set webcache [enable|disable] |
|
set webcache-https [disable|enable] |
|
set webfilter-profile {string} |
|
set webproxy-forward-server {string} |
|
set webproxy-profile {string} |
|
set ztna-device-ownership [enable|disable] |
|
set ztna-ems-tag <name1>, <name2>, ... |
|
set ztna-ems-tag-secondary <name1>, <name2>, ... |
|
set ztna-geo-tag <name1>, <name2>, ... |
|
set ztna-policy-redirect [enable|disable] |
|
set ztna-status [enable|disable] |
|
set ztna-tags-match-logic [or|and] |
|
next |
|
end\n |
|
""" |
|
|
|
if __name__ == "__main__": |
|
args = parse_args() |
|
tokenizer = AutoTokenizer.from_pretrained("lliu01/fortios_one_config") |
|
model = AutoModelForCausalLM.from_pretrained( |
|
"lliu01/fortios_one_config", |
|
torch_dtype=torch.bfloat16, |
|
low_cpu_mem_usage=True |
|
) |
|
device = torch.device('cuda' if torch.cuda.is_available() else 'cpu') |
|
model = model.to(device) |
|
gr.ChatInterface( |
|
predict, |
|
title="FortiOS CLI Chat - Demo", |
|
description="FortiOS CLI Chat", |
|
theme="soft", |
|
chatbot=gr.Chatbot(label="Chat History",), |
|
textbox=gr.Textbox(placeholder="input", container=False, scale=7), |
|
retry_btn=None, |
|
undo_btn="Delete Previous", |
|
clear_btn="Clear", |
|
additional_inputs=[ |
|
gr.Textbox(sys_prompt, label="System Prompt"), |
|
gr.Slider(0, 1, 0.5, label="Temperature"), |
|
gr.Slider(100, 2048, 1024, label="Max Tokens"), |
|
], |
|
examples=[ |
|
["Allow all traffic from any source IP address and any source interface 'port10' to any destination IP address and any destination interface 'port9'. This policy will be applied at all times (always) and will allow all services. Additionally, this policy will enable UTM features, use proxy-based inspection mode, and use an SSL-SSH profile named 'deep-custom'. Finally, this policy will also enable source NAT."], |
|
["Configure a firewall policy to allow users 'dina' and '15947' to access 'DR-Exchange-Servers' and 'HQ-Exchange-Servers' using RDP protocol from the 'SSL-VPN-IT-Pool' address range, incoming from the 'ssl.FG-Traffic' interface and outgoing to the 'FG-PA-Inside' interface. The policy should have Antivirus scanning enabled with profile 'ABE_AV' and log all traffic. The policy should be always active and currently disabled for testing or maintenance purposes."], |
|
["Configure a firewall policy named 'ZoomAccess' that allows traffic from the 'IP_10.96.54.149' and 'HighCourt_Zoom' addresses coming in through the 'VLAN51' interface to access the 'Zoom_access' destination through the 'npu0_vlink1' interface, at any time, with all services allowed, using proxy-based inspection and SSL certificate inspection."], |
|
["Create a dynamic firewall address object named 'EMS2_ZTNA_Condiciones-Clinic' that is based on a FortiClient EMS tag. This object will be used to represent a group of devices that have the 'Condiciones-Clinic' tag in the EMS system, which is related to zero-trust access control (ZTNA)."], |
|
["The user wants to create a dynamic firewall address object named 'Pre-Prod DMN Servers' that retrieves IP addresses from a VMware vCenter SDN (Software-Defined Networking) environment. The object will dynamically include IP addresses that match the filter criteria 'Name=b4dmn*' from the vCenter inventory. Specifically, the object will include the following IP addresses: 172.21.121.44, 172.21.121.45, 172.21.121.46, 172.21.121.47, 172.21.121.48, and 172.21.121.49, each with associated object IDs and network IDs for further identification and grouping."], |
|
["The user wants to create a traffic shaper named 'Videoconferencia' that limits the maximum bandwidth to 60 megabits per second, effectively enforcing an upper bandwidth limit for video conferencing traffic."], |
|
["Configure an interface named 'Sec60' in the 'root' virtual domain with an IP address of 172.18.60.1/24. Allow management access to this interface for ping, fabric, and speed-test. Enable device identification and set the interface role to LAN. Set the SNMP index to 41 and enable auto-authentication for dedicated Fortinet extension devices. Additionally, enable switch controller features such as IGMP snooping, IGMP snooping proxy, and DHCP snooping. Set the color of the interface icon on the GUI to 7 and associate it with the 'FortiLink' interface and VLAN ID 60."], |
|
], |
|
additional_inputs_accordion_name="Parameters", |
|
).queue().launch() |
