Scripts – FortiManager 5.2

Example: Add information to existing firewall policies.

Script:

#!
# need to define procedure do_cmd
# the second parameter of exec should be "# "
# If a command is split over multiple lines, use "\" to continue it
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# "]
}

# Read every policy's settings into the array fw_policy, indexed by policy ID.
# CLI keywords such as diffservcode-forward contain a hyphen, so the key
# pattern is [\w-]+ rather than \w+ (with \w+ alone those lines are never
# captured and every policy would be re-edited on each run).
foreach line [split [exec "show firewall policy\n" "# "] \n] {
    if {[regexp {edit[ ]+([0-9]+)} $line match policyid]} {
        continue
    } elseif {[regexp {set[ ]+([\w-]+)[ ]+(.*)\r} $line match key value]} {
        lappend fw_policy($policyid) "$key $value"
    }
}

# Add the DSCP marking only to policies that do not already carry it. The
# entry searched for must use the CLI keyword (hyphen), not an underscore.
do_cmd "config firewall policy"
foreach policyid [array names fw_policy] {
    if {[lsearch -exact $fw_policy($policyid) {diffservcode-forward 000011}] == -1} {
        do_cmd "edit $policyid"
        do_cmd "set diffserv-forward enable"
        do_cmd "set diffservcode-forward 000011"
        do_cmd "next"
    }
}
do_cmd "end"

Variations:

This type of script is useful for updating long lists of records. For example, if a new FortiOS version adds keywords to user accounts, you can write a similar script that lists the user accounts and, for each one, edits it, adds the new information, and moves on to the next.

This script uses two decision statements, both based on text matching. The first examines each line of the show firewall policy output: an edit line supplies the policy ID for the lines that follow, a set line is saved as a "key value" pair in the fw_policy array under that policy ID, and any other line is skipped. The second searches each policy's saved settings to see which policies are missing the diffservcode-forward 000011 entry, and edits only those. In analyzing this script:

  • the required #! on the first line indicates that this is a Tcl script
  • the do_cmd procedure sends one CLI command with exec and prints the device's reply; "# " is the prompt that exec waits for before returning
  • the first foreach loop reads each policy's settings from show firewall policy and appends them to the array variable fw_policy, indexed by policy ID
  • do_cmd "config firewall policy" opens the CLI firewall policy section to prepare for the loop
  • the second foreach loop steps through all the firewall policy IDs stored in fw_policy
  • the lsearch test checks each policy for an existing diffservcode-forward 000011 entry; if it is not found the four do_cmd calls inside the if are executed, otherwise they are skipped
  • do_cmd "edit $policyid" opens the policy selected by the loop
  • the two set commands enable diffserv-forward and set diffservcode-forward to 000011
  • do_cmd "next" saves this entry and prepares for the next one
  • the closing braces end the if statement and then the foreach loop
  • do_cmd "end" saves all the updated firewall policy entries
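The parse-then-edit logic of the script above, as an added Python example that is not part of the original page or of the FortiManager product: it parses constructed show firewall policy output the way the Tcl loop does, then generates only the CLI commands needed for policies that lack the DSCP marking, so the plan is empty when a second run would change nothing. The sample output, the DSCP_MARKING target and the function names are assumptions made for this example. Running it offline against output captured from a real device is a cheap way to confirm that the key pattern captures every keyword before a script edits hundreds of policies.

```python
import re
from typing import Dict, List

# Constructed sample of what `show firewall policy` returns over the
# FortiManager exec channel: CRLF line endings, the echoed command, the
# trailing prompt, and two policies of which only policy 2 already carries
# the DSCP marking that the page's script adds.
SAMPLE_SHOW_OUTPUT = (
    "show firewall policy\r\n"
    "config firewall policy\r\n"
    "    edit 1\r\n"
    "        set srcintf \"port1\"\r\n"
    "        set dstintf \"port2\"\r\n"
    "        set action accept\r\n"
    "        set service \"ALL\"\r\n"
    "    next\r\n"
    "    edit 2\r\n"
    "        set srcintf \"port2\"\r\n"
    "        set dstintf \"port1\"\r\n"
    "        set action accept\r\n"
    "        set diffserv-forward enable\r\n"
    "        set diffservcode-forward 000011\r\n"
    "    next\r\n"
    "end\r\n"
    "FortiGate-VM64 # "
)

# Hypothetical target: the two keywords the page's script sets on every policy.
DSCP_MARKING = {"diffserv-forward": "enable", "diffservcode-forward": "000011"}

EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
# Keys such as diffservcode-forward contain hyphens, so [\w-] rather than \w.
SET_RE = re.compile(r"^\s*set\s+([\w-]+)\s+(.*?)\s*$")
NEXT_RE = re.compile(r"^\s*next\s*$")


def parse_show_output(text: str) -> Dict[int, Dict[str, str]]:
    """Turn `show <table>` output into {entry_id: {key: value}}, as the Tcl loop does."""
    entries: Dict[int, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():  # splitlines() also strips the trailing \r
        m = EDIT_RE.match(line)
        if m:
            current = int(m.group(1))
            entries[current] = {}
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
        elif NEXT_RE.match(line):
            current = None
    return entries


def plan_updates(entries: Dict[int, Dict[str, str]], wanted: Dict[str, str],
                 table: str = "firewall policy") -> List[str]:
    """CLI lines that bring every entry up to `wanted`; empty when nothing needs changing."""
    body: List[str] = []
    for entry_id in sorted(entries):
        missing = {k: v for k, v in wanted.items() if entries[entry_id].get(k) != v}
        if not missing:
            continue  # already carries the marking: skip, as the lsearch test does
        body.append(f"edit {entry_id}")
        body.extend(f"set {k} {v}" for k, v in missing.items())
        body.append("next")
    return [f"config {table}"] + body + ["end"] if body else []


def apply_plan(entries: Dict[int, Dict[str, str]], plan: List[str]) -> Dict[int, Dict[str, str]]:
    """Replay a plan against the parsed table: what the FortiGate would hold afterwards."""
    current = None
    for cmd in plan:
        m = EDIT_RE.match(cmd)
        if m:
            current = int(m.group(1))
            entries.setdefault(current, {})
            continue
        m = SET_RE.match(cmd)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
        elif NEXT_RE.match(cmd):
            current = None
    return entries


if __name__ == "__main__":
    for cmd in plan_updates(parse_show_output(SAMPLE_SHOW_OUTPUT), DSCP_MARKING):
        print(cmd)
```

The generated lines are exactly what the Tcl script's do_cmd calls send; replaying the plan and planning again should yield an empty list, which is the property to check before trusting the script on a production policy table.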
Additional Tcl Scripts

Example: Get and display state information about the FortiGate device.

Script:

#!
#Run on FortiOS v5.00
#This script will display FortiGate's CPU states,
#Memory states, and Up time
puts [exec "# This is an example Tcl script to get the system performance of the FortiGate\n" "# " 15]
set input [exec "get system status\n" "# " 15]
regexp {Version: *([^ ]+) ([^,]+),build([0-9]+),[0-9]+} $input dummy status(Platform) status(Version) status(Build)
# config global is only accepted when VDOMs are enabled on the unit; on a
# FortiGate without VDOMs run get system performance status directly
if {$status(Version) eq "v5.0"} {
    puts -nonewline [exec "config global\n" "# " 30]
    puts -nonewline [exec "get system performance status\n" "# " 30]
    puts -nonewline [exec "end\n" "# " 30]
} else {
    puts -nonewline [exec "get system performance\n" "# " 30]
}

Output:

——- Executing time: 2013-10-21 16:21:43 ——

Starting log (Run on device)

FortiGate-VM64 # config global

FortiGate-VM64 (global) # get system performance status

CPU states: 0% user 0% system 0% nice 100% idle

CPU0 states: 0% user 0% system 0% nice 100% idle

CPU1 states: 0% user 0% system 0% nice 100% idle

Memory states: 73% used

Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes

Average sessions: 1 sessions in 1 minute, 2 sessions in 10 minutes, 2 sessions in 30 minutes

Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes

Virus caught: 0 total in 1 minute

IPS attacks blocked: 0 total in 1 minute

Uptime: 6 days, 1 hours, 34 minutes

FortiGate-VM64 (global) # end

FortiGate-VM64 #

——- The end of log ———-
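An added Python example, not from the page or from Fortinet, that parses the two command outputs this script deals with: the Version line of get system status, using the page's own regular expression, and the get system performance status output above, turned into numbers a monitoring check can act on. It branches on whether VDOMs are enabled (the condition under which config global is accepted) instead of on the version string; the sample status text, the threshold values and the function names are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed samples. The status text follows the `get system status` layout
# of a FortiOS 5.0 unit; the performance text is the page's own output from
# `get system performance status`.
SAMPLE_STATUS = (
    "Version: FortiGate-VM64 v5.0,build0228,130624 (GA Patch 3)\r\n"
    "Virus-DB: 16.00560(2012-10-19 08:21)\r\n"
    "Serial-Number: FGVM00UNLICENSED\r\n"
    "Virtual domain configuration: enable\r\n"
    "Current HA mode: standalone\r\n"
    "FortiGate-VM64 # "
)
SAMPLE_PERFORMANCE = (
    "CPU states: 0% user 0% system 0% nice 100% idle\r\n"
    "CPU0 states: 0% user 0% system 0% nice 100% idle\r\n"
    "CPU1 states: 0% user 0% system 0% nice 100% idle\r\n"
    "Memory states: 73% used\r\n"
    "Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes\r\n"
    "Average sessions: 1 sessions in 1 minute, 2 sessions in 10 minutes, 2 sessions in 30 minutes\r\n"
    "Virus caught: 0 total in 1 minute\r\n"
    "IPS attacks blocked: 0 total in 1 minute\r\n"
    "Uptime: 6 days, 1 hours, 34 minutes\r\n"
)

# Same pattern the page's Tcl script uses: platform, version, build.
VERSION_RE = re.compile(r"Version: *([^ ]+) ([^,]+),build([0-9]+),[0-9]+")
VDOM_RE = re.compile(r"Virtual domain configuration: *(\w+)")


def parse_status(text: str) -> Dict[str, object]:
    """Extract platform/version/build and whether VDOMs are enabled."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Version line in get system status output")
    vdom = VDOM_RE.search(text)
    return {
        "platform": m.group(1),
        "version": m.group(2),
        "build": m.group(3),
        # 'enable' on 5.0, 'multiple' on later releases; only 'disable' means no VDOMs
        "vdom_enabled": vdom is not None and vdom.group(1) != "disable",
    }


def performance_commands(status: Dict[str, object]) -> List[str]:
    """config global is only accepted with VDOMs enabled, so branch on that, not on version."""
    if status["vdom_enabled"]:
        return ["config global", "get system performance status", "end"]
    return ["get system performance status"]


def parse_performance(text: str) -> Dict[str, int]:
    """Pull CPU, memory and uptime figures out of get system performance status output."""
    cpu = re.search(r"^CPU states: +(\d+)% user +(\d+)% system +(\d+)% nice +(\d+)% idle", text, re.M)
    mem = re.search(r"^Memory states: +(\d+)% used", text, re.M)
    up = re.search(r"^Uptime: +(\d+) days?, +(\d+) hours?, +(\d+) minutes?", text, re.M)
    if not (cpu and mem and up):
        raise ValueError("unexpected get system performance status output")
    days, hours, minutes = (int(x) for x in up.groups())
    return {
        "cpu_user_pct": int(cpu.group(1)),
        "cpu_idle_pct": int(cpu.group(4)),
        "mem_used_pct": int(mem.group(1)),
        "uptime_minutes": days * 1440 + hours * 60 + minutes,
    }


def check_thresholds(perf: Dict[str, int], max_mem_used: int = 80,
                     min_uptime_minutes: int = 60) -> List[str]:
    """Flag memory pressure or a recent (possibly unplanned) reboot; thresholds are assumptions."""
    findings = []
    if perf["mem_used_pct"] >= max_mem_used:
        findings.append(f"memory {perf['mem_used_pct']}% used (threshold {max_mem_used}%)")
    if perf["uptime_minutes"] < min_uptime_minutes:
        findings.append(f"uptime only {perf['uptime_minutes']} minutes")
    return findings


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print(status, performance_commands(status))
    print(check_thresholds(parse_performance(SAMPLE_PERFORMANCE)))
```

The command list returned by performance_commands is what the script would hand to exec one line at a time; the parsed figures are what a scheduled FortiManager script would log, and the threshold check is where a practitioner would hook an alert.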



About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
