Scripts – FortiManager 5.2

Example: Configure common global settings.

Script:

```tcl
#!
#Run on FortiOS v5.00
#This script will configure common global, user group and ntp settings
#if you do not want to set a parameter, comment the
#corresponding set command
#if you want to reset a parameter to its default
#value, set it to an empty string
puts [exec "# This is an example Tcl script to configure global, user group and ntp setting of FortiGate\n" "# " 15 ]

# global
set sys_global(admintimeout) ""

# user group
set sys_user_group(authtimeout) 20

# ntp
set sys_ntp(source-ip) "0.0.0.0"
set sys_ntp(ntpsync) "enable"

#procedure to execute FortiGate command
proc fgt_cmd cmd {
    puts -nonewline [exec "$cmd\n" "# " 30]
}

#config system global--begin
fgt_cmd "config global"
fgt_cmd "config system global"
foreach key [array names sys_global] {
    if {$sys_global($key) ne ""} {
        fgt_cmd "set $key $sys_global($key)"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
fgt_cmd "end"
#config system global--end

#config system user group--begin
fgt_cmd "config vdom"
fgt_cmd "edit root"
fgt_cmd "config user group"
fgt_cmd "edit groupname"
foreach key [array names sys_user_group] {
    if {$sys_user_group($key) ne ""} {
        fgt_cmd "set $key $sys_user_group($key)"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
fgt_cmd "end"
#config system user group--end

#config system ntp--begin
fgt_cmd "config global"
fgt_cmd "config system ntp"
foreach key [array names sys_ntp] {
    if {$sys_ntp($key) ne ""} {
        fgt_cmd "set $key $sys_ntp($key)"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
fgt_cmd "end"
#config system ntp--end
```

Output:

```text
------- Executing time: 2013-10-22 09:12:57 ------
Starting log (Run on device)
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config system global
FortiGate-VM64 (global) # unset admintimeout
FortiGate-VM64 (global) # end
FortiGate-VM64 (global) # end
FortiGate-VM64 # config vdom
FortiGate-VM64 (vdom) # edit root
current vf=root:0
FortiGate-VM64 (root) # config user group
FortiGate-VM64 (group) # edit groupname
FortiGate-VM64 (groupname) # set authtimeout 20
FortiGate-VM64 (groupname) # end
FortiGate-VM64 (root) # end
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config system ntp
FortiGate-VM64 (ntp) # set ntpsync enable
FortiGate-VM64 (ntp) # set source-ip 0.0.0.0
FortiGate-VM64 (ntp) # end
FortiGate-VM64 (global) # end
FortiGate-VM64 #
------- The end of log ----------
```

Example: Configure syslogd settings and filters.

Script:

```tcl
#!
#Run on FortiOS v5.00
#This script will configure log syslogd setting and
#filter
puts [exec "# This is an example Tcl script to configure log syslogd setting and filter setting of FortiGate\n" "# " 15 ]

#key-value pairs for 'config log syslogd setting', no
#value means default value.
set setting_list {{status enable} {csv enable}
    {facility alert} {port} {server 1.1.1.2}}

#key-value pairs for 'config log syslogd filter', no
#value means default value.
set filter_list {{attack enable} {email enable} {severity} {traffic enable} {virus disable}
    {web enable}}

#set the number of syslogd server, "", "2" or "3"
set syslogd_no "2"

#procedure to execute FortiGate CLI command
proc fgt_cmd cmd {
    puts -nonewline [exec "$cmd\n" "# "]
}

#procedure to set a series of key-value pairs
proc set_kv kv_list {
    foreach kv $kv_list {
        set len [llength $kv]
        if {$len == 0} {
            continue
        } elseif {$len == 1} {
            fgt_cmd "unset [lindex $kv 0]"
        } else {
            fgt_cmd "set [lindex $kv 0] [lindex $kv 1]"
        }
    }
}

#configure log syslogd setting--begin
fgt_cmd "config global"
fgt_cmd "config log syslogd$syslogd_no setting"
set_kv $setting_list
fgt_cmd "end"
#configure log syslogd setting--end

#configure log syslogd filter--begin
fgt_cmd "config log syslogd$syslogd_no filter"
set_kv $filter_list
fgt_cmd "end"
#configure log syslogd filter--end
```

Output:

```text
Starting log (Run on device)
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config log syslogd2 setting
FortiGate-VM64 (setting) # set status enable
FortiGate-VM64 (setting) # set csv enable
FortiGate-VM64 (setting) # set facility alert
FortiGate-VM64 (setting) # unset port
FortiGate-VM64 (setting) # set server 1.1.1.2
FortiGate-VM64 (setting) # end
FortiGate-VM64 (global) # config log syslogd2 filter
FortiGate-VM64 (filter) # set attack enable
FortiGate-VM64 (filter) # set email enable
FortiGate-VM64 (filter) # unset severity
FortiGate-VM64 (filter) # set traffic enable
FortiGate-VM64 (filter) # set virus disable
FortiGate-VM64 (filter) # set web enable
FortiGate-VM64 (filter) # end
FortiGate-VM64 (global) #
------- The end of log ----------
```
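As an added example that is not part of the FortiManager guide, the Python below reproduces the set_kv rules of the syslogd script (empty item skipped, one element unset, two elements set) so the command stream can be reviewed offline before it is pushed, extracts the echoed commands from a captured run log to confirm the device received exactly that stream, and tracks config/edit nesting the way the logs above show it (an `end` issued inside an `edit` returns to the enclosing level). The lists and the log are copied from the page; `open_contexts` returning 1 reflects that the syslogd script never sends the `end` that would close `config global`, which is why its log finishes at the `(global) #` prompt.

```python
# Added example (not from the FortiManager guide): mirrors the syslogd script's
# set/unset rules offline and checks a run log against them; data is from the page.
SETTING_LIST = [["status", "enable"], ["csv", "enable"], ["facility", "alert"],
                ["port"], ["server", "1.1.1.2"]]
FILTER_LIST = [["attack", "enable"], ["email", "enable"], ["severity"],
               ["traffic", "enable"], ["virus", "disable"], ["web", "enable"]]

def render_kv(kv_list):
    """set_kv rules: empty item skipped, one element -> unset, two -> set."""
    return [f"unset {kv[0]}" if len(kv) == 1 else f"set {kv[0]} {kv[1]}"
            for kv in kv_list if kv]

def syslogd_commands(syslogd_no, setting_list, filter_list):
    """CLI stream the script sends, in its order (note: no final 'end')."""
    return (["config global", f"config log syslogd{syslogd_no} setting"]
            + render_kv(setting_list) + ["end", f"config log syslogd{syslogd_no} filter"]
            + render_kv(filter_list) + ["end"])

def open_contexts(cmds):
    """Config/edit levels still open when the stream ends (0 = top-level prompt)."""
    stack = []
    for word in (c.split()[0] for c in cmds):
        if word in ("config", "edit"):
            stack.append(word)
        elif word == "next" and stack[-1:] == ["edit"]:
            stack.pop()
        elif word == "end":  # inside an edit, 'end' also closes the enclosing table
            while stack and stack.pop() != "config":
                pass
    return len(stack)

def commands_from_log(log_text):
    """Commands echoed after the device prompt in a 'Run on device' log."""
    return [cmd.strip() for line in log_text.splitlines()
            for _, sep, cmd in [line.strip().partition(" # ")] if sep and cmd.strip()]

SAMPLE_LOG = """FortiGate-VM64 # config global
FortiGate-VM64 (global) # config log syslogd2 setting
FortiGate-VM64 (setting) # set status enable
FortiGate-VM64 (setting) # set csv enable
FortiGate-VM64 (setting) # set facility alert
FortiGate-VM64 (setting) # unset port
FortiGate-VM64 (setting) # set server 1.1.1.2
FortiGate-VM64 (setting) # end
FortiGate-VM64 (global) # config log syslogd2 filter
FortiGate-VM64 (filter) # set attack enable
FortiGate-VM64 (filter) # set email enable
FortiGate-VM64 (filter) # unset severity
FortiGate-VM64 (filter) # set traffic enable
FortiGate-VM64 (filter) # set virus disable
FortiGate-VM64 (filter) # set web enable
FortiGate-VM64 (filter) # end"""  # run log copied from the page's example
```

Comparing `commands_from_log(SAMPLE_LOG)` with `syslogd_commands("2", SETTING_LIST, FILTER_LIST)` confirms the device echoed every intended command in order and nothing else.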


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).