Scripts – FortiManager 5.2

Example: Create custom IPS signatures and add them to a custom group.

Script:

#!

#Run on FortiOS v5.00

#This script will create custom ips signatures and #change the settings for the custom ips signatures

puts [exec “# This is an example Tcl script to create custom ips signatures and change the settings for the custom ips signatures on a FortiGate\n” “# ” 15 ]

#Enter custom ips signatures, signature names are the

#names of array elements set custom_sig(c1) {“F-SBID(–protocol icmp;–icmp_type 10; )”} set custom_sig(c2) {“F-SBID(–protocol icmp;–icmp_type 0; )”}

#Enter custom ips settings set custom_rule(c1) {{status enable} {action block} {log enable} {log-packet} {severity high}}

set custom_rule(c2) {{status enable} {action pass} {log} {log-packet disable} {severity low}}

#procedure to execute FortiGate command proc fgt_cmd cmd {

puts -nonewline [exec “$cmd\n” “# “]

}

#procedure to set a series of key-value pairs proc set_kv kv_list { foreach kv $kv_list { set len [llength $kv]

if {$len == 0} {

continue

} elseif {$len == 1} { fgt_cmd “unset [lindex $kv 0]”

} else {

fgt_cmd “set [lindex $kv 0] [lindex $kv 1]”

}

} }

#config ips custom—begin fgt_cmd “config vdom” fgt_cmd “edit root” fgt_cmd “config ips custom”

foreach sig_name [array names custom_sig] { fgt_cmd “edit $sig_name”

fgt_cmd “set signature $custom_sig($sig_name)” fgt_cmd “next”

}

fgt_cmd “end”

#config ips custom settings—begin foreach rule_name [array names custom_rule] { fgt_cmd “config ips custom” fgt_cmd “edit $rule_name” set_kv $custom_rule($rule_name) fgt_cmd “end”

}

fgt_cmd “end”

#config ips custom settings—end

Output:

Starting log (Run on device)

FortiGate-VM64 # config vdom FortiGate-VM64 (vdom) # edit root

current vf=root:0

FortiGate-VM64 (root) # config ips custom FortiGate-VM64 (custom) # edit c1

set signature “F-SBID(–protocol icmp;–icmp_type 10; )”

FortiGate-VM64 (c1) # set signature “F-SBID(–protocol icmp;–icmp_type 10; )”

FortiGate-VM64 (c1) # next

FortiGate-VM64 (custom) # edit c2

FortiGate-VM64 (c2) # set signature “F-SBID(–protocol icmp;–icmp_type 0; )”

FortiGate-VM64 (c2) # next

FortiGate-VM64 (custom) # end

FortiGate-VM64 (root) # config ips custom

FortiGate-VM64 (custom) # edit c1

FortiGate-VM64 (c1) # set status enable

FortiGate-VM64 (c1) # set action block

FortiGate-VM64 (c1) # set log enable

FortiGate-VM64 (c1) # unset log-packet

FortiGate-VM64 (c1) # set severity high

FortiGate-VM64 (c1) # end

FortiGate-VM64 (root) # config ips custom

FortiGate-VM64 (custom) # edit c2

FortiGate-VM64 (c2) # set status enable

FortiGate-VM64 (c2) # set action pass

FortiGate-VM64 (c2) # unset log

FortiGate-VM64 (c2) # set log-packet disable

FortiGate-VM64 (c2) # set severity low

FortiGate-VM64 (c2) # end

FortiGate-VM64 (root) # end

FortiGate-VM64 #

——- The end of log ———-

Variations:

None.

Tcl file IO

You can write to and read from files using Tcl scripts. For security reasons there is only one directory on the

FortiManager where scripts can access files. For this reason, there is no reason to include the directory in the file name you are accessing. For example “/var/temp/myfile” or “~/myfile” will cause an error, but “myfile” or “/myfile” is OK.

The Tcl commands that are supported for file IO are: file, open, gets, read, tell, seek, eof, flush, close, fcopy, fconfigure, and fileevent.

The Tcl file command only supports delete subcommand, and does not support the -force option.

There is 10MB of diskspace allocated for Tcl scripts. An error will be reported if this size is exceeded.

These files will be reset when the following CLI commands are run: exec format, exec reset partition, or exec resetall. The files will not be reset when the firmware is updated unless otherwise specified.

To write to a file:  
Script #!

set somefile [open “tcl_test” w] puts $somefile “Hello, world!” close $somefile

To read from a file:
Script                          #!

set otherfile [open “tcl_test” r] while {[gets $otherfile line] >= 0} { puts [string length $line]

}

close $otherfile

Output                 Hello, world!

These two short scripts write a file called tcl_test and then read it back.

Line 3 in both scripts opens the file either for reading (r) or writing (w) and assigns it to a filehandle (somefile or otherfile). Later in the script when you see these filehandles, its input or output passing to the open file.

When reading from the file, lines 4 and 5 loop through the file line by line until it reaches the end of the file. Each line that is read is put to the screen.

Both scripts close the file before they exit.

Troubleshooting Tips

This section includes suggestions to help you find and fix problems you may be having with your scripts.

  • Make sure the commands you are trying to execute are valid for the version of FortiOS running on your target FortiGate device.
  • You should always use braces when evaluating code that may contain user input, to avoid possible security breaches. To illustrate the danger, consider this interactive session:

% set userinput {[puts DANGER!]}

[puts DANGER!] % expr $userinput == 1 DANGER!

0

% expr {$userinput == 1}

0

In the first example, the code contained in the user-supplied input is evaluated, whereas in the second the braces prevent this potential danger. As a general rule, always surround expressions with braces, whether using expr directly or some other command that takes an expression.

  • A number that includes a leading zero or zeros, such as 0500 or 0011, is interpreted as an octal number, not a decimal number. So 0500 is actually 320 in decimal, and 0011 is 9 in decimal.
  • There is a limit to the number of scripts allowed on the FortiManager unit. Try removing an old script before trying to save your current one.
  • Using the Tcl command “catch” you can add custom error messages in your script to alert you to problems during the script execution. When catch encounters an error it will return 1, but if there is no error it will return 0. For example:

if { [catch {open $someFile w} fid] } {

puts stderr “Could not open $someFile for writing\n$fid” exit 1 ;# error opening the file! } else {

# put the rest of your script here

}

Use Tcl script to access FortiManager’s device database or ADOM database

You can use Tcl script to access FortiManager’s device database or ADOM database (local database). See the examples below:

Example 1: Run the Tcl script on an ADOM database for a specify policy package. For example, creating new a policy or object:

Syntax puts [exec_ondb “/adom/<adom_name>/pkg/<pkg_fullpath>” “embedded cli commands” “#

“]

Usage puts [exec_ondb “/adom/52/pkg/default” ” config firewall address edit port5_address next end

” “# “]

Example 2: Run the Tcl script on the current ADOM database for a specify policy package. For example, creating a new policy and object:

Syntax   puts [exec_ondb “/adom/./pkg/<pkg_fullpath>” “embedded cli commands” “# “]
  or puts [exec_ondb “/pkg/<pkg_fullpath>” “embeded cli commands” “# “]
Usage   puts [exec_ondb “/adom/./pkg/default” ” config firewall address edit port5_address next end

” “# “]

Example 3: Run Tcl script on a specific device in an ADOM:

Syntax puts [exec_ondb “/adom/<adom_name>/device/<dev_name>” “embedded cli commands” “#

“]

Usage puts [exec_ondb “/adom/v52/device/FGT60CA” ” config global config system global set admintimeout 440

end end

” “# “]

Example 4: Run Tcl script on all devices in an ADOM:

Syntax puts [exec_ondb “/adom/<adom_name>/device/.” “embedded cli commands” “# “]
Usage puts [exec_ondb “/adom/v52/device/.” ” config global config system global set admintimeout 440

end end

” “# “]

 

This entry was posted in Administration Guides, FortiManager and tagged , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.