Scripts – FortiManager 5.2

CLI scripts

CLI scripts include only FortiOS CLI commands as they are entered at the command line prompt on a FortiGate device. CLI scripts do not include Tool Command Language (Tcl) commands, and the first line of the script is not “#!” as it is for Tcl scripts.

CLI scripts are useful for specific tasks such as configuring a routing table, adding new firewall policies, or getting system information. These example tasks easily apply to any or all FortiGate devices connected to the FortiManager system.

However, the more complex a CLI script becomes, the less it can be used with all FortiGate devices; it quickly becomes tied to one particular device or configuration. For example, a script that includes the specific IP address of a FortiGate device's interfaces cannot be executed on a different FortiGate device.

Samples of CLI scripts have been included to help get you started writing your own scripts for your network administration tasks.

Error messages will help you determine the causes of any CLI scripting problems, and fix them. For more information, see Error Messages.

The troubleshooting tips section provides some suggestions on how to quickly locate and fix problems in your CLI scripts. For more information, see Troubleshooting Tips.

CLI script samples

There are two types of CLI scripts. The first type gets information from your FortiGate device; the second type changes information on your FortiGate device.

Getting information remotely is one of the main purposes of your FortiManager system, and CLI scripts allow you to access any information on your FortiGate devices. Getting information typically involves only one line of script as the following scripts show.

To view interface information for port1:

Script:
show system interface port1

Output:
config system interface
    edit "port1"
        set vdom "root"
        set ip 172.20.120.148 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
end

Variations: Remove the interface name to see a list that includes all the interfaces on the FortiGate device, including virtual interfaces such as VLANs.

Note: This script does not work when run on a policy package.
If the preceding script is run on the FortiGate directly (via CLI), or on the device database, on a FortiGate that has VDOMs enabled, it must be modified to the following:

config global
    show system interface port1
end

Running it on the device database does not yield any useful information, as the following log shows.

View the log of script running on device: FortiGate-VM64-70

------- Executing time: 2013-10-15 13:27:32 ------
Starting log (Run on database)
config global
end
Running script on DB success
------- The end of log ----------

 

The script should instead be run on the FortiGate directly (via CLI):

View the log of script running on device: FortiGate-VM64-70

------- Executing time: 2013-10-15 13:52:02 ------
Starting log (Run on device)
FortiGate-VM64 $ config global
FortiGate-VM64 (global) $ show system interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.2.66.181 255.255.0.0
        set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct probe-response capwap
        set type physical
        set snmp-index 1
    next
end
FortiGate-VM64 (global) $ end
------- The end of log ----------

To view the entries in the static routing table when VDOMs are enabled on the FortiGate, the script must be rewritten as follows and run on the FortiGate directly (via CLI); otherwise it returns no useful information:

config vdom
    edit root
        show route static
    next
end

Here is a sample run of the preceding script on the FortiGate directly (via CLI). View the log of script running on device: FortiGate-VM64-70

------- Executing time: 2013-10-15 14:24:10 ------
Starting log (Run on device)
FortiGate-VM64 $ config vdom
FortiGate-VM64 (vdom) $ edit root
current vf=root:0
FortiGate-VM64 (root) $ show route static
config router static
    edit 1
        set device "port1"
        set gateway 10.2.0.250
    next
end
FortiGate-VM64 (root) $ next
FortiGate-VM64 (vdom) $ end
------- The end of log ----------

 

To view the entries in the static routing table:

Script:
show route static

Output:
config router static
    edit 1
        set device "port1"
        set gateway 172.20.120.2
    next
    edit 2
        set device "port2"
        set distance 7
        set dst 172.20.120.0 255.255.255.0
        set gateway 172.20.120.2
    next
end

Variations: none
View information about all the configured FDN servers on this device:

Script:
config global
    diag debug rating
end

Output: View the log of script running on device: FortiGate-VM64

------- Executing time: 2013-10-15 14:32:15 ------
Starting log (Run on device)
FortiGate-VM64 $ config global
FortiGate-VM64 (global) $ diagnose debug rating
Locale : english
License : Contract
Expiration : Thu Jan 3 17:00:00 2030
-=- Server List (Tue Oct 15 14:32:49 2013) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost
192.168.100.206 35 2 DIF -8 4068 72 305
192.168.100.188 36 2 F -8 4052 72 308
FortiGate-VM64 (global) $ end
------- The end of log ----------

Variations: Output for this script will vary based on the state of the FortiGate device. The preceding output is for a FortiGate device that has never been registered.

For a registered FortiGate device without a valid license, the output would be similar to:

Locale : english
License : Unknown
Expiration : N/A
Hostname : guard.fortinet.net
-=- Server List (Tue Oct 3 09:34:46 2006) -=-
IP Weight Round-time TZ Packets Curr Lost Total Lost ** None **
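The two outputs above are what an operator would check when auditing FortiGuard (FDN) connectivity across a fleet. As an added example (not code from the guide or from Fortinet), here is a small Python parser for the diagnose debug rating output, run over constructed copies of the two outputs shown on the page, followed by a health check that flags a non-contract license, an expired contract, an empty server list, or a server whose total packet loss exceeds a threshold. The function names, the 10% loss threshold, and the use of the device's own server-list timestamp as "now" are this example's assumptions.

```python
"""Parse 'diagnose debug rating' output and flag unhealthy FDN state.

Added example, not code from the FortiManager guide.  Function names and the
loss threshold are this example's own; the sample outputs are constructed
from the two outputs shown on the page.
"""
import re
from datetime import datetime

# Constructed from the page's first sample: device with a contract license.
SAMPLE_OK = """\
Locale : english
License : Contract
Expiration : Thu Jan 3 17:00:00 2030
-=- Server List (Tue Oct 15 14:32:49 2013) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost
192.168.100.206 35 2 DIF -8 4068 72 305
192.168.100.188 36 2 F -8 4052 72 308
"""

# Constructed from the page's second sample: no valid license, no servers.
SAMPLE_UNLICENSED = """\
Locale : english
License : Unknown
Expiration : N/A
Hostname : guard.fortinet.net
-=- Server List (Tue Oct 3 09:34:46 2006) -=-
IP Weight Round-time TZ Packets Curr Lost Total Lost ** None **
"""

_TIME_FMT = "%a %b %d %H:%M:%S %Y"
_SERVER_LIST_RE = re.compile(r"^-=- Server List \((.*)\) -=-$")
_ROW_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\s")


def _coerce(tok):
    # Numeric columns (Weight, RTT, TZ, Packets, losses) become ints; text stays text.
    return int(tok) if re.fullmatch(r"-?\d+", tok) else tok


def parse_rating(text):
    """Return a dict with the 'Key : value' lines (lower-cased keys), the
    server-list timestamp, and one dict per server row keyed by the header
    columns actually present (the older format has no Flags column)."""
    info = {"servers": []}
    headers = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SERVER_LIST_RE.match(line)
        if m:
            info["server_list_time"] = m.group(1)
            continue
        if line.startswith("IP "):
            # Header row; "** None **" is appended to it when no servers exist.
            hdr = line.replace("** None **", "")
            headers = re.sub(r"(Curr|Total) Lost", r"\1_Lost", hdr).split()
            continue
        if headers and _ROW_RE.match(line):
            tokens = line.split()
            if len(tokens) == len(headers):
                info["servers"].append({h: _coerce(t) for h, t in zip(headers, tokens)})
            continue
        key, sep, val = line.partition(" : ")
        if sep:
            info[key.strip().lower()] = val.strip()
    return info


def assess(info, max_loss_ratio=0.10):
    """Return a list of findings; an empty list means the FDN state looks healthy."""
    # Use the device's own clock (the server-list timestamp) as "now" so the
    # result is reproducible; fall back to the local clock if it is absent.
    try:
        now = datetime.strptime(info.get("server_list_time", ""), _TIME_FMT)
    except ValueError:
        now = datetime.now()
    findings = []
    lic = info.get("license", "")
    if lic != "Contract":
        findings.append(f"license state is {lic or 'missing'!r}, not 'Contract'")
    else:
        try:
            exp = datetime.strptime(info.get("expiration", ""), _TIME_FMT)
            if exp < now:
                findings.append(f"contract expired on {exp:%Y-%m-%d}")
        except ValueError:
            findings.append(f"unparsable expiration {info.get('expiration')!r}")
    if not info["servers"]:
        findings.append("no FDN servers listed")
    for s in info["servers"]:
        pkts, lost = s.get("Packets", 0), s.get("Total_Lost", 0)
        if pkts and lost / pkts > max_loss_ratio:
            findings.append(f"{s['IP']}: {lost}/{pkts} packets lost")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("unlicensed", SAMPLE_UNLICENSED)):
        print(name, assess(parse_rating(sample)))
```

Feeding the captured output of the script above into parse_rating and then assess gives an empty list for the contract device and two findings (unknown license, no servers) for the unlicensed one; the same two functions can be run over the saved script logs of every managed device to spot units whose FortiGuard lookups are silently failing.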

Setting FortiGate device information with CLI scripts gives you access to more settings and allows you more fine-grained control than you may have in the Device Manager. Also, CLI commands allow access to more advanced options that are not available in the FortiGate GUI. Scripts that set information require more lines.

Create a new account profile called policy_admin allowing read-only access to policy-related areas:

Script:
config global
    config system accprofile
        edit "policy_admin"
            set fwgrp read
            set loggrp read
            set sysgrp read
        next
    end
end

Output: View the log of script running on device: FortiGate-VM64

------- Executing time: 2013-10-16 13:39:35 ------
Starting log (Run on device)
FortiGate-VM64 $ config global
FortiGate-VM64 (global) $ config system accprofile
FortiGate-VM64 (accprofile) $ edit "prof_admin"
FortiGate-VM64 (prof_admin) $ set fwgrp read
FortiGate-VM64 (prof_admin) $ set loggrp read
FortiGate-VM64 (prof_admin) $ set sysgrp read
FortiGate-VM64 (prof_admin) $ next
FortiGate-VM64 (accprofile) $ end
FortiGate-VM64 (global) $ end
------- The end of log ----------

Variations: This profile is read-only to allow a policy administrator to monitor this device's configuration and traffic. Variations may include enabling other areas as read-only or write permissions based on that account type's needs.

With the introduction of global objects/security console (global database), you can run a CLI script on the FortiManager global database in addition to running it on a FortiGate unit directly. Compare the following sample scripts:

Running a CLI script on a FortiGate unit:

config vdom
    edit "root"
        config firewall policy
            edit 10
                set srcintf "port5"
                set dstintf "port6"
                set srcaddr "all"
                set dstaddr "all"
                set status disable
                set schedule "always"
                set service "ALL"
                set logtraffic disable
            next
        end
    next
end

Running a CLI script on the global database:

config firewall policy
    edit 10
        set srcintf "port5"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set status disable
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
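The difference between the two scripts above is only the VDOM wrapper, and the same wrapper (config global ... end, or config vdom / edit root ... next / end) is what the earlier samples had to add before show system interface port1 and show route static would return anything on a VDOM-enabled unit. As an added example, not code from the guide or from Fortinet, the following Python helpers add or strip that wrapper mechanically, so one plain script can be kept and targeted at a FortiGate, a VDOM, or the global database. It also lists the IPv4 host addresses hard-coded in a script, the portability problem noted at the start of this page. Function names are this example's own; the sample script is constructed from the page's static-route sample.

```python
"""Helpers for adapting FortiOS CLI scripts to different run targets.

Added example, not code from the FortiManager guide.  Function names are
this example's own; the sample script is constructed from the page's samples.
"""
import ipaddress
import re
import textwrap

# Constructed sample: the page's static-route script as written for a FortiGate
# without VDOMs (this is also the form used for the global database).
PLAIN_SCRIPT = """\
config router static
    edit 1
        set device "port1"
        set gateway 172.20.120.2
    next
end"""

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _indent(text, n):
    # Indent every non-blank line by n spaces.
    return "\n".join((" " * n + ln) if ln.strip() else ln for ln in text.splitlines())


def wrap_for_scope(script, scope="global"):
    """Wrap a plain script for a VDOM-enabled FortiGate.

    scope="global" produces 'config global ... end' (system-wide commands such as
    'show system interface'); any other value is taken as a VDOM name and produces
    'config vdom / edit <name> ... next / end' (per-VDOM commands such as
    'show route static' or 'config firewall policy').
    """
    body = script.strip()
    if scope == "global":
        return "config global\n" + _indent(body, 4) + "\nend"
    return "config vdom\n" + f'    edit "{scope}"\n' + _indent(body, 8) + "\n    next\nend"


def unwrap_scope(script):
    """Inverse of wrap_for_scope: return (scope, inner_script).

    A script with no wrapper is returned unchanged with scope "none", which is
    the form the page shows for running on the global database.
    """
    lines = script.strip().splitlines()
    if len(lines) >= 2 and lines[0].strip() == "config global" and lines[-1].strip() == "end":
        return "global", textwrap.dedent("\n".join(lines[1:-1]))
    if (
        len(lines) >= 4
        and lines[0].strip() == "config vdom"
        and lines[1].strip().startswith("edit ")
        and lines[-2].strip() == "next"
        and lines[-1].strip() == "end"
    ):
        name = lines[1].strip()[len("edit "):].strip().strip('"')
        return name, textwrap.dedent("\n".join(lines[2:-2]))
    return "none", "\n".join(lines)


def _is_netmask(token):
    # ipaddress accepts a dotted netmask (or hostmask) after the slash; a plain
    # host address such as 172.20.120.2 raises ValueError here.
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{token}")
        return True
    except ValueError:
        return False


def find_hardcoded_ips(script):
    """Return the IPv4 host addresses literally embedded in a script, sorted.

    Interface IPs and gateways tie a script to one device, which is the
    portability problem the page describes; dotted netmasks are skipped.
    """
    found = set()
    for tok in _IPV4_RE.findall(script):
        try:
            ipaddress.IPv4Address(tok)
        except ValueError:
            continue
        if not _is_netmask(tok):
            found.add(tok)
    return sorted(found, key=lambda s: tuple(int(o) for o in s.split(".")))


if __name__ == "__main__":
    vdom_form = wrap_for_scope(PLAIN_SCRIPT, "root")
    print(vdom_form)
    print(unwrap_scope(vdom_form))
    print("hard-coded addresses:", find_hardcoded_ips(PLAIN_SCRIPT))
```

Keeping scripts in the plain form and wrapping at dispatch time means the same file can be pushed to the global database as-is and to a VDOM-enabled unit through wrap_for_scope; running find_hardcoded_ips before a fleet-wide push is a cheap way to catch the device-specific scripts the page warns about.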


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
