Technical Tip: How to run python, bash, powershell, or teraterm scripts provided by TAC to troubleshoot FortiGate issues
Description
This article describes how to run the monitoring/troubleshooting scripts provided by FortiGate TAC.
Scope
FortiOS.
Solution
Before starting:
SSH must be enabled on the interface of the FortiGate that the script will connect to.
The device that the script runs on must stay up and maintain SSH connectivity to the FortiGate for the entire time the script is running.
The user account used by the script for authentication must have super admin privileges. The exception to this is the python instruction on Windows.
Windows Instructions for Python:
Install python:
Install python3.13 from Microsoft Store (recommended - does not need admin privileges).
Create the virtual environment:
cd <Directory of the script>
python -m venv venv
.\venv\Scripts\activate.bat
Install a Python-based SSHv2 client to facilitate connections between the client machine and the FortiGate. The provided scripts support either Paramiko or Netmiko:
Paramiko (recommended, supported on newer python versions):
pip install paramiko
Netmiko (Not recommended, used with legacy python versions):
pip install netmiko
Run the script using the following options:
python [script_name]
Note: The Python script automatically prompts for the IP, username, password, and SSH port, in that order, and saves its output to a file called 'debug_output.log' in the same directory.
Note: If more than one script must be run, create a separate directory for each script and a separate virtual environment in each (one per directory).
Linux/MacOS Instructions for Python:
Install python:
Linux: How to install Python on Linux.
MacOS: How to install Python on MacOS.
Create the virtual environment:
cd <Directory of the script>
python3.<patch version> -m venv venv
source venv/bin/activate
Install a Python-based SSHv2 client to facilitate connections between the client machine and the FortiGate. The provided scripts support both Paramiko and Netmiko:
Paramiko (Recommended, supported on newer python versions):
pip install paramiko
Netmiko (Not recommended, used with legacy python versions):
pip install netmiko
Run the script using the following options:
python3.<patch version> [script_name]
Note: The Python script automatically prompts for the IP, username, password, and SSH port, in that order, and saves its output to a file called 'debug_output.log' in the same directory.
Note: If more than one script needs to be run, create a separate directory for each script and a separate virtual environment in each (one per directory).
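The following sketch shows what a collection script of this kind does with the prompted values. It is an added illustration, not one of the TAC-provided scripts: the function names, the sample commands, the strict host-key policy and the owner-only log permissions are assumptions chosen because the session uses a super admin account.

```python
# Added illustration, not a TAC-provided script; names and commands are assumptions.
import getpass
import ipaddress
import os

LOG_NAME = "debug_output.log"  # log file name the article says the scripts write
SAMPLE_COMMANDS = ["get system status", "get system performance status"]  # placeholders

def parse_target(ip_text, port_text):
    """Validate the prompted IP and SSH port; raises ValueError on bad input."""
    ip = ipaddress.ip_address(ip_text.strip())
    port = int(port_text.strip() or "22")
    if not 1 <= port <= 65535:
        raise ValueError(f"SSH port out of range: {port}")
    return str(ip), port

def open_private_log(directory="."):
    """Open the log for appending with owner-only permissions (effective on POSIX)."""
    path = os.path.join(directory, LOG_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.chmod(path, 0o600)  # also tighten a log left over from an earlier run
    return os.fdopen(fd, "a", encoding="utf-8")

def collect(ip, port, username, password, commands, log):
    """Run each command over SSH and append its output to the log."""
    import paramiko  # imported here so the helpers above work without it installed
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # Refuse unknown host keys: the session carries super admin credentials.
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(ip, port=port, username=username, password=password,
                   look_for_keys=False, allow_agent=False, timeout=15)
    try:
        for cmd in commands:
            _, stdout, _ = client.exec_command(cmd, timeout=60)
            log.write(f"### {cmd}\n{stdout.read().decode(errors='replace')}\n")
    finally:
        client.close()

def main():
    ip_text = input("FortiGate IP: ")
    username = input("Username: ")
    password = getpass.getpass("Password: ")  # not echoed, not written to disk
    ip, port = parse_target(ip_text, input("SSH port [22]: "))
    with open_private_log() as log:
        collect(ip, port, username, password, SAMPLE_COMMANDS, log)

if __name__ == "__main__":
    main()
```

With this host-key policy the connection fails unless the FortiGate's key is already in the user's known_hosts file, so verify the fingerprint once with a regular SSH client first.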
Instructions for Bash scripts:
On a Linux client machine, update the installed packages using the relevant package manager before executing the bash script. The bash scripts require the "expect" package to be installed. The following are example commands for apt-based systems such as Debian and Ubuntu:
sudo apt update -y
sudo apt install expect -y
Bash scripts contain the admin username and device IP address settings for the FortiGate. Edit these settings in the script to change the values.
Additionally, the script is defined to produce log files within a local directory on the client machine. The following is the script section that can be edited to change where the log output is written:
# Folder and filename for logs
set log_folder "./"
Finally, the script can be executed using the following commands (change directories, make the script executable, then run the script):
cd <Directory where the file is located>
chmod +x script_name.exp
./script_name.exp
Once the script is run, it will prompt for the password of the FortiGate and the script will start collecting data.
Instructions for PowerShell:
On a PowerShell terminal with admin privileges, run the following cmdlets to install modules required for running scripts with SSH connectivity:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Install-PackageProvider -Name NuGet -Force
Install-Module -Name Posh-SSH
To edit the username and the IP, modify the following settings found within the script:
$DeviceIP = '192.168.1.1'
$Username = 'admin'
To change where the script writes its log output, edit the following setting, also found in the script:
# Output configuration
$OutputDirectory = 'C:\Debug|Output'
From the directory where the script is located, start the script as follows:
.\powershellscript.ps1
Once the script is run, it will prompt for the password of the FortiGate and the script will start collecting data.
Instructions for TeraTerm: Follow the steps in Troubleshooting Tip: High memory and High CPU general script using Tera Term.