Technical Tip: How to configure 'fmg-source-ip' from FortiManager using TCL Script
Description
This article describes how to modify 'fmg-source-ip' parameter from FortiManager, using the TCL script.
FortiGate parameter 'fmg-source-ip', under system central-management, is used to specify the FortiGate source-IP when establishing communication between FortiGate and FortiManager.
Scope
FortiManager, all firmware.
Solution
Modifying the fmg-source-ip parameter is not allowed in the FortiManager Device Database. For that reason, CLI Templates and scripts in the 'Device Database' cannot be used. The user must execute the script at 'Remote FortiGate Directly (via CLI)'.
It is possible to use the TCL script to automate the task on several FortiGates using a single script when the source-IP interface name remains the same.
- Configure the following CLI settings.
FMG # config system admin setting
(setting) set show_tcl_script enable
(setting) end
-
Navigate from Device Manager -> Scripts -> Select 'Create new'.
-
Create a TCL script as shown in the screenshot, using the following script text. Example:
#!
proc do_cmd {cmd} {
puts [exec "$cmd\n" "# " 15]
}
# Get IP address from desired interface and vdom.
do_cmd "config vdom"
do_cmd "edit root"
do_cmd "config system interface"
do_cmd "edit port4"
set query [exec "show\n" "# "]
#puts $query
set output [split $query "\n"]
#Find IP address and puts $ip
regexp {(?:\d+\.){3}\d+} $output ip
do_cmd "end"
do_cmd "end"
# configure fmg-source-ip
do_cmd "config global"
do_cmd "config system central-management"
do_cmd "set fmg-source-ip $ip"
do_cmd "end"
-
Run the script in the required FortiGates.
Note: Modify the TCL script depending on interface names and VDOM configuration.
Related articles:
Technical Tip: FortiManager failed to execute script in the Device Database
Troubleshooting Tip: How to troubleshoot TCL script failure in FortiManager