FortiGate
kahelek_FTNT
Staff
Article Id 195063
Description
FortiOS provides a CLI facility for making bulk configuration changes, as an alternative to repeating the same point-and-click operation in the GUI for every object. For administrators with large rule sets, or with many changes to make, it is a great time saver.

The facility is the Batch command (exec batch). It is typically run from the global context, and the changes are pasted into it as ordinary CLI commands. Nothing is executed while the commands are being entered; they are queued and run together when the batch is ended. If a command is malformed, or a submitted value exceeds the permitted length, the batch still runs to completion, and the result of every line can be reviewed afterwards with the exec batch lastlog command. This makes verifying the integrity of a bulk change very simple.

Solution
Consider a situation where a company wants to change the logging settings on a number of policies. Rather than opening and closing each policy in the GUI, the change can be generated by a script and applied as one batch. Any standard Unix-like shell environment (Linux, Cygwin on Windows, etc.) can be used to create the text for the copy/paste operation that follows.

- Example_Policies is a file containing the policy ID numbers, one per line.
- Example_File is the generated file whose contents will be pasted into the batch session.

--

$ while read -r i; do printf 'edit %s\nset logtraffic all\nset logtraffic-start enable\nnext\n' "$i"; done < Example_Policies > Example_File

--

$ more Example_Policies
10
20
30
40

--

$ more Example_File
edit 10
set logtraffic all
set logtraffic-start enable
next
edit 20
set logtraffic all
set logtraffic-start enable
next
edit 30
set logtraffic all
set logtraffic-start enable
next
edit 40
set logtraffic all
set logtraffic-start enable
next

--

This output can now be pasted into a batch session, as shown below. Before pasting, the context must be set by hand with "config vdom", "edit root" and "config firewall policy", so that the pasted "edit <id>" lines operate on the firewall policy table of the intended VDOM.

Firewall (global) # exec batch start     << Opens the batch context. From here on, commands are queued rather than executed.

Enter batch mode...

Firewall (global) # conf vdom             << This line and the following two are typed manually; they set the context in which the pasted commands will run. On a unit without VDOMs enabled, omit "conf vdom" and "edit root" and start with "conf firewall policy".
Firewall (global) # edit root
Firewall (global) # conf firewall policy

Begin paste:

Firewall (global) # edit 10
Firewall (global) # set logtraffic all
Firewall (global) # set logtraffic-start enable
Firewall (global) # next
Firewall (global) # edit 20
Firewall (global) # set logtraffic all
Firewall (global) # set logtraffic-start enable
Firewall (global) # next
Firewall (global) # edit 30
Firewall (global) # set logtraffic all
Firewall (global) # set logtraffic-start enable
Firewall (global) # next
Firewall (global) # edit 40
Firewall (global) # set logtraffic all
Firewall (global) # set logtraffic-start enable
Firewall (global) # next

End paste:

Firewall (global) # end                          << Closes the "config firewall policy" table, completing the instruction set.
Firewall (global) # exec batch end        << Executes the queued commands and commits the changes made while the batch context was open.

Exit and run batch commands...

The result can then be reviewed with the exec batch lastlog command. For this example, a successful run looks similar to the following output:

Firewall (global) # exec batch lastlog
0: conf vdom
0: edit root
0: conf firewall policy
0: edit 10
0: set logtraffic all
0: set logtraffic-start enable
0: next
0: edit 20
0: set logtraffic all
0: set logtraffic-start enable
0: next
0: edit 30
0: set logtraffic all
0: set logtraffic-start enable
0: next
0: edit 40
0: set logtraffic all
0: set logtraffic-start enable
0: next
0: end

Every line shows a return code of zero, which means each command was accepted and the contexts were entered and left in the correct order. Any non-zero value is the return code of the command on that line: locate it in the lastlog output, check the affected policy with "show firewall policy <id>", and correct and re-run that part of the batch. Because nothing is validated until exec batch end, a mistake in the ID list is not caught while pasting; note in particular that "edit" on a policy ID that does not exist creates a new policy rather than failing, so the list of IDs deserves a check before it is turned into a batch.
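As an added worked example (not part of the original article, and not a Fortinet tool), the following POSIX shell script generalizes the one-liner above and the verification step: it generates the complete paste text for any list of policy IDs and any set of "set" statements, validates the IDs first, and parses a saved copy of the exec batch lastlog output to flag every command whose return code is not zero. The function names, file names and the sample lastlog lines are constructed for the demonstration and do not come from a real device.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: build a FortiOS batch script
# from a list of policy IDs and check a saved "exec batch lastlog" capture.
# Function names, file names and the sample lastlog lines are constructed.

# gen_policy_batch FILE VDOM SETTING...
# Prints the complete text to paste after "exec batch start": the context
# qualifiers, one "edit <id> / set ... / next" block per policy ID in FILE,
# and the closing "end". Blank lines and '#' comments in FILE are ignored;
# trailing CRs (files edited on Windows/Cygwin) are stripped. Any ID that is
# not purely numeric aborts the run, because "edit" on a wrong or missing ID
# would target another policy or create a new one instead of failing.
gen_policy_batch() {
    file=$1; vdom=$2; shift 2
    printf 'config vdom\nedit %s\nconfig firewall policy\n' "$vdom"
    while IFS= read -r id || [ -n "$id" ]; do
        id=${id%"$(printf '\r')"}
        case $id in
            ''|'#'*) continue ;;
            *[!0-9]*) printf 'gen_policy_batch: invalid policy id "%s"\n' "$id" >&2; return 1 ;;
        esac
        printf 'edit %s\n' "$id"
        for setting in "$@"; do
            printf 'set %s\n' "$setting"
        done
        printf 'next\n'
    done < "$file"
    printf 'end\n'
}

# check_lastlog FILE
# FILE holds the output of "exec batch lastlog", one "<rc>: <command>" per
# line. Every command with a non-zero return code is printed, and the function
# returns 1 if there was at least one, so it can gate a follow-up step.
check_lastlog() {
    file=$1; failures=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *': '*) code=${line%%:*}; cmd=${line#*: } ;;
            *) continue ;;
        esac
        if [ "$code" != "0" ]; then
            printf 'rc=%s  %s\n' "$code" "$cmd"
            failures=$((failures + 1))
        fi
    done < "$file"
    [ "$failures" -eq 0 ]
}

# Demonstration with constructed input; nothing here touches a device.
demo() {
    tmp=$(mktemp -d)
    printf '10\n20\n# 30 is left alone on purpose\n40\n' > "$tmp/Example_Policies"
    gen_policy_batch "$tmp/Example_Policies" root \
        "logtraffic all" "logtraffic-start enable" > "$tmp/Example_File"
    cat "$tmp/Example_File"
    # A constructed lastlog in which one "set" on policy 20 was rejected.
    printf '0: config vdom\n0: edit root\n0: config firewall policy\n' > "$tmp/lastlog.txt"
    printf '0: edit 10\n0: set logtraffic all\n0: next\n' >> "$tmp/lastlog.txt"
    printf '0: edit 20\n-61: set logtraffic all\n0: next\n0: end\n' >> "$tmp/lastlog.txt"
    check_lastlog "$tmp/lastlog.txt" || echo "batch had failures; verify before trusting the change"
    rm -rf "$tmp"
}

demo
```

Because gen_policy_batch emits the context qualifiers and the closing "end" itself, its whole output can be pasted between exec batch start and exec batch end without typing anything else; the ID validation is the check that matters most, since a stray character in the list would otherwise go unnoticed until the batch has already run.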
