Created on 01-11-2021 10:00 AM
Edited on 03-10-2025 11:38 PM
By Jean-Philippe_P
Description
This article describes how to use the automated scripting on FortiGate.
Scope
FortiGate.
Solution
In FortiOS it is possible to configure auto-scripts and this feature can be used for various purposes.
Important note:
The auto-script output is stored in RAM. Each script can store up to 10MB of output by default (set output-size), so when running multiple scripts, calculate and monitor the RAM usage. Improper use of the auto-script may trigger conserve mode.
Note:
Some commands will not work with the auto-script on older firmware versions.
Support for further commands such as 'diag test app xxx', 'diag wad xxx' and 'diag ips xxx' was added in FortiOS 7.6.1 and above.
Note:
If the output size is exceeded, the script will stop. Treat the auto-script as a temporary installation only; it is good for time-based troubleshooting.
CLI example to send a backup to an FTP server:
config system auto-script
edit "backup"
set interval 120 <----- Interval in seconds between executions of the task, for example 120 for 2 minutes.
set repeat 0 <----- Number of repeats, 0 means always. The default is 1.
set start auto <----- If set to auto, the system starts the script automatically. The default is manual, where the script must be started manually.
set script "execute backup config ftp backup.conf 10.10.10.2 test test"
next
end
Where, in this example:
- 10.10.10.2 is the IP of the FTP server.
- backup.conf is the name of the file.
- test/test is the user and password of the FTP.
CLI example to send a backup to the FTP server in FortiGates with VDOMs:
config system auto-script
edit "backup"
set interval 120
set repeat 0
set start auto
set script "
config global
execute backup config ftp backup.conf 10.10.10.2 test test"
next
end
Where:
- 10.10.10.2 is the IP of the FTP server.
- backup.conf is the name of the file.
- test/test is the user and password of the FTP.
Multiple CLI commands can be added to a single script.
For example, to collect the generic status output of the following CLI commands:
get system status
get system performance status
FGT # config system auto-script
FGT (auto-script) # edit "status"
FGT (status) # set interval 300
FGT (status) # set repeat 0
FGT (status) # set start auto
FGT (status) # set script " <----- Press the Enter key here and add the first command on the next line.
get system status <----- Press the Enter key here and add the second command on the next line.
get system performance status" <----- Make sure that the last command ends with a double quotation mark.
Once the closing double quotation mark is entered, the CLI returns to the command prompt.
FGT (status) # sh
config system auto-script
edit "status"
set interval 120
set repeat 0
set start auto
set script "
get system status
get system performance status
"
next
end
To check the script output stored in the file:
From GUI:
Go to System -> Advanced -> Scheduled Script.
Select the 'Download' button in the 'Status' field for the selected script and open the file to read the output.

From CLI:
To view the results of the script named 'status' (with no VDOMs):
########## script name: status ##########
========== #1, 2019-10-01 14:24:04 ==========
FGT $ get system status
Version: FortiGate-100D v6.2.1,build0932,190716 (GA)
Virus-DB: 72.00005(2019-10-01 03:19)
Extended DB: 1.00000(2018-04-09 18:07)
... output continues ...
To view the results of the script named 'status' (with VDOMs - enter it in global):
config global
exec auto-script result status
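Added example (not part of the original article): a Python parser for result text in the layout shown above, which splits it into runs and reports the lines that changed between two runs. The sample text is constructed, and the 'hostname $ command' prompt pattern is an assumption taken from the excerpt above.

```python
import re
from datetime import datetime

# Constructed sample following the result layout shown in this article.
SAMPLE = """########## script name: status ##########
========== #1, 2019-10-01 14:24:04 ==========
FGT $ get system status
Version: FortiGate-100D v6.2.1,build0932,190716 (GA)
Virus-DB: 72.00005(2019-10-01 03:19)
Extended DB: 1.00000(2018-04-09 18:07)
========== #2, 2019-10-01 14:26:04 ==========
FGT $ get system status
Version: FortiGate-100D v6.2.1,build0932,190716 (GA)
Virus-DB: 72.00006(2019-10-01 14:25)
Extended DB: 1.00000(2018-04-09 18:07)
"""

RUN = re.compile(r"^=+ #(\d+), (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) =+$")
PROMPT = re.compile(r"^\S+ [$#] (.+)$")  # assumed prompt form: 'FGT $ <command>'

def parse_result(text):
    """Split result text into runs: sequence number, timestamp, output per command."""
    runs, cmd = [], None
    for line in text.splitlines():
        run, prompt = RUN.match(line), PROMPT.match(line)
        if run:
            when = datetime.strptime(run.group(2), "%Y-%m-%d %H:%M:%S")
            runs.append({"seq": int(run.group(1)), "time": when, "commands": {}})
            cmd = None
        elif runs and prompt:
            cmd = prompt.group(1).strip()
            runs[-1]["commands"][cmd] = []
        elif cmd is not None and line.strip():
            runs[-1]["commands"][cmd].append(line.rstrip())
    return runs

def changed_lines(old, new):
    """Per command, the output lines present in `new` but not in `old`."""
    diff = {}
    for cmd, lines in new["commands"].items():
        before = set(old["commands"].get(cmd, []))
        added = [line for line in lines if line not in before]
        if added:
            diff[cmd] = added
    return diff
```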
To control the auto-scripts in other ways, for example when the value of the script needs to be modified or a restart is needed:
Modifying a running script returns the error shown below, so the script must be stopped before making any modifications.
object set operator error, -14 discard the setting
Command fail. Return code -14
To get an FSSO user list every 5 seconds for a maximum size of 100MB, filtered for the IP 172.16.17.132:
set output-size 100
next
edit "auth-user-list"
set interval 5
set repeat 0
set script "diag debug auth fsso list | grep 172.16.17.132"
set output-size 100
next
end
exec auto-script start firewall-user-list
exec auto-script start auth-user-list
set repeat 0
set script "diag sys session filter src 10.10.10.48
diag sys session list"
set output-size 100
next
end
config system auto-script
edit "restart-wad"
set interval 3600
set repeat 65535
set start auto
set script "diag test app wad 99"
next
end
config system auto-script
edit "OSPF_routing_script"
set interval 5
set repeat 50000
set start auto
set script "
get sys stat
get router info routing-table ospf
get system arp
get router info ospf neighbor
"
end
config system auto-script
edit "clear_dhcp_lease"
set interval 600
set repeat 65535
set start auto
set script "
execute dhcp lease-list
execute dhcp lease-clear all
"
next
end
set interval 43200 <-- 12 hours.
set repeat 0 <-- Infinite times no limit.
set start auto <-- Automatic process by system.
set script " <-- Script to restart the ipsmonitor.
diagnose test application ipsmonitor 99
fnsysctl killall ipsmonitor
"
next
end
It will capture the command output individually on both firewalls.
Refer to the below screenshots:
auto-script_test <-- Running, output file size: 567.3K.
The command will then show the final file size.
auto-script_test <-- Executed, output file size: 11.1M.
The temporary files of the auto-script are stored in '/tmp/$$auto-script$$/'.
The total size of all auto-script files can be checked with the following commands:
fnsysctl df -k
fnsysctl df -h
fnsysctl ls -al /tmp/$$auto-script$$/
fnsysctl du -aLL /tmp/$$auto-script$$
Example outputs:
# fnsysctl df -h
Filesystem Size Used Available Use% Mounted on
none 1.4G 362.2M 1.0G 25% /tmp
... cut ...
# fnsysctl ls -al /tmp/$$auto-script$$/
drwxr-xr-x 2 0 0 Tue Jan 7 10:22:52 2025 60 .
drwxrwxrwt 56 0 0 Tue Jan 7 10:30:14 2025 5060 ..
-rw-r--r-- 1 0 0 Tue Jan 7 10:22:48 2025 11617598 auto-script_test.out <- 11,08 MB.
# fnsysctl du -aLL /tmp/$$auto-script$$
11348 /tmp/$$auto-script$$/auto-script_test.out
11348 /tmp/$$auto-script$$ <----- 11,08 MB.
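Added example (not part of the original article): a Python check that reads auto-script configuration text in the layout of the CLI examples on this page, sums the worst-case RAM the outputs can occupy (output-size, default 10MB as noted above), and flags scripts that embed FTP credentials, which are kept in the configuration and sent unencrypted by FTP. The sample configuration is constructed.

```python
import re

DEFAULT_OUTPUT_MB = 10  # default 'set output-size', per the note on this page

# Constructed sample in the layout of the CLI examples on this page.
SAMPLE = '''config system auto-script
edit "backup"
set interval 120
set repeat 0
set start auto
set script "
config global
execute backup config ftp backup.conf 10.10.10.2 test test"
next
edit "auth-user-list"
set interval 5
set repeat 0
set script "diag debug auth fsso list | grep 172.16.17.132"
set output-size 100
next
end
'''

# Matches 'edit "name"' or 'set key value'; a quoted value may span lines.
TOKEN = re.compile(r'^[ \t]*(?:edit "([^"]+)"|set (\S+) (?:"([^"]*)"|(\S+)))', re.M)
# 'execute backup <type> ftp <file> <server> <user> <password>'
FTP_CREDS = re.compile(r'\bexec\w*\s+backup\s+\S+\s+ftp(?:\s+\S+){4}')

def parse_auto_scripts(text):
    scripts, current = {}, None
    for m in TOKEN.finditer(text):
        name, key, quoted, bare = m.groups()
        if name is not None:
            current = scripts.setdefault(name, {})
        elif current is not None:
            current[key] = quoted if quoted is not None else bare
    return scripts

def audit(text):
    """Return (worst-case RAM in MB, [(script, finding), ...])."""
    total_mb, findings = 0, []
    for name, cfg in parse_auto_scripts(text).items():
        total_mb += int(cfg.get("output-size", DEFAULT_OUTPUT_MB))
        if FTP_CREDS.search(cfg.get("script", "")):
            findings.append((name, "FTP credentials stored in config and sent in cleartext"))
        if cfg.get("repeat") == "0":
            findings.append((name, "repeat 0: script stops once output-size is reached"))
    return total_mb, findings
```

Compare the returned total with the free space reported for /tmp by 'fnsysctl df -h' before starting the scripts.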