Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmarcuccetti
Staff
Staff

Created on ‎01-11-2021 10:00 AM Edited on ‎04-10-2025 10:22 PM By Community Manager

Article Id 193685

Technical Tip: Automated script execution

Description

 

This article describes how to use the automated scripting on FortiGate.

 

Scope

 

FortiGate.


Solution

 

In FortiOS it is possible to configure auto-scripts and this feature can be used for various purposes.

Important note:
The auto-script output is stored in the RAM, so if running multiple scripts with a maximum of default 10MB (set output-size), calculate and monitor the RAM usage. Improper use of the auto-script may trigger a conserve mode.

 

Note:

Some commands will not work with the auto-script on older firmware versions.

Support for further commands like 'diag test app xxx', 'diag wad xxx', 'diag ips xxx' were added in FortiOS 7.6.1 and above.


Note:
If the output size is exceeded, the script will stop. Consider the auto-script as a temporary installation only, it is good for time-based troubleshooting.

CLI example to send a backup to a TFTP server:

 

config system auto-script
    edit "backup"
        set interval 120           <----- Interval of time in seconds to execute the task, for example for 2 minutes.
        set repeat 0               <----- Time of repeats, 0 means always. The default is 1.
        set start auto             <---- If set to auto the process would start by the system automatically, manual is the default where it is necessary to start the process.
        set script "execute backup config ftp backup.conf 10.10.10.2 test test"
    next
end

 

Whereas in this example:

  • 10.10.10.2 is the IP of the FTP server.
  • backup.conf is the name of the file.
  •  test/test is the user and password of the FTP.

CLI example to send a backup to the FTP server in FortiGates with VDOMs:

 

config system auto-script
    edit "backup"
        set interval 120
        set repeat 0
        set start auto
        set script "
            config global
            execute backup config ftp backup.conf 10.10.10.2 test test"
    next
end

 

Where:

  • 10.10.10.2 is the IP of the FTP server.
  • backup.conf is the name of the file.
  • test/test is the user and password of the FTP.

Add multiple CLI commands in the CLI script.

For example, if it is desired to check the generic status output from the CLI like:

 

get system status
get system performance status

FGT # config system auto-script
FGT (auto-script) # edit "status"
FGT (status) # set interval 300
FGT (status) #        set repeat 0
FGT (status) #        set start auto
FGT (status) #        set script "       <----- Press enter key here add the first command.
get system status                        <----- Press the enter key here and add the second command in the next line.
get system performance status"           <----- Make sure that the last command ends with a double quotation mark.

 

Once a double quotation mark is added, it will redirect to the command prompt.


FGT (status) # sh
config system auto-script
    edit "status"
        set interval 120
        set repeat 0
        set start auto
        set script "
        get system status
        get system performance status
     "
    next
end

 

To check the script output stored in the file.

From GUI:

Go to System -> Advanced -> Scheduled Script.
Select the 'Download' button from the 'Status' field for the selected script and Open the file to read the output.

  
Note:
From v6.2.2 the System -> Advanced is removed, it is only possible to see the script scheduled via CLI. From v6.2.0, automation action is introduced as an alternative for auto-script.

From CLI.

To view the results of the script named 'status' (with no VDOMs).
 
exec auto-script result status
Script status output:
########## script name: status ##########

========== #1, 2019-10-01 14:24:04 ==========
FGT $ get system status
Version: FortiGate-100D v6.2.1,build0932,190716 (GA)
Virus-DB: 72.00005(2019-10-01 03:19)
Extended DB: 1.00000(2018-04-09 18:07)
... output continues ...

To view the results of the script named 'status' (with VDOMs - enter it in global):

config global
exec auto-script result status

To control the auto-scripts in other ways, to modify the value of the script or a restart is needed for example:
 
exec auto-script start “name
exec auto-script stop “name” or stopall
 

Modifying a running script will show an output (error) as shown below. So, the script must be stopped running before making any modifications.

 
Script can not be changed when it is running.
object set operator error, -14 discard the setting
Command fail. Return code -14
 
Other examples:
To get an FSSO user list every 5 seconds for a maximum size of 100MB, filtered for the IP 172.16.17.132.
 
config system auto-script
    edit "firewall-user-list"
        set interval 5
        set repeat 0
        set script "diag firewall auth list | grep 172.16.17.132 -A 7"
        set output-size 100
    next
    edit "auth-user-list"
        set interval 5
        set repeat 0
        set script "diag debug auth fsso list | grep 172.16.17.132"
        set output-size 100
    next
end
exec auto-script start firewall-user-list
exec auto-script start auth-user-list
    
To get a session list every 10 seconds for the IP 10.10.10.48.
 
config system auto-script
    edit "session-list"
        set interval 5
        set repeat 0
        set script "diag sys session filter src 10.10.10.48
            diag sys session list"
                set output-size 100
    next
end
 
Example of auto-script to Restart WAD:

 

config system auto-script

   edit "restart-wad"

     set interval 3600

     set repeat 65535

     set start auto

     set script "diag test app wad 99"

    next

   end

 
Example of auto-script to get OSPF routing

 

config system auto-script

    edit "OSPF_routing_script"

        set interval 5

        set repeat 50000

        set start auto

        set script "

        get sys stat

        get router info routing-table ospf

        get system arp

        get router info ospf neighbor

        "

end

 
Example of auto-script to clear DHCP lease:


config system auto-script

    edit "clear_dhcp_lease"

        set interval 600

        set repeat 65535

        set start auto

        set script "

        execute dhcp lease-list

        execute dhcp lease-clear all

        "

    next

end

 
Example of clearing the unit inventory list from FortiGate in a particular interval:


config system auto-script

    edit "clear_dhcp_lease"

        set interval 600  <---- interval of choice

        set repeat 0

        set start auto

        set script "diagnose user device clear"

    next

end

 
If having in few scenarios to restart a process or kill the process, below are examples of restarting and killing ipsmonitor process.
Note that the 'diag test app xxx' commands might not work on older firmware versions when executed in the auto-script.
 
config system auto-script
    edit "ipsrestart"
        set interval 43200                  <-- 12 hours.
        set repeat 0                         <-- Infinite times no limit.
        set start auto                       <-- Automatic process by system.
        set script "                   <-- Script to restart the ipsmonitor.
        diagnose test application ipsmonitor 99
        fnsysctl killall ipsmonitor
"
    next
end
 
In HA auto-script configuration it will get auto-sync, it is only necessary to configure it on the primary device.
It will capture the command output individually on both firewalls.

Refer to the below screenshots: 

FGT-1.PNG
 
FGT-2.PNG
 
The auto-script will place temporary files on the disk.
To verify if the auto script is still running and also show the current size of the output of a specific script run:
 
execute auto-script status
auto-script_test <-- Running, output file size: 567.3K.
 
When the configured max output size is reached the script will stop and change the status from "running" to "executed".
The command will then show the final file size.
 
execute auto-script status
auto-script_test <-- Executed, output file size: 11.1M.
 

The temporary files of the auto-script are stored in '/tmp/$$auto-script$$/'.
The total size of all auto-script files can be checked with the following commands:

 

fnsysctl df -k
fnsysctl df -h
fnsysctl ls -al /tmp/$$auto-script$$/
fnsysctl du -aLL /tmp/$$auto-script$$


Example outputs:

 

# fnsysctl df -h
Filesystem Size Used Available Use% Mounted on
none 1.4G 362.2M 1.0G 25% /tmp
... cut ...

 

# fnsysctl ls -al /tmp/$$auto-script$$/
drwxr-xr-x 2 0 0 Tue Jan 7 10:22:52 2025 60 .
drwxrwxrwt 56 0 0 Tue Jan 7 10:30:14 2025 5060 ..
-rw-r--r-- 1 0 0 Tue Jan 7 10:22:48 2025 11617598 auto-script_test.out <- 11,08 MB.

 

# fnsysctl du -aLL /tmp/$$auto-script$$
11348 /tmp/$$auto-script$$/auto-script_test.out
11348 /tmp/$$auto-script$$ <----- 11,08 MB.

 

Related documents:

system auto-script

Technical Tip: How to restart/kill all processes with the 'fnsysctl' command

Technical Tip: Configuring an automated script for daily FortiGate configuration backups

Technical Tip: How to clear the unit inventory list from FortiGate in particular interval

61953
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.