gmarcuccetti
Staff
Article Id 193685

Description

This article describes how to use the automated scripting on FortiGate.


Solution
In FortiOS it is possible to configure auto-scripts and this feature can be used for various purposes.

Important note:
The auto-script output is stored in RAM. Each script can store output up to its output-size (set output-size, default 10MB), so if you run multiple scripts, calculate and monitor the RAM usage. Improper use of auto-script may trigger conserve mode!

Note:
If the output-size is exceeded, the script stops. Treat an auto-script as a temporary setup only; it is well suited to time-based troubleshooting.

CLI example to send a backup to an FTP server:

# config system auto-script
    edit "backup"
        set interval 120                           <----- Interval in seconds between executions of the task.
        set repeat 0                               <----- Number of repeats; 0 means always. Default is 1.
        set start auto
        set script "execute backup config ftp backup.conf 10.10.10.2 test test"
    next
end

In this example:
- 10.10.10.2   is the IP of the FTP server.
- backup.conf  is the name of the file.
- test/test    is the username and password for the FTP server.

CLI example to send a backup to an FTP server on FortiGates with VDOMs:

# config system auto-script
    edit "backup"
        set interval 120
        set repeat 0
        set start auto
        set script "
config global
execute backup config ftp backup.conf 10.10.10.2 test test"
    next
end

where:
- 10.10.10.2   is the IP of the FTP server.
- backup.conf  is the name of the file.
- test/test    is the username and password for the FTP server.

Adding multiple CLI commands to a script:

For example, to collect the generic status output of the following CLI commands:

# get system status
# get system performance status

FGT # config system auto-script
FGT (auto-script) # edit "status"
FGT (status) # set interval 300
FGT (status) # set repeat 0
FGT (status) # set start auto
FGT (status) # set script "                <----- Press Enter here, then add the first command.
> get system status                        <----- Press Enter here, then add the second command on the next line.
> get system performance status"           <----- End the last command with a double quotation mark. Once it is entered, the CLI returns to the command prompt.
FGT (status) # show
config system auto-script
    edit "status"
        set interval 300
        set repeat 0
        set start auto
        set script "
get system status
get system performance status"
    next
end

To check the stored script output:

From GUI:

Go to System -> Advanced -> Scheduled Script.
Select the 'Download' button in the 'Status' field for the selected script and open the file to read the output.


Note: From FortiOS 6.2.2, the System > Advanced menu is removed, so scheduled scripts can only be viewed via the CLI. From 6.2.0, automation actions are introduced as an alternative to auto-script.

From CLI:

To view the results of the script named 'status' (with no VDOMs):

# exec auto-script result status
Script status output:
########## script name: status ##########

========== #1, 2019-10-01 14:24:04 ==========
FGT $ get system status
Version: FortiGate-100D v6.2.1,build0932,190716 (GA)
Virus-DB: 72.00005(2019-10-01 03:19)
Extended DB: 1.00000(2018-04-09 18:07)
... output continues ...

To view the results of the script named 'status' (with VDOMs, run it in global):

# config global
# exec auto-script result status

To control the auto-scripts in other ways, for example if a restart is needed:

# exec auto-script start "name"
# exec auto-script stop "name"
# exec auto-script stopall

Other examples:

To get an FSSO user list every 5 seconds, with a maximum output size of 100MB, filtered for the IP 172.16.17.132:

# config system auto-script
    edit "firewall-user-list"
        set interval 5
        set repeat 0
        set script "diag firewall auth list | grep 172.16.17.132 -A 7"
        set output-size 100
    next
    edit "auth-user-list"
        set interval 5
        set repeat 0
        set script "diag debug auth fsso list | grep 172.16.17.132"
        set output-size 100
    next
end
# exec auto-script start firewall-user-list
# exec auto-script start auth-user-list

To get a session list every 10 seconds for the IP 10.10.10.48:

# config system auto-script
    edit "session-list"
        set interval 10
        set repeat 0
        set script "diag sys session filter src 10.10.10.48
diag sys session list"
        set output-size 100
    next
end
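
Added example (not part of the original article and not Fortinet code): a Python check that carries out the calculation the Important note asks for, summing the worst-case RAM reserved for script output across all configured auto-scripts, and that also flags entries that repeat indefinitely or carry FTP credentials in the script text. The names parse_auto_scripts, audit and SAMPLE are hypothetical, the sample configuration is constructed, and output-size is assumed to be in MB with a default of 10 as stated above.

```python
import re

DEFAULT_OUTPUT_MB = 10  # default output-size stated in the article (assumed MB)

# Constructed sample in the article's CLI syntax (not from a real device).
SAMPLE = '''config system auto-script
    edit "backup"
        set interval 120
        set repeat 0
        set script "execute backup config ftp backup.conf 10.10.10.2 test test"
    next
    edit "status"
        set interval 300
        set script "
get system status
get system performance status"
        set output-size 100
    next
end
'''

# `edit <name>` or `set <key> <value>`; a quoted value may span several lines.
TOKEN = re.compile(r'\b(edit|set\s+\S+)\s+("[^"]*"|\S+)')
# FTP backup with four arguments: file, server, user, password.
FTP_CREDS = re.compile(r'\bbackup\s+config\s+ftp(\s+\S+){4}')

def parse_auto_scripts(text):
    """Return {script name: {setting: value}} from a config excerpt."""
    scripts, current = {}, None
    for head, value in TOKEN.findall(text):
        value = value.strip('"')
        if head == "edit":
            current = scripts.setdefault(value, {})
        elif current is not None:
            current[head.split()[1]] = value
    return scripts

def audit(scripts):
    """Return (worst-case RAM for stored output in MB, list of findings)."""
    total_mb, findings = 0, []
    for name, cfg in scripts.items():
        total_mb += int(cfg.get("output-size", DEFAULT_OUTPUT_MB))
        if cfg.get("repeat") == "0":  # 0 means repeat always
            findings.append((name, "repeats indefinitely"))
        if FTP_CREDS.search(cfg.get("script", "")):
            findings.append((name, "FTP credentials in script text"))
    return total_mb, findings

if __name__ == "__main__":
    print(audit(parse_auto_scripts(SAMPLE)))
```

Run it against the auto-script section of a saved configuration and compare the total with the free memory on the unit before starting the scripts.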
