Description
Fortinet has a CLI utility, 'batch', available to stage and commit multiple changes as an alternative to what would otherwise involve repeated and time-consuming point-and-click GUI or individual CLI operations. For customers with large policy lists or a lot of changes to make, this can be a useful alternative to plain CLI copy-paste, since batch includes a built-in log.
Batch typically runs from the global VDOM, and the contents of the changes can be pasted in. If some configuration did not apply due to errors, the batch command will still complete, but the administrator will have the opportunity to review the result of each submitted line with the 'execute batch lastlog' command. This assists with verifying the integrity of bulk changes.
Scope
FortiGate.
Solution
There is a more recent tool, 'config-transaction', similar to batch, with better support for multiple administrators but no error log. See config-transaction and workspace mode in the v6.2 New Features Guide.
Consider a situation where an administrator wants to modify logging settings across a number of policies. Rather than clicking in and out of each policy on the GUI, this can be scripted and batched, then pasted into the batch command. A standard Linux environment (Cygwin, etc.) can be used to create the contents for the copy/paste operation.
- Example_Policies is a file with all the policy ID numbers in it, one per line.
- Example_File will be the file whose contents are loaded via copy/paste into the batch processing instruction.
--
$ for i in `cat Example_Policies`; do echo "edit $i"; echo "set logtraffic all"; echo "set logtraffic-start enable"; echo "next"; done > Example_File
--
$ more Example_Policies
10
20
30
40
50
--
$ more Example_File
edit 10
set logtraffic all
set logtraffic-start enable
next
edit 20
set logtraffic all
set logtraffic-start enable
next
edit 30
set logtraffic all
set logtraffic-start enable
next
edit 40
set logtraffic all
set logtraffic-start enable
next
--
'execute batch start' begins in no VDOM. On a FortiGate operating in multi-VDOM mode, the VDOM for the operation must be specified.
Firewall (global) # execute batch start << this opens the Batch process context.
Enter batch mode...
Firewall (global) # config vdom << The administrator remains in the global VDOM throughout. Configuration lines are additions to the batch script.
Firewall (global) # edit root << The VDOM name must be entered exactly, including correct capitalization.
Firewall (global) # config firewall policy
The administrator pastes the desired configuration changes.
Firewall (global) # edit 10
Firewall (global) # set logtraffic all
Firewall (global) # set logtraffic-start enable
Firewall (global) # next
Firewall (global) # edit 20
Firewall (global) # set logtraffic all
Firewall (global) # set logtraffic-start enable
Firewall (global) # next
Firewall (global) # edit 30
Firewall (global) # set logtraffic all
Firewall (global) # set logtraffic-start enable
Firewall (global) # next
Firewall (global) # edit 40
Firewall (global) # set logtraffic all
Firewall (global) # set logtraffic-start enable
Firewall (global) # next
End of paste:
Firewall (global) # end
Firewall (global) # end
Firewall (global) # execute batch end << Staged configuration changes are only applied at this point.
Exit and run batch commands...
The administrator can review the changes with the 'execute batch lastlog' command. Each line of the log is prefixed with a return code: '0' is a success; any other value is an error.
Firewall (global) # execute batch lastlog
0: conf vdom
0: edit root
0: conf firewall policy
0: edit 10
0: set logtraffic all
0: set logtraffic-start enable
0: next
0: edit 20
0: set logtraffic all
0: set logtraffic-start enable
0: next
0: edit 30
0: set logtraffic all
0: set logtraffic-start enable
0: next
0: edit 40
0: set logtraffic all
0: set logtraffic-start enable
0: next
0: end
This indicates all configuration lines applied without errors.
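The two steps above, generating the paste contents from a policy list and checking the 'execute batch lastlog' output for non-zero codes, as an added shell example (not Fortinet's code). The lastlog sample is constructed, and the non-zero code in it is a placeholder value, not a real FortiOS return code.

```shell
#!/bin/sh
# Added example, not from the article. Generates batch contents from a list
# of policy IDs and checks an 'execute batch lastlog' transcript for failures.

# gen_batch FILE: emit "edit <id> / set ... / next" for each policy ID in
# FILE (blank lines skipped), ready to paste between 'config firewall policy'
# and 'end' inside 'execute batch start'.
gen_batch() {
    while IFS= read -r id; do
        [ -z "$id" ] && continue
        printf 'edit %s\nset logtraffic all\nset logtraffic-start enable\nnext\n' "$id"
    done < "$1"
}

# check_lastlog FILE: each lastlog line is "<code>: <command>". Print every
# line whose code is not 0 and return 1; return 0 when everything applied.
check_lastlog() {
    awk -F': ' '$1 != "0" { print; bad = 1 } END { exit (bad ? 1 : 0) }' "$1"
}

# Constructed sample input, as in the article: one policy ID per line.
tmp=$(mktemp -d)
printf '10\n20\n30\n' > "$tmp/Example_Policies"
gen_batch "$tmp/Example_Policies" > "$tmp/Example_File"

# Constructed lastlog output: the batch completed, but the lines for policy 20
# carry a non-zero code ("-1" is a placeholder, not a documented FortiOS code).
cat > "$tmp/lastlog_sample" <<'EOF'
0: conf vdom
0: edit root
0: conf firewall policy
0: edit 10
0: set logtraffic all
0: next
-1: edit 20
-1: set logtraffic all
-1: next
0: end
EOF

if check_lastlog "$tmp/lastlog_sample"; then
    echo "all batch lines applied"
else
    echo "review the lines above before trusting the bulk change"
fi
```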