Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
farhanahmed
Staff
Staff

Created on ‎12-06-2023 09:47 PM

Article Id 288023

Technical Tip: How to use TCL script to create static routes by fetching gateway IP from an existing route

Description

 

This article describes how to use the TCL script in FortiManager to create static routes on FortiGates by fetching gateway IP from an existing route.

 

Scope

 

FortiManager

 

Solution

 

  1. By default TCL scripts are not enabled in FortiManager, Go to Device Manager -> Scripts, select 'Create new' and it only has the option of 'CLI Script'.

 

1.png

 

  1. To enable the TCL script option, configure the following CLI settings:

 

config system admin setting

(setting) set show_tcl_script enable

(setting) end

 

Check it under Device manager -> Scripts, select Create new and TCL Script option is now available.

 

2.png

 

  1. Checking the existing static route on the FortiGate (gateway is 172.31.200.1):

 

3.png

 

  1. Go to Device Manager -> Scripts, select type TCL Script and select 'Create new' and create the below script:

 

#!
proc do_cmd {cmd} {
puts [exec "$cmd\n" "# " 15]
}
do_cmd "config router static"
#
# Selecting the existing route to fetch the gateway IP from
#
do_cmd "edit 4"
set query [exec "show\n" "# "]
#puts $query
set output [split $query \n]
#
# Find IP address and splitting the octets
# Below regex will first look for 'gateway' and then the IP address.
#
regexp {gateway[ ]([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)} $output match first second third fourth
do_cmd "end"
#
# creating a static routes
#
do_cmd "config router static"
#
do_cmd "edit 0"
do_cmd "set dst 10.0.0.0 255.0.0.0"
do_cmd "set gateway $first.$second.$third.$fourth"
do_cmd "set device port1"
do_cmd "set comment Route_to_Internet"
do_cmd "next"
#
# configure second additional static route
#
do_cmd "edit 0"
do_cmd "set dst 92.168.1.0 255.255.255.0"
do_cmd "set gateway $first.$second.$third.$fourth"
do_cmd "set device port1"
do_cmd "set comment Route_to_Internet"
do_cmd "end" 

 

4.png

 

  • TCL script will only have the 'Run script on' option set to 'Remote FortiGate Directly (via CLI)'.
  • Select 'OK' to save the script.

 

  1. Under Device manager -> Scripts,  select the Script and select 'Run Script'.

 

5.png

 

Select the FortiGate and select the right arrow:

 

6.png

 

Select Run Now:

 

7.png

 

Select OK:

 

8.png

 

The script will start running:

 

9.png

 

Script ran successfully:

 

10.png

 

  1. Checking the new routes on the FortiGate:

 

11.png

 

Related documents:

Technical Tip: How to troubleshoot TCL Scripts failed in FortiManager

Tcl scripts

455
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.