FortiManager
farhanahmed
Staff
Article Id 331346
Description

The article describes how to remove the comment 'Created by IPSec Template' from FortiGate using a TCL script via FortiManager.

If the IPSec templates assigned to a FortiGate are unassigned and deleted from FortiManager, on the next install FortiManager will try to delete those IPSec tunnels (including their static routes).
The installation error can look like this:

SECURITY_CONSOLE: (1) [DEV-FW-01[copy] root] unassign template object vpn ipsec phase1-interface(ADVPN1) fail: used. detail: delete failed. solution: record is in-use (reason:none)
SECURITY_CONSOLE: (1) [DEV-FW-01[copy] root] post_vdom copy error::(errcode)15 - used. detail: delete failed. solution: record is in-use (reason:none)
Or:
Post vdom failed:
error system interface - <intf-VPN> :15 - used. detail: used in adom by dynamic interface(<intf-VPN>)
Scope

FortiManager, FortiGate.
Solution

Remove the comment 'Created by IPSec Template' from the IPSec tunnels (phase1 and phase2) and their static routes. Doing this by hand is tedious when there are multiple tunnels, so the TCL scripts below remove it from every matching entry.

Make sure the FortiGate is compatible with FortiManager.
FortiOS Compatibility Tool
Follow the initial steps from this article on how to enable and run TCL scripts in FortiManager:

Technical Tip: How to use TCL script...existing route
  1. Go to Device Manager -> Scripts, select type TCL Script, and select 'Create new'. Create the following TCL script:


#!
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# "]
}
#
foreach line [split [exec "show router static\n" "# "] \n] {
    #
    # Fetching the 'edit' and its value (the static route sequence number)
    #
    if {[regexp {edit\s(\d+)} $line match policy]} {
        continue
    #
    } elseif {[regexp {set\s(comment)\s"(.*IPSec\sTemplate.*)"} $line match key value]} {
    #
        lappend policies_comment($policy) "$key $value"
    }
}
#
do_cmd "config router static\n"
#
foreach policy [array names policies_comment] {
    do_cmd "edit $policy"
    do_cmd "unset comment"
    do_cmd "next"
}
do_cmd "end"
Note:

The text on line #13 ('IPSec Template') is case-sensitive; make sure it matches the comment exactly as it appears in the FortiGate config. After running the script, the comment from static route #5 has been removed:
Verifying on the FortiGate:
  2. Remove the comment from the phase2 and phase1 tunnels. Go to Device Manager -> Scripts, select type TCL Script, and select 'Create new'. Create the following TCL script:


#!
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# "]
}
#
foreach line [split [exec "show vpn ipsec phase2-interface\n" "# "] \n] {
    #
    # Fetching the 'edit' name (everything between the quotes, so hyphens are kept)
    #
    if {[regexp {edit\s"([^"]+)"} $line match phase2]} {
        continue
    #
    } elseif {[regexp {set\s(comments)\s"(.*Template.*)"} $line match key value]} {
    #
        lappend phase2_comment($phase2) "$key $value"
    }
}
#
foreach line [split [exec "show vpn ipsec phase1-interface\n" "# "] \n] {
    #
    if {[regexp {edit\s"([^"]+)"} $line match phase1]} {
        continue
    #
    } elseif {[regexp {set\s(comments)\s"(.*Template.*)"} $line match key value]} {
    #
        lappend phase1_comment($phase1) "$key $value"
    }
}
#
do_cmd "config vpn ipsec phase2-interface\n"
#
foreach phase2 [array names phase2_comment] {
    do_cmd "edit \"$phase2\""
    do_cmd "unset comments"
    do_cmd "next"
}
do_cmd "end"
#
do_cmd "config vpn ipsec phase1-interface\n"
#
foreach phase1 [array names phase1_comment] {
    do_cmd "edit \"$phase1\""
    do_cmd "unset comments"
    do_cmd "next"
}
do_cmd "end"

Run the script on the desired FortiGate; it can run on one or more FortiGates at the same time. The comment has been removed from the VPN tunnel:

Verifying on the FortiGate:
Note:

  • The script can be run on multiple FortiGates at the same time.
  • If the tunnels were created by VPN Manager and the FortiGate was removed from FortiManager and added back in, the tunnels will no longer be managed by VPN Manager, and the comment 'Created by VPN Manager' has to be removed so that FortiManager does not remove the tunnels on the next install. In this case, replace lines #13 and #24 of the script in step 2 with the following line:

    } elseif {[regexp {set\s(comments)\s"(.*VPN\sManager.*)"} $line match key value]} {
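As an added check (not part of the original article), the following read-only TCL script lists every static route, phase1 and phase2 entry whose comment still marks it as created by an IPSec template or by VPN Manager. It changes nothing on the FortiGate, so it can be run before the cleanup scripts and again afterwards, before the next install, to confirm that nothing is left flagged. It assumes the same 'exec' prompt convention as the scripts above, numbered static route entries and quoted tunnel names.

```tcl
#!
# Added read-only audit: nothing is changed on the FortiGate.
proc audit {show_cmd edit_re comment_key} {
    set flagged [list]
    set current ""
    foreach line [split [exec "$show_cmd\n" "# "] \n] {
        if {[regexp $edit_re $line match name]} {
            # Remember which entry the following 'set' lines belong to
            set current $name
        } elseif {[regexp "set\\s$comment_key\\s\"(.*)\"" $line match value]} {
            # Case-sensitive match, same as the cleanup scripts
            if {[regexp {IPSec Template|VPN Manager} $value]} {
                lappend flagged "$current => \"$value\""
            }
        }
    }
    return $flagged
}
#
# Assumptions: static routes are numbered entries, tunnel names are quoted
set checks [list \
    "show router static"              {edit\s(\d+)}       comment \
    "show vpn ipsec phase1-interface" {edit\s"([^"]+)"}   comments \
    "show vpn ipsec phase2-interface" {edit\s"([^"]+)"}   comments]
#
set total 0
foreach {show_cmd edit_re comment_key} $checks {
    set flagged [audit $show_cmd $edit_re $comment_key]
    puts "== $show_cmd: [llength $flagged] flagged"
    foreach entry $flagged {
        puts "   $entry"
    }
    incr total [llength $flagged]
}
puts "Entries still carrying a template/VPN Manager comment: $total"
```

A non-zero total after the cleanup scripts means some entry did not match the case-sensitive patterns and would still be removed by the next install.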
Related articles:

Tcl scripts

Technical Tip: How to troubleshoot TCL Scripts failed in FortiManager

Technical Tip: How to find the interface's MAC address

Technical Tip: How to fetch FortiAP and FortiSwitch Serials using TCL Script in FortiManager