In this example, 'port3' is replaced with 'port2' on two FortiGates: FGT-A has no VDOMs, and FGT-B has VDOMs enabled, so the script makes its changes in the 'root' VDOM.
- Check the current policies on the FortiGates:
FGT-A:

FGT-B (vdom = root):

Note: Follow the initial steps in this article to enable and run TCL scripts in FortiManager: Technical Tip: How to use Tcl script...existing route.
- Go to Device Manager -> Scripts, select 'TCL Script' as the Type, and select 'Create new'.
Create the following Tcl script:
```tcl
# Define the procedure to execute commands
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# "]
}
#
# Execute command to get system status
#
set status [exec "get system status\n" "# " 15]
#
# Check if VDOM is disabled
#
if {[regexp {Virtual domain configuration: disable} $status]} {
    set vdom_enabled false
} else {
    set vdom_enabled true
}
#
# Define the VDOM if enabled
#
if {$vdom_enabled} {
    set vdom "root"
}
#
# Define the interface to change and the new interface
#
set intftochange "port3"
set intfchangewith "port2"
#
# Print interface information
puts "Interface to change: $intftochange"
puts "Interface to change with: $intfchangewith"
#
# Enter the VDOM if VDOMs are enabled
if {$vdom_enabled} {
    do_cmd "config vdom"
    do_cmd "edit $vdom"
}
# Iterate through the firewall policies and record which policy IDs
# reference $intftochange as source or destination interface
foreach line1 [split [exec "show firewall policy\n" "# "] \n] {
    if {[regexp {edit[ ]+([0-9]+)} $line1 match policyid]} {
        continue
    }
    # Record policies whose source interface is $intftochange
    if {[regexp "set (srcintf) \"$intftochange\"" $line1 match key1 value1]} {
        lappend policysrc($policyid) "$key1 $value1"
    }
    # Record policies whose destination interface is $intftochange
    if {[regexp "set (dstintf) \"$intftochange\"" $line1 match key2 value2]} {
        lappend policydst($policyid) "$key2 $value2"
    }
}
do_cmd "config firewall policy"
# Modify source interfaces
# Note: 'set srcintf <name>' replaces the policy's whole source interface
# list, so a policy that lists several source interfaces ends up with only
# $intfchangewith; the same applies to 'set dstintf' below.
foreach policyid [array names policysrc] {
    do_cmd "edit $policyid"
    do_cmd "set $key1 $intfchangewith"
    do_cmd "next"
}
# Modify destination interfaces
foreach policyid [array names policydst] {
    do_cmd "edit $policyid"
    do_cmd "set $key2 $intfchangewith"
    do_cmd "next"
}
# Exit configuration mode (and the VDOM, if one was entered)
do_cmd "end"
if {$vdom_enabled} {
    do_cmd "end"
}
```
Note:
The script takes into consideration whether VDOMs are enabled on the FortiGate. The same script can be run on multiple FortiGates.
Make sure to change the variables 'intftochange', 'intfchangewith', and 'vdom' as required.
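The following Tcl snippet is an added, offline "dry run" version of the matching logic above and is not part of the original article or its script. It works on a constructed sample of 'show firewall policy' output instead of the live exec call, and it goes one step further than the article's script: when a policy's srcintf or dstintf holds several interfaces, only the matching member is swapped and the others are kept. It prints the CLI commands it would apply rather than running them.

```tcl
# Constructed sample of 'show firewall policy' output; on a FortiGate the
# article's script obtains this with [exec "show firewall policy\n" "# "].
set sample {config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port1"
    next
    edit 2
        set srcintf "port3" "port4"
        set dstintf "port1" "port3"
    next
    edit 3
        set srcintf "port5"
        set dstintf "port1"
    next
end}

# Return the FortiOS CLI commands that swap $old for $new in every srcintf and
# dstintf list that contains it, keeping the other members of the list intact.
proc plan_intf_replace {output old new} {
    array set changes {}
    set policyid ""
    foreach line [split $output \n] {
        set line [string trim $line]
        if {[regexp {^edit\s+(\d+)$} $line -> policyid]} continue
        if {![regexp {^set (srcintf|dstintf)\s+(.+)$} $line -> key rest]} continue
        # rest looks like: "port3" "port4" -> drop the quotes, split on whitespace
        set members [regexp -all -inline {\S+} [string map [list \" {}] $rest]]
        if {[lsearch -exact $members $old] < 0} continue
        set quoted {}
        foreach m $members {
            if {$m eq $old} { set m $new }
            lappend quoted "\"$m\""
        }
        lappend changes($policyid) "set $key [join $quoted { }]"
    }
    set cmds [list "config firewall policy"]
    foreach policyid [lsort -integer [array names changes]] {
        lappend cmds "edit $policyid"
        foreach c $changes($policyid) { lappend cmds $c }
        lappend cmds "next"
    }
    lappend cmds "end"
    return $cmds
}

# Print the plan; each line could be passed to the article's do_cmd to apply it.
puts [join [plan_intf_replace $sample "port3" "port2"] \n]
```

Policy 3 references neither interface and is left out of the plan, which makes it easy to review exactly which policies would change before running anything against a device.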
- After the script runs successfully, check the policies on the FortiGates: 'port3' has been replaced with 'port2':
FGT-A:

FGT-B (vdom = root):

The script is useful when the FortiGate is managed by a FortiManager ADOM in backup mode (see ADOM Modes), where policies are not managed from FortiManager Policy & Objects.
Related documents:
Tcl scripts.
Technical Tip: How to troubleshoot TCL Scripts failed in FortiManager.
Technical Tip: How to fetch MAC address of all physical interfaces of FortiGates using a FortiManage...