FortiManager
farhanahmed
Staff
Article Id 288279
Description

 

This article describes how to use a TCL script in FortiManager to fetch a FortiGate interface IP address and set it as the source IP in the FortiGate's FortiAnalyzer logging configuration. Setting the source IP is helpful when connectivity to FortiAnalyzer is through a VPN tunnel.

The script can be run for multiple FortiGates at the same time.

 

Scope

 

FortiManager.

 

Solution

 

1. To enable the TCL script, configure the following CLI settings in FortiManager.

 

config system admin setting

(setting) set show_tcl_script enable

(setting) end

 

 

2. Go to Device Manager -> Scripts, select type TCL Script, and select 'Create new'.

 

Create the below TCL script:

 

#!
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# " 15]
}
do_cmd "config system interface"
#
# FortiGate interface to fetch the IP address
#
do_cmd "edit port1"
set query [exec "show\n" "# "]
set output [split $query \n]
#
# Fetching the interface IP address
#
regexp {(?:\d+\.\d+\.\d+\.\d+){1}} $output ip
do_cmd "end"
#
# Setting the source IP
#
do_cmd "config log fortianalyzer setting"
do_cmd "set status enable"
do_cmd "set source-ip $ip"
do_cmd "end"

 


 

The script fetches the IP address of the FortiGate interface (set on line 9 of the script above, 'edit port1') and sets it as the source-ip.

 

Note:

For FortiGate(s) with VDOMs enabled, a different script will be required.

 

#!
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# " 15]
}
do_cmd "config global"   ;# 'config global' is required for FortiGate(s) with VDOMs.
do_cmd "config system interface"
#
# FortiGate interface to fetch the IP address
#
do_cmd "edit port1"
set query [exec "show\n" "# "]
set output [split $query \n]
#
# Fetching the interface IP address
#
regexp {(?:\d+\.\d+\.\d+\.\d+){1}} $output ip
do_cmd "end"
#
# Setting the source IP
#
do_cmd "config log fortianalyzer setting"
do_cmd "set status enable"
do_cmd "set source-ip $ip"
do_cmd "end"
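Both scripts above fail on 'set source-ip $ip' if the interface has no static address (for example a DHCP interface), because the regexp never sets $ip. The following variant, an added example and not part of the original article, checks for the 'set ip' line explicitly and leaves the FortiAnalyzer setting unchanged when no address is found. It assumes a FortiGate without VDOMs, like the first script; with VDOMs, add do_cmd "config global" first as the second script does.

```tcl
#!
# Added example: same FortiManager TCL 'exec' calls as the article's script,
# with an explicit check that the interface actually has a static IP.
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# " 15]
}

# Interface whose address becomes the logging source IP (assumption: port1).
set intf "port1"

do_cmd "config system interface"
do_cmd "edit $intf"
set query [exec "show\n" "# "]
do_cmd "end"

# Match only the 'set ip <addr> <mask>' line, so no other dotted quad that
# may appear in the interface's 'show' output is picked up by mistake.
set ip ""
foreach line [split $query \n] {
    if {[regexp {^\s*set ip (\d+\.\d+\.\d+\.\d+)} $line -> addr]} {
        set ip $addr
        break
    }
}

if {$ip eq ""} {
    # No static address: report it instead of pushing an invalid source-ip.
    puts "ERROR: no static IP found on $intf; FortiAnalyzer source-ip left unchanged"
} else {
    puts "Using $ip from $intf as FortiAnalyzer source-ip"
    do_cmd "config log fortianalyzer setting"
    do_cmd "set status enable"
    do_cmd "set source-ip $ip"
    do_cmd "end"
}
```

When run against several FortiGates at once, the ERROR line in the script output identifies the devices that were skipped, so the source-ip can be set for them by hand.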

 

 

3. On the FortiGate, check that no source IP is set yet:

 

get log fortianalyzer setting

 

 


 

Check the same under FortiManager -> Device Manager.

 


 

 

4. Check the IP address on port1 of the FortiGate:

 


 

Check under FortiManager -> Device Manager:

 


 

5. Run the script under Device Manager -> Scripts: select the script and select 'Run Script':

 


 

Select the FortiGate and select the right arrow:

 


 

 

Select Run Now:

 


 

Select OK:

 


 

The script is running:

 


 

Script ran successfully:

 


 

 

Note:
If there are any errors, refer to the document below to troubleshoot TCL scripts:

Technical Tip: How to troubleshoot TCL Scripts failed in FortiManager

 

6. The FortiGate(s) now have the source-ip set to the IP address of the FortiGate interface (port1 in this example):

 


 

Check under FortiManager -> Device Manager:

 


 

Related documents:

Technical Tip: How to troubleshoot TCL Scripts failed in FortiManager

Tcl scripts