FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
vraev
Staff
Article Id 380313
Description

This article describes how to view the TCL script results.

Scope

FortiManager.

Solution

The TCL scripts can be enabled on FortiManager with the following CLI setting:

config system admin setting
    set show_tcl_script {enable | disable - default}
end

When enabled, the TCL type scripts become available under 'Device Manager -> Device & Groups -> Scripts -> Create New -> Type: TCL Script'.

[Image: FMG_TCL_SCRIPT_1.png]

Note: This article applies only to TCL scripts run directly on the managed FortiGates.

In the TCL script menu, the only available option for 'Run script on' is 'Remote FortiGate directly (via CLI)'. However, it is also possible to run TCL scripts on devicedb and adomdb by using custom commands at the beginning of the script. For more information and examples of this use case, refer to Use Tcl script to access FortiManager’s device database or ADOM database - FortiManager administrati....

Once created, the TCL script can be run on the selected FortiGates like any other FortiManager script.

The task result looks like this:

[Image: TCL_script_execution.png]

Selecting the icon on the right in the Details column displays the script log.

[Image: TCL_script_output.png]

The following examples show what the output normally looks like:

Example 1:

-------Executing time: Tue Feb 25 09:44:52 2025-----------
Starting log (Run on device)

----------------End of Log-------------------------

Example 2:

-------Executing time: Tue Feb 25 10:24:21 2025-----------
Starting log (Run on device)
config system interface
FGT91G-5 (interface) #
edit port1
change table entry 'port1'
FGT91G-5 (port1) #
end
cmd_clean_context 0, abort=0
FGT91G-5 #

If running the script returns an error, the details are printed in the same log.

Troubleshooting:

FortiManager runs the TCL scripts through the FGFM tunnels to the managed FortiGates, but opens an SSH session on top of that tunnel.

While there is no live debug for the script itself, it is possible to view the debug of the underlying SSH session via the FortiGate CLI.

Run in the FortiGate CLI:

diagnose debug application sshd -1
diagnose debug enable

Then start the script on the FortiManager side; the FortiGate debug should start printing the SSH connection log:

SSH: KEX done
SSH: userauth-request for user admin service ssh-connection method password
SSH: attempt 0 failures 0
SSH: input_userauth_request: setting up authctxt for admin
SSH: input_userauth_request: try method password
SSH: error: Could not get shadow information for admin
SSH: Failed password for admin from 169.254.0.1 port 21324 ssh2
SSH: userauth_finish: failure partial=0 next methods="publickey,password"
SSH: Connection closed by 169.254.0.1

In this example, the script execution failed due to an incorrect 'admin' password.
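As an added example (not part of the original article), the following Python splits a task log in the format of Examples 1 and 2 above into per-command exchanges and checks FortiGate sshd debug output for the failed-password signature shown in this troubleshooting section. Both inputs are constructed from the article's own samples, and the prompt pattern assumes the 'hostname (context) #' form seen there.

```python
import re
from datetime import datetime

# Constructed sample: the task log of Example 2 above, joined into one string.
TASK_LOG = """-------Executing time: Tue Feb 25 10:24:21 2025-----------
Starting log (Run on device)
config system interface
FGT91G-5 (interface) #
edit port1
change table entry 'port1'
FGT91G-5 (port1) #
end
cmd_clean_context 0, abort=0
FGT91G-5 #
----------------End of Log-------------------------
"""
# Constructed sample: sshd debug lines from the Troubleshooting section.
SSHD_DEBUG = """SSH: error: Could not get shadow information for admin
SSH: Failed password for admin from 169.254.0.1 port 21324 ssh2
SSH: Connection closed by 169.254.0.1
"""

TIME_RE = re.compile(r"Executing time: (.+?)-+$")
PROMPT_RE = re.compile(r"^\S+ (\([^)]+\) )?#\s*$")  # "FGT91G-5 (port1) #" or "FGT91G-5 #"
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+) port (\d+)")

def parse_task_log(text):
    """Return (executed_at, [(command, [reply lines]), ...]). Each FortiGate prompt
    closes one exchange: the line after the previous prompt is the echoed command."""
    executed_at, exchanges, current = None, [], None
    for line in text.splitlines():
        m = TIME_RE.search(line)
        if m:
            executed_at = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")
        elif not line.strip() or line.startswith(("Starting log", "----")):
            continue                      # log header/footer, not device traffic
        elif PROMPT_RE.match(line):       # a prompt closes the open exchange
            if current: exchanges.append(current)
            current = None
        elif current is None:
            current = (line, [])          # echoed command opens a new exchange
        else:
            current[1].append(line)       # device output for that command
    return executed_at, exchanges

def ssh_auth_failure(debug_text):
    """Return {'user', 'source', 'port'} for a failed-password line, or None."""
    m = FAIL_RE.search(debug_text)        # first match anywhere in the debug output
    return m and {"user": m.group(1), "source": m.group(2), "port": int(m.group(3))}
```

A run like Example 1, which shows only 'Starting log' and 'End of Log', parses to an empty exchange list, which distinguishes a script that sent no CLI commands from one that did.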

 

Stop the debug:

diagnose debug disable
diagnose debug reset

Then add or update the admin user / password of each FortiGate under Device Manager by right-clicking the device and selecting Edit.


[Image: admin_pass1.png]

If there are still issues, run the FortiGate side debug once again.