Created on 03-04-2025 07:20 AM
Edited on 11-23-2025 06:32 AM
By Jean-Philippe_P
This article describes how to view the TCL script results.
FortiManager.
The TCL scripts can be enabled on FortiManager with the following CLI setting:
config system admin setting
    set show_tcl_script {enable | disable - default}
end
When enabled, the TCL type scripts become available under 'Device Manager -> Device & Groups -> Scripts -> Create New -> Type: TCL Script'.
Note: This article applies only to TCL scripts run directly on the managed FortiGates.
In the TCL script menu, the only available option to 'Run script on' is 'Remote FortiGate directly (via CLI)'. However, it is also possible to run TCL scripts on devicedb and adomdb by using custom commands at the beginning of the scripts. For more information and examples of this use case, refer to this document: Use Tcl script to access FortiManager’s device database or ADOM database.
Once created, the TCL script can be run on the selected FortiGates, similar to any other FortiManager script.
The task result would look like this:
Selecting the right icon in the Details column displays the script log.
The following examples show how normal output should look:
Example 1:
-------Executing time: Tue Feb 25 09:44:52 2025-----------
Starting log (Run on device)
----------------End of Log-------------------------
Example 2:
-------Executing time: Tue Feb 25 10:24:21 2025-----------
Starting log (Run on device)
config system interface
FGT91G-5 (interface) #
edit port1
change table entry 'port1'
FGT91G-5 (port1) #
end
cmd_clean_context 0, abort=0
FGT91G-5 #
If running the script returns an error, the details are also printed in the same log.
Troubleshooting:
FortiManager runs the TCL scripts over the FGFM tunnels to the managed FortiGates, and opens an SSH session on top of the tunnel.
While there is no live debug for the script itself, it is possible to view the debug of the SSH underlay via the FortiGate CLI.
Run in the FortiGate CLI:
diagnose debug application sshd -1
diagnose debug enable
Then start the script on the FortiManager side, and the FortiGate debug should start printing the SSH connection log:
SSH: KEX done
SSH: userauth-request for user admin service ssh-connection method password
SSH: attempt 0 failures 0
SSH: input_userauth_request: setting up authctxt for admin
SSH: input_userauth_request: try method password
SSH: error: Could not get shadow information for admin
SSH: Failed password for admin from 169.254.0.1 port 21324 ssh2
SSH: userauth_finish: failure partial=0 next methods="publickey,password"
SSH: Connection closed by 169.254.0.1
In this example, the script execution has failed due to an incorrect 'admin' password.
It is also possible to check the CLI behavior and the FGFM connection on the FortiGate while running the script:
On FortiGate CLI:
diagnose debug cli 255
diagnose debug app fgfmd 255
Stop the debug:
diagnose debug disable
diagnose debug reset
Afterwards, add or update the admin_user / password of each FortiGate under Device Manager by right-clicking the device and selecting Edit.
If there are still issues, try the FortiGate side debug once again.
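When the sshd debug is captured from several FortiGates, the failed logins can be pulled out of the saved output with a short parser. The following is an added example, not Fortinet code: the function names are hypothetical, the sample is built from lines of the debug output shown above, and it assumes a saved capture uses the same line format.

```python
import ipaddress
import re

# Constructed sample: lines taken from the sshd debug output shown in the article.
SAMPLE = """\
SSH: KEX done
SSH: userauth-request for user admin service ssh-connection method password
SSH: attempt 0 failures 0
SSH: error: Could not get shadow information for admin
SSH: Failed password for admin from 169.254.0.1 port 21324 ssh2
SSH: userauth_finish: failure partial=0 next methods="publickey,password"
SSH: Connection closed by 169.254.0.1
"""

REQUEST = re.compile(r"SSH: userauth-request for user (\S+) service \S+ method (\S+)")
FAILED = re.compile(r"SSH: Failed (\S+) for (\S+) from (\S+) port (\d+)")
CLOSED = re.compile(r"SSH: Connection closed by (\S+)")


def summarize_ssh_debug(text):
    """Group sshd debug lines into connections; 'KEX done' opens one, 'closed' ends it."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("SSH:"):
            continue  # skip output from other debug daemons (cli, fgfmd)
        if cur is None or line == "SSH: KEX done":
            cur = {"requests": [], "failures": [], "closed_by": None}
            sessions.append(cur)
        if m := REQUEST.match(line):
            cur["requests"].append({"user": m[1], "method": m[2]})
        elif m := FAILED.match(line):
            try:  # link-local source, as in the article's sample (169.254.0.1)
                link_local = ipaddress.ip_address(m[3]).is_link_local
            except ValueError:
                link_local = False
            cur["failures"].append({"method": m[1], "user": m[2], "source": m[3],
                                    "port": int(m[4]), "link_local": link_local})
        elif m := CLOSED.match(line):
            cur["closed_by"] = m[1]
            cur = None
    return sessions


def failed_logins(text):
    """Return (user, method, source) for every rejected authentication attempt."""
    return [(f["user"], f["method"], f["source"])
            for s in summarize_ssh_debug(text) for f in s["failures"]]


if __name__ == "__main__":
    for user, method, source in failed_logins(SAMPLE):
        print(f"{method} rejected for '{user}' from {source}: check the stored device credentials")
```

A failure whose source is link-local, like 169.254.0.1 in the sample, matches the session the article attributes to the script run; a failure from any other source is a different SSH client and is unrelated to the stored FortiManager credentials.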