The Problem
FortiManager allows for the scheduling of the execution of CLI and TCL scripts. When setting up scheduling, the user is able to select FortiGate devices OR device groups that are to be included in the scheduled script execution. But the way that the selection works, the device groups themselves are not actually assigned to the schedule. It appears that the devices that are in the group are assigned instead. This severely degrades the usefulness of selecting device groups, which is that when a group of devices is selected for the schedule, if devices are added or removed from the group, then they would be added/removed from the schedule execution. In this way, it would be easy to set up a schedule for a group and then simply maintain the desired device membership in the device group. Unfortunately, that isn't the behavior of group selection.
Behavior exists on FMG v7.4.3-build2487 240514 (GA) and others.
Setup
FortiManager allows for the creation of CLI and TCL scripts. These scripts are a powerful and flexible way of applying configurations to FortiGates. It is also possible to schedule CLI and TCL scripts. The scheduling must be enabled first by executing the following commands from the FortiManager CLI.
config system admin setting
set show_schedule_script enable
end
Once the scheduling feature is enabled, the CLI/TCL script page shows a new option for "Scheduling", which is accessible via the "More" drop down menu. The picture below shows this.
Scheduling a Script
To schedule a specific scrip, first select the script (so that it is highlighted) and then select "Schedule Script" from the "More" drop down menu. You can also schedule a script by hovering over the "schedule" column of the desired script and click on the right hand side handle, as shown below (the red square surrounds the edit handle).
Set the Schedule Parameters
When the edit handle is clicked or the "Schedule Script" menu is clicked, the "Schedule Script" configuration dialog is opened, as shown in the image below.
The schedule needs to be enabled, the periodicity needs to be selected, and the target FortiGates need to be selected. Note that the device group ALL_FORTIGATES was selected (as shown in the image above).
Pressing the "Set Schedule" button closes the script schedule dialog and opens a confirmation dialog box, as shown below. Note that the dialog shows that the ALL_FORTIGATES device group was selected for the scheduled script.
One would imagine that this means that the group itself is configured for the script schedule (and not individual FortiGates that are members of the group). In our example, two firewalls belong to the ALL_FORTIGATES group. They are branch_03 and hub_01, as shown (in the red box) in the image below.
The Problem
When you open the schedule up again, you will find that the group is no longer selected. Instead, the members of the group are selected. See the image below.
This means that if members are added or removed from the ALL_FORTIGATES device group, the membership changes will NOT be reflected in the script schedule. This severely impairs the usefulness of assigning groups to the script schedule because one of the main benefits of selecting a group would be that you could add or remove devices from the group and the script would run on a schedule against the current members of the group. In this way, you can configure the script schedule and assign a group and then the only maintenance task is to maintain the correct device membership in the device group.
Questions
The current behavior might be a bug, or maybe it was programmed that way intentionally. Either way, the behavior makes selecting a group basically useless. Is there something I am getting wrong here? Or is this a bug that needs to be fixed?
