Hi,
On our FortiManager (5.4.1 VM) we have an ADOM defined with several VDOM's, each with its own firewall policy package.
These policy packages already have hundreds of policies. Right now we need to update a few parameters of every single policy in all policy packages. There is no way we can do this manually in the GUI policy by policy.
We could grab the whole configuration of FortiManager or directly the FortiGates in a text form and do a search/replace and then re-apply it. But I don't find this to be the smartest way to change configuration.
I believe the ideal approach is to use a script.
CLI scripts do not make sense because there is no way to use variables, loops, if/else statements etc. in a CLI script.
So I turned my attention to TCL scripts. I have enabled them for FortiManager.
I am actually able to write a TCL script which should do exactly what I need the script to do. There are nice examples in the administration guide or here in the forum.
My problem is how to execute such TCL script against particular policy package.
When I go to "Device Manager" -> "Scripts" and create a new TCL script, the only target I can choose is "Remote FortiGate Directly (via CLI)". Somehow the option to run it against "Policy Package, ADOM database" is missing (it is available for CLI scripts).
I am a bit afraid of this "Remote FortiGate Directly" option, as it sounds like bypassing FortiManager's database and bringing FortiGate and FortiManager out of sync by executing the TCL script in this way.
I would like to run the following script:
#!
# Send one CLI line to the FortiGate session and print the reply
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# "]
}

# Parse "show firewall policy" output into an array keyed by policy ID;
# the output lines end in CRLF, hence the trailing \r in the regexp
foreach line [split [exec "show firewall policy\n" "# "] "\n"] {
    if {[regexp {edit[ ]+([0-9]+)} $line match policyid]} {
        continue
    } elseif {[regexp {set[ ]+(\w+)[ ]+(.*)\r} $line match key value]} {
        lappend fw_policy($policyid) "$key $value"
    }
}

# Set the same comment on every policy found above
do_cmd "config firewall policy"
foreach policyid [array names fw_policy] {
    do_cmd "edit $policyid"
    do_cmd "set comments comment_string_here"
    do_cmd "next"
}
do_cmd "end"
So how can I run this TCL script on FortiManager against a Policy Package, when there is no such option in the script settings?
Thank you in advance for any hints.
Martin
Hello,
I am not aware of any way to run TCL script on the policy package. If you run it on the FGT directly, an autoupdate/retrieve should update your device manager database and then you would need to import policies from device manager to policy&object database.
Did you look at the JSON API? It may help to achieve what you want.
Regards
Jocelyn
Hi Jocelyn,
Thanks for the feedback. Well yes, exactly: do it directly on the FGT, then re-import the policies to FMGR, but I don't like this idea. Any time we need to do such a change we would have to re-import. I was hoping there is a neater way.
I was looking at the JSON API today, but I find the documentation a bit difficult to understand; I found no description of the functions, I have to guess them. But I will give it a try.
Thanks again.
Martin
According to this: http://help.fortinet.com/fmgr/50hlp/56/5-6-1/FortiManager_Admin_Guide/1000_Device%20Manager/2400_Scr... it is possible and works (tested), but it's strange when you say run this on "Remote FortiGate Directly (via CLI)" but actually you are running it on the local FortiManager database.
For policy see Example 2 in the link:
puts [exec_ondb "/adom/./pkg/<pkg_fullpath>" "embedded cli commands" "# "] or puts [exec_ondb "/pkg/<pkg_fullpath>" "embedded cli commands" "# "]
You simply run the script against any device and exec_ondb will execute the commands against the ADOM database. So as long as you do not include any "exec" commands in the script, all exec_ondb commands will be applied to the ADOM database and nothing will be executed on the FortiGate. But you do have to select a single FortiGate to run the script against, even though your script won't actually do anything to the FortiGate because your script won't have any "exec" commands.
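Putting the two halves of the thread together (Martin's comment-update script at the top and the exec_ondb explanation above), here is an added example of the same bulk change written against the ADOM database instead of the device. This is not code from the original posts or from the FortiManager guide. It assumes the "/pkg/<pkg_fullpath>" path form quoted above, uses PKG_PATH and the comment text as placeholders, and assumes that config state ("config ... edit ... next ... end") persists between consecutive exec_ondb calls the same way it does between exec calls in the original script; if it does not on your version, the guide's Example 2 is the reference for batching the commands.

```tcl
#!
# Added example (not from the original post or the FortiManager guide):
# set the comments field on every policy of one policy package by driving
# the ADOM database with exec_ondb, so no "exec" call reaches the FortiGate.
# Placeholders: PKG_PATH (package name as shown in Policy & Objects) and
# the comment text. The script still has to be assigned to one managed
# device in Device Manager to run at all.
set pkg_path    "/pkg/PKG_PATH"
set new_comment "comment_string_here"

# Send one CLI line to the ADOM database and return its output.
# Assumption: config state persists between calls as it does with "exec".
proc db_cmd {cmd} {
    global pkg_path
    return [exec_ondb $pkg_path "$cmd\n" "# "]
}

# Collect the ID of every policy currently in the package. Only the
# "edit <id>" lines are needed here, so no CRLF-sensitive regexp is used.
set policy_ids {}
foreach line [split [db_cmd "show firewall policy"] "\n"] {
    if {[regexp {edit[ ]+([0-9]+)} $line match policyid]} {
        lappend policy_ids $policyid
    }
}

if {[llength $policy_ids] == 0} {
    # Typo in PKG_PATH or an empty package: stop before touching anything.
    puts "No policies found in $pkg_path, nothing changed"
} else {
    # Apply the change policy by policy, inside one config block.
    db_cmd "config firewall policy"
    foreach policyid $policy_ids {
        db_cmd "edit $policyid"
        db_cmd "set comments \"$new_comment\""
        db_cmd "next"
    }
    db_cmd "end"
    puts "Updated comments on [llength $policy_ids] policies in $pkg_path"
}
```

Because db_cmd never calls exec, the device selected when the script is run is untouched; the edited package is then installed to the FortiGate through the normal policy package install, which is what keeps the FortiManager database and the device in sync and avoids the re-import step Jocelyn described.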
Copyright 2024 Fortinet, Inc. All Rights Reserved.