Support Forum
mvl
New Contributor

How to run TCL script against ADOM's policy package?

Hi,

 

On our FortiManager (5.4.1 VM) we have an ADOM defined with several VDOM's, each with its own firewall policy package.

These policy packages have already hundreds of policies. Right now we are in need to update few parameters of every single policy in all policy packages. There is no way we can do this manually in GUI policy by policy.

 

We could grab the whole configuration of FortiManager or directly the FortiGates in a text form and do a search/replace and then re-apply it. But I don't find this to be the smartest way to change configuration.

 

I believe the ideal approach is to use a script.

CLI scripts do not make sense because there is no way to use variables, loops, if/else statements etc. in a CLI script.

 

So I turned my attention to TCL scripts. I have enabled them for FortiManager.

I am actually able to write a TCL script which should do exactly what I need the script to do. There are nice examples in the administration guide or here in the forum. 

 

My problem is how to execute such TCL script against particular policy package.

When I go to "Device Manager" -> "Scripts" and create a new TCL script, the only target I can choose is "Remote FortiGate Directly (via CLI)". Somehow the option to run it against "Policy Package, ADOM database" is missing (is available for CLI scripts). 

I am a bit afraid of this "Remote FortiGate Directly" option, as it sounds like bypassing FortiManager's database and bringing FortiGate and FortiManager out of sync by executing the TCL script in this way.

 

I would like to run the following script:

 

#!
# Send one CLI line to the target and print the response.
proc do_cmd {cmd} {
        puts [exec "$cmd\n" "# "]
}

# Read the current policy table and collect the "set" lines of each policy,
# keyed by policy ID. The device returns CRLF line endings, hence the \r in
# the second pattern.
foreach line [split [exec "show firewall policy\n" "# "] \n] {
        if {[regexp {edit[ ]+([0-9]+)} $line match policyid]} {
                continue
        } elseif {[regexp {set[ ]+(\w+)[ ]+(.*)\r} $line match key value]} {
                lappend fw_policy($policyid) "$key $value"
        }
}

do_cmd "config firewall policy"

# Update the comment field of every policy found above.
foreach policyid [array names fw_policy] {
        do_cmd "edit $policyid"
        do_cmd "set comments comment_string_here"
        do_cmd "next"
}

do_cmd "end"

 

 

So how can I run this TCL script on FortiManager against a Policy Package, when there is no such option in the script settings? 

 

Thank you in advance for any hints.

Martin

 

 

jhouvenaghel_FTNT

Hello,

 

I am not aware of any way to run TCL script on the policy package. If you run it on the FGT directly, an autoupdate/retrieve should update your device manager database and then you would need to import policies from device manager to policy&object database.

 

Did you look at the JSON API? It may help to achieve what you want.

 

Regards

 

Jocelyn

mvl

Hi Jocelyn,

 

Thanks for the feedback. Well yes, exactly: do it directly on the FGT, then re-import the policies to FMGR, but I don't like this idea. Any time we need to make such a change we would have to re-import. I was hoping there is a neater way.

 

I was looking at the JSON API today, but I find the documentation a bit difficult to understand; I found no description of the functions, so I have to guess them. But I will give it a try.

 

Thanks again.

Martin

fsfetea
New Contributor

According to this: http://help.fortinet.com/fmgr/50hlp/56/5-6-1/FortiManager_Admin_Guide/1000_Device%20Manager/2400_Scr... it is possible and works (tested), but it's strange that you say "run this on Remote FortiGate Directly (via CLI)" when actually you are running it on the local FortiManager database.

 

For policy see Example 2 in the link

 

puts [exec_ondb "/adom/./pkg/<pkg_fullpath>" "embedded cli commands" "# "] or puts [exec_ondb "/pkg/<pkg_fullpath>" "embedded cli commands" "# "]

Katoomba
New Contributor III

You simply run the script against any device and exec_ondb will execute the commands against the ADOM database. So as long as you do not include any "exec" commands in the script, all exec_ondb commands will be applied to the ADOM database and nothing will be executed on the FortiGate. But you do have to select a single FortiGate to run the script against, even though your script won't actually do anything to the FortiGate because your script won't have any "exec" commands.

Katoomba
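Putting the two answers together, here is Martin's comment-update script rewritten to use exec_ondb so that every command goes to the policy package in the ADOM database and nothing is sent to the FortiGate selected as the script target. This is an added example, not code from the original post or from Fortinet's documentation. The package path is a placeholder taken from fsfetea's syntax, and it is assumed that exec_ondb returns "show" output in the same "edit <id>" / "set <key> <value>" layout as the device CLI; verify both on a test package before running it against production.

```tcl
#!
# Added example (not from the original thread): update the comment field of
# every policy in a policy package through exec_ondb only. No plain "exec"
# is used, so the FortiGate chosen as the script target is never touched.
#
# Assumptions: pkg_path is a placeholder and must be replaced with your own
# package path ("." stands for the ADOM of the selected device); the "show"
# output returned by exec_ondb is assumed to look like FortiGate CLI output.
set pkg_path    "/adom/./pkg/<pkg_fullpath>"
set new_comment "comment_string_here"

# Send CLI text to the ADOM database and return the response.
proc db_cmd {cmd} {
    global pkg_path
    return [exec_ondb $pkg_path "$cmd\n" "# "]
}

# Collect the policy IDs and their settings from the package. The regexps
# accept both CRLF and LF line endings, so the parser does not silently
# drop every "set" line if the database output differs from device output.
array set fw_policy {}
set policyid ""
foreach line [split [db_cmd "show firewall policy"] \n] {
    if {[regexp {^\s*edit\s+([0-9]+)} $line -> id]} {
        set policyid $id
        set fw_policy($policyid) [list]
    } elseif {$policyid ne "" && [regexp {^\s*set\s+(\w+)\s+([^\r]*)} $line -> key value]} {
        lappend fw_policy($policyid) "$key $value"
    }
}

if {[array size fw_policy] == 0} {
    # A wrong package path or an output-format mismatch shows up here
    # instead of as a silent no-op change.
    puts "no policies parsed from $pkg_path; check the package path and the show output"
} else {
    puts "updating comments on [array size fw_policy] policies in $pkg_path"

    # Build the whole config block as one string and send it in a single
    # exec_ondb call, so the change does not depend on exec_ondb keeping
    # CLI context between calls. IDs are sorted so the run is deterministic.
    set cmds "config firewall policy\n"
    foreach policyid [lsort -integer [array names fw_policy]] {
        append cmds "edit $policyid\n"
        append cmds "set comments \"$new_comment\"\n"
        append cmds "next\n"
    }
    append cmds "end\n"
    puts [exec_ondb $pkg_path $cmds "# "]
}
```

Because the change lands in the ADOM database, the devices do not pick it up until the policy package is installed from FortiManager, which is exactly the ordering Martin wanted (database first, then push), rather than changing the FortiGate directly and re-importing.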