
How to run TCL script against ADOM's policy package?



On our FortiManager (5.4.1 VM) we have an ADOM defined with several VDOMs, each with its own firewall policy package.

These policy packages already have hundreds of policies. Right now we need to update a few parameters of every single policy in all policy packages. There is no way we can do this manually in the GUI, policy by policy.


We could grab the whole configuration of FortiManager or directly the FortiGates in a text form and do a search/replace and then re-apply it. But I don't find this to be the smartest way to change configuration.


I believe the ideal approach is to use a script.

CLI scripts do not make sense because there is no way to use variables, loops, if/else statements etc. in a CLI script.


So I turned my attention to TCL scripts. I have enabled them for FortiManager.

I am actually able to write a TCL script which should do exactly what I need the script to do. There are nice examples in the administration guide or here in the forum. 


My problem is how to execute such a TCL script against a particular policy package.

When I go to "Device Manager" -> "Scripts" and create a new TCL script, the only target I can choose is "Remote FortiGate Directly (via CLI)". Somehow the option to run it against "Policy Package, ADOM database" is missing (it is available for CLI scripts).

I am a bit afraid of this "Remote FortiGate Directly" option, as it sounds like bypassing FortiManager's database and bringing FortiGate and FortiManager out of sync by executing the TCL script in this way.


I would like to run the following script:


proc do_cmd {cmd} {
        # Send one CLI command and print the output up to the next "# " prompt
        puts [exec "$cmd\n" "# "]
}
foreach line [split [exec "show firewall policy\n" "# "] \n] {
        if {[regexp {edit[ ]+([0-9]+)} $line match policyid]} {
                # "edit <id>" line: policyid now holds the current policy ID
        } elseif {[regexp {set[ ]+(\w+)[ ]+(.*)\r} $line match key value]} {
                # "set <key> <value>" line: record it under the current policy
                lappend fw_policy($policyid) "$key $value"
        }
}
do_cmd "config firewall policy"
foreach policyid [array names fw_policy] {
        do_cmd "edit $policyid"
        do_cmd "set comments comment_string_here"
        do_cmd "next"
}
do_cmd "end"



So how can I run this TCL script on FortiManager against a Policy Package, when there is no such option in the script settings? 


Thank you in advance for any hints.







I am not aware of any way to run a TCL script on the policy package. If you run it on the FGT directly, an autoupdate/retrieve should update your device manager database and then you would need to import policies from device manager to the policy & object database.


Did you look at the JSON API? It may help to achieve what you want.






Hi Jocelyn,


Thanks for feedback. Well yes exactly, do it directly on FGT, then re-import the policies to FMGR, but I don't like this idea. Any time we need to do such change we would have to re-import. I was hoping there is a neater way.


I was looking at the JSON API today, but I find the documentation a bit difficult to understand. I found no description of the functions; I have to guess them. But I will give it a try.


Thanks again.



According to this: it is possible and works (tested), but it's strange when you say run this on Remote FortiGate Directly (via CLI) but actually you are running it on the local FortiManager database.


For policy see Example 2 in the link


puts [exec_ondb "/adom/./pkg/<pkg_fullpath>" "embedded cli commands" "# "]

or

puts [exec_ondb "/pkg/<pkg_fullpath>" "embedded cli commands" "# "]
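
The loop from the original question, adapted to the exec_ondb form given in the reply above, as an added example that is not from the thread or from Fortinet's documentation. It assumes exec_ondb returns command output the way exec does and accepts a multi-line command block; my_adom and my_pkg are placeholders, and policy_ids and build_block are hypothetical helper names.

```tcl
# Added example. Target is the policy package in the FortiManager database,
# so the change stays in the ADOM and is installed to the device normally.
set target "/adom/my_adom/pkg/my_pkg"   ;# placeholder ADOM and package path
set prompt "# "

# Extract policy IDs from "show firewall policy" output.
# Matching only the "edit <id>" prefix tolerates a trailing \r on each line.
proc policy_ids {text} {
    set ids {}
    foreach line [split $text \n] {
        if {[regexp {^\s*edit\s+([0-9]+)} $line -> id]} {
            lappend ids $id
        }
    }
    return $ids
}

# Build one embedded CLI block that sets the same comment on every policy.
# The comment is validated first so a quote or newline in it cannot
# terminate the "set comments" line and smuggle in extra CLI commands.
proc build_block {ids comment} {
    if {![regexp {^[\w .,:/-]+$} $comment]} {
        error "comment contains characters that are unsafe in a CLI block"
    }
    set block "config firewall policy\n"
    foreach id $ids {
        append block "edit $id\n"
        append block "set comments \"$comment\"\n"
        append block "next\n"
    }
    append block "end\n"
    return $block
}

# Assumption: "show" works through exec_ondb the same way it does via exec.
set ids [policy_ids [exec_ondb $target "show firewall policy\n" $prompt]]
if {[llength $ids] == 0} {
    puts "no policies found in $target, nothing to change"
} else {
    puts [exec_ondb $target [build_block $ids "comment_string_here"] $prompt]
}
```

Run it first against a cloned policy package and compare the package revision before installing to any device.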

