How to run a TCL script against an ADOM's policy package?
On our FortiManager (5.4.1 VM) we have an ADOM defined with several VDOMs, each with its own firewall policy package.
These policy packages already contain hundreds of policies. Right now we need to update a few parameters of every single policy in all of the policy packages. There is no way we can do this manually in the GUI, policy by policy.
We could grab the whole configuration of FortiManager, or directly of the FortiGates, in text form, do a search/replace, and then re-apply it. But I don't find this to be the smartest way to change the configuration.
I believe the ideal approach is to use a script.
CLI scripts do not make sense because there is no way to use variables, loops, if/else statements, etc. in a CLI script.
So I turned my attention to TCL scripts. I have enabled them for FortiManager.
I am actually able to write a TCL script which should do exactly what I need it to do. There are nice examples in the administration guide and here in the forum.
My problem is how to execute such a TCL script against a particular policy package.
When I go to "Device Manager" -> "Scripts" and create a new TCL script, the only target I can choose is "Remote FortiGate Directly (via CLI)". Somehow the option to run it against "Policy Package, ADOM database" is missing (it is available for CLI scripts).
I am a bit afraid of this "Remote FortiGate Directly" option, as it sounds like bypassing FortiManager's database and bringing FortiGate and FortiManager out of sync by executing the TCL script in this way.
I am not aware of any way to run a TCL script on the policy package. If you run it on the FGT directly, an auto-update/retrieve should update your Device Manager database, and then you would need to import the policies from Device Manager into the Policy & Objects database.
Did you look at the JSON API? It may help to achieve what you want.
Thanks for the feedback. Well yes, exactly: do it directly on the FGT, then re-import the policies to FMGR, but I don't like this idea. Any time we need to make such a change we would have to re-import. I was hoping there is a neater way.
I was looking at the JSON API today, but I find the documentation a bit difficult to understand; I found no description of the functions, so I have to guess them. But I will give it a try.