Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
burger87
New Contributor

Created on ‎04-28-2019 12:41 AM

Run "show" or "get" commands via script in FMG

Hi guys. Is there any way to run a blanket script in FMG with "show" or "get" commands for Fortigates having multiple VDOMs without needing to enter every VDOM, and then output the results?

 

If yes, any example would be helpful.

If no, what are other alternatives that could be used on multiple Fortigates with different set of VDOMs?

Labels:
2350
0 Kudos
7 REPLIES 7
Katoomba
New Contributor III

Created on ‎08-01-2024 12:54 PM

I have the need to check policy rules within a adom policy package via a script. I know I can run config commands against the adom database from within a TCL script using the exec_ondb procedure/function. However, when I try to use "show", "get", "diag" commands, the TCL script shows no returned output (and that is true for both Fortigates (exec command) and adom database (exec_ondb command).

 

Is there any way to get the exec or exec_ondb commands to recognize or return data from "show" commands?

Katoomba
Katoomba
644
0 Kudos
nathan_h
Staff
Staff

Created on ‎08-01-2024 01:32 PM

Hi burger87,

 

Have you tried the command below 'sudo <vdom name>'?

 

Example below:

sudo root show system interface

Nathan
FCP-NS, FCP-PCS, FCP-SO, FCSS-NS, FCSS-PCS, FCSS-SASE
639
0 Kudos
Katoomba
New Contributor III
In response to nathan_h

Created on ‎08-01-2024 02:35 PM

From within a FortiManager CLI TCL script? How would that be done?

 

Here is my FMG TCL script. It has two sections. The first section uses "config firewall address" and creates a new address object. That works great. The second section, tries to use "show firewall policy". It returns nothing in the output (but it doesn't error either).

 

puts [exec_ondb "/adom/./pkg/default" "
config firewall address
edit TEST_OBJECT
set subnet 2.2.2.2/32
next
end
" "# "]

puts [exec_ondb "/adom/./pkg/default" "
show firewall policy
" "# "]

 

Here's is the script results:

 

-------Executing time: Thu Aug 1 17:30:39 2024-----------
Starting log (Run on device)
DEBUG INFO:
TCL command exec_ondb: target = /adom/./pkg/default
config firewall address
edit TEST_OBJECT
set subnet 2.2.2.2/32
next
end
#
DEBUG INFO:
TCL command exec_ondb: target = /adom/./pkg/default
#
config firewall address
edit TEST_OBJECT
set subnet 2.2.2.2/32
n ext
end
show firewall policy

----------------End of Log-------------------------

Katoomba
Katoomba
631
0 Kudos
Katoomba
New Contributor III
In response to nathan_h

Created on ‎08-08-2024 04:35 PM

Hi nathan_h,

 

You can't run 'sudo root' anywhere in FortiManager. So I really don't understand your answer at all. Can you explain further please?

Katoomba
Katoomba
577
0 Kudos
farhanahmed
Staff
Staff

Created on ‎08-14-2024 04:49 PM Edited on ‎08-14-2024 04:51 PM

The TCL script cannot be used to show or get the config, it can only make changes on the ADOM DB. I would suggest to explore the FMG APIs for this or use the 'exe fmpolicy print-adom-package ?' on FMG CLI.

FA
527
0 Kudos
Katoomba
New Contributor III
In response to farhanahmed

Created on ‎08-14-2024 04:59 PM Edited on ‎08-22-2024 04:48 PM

I have written several scripts (outside of FMG) that utilize the FMG API. They were great except that they are outside of FMG. It is highly desirable to run scripts from within FMG because:

1) FMG CLI/TCL scripts are easily exported and imported from one FMG to another FMG.

2) The scripts are self contained within FMG which makes them an integral part of the FMG solution as a whole.

3) Customers are much more comfortable with scripts when they run inside of the FMG product.

4) FMG as a "single pane of glass" is the best place for scripts to run. The scripts are self contained within FMG so that FMG backup, upgrades and accessibility is all handled by FMG features themselves.

 

So it is a real shame that show commands don't work. It is also a real shame that "exec fmpolicy print-adom-package" type commands cannot be run from within CLI/TCL scripts because that would solve the problem most beautifully.

Another nice way to solve the problem would be to let FMG TCL scripts exececute the curl command. That would allow FMG TCL scripts to access the FMG API. That would be way coo!!!!

 

** UPDATE **: I developed a work around that allows FMG CLI commands to be run from within TCL scripts. See this article. Also, I developed a work around that allows FMG TCL scripts to send emails. See this article.

Katoomba
Katoomba
522
farhanahmed
Staff
Staff
In response to Katoomba

Created on ‎08-14-2024 05:17 PM

A feature request is inevitable :D

FA
518
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.