Hi guys. Is there any way to run a blanket script in FMG with "show" or "get" commands for Fortigates having multiple VDOMs without needing to enter every VDOM, and then output the results?
If yes, any example would be helpful.
If no, what are other alternatives that could be used on multiple Fortigates with different set of VDOMs?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I have the need to check policy rules within a adom policy package via a script. I know I can run config commands against the adom database from within a TCL script using the exec_ondb procedure/function. However, when I try to use "show", "get", "diag" commands, the TCL script shows no returned output (and that is true for both Fortigates (exec command) and adom database (exec_ondb command).
Is there any way to get the exec or exec_ondb commands to recognize or return data from "show" commands?
Hi burger87,
Have you tried the command below 'sudo <vdom name>'?
Example below:
sudo root show system interface
From within a FortiManager CLI TCL script? How would that be done?
Here is my FMG TCL script. It has two sections. The first section uses "config firewall address" and creates a new address object. That works great. The second section, tries to use "show firewall policy". It returns nothing in the output (but it doesn't error either).
puts [exec_ondb "/adom/./pkg/default" "
config firewall address
edit TEST_OBJECT
set subnet 2.2.2.2/32
next
end
" "# "]
puts [exec_ondb "/adom/./pkg/default" "
show firewall policy
" "# "]
Here's is the script results:
-------Executing time: Thu Aug 1 17:30:39 2024-----------
Starting log (Run on device)
DEBUG INFO:
TCL command exec_ondb: target = /adom/./pkg/default
config firewall address
edit TEST_OBJECT
set subnet 2.2.2.2/32
next
end
#
DEBUG INFO:
TCL command exec_ondb: target = /adom/./pkg/default
#
config firewall address
edit TEST_OBJECT
set subnet 2.2.2.2/32
n ext
end
show firewall policy
----------------End of Log-------------------------
Hi nathan_h,
You can't run 'sudo root' anywhere in FortiManager. So I really don't understand your answer at all. Can you explain further please?
The TCL script cannot be used to show or get the config, it can only make changes on the ADOM DB. I would suggest to explore the FMG APIs for this or use the 'exe fmpolicy print-adom-package ?' on FMG CLI.
Created on 08-14-2024 04:59 PM Edited on 08-22-2024 04:48 PM
I have written several scripts (outside of FMG) that utilize the FMG API. They were great except that they are outside of FMG. It is highly desirable to run scripts from within FMG because:
1) FMG CLI/TCL scripts are easily exported and imported from one FMG to another FMG.
2) The scripts are self contained within FMG which makes them an integral part of the FMG solution as a whole.
3) Customers are much more comfortable with scripts when they run inside of the FMG product.
4) FMG as a "single pane of glass" is the best place for scripts to run. The scripts are self contained within FMG so that FMG backup, upgrades and accessibility is all handled by FMG features themselves.
So it is a real shame that show commands don't work. It is also a real shame that "exec fmpolicy print-adom-package" type commands cannot be run from within CLI/TCL scripts because that would solve the problem most beautifully.
Another nice way to solve the problem would be to let FMG TCL scripts exececute the curl command. That would allow FMG TCL scripts to access the FMG API. That would be way coo!!!!
** UPDATE **: I developed a work around that allows FMG CLI commands to be run from within TCL scripts. See this article. Also, I developed a work around that allows FMG TCL scripts to send emails. See this article.
A feature request is inevitable :D
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.