Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
REMYJIMMY
New Contributor

Created on ‎09-21-2022 02:56 AM

Send Email with TCL Script

Hello,

 

There is any solution to send a email with TCL Script or CLI ?

 

I need to send information after script Schedule execution.

 

Sorry for my English, I'm French.

 

Thanks,

Jimmy

Labels:
1211
0 Kudos
7 REPLIES 7
Anonymous
Not applicable

Created on ‎09-23-2022 02:15 PM

Hello Jimmy,

 

                  Thanks for reaching Fortinet Community. Could you explain your query more in detail to that we can assist better.

 

Hope to hear from you soon.

 

Thanks and regards,

1184
0 Kudos
REMYJIMMY
New Contributor
In response to Anonymous

Created on ‎09-26-2022 07:56 AM

 

Hello, thanks for your reply.

 

We used ADVPN and some shortcut path stay open and we kill them manually sometimes. 

 

I created a script in TCL which kill any duplicate tunnel (if there are) everyday and we want to send a email to notify what tunnel was kill.

 

Thanks,

Jimmy

1167
0 Kudos
Katoomba
New Contributor III
In response to gfleming

Created on ‎08-01-2024 12:45 PM

The goal is to have FortiManager send the email with the content of the returned information from a scheduled TCL script. You can schedule a TCL script to run periodically. But can the results be emailed somewhere from within TCL script?

Katoomba
Katoomba
532
0 Kudos
farhanahmed
Staff
Staff

Created on ‎08-09-2024 10:24 AM

FortiManager does not have the ability to send emails from the TCL script. You can reach out to your Fortinet Sales rep. to raise a feature request for this.

FA
507
0 Kudos
Katoomba
New Contributor III

Created on ‎08-22-2024 11:52 AM Edited on ‎08-23-2024 08:46 AM

Introduction

It turns out that you can send an email from an FMG TCL script. It's not perfect but it can get the job done.

FortiGate as Gateway to Mail Server

Since you can have a TCL script send commands to FortiGates, and since a FortiGate can telnet to other devices (which in this case, will be an SMTP mail server), it becomes possible to send an email from a FMG TCL script. The TCL script below sends commands to a FortiGate to telnet to an SMTP mail server and then provides the SMTP mail server with commands and data to send the email itself. Note that (obviously) the FortiGate must have network access to the SMTP mail server via TCP port 25. So the FortiGate is the middle man between FMG TCL and the mail server.

 

#!/usr/bin/tclsh
############################################################
############################################################
# This script demonstrates how to send an email from an FMG
# TCL script via an SMTP server that is accessed via a
# FortiGate.
# NOTE: Communication with the SMTP server is unsecured on
# TCP port 25.
# NOTE: The target FortiGate must have access to the SMTP 
# server on TCP port 25.
############################################################
############################################################
set startTime [clock seconds]
############################################################
############################################################
# set mail server variables
set SMTP_HOST "172.16.31.15"
set SMTP_EHLO "liberty.saturn.home"
set SMTP_MAIL_FROM "noc@wantegrity.com"
set SMTP_RCPT_TO "mhawkins@wantegrity.com"
set SMTP_SUBJECT "This is a test email subject line"
set SMTP_BODY "This is the email body text.\n\nWell it turns out that you can send an email from FMG TCL scripts after all.\nBest,\n  FMG"
############################################################
############################################################
# define procedures section
############################################################
# execute FortiGate or FortiManager commands
proc do_cmd {cmd} {
  # note that return prompt (#|\$) is expanded to handle non super and super user FMG users as well as FortiGates
  puts [exec "$cmd\n" " (#|\$) " 10]
}
# execute SMTP mail server commands
proc do_mail {cmd} {
  # note the expected SMTP server return codes
  puts [exec "$cmd\n" "(ESMTP|\[1-5\]\[0-9\]\{2\})" 10]
}
proc get_sys_status aname {
  upvar $aname a
  set a(vdom) true
  set input [exec "get system status\n" "# " 15 ]
  set linelist [split $input \n]
  foreach line $linelist {
    if {[regexp {Virtual domain configuration: disable} $line]} { set a(vdom) false }
    if {![regexp {([^:]+):(.*)} $line dummy key value]} continue
    switch -regexp -- $key {
      Version { regexp {FortiGate-([^ ]+) ([^,]+),build([\d]+),.*} $value dummy a(platform) a(version) a(build) }
      Serial-Number { set a(serial-number) [string trim $value] }
      Hostname { set a(hostname) [string trim $value] }
    }
  }
}
############################################################
############################################################
# set verbose to true to increase output
set verbose true
############################################################
############################################################
# begin main script
############################################################
# get FortiGate information
get_sys_status status
if { ($verbose == true) } {
  puts "This Fortigate is model: \[$status(platform)\]."
  puts "It is running FortOS version: \[$status(version)\]."
  puts "The firmware is build number: \[$status(build)\]."
  puts "The device serial number is: \[$status(serial-number)\]."
  puts "The machine hostname is: \[$status(hostname)\]."
}
############################################################
############################################################
# enter vdom if vdoms are enabled
if { ($status(vdom) == true) } {
  # Enter VDOM if its enabled
  if { ($verbose == true) } { puts "Entering vdom:\[root\]" }
  do_cmd "config vdom"
  do_cmd "edit root"
} else {
  if { ($verbose == true) } { puts "No vdoms on this Fortigate" }
}
############################################################
############################################################
# TELNET into mail server from the FortiGate
if { ($verbose == true) } { puts "Connecting to mail server: \[$SMTP_HOST\]." }
do_mail "execute telnet $SMTP_HOST 25"
do_mail "ehlo $SMTP_EHLO"
do_mail "MAIL FROM:$SMTP_MAIL_FROM"
do_mail "RCPT TO:$SMTP_RCPT_TO"
set nowTime [clock seconds]
do_mail "DATA\nTo:$SMTP_RCPT_TO\nFrom:$SMTP_MAIL_FROM\nSubject:$SMTP_SUBJECT\nScript started:$startTime\nScript Now:$nowTime\n$SMTP_BODY\n."
if { ($verbose == true) } { puts "Exiting mail server: \[$SMTP_HOST\]." }
do_cmd "quit"
############################################################
############################################################
if { ($verbose == true) } { puts "Script Finished. Exiting FortiGate: \[$status(hostname)\]." }
do_cmd "end"
# End of script
############################################################

 

Implementation Notes

1) the SMTP_xxx... variables need to be set according to your own configuration needs.

2) The do_mail expect regex "(ESMTP|\[1-5\]\[0-9\]\{2\})" might need to be adjusted to match your email server.

3) This script does not use any email server authentication to access the email server but it certainly could be added.

CAVEATS/LIMITATIONS

It is not very practical (nor is it very security conscious) to set up every FortiGate with access to an mail server. Perhaps that's OK for some environments, in which case, the script above can be used and emails can be sent as the script walks through each specific FortiGate. This would be useful for TCL scripts that target multiple FortiGates.

A better approach might be to set up one FortiGate to be the "gateway" (middle-man) between FMG TCL scripts and the email server. This approach would be best suited for when the TCL script is accessing the ADOM or policy packages using the "exec_ondb" command. In those sorts of TCL scripts, access to a FortiGate isn't even needed for the script to be successful. But with TCL scripts, you must select at least one FortiGate to run again, even if the script is only intended to work against the ADOM or policy packages. So for TCL scripts of that type, you would simply pick the one FortiGate that has network access to the mail server so that the TCL script can send emails. A typical use case would be to work with the adom database, collect results, and then email out to some email address.

Other Resources

This article describes how to run FMG CLI commands via TCL scripts.

For Fortinet documentation regarding TCL scripts see here.

Katoomba
Katoomba
423
0 Kudos
Katoomba
New Contributor III

Created on ‎08-22-2024 12:01 PM Edited on ‎08-23-2024 08:47 AM

Introduction

It turns out that you can send an email from an FMG TCL script. It's not perfect but it can get the job done.

FortiGate as Gateway to Mail Server

Since you can have a TCL script send commands to FortiGates, and since a FortiGate can telnet to other devices (which in this case, will be an SMTP mail server), it becomes possible to send an email from a FMG TCL script. The TCL script below sends commands to a FortiGate to telnet to an SMTP mail server and then provides the SMTP mail server with commands and data to send the email itself. Note that (obviously) the FortiGate must have network access to the SMTP mail server via TCP port 25. So the FortiGate is the middle man between FMG TCL and the mail server.

 

#!/usr/bin/tclsh
############################################################
############################################################
# This script demonstrates how to send an email from an FMG
# TCL script via an SMTP server that is accessed via a
# FortiGate.
# NOTE: Communication with the SMTP server is unsecured on
# TCP port 25.
# NOTE: The target FortiGate must have access to the SMTP 
# server on TCP port 25.
############################################################
############################################################
set startTime [clock seconds]
############################################################
############################################################
# set mail server variables
set SMTP_HOST "172.16.31.15"
set SMTP_EHLO "liberty.saturn.home"
set SMTP_MAIL_FROM "noc@wantegrity.com"
set SMTP_RCPT_TO "mhawkins@wantegrity.com"
set SMTP_SUBJECT "This is a test email subject line"
set SMTP_BODY "This is the email body text.\n\nWell it turns out that you can send an email from FMG TCL scripts after all.\nBest,\n  FMG"
############################################################
############################################################
# define procedures section
############################################################
# execute FortiGate or FortiManager commands
proc do_cmd {cmd} {
  # note that return prompt (#|\$) is expanded to handle non super and super user FMG users as well as FortiGates
  puts [exec "$cmd\n" " (#|\$) " 10]
}
# execute SMTP mail server commands
proc do_mail {cmd} {
  # note the expected SMTP server return codes
  puts [exec "$cmd\n" "(ESMTP|\[1-5\]\[0-9\]\{2\})" 10]
}
proc get_sys_status aname {
  upvar $aname a
  set a(vdom) true
  set input [exec "get system status\n" "# " 15 ]
  set linelist [split $input \n]
  foreach line $linelist {
    if {[regexp {Virtual domain configuration: disable} $line]} { set a(vdom) false }
    if {![regexp {([^:]+):(.*)} $line dummy key value]} continue
    switch -regexp -- $key {
      Version { regexp {FortiGate-([^ ]+) ([^,]+),build([\d]+),.*} $value dummy a(platform) a(version) a(build) }
      Serial-Number { set a(serial-number) [string trim $value] }
      Hostname { set a(hostname) [string trim $value] }
    }
  }
}
############################################################
############################################################
# set verbose to true to increase output
set verbose true
############################################################
############################################################
# begin main script
############################################################
# get FortiGate information
get_sys_status status
if { ($verbose == true) } {
  puts "This Fortigate is model: \[$status(platform)\]."
  puts "It is running FortOS version: \[$status(version)\]."
  puts "The firmware is build number: \[$status(build)\]."
  puts "The device serial number is: \[$status(serial-number)\]."
  puts "The machine hostname is: \[$status(hostname)\]."
}
############################################################
############################################################
# enter vdom if vdoms are enabled
if { ($status(vdom) == true) } {
  # Enter VDOM if its enabled
  if { ($verbose == true) } { puts "Entering vdom:\[root\]" }
  do_cmd "config vdom"
  do_cmd "edit root"
} else {
  if { ($verbose == true) } { puts "No vdoms on this Fortigate" }
}
############################################################
############################################################
# TELNET into mail server from the FortiGate
if { ($verbose == true) } { puts "Connecting to mail server: \[$SMTP_HOST\]." }
do_mail "execute telnet $SMTP_HOST 25"
do_mail "ehlo $SMTP_EHLO"
do_mail "MAIL FROM:$SMTP_MAIL_FROM"
do_mail "RCPT TO:$SMTP_RCPT_TO"
set nowTime [clock seconds]
do_mail "DATA\nTo:$SMTP_RCPT_TO\nFrom:$SMTP_MAIL_FROM\nSubject:$SMTP_SUBJECT\nScript started:$startTime\nScript Now:$nowTime\n$SMTP_BODY\n."
if { ($verbose == true) } { puts "Exiting mail server: \[$SMTP_HOST\]." }
do_cmd "quit"
############################################################
############################################################
if { ($verbose == true) } { puts "Script Finished. Exiting FortiGate: \[$status(hostname)\]." }
do_cmd "end"
# End of script
############################################################

 

Implementation Notes

1) the SMTP_xxx... variables need to be set according to your own configuration needs.

2) The do_mail expect regex "(ESMTP|\[1-5\]\[0-9\]\{2\})" might need to be adjusted to match your email server.

3) This script does not use any email server authentication to access the email server but it certainly could be added.

CAVEATS/LIMITATIONS

It is not very practical (nor is it very security conscious) to set up every FortiGate with access to an mail server. Perhaps that's OK for some environments, in which case, the script above can be used and emails can be sent as the script walks through each specific FortiGate. This would be useful for TCL scripts that target multiple FortiGates.

A better approach might be to set up one FortiGate to be the "gateway" (middle-man) between FMG TCL scripts and the email server. This approach would be best suited for when the TCL script is accessing the ADOM or policy packages using the "exec_ondb" command. In those sorts of TCL scripts, access to a FortiGate isn't even needed for the script to be successful. But with TCL scripts, you must select at least one FortiGate to run again, even if the script is only intended to work against the ADOM or policy packages. So for TCL scripts of that type, you would simply pick the one FortiGate that has network access to the mail server so that the TCL script can send emails. A typical use case would be to work with the adom database, collect results, and then email out to some email address.

Other Resources

This article describes how to run FMG CLI commands via TCL scripts.

For Fortinet documentation regarding TCL scripts see here.

Katoomba
Katoomba
419
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.