Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
oliverlag
New Contributor

Useful script example on Fortimanager

Hi all,

I'm reading this: 

http://docs-legacy.fortinet.com/fmgr/50hlp/52/5-2-0/index.html?context=fmg&topic=script_samples&sing...


is there anyone that can share any useful trick about real-life script in production? 

I'm interested in how I can get more from this feature. 

Thanks


jason_yancey
New Contributor

This is a question I have been pursuing for some time and have found very little. Here is one resource I did find with some practical use cases (it may be a little dated): http://www.fortihelp.com/search/label/TCL


The above resource and the examples in the admin guide are quite helpful with regard to scripting changes directly on FortiGate units. However, performing changes directly against your FortiGates will bring your FortiManager device database and policy packages out of sync. You are then forced to re-import / synchronize policy packages.


It seems like the answer to this is to use the exec_ondb procedure (mentioned in the admin guide) to make changes directly to the device database and policy packages on the FortiManager. Once that central policy is changed you could then push it out to all your FortiGate devices. But the admin guide has no practical examples of this. At this moment I am stuck on the syntactical differences between the exec and exec_ondb commands. If I ever get past this issue I may post about it.


But I agree with your original sentiment: this looks like an incredibly powerful tool if I just knew how to use it properly.

oliverlag

Thanks!

JohnAgora

Depends a lot on your network.

For instance I've found useful scripts that add a static route, modify the access options, or modify a VPN on thousands of devices.

fsfetea

Hi there, exec_ondb works.

They have some examples here: http://help.fortinet.com/fmgr/50hlp/56/5-6-1/FortiManager_Admin_Guide/1000_Device%20Manager/2400_Scr... but I have another issue now. How do I read back the data that is in the FortiManager DB?

I need to perform some policy position movement and policy based route appending.

I just got a ticket with support open but in the meantime any tip is highly recommended.

fsfetea

JohnAgora wrote:

Depends a lot on your network.

For instance I've found useful scripts that add a static route, modify the access options, or modify a VPN on thousands of devices.

If they are TCL scripts for FMG DB, could you please share those scripts or snippets with the relevant modify VPN part?

Thanks

neonbit
Valued Contributor

I remember seeing a customer who had 1000+ firewalls and needed to ensure that HTTP/TELNET was disabled for every interface on each firewall for compliance. They created a TCL script that went through each firewall's interfaces, checked whether HTTP/TELNET was enabled as administrative access and disabled it. They sent the script out and in 10 minutes they had sorted out all 1000+ firewalls, it was magic :)
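The compliance script described above, written out as an added example (this is not code from the thread or from Fortinet). It assumes the FortiManager script environment's `exec` procedure with the argument order used in the admin guide samples (command text, expected prompt, timeout in seconds) and the standard `show system interface` output format; the `banned` list is a constructed input. It runs directly on the FortiGate, so, as noted earlier in the thread, the FortiManager device database will need to be retrieved or re-synchronised afterwards.

```tcl
#!
# Added example (not from the thread): remove the insecure HTTP and TELNET
# administrative-access protocols from every interface of the FortiGate the
# script runs on. Assumes FortiManager's "exec" procedure takes
# (command, prompt, timeout), as in the admin guide's samples.

proc do_cmd {cmd} {
    # Send one CLI line to the device and return the text it prints back.
    return [exec "$cmd\n" "# " 15]
}

# Protocols that must never appear in "set allowaccess" (constructed list).
set banned {http telnet}

# Parse "show system interface" output into a flat list of pairs:
#   {ifname {proto proto ...} ifname {proto ...} ...}
# Interfaces without an explicit "set allowaccess" line are skipped, because
# they already expose no administrative access.
proc parse_allowaccess {output} {
    set result {}
    set current ""
    foreach line [split $output "\n"] {
        set line [string trim $line]
        if {[regexp {^edit "([^"]+)"} $line -> name]} {
            set current $name
        } elseif {[regexp {^set allowaccess (.*)$} $line -> protos]} {
            if {$current ne ""} {
                lappend result $current [regexp -all -inline {\S+} $protos]
            }
        } elseif {$line eq "next"} {
            set current ""
        }
    }
    return $result
}

# Return the allowaccess list with every banned protocol removed.
proc strip_banned {protos banned} {
    set kept {}
    foreach p $protos {
        if {[lsearch -exact $banned $p] < 0} { lappend kept $p }
    }
    return $kept
}

set show_out [do_cmd "show system interface"]
foreach {ifname protos} [parse_allowaccess $show_out] {
    set kept [strip_banned $protos $banned]
    if {[llength $kept] == [llength $protos]} { continue } ;# already compliant
    puts "Fixing $ifname: allowaccess \"$protos\" -> \"$kept\""
    do_cmd "config system interface"
    do_cmd "edit \"$ifname\""
    if {[llength $kept] == 0} {
        do_cmd "unset allowaccess"
    } else {
        do_cmd "set allowaccess [join $kept { }]"
    }
    do_cmd "next"
    do_cmd "end"
}
```

The script only touches interfaces that actually carry a banned protocol and keeps the remaining ones (ping, https, ssh, fgfm and so on) intact, so a re-run is a no-op; the `puts` lines end up in the FortiManager script log and double as the audit trail of what was changed. On a unit with multiple VDOMs the `config system interface` table lives in the global context, so a `config global` / `end` pair would have to be wrapped around the show and config commands.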

fsfetea

This is exactly why they created the FortiManager. In the root ADOM we have, in the header policy, rules that deny telnet and some other stuff. No need for scripting there, and it applies to all our future and current firewalls/VDOMs, and it's enforced even if we give them to other third parties to manage their own rules. My issue in relation to the TCL script is that I have to create some SSL-VPN profiles (different portal, realm, pool, etc.) and there is no consolidated way (wizard) to do so. So I created a TCL script that runs on and against the FortiManager database to keep everything in the same place. My issue now is that I cannot read back the currently configured policy or anything else from the FMG DB. I can only write. All show/get FortiGate commands do not work with exec_ondb on the FMG.

Has anyone experienced this?

fsfetea

I searched and tried different methods but I cannot seem to find a way, and I would not enjoy reverse engineering the libdmserver.so library that runs the TCL script just to convince myself that there is no other way. By the way, a quick strings run on the library showed that there are some other __exec_cli_commands available: dm_read ... __has_permission __parse_ondb_parameters. Where can I find some documentation for this __exec_ondb function? I searched on the Fortinet Developer Network but did not find anything, except that everybody recommends the REST API, which in the FMG case does not come close to Swagger-like usable documentation.
