hi all,
I'm reading this:
is there anyone that can share any useful trick about real-life script in production?
I'm interested in how I can get more from this feature.
Thanks
This is a question I have been pursuing for some time and have found very little. Here is one resource I did find with some practical use cases (it may be a little dated): http://www.fortihelp.com/search/label/TCL
The above resource and the examples in the admin guide are quite helpful with regard to scripting changes directly on FortiGate units. However, performing changes directly against your FortiGates will bring your FortiManager device database and policy packages out of sync. You are then forced to re-import / synchronize policy packages.
It seems like the answer to this is to use the exec_ondb procedure (mentioned in the admin guide) to make changes directly to the device database and policy packages on the FortiManager. Once that central policy is changed you could then push it out to all your FortiGate devices. But the admin guide has no practical examples of this. At this moment I am stuck on the syntactical differences between the exec and exec_ondb commands. If I ever get past this issue I may post about it.
But I agree with your original sentiment: this looks like an incredibly powerful tool if I just knew how to use it properly.
Thanks!
Depends a lot on your network.
For instance I've found useful scripts that add a static route, modify the access options, or modify a VPN on thousands of devices.
Hi there, it works the exec_ondb
they have some examples here: http://help.fortinet.com/fmgr/50hlp/56/5-6-1/FortiManager_Admin_Guide/1000_Device%20Manager/2400_Scr... but I have an other issue now. How to read back the data that is on the fortimanager db ?
I need to perform some policy position movement and policy based route appending.
I just got a ticket with support open but in the meantime any tip is highly recommended.
JohnAgora wrote:If they are TCL scripts for FMG DB, could you please share those scripts or snippets with the relevant modify VPN part?Depends a lot on your network.
For instance I've found useful scripts that add a static route, modify the access options, or modify a VPN on thousands of devices.
thanks
I remember seeing a customer who had 1000+ firewalls and needed to ensure that HTTP/TELNET was disabled for every interface on each firewall for compliance. They created a TCL script that went through each firewalls interface and checked to see if HTTP/TELNET was enabled as an administration access and disable it. Sent the script out and in 10minutes they sorted out all 1000+ firewalls, was magic :)
This is exactly why they cretead the FortiManager. We have in the root ADOM in header policy such rules that deny telnet and some other stuff. No need for scripting there and it applies to all our future and current firewalls/vdoms and it's enforced even if we give them to other third parties to manage their own rules. My issue in relation the tcl script is that I have to create a some ssl-vpn profiles(differnt portal,realm,pool,etc.) and there is no consolidated way(wizzard) to do so. So I created a TCL script that runs on and agains the FortiManager database to keep all in the same place. My issue now is that I cannot read back from FMG DB the current configured policy or any other stuff. I can only write them. All show,get FG commands are not working with exec_ondb on the FMG.
Has anyone experienced this ?
I search and tried different methods but I cannot seem to find a way and I would not enjoy to reverse engineer the libdmserver.so library that runs the tcl script to convince my self that there is no other way. btw. a short string on the library resulted that there are some other __exec_cli_commands available: dm_read ... __has_permission __parse_ondb_parameters ???where can I find some documentation over this function __exec_ondb ... I searched on the Fortinet Developer Network but did not found anything except that everybody recommends REST API which in the FMG case is not really close to a swagger like documentation usable.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.