Technical Tip: Automated script execution

gmarcuccetti · ‎01-11-2021

Description

This article describes how to use the automated scripting on FortiGate.

Scope

FortiGate.

Solution

In FortiOS it is possible to configure auto-scripts and this feature can be used for various purposes.

Important note:
The auto-script output is stored in the RAM, so if running multiple scripts with a maximum of default 10MB (set output-size), calculate and monitor the RAM usage. Improper use of the auto-script may trigger a conserve mode.

Note:

Some commands will not work with the auto-script on older firmware versions.

Support for further commands like 'diag test app xxx', 'diag wad xxx', 'diag ips xxx' were added in FortiOS 7.6.1 and above.

Note:
If the output size is exceeded, the script will stop. Consider the auto-script as a temporary installation only, it is good for time-based troubleshooting.

CLI example to send a backup to a TFTP server:

config system auto-script
    edit "backup"
        set interval 120                           <----- Interval of time in seconds to execute the task, for example for 2 minutes.
        set repeat 0                               <----- Time of repeats, 0 means always. The default is 1.
        set start auto <---- If set to auto the process would start by the system automatically, manual is the default where it is necessary to start the process.
        set script "execute backup config ftp backup.conf 10.10.10.2 test test"
    next
end

Whereas in this example:

10.10.10.2 is the IP of the FTP server.
backup.conf is the name of the file.
test/test is the user and password of the FTP.

CLI example to send a backup to the FTP server in FortiGates with VDOMs:

config system auto-script
    edit "backup"
        set interval 120
        set repeat 0
        set start auto
        set script "
  config global
execute backup config ftp backup.conf 10.10.10.2 test test"
    next
end

Where:

10.10.10.2 is the IP of the FTP server.
backup.conf is the name of the file.
test/test is the user and password of the FTP.

Add multiple CLI commands in the CLI script.

For example, if it is desired to check the generic status output from the CLI like:

get system status
get system performance status

FGT # config system auto-script
FGT (auto-script) # edit "status"
FGT (status) # set interval 300
FGT (status) #        set repeat 0
FGT (status) #        set start auto
FGT (status) #        set script "         <----- Press enter key here add the first command.
get system status                        <----- Press the enter key here and add the second command in the next line.
get system performance status"           <----- Make sure that the last command ends with a double quotation mark.

Once a double quotation mark is added, it will redirect to the command prompt.

FGT (status) # sh
config system auto-script
    edit "status"
        set interval 120
        set repeat 0
        set start auto
        set script "
        get system status
        get system performance status
     "
next
end

To check the script output stored in the file.

From GUI:

Go to System -> Advanced -> Scheduled Script.
Select the 'Download' button from the 'Status' field for the selected script and Open the file to read the output.

Note: From FortiOS 6.2.2 the System -> Advanced is removed, it is only possible to see the script scheduled via CLI. From 6.2.0 automation action is introduced as an alternative for auto-script.

From CLI.

To view the results of the script named 'status' (with no VDOMs).

exec auto-script result status

Script status output:
########## script name: status ##########

========== #1, 2019-10-01 14:24:04 ==========
FGT $ get system status
Version: FortiGate-100D v6.2.1,build0932,190716 (GA)
Virus-DB: 72.00005(2019-10-01 03:19)
Extended DB: 1.00000(2018-04-09 18:07)
... output continues ...

To view the results of the script named 'status' (with VDOMs - enter it in global):

config global
exec auto-script result status

To control the auto-scripts in other ways, to modify the value of the script or a restart is needed for example:

exec auto-script start “name

exec auto-script stop “name” or stopall

Modifying a running script will show an output (error) as shown below. So, the script must be stopped running before making any modifications.

Script can not be changed when it is running.
object set operator error, -14 discard the setting
Command fail. Return code -14

Other examples:
To get an FSSO user list every 5 seconds for a maximum size of 100MB, filtered for the IP 172.16.17.132.

config system auto-script

edit "firewall-user-list"

set interval 5

set repeat 0

set script "diag firewall auth list | grep 172.16.17.132 -A 7"
        set output-size 100
   next
edit "auth-user-list"
set interval 5
set repeat 0
set script "diag debug auth fsso list | grep 172.16.17.132"
set output-size 100
   next
end
exec auto-script start firewall-user-list
exec auto-script start auth-user-list

To get a session list every 10 seconds for the IP 10.10.10.48.

config system auto-script

edit "session-list"

set interval 5
set repeat 0
set script "diag sys session filter src 10.10.10.48
diag sys session list"
set output-size 100
next
end

If having in few scenarios to restart a process or kill the process, below are examples of restarting and killing ipsmonitor process.

Note that the 'diag test app xxx' commands might not work on older firmware versions when executed in the auto-script.

config system auto-script

edit "ipsrestart"
set interval 43200 <-- 12 hours.
set repeat 0 <-- Infinite times no limit.
set start auto <-- Automatic process by system.
set script " <-- Script to restart the ipsmonitor.
diagnose test application ipsmonitor 99
fnsysctl killall ipsmonitor
"
next
end

In HA auto-script configuration it will get auto-sync, it is only necessary to configure it on the primary device.
It will capture the command output individually on both firewalls.

Refer to the below screenshots:

The auto-script will place temporary files on the disk.

To verify if the auto script is still running and also show the current size of the output of a specific script run:

execute auto-script status
auto-script_test <-- running, output file size: 567.3K

When the configured max output size is reached the script will stop and change the status from "running" to "executed".
The command will then show the final file size.

execute auto-script status
auto-script_test <-- executed, output file size: 11.1M

The temporary files of the auto-script are stored in '/tmp/$$auto-script$$/'.
The total size of all auto-script files can be checked with the following commands:

fnsysctl df -k
fnsysctl df -h
fnsysctl ls -al /tmp/$$auto-script$$/
fnsysctl du -aLL /tmp/$$auto-script$$

Example outputs:

# fnsysctl df -h
Filesystem Size Used Available Use% Mounted on
none 1.4G 362.2M 1.0G 25% /tmp
... cut ...

# fnsysctl ls -al /tmp/$$auto-script$$/
drwxr-xr-x 2 0 0 Tue Jan 7 10:22:52 2025 60 .
drwxrwxrwt 56 0 0 Tue Jan 7 10:30:14 2025 5060 ..
-rw-r--r-- 1 0 0 Tue Jan 7 10:22:48 2025 11617598 auto-script_test.out <- 11,08 MB.

# fnsysctl du -aLL /tmp/$$auto-script$$
11348 /tmp/$$auto-script$$/auto-script_test.out
11348 /tmp/$$auto-script$$ <----- 11,08 MB

Related documents:

Technical Tip: Automated script execution

You are leaving our website