Fortigate Automation Stitch Backup autoscript stop

ErrantOsi · ‎12-22-2023

Hi guys, I am trying to configure the automatic tftp backup on our new 100F Forti. I followed a guide how to do the configuration but according to the syslog the process always gets somehow stopped and deleted by the autoscript. When I execute the command manual the backup works. We have two VDOMs, root for MGMT and 1 for production traffic. The configuration is done in the global level (I also tried with adding config global in the cli script).

Anyone has an idea where the issue can be? I am absolute cluesless :\

The Eventlogs I have says:

1. Automation stitch triggered
stitch:backup-stitch is triggered.

2. Autoscript stop automatically
script autod.6 stopped automatically

3. Autoscript delete result
User delete the result of script autod.6 from autod

The Config looks like this:

Trigger:

config system automation-trigger
edit "TFTP-Daily-Backup"
set description ''
set trigger-type scheduled
set trigger-frequency daily
set trigger-hour 16
set trigger-minute 54
next

Action:

edit "backup-action"
set description ''
set action-type cli-script
set minimum-interval 1
set script "execute backup config tftp FOLDERNAME/%%devname%%-%%date%%.conf 10.10.10.10"
set output-size 10
set timeout 0
set execute-security-fabric disable
set accprofile "super_admin"
next

Stitch:

config system automation-stitch
edit "backup-stitch"
set description ''
set status enable
set trigger "TFTP-Daily-Backup"
config actions
edit 1
set action "backup-action"
set delay 0
set required enable
next

ozkanaltas · ‎12-23-2023

Hello @ErrantOsi ,

I encountered the same problem in Fortigate with vdom. But I solved my problem by writing "config global". I think the "config global" spelling is important here.

this style
--------------------
set script "config global
execute backup config tftp FOLDERNAME/%%devname%%-%%date%%.conf 10.10.10.10"

not same this
-------------------------
set script "config global execute backup config tftp FOLDERNAME/%%devname%%-%%date%%.conf 10.10.10.10"

Which style did you try before? The correct one is the first style. If this thing didn't work in your environment. Could you run these commands and share the output with us?

exec auto-script stopall
diag debug reset
diag test app autod 1
diag debug cli 7
diag debug enable

exec auto-script start <stitch_name>

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

View solution in original post

Markus_M · ‎12-22-2023

You could run a status output and see details of the script.

exec auto-script status <name>
exec auto-script result <name>
The script will stop if a condition is met:

output-size 10 (megabyte in memory)

set timeout 0 (unlimited)

Best regards,

Markus

ErrantOsi · ‎12-22-2023

Hi Markus thanks for your answer. I am not sure what you mean? How is the exec auto-script status or result helping in this case? There is no script I created, its just in the automation action?

ozkanaltas · ‎12-23-2023

Hello @ErrantOsi ,

I encountered the same problem in Fortigate with vdom. But I solved my problem by writing "config global". I think the "config global" spelling is important here.

this style
--------------------
set script "config global
execute backup config tftp FOLDERNAME/%%devname%%-%%date%%.conf 10.10.10.10"

not same this
-------------------------
set script "config global execute backup config tftp FOLDERNAME/%%devname%%-%%date%%.conf 10.10.10.10"

Which style did you try before? The correct one is the first style. If this thing didn't work in your environment. Could you run these commands and share the output with us?

exec auto-script stopall
diag debug reset
diag test app autod 1
diag debug cli 7
diag debug enable

exec auto-script start <stitch_name>

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

Markus_M · ‎12-26-2023

if the auto-script is used at least, one needs to run

exec auto-script result <stitch name>

to get its output.

the config global part is a bit tricky. When you need to run multi-line commands you must add them in the same way, ideally just write the stuff in a notepad and paste to the FortiGate CLI. For example:

...
set minimum-interval 1
set script "config global
execute backup config tftp FOLDERNAME/%%devname%%-%%date%%.conf 10.10.10.10"
set output-size 10
...

you need to keep the double quotes exactly where they are.

Similar description here:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Automated-script-execution/ta-p/193685

I honestly don't know the differences between

"config system automation-trigger" and "config system auto-script", but would guess multilines need to be run the same. If you got VDOMs, there is basically no choice. Need to enter the VDOM (global or whatever else), then run the commands.

Best regards,

Markus

ErrantOsi · ‎01-10-2024

Thank you so much for your help!! The problem was the one you stated:

As we use VDOMs we have to write the "config global" exactly like this:

set script "config global
execute backup config tftp FOLDERNAME/%%devname%%-%%date%%.conf 10.10.10.10"

and NOT on the same line like this:

set script "config global execute backup config tftp FOLDERNAME/%%devname%%-%%date%%.conf 10.10.10.10"

In the CLI it looks like this:

edit "TFTP-Backup1-Action"
set description ''
set action-type cli-script
set minimum-interval 0
set script "config global
execute backup config tftp FOLDER/%%devname%%-%%date%%.conf IPADDRESS"
set output-size 10
set timeout 0
set execute-security-fabric disable
set accprofile "admin_prof-admin"
next

In the GUI like that: