Support Forum
Mbrassesco
New Contributor

Send command via ssh script

Does anyone know how to run an SSH command script against the device? I need to execute that script if an interface goes down or something like that; the trigger is a monitoring software. Thanks!
emnoc
Esteemed Contributor III

I would use expect personally. It's simple to script and can easily be used for triggers and incorporated into anything like Nagios or syslog-ng:

    #!/usr/bin/expect
    set timeout 60
    spawn ssh ken@1.1.1.1
    expect "Password: "
    send "mystrongpassword\r"
    expect "MASW1"
    send "\r"
    expect "MASW1"
    send "copy running startup\r"
    expect "MASW"

You can call the script locally if you have a Cisco router or Juniper SRX (too bad Fortinet doesn't have a shell or Tcl scripting :)

PCNSE NSE StrongSwan
Sean_Toomey_FTNT

> too bad fortinet doesn't have a shell or tcl scripting :)

I can tell you that one is never happening directly on the box, as it represents a real and present risk to security on a hardened security device. Before working with Fortinet gear (and following, the company itself), I worked for several years with Cisco ASA and CheckPoint. And part of me loved that I could go into expert mode on CheckPoint and run whatever scripts I wanted and have root-level access to the OS, such as it is. But the truth is that by removing that access from FortiGate and relegating it to debug versions, it makes the device much more stable and secure.

To add some substantive content to this discussion, there are many tools out there to automate SSH sessions. You can also do this with FortiManager based on a schedule, or using the API if triggered by an external monitoring system. If using FMGR you can use CLI scripts or TCL scripting and either add to the config DB for the next policy push, or have it go directly to the device CLI.

One last thing: you mentioned running a script if a port fails. If you mean a WAN port, the "virtual-wan-link" functionality in FortiOS will likely do what you want, which is to health-check a WAN link and automatically fail over if needed. Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
Mbrassesco
New Contributor

I use plink and it works well for me. Thanks for your answer!
emnoc
Esteemed Contributor III

Yes, plink is the Windows equivalent of expect.

PCNSE NSE StrongSwan
jtfinley
Contributor

You can inject a text file into SSH using cron, like the example below on a *nix type system:

    ssh xxx.xxx.xxx.xxx -p 22 < ~/scripts/script1.txt

script1.txt:

    diag user device clear
    exec wireless-controller reset-wtp all
    y
emnoc
Esteemed Contributor III

> I can tell you that one is never happening directly on the box as it represents a real and present risk to security on a hardened security device.

Strange that Juniper doesn't see that as a risk. Care to enlighten us on what risks are involved, or how much more it is than WebGUI access? Before you answer: most Juniper devices offer access via a limited shell. Other manufacturers also have shell access in their network gear: F5, Cisco (IOS-XR/IOS-XE), Force10, Radware, A10 Networks, etc.

PCNSE NSE StrongSwan
Sean_Toomey_FTNT

It was an executive decision, the way I heard it. There are just some things that are inherently risky. SNMP write is inherently risky, but more than a few firewalls let you use it. We don't. Exposing a shell, access to the underlying filesystem structure, or the ability to store and run scripts on a firewall is convenient, but opens the door to abuse and exploitation. We choose to err on the side of caution. Some of our competitors do not. We'd rather have a box that isn't pwned. :) Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
Istvan_Takacs_FTNT

Before:

    DLP # show sys int
    config system interface
        ...........
        edit "port4"
            set vdom "root"
            set mode dhcp
            set type physical
            set snmp-index 4
        next
        ...........

Feed the commands to ssh on stdin with a here-document:

    mylittlepony $ ssh admin@172.16.233.100 << EOF
    > config sys int
    > edit port4
    > set mode static
    > set ip 1.1.1.1/24
    > next
    > end
    > exit
    > EOF
    Pseudo-terminal will not be allocated because stdin is not a terminal.
    DLP #
    DLP (interface) #
    DLP (port4) #
    DLP (port4) #
    DLP (port4) #
    DLP (interface) #
    DLP #
    mylittlepony $

After:

    mylittlepony $ ssh admin@172.16.233.100
    DLP # show sys int
    config system interface
        ...........
        edit "port4"
            set vdom "root"
            set ip 1.1.1.1 255.255.255.0
            set type physical
            set snmp-index 4
        next
        ...........

From here it's only a matter of putting your commands into a script and executing it.
emnoc
Esteemed Contributor III

If you're doing a lot of configuration you can also use batch mode:

    NMS: ssh -p 1033 admin@10.10.80.1 < file
    Pseudo-terminal will not be allocated because stdin is not a terminal.
    admin@10.10.80.1's password:
    SOC60D #
    SOC60D #
    SOC60D (interface) #
    SOC60D (internal1) #
    SOC60D (internal1) #
    SOC60D (interface) #
    SOC60D (internal2) #
    SOC60D (internal2) #
    SOC60D (interface) #
    SOC60D #
    SOC60D #
    SOC60D # Exit and run batch commands...

    NMS: cat file
    execute batch start
    config sys int
        edit internal1
            set alias internal1-interface
        next
        edit internal2
            set alias internal2-interface
        next
    end
    execute batch end

Just wrap your script file with an "execute batch start" and "execute batch end".

PCNSE NSE StrongSwan
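As an added example (not code from this thread or from Fortinet), here is a POSIX shell script that combines the three stdin-based approaches above: it generates the FortiOS command file, wraps the configuration in "execute batch start" / "execute batch end" as in the batch post, and feeds it to ssh on stdin without a pseudo-terminal, the way the here-document and "< file" posts do. It is shaped as a Nagios event handler (the $SERVICESTATE$ / $SERVICESTATETYPE$ values passed as arguments), so the host 10.10.80.1, port 1033, account "automation", interface "internal1" and alias text are all assumed values. It relies on an SSH key for the automation account and sets BatchMode=yes, so ssh fails instead of hanging at a password prompt and no credential is embedded in the script, unlike the expect example earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: push a FortiOS batch over ssh stdin when a
# monitoring check goes HARD CRITICAL. All host/port/account/interface values
# below are assumptions for illustration.

# Nagios convention: event handlers fire on every state change, so act only on
# a HARD CRITICAL transition, not on SOFT retries or recoveries.
should_push() {
    state="$1"       # e.g. $SERVICESTATE$  -> OK | WARNING | CRITICAL | UNKNOWN
    state_type="$2"  # e.g. $SERVICESTATETYPE$ -> SOFT | HARD
    [ "$state" = "CRITICAL" ] && [ "$state_type" = "HARD" ]
}

# Emit the FortiOS CLI for setting an alias on an interface, wrapped in
# "execute batch start" / "execute batch end" so the device applies the block
# as one unit, as in the batch-mode post above.
build_fortios_batch() {
    iface="$1"   # assumed interface name, e.g. internal1
    alias="$2"   # assumed alias text, e.g. down-by-monitor
    printf '%s\n' \
        "execute batch start" \
        "config system interface" \
        "    edit \"$iface\"" \
        "        set alias \"$alias\"" \
        "    next" \
        "end" \
        "execute batch end"
}

# ssh arguments, one per line (no spaces, so word-splitting in the caller is safe):
#   -T                   no pseudo-terminal; we feed stdin, we do not type
#   BatchMode=yes        never prompt for a password; key auth or fail fast
#   ConnectTimeout=10    bound the wait if the device is unreachable
fortios_ssh_args() {
    host="$1"; port="$2"; user="$3"
    printf '%s\n' -T -p "$port" -o BatchMode=yes -o ConnectTimeout=10 "$user@$host"
}

# Generate the batch and stream it to the device on stdin.
push_fortios_batch() {
    host="$1"; port="$2"; user="$3"; iface="$4"; alias="$5"
    build_fortios_batch "$iface" "$alias" | ssh $(fortios_ssh_args "$host" "$port" "$user")
}

# Usage as an event handler (assumed values):
#   fortigate-handler.sh "$SERVICESTATE$" "$SERVICESTATETYPE$"
if [ "$#" -eq 2 ]; then
    if should_push "$1" "$2"; then
        push_fortios_batch 10.10.80.1 1033 automation internal1 "down-by-monitor"
    fi
fi
```

The device side needs nothing beyond an admin account restricted to the automation host (trusted hosts) with its public key installed; if the key is missing or the account is wrong, BatchMode makes ssh exit non-zero immediately, which is what you want from something run by cron or a monitoring daemon.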