Scripts – FortiManager 5.2

Example: Configure common global settings.

Script:

#!
#Run on FortiOS v5.00
#This script will configure common global, user group and ntp settings
#if you do not want to set a parameter, comment the
#corresponding set command
#if you want to reset a parameter to its default
#value, set it to an empty string
puts [exec "# This is an example Tcl script to configure global, user group and ntp setting of FortiGate\n" "# " 15 ]

# global
set sys_global(admintimeout) ""

# user group
set sys_user_group(authtimeout) 20

# ntp
set sys_ntp(source-ip) "0.0.0.0"
set sys_ntp(ntpsync) "enable"

#procedure to execute FortiGate command
proc fgt_cmd cmd {
    puts -nonewline [exec "$cmd\n" "# " 30]
}

#config system global--begin
fgt_cmd "config global"
fgt_cmd "config system global"
foreach key [array names sys_global] {
    if {$sys_global($key) ne ""} {
        fgt_cmd "set $key $sys_global($key)"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
fgt_cmd "end"
#config system global--end

#config system user group--begin
fgt_cmd "config vdom"
fgt_cmd "edit root"
fgt_cmd "config user group"
fgt_cmd "edit groupname"
foreach key [array names sys_user_group] {
    if {$sys_user_group($key) ne ""} {
        fgt_cmd "set $key $sys_user_group($key)"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
fgt_cmd "end"
#config system user group--end

#config system ntp--begin
fgt_cmd "config global"
fgt_cmd "config system ntp"
foreach key [array names sys_ntp] {
    if {$sys_ntp($key) ne ""} {
        fgt_cmd "set $key $sys_ntp($key)"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
fgt_cmd "end"
#config system ntp--end

Output:

——- Executing time: 2013-10-22 09:12:57 ——

Starting log (Run on device)

FortiGate-VM64 # config global

FortiGate-VM64 (global) # config system global

FortiGate-VM64 (global) # unset admintimeout

FortiGate-VM64 (global) # end

FortiGate-VM64 (global) # end

FortiGate-VM64 # config vdom

FortiGate-VM64 (vdom) # edit root

current vf=root:0

FortiGate-VM64 (root) # config user group

FortiGate-VM64 (group) # edit groupname

FortiGate-VM64 (groupname) # set authtimeout 20

FortiGate-VM64 (groupname) # end

FortiGate-VM64 (root) # end

FortiGate-VM64 # config global

FortiGate-VM64 (global) # config system ntp

FortiGate-VM64 (ntp) # set ntpsync enable

FortiGate-VM64 (ntp) # set source-ip 0.0.0.0

FortiGate-VM64 (ntp) # end

FortiGate-VM64 (global) # end

FortiGate-VM64 #

——- The end of log ———-

Example: Configure syslogd settings and filters.

Script:

#!
#Run on FortiOS v5.00
#This script will configure log syslogd setting and
#filter
puts [exec "# This is an example Tcl script to configure log syslogd setting and filter setting of FortiGate\n" "# " 15 ]

#key-value pairs for 'config log syslogd setting', no
#value means default value.
set setting_list {{status enable} {csv enable}
    {facility alert} {port} {server 1.1.1.2}}

#key-value pairs for 'config log syslogd filter', no
#value means default value.
set filter_list {{attack enable} {email enable} {severity} {traffic enable} {virus disable}
    {web enable}}

#set the number of syslogd server, "", "2" or "3"
set syslogd_no "2"

#procedure to execute FortiGate CLI command
proc fgt_cmd cmd {
    puts -nonewline [exec "$cmd\n" "# "]
}

#procedure to set a series of key-value pairs
proc set_kv kv_list {
    foreach kv $kv_list {
        set len [llength $kv]
        if {$len == 0} {
            continue
        } elseif {$len == 1} {
            fgt_cmd "unset [lindex $kv 0]"
        } else {
            fgt_cmd "set [lindex $kv 0] [lindex $kv 1]"
        }
    }
}

#configure log syslogd setting--begin
fgt_cmd "config global"
fgt_cmd "config log syslogd$syslogd_no setting"
set_kv $setting_list
fgt_cmd "end"
#configure log syslogd setting--end

#configure log syslogd filter--begin
fgt_cmd "config log syslogd$syslogd_no filter"
set_kv $filter_list
fgt_cmd "end"
#configure log syslogd filter--end

Output:

Starting log (Run on device)

FortiGate-VM64 # config global

FortiGate-VM64 (global) # config log syslogd2 setting

FortiGate-VM64 (setting) # set status enable

FortiGate-VM64 (setting) # set csv enable

FortiGate-VM64 (setting) # set facility alert

FortiGate-VM64 (setting) # unset port

FortiGate-VM64 (setting) # set server 1.1.1.2

FortiGate-VM64 (setting) # end

FortiGate-VM64 (global) # config log syslogd2 filter

FortiGate-VM64 (filter) # set attack enable

FortiGate-VM64 (filter) # set email enable

FortiGate-VM64 (filter) # unset severity

FortiGate-VM64 (filter) # set traffic enable

FortiGate-VM64 (filter) # set virus disable

FortiGate-VM64 (filter) # set web enable

FortiGate-VM64 (filter) # end

FortiGate-VM64 (global) #

——- The end of log ———-
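As an added example, not from the FortiManager guide or this page's author: the Tcl below folds the three copy-pasted set/unset loops of the first script (the same logic the second script's set_kv wraps for lists) into one procedure, and adds a dry-run switch that records the generated CLI so it can be reviewed, in plain tclsh if you like, before the script is run against a device. It assumes the same `exec cmd prompt timeout` call the page's scripts use; the procedure and variable names are mine.

```tcl
#!
# Added example (not from the FortiManager guide): one procedure replaces the
# three copy-pasted set/unset loops, and a dry-run switch records the generated
# CLI instead of sending it. Assumes the page's exec signature: exec cmd prompt timeout.
set dry_run 1   ;# 1 = only collect commands (runs in plain tclsh), 0 = execute
set cli_log {}  ;# commands generated during a dry run
#execute one FortiGate command, or record it during a dry run
proc fgt_cmd cmd {
    global dry_run cli_log
    if {$dry_run} {
        lappend cli_log $cmd
    } else {
        puts -nonewline [exec "$cmd\n" "# " 30]
    }
}

#enter a CLI context, apply one key-value array, then leave it
# enter_cmds : commands that enter the context (config/edit lines)
# arr_name   : array in the caller's scope; an empty value means unset
# ends       : number of "end" commands needed to get back to the top
proc apply_array {enter_cmds arr_name ends} {
    upvar 1 $arr_name arr
    foreach cmd $enter_cmds {
        fgt_cmd $cmd
    }
    #keys are sorted so two dry runs can be diffed line by line
    foreach key [lsort [array names arr]] {
        if {$arr($key) ne ""} {
            fgt_cmd "set $key $arr($key)"
        } else {
            fgt_cmd "unset $key"
        }
    }
    for {set i 0} {$i < $ends} {incr i} {
        fgt_cmd "end"
    }
}

#same settings as the first script on this page
set sys_global(admintimeout) ""
set sys_user_group(authtimeout) 20
set sys_ntp(source-ip) "0.0.0.0"
set sys_ntp(ntpsync) "enable"
apply_array {"config global" "config system global"} sys_global 2
apply_array {"config vdom" "edit root" "config user group" "edit groupname"} sys_user_group 2
apply_array {"config global" "config system ntp"} sys_ntp 2
if {$dry_run} {
    puts [join $cli_log "\n"]   ;# review this before setting dry_run to 0
}
```

With dry_run set to 1 the script prints the same sequence of config/set/unset/end lines that the first example's output log shows, without touching the device; set it to 0 once the reviewed output matches the intended change.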
