CLI script samples
There are two types of CLI scripts: scripts that get information from your FortiGate device, and scripts that change information on your FortiGate device.
Getting information remotely is one of the main purposes of your FortiManager system, and CLI scripts allow you to access any information on your FortiGate devices. Getting information typically involves only one line of script as the following scripts show.
To view interface information for port1
Script
show system interface port1
Output
config system interface
    edit "port1"
        set vdom "root"
        set ip 172.20.120.148 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
end
Variations
Remove the interface name to see a list that includes all the interfaces on the FortiGate device including virtual interfaces such as VLANs.
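Because the output of a "get" script is returned in the standard FortiOS config/edit/set/next/end layout, it can be parsed and audited automatically. The following Python is an added example, not code from the Fortinet documentation: it parses the `show system interface` output above (extended with a constructed second interface, port2, that is not on the page) and reports interfaces whose `allowaccess` list includes cleartext management services; nested sub-tables inside an entry are not modelled.

```python
import shlex

# Constructed sample (not from the page): the `show system interface` output above,
# plus a second, made-up interface that allows cleartext management protocols.
SAMPLE_OUTPUT = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 172.20.120.148 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping http telnet
    next
end
"""

CLEARTEXT_ACCESS = {"http", "telnet"}  # management services that send credentials in cleartext

def parse_show_output(text):
    """Parse config/edit/set/next/end output into {table: {entry: {key: values}}}."""
    tables, stack, entry = {}, [], None   # stack: names of the currently open 'config' tables
    for raw in text.splitlines():
        parts = shlex.split(raw)           # also strips the quotes around "port1" / "root"
        if not parts:
            continue
        keyword = parts[0]
        if keyword == "config":
            stack.append(" ".join(parts[1:]))
            tables.setdefault(stack[-1], {})
        elif keyword == "edit" and stack:
            entry = tables[stack[-1]].setdefault(parts[1], {})
        elif keyword == "set" and entry is not None:
            entry[parts[1]] = parts[2:]    # keep values as a list, e.g. ip -> [addr, mask]
        elif keyword == "next":
            entry = None
        elif keyword == "end" and stack:
            stack.pop()
    return tables

def risky_admin_access(tables):
    """Return {interface: [protocols]} where allowaccess includes a cleartext service."""
    findings = {}
    for name, attrs in tables.get("system interface", {}).items():
        risky = CLEARTEXT_ACCESS & set(attrs.get("allowaccess", []))
        if risky:
            findings[name] = sorted(risky)
    return findings
```

Running the same parser over the output of the interface-list variation (no interface name) audits every interface, VLANs included, in one pass.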
To view the entries in the static routing table
Script
show route static
Output
config router static
    edit 1
        set device "port1"
        set gateway 172.20.120.2
    next
    edit 2
        set device "port2"
        set distance 7
        set dst 172.20.120.0 255.255.255.0
        set gateway 172.20.120.2
    next
end
Variations
none
To view information about all the configured FDN servers on this device
Script
diag debug rating
Output
Locale : english
 
The service is not enabled.
Variations
Output for this script will vary based on the state of the FortiGate device. The above output is for a FortiGate device that has never been registered.
For a registered FortiGate device without a valid license, the output would be similar to:
Locale : english
License : Unknown
Expiration : N/A
Hostname : guard.fortinet.net
 
-=- Server List (Tue Oct 3 09:34:46 2006) -=-
 
IP Weight Round-time TZ Packets Curr Lost Total Lost
** None **
Setting FortiGate device information with CLI scripts gives you access to more settings and allows finer-grained control than the Device Manager provides. CLI commands also expose advanced options that are not available in the FortiGate GUI. Scripts that set information require more lines than scripts that get information.
 
Any scripts that you will be running on the global database must include the full CLI commands and not use short forms for the commands. Short form commands will not run on the global database.
To create a new account profile called policy_admin allowing read-only access to policy-related areas
Script
config system accprofile
    edit "policy_admin"
        set avgrp read
        set fwgrp read
        set ipsgrp read
        set loggrp read
        set spamgrp read
        set sysgrp read
        set webgrp read
    next
end
Output
Starting script execution
config system accprofile
 
(accprofile)# edit "policy_admin"
set avgrp read
set fwgrp read
set ipsgrp read
set loggrp read
set spamgrp read
set sysgrp read
set webgrp read
next
end
 
exit
new entry 'policy_admin' added
(policy_admin)# set avgrp read
(policy_admin)# set fwgrp read
(policy_admin)# set ipsgrp read
(policy_admin)# set loggrp read
(policy_admin)# set spamgrp read
(policy_admin)# set sysgrp read
(policy_admin)# set webgrp read
(policy_admin)# next
(accprofile)# end
MyFortiGate #
MyFortiGate #
MyFortiGate # exit
Variations
This profile is read-only to allow a policy administrator to monitor this device’s configuration and traffic.
Variations may include enabling other areas as read-only or write privileges based on that account type’s needs.
With the introduction of global objects/security console (global database), you can run a CLI script on the FortiManager global database in addition to running it on a FortiGate unit directly. Compare the following sample scripts:
Running a CLI script on a FortiGate unit
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set status disable
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set status enable
    next
end
Running a CLI script on the global database
config firewall policy
    edit 1
        set _global-srcintf "port1"
        set _global-dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set status disable
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set status enable
    next
end