To get and display state information about the FortiGate device | ||
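#!
# Run on FortiOS v4.00
# Displays the FortiGate's CPU states, memory states and uptime.
# The script only reads state: it sends "get" commands and no "config"/"set".

# Capture the output of "get system status".
# NOTE(review): the second argument to exec ("# ") looks like the CLI prompt
# to wait for - confirm against the scripting reference.
set input [exec "get system status\n" "# "]

# Platform, version and build are taken from the "Version:" line.
# The trailing field must be the digit class [0-9]+; a space inside the
# brackets would turn it into a range that also accepts punctuation.
set version_re {Version: *([^ ]+) ([^,]+),build([0-9]+),[0-9]+}

if {![regexp $version_re $input dummy status(Platform) status(Version) status(Build)]} {
    # Without this guard a failed match surfaces later as an unset-variable
    # error on status(Version) instead of a readable message.
    puts "Could not parse the Version line of 'get system status'; no performance data requested."
} elseif {$status(Version) eq "4.00"} {
    # NOTE(review): the third argument (30) is presumably a timeout in
    # seconds - confirm.
    puts -nonewline [exec "get system performance status\n" "# " 30]
} else {
    puts -nonewline [exec "get system performance\n" "# " 30]
}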
Output | Starting script execution get system performance CPU states: 92% used, 8% idle Memory states: 55% used Up: 9 days, 5 hours, 1 minutes. Fortigate-50B # | |
Variations | none. | |
Versions | 4.0 |
To configure common global settings | ||
#!
# Run on FortiOS v4.00
# Applies a set of common 'config system global' settings.
#
# Each entry of sys_global maps a CLI key to the value to apply:
#   - non-empty value : the script sends "set KEY VALUE"
#   - empty string    : the script sends "unset KEY", returning the key to
#                       its default value
#   - to leave a key as it currently is on the device, remove its entry
#
# admintimeout is blank in this sample, so it is reset to the device default
# rather than left alone; check that the default matches your admin-session
# policy before running.
array set sys_global {
    ntpserver    2.2.2.2
    admintimeout {}
    authtimeout  20
    ntpsync      enable
}

# Send one CLI command to the FortiGate and echo whatever it prints.
# NOTE(review): "# " looks like the prompt to wait for and 30 a timeout -
# confirm against the scripting reference.
proc fgt_cmd cmd {
    set reply [exec "$cmd\n" "# " 30]
    puts -nonewline $reply
}

# config system global---begin
fgt_cmd "config system global"
# array names returns the keys in no guaranteed order, so the commands may
# be sent in a different order from the entries above.
foreach name [array names sys_global] {
    set value $sys_global($name)
    if {$value eq ""} {
        fgt_cmd "unset $name"
    } else {
        fgt_cmd "set $name $value"
    }
}
fgt_cmd "end"
# config system global---end
Output | Starting script execution | |
Variations | none |
To configure syslogd settings and filters | ||
#!
# Run on FortiOS v4.00
# Configures 'log syslogd setting' and 'log syslogd filter' for one syslogd
# server.

# Which syslogd server to configure: "", "2" or "3".
set syslogd_no "2"

# Key-value pairs for 'config log syslogd setting'.
# A key listed without a value is unset, i.e. returned to its default.
set setting_list {
    {status enable}
    {csv enable}
    {facility alert}
    {port}
    {server 1.1.1.2}
}

# Key-value pairs for 'config log syslogd filter', same convention.
# NOTE(review): "virus disable" presumably stops virus events from being
# forwarded to this syslogd server - confirm that this is intended before
# reusing the sample.
set filter_list {
    {attack enable}
    {email enable}
    {im enable}
    {severity}
    {traffic enable}
    {virus disable}
    {web enable}
}

# Send one CLI command to the FortiGate and echo whatever it prints.
proc fgt_cmd cmd {
    set reply [exec "$cmd\n" "# "]
    puts -nonewline $reply
}

# Apply a list of key-value pairs inside the current config section:
# empty element -> skipped, key only -> "unset", key and value -> "set".
# Anything after the second word of an element is ignored.
proc set_kv kv_list {
    foreach pair $kv_list {
        switch -- [llength $pair] {
            0 { continue }
            1 { fgt_cmd "unset [lindex $pair 0]" }
            default { fgt_cmd "set [lindex $pair 0] [lindex $pair 1]" }
        }
    }
}

# configure log syslogd setting---begin
fgt_cmd "config log syslogd$syslogd_no setting"
set_kv $setting_list
fgt_cmd "end"
# configure log syslogd setting---end

# configure log syslogd filter---begin
fgt_cmd "config log syslogd$syslogd_no filter"
set_kv $filter_list
fgt_cmd "end"
# configure log syslogd filter---end
Output | Starting script execution config log syslogd2 setting (setting)# set status enable (setting)# set csv enable (setting)# set facility alert (setting)# unset port (setting)# set server 1.1.1.2 (setting)# end FGT# config log syslogd2 filter (filter)# set attack enable (filter)# set email enable (filter)# set im enable (filter)# unset severity (filter)# set traffic enable (filter)# set virus disable (filter)# set web enable (filter)# end FGT# | |
Variations | none |
To configure the FortiGate device to communicate with a FortiAnalyzer unit | ||
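#!
# Configures the FortiGate device to communicate with a FortiAnalyzer unit.

# Key-value pairs for 'config system fortianalyzer'. Each value is held in a
# Tcl variable whose name is the CLI key.
set status enable
set address-mode static
set encrypt enable
# localid is set further down, from the FortiGate's hostname.

# SECURITY: "123456" is a sample value. Replace it with a long, random
# pre-shared key before use. The key is stored in clear text in this script,
# and fgt_cmd echoes the CLI output of every command, so the line
# "set psksecret ..." also appears in clear text in the script output.
# Restrict access to both the script and its execution log.
set psksecret "123456"
set server 1.1.1.1
set ver-1 disable

# Which unit to configure - fortianalyzer, fortianalyzer2 or fortianalyzer3:
# enter "", "2" or "3".
set faz_no ""

# Keys sent to 'config system fortianalyzer'. A key in this list with no
# matching variable above is sent as "unset"; to leave a key unchanged on the
# device, keep it out of the list.
set key_list {status address-mode encrypt localid psksecret server ver-1}

# Read 'get system status' into the caller's array named by aname.
# Every line of the form "key: value" becomes a(key) = value, with both sides
# trimmed; lines without a colon are skipped.
proc get_sys_status aname {
    upvar $aname a
    set input [split [exec "get system status\n" "# "] \n]
    foreach line $input {
        if {![regexp {([^:]+):(.*)} $line dummy key value]} continue
        set a([string trim $key]) [string trim $value]
    }
}

# Send one CLI command to the FortiGate and echo whatever it prints.
proc fgt_cmd cmd {
    puts -nonewline [exec "$cmd\n" "# "]
}

# Use the FortiGate's hostname as localid. Stop with a readable error if the
# status output had no Hostname line, before any config command is sent.
get_sys_status sys_status
if {![info exists sys_status(Hostname)]} {
    error "Hostname not found in 'get system status' output; fortianalyzer$faz_no was not configured"
}
set localid $sys_status(Hostname)

# config system fortianalyzer---begin
fgt_cmd "config system fortianalyzer$faz_no"
foreach key $key_list {
    # [set $key] reads the variable whose name is stored in key.
    if {[info exists $key]} {
        fgt_cmd "set $key [set $key]"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
# config system fortianalyzer---end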
Output | Starting script execution config system fortianalyzer (fortianalyzer)# set status enable (fortianalyzer)# set address-mode static (fortianalyzer)# set encrypt enable (fortianalyzer)# set localid bob_the_great (fortianalyzer)# set psksecret 123456 (fortianalyzer)# set server 1.1.1.1 (fortianalyzer)# set ver-1 disable (fortianalyzer)# end FGT# | |
Variations | none |
To create custom IPS signatures and add them to a custom group | ||
#!
# Run on FortiOS v4.00
# Creates custom IPS signatures and adds them to the custom signature group.

# Custom IPS signatures. The array element name is the signature name.
# The outer braces keep the double quotes, so the CLI receives the signature
# as one quoted string.
set custom_sig(c1) {"F-SBID(--protocol icmp; --icmp_type 10; )"}
set custom_sig(c2) {"F-SBID(--protocol icmp; --icmp_type 0; )"}

# Custom IPS group settings, one list per signature name.
# A key listed without a value is unset, i.e. returned to its default:
# c1 leaves log-packet at its default and c2 leaves log at its default.
# Check that those defaults give the logging you expect for each rule.
set custom_rule(c1) {
    {status enable}
    {action drop}
    {log enable}
    {log-packet}
    {severity high}
}
set custom_rule(c2) {
    {status enable}
    {action reset}
    {log}
    {log-packet disable}
    {severity low}
}

# Send one CLI command to the FortiGate and echo whatever it prints.
proc fgt_cmd cmd {
    set reply [exec "$cmd\n" "# "]
    puts -nonewline $reply
}

# Apply a list of key-value pairs inside the current config section:
# empty element -> skipped, key only -> "unset", key and value -> "set".
# Anything after the second word of an element is ignored.
proc set_kv kv_list {
    foreach pair $kv_list {
        switch -- [llength $pair] {
            0 { continue }
            1 { fgt_cmd "unset [lindex $pair 0]" }
            default { fgt_cmd "set [lindex $pair 0] [lindex $pair 1]" }
        }
    }
}

# config ips custom---begin
# array names returns the keys in no guaranteed order, so entries may be
# created in a different order from the definitions above.
fgt_cmd "config ips custom"
foreach sig_name [array names custom_sig] {
    set sig_text $custom_sig($sig_name)
    fgt_cmd "edit $sig_name"
    fgt_cmd "set signature $sig_text"
    fgt_cmd "next"
}
fgt_cmd "end"

# config ips group custom---begin
fgt_cmd "config ips group custom"
foreach rule_name [array names custom_rule] {
    set rule_settings $custom_rule($rule_name)
    fgt_cmd "config rule $rule_name"
    set_kv $rule_settings
    fgt_cmd "end"
}
fgt_cmd "end"
# config ips group custom---end
Output | Starting script execution config ips custom (custom)# edit c1 new entry 'c1' added (c1)# set signature "F-SBID(--protocol icmp; --icmp_type 10; )" (c1)# next (custom)# edit c2 new entry 'c2' added (c2)# set signature "F-SBID(--protocol icmp; --icmp_type 0; )" (c2)# next (custom)# end FGT# config ips group custom (custom)# config rule c1 (c1)# set status enable (c1)# set action drop (c1)# set log enable (c1)# unset log-packet (c1)# set severity high (c1)# end (custom)# config rule c2 (c2)# set status enable (c2)# set action reset (c2)# unset log (c2)# set log-packet disable (c2)# set severity low (c2)# end (custom)# end FGT # | |
Variations | none |