 
Additional TCL Scripts
To get and display state information about the FortiGate device
Script
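#!
#Run on FortiOS v4.00
#This script will display FortiGate's CPU states,
#Memory states, and Up time

#Capture "get system status" and pull platform, version and build out
#of its "Version:" line into the status array. The second argument to
#exec is the prompt text the call waits for before returning.
set input [exec "get system status\n" "# "]
set matched [regexp {Version: *([^ ]+) ([^,]+),build([0-9]+),[0-9]+} $input \
    dummy status(Platform) status(Version) status(Build)]

#Stop with a readable message instead of a "can't read status(Version)"
#error when the Version line does not have the expected layout.
if {!$matched} {
    error "unable to parse 'get system status' output: $input"
}

#The performance command takes a trailing "status" keyword on 4.00;
#older builds take the bare form. The third exec argument (30) is
#presumably the wait limit for the command -- confirm against the
#exec reference for your FortiManager release.
if {$status(Version) eq "4.00"} {
    puts -nonewline [exec "get system performance status\n" "# " 30]
} else {
    puts -nonewline [exec "get system performance\n" "# " 30]
}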
 
Output
 
Starting script execution
 
get system performance
 
CPU states: 92% used, 8% idle
Memory states: 55% used
Up: 9 days, 5 hours, 1 minutes.
Fortigate-50B #
Variations
 
none.
Versions
 
4.0
To configure common global settings
Script
#!
 
#Run on FortiOS v4.00
#This script will configure common global settings
#if you do not want to set a parameter, comment out the
#corresponding set command
#if you want to reset a parameter to its default
#value, set it to an empty string
 
#Parameters to apply under 'config system global', keyed by CLI name.
#An empty value means "unset", i.e. return the parameter to its default.
#NOTE(review): the NTP address is a sample value -- replace it with
#your own time source before running.
array set sys_global [list \
    ntpserver    "2.2.2.2" \
    admintimeout "" \
    authtimeout  20 \
    ntpsync      "enable"]
 
#procedure to execute FortiGate command
#Send one CLI line to the FortiGate, wait for the "# " prompt (with the
#30 passed through as the exec wait limit) and echo the reply as-is.
proc fgt_cmd cmd {
    set reply [exec "$cmd\n" "# " 30]
    puts -nonewline $reply
}
#config system global---begin
 
#Walk sys_global: an empty value is unset (back to default), anything
#else is set verbatim. 'array names' order is unspecified, which is
#fine here because the set commands are independent of each other.
fgt_cmd "config system global"
foreach key [array names sys_global] {
    if {$sys_global($key) eq ""} {
        fgt_cmd "unset $key"
    } else {
        fgt_cmd "set $key $sys_global($key)"
    }
}
fgt_cmd "end"
 
#config system global---end
 
Output
 
Starting script execution
Variations
 
none
To configure syslogd settings and filters
Script
#!
 
#Run on FortiOS v4.00
#This script will configure log syslogd setting and
#filter
 
#key-value pairs for 'config log syslogd setting', no
#value means default value.
#Key-value pairs for 'config log syslogd setting'. A one-element pair
#(no value) is emitted as "unset <key>", i.e. the default value.
set setting_list [list \
    {status enable} \
    {csv enable} \
    {facility alert} \
    {port} \
    {server 1.1.1.2}]

#Key-value pairs for 'config log syslogd filter', same convention.
set filter_list [list \
    {attack enable} \
    {email enable} \
    {im enable} \
    {severity} \
    {traffic enable} \
    {virus disable} \
    {web enable}]

#Which syslogd block to configure: "" (syslogd), "2" or "3".
set syslogd_no "2"
 
#procedure to execute FortiGate CLI command
#Send one CLI line to the FortiGate, wait for the "# " prompt and echo
#whatever came back without adding a newline.
proc fgt_cmd cmd {
    puts -nonewline [exec [format "%s\n" $cmd] "# "]
}
 
#procedure to set a series of key-value pairs
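#Emit one CLI line per pair in kv_list: a one-element pair becomes
#"unset <key>" (restore the default), a longer pair becomes
#"set <key> <value...>". Empty pairs are skipped.
proc set_kv kv_list {
    foreach kv $kv_list {
        switch [llength $kv] {
            0 { continue }
            1 { fgt_cmd "unset [lindex $kv 0]" }
            default {
                #join of the tail keeps a multi-word value intact instead
                #of silently dropping every element after the second.
                fgt_cmd "set [lindex $kv 0] [join [lrange $kv 1 end]]"
            }
        }
    }
}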
 
#configure log syslogd setting---begin
 
#Configure the 'setting' and then the 'filter' block of the chosen
#syslogd server; each block is opened, filled from its list and closed.
foreach {section kvs} [list setting $setting_list filter $filter_list] {
    fgt_cmd "config log syslogd$syslogd_no $section"
    set_kv $kvs
    fgt_cmd "end"
}
#configure log syslogd filter---end
Output
 
Starting script execution
 
config log syslogd2 setting
(setting)# set status enable
(setting)# set csv enable
(setting)# set facility alert
(setting)# unset port
(setting)# set server 1.1.1.2
(setting)# end
FGT# config log syslogd2 filter
(filter)# set attack enable
(filter)# set email enable
(filter)# set im enable
(filter)# unset severity
(filter)# set traffic enable
(filter)# set virus disable
(filter)# set web enable
(filter)# end
FGT#
Variations
 
none
To configure the FortiGate device to communicate with a FortiAnalyzer unit
Script
#!
#This script will configure the FortiGate device to
#communicate with a FortiAnalyzer unit
#Enter the following key-value pairs for 'config
#system fortianalyzer'
 
#Values for 'config system fortianalyzer'. Every variable name here is
#a CLI key; the loop further down emits "set <key> <value>" for each key
#in key_list that has a variable and "unset <key>" for the rest.
#localid is not set here: it is filled from the hostname later.
#NOTE(review): the pre-shared key is kept in cleartext in this script
#and is echoed in the session output (see the Output section); use a
#strong secret and restrict who can read the script.
foreach {key value} {
    status       enable
    address-mode static
    encrypt      enable
    psksecret    123456
    server       1.1.1.1
    ver-1        disable
} {
    set $key $value
}

#Which FortiAnalyzer block to configure: "" (fortianalyzer), "2" or "3".
set faz_no ""

#Keys handled by 'config system fortianalyzer'. Leave a key out of this
#list to leave its current value on the device untouched.
set key_list {status address-mode encrypt localid psksecret server ver-1}
 
#procedure to get system status from a FortiGate
#Run 'get system status' and load its "Key: value" lines into the
#caller's array named by aname, trimming whitespace on both sides.
proc get_sys_status aname {
    upvar $aname a
    set raw [exec "get system status\n" "# "]
    foreach line [split $raw \n] {
        #Lines without a colon (banners, the prompt) are skipped.
        if {[regexp {([^:]+):(.*)} $line -> k v]} {
            set a([string trim $k]) [string trim $v]
        }
    }
}
#procedure to execute FortiGate command
#Send one CLI line to the FortiGate, wait for the "# " prompt and echo
#the reply as-is.
proc fgt_cmd cmd {
    set reply [exec "$cmd\n" "# "]
    puts -nonewline $reply
}
#set the localid as the FortiGate's hostname
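get_sys_status sys_status
#Fail with a readable message rather than "no such element in array"
#if the status output carried no Hostname line.
if {![info exists sys_status(Hostname)]} {
    error "Hostname not found in 'get system status' output"
}
set localid $sys_status(Hostname)

#config system fortianalyzer---begin
fgt_cmd "config system fortianalyzer$faz_no"

#A key with a matching variable is set; a key without one is unset,
#i.e. returned to its default. The braced condition avoids the double
#substitution of an unbraced "if [info exists $key]".
foreach key $key_list {
    if {[info exists $key]} {
        fgt_cmd "set $key [set $key]"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"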
#config system fortianalyzer---end
Output
 
Starting script execution
config system fortianalyzer
(fortianalyzer)# set status enable
(fortianalyzer)# set address-mode static
(fortianalyzer)# set encrypt enable
(fortianalyzer)# set localid bob_the_great
(fortianalyzer)# set psksecret 123456
(fortianalyzer)# set server 1.1.1.1
(fortianalyzer)# set ver-1 disable
(fortianalyzer)# end
FGT#
Variations
 
none
To create custom IPS signatures and add them to a custom group
Script
#!
#Run on FortiOS v4.00
#This script will create custom ips signatures and
#add them to a custom signature group
 
#Enter custom ips signatures, signature names are the
#names of array elements
#Custom IPS signatures, keyed by signature name. Each value is the
#quoted F-SBID body passed verbatim to 'set signature'.
#ICMP type 10 is Router Solicitation, type 0 is Echo Reply.
array set custom_sig {
    c1 {"F-SBID(--protocol icmp; --icmp_type 10; )"}
    c2 {"F-SBID(--protocol icmp; --icmp_type 0; )"}
}

#Per-rule settings for 'config ips group custom', keyed by rule name.
#A one-element pair (e.g. {log-packet}) is emitted as "unset", i.e. the
#default value.
array set custom_rule {
    c1 {{status enable} {action drop} {log enable} {log-packet} {severity high}}
    c2 {{status enable} {action reset} {log} {log-packet disable} {severity low}}
}
 
#procedure to execute FortiGate command
#Send one CLI line to the FortiGate, wait for the "# " prompt and echo
#whatever came back without adding a newline.
proc fgt_cmd cmd {
    puts -nonewline [exec [format "%s\n" $cmd] "# "]
}
 
#procedure to set a series of key-value pairs
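#Emit one CLI line per pair in kv_list: a one-element pair becomes
#"unset <key>" (restore the default), a longer pair becomes
#"set <key> <value...>". Empty pairs are skipped.
proc set_kv kv_list {
    foreach kv $kv_list {
        switch [llength $kv] {
            0 { continue }
            1 { fgt_cmd "unset [lindex $kv 0]" }
            default {
                #join of the tail keeps a multi-word value intact instead
                #of silently dropping every element after the second.
                fgt_cmd "set [lindex $kv 0] [join [lrange $kv 1 end]]"
            }
        }
    }
}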
#config ips custom---begin
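#config ips custom---begin
#Create (or re-edit) each custom signature. lsort gives a stable,
#reproducible command order; 'array names' alone returns hash order.
fgt_cmd "config ips custom"
foreach sig_name [lsort [array names custom_sig]] {
    fgt_cmd "edit $sig_name"
    fgt_cmd "set signature $custom_sig($sig_name)"
    fgt_cmd "next"
}
fgt_cmd "end"
#config ips group custom---begin
#Attach a rule per signature to the custom group; each rule's
#settings come from custom_rule under the same name.
fgt_cmd "config ips group custom"
foreach rule_name [lsort [array names custom_rule]] {
    fgt_cmd "config rule $rule_name"
    set_kv $custom_rule($rule_name)
    fgt_cmd "end"
}
fgt_cmd "end"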
#config ips group custom---end
Output
 
Starting script execution
config ips custom
(custom)# edit c1
new entry 'c1' added
(c1)# set signature "F-SBID(--protocol icmp; --icmp_type 10; )"
 
(c1)# next
(custom)# edit c2
new entry 'c2' added
(c2)# set signature "F-SBID(--protocol icmp; --icmp_type 0; )"
 
(c2)# next
(custom)# end
FGT# config ips group custom
(custom)# config rule c1
(c1)# set status enable
(c1)# set action drop
(c1)# set log enable
(c1)# unset log-packet
(c1)# set severity high
(c1)# end
(custom)# config rule c2
(c2)# set status enable
(c2)# set action reset
(c2)# unset log
(c2)# set log-packet disable
(c2)# set severity low
(c2)# end
(custom)# end
FGT #
Variations
 
none