Sunday, March 3, 2013

TCL scripting with Fortimanager 4.0

This is how you write a simple TCL that will parse the IP address from CLI and input it into your commands.

1. The Problem. 

I needed to begin logging about 200 80c's to our FortiAnalyzer.

The main issue is that all of our interface tunnels are set with local and remote IPs for simplicity so when I input the private 192.x IP of the Analyzer into the GUI it would not route through the tunnel.

The solution to this is to use internal interface IP in the CLI like so:

config log fortianalyzer setting
set status enable
set source-ip

In the above example let's say that is the internal interface IP for this box.

Now, the question was how I was going to do these for 200 units .. each with their own unique internal interface IP.

2. Fortimanager TCL scripting

Access the Fortimanager TCL scripting feature in the "Device Manager" tab under "Tools".

Click on "Create New"

3. The Script

puts "Script starts ..."

# Create do_cmd procedure to execute CLI commands
proc do_cmd {cmd} {
puts [exec "$cmd\n" "# " 15]

# get internal ip
do_cmd "config system interface"
do_cmd "edit internal"
set query [exec "show\n" "# "]
#puts $query
set output [split $query "\n"]
#Find IP address and puts $ip
regexp {(?:\d+\.){3}\d+} $output ip
do_cmd "end"

# set internal ip as source ip for log fortianalyzer
do_cmd "config log fortianalyzer setting"
do_cmd "set status enable"
do_cmd "set source-ip $ip"
do_cmd "end"

Input and save.

4. Execute and Verify

You can only execute scripts at the group level so (if you haven't already) create a new test script group and add your test unit into the group.

Right click the group name and select "Script".

Click "Create New"

Select your script from the drop down and hit OK.

5. Review Script Log

Go to the dashboard of the unit that was in the group that you ran the script on.
On the right side: Click on "Configure" next to Script status.

In this window you should be able to see your script execution history which should look something like my output below.

Starting log (Run on device)
Script starts ...
config system interface

HQ_LAB (interface) #
edit internal
change table entry 'internal'
HQ_LAB (internal) #
cmd_clean_context 0, abort=0
config log fortianalyzer setting

HQ_LAB (setting) #
set status enable
path=log.fortianalyzer, objname=setting, size=340, sz_attr=1
attr : status enable, 4, 0
HQ_LAB (setting) #
set source-ip
path=log.fortianalyzer, objname=setting, size=340, sz_attr=1
attr : source-ip, 4, 320
HQ_LAB (setting) #
cmd_clean_context 0, abort=0

I hope this has helped some of you out there. Leave a comment if you have any questions.
Thank you!


Anonymous said...

Great post! For anyone (like me) that had trouble finding the scripting menu; you'll need to enable it first under Settings > Admin > Admin Settings (Show Script option needs to be enabled)

Loïc Guiraud said...

in addition, source-ip for remote LDAP is configured on the Policy & Object part
to resolve this, we must create a TCL script editing a dynamic mapping