Friday, March 7, 2014

TCL | Create WTP-Profile and add all FAPs on units to new profile

Problem: 

We had a good percentage of access points across the enterprise that were not assigned to a WTP profile but instead were set to "Automatic". Even though this caused us no immediate harm, it was definitely not optimal.

In order to fix this we needed a uniform WTP profile across the board on all FortiGates, and we needed to assign all of the FAPs on each FGT to that profile. Unfortunately, this option is not available through the standard FortiManager features, and it is a very cumbersome process via the CLI because, in order to reference an AP, you need to address it by its serial number.

ex:

config wireless-controller wtp
edit "FAP22B3U12345678" 
set wtp-profile "NEWdefaultwifiprof" 
end

Solution:

As a workaround we will need to script this manual process.
The script will need to:

1. Create a new standard WTP profile. 
2. Query all of the FAPs on the unit. 
3. Add each FortiAP to the new WTP profile by serial. 

Script:

#!
# creates the do_cmd proc: FortiManager's exec sends the command to the device
# and waits for the "# " prompt; the returned output is printed to the script log
proc do_cmd {cmd} {
  puts [exec "$cmd\n" "# "]
}
# creates single instance of new wtp-profile
do_cmd "config wireless-controller wtp-profile"
do_cmd "edit NEWdefaultwifiprof"
do_cmd "config radio-1"
do_cmd "set mode ap"
do_cmd "set band 802.11n-5G"
do_cmd "set ap-bgscan enable"
do_cmd "set rogue-scan enable"
do_cmd "set frequency-handoff enable"
do_cmd "set ap-handoff enable"
do_cmd "set vaps NewSitewifi"
do_cmd "set channel 36 40 44 48 149 153 157 161 165"
do_cmd "end"
do_cmd "config radio-2"
do_cmd "set mode ap"
do_cmd "set band 802.11n"
do_cmd "set ap-bgscan enable"
do_cmd "set rogue-scan enable"
do_cmd "set frequency-handoff enable"
do_cmd "set ap-handoff enable"
do_cmd "set vaps NewSitewifi"
do_cmd "set channel 1 6 11"
do_cmd "end"
do_cmd "next"
do_cmd "end"
# queries all access points; grep keeps only the edit "<serial>" lines
foreach line [split [exec "show wireless-controller wtp | grep edit\n" "# "] \n] {
  # regexp to match FAP serial #s
  if {[regexp {edit[ ]+"(.*)"} $line match fapid]} {
    # assigns each AP on the FortiGate to the new wtp-profile
    do_cmd "config wireless-controller wtp"
    do_cmd "edit $fapid"
    do_cmd "set wtp-profile NEWdefaultwifiprof"
    do_cmd "end"
  }
}


Thursday, January 23, 2014

TCL {fortiManager} $script | grep continued

Please refer to my last post on FortiManager scripting for more info.

This script was directly inspired by the legacy Fortinet tech doc: TCL Decisions.

Below is a quick script utilizing our fairly new grep capabilities in FortiOS.

When launched this script will:

1. Find all policies that match our regex.
2. Store their "edit #" value in a variable named $policyid.
3. Run commands in a foreach loop against those policies.

proc do_cmd {cmd} {
  puts [exec "$cmd\n" "# "]
}
# grep -f prints the full context of every matching policy, so each
# "edit <id>" line is followed by that policy's "set ..." lines
foreach line [split [exec "show firewall policy | grep -f deep-inspection\n" "# "] \n] {
  if {[regexp {edit[ ]+([0-9]+)} $line match policyid]} {
    continue
  } elseif {[regexp {set[ ]+([\w-]+)[ ]+(.*)\r} $line match key value]} {
    # [\w-] so that hyphenated keys such as deep-inspection-options are captured too
    lappend fw_policy($policyid) "$key $value"
  }
}
do_cmd "config firewall policy"
foreach policyid [array names fw_policy] {
  do_cmd "edit $policyid"
  do_cmd "unset deep-inspection-options"
  do_cmd "next"
}
do_cmd "end"
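
An offline dry run of the parsing logic from both scripts on this page (the WTP one above and this policy one), added here and not from the original posts: it runs in plain tclsh, `do_cmd` records commands instead of sending them, the device output is constructed, and the serials and policy IDs are made up.

```tcl
# Dry-run harness for the two scripts above (added here, not from the posts):
# constructed CLI output stands in for the FortiGate and do_cmd only records what
# it would send, so the parsing can be checked in plain tclsh before a push.
set sent {}
proc do_cmd {cmd} { global sent; lappend sent $cmd }
# Constructed `show wireless-controller wtp | grep edit` output (CRLF like the CLI).
set wtp_output "    edit \"FAP22B3U00000001\"\r
    edit \"FAP22B3U00000002\"\r
"
# Constructed `show firewall policy | grep -f deep-inspection` output; policy 47
# has no deep-inspection-options line and must be left alone.
set policy_output "    edit 12\r
        set deep-inspection-options \"default\"\r
    next\r
    edit 47\r
        set srcintf \"port2\"\r
    next\r
"
# Same regex as the WTP script: the serial inside each `edit "<serial>"` line.
proc parse_fap_serials {output} {
    set serials {}
    foreach line [split $output \n] {
        if {[regexp {edit[ ]+"(.*)"} $line -> fapid]} { lappend serials $fapid }
    }
    return $serials
}
# Same regexes as the policy script (key pattern widened to hyphenated names), plus
# a guard: a policy id is only returned if a `set <key>` line was seen in its block.
proc find_policies_with {output key} {
    set current ""; set hits {}
    foreach line [split $output \n] {
        if {[regexp {edit[ ]+([0-9]+)} $line -> policyid]} {
            set current $policyid
        } elseif {[regexp {set[ ]+([\w-]+)[ ]+(.*)\r} $line -> k v] && $k eq $key
                  && $current ne "" && $current ni $hits} {
            lappend hits $current
        }
    }
    return $hits
}
foreach fapid [parse_fap_serials $wtp_output] {
    do_cmd "config wireless-controller wtp"; do_cmd "edit $fapid"
    do_cmd "set wtp-profile NEWdefaultwifiprof"; do_cmd "end"
}
do_cmd "config firewall policy"
foreach policyid [find_policies_with $policy_output deep-inspection-options] {
    do_cmd "edit $policyid"; do_cmd "unset deep-inspection-options"; do_cmd "next"
}
do_cmd "end"
foreach c $sent { puts $c }
```

Swap the recording `do_cmd` back for the real one from the post once the printed command list looks right.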


Enjoy, and feel free to post any questions or comments below.