
Administration Guide

CLI scripts


CLI scripts include only FortiOS CLI commands as they are entered at the command line prompt on a FortiGate device. CLI scripts do not include Tool Command Language (Tcl) commands, and the first line of the script is not “#!” as it is for Tcl scripts.

CLI scripts are useful for specific tasks such as configuring a routing table, adding new firewall policies, or getting system information. These example tasks easily apply to any or all FortiGate devices connected to the FortiManager system.

However, the more complex a CLI script becomes, the less portable it is across FortiGate devices; it quickly becomes tied to one particular device or configuration. For example, a script that contains the specific IP address of one FortiGate device's interface cannot be executed on a different FortiGate device.

Samples of CLI scripts have been included to help get you started writing your own scripts for your network administration tasks. See CLI script examples.

Error messages will help you determine the causes of any CLI scripting problems, and fix them. See Error Messages.

The troubleshooting tips section provides some suggestions on how to quickly locate and fix problems in your CLI scripts. See Troubleshooting Tips.

CLI script examples

There are two types of CLI scripts. The first type gets information from your FortiGate device; the second type changes configuration on your FortiGate device.

Scripts for getting information

Getting information remotely is a main function of FortiManager, and CLI scripts allow you to access any information on your FortiGate devices. Getting information typically involves only one line of script as the following scripts show.

View information for port1

Script

show system interface port1

Output

config system interface

edit "port1"

set vdom "root"

set ip 172.20.120.148 255.255.255.0

set allowaccess ping https ssh

set type physical

next

end

Variations

Remove the interface name to see a list that includes all the interfaces on the FortiGate device including virtual interfaces such as VLANs.

Notes

This script does not work when run on a policy package.

If the preceding script is to be run on the FortiGate directly (via CLI), or on the device database of a FortiGate that has VDOMs enabled, it must be modified as follows:

    config global
        show system interface port1
    end

Since running the script on the device database yields no useful output (see the first log below), run it on the FortiGate directly (via CLI).

Example log of script run against the device database:

------- Executing time: 2013-10-15 13:27:32 ------

Starting log (Run on database)

config global

end

Running script on DB success

------- The end of log ----------

Example log of script run on FortiGate Directly (via CLI):

------- Executing time: 2013-10-15 13:52:02 ------

Starting log (Run on device)

FortiGate-VM64 $ config global

FortiGate-VM64 (global) $ show system interface port1

config system interface

edit "port1"

set vdom "root"

set ip 10.2.66.181 255.255.0.0

set allowaccess ping https ssh snmp http fgfm auto-ipsec radius-acct probe-response capwap

set type physical

set snmp-index 1

next

end

FortiGate-VM64 (global) $ end

------- The end of log ----------
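Once a script like the one above has run, the log is ordinary text that can be checked automatically. The following Python script is an added example, not part of the FortiManager guide: it strips the FortiManager banners and echoed prompts from a Run-on-device log, parses the show system interface output into a dictionary, and flags interfaces whose allowaccess exposes cleartext or legacy management protocols. The protocol list and the sample log are constructed for this example, modelled on the output above.

```python
"""Audit 'show system interface' output captured from a FortiManager CLI
script run on a FortiGate (added example; not from the FortiManager guide)."""
import re
from typing import Dict, List

# Management protocols a reviewer normally does not want on a data interface
# (cleartext or legacy). Assumption for this example; adjust to your policy.
RISKY_ALLOWACCESS = {"http", "telnet", "snmp"}

# Constructed sample log, modelled on the "Run on device" log in this section.
SAMPLE_LOG = """------- Executing time: 2013-10-15 13:52:02 ------
Starting log (Run on device)
FortiGate-VM64 $ config global
FortiGate-VM64 (global) $ show system interface
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.2.66.181 255.255.0.0
        set allowaccess ping https ssh snmp http fgfm
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
end
FortiGate-VM64 (global) $ end
------- The end of log ----------
"""

# Echoed prompt such as 'FortiGate-VM64 (global) $ ' or 'FortiGate-VM64 $ '.
PROMPT_RE = re.compile(r"^\S+ (\([^)]*\) )?\$ ")


def output_lines(log: str) -> List[str]:
    """Drop FortiManager banners and echoed commands, keep FortiOS output."""
    kept = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line.startswith("-------") or line.startswith("Starting log"):
            continue
        if PROMPT_RE.match(line):
            continue          # the command FortiManager typed, not its output
        kept.append(line)
    return kept


def parse_interfaces(lines: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Parse a 'config system interface' block into {name: {setting: values}}."""
    interfaces: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in lines:
        parts = line.split()
        if parts[0] == "edit":
            current = parts[1].strip('"')
            interfaces[current] = {}
        elif parts[0] == "set" and current is not None:
            interfaces[current][parts[1]] = [v.strip('"') for v in parts[2:]]
        elif parts[0] in ("next", "end"):
            current = None
    return interfaces


def risky_interfaces(interfaces, risky=RISKY_ALLOWACCESS) -> Dict[str, List[str]]:
    """Return {interface: [risky protocols]} for interfaces that expose any."""
    findings = {}
    for name, settings in interfaces.items():
        exposed = sorted(set(settings.get("allowaccess", [])) & risky)
        if exposed:
            findings[name] = exposed
    return findings


def audit_log(log: str) -> Dict[str, List[str]]:
    """Full pipeline: FortiManager log text in, findings out."""
    return risky_interfaces(parse_interfaces(output_lines(log)))


if __name__ == "__main__":
    for iface, protocols in audit_log(SAMPLE_LOG).items():
        print(f"{iface}: allowaccess exposes {' '.join(protocols)}")
```

The same pipeline works on the real log text copied from FortiManager, because it only relies on the banner lines and the prompt shape shown in this section; the nested-dictionary output is also a convenient input for comparing interface settings across several devices.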

View entries in the static routing table

Script

show route static

Output

config router static

edit 1

set device "port1"

set gateway 172.20.120.2

next

edit 2

set device "port2"

set distance 7

set dst 172.20.120.0 255.255.255.0

set gateway 172.20.120.2

next

end

Notes

If VDOMs are enabled on the FortiGate, the script must be rewritten as follows and run on the FortiGate directly (via CLI):

    config vdom
        edit root
            show route static
        next
    end

Example log of script run on FortiGate Directly (via CLI):

------- Executing time: 2013-10-15 14:24:10 ------

Starting log (Run on device)

FortiGate-VM64 $ config vdom

FortiGate-VM64 (vdom) $ edit root

current vf=root:0

FortiGate-VM64 (root) $ show route static

config router static

edit 1

set device "port1"

set gateway 10.2.0.250

next

end

FortiGate-VM64 (root) $ next

FortiGate-VM64 (vdom) $ end

------- The end of log ----------

View information about all configured FDN servers on the device

Script

    config global
        diagnose debug rating
    end

Output

View the log of script running on device: FortiGate-VM64

------- Executing time: 2013-10-15 14:32:15 ------

Starting log (Run on device)

FortiGate-VM64 $ config global

FortiGate-VM64 (global) $ diagnose debug rating

Locale : english

License : Contract

Expiration : Thu Jan 3 17:00:00 2030

-=- Server List (Tue Oct 15 14:32:49 2013) -=-

IP Weight RTT Flags TZ Packets Curr Lost Total Lost

192.168.100.206 35 2 DIF -8 4068 72 305

192.168.100.188 36 2 F -8 4052 72 308

FortiGate-VM64 (global) $ end

------- The end of log ----------

Variations

Output for this script will vary based on the state of the FortiGate device. The preceding output is for a FortiGate device that has never been authorized.

For an authorized FortiGate device without a valid license, the output would be similar to:

Locale : english

License : Unknown

Expiration : N/A

Hostname : guard.fortinet.net

-=- Server List (Tue Oct 3 09:34:46 2006) -=-

IP Weight Round-time TZ Packets Curr Lost Total Lost

** None **

Scripts for device configuration

Setting FortiGate device information with CLI scripts gives you access to more settings and allows for more granular control than you may have in the Device Manager. CLI commands also allow access to more advanced options that are not available in the FortiGate GUI. Scripts that set information require more lines.

Any scripts that you will be running on the global database must include the full CLI commands and not use short forms for the commands. Short form commands will not run on the global database.

Create a new admin profile allowing read-only access to policy related areas

Script

    config global
        config system accprofile
            edit "policy_admin"
                set fwgrp read
                set loggrp read
                set sysgrp read
            next
        end
    end

Output

View the log of script running on device: FortiGate-VM64:

------- Executing time: 2013-10-16 13:39:35 ------

Starting log (Run on device)

FortiGate-VM64 $ config global

FortiGate-VM64 (global) $ config system accprofile

FortiGate-VM64 (accprofile) $ edit "policy_admin"

FortiGate-VM64 (policy_admin) $ set fwgrp read

FortiGate-VM64 (policy_admin) $ set loggrp read

FortiGate-VM64 (policy_admin) $ set sysgrp read

FortiGate-VM64 (policy_admin) $ next

FortiGate-VM64 (accprofile) $ end

FortiGate-VM64 (global) $ end

------- The end of log ----------

Variations

This profile is read-only, so that a policy administrator can monitor this device's configuration and traffic without being able to change them.

Variations include granting read-only or read-write access to other areas, according to what that account type needs. Because edit creates the entry if it does not exist and otherwise modifies the existing one, choose a profile name that is not already in use; reusing a built-in profile name such as prof_admin would change that built-in profile's permissions instead of creating a new profile.

Configure sandboxing using FortiSandbox Cloud on FortiGate

Script

config system fortisandbox

set status enable

set forticloud enable

set server fortisandboxcloud.com

end

Note

For more information on configuring FortiSandbox on FortiGate, see the FortiGate/FortiOS Administration Guide.

Configure a firewall policy in the global database

You can run a CLI script in the FortiManager Global Database in addition to running it on a FortiGate unit directly. Compare the following sample scripts:

Running a CLI script on a FortiGate unit

    config vdom
        edit "root"
            config firewall policy
                edit 10
                    set srcintf "port5"
                    set dstintf "port6"
                    set srcaddr "all"
                    set dstaddr "all"
                    set status disable
                    set schedule "always"
                    set service "ALL"
                    set logtraffic disable
                next
            end
        next
    end

Running a CLI script on the Global Database

    config global footer policy
        edit 10
            set srcintf "any"
            set dstintf "any"
            set srcaddr "gall"
            set dstaddr "gall"
            set status disable
            set schedule "galways"
            set service "gALL"
            set logtraffic disable
        next
    end

Variations

The command config global footer policy can be replaced with config global header policy to create a header policy in the Global Database.

Both scripts use ASCII double quotes around names. Quotation marks pasted from a word processor are not recognized as quotes by the CLI and cause the command to fail. The policy is also created with set status disable, so pushing the script does not change traffic handling until an administrator reviews and enables the policy.

Error Messages

Most error messages you will see are regular FortiGate CLI error messages. If you are familiar with the CLI you will likely recognize them.

Other error messages indicate your script encountered problems while executing, such as:

  • command parse error: It was not possible to parse this line of your script into a valid FortiGate CLI command. Common causes for this are misspelled keywords or an incorrect command format.
  • unknown action: Generally this message indicates the previous line of the script was not executed, especially if the previous line accesses an object such as “config router static”.
  • Device XXX failed-1: This usually means there is a problem with the end of the script. XXX is the name of the FortiGate unit the script is to be executed on. If a script has no end statement or that line has an error in it you may see this error message. You may also see this message if the FortiGate unit has not been synchronized by deploying its current configuration.

Troubleshooting Tips

Here are some troubleshooting tips to help locate and fix problems you may experience with your scripts.

  • Check the script output. Generally the error messages displayed here will help you locate and fix the problem.
  • See the FortiGate CLI Reference for more information on all CLI commands.
  • There is a limit to the number of scripts allowed on the FortiManager unit. Try removing an old script before trying to save your current one.
  • As mentioned at the start of this chapter, ensure console output paging (the console more setting) is disabled on the FortiGate devices where scripts execute; in the FortiGate CLI this is config system console, set output standard, end. Otherwise a condition may occur where both the FortiGate device and the FortiManager system wait for each other to respond until they time out.
  • There should be no punctuation at the start or end of a line.
  • Apart from the command itself, a line may contain only whitespace. Leading whitespace is useful for indenting, so that matching end and next commands line up and the script is quick to debug.
  • Keep your scripts short. They are easier to troubleshoot and it gives you more flexibility. You can easily execute a number of scripts after each other.
  • Use full command names. For example instead of “set host test” use “set hostname test”. This is required for any scripts that are to be run on the global database.
  • Use the number sign (#) to comment out a line you suspect contains an error.
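The checks in this list can be automated before a script is saved in FortiManager. The following Python script is an added example, not part of the FortiManager guide: it applies the tips above to a script (typographic quotes, trailing punctuation, unbalanced config/end and edit/next pairs, and, for scripts destined for the global database, a small list of short-form commands) and reports each problem with its line number. The short-form list and the sample script are assumptions constructed for this example.

```python
"""Pre-flight lint for FortiManager CLI scripts, based on the troubleshooting
tips in this section (added example; not from the FortiManager guide)."""
from typing import List, Tuple

CLOSER = {"config": "end", "edit": "next"}
# Abbreviations FortiOS expands interactively but the global database rejects.
# The list is an assumption for this example; extend it for your environment.
SHORT_FORMS = {"diag": "diagnose", "exec": "execute"}
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"   # quotes pasted from word processors
TRAILING_PUNCT = ".,;:"                      # never valid at the end of a command

# Constructed script with three common mistakes: a short-form command,
# a typographic quote, and a 'config vdom' / 'edit' pair that is never closed.
SAMPLE_SCRIPT = """config global
    diag debug rating
end
config vdom
    edit \u201croot\u201d
        config router static
            edit 1
                set device "port1"
                set gateway 172.20.120.2
            next
        end
"""


def lint_script(text: str, for_global_db: bool = False) -> List[str]:
    """Return human-readable problems; an empty list means the script passed."""
    problems: List[str] = []
    open_blocks: List[Tuple[str, int]] = []   # (keyword, line), innermost last
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()                    # leading whitespace is indentation
        if not line or line.startswith("#"):
            continue                          # blank line or # comment
        if any(q in line for q in CURLY_QUOTES):
            problems.append(f"line {lineno}: typographic quotes; use ASCII double quotes")
        if line[-1] in TRAILING_PUNCT:
            problems.append(f"line {lineno}: trailing punctuation '{line[-1]}'")
        word = line.split()[0]
        if for_global_db and word in SHORT_FORMS:
            problems.append(
                f"line {lineno}: short form '{word}'; the global database needs "
                f"'{SHORT_FORMS[word]}'")
        if word in CLOSER:
            open_blocks.append((word, lineno))
        elif word == "next":
            if open_blocks and open_blocks[-1][0] == "edit":
                open_blocks.pop()
            else:
                problems.append(f"line {lineno}: 'next' without an open 'edit'")
        elif word == "end":
            # 'end' commits the current entry and leaves the table, so it also
            # closes an 'edit' that was not closed with 'next'.
            while open_blocks and open_blocks[-1][0] == "edit":
                open_blocks.pop()
            if open_blocks:
                open_blocks.pop()
            else:
                problems.append(f"line {lineno}: 'end' without an open 'config'")
    for word, lineno in open_blocks:
        problems.append(
            f"line {lineno}: '{word}' is never closed (missing '{CLOSER[word]}')")
    return problems


if __name__ == "__main__":
    for problem in lint_script(SAMPLE_SCRIPT, for_global_db=True):
        print(problem)
```

An unclosed block is reported against the line that opened it, which is the line to look at when FortiManager reports Device XXX failed-1 for a script with no end statement.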
