By Manny Fernandez

December 5, 2019

FortiOS AutoScript from CLI

OK folks, time for another quick scripting article.  As many may know, some folks have hit a bug in v6.2.x (as of the writing of this article) with the wad daemon.  It causes conserve mode.  Fortinet is working on fixing this in the next release, v6.2.3.  Until then, there is a workaround.  This workaround can be used for all types of scripts to be run automatically in FortiOS.

Creating the Script

config system auto-script
    edit wad
        set interval 86400
        set repeat 180
        set start auto
        set script "diag test app wad 99"
    next
end

Note that in the set script line, you will need the double quotes "".

Other use cases include backing up configs, as an example.  I recommend getting FortiManager, as it has this feature built in and is easier to manage centrally.

config system auto-script
    edit backup-config
        set interval 1
        set repeat 0
        set start auto
        set script "execute backup config ftp FGT_AUTOCOFING.conf 192.168.1.200 ftpuser ftpuser"
    next
end

NOTE: I do not recommend you back up your configs via FTP, since the password would be in clear text.

Some of the options for the scripts are listed below.

Interval is the time in seconds between runs of the script.
Repeat is the number of times to repeat the script. The value 0 sets an infinite number of repetitions.
Start can be set to manual to start the script manually, or to auto to start it automatically.
Script is the content of the script.

From the admin guide:

config system auto-script
    edit {name}
        # Configure auto script.
        set name {string}              Auto script name. size[35]
        set interval {integer}         Repeat interval in seconds. range[0-31557600]
        set repeat {integer}           Number of times to repeat this script (0 = infinite). range[0-65535]
        set start {manual | auto}      Script starting mode.
            manual  Starting manually.
            auto    Starting automatically.
        set script {string}            List of FortiOS CLI commands to repeat. size[255]
        set output-size {integer}      Number of megabytes to limit script output to (10 - 1024, default = 10). range[10-1024]
    next
end
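As an added example (not from the original post or from Fortinet), here is a small Python helper that checks an auto-script entry against the ranges quoted from the admin guide above, flags the cleartext-credential FTP backup the note warns about, and renders the CLI block with the double quotes the set script line requires. The function names and the FTP regex are my own.

```python
import re

# Limits taken from the FortiOS admin guide excerpt quoted above.
LIMITS = {
    "name": 35,                    # size[35]
    "interval": (0, 31557600),     # range[0-31557600]
    "repeat": (0, 65535),          # range[0-65535], 0 = infinite
    "script": 255,                 # size[255]
    "output-size": (10, 1024),     # range[10-1024]
}
STARTS = {"manual", "auto"}
# Matches "execute backup config ftp ..." (FortiOS also accepts "exec").
FTP_BACKUP = re.compile(r"\bexec(?:ute)?\s+backup\s+config\s+ftp\b")

def validate_auto_script(name, interval, repeat, start, script, output_size=10):
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = []
    if not name or len(name) > LIMITS["name"]:
        problems.append(f"name must be 1-{LIMITS['name']} characters")
    for field, value in (("interval", interval), ("repeat", repeat),
                         ("output-size", output_size)):
        lo, hi = LIMITS[field]
        if not lo <= value <= hi:
            problems.append(f"{field} {value} outside range {lo}-{hi}")
    if start not in STARTS:
        problems.append(f"start must be one of {sorted(STARTS)}")
    if not script or len(script) > LIMITS["script"]:
        problems.append(f"script must be 1-{LIMITS['script']} characters")
    if FTP_BACKUP.search(script):
        # The post's note: FTP puts the password on the CLI and on the wire in cleartext.
        problems.append("backup over FTP sends the password in cleartext")
    return problems

def render_auto_script(name, interval, repeat, start, script):
    """Render the CLI block, wrapping the script in the required double quotes."""
    problems = validate_auto_script(name, interval, repeat, start, script)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        "config system auto-script",
        f"    edit {name}",
        f"        set interval {interval}",
        f"        set repeat {repeat}",
        f"        set start {start}",
        f'        set script "{script}"',
        "    next",
        "end",
    ])

def total_runtime_seconds(interval, repeat):
    """Seconds the whole schedule spans; None when repeat is 0 (infinite)."""
    return None if repeat == 0 else interval * repeat
```

With the wad example above, total_runtime_seconds(86400, 180) shows the script is scheduled to run once a day for 180 days.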

Automation in 6.2

In 6.2, Fortinet enhanced its triggers and actions.  One of the triggers can look at logs generated by FortiOS and run CLI scripts based on those messages.  Below we see what that looks like.

[Screenshot: Security Fabric > Automation, creating a trigger with a CLI Script action]

  1. Go to Security Fabric, then Automation.  Here you can create a new trigger.  In my example, we chose to look for a particular log message (see item 2 in the picture above).
  2. The particular message to match.
  3. Choose the action CLI Script.
  4. Optionally, have an email sent out.
  5. Enter the script.

Verifying Schedule

You can validate what is running or scheduled to run by going into the GUI.

[Screenshot: System > Advanced, auto-script status]

  1. Go to System.
  2. Then choose Advanced.
  3. Choose the script.  You can stop it, delete it, or download the results of the script.

When you download the file using the download button, it will download a %script-name.out% file.  This shows the stdout from the script run.

[Screenshot: downloaded script output file]

NOTE: In 6.2.3 this GUI option was removed.

Other Options

In case you are wondering what the 99 means in the script, here is a table showing those numbers and what each of them does.

[Screenshot: table of diag test app wad test case numbers]

UPDATE: 20200529

Here is an update from FortiOS 6.2.3 and above.  Fortinet moved it to the Automation section.

[Screenshot: FortiOS 6.2.3 Automation section with the auto-script]

Here you can see the script entered in the Script section.  We can also see the Frequency, which defines when it is going to run.  Additionally, I am sending an email when it runs.

[Screenshot: automation stitch showing the Script and Frequency settings]

You can now see the script scheduled to run and that it is enabled.

[Screenshot: the scheduled script shown as enabled]

Hope this helps
