FortiOS 5.4 introduced a long-awaited feature called auto-script. Head over to http://help.fortinet.com/fos50hlp/54/index.htm and then “5.4 What’s New” if you are interested in learning more. For those of us who have worked on Cisco routers and used aliases or the EEM feature, the auto-script feature sits somewhere in between the two. It allows commands to be executed either once or periodically, and I see this as a great addition to the feature set, especially when it comes to collecting lots of information quickly. This blog post captures:

  1. How to configure the auto-script feature
  2. How to execute a script
  3. How to view the results
  4. How to upload results to an FTP server
  5. The maximum script length
  6. A few features that I would like to see in future FortiOS releases

This feature may not be available on all models as a hard drive is necessary to make use of it.

The above comes from the “5.4 What’s New” document; however, this how-to was written on a FortiGate 60D, which doesn’t have a hard drive. Either the release notes have a typo or this feature won’t work on some firewalls, but given that none of the commands write to the flash, I think it’s a typo. I am waiting for confirmation from Fortinet on this.

As the feature does not require a FortiGate with a hard disk, the information from the scripts is probably stored on a RAM disk. I would advise not storing too much data and limiting the number of times the script is executed.

Configure Script

The configuration snippet below can be used to configure a script that is executed manually and only once. Comments start with #.

config system auto-script
edit "getSystemInfo"
# "getSystemInfo" is the name of your script
# The number of seconds the script sleeps between runs when repeat is greater than 1. Default: 0
set interval 0
# The number of times the script should be executed. Default: 1
set repeat 1
# Whether the script should be started automatically or manually. Default: manual
set start manual
# Capture system status
set script "get system status
# Get the performance of the system
get sys performance status
# Verify NTP status.
diagnose sys ntp status
# View crash log
diagnose debug crashlog read
# Capture system time again
get system status | grep time
"
next
end

FortiOS has grep if you would like to reduce the output returned, but I prefer capturing all the information and parsing it later.

Execute Script

Executing the script above is done using the command:

execute auto-script run getSystemInfo

View Results

Results from the script can be viewed using the command:

execute auto-script result getSystemInfo

Below is a sample output from the command above.

execute auto-script result getSystemInfo
Script getSystem output:
########## script name: getSystem ##########

========== #1, 2017-02-28 13:38:58 ==========
HOMERTR $ get system status
Version: FortiGate-60D v5.4.3,build1111,161220 (GA)
Virus-DB: 32.00122(2016-01-25 00:16)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FGT60DXXXXXXXXX
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000014
System Part-Number: P12397-02
Log hard disk: Not available
Hostname: HOMERTR
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1111
Release Version Information: GA
System time: Tue Feb 28 13:38:59 2017
HOMERTR $ get system status | grep time
System time: Tue Feb 28 13:38:59 2017
HOMERTR $ get sys performance status
CPU states: 2% user 23% system 0% nice 75% idle
CPU0 states: 2% user 23% system 0% nice 75% idle
Memory states: 17% used
Average network usage: 5033 / 5140 kbps in 1 minute, 4804 / 4900 kbps in 10 minutes, 5015 / 5114 kbps in 30 minutes
Average sessions: 269 sessions in 1 minute, 272 sessions in 10 minutes, 269 sessions in 30 minutes
Average session setup rate: 1 sessions per second in last 1 minute, 1 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 36 days, 12 hours, 35 minutes
HOMERTR $ get system status | grep time
System time: Tue Feb 28 13:38:59 2017
HOMERTR $ diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server(192.168.1.10) 192.168.1.10 -- reachable(0x1) S:3 T:195 selected
server-version=4, stratum=2
reference time is dc603dac.f25881a1 -- UTC Tue Feb 28 18:19:24 2017
clock offset is 0.035784 sec, root delay is 0.001816 sec
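Since the point of capturing everything is to parse it later, here is a parser for the result format shown above. It is an added example, not code from the original post: it splits the output on the “script name” banner, the “#N, timestamp” run banners and the echoed “HOSTNAME $ command” prompt lines, and turns each command's output into a list of lines. It assumes the hostname contains no spaces; the sample input is constructed from the output above, trimmed and with a second repeat added.

```python
"""Parser for the text returned by `execute auto-script result <name>` (FortiOS 5.4)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Banner and prompt lines as they appear in the result output shown on this page:
#   ########## script name: getSystem ##########
#   ========== #1, 2017-02-28 13:38:58 ==========
#   HOMERTR $ get system status      <- the prompt is echoed before each command
SCRIPT_HEADER = re.compile(r"^#+ script name: (\S+) #+$")
RUN_HEADER = re.compile(r"^=+ #(\d+), (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) =+$")
PROMPT = re.compile(r"^(\S+) \$ (.+)$")  # assumption: the hostname contains no spaces


@dataclass
class Command:
    text: str                                   # the command as it was typed in the script
    output: List[str] = field(default_factory=list)


@dataclass
class Run:
    number: int                                 # the #N counter, one per repeat
    timestamp: str
    commands: List[Command] = field(default_factory=list)


def parse_result(text: str) -> Tuple[Optional[str], List[Run]]:
    """Return (script name, runs); text before the first run banner is ignored."""
    script_name: Optional[str] = None
    runs: List[Run] = []
    cmd: Optional[Command] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SCRIPT_HEADER.match(line)
        if m:
            script_name = m.group(1)
            continue
        m = RUN_HEADER.match(line)
        if m:
            runs.append(Run(int(m.group(1)), m.group(2)))
            cmd = None                          # a new run starts with no current command
            continue
        m = PROMPT.match(line) if runs else None
        if m:
            cmd = Command(m.group(2))
            runs[-1].commands.append(cmd)
            continue
        if cmd is not None:
            cmd.output.append(line)
    for run in runs:                            # drop blank lines that precede the next banner
        for c in run.commands:
            while c.output and not c.output[-1]:
                c.output.pop()
    return script_name, runs


def key_values(output: List[str]) -> Dict[str, str]:
    """Turn `Key: value` lines (the `get system status` style) into a dict."""
    kv: Dict[str, str] = {}
    for line in output:
        if ": " in line:
            key, value = line.split(": ", 1)
            kv[key.strip()] = value.strip()
    return kv


def memory_trend(text: str) -> List[Tuple[int, Optional[str]]]:
    """Memory usage per run, e.g. to spot growth across repeats of a long-running script."""
    _, runs = parse_result(text)
    trend = []
    for run in runs:
        for c in run.commands:
            if c.text.startswith("get sys perf"):
                trend.append((run.number, key_values(c.output).get("Memory states")))
    return trend


# Constructed sample, trimmed from the output shown on this page, with a second repeat added.
SAMPLE = """\
Script getSystem output:
########## script name: getSystem ##########

========== #1, 2017-02-28 13:38:58 ==========
HOMERTR $ get system status
Version: FortiGate-60D v5.4.3,build1111,161220 (GA)
Hostname: HOMERTR
System time: Tue Feb 28 13:38:59 2017
HOMERTR $ get sys performance status
CPU states: 2% user 23% system 0% nice 75% idle
Memory states: 17% used
Uptime: 36 days, 12 hours, 35 minutes
HOMERTR $ diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server(192.168.1.10) 192.168.1.10 -- reachable(0x1) S:3 T:195 selected

========== #2, 2017-02-28 13:39:58 ==========
HOMERTR $ get system status
System time: Tue Feb 28 13:39:59 2017
HOMERTR $ get sys performance status
CPU states: 4% user 21% system 0% nice 75% idle
Memory states: 18% used
"""

if __name__ == "__main__":
    name, runs = parse_result(SAMPLE)
    print(f"script {name}: {len(runs)} run(s)")
    for number, used in memory_trend(SAMPLE):
        print(f"run #{number}: memory {used}")
```

Feed it the file that lands on the FTP server and you get one Run per repeat, so a script with repeat greater than 1 becomes a time series you can diff rather than a wall of text.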

Upload to FTP Server

This is a great feature for getting the results off a FortiGate quickly: the user has the option to send the output to an FTP or TFTP server. This can be done using the command below.

execute auto-script backup ftp getSystem 192.168.1.2 test test

You will see a message similar to the one below on success.

Send file to ftp server OK.

You can’t specify the upload path or the filename; the filename is generated automatically.

E.g. getSystem_FGT60D4613012067_20170228_140120, which consists of the script name, the serial number, the date, and the time.

Script Maximum Limit

The “set script” value has a limit of 255 characters. If you enter too many commands, you will get an error similar to the one below.

string value is too long. the size is 279, the limit is 255

To work around this, use the short form of your commands. E.g. instead of

get system status

use

g sy stat
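To see where the 255 characters go before the FortiGate rejects the value, here is a small generator for the stanza shown earlier. It is an added example, not part of the original post: it joins the commands (with the optional # comment lines) into the quoted script value, reports the size with the same wording FortiOS uses, and, when the value is too long, first drops the comments and then applies the short forms. It assumes that the size FortiOS checks is the whole quoted value, comment lines included. The short forms are the page's own “g sy stat” and the same abbreviation applied to the grep variant; the command list and comments are constructed for the demonstration.

```python
"""Build a `config system auto-script` stanza and keep the script value under the 255-character limit."""
from typing import Dict, List, Optional

SCRIPT_LIMIT = 255  # from the error on this page: "the size is 279, the limit is 255"

# Short forms: the first is the page's own example, the second applies the same abbreviation
# to the grep variant. FortiOS accepts unambiguous prefixes, but verify any further
# abbreviation on your own unit before relying on it.
SHORT_FORMS: Dict[str, str] = {
    "get system status": "g sy stat",
    "get system status | grep time": "g sy stat | grep time",
}


def script_body(commands: List[str], comments: Optional[Dict[str, str]] = None) -> str:
    """Join commands (optionally preceded by '# ...' comment lines) into the quoted value."""
    lines: List[str] = []
    for cmd in commands:
        if comments and cmd in comments:
            lines.append("# " + comments[cmd])
        lines.append(cmd)
    return "\n".join(lines) + "\n"


def check_limit(body: str) -> int:
    """Return the size, or raise with the wording FortiOS uses when the value is too long."""
    size = len(body)
    if size > SCRIPT_LIMIT:
        raise ValueError(f"string value is too long. the size is {size}, the limit is {SCRIPT_LIMIT}")
    return size


def fit_script(commands: List[str], comments: Optional[Dict[str, str]] = None,
               short_forms: Optional[Dict[str, str]] = None) -> str:
    """Try the full body; if too long drop comments, then apply short forms, then give up."""
    body = script_body(commands, comments)
    if len(body) <= SCRIPT_LIMIT:
        return body
    body = script_body(commands)          # assumption: comments sit inside the quoted value, so they count
    if len(body) <= SCRIPT_LIMIT:
        return body
    body = script_body([(short_forms or {}).get(c, c) for c in commands])
    check_limit(body)                     # raises if still over the limit
    return body


def render_auto_script(name: str, body: str, interval: int = 0, repeat: int = 1,
                       start: str = "manual") -> str:
    """Render the stanza in the form shown on this page (body must not contain double quotes)."""
    if '"' in body:
        raise ValueError("double quotes inside the script value are not supported here")
    check_limit(body)
    return (
        "config system auto-script\n"
        f'edit "{name}"\n'
        f"set interval {interval}\n"
        f"set repeat {repeat}\n"
        f"set start {start}\n"
        f'set script "{body}"\n'
        "next\n"
        "end\n"
    )


# Constructed command set and comments, extending the script on this page with two more commands.
COMMANDS = [
    "get system status",
    "get sys performance status",
    "diagnose sys ntp status",
    "diagnose debug crashlog read",
    "get system status | grep time",
    "get hardware status",
    "get system interface physical",
]
COMMENTS = {
    "get system status": "Capture system status",
    "get sys performance status": "Get the performance of the system",
    "diagnose sys ntp status": "Verify NTP status.",
    "diagnose debug crashlog read": "View crash log",
    "get system status | grep time": "Capture system time again",
    "get hardware status": "Hardware inventory",
    "get system interface physical": "Physical interface state",
}

if __name__ == "__main__":
    print("with comments:", len(script_body(COMMANDS, COMMENTS)), "characters")
    body = fit_script(COMMANDS, COMMENTS, SHORT_FORMS)
    print("fitted:", len(body), "characters")
    print(render_auto_script("getSystemInfo", body))
```

With the seven commands above the commented version is well over the limit while the bare commands fit comfortably, which is the practical lesson: the comment lines inside the quoted value cost as much as the commands, so keep the commentary outside the string and spend the 255 characters on commands.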

Features Requested

Some feature requests that I sent to Fortinet:

  1. Let the name be true – make it more of a “script” to allow for variables, etc.
  2. Ability to run and view the results in one single command.
  3. Increase the “set script” limit from 255. Shortcodes could be used.
  4. Backup shouldn’t go over FTP (scp?)
  5. Backup should have an option to back up results from all scripts
  6. Add API so that the scripts can be executed using API and results can be retrieved using API.
  7. Nested Scripts – Ability to define multiple scripts and then execute them from one.

I hope that this note was useful. I plan to write another blog post to share some scripts related to:

  1. General System
  2. Network Statistics
  3. Hardware Acceleration
  4. Firewall Statistics
  5. Session Statistics
  6. IPsec Statistics