FortiOS 5.4 introduced a long-awaited feature called auto-script. Head over to http://help.fortinet.com/fos50hlp/54/index.htm and then “5.4 What’s New” if you are interested in learning more. For those of us who have worked on Cisco routers and used aliases or the EEM feature, auto-script sits somewhere between the two. It allows a set of CLI commands to be executed once or periodically, and I see it as a great addition to the feature set, especially when it comes to collecting a lot of information quickly. This blog post captures:
- How to configure auto-script feature
- How to execute a script
- How to view the results
- How to upload results to an FTP server
- Maximum limit
- A few features that I would like to see in future FortiOS releases
This feature may not be available on all models as a hard drive is necessary to make use of it.
The above comes from the “5.4 What’s New” document; however, this how-to was written on a FortiGate 60D, which doesn’t have a hard drive. Either the release notes have a typo or this feature won’t work on some firewalls, but given that none of the commands write to the flash, I think it’s a typo. I am waiting for confirmation from Fortinet on this.
As the feature does not require a FortiGate with a hard disk, the output of the scripts is probably stored on a RAM disk, which would also mean the stored results do not survive a reboot. I would advise not storing too much data and limiting the number of times a script is repeated (the repeat and interval settings below control that).
The configuration snippet below defines a script that is started manually and runs only once. Comments start with #.
config system auto-script
    edit "getSystemInfo"
        # ^^^ Name of your script
        # The number of seconds the script will sleep between runs if repeat is greater than 1. Default: 0
        set interval 0
        # The number of times the script should be executed. Default: 1
        set repeat 1
        # Whether the script should be started automatically or manually. Default: manual
        set start manual
        # The script itself is one quoted multi-line string, one CLI command per line.
        # Capture system status
        set script "get system status
# Get the performance of the system
get sys performance status
# Verify NTP status
diagnose sys ntp status
# View crash log
diagnose debug crashlog read
# Capture system time again
get system status | grep time
"
    next
end
FortiOS does have grep if you would like to reduce the output returned, but I prefer capturing all the information and parsing it later.
Executing the script above is done using the command:
execute auto-script run getSystemInfo
Results from the script can be viewed using the command:
execute auto-script result getSystemInfo
Below is a sample output from the command above.
execute auto-script result getSystemInfo
Script getSystem output:
########## script name: getSystem ##########
========== #1, 2017-02-28 13:38:58 ==========
HOMERTR $ get system status
Version: FortiGate-60D v5.4.3,build1111,161220 (GA)
Virus-DB: 32.00122(2016-01-25 00:16)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FGT60DXXXXXXXXX
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000014
System Part-Number: P12397-02
Log hard disk: Not available
Hostname: HOMERTR
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1111
Release Version Information: GA
System time: Tue Feb 28 13:38:59 2017

HOMERTR $ get system status | grep time
System time: Tue Feb 28 13:38:59 2017

HOMERTR $ get sys performance status
CPU states: 2% user 23% system 0% nice 75% idle
CPU0 states: 2% user 23% system 0% nice 75% idle
Memory states: 17% used
Average network usage: 5033 / 5140 kbps in 1 minute, 4804 / 4900 kbps in 10 minutes, 5015 / 5114 kbps in 30 minutes
Average sessions: 269 sessions in 1 minute, 272 sessions in 10 minutes, 269 sessions in 30 minutes
Average session setup rate: 1 sessions per second in last 1 minute, 1 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 36 days, 12 hours, 35 minutes

HOMERTR $ get system status | grep time
System time: Tue Feb 28 13:38:59 2017

HOMERTR $ diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server(192.168.1.10) 192.168.1.10 -- reachable(0x1) S:3 T:195 selected
server-version=4, stratum=2
reference time is dc603dac.f25881a1 -- UTC Tue Feb 28 18:19:24 2017
clock offset is 0.035784 sec, root delay is 0.001816 sec
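Because the result is plain text with a regular layout (a run header, then one "hostname $ command" line per command followed by that command's output), it is easy to parse later instead of grepping on the box. The Python below is an added example, not code from the original post or from Fortinet: it splits the result of "execute auto-script result" into runs and per-command output and pulls out the facts the script above was written to collect, including the elapsed time between the two "System time" captures. It assumes only the layout visible in the sample output; SAMPLE is a constructed, shortened copy of that output.

```python
"""Parse `execute auto-script result <name>` output into structured runs.

Added example, not from the original post. It assumes only the layout
visible in the sample output above: a run header
"========== #N, YYYY-MM-DD HH:MM:SS ==========", then "<host> $ <command>"
lines, each followed by that command's output. SAMPLE is a constructed,
shortened copy of that output.
"""
import re
from datetime import datetime

RUN_HEADER = re.compile(r"^=+ #(\d+), (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) =+$")
COMMAND = re.compile(r"^(\S+) \$ (.+)$")  # "<hostname> $ <command>"
SYSTIME_FMT = "%a %b %d %H:%M:%S %Y"      # e.g. "Tue Feb 28 13:38:59 2017"

SAMPLE = """\
Script getSystem output:
########## script name: getSystem ##########
========== #1, 2017-02-28 13:38:58 ==========
HOMERTR $ get system status
Version: FortiGate-60D v5.4.3,build1111,161220 (GA)
Serial-Number: FGT60DXXXXXXXXX
Log hard disk: Not available
Hostname: HOMERTR
System time: Tue Feb 28 13:38:59 2017
HOMERTR $ get system status | grep time
System time: Tue Feb 28 13:38:59 2017
HOMERTR $ get sys performance status
CPU states: 2% user 23% system 0% nice 75% idle
Memory states: 17% used
Uptime: 36 days, 12 hours, 35 minutes
HOMERTR $ get system status | grep time
System time: Tue Feb 28 13:38:59 2017
HOMERTR $ diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv4 server(192.168.1.10) 192.168.1.10 -- reachable(0x1) S:3 T:195 selected
"""


def parse_result(text):
    """Return a list of runs: {"run", "started", "host", "commands": [(cmd, [lines])]}."""
    runs, current = [], None
    for line in (raw.rstrip() for raw in text.splitlines()):
        m = RUN_HEADER.match(line)
        if m:
            current = {"run": int(m.group(1)),
                       "started": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"),
                       "host": None, "commands": []}
            runs.append(current)
            continue
        if current is None or not line:
            continue  # banner lines before the first run header, blank separators
        m = COMMAND.match(line)
        if m:
            current["host"] = current["host"] or m.group(1)
            current["commands"].append((m.group(2), []))
        elif current["commands"]:
            current["commands"][-1][1].append(line)  # output of the last command
    return runs


def field(run, command, key):
    """Value of the first "key: value" output line of `command` in `run`, or None."""
    for cmd, lines in run["commands"]:
        if cmd == command:
            for line in lines:
                if line.startswith(key + ":"):
                    return line[len(key) + 1:].strip()
    return None


def summarize(run):
    """Pull out the facts the script was written to collect."""
    # Every "System time:" line in execution order; the script captures the time
    # at the start and at the end so the wall-clock cost of the run is known.
    stamps = [datetime.strptime(line.split(":", 1)[1].strip(), SYSTIME_FMT)
              for _, lines in run["commands"] for line in lines
              if line.startswith("System time:")]
    ntp = field(run, "diagnose sys ntp status", "synchronized") or "no"
    return {
        "host": run["host"],
        "version": field(run, "get system status", "Version"),
        "uptime": field(run, "get sys performance status", "Uptime"),
        "ntp_synchronized": ntp.split(",")[0].strip() == "yes",
        "elapsed_seconds": (stamps[-1] - stamps[0]).total_seconds() if stamps else None,
    }


if __name__ == "__main__":
    for run in parse_result(SAMPLE):
        print(run["run"], run["started"], summarize(run))
```

Feed it the text saved from the CLI or from the FTP upload described below; one parsed run per "==========" header means a script with repeat greater than 1 produces a list you can diff run by run.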
Upload to FTP Server
This is a great feature for getting results off a FortiGate quickly: the output of a script can be sent to an FTP or TFTP server with the command below. Keep in mind that both FTP and TFTP are cleartext protocols, so the credentials on the command line and the uploaded output (hostname, serial number, internal addresses, NTP server) cross the network unencrypted; use a dedicated, low-privilege account on a management network rather than a shared one.
execute auto-script backup ftp getSystem 192.168.1.2 test test
You will see a message similar to the one below on success.
Send file to ftp server OK.
You can’t specify the upload path or the filename; the filename is generated automatically.
E.g. getSystem_FGT60D4613012067_20170228_140120, which consists of the script name, the serial number, the date and the time.
Script Maximum Limit
The “set script” value is limited to 255 characters. If you enter too many commands, you will get an error similar to the one below.
string value is too long. the size is 279, the limit is 255
To work around this, use the short form of your commands. Note that the comment lines and the newlines inside the quoted script count towards the limit as well, so dropping comments is the first thing to try. E.g. instead of
get system status
use
g sy stat
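A quick way to find out whether a script body fits before pasting it into the CLI, as an added Python example that is not from the original post: it measures the quoted string the way the error message above reports it, shows how much the comment lines alone cost, and applies a short-form table to the command part of each line while leaving anything after a pipe (a grep pattern) untouched. The SHORT_FORMS table and the extra "get system arp" line in the constructed sample are my assumptions; the page only vouches for "g sy stat", and FortiOS accepts unambiguous prefixes, so confirm each abbreviation on your own firmware.

```python
"""Check an auto-script body against the 255-character `set script` limit.

Added example, not from the original post. Assumption: the limit counts every
character of the quoted string, comment lines and newlines included (the
error message reports the size of the whole string value). SHORT_FORMS is a
constructed table; only "g sy stat" appears on the page.
"""
SCRIPT_LIMIT = 255

# Constructed abbreviation table: FortiOS accepts unambiguous command prefixes,
# so verify each entry on your own firmware before relying on it.
SHORT_FORMS = {
    "get": "g", "system": "sy", "sys": "sy", "status": "stat",
    "diagnose": "diag", "performance": "perf",
}

# Constructed sample: the script from this post plus one more command, which
# pushes it past the limit.
SAMPLE_SCRIPT = (
    "# Capture system status\n"
    "get system status\n"
    "# Get the performance of the system\n"
    "get sys performance status\n"
    "# Verify NTP status.\n"
    "diagnose sys ntp status\n"
    "# View crash log\n"
    "diagnose debug crashlog read\n"
    "# Capture system time again\n"
    "get system status | grep time\n"
    "# Capture ARP table\n"
    "get system arp\n"
)


def is_comment(line):
    """Blank lines and '#' lines carry no command but still use up characters."""
    return not line.strip() or line.lstrip().startswith("#")


def strip_comments(body):
    """Drop comment and blank lines; they count toward the limit like any other text."""
    return "".join(line + "\n" for line in body.splitlines() if not is_comment(line))


def abbreviate(body):
    """Shorten known tokens in the command part of each line only: anything after a
    pipe (a grep pattern) is copied verbatim so the filter still matches."""
    out = []
    for line in body.splitlines():
        if is_comment(line):
            out.append(line)
            continue
        cmd, pipe, rest = line.partition("|")
        short = " ".join(SHORT_FORMS.get(tok, tok) for tok in cmd.split())
        out.append(short + (" " + pipe + rest if pipe else ""))
    return "".join(line + "\n" for line in out)


def check(body, limit=SCRIPT_LIMIT):
    """Report the size of `body` and, if it is over the limit, two shorter variants."""
    size = len(body)
    report = {"size": size, "limit": limit, "fits": size <= limit}
    if not report["fits"]:
        stripped = strip_comments(body)
        short = abbreviate(stripped)
        report.update({
            "without_comments": len(stripped),
            "abbreviated": len(short),
            "suggested": short,
        })
    return report


if __name__ == "__main__":
    r = check(SAMPLE_SCRIPT)
    print(f"size {r['size']} / {r['limit']} fits={r['fits']}")
    if not r["fits"]:
        print(f"without comments: {r['without_comments']}, abbreviated: {r['abbreviated']}")
        print(r["suggested"])
```

If the abbreviated version fits, paste it into "set script" and run it once manually to confirm every prefix resolves before you schedule it.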
Some feature requests that I sent to Fortinet:
- Let the name be true – make it more of a “script” to allow for variables, etc.
- Ability to run and view the results in one single command.
- Increase the “set script” limit from 255. Shortcodes could be used.
- Backup shouldn’t go over FTP (scp?)
- Backup should have an option to back up the results from all scripts
- Add an API so that the scripts can be executed and the results retrieved using the API.
- Nested scripts – ability to define multiple scripts and then execute them from one.
I hope that this note was useful. I plan to write another blog post sharing some scripts related to:
- General System
- Network Statistics
- Hardware Acceleration
- Firewall Statistics
- Session Statistics
- IPsec Statistics