The ability to use CLI scripts from the FortiManager provides a massive benefit when dealing with the configuration and deployment of firewalls on a large scale. For example, say that you are deploying hundreds of distributed firewalls across your organization that are similar in topology (such as retail shops or manufacturing facilities). If you were to use the normal GUI for deployment, you would need to configure each individual firewall and make changes to the corresponding sections within the configuration for items like interface IPs, address objects specific to that site and other site-specific parameters. The ability to use a script simplifies this tremendously because it allows for reuse of command line parameters across multiple devices, saving time.
This feature has been present in the FortiManager for a long time; however, a shortcoming associated with the functionality was the inability to use variables. In the previous use case, I mentioned that there are certain parameters that are site-specific. For example, those parameters could be the following:
- Interface IP Addresses
- Site specific address objects
- Site specific DHCP scopes
This list can go on and on, but you can see that, in general, even with scripting, you would have to generate a unique script for each specific FortiGate. To work around this, one could use options like a custom Perl script or a template solution like Jinja2 to generate these script files and then upload them to the FortiManager. While this was a suitable option, it does introduce an extra step and does not provide the “single pane of glass” experience that Fortinet aims to provide.
CLI Templates
FortiManager 6.2 introduces a new feature called CLI Templates which greatly enhances its scripting capabilities. This new feature allows the FortiManager administrator to define a common set of variables that contain values specific to a particular FortiGate. This opens up a whole new world of opportunity because now a script within FortiManager can reference a variable and substitute the specific value based on the FortiGate. Combine this with the zero-touch capabilities of the FortiManager and there is truly the potential to greatly simplify the roll out of FortiGates in a highly distributed environment.
The workflow for this feature consists of the following steps:
- Define variables (meta fields) for script
- Assign value to variables per FortiGate
- Create script referencing the variables
- Apply the script to the FortiGate device database
- Push the configuration to the FortiGate
Defining Variables (Meta Fields)
Meta fields are an extension to the FortiManager that allows the administrator to define fields that provide extra information about an object in the FortiManager. A common object to define these fields for is the FortiGate device. When defining these variables, you can choose to make them “optional” or “required”. See the steps below for information on how to define an example meta field:
1. Click on “System Settings | Meta Fields”

2. Click “Create New”

3. Select “Device” for the object; “subnet1_fgt_ip” for Name; “Optional” for Importance; leave other values default | Click “OK”:

These steps were repeated to create meta fields (variables) for the FortiGate DHCP start and end addresses as well. These will be referenced later in this post.
Assigning values to FortiGate Variables
Once you have defined the variables to be used in the script, values specific to each FortiGate can be assigned. To do so, follow the workflow shown below:
1. Under “Device Manager” | Right-Click FortiGate | Select “Edit”

2. Click on “Device Location” and observe your meta field variables

3. Populate the values for these meta fields with the values specific to your environment | Click “OK”

Creating the CLI Templates Script
Once you have the values assigned to the specific FortiGate, proceed with creating the script that will reference the meta fields (variables) to be populated by these values. When creating this script, you reference a meta field using the following nomenclature:
$(<meta field>)
For example, the meta field “subnet1_fgt_ip” was defined previously and assigned a value on the FortiGate. To reference this value in the script, the following would need to be used within the CLI Templates script:
$(subnet1_fgt_ip)
When the CLI Template script is run against this particular FortiGate, the FortiManager consults the “meta fields” section for this FortiGate and substitutes the value of “192.168.250.1” into the script. As an example of this, see the following workflow showing script creation:
1. Click “Device Manager” | “Scripts” | “CLI Template”

2. Click “Create New”

3. Populate the “Template Name”, “Comments” and “Script Details” similar to what is shown in the screenshot below | Click “OK”:

Below is the configuration referenced above in its entirety:
config system interface
    edit "internal"
        set vdom "root"
        set ip $(subnet1_fgt_ip) 255.255.255.0
        set allowaccess ping https ssh http fgfm capwap
        set type hard-switch
        set stp enable
        set role lan
    next
end
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway $(subnet1_fgt_ip)
        set netmask 255.255.255.0
        set interface "internal"
        config ip-range
            edit 1
                set start-ip $(subnet1_start_ip)
                set end-ip $(subnet1_end_ip)
            next
        end
    next
end
This step could actually occur at the beginning of the workflow, especially if you already know what variables (meta fields) you are going to reference and exactly how you are going to name them.
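The following is an added example (not FortiManager code, and not from the original post) that models what the FortiManager does when it runs the CLI Template above against a device: every $(meta_field) placeholder is replaced with that device's meta field value. It goes one step further than the post by adding the checks an administrator would want before pushing to hundreds of sites: a "required" meta field with no value is refused instead of silently producing a broken "set" line, and the DHCP range is verified to sit inside the interface's /24. The META_FIELDS table, the device names and all per-device values are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Placeholder syntax used by FortiManager CLI Templates: $(meta_field_name)
PLACEHOLDER = re.compile(r"\$\(([A-Za-z0-9_]+)\)")

# Constructed: meta field name -> Importance chosen when the field was created.
META_FIELDS = {
    "subnet1_fgt_ip": "required",
    "subnet1_start_ip": "required",
    "subnet1_end_ip": "required",
}

# The CLI Template from the post, used unchanged as the input.
TEMPLATE = """\
config system interface
    edit "internal"
        set vdom "root"
        set ip $(subnet1_fgt_ip) 255.255.255.0
        set allowaccess ping https ssh http fgfm capwap
        set type hard-switch
        set stp enable
        set role lan
    next
end
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway $(subnet1_fgt_ip)
        set netmask 255.255.255.0
        set interface "internal"
        config ip-range
            edit 1
                set start-ip $(subnet1_start_ip)
                set end-ip $(subnet1_end_ip)
            next
        end
    next
end
"""

# Constructed per-device meta field values (what the "Device Location" tab holds).
DEVICE_META = {
    "FGT-SITE-001": {
        "subnet1_fgt_ip": "192.168.250.1",
        "subnet1_start_ip": "192.168.250.100",
        "subnet1_end_ip": "192.168.250.199",
    },
    "FGT-SITE-002": {  # end-ip lies outside the /24: caught by the scope check
        "subnet1_fgt_ip": "192.168.251.1",
        "subnet1_start_ip": "192.168.251.100",
        "subnet1_end_ip": "192.168.252.199",
    },
    "FGT-SITE-003": {  # required field left blank: rendering is refused
        "subnet1_fgt_ip": "192.168.252.1",
        "subnet1_start_ip": "",
        "subnet1_end_ip": "192.168.252.199",
    },
}


def referenced_fields(template: str) -> List[str]:
    """Return the distinct meta field names a template references, in order."""
    seen: List[str] = []
    for name in PLACEHOLDER.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def render(template: str, values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute each $(name) with the device's value; collect problems."""
    problems: List[str] = []

    def sub(match: "re.Match[str]") -> str:
        name = match.group(1)
        value = values.get(name, "")
        importance = META_FIELDS.get(name)
        if importance is None:
            problems.append(f"undefined meta field {name}")
        elif importance == "required" and not value:
            problems.append(f"required meta field {name} has no value")
        return value  # an optional blank field renders as an empty string

    return PLACEHOLDER.sub(sub, template), problems


def check_dhcp_scope(values: Dict[str, str], prefixlen: int = 24) -> List[str]:
    """Verify the DHCP start/end addresses fall inside the interface subnet."""
    try:
        net = ipaddress.ip_network(f"{values['subnet1_fgt_ip']}/{prefixlen}", strict=False)
        start = ipaddress.ip_address(values["subnet1_start_ip"])
        end = ipaddress.ip_address(values["subnet1_end_ip"])
    except ValueError as exc:
        return [f"bad address: {exc}"]
    problems = [f"{label} {addr} not in {net}"
                for label, addr in (("start-ip", start), ("end-ip", end)) if addr not in net]
    if start > end:
        problems.append("start-ip is after end-ip")
    return problems


def render_all(template: str, devices: Dict[str, Dict[str, str]]):
    """Render per device; a device with any problem gets no script (None)."""
    results = {}
    for device, values in devices.items():
        script, problems = render(template, values)
        problems += check_dhcp_scope(values)
        results[device] = (script if not problems else None, problems)
    return results


if __name__ == "__main__":
    for device, (script, problems) in render_all(TEMPLATE, DEVICE_META).items():
        print(f"== {device}: {'OK' if script else 'REFUSED'}")
        for problem in problems:
            print("   ", problem)
        if script:
            print(script)
```

Running it renders a complete script for FGT-SITE-001 and refuses the other two constructed devices with a message naming the offending meta field, which is the kind of pre-install check that keeps a mis-typed meta field value from reaching a remote site as a bad interface address.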
Applying the CLI Template Script to the FortiGate
Once the script has been created, it needs to be assigned to the FortiGate. To accomplish this, follow the steps listed below:
1. Under “Device Manager” | “Scripts” | “CLI Templates”, Right-Click the script | Select “Assign Device”

2. Check the box next to the FortiGate you want to assign the script to | Select “OK”

3. Confirm under “Device Manager” | “Device & Groups” that the script has been assigned but not yet applied:

4. Right-click the Device | Select “Quick Install (Device DB)”

5. Click “OK” on the “Quick Install (Device DB)” dialog box

6. Confirm that the script runs successfully | Click “Finish”

At this point, you can confirm by looking at the “Database Configuration” for the device that the proper values have been substituted and applied to the FortiGate, as shown in the screenshots below:

As displayed in the above screenshots, the FortiManager substituted the value of the corresponding meta field for the FortiGate into its location within the script. The last step in this process is to push the configuration to the FortiGate using the normal Install Wizard in FortiManager.
Hopefully, this article scratches the surface of the true potential of this feature and all of the creative ways it can be leveraged to simplify the configuration and deployment of FortiGate firewalls. Feel free to leave a comment in the section below on how you will use this feature.
Hi, I am searching for a way to create VPNs and interfaces on a lot of FGTs automatically and map those interfaces and VPNs to dynamic interfaces in the FortiManager.
Hey Patrice, Thanks for checking out my blog and providing your question. In short, I would break up what you are trying to do into two specific tasks. The first task would be to create the VPNs on the FortiGate through one of the scripting methods I have referred to in my previous post. You could either leverage the zero(ish) touch method for scripting and then have the FortiGates download the configuration automatically when they register, or you could just get the FortiGates registered to the FortiManager and then apply the scripts afterwards. The second task would be a script to…
Hello Jonathan,
Do you know a way to do the second script and call some variables like meta fields?
I did not find a way to do that, only editing the script itself and replacing the device name.
Example:
config dynamic interface
    edit "InterfaceX"
        config dynamic_mapping
            edit "FG_XPTO_HOSTNAME"-"root"
                set local-intf "lan1"
            next
        end
    next
end
What I need is to set some metadata to be like this:
config dynamic interface
    edit "InterfaceX"
        config dynamic_mapping
            edit "$(Metafield_Hostname)"-"root"
                set local-intf "lan1"
            next
        end
    next
end
Hi Rafael,
Thanks for reaching out! I see what you are asking and unfortunately, at the version that I tested, I do not think this was possible. One thing to keep in mind is that there have been a lot of firmware improvements and that feature may be available, but you will likely need to confirm that with someone at Fortinet. If it does not exist, it is quite possible for you to create a new feature request to have that supported.
Sorry I am not more help than that.
Thanks!
Hi,
Thank you for your post, really.
I’m starting to test scripting and I have a few questions please.
1- For mapping dynamic objects, how do I run the script on the FGMT?
2- When we edit a device VDOM, we can’t see the Meta Fields. Is it related to the device, not the VDOM?
3- With every VPN, I have to add a BGP network route and add the prefix list. How do I do this in FGMT? I can’t see the prefix-list.
Thank you in advance,
Aymen
Hi Aymen,
Thanks for reaching out.
These are great questions and I think would be better suited for a consultancy engagement rather than trying to answer via the comments. Feel free to reach out to me directly if you would like to pursue that option or you can go through Fortinet Professional Services that should be well equipped to help you with those questions.
Very nice article