In a previous blog post, the ability to leverage CLI scripts with variables was explained. This served as an introduction to the feature but did not cover all of the capabilities. For example, in the previous blog, the example of configuring the IP address of a FortiGate interface and DHCP settings for that interface required three separate variables to be defined. However, there is a way to accomplish the same task with just one variable.
Meta Field (Variable) modifiers
The CLI Template script variables can accept modifiers to do light text transformations to the value defined under each FortiGate. From testing, it seems like this functionality can primarily be useful for variables that are in a dotted decimal IP address format. An example of this format would be the following:
Assuming that this value is assigned to a meta field (variable) called $subnet1_fgt_ip, each of its numbers delimited by the “.” can be referenced as its own field. For example:
|IP Address Position||Value|
These individual fields can be referenced and modified through the use of the following syntax:
$(<meta field name>:<position>,<modifier>)
The position referenced above refers to the IP address position as listed in the table above. A standard IPv4 address has a total of four positions, which are referred to as 1, 2, 3, or 4 in the syntax.
The modifier referenced above can be an addition or subtraction mathematical function, or it can simply set the position to a specific number. Here are the two examples of this in use:
Assuming that the meta field (variable) $subnet1_fgt_ip is set to the value “192.168.100.1”, you can use the following modifier:
Executing this variable within a CLI Template script results in the following value:
Please note that if you do not use a math operator (such as addition or subtraction), the FortiManager will just substitute the value of that position with the number defined in the modifier.
This does not prove to be very useful in this form. A more practical example is to use a single variable to set the FortiGate IP address, DHCP scope start and DHCP scope end. This consolidation makes FortiGate deployment more efficient.
Single Variable with Modifiers
A common deployment scenario with distributed FortiGates is to define an interface-specific IP address and DHCP scope. This usually results in three site-specific settings:
IP address of FortiGate
DHCP Start IP
DHCP End IP
Normally this would require defining three separate variables. However, with the use of variable modifiers, this can be accomplished with one variable. See below for the corresponding CLI Template snippet:
config system interface
    edit "internal"
        set vdom "root"
        set ip $(subnet1_fgt_ip) 255.255.255.0 #1
        set allowaccess ping https ssh http fgfm capwap
        set type hard-switch
        set stp enable
        set role lan
    next
end
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway $(subnet1_fgt_ip) #2
        set netmask 255.255.255.0
        set interface "internal"
        config ip-range
            edit 1
                set start-ip $(subnet1_fgt_ip:4,150) #3
                set end-ip $(subnet1_fgt_ip:4,200) #4
            next
        end
    next
end
See the following explanation of this script:
set ip $(subnet1_fgt_ip) 255.255.255.0
1. Sets the IP address of the “internal” interface to “192.168.100.1”
set default-gateway $(subnet1_fgt_ip)
2. Sets the DHCP scope’s “default gateway” for the “internal” interface to “192.168.100.1”
set start-ip $(subnet1_fgt_ip:4,150)
3. Sets the DHCP scope’s starting IP address to “192.168.100.150”
set end-ip $(subnet1_fgt_ip:4,200)
4. Sets the DHCP scope’s ending IP address to “192.168.100.200”
Here’s a walkthrough of all of these steps completed in the FortiManager and the result. This will not contain all of the details, as they were covered in previous blog articles.
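Because the interface address and the DHCP range now come from one meta field, a per-device value such as x.x.x.175 would put the FortiGate's own address inside the 150-200 range. The following is an added example, not code from the original post or from Fortinet: a Python sketch that emulates the modifier expansion described above and checks the rendered values before the template is assigned. The `+N`/`-N` spelling of the math modifier, the /24 prefix, and the device names and second address are assumptions or constructed sample values.

```python
import ipaddress
import re

# Matches $(name) and $(name:position,modifier) as described on this page.
VAR = re.compile(r"\$\((\w+)(?::([1-4]),([+-]?\d+))?\)")

def render(template: str, meta: dict) -> str:
    """Expand meta field references for one device (emulation, not FortiManager code)."""
    def expand(m):
        name, pos, mod = m.groups()
        # IPv4Address rejects malformed meta field values with a ValueError.
        octets = str(ipaddress.IPv4Address(meta[name])).split(".")
        if pos:
            idx = int(pos) - 1
            # Assumption: a signed modifier (+N / -N) is arithmetic on the octet.
            # A bare number replaces the octet, as in $(subnet1_fgt_ip:4,150).
            value = int(octets[idx]) + int(mod) if mod[0] in "+-" else int(mod)
            if not 0 <= value <= 255:
                raise ValueError(f"{m.group(0)} yields octet {value} for {meta[name]}")
            octets[idx] = str(value)
        return ".".join(octets)
    return VAR.sub(expand, template)

def check_dhcp(meta, start_ref="$(subnet1_fgt_ip:4,150)",
               end_ref="$(subnet1_fgt_ip:4,200)", prefix=24):
    """Return a list of problems with the rendered interface IP and DHCP range."""
    gw, start, end = (ipaddress.IPv4Address(render(ref, meta))
                      for ref in ("$(subnet1_fgt_ip)", start_ref, end_ref))
    net = ipaddress.ip_network(f"{gw}/{prefix}", strict=False)
    problems = []
    if start > end:
        problems.append("start-ip is above end-ip")
    if start <= gw <= end:
        problems.append(f"interface IP {gw} falls inside the DHCP range")
    if gw in (net.network_address, net.broadcast_address):
        problems.append(f"interface IP {gw} is the network or broadcast address")
    return problems

# Constructed sample meta field values, one per device (hypothetical names).
DEVICES = {"branch-a": "192.168.100.1", "branch-b": "192.168.101.175"}

if __name__ == "__main__":
    for device, ip in DEVICES.items():
        print(device, check_dhcp({"subnet1_fgt_ip": ip}) or "ok")
```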
1. Identify the FortiGates to apply the CLI Template script
2. Set the corresponding meta fields for each FortiGate
3. Create the script referencing these variables to apply to the FortiGates
4. Assign the CLI Template to all applicable FortiGates
5. Apply the configuration to each FortiGate
6. Validate the configurations on each FortiGate