Wednesday, January 11, 2017

HOWTO: bulk interface detail gathering in FortiOS

In this post, I will show you how to gather interface details in bulk.

For example, on a firewall model that has numerous interfaces, it can be slow and time consuming to execute the diag commands one interface at a time.

Take this FGT3240: we will build a script that allows us to run through all 28 ports and issue the diag commands of interest for each one.

Then I will show how you can gather the status using a unix ssh client.

1: Here's the script.

( this unit runs multi-vdom ... drop the "config global" / "end" lines if you are single vdom )

#!/bin/bash
# loop over port1 .. port28 and print the FortiOS CLI commands for each port
for ((a=1; a<=28; a++)); do
  echo -e "config global"
  echo -e "diagnose hardware deviceinfo nic port$a | grep _drop \n"
  echo -e "diagnose hardware deviceinfo nic port$a | grep _dp_ \n"
  echo -e "diagnose hardware deviceinfo nic port$a | grep err \n"
  echo -e "diag hardware deviceinfo nic port$a | grep over \n"
  echo -e "end\n"
done


2: Now the fun part. To execute this you could do the following (substitute the script filename for <>); the script's output is piped into the ssh session as CLI input and the firewall's replies are saved to a timestamped file:

./<> | ssh <username>@firewall.address > myoutput.`date +%Z%T_%F`

3: Here's a netlink script for statistics collection plus clearing:

#!/bin/bash
# for each port: list the netlink interface counters, then clear them
for ((a=1; a<=28; a++)); do
  echo -e "config vdom \n"
  echo -e "edit root \n"
  echo -e "diag netlink interface list port$a \n"
  echo -e "diag netlink interface clear port$a \n"
  echo -e "end \n"
done


YMMV, but you can get very creative and use this in custom "Expect" scripts, or in nagios or syslog-ng for alert triggers when a condition exists.
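To show the two pieces of that idea in one place, here is an added example (not the post's own script) that generates the same "diagnose hardware deviceinfo nic" block for a given number of ports, with or without the multi-vdom "config global" wrapper, and then filters collected counter output for non-zero values so a monitor can alert on them. The counter lines (name followed by value) and the port count are constructed for the demonstration; the real FortiOS output layout is assumed to be "name value" per line.

```shell
#!/bin/sh
# gen_nic_cmds N MODE: print the CLI commands for port1..portN.
# MODE "global" wraps each port in config global / end (multi-vdom),
# anything else emits the bare diag lines (single vdom).
gen_nic_cmds() {
    n=$1
    mode=${2:-single}
    for a in $(seq 1 "$n"); do
        if [ "$mode" = "global" ]; then
            echo "config global"
        fi
        # same four greps as the hand-written script: drops, dp, errors, overruns
        for pat in _drop _dp_ err over; do
            echo "diagnose hardware deviceinfo nic port$a | grep $pat"
        done
        if [ "$mode" = "global" ]; then
            echo "end"
        fi
    done
}

# flag_nonzero PORT: read "counter value" lines on stdin and print
# "PORT counter value" only for counters whose value is not zero.
# This is the condition a nagios/syslog-ng trigger would key on.
flag_nonzero() {
    awk -v port="$1" '$2 ~ /^[0-9]+$/ && ($2 + 0) != 0 { print port, $1, $2 }'
}

# Constructed sample of what the grep'd counters might look like for one port.
SAMPLE='rx_drop 0
tx_drop 17
rx_err 0
tx_err 0'

# Stand-alone usage: emit commands for 2 ports, then flag problems in the sample.
gen_nic_cmds 2 global
printf '%s\n' "$SAMPLE" | flag_nonzero port3
```

Pipe gen_nic_cmds into the ssh command from step 2 exactly as the post does; flag_nonzero is meant to run over the saved output file afterwards.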


With syslog-ng, source and destination filters could hand off to a simple bash script that runs the checks and directs the output into sendmail or mail, e.g. `mail -s "ALERT ME `date +%F_%T`" -c socfwmongrp1@`.

Just ensure you have the correct syslog message for the trigger.

Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \
