Administration Guide

CLI script action

The CLI script action can run when an automation stitch is triggered. It executes a series of commands in the CLI, as defined by the administrator. The script commands can be entered manually, uploaded as a file, or recorded in the CLI console. The output of the script can be fed as a variable (%%results%%) into the next action in the stitch. For example, the output could then be sent as an email using the email action.

Note

The CLI script action uses the auto-script feature to execute the script commands. The output size of the auto-script feature controls the size of the output for the script execution (10MB by default). This output is read into a buffer for use by the automation stitch action, and that buffer is limited to 192K characters for the email action. This means that the total allowable limit for CLI script output that is used in an email action is 192K characters. The buffer sizes for other actions may vary; for example, the buffer used to pass the results to a webhook action could be a different size.

config system automation-action
    edit <name>
        set action-type cli-script
        set output-size <integer>
        set timeout <integer>
    next
end

output-size <integer>

Set the size to limit the script output, in megabytes (1 - 1024, default = 10).

timeout <integer>

Set the maximum running time for this script, in seconds (0 - 300, 0 = no timeout).

Note

Certain diagnostic commands may not function as expected with CLI scripts and result in no output. For example, when used in a CLI script, the diagnostic command dia test application dnsproxy 6 fails to produce any output because the cli-script feature does not support daemon message() prints.

Example

In this example, the script sets the idle timeout value to 479 minutes, and sends an email with the script output.

To configure a stitch with a CLI script action in the GUI:
  1. Go to Security Fabric > Automation and click Create New.

  2. Enter the stitch name (auto-cli-1).

  3. Configure the trigger:

    1. Click Add Trigger.

    2. Select Any Security Rating Notification.

    3. Click Apply.

  4. Configure the CLI Script action:

    1. Click Add Action.

    2. Click Create and select CLI Script.

    3. Enter the following:

      Name: admintimeout

      Script:

      config system global
          set admintimeout 479
      end

      Alternatively, click Upload to upload a file, or click >_Record in CLI console and enter the CLI commands.

      Administrator profile: Select a profile

    4. Click OK.

    5. Select the action in the list and click Apply.

  5. Configure the Email notification action:

    1. Click Add Action.

    2. Click Create and select Email.

    3. Enter the following:

      Name: auto-cli-1_email

      To: Enter an email address

      Subject: CSF stitch alert

      Body: %%results%%

    4. Click OK.

    5. Select the action in the list and click Apply.

  6. Click OK.

To configure a stitch with a CLI script action in the CLI:
  1. Create the automation trigger:

    config system automation-trigger
        edit "Any Security Rating Notification"
            set event-type security-rating-summary
            set report-type any
        next
    end
  2. Create the automation actions:

    config system automation-action
        edit "admintimeout"
            set action-type cli-script
            set script "config system global
                set admintimeout 479
                end"
            set output-size 10
            set timeout 0
            set accprofile "super_admin"
        next
        edit "auto-cli-1_email"
            set action-type email
            set email-to "admin@fortinet.com"
            set email-subject "CSF stitch alert"
            set message "%%results%%"
        next
    end
  3. Create the automation stitch:

    config system automation-stitch
        edit "auto-cli-1"
            set trigger "Any Security Rating Notification"
            config actions
                edit 1
                    set action "admintimeout"
                    set required enable
                next
                edit 2
                    set action "auto-cli-1_email"
                    set required enable
                next
            end
        next
    end
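
An added example, not part of Fortinet's guide: a Python review of the `config system automation-action` section of a configuration backup. It handles the multi-line quoted `set script` value, then lists each CLI script action that has `timeout 0` or the `super_admin` profile and each action that forwards `%%results%%`. The sample text is constructed from this page's example, and the review rules are this example's own choices.

```python
import re

# Constructed sample modelled on this page's CLI example (not a real backup).
SAMPLE = '''config system automation-action
    edit "admintimeout"
        set action-type cli-script
        set script "config system global
            set admintimeout 479
            end"
        set timeout 0
        set accprofile "super_admin"
    next
    edit "auto-cli-1_email"
        set action-type email
        set email-to "admin@fortinet.com"
        set message "%%results%%"
    next
end'''

STATEMENT = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^"\n])+')  # quoted values may span lines

def parse_actions(text):
    """Return {action name: {setting: value}} for system automation-action."""
    actions, name, depth = {}, None, 0  # depth 0 = outside the section
    for line in (m.strip() for m in STATEMENT.findall(text)):
        if depth == 0:
            depth = int(line == "config system automation-action")
        elif line.startswith("config "):
            depth += 1  # nested table inside an action
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            actions[name] = {}
        elif depth == 1 and name and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            actions[name][key] = value.strip().strip('"')
    return actions

def review(actions):
    """Flag settings worth a second look (this example's own rules)."""
    findings = []
    for name, cfg in actions.items():
        if cfg.get("action-type") == "cli-script":
            for key, flagged in (("timeout", "0"), ("accprofile", "super_admin")):
                if cfg.get(key) == flagged:
                    findings.append((name, f"{key} {flagged}"))
        elif "%%results%%" in cfg.get("message", ""):
            findings.append((name, "sends script output to " + cfg.get("email-to", "?")))
    return findings
```

Because the `config system global` and `end` lines inside the quoted script are kept as part of the `script` value, they do not open or close a block in the parser.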
Sample email

The email sent by the action will look similar to the following:
