Connect from Ubuntu Shell to the FortiGate Firewall
Managing a FortiGate firewall from a remote system can save valuable time and effort, especially when automation is key to streamlining routine tasks. By connecting from an Ubuntu system to a FortiGate device and executing commands via Bash scripts, you can effectively manage firewall configurations, monitor traffic, or perform troubleshooting tasks without manual intervention. In this post, we’ll walk you through the steps to connect your Ubuntu machine to FortiGate, and show you how to create and execute Bash scripts for seamless command execution, improving both efficiency and control over your network security.
Purpose of the Script
I needed to connect to the FortiGate CLI from my Ubuntu server on the local network, in particular when the internet connection was down. The goal was to disable the WAN interface, wait 60 seconds, and then re-enable it. To do this I used an execute_commands function in a Bash script.
This function is designed to execute a series of commands on a remote server via SSH. Here’s a detailed breakdown of how it works:
execute_commands() {
local commands=("$@")
- execute_commands() is the name of the function.
- local commands=("$@") creates a local array named commands that contains all the arguments passed to the function.
sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no -p "$PORT" "$USER@$HOST" << EOF
$(for cmd in "${commands[@]}"; do echo "$cmd"; done)
EOF
- sshpass -p "$PASSWORD" uses the sshpass utility to supply the SSH password stored in the PASSWORD variable, so the login needs no interactive prompt. Note that sshpass -p places the password on the command line, where other local users can read it from the process list.
- ssh -o StrictHostKeyChecking=no -p "$PORT" "$USER@$HOST" runs the ssh command with the following options:
  - -o StrictHostKeyChecking=no: disables strict host key checking, so SSH does not stop to ask for confirmation when the host key is not yet in the known_hosts file. The trade-off is that the first connection accepts whatever key the address presents, so the client has no way to tell that it reached the real firewall.
  - -p "$PORT": specifies the SSH port to connect to, using the value of the PORT variable.
  - "$USER@$HOST": specifies the remote user and host to connect to, using the values of the USER and HOST variables.
Command execution block:
<< EOF
$(for cmd in "${commands[@]}"; do echo "$cmd"; done)
EOF
- << EOF starts a here-document: everything up to the line containing only EOF becomes the standard input of the ssh command, which the FortiGate CLI reads as if it had been typed.
- $(for cmd in "${commands[@]}"; do echo "$cmd"; done) is a command substitution that loops over the commands array and prints each entry on its own line. Because EOF is unquoted, the substitution is expanded locally before ssh runs, so the here-document body is the plain list of commands and the remote CLI executes them one after another.
- EOF marks the end of the here-document.
Example usage:
execute_commands "ls -l" "pwd" "whoami"
My Script to Connect to the FortiGate
I saved it under: /opt/scripts/fortigate/fgt_gw_check.sh
nano fgt_gw_check.sh
#!/bin/bash
# Variables
HOST="HOST_IP"
USER="USER"         # Note: this shadows the shell's own USER variable for the rest of the script
PASSWORD="PASSWORD" # Not recommended to hardcode passwords; consider using SSH keys or prompting for password
# Port, in my case I changed the port from 22 to 11022
PORT=11022
LOG_FILE="/opt/scripts/log/fortigate_disable_enable_wan1_$(date +%Y-%m-%d).log" # Location for log file (the directory must already exist)
# Commands to disable wan1 interface
disable_commands=(
    "config system interface"
    "edit wan1"
    "set status down"
    "end"
)
# Commands to enable wan1 interface
enable_commands=(
    "config system interface"
    "edit wan1"
    "set status up"
    "end"
)
# Function to send commands via SSH
# EOF is unquoted, so the $(...) below is expanded locally and the here-document
# that reaches ssh's stdin is the plain list of FortiGate CLI lines.
execute_commands() {
    local commands=("$@")
    # StrictHostKeyChecking=no: the firewall's host key is accepted without verification
    sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no -p "$PORT" "$USER@$HOST" << EOF
$(for cmd in "${commands[@]}"; do echo "$cmd"; done)
EOF
}
# Disable wan1 interface
#echo "Disabling wan1 interface..."
echo "$(date): Disabling wan1 interface..." >> "$LOG_FILE"
execute_commands "${disable_commands[@]}"
# Wait for 60 seconds
#echo "Waiting for 60 seconds..."
echo "$(date): Waiting for 60 seconds..." >> "$LOG_FILE"
sleep 60
# Enable wan1 interface
#echo "Enabling wan1 interface..."
echo "$(date): Enabling wan1 interface..." >> "$LOG_FILE"
execute_commands "${enable_commands[@]}"
echo "$(date): Done." >> "$LOG_FILE"
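The script above does the job, but two things a practitioner would change before running it unattended are the password passed on the command line (sshpass -p makes it visible in the process list) and the disabled host key check. The following is an added example, not the post's script, that keeps the same approach (render a block of FortiGate CLI lines, feed them to ssh's stdin) but uses key-based authentication, a pinned known_hosts file, and an allowlist for the interface name before it is placed into the CLI lines. The FGT_* variable names, the key and known_hosts paths, and the "run" argument convention are assumptions made for this illustration; HOST_IP and USER are placeholders.

```sh
#!/bin/sh
# Added example, not the original post's script. Same idea: send a block of
# FortiGate CLI lines over SSH, but with key-based authentication, a pinned
# host key, and validation of the interface name before it reaches the CLI.
# Assumed (not from the post): the key and known_hosts paths and the FGT_*
# variable names. HOST_IP / USER are placeholders to be replaced.
set -eu

FGT_HOST="${FGT_HOST:-HOST_IP}"
FGT_PORT="${FGT_PORT:-11022}"
FGT_USER="${FGT_USER:-USER}"
FGT_KEY="${FGT_KEY:-/opt/scripts/fortigate/fgt_key}"                     # assumed path
FGT_KNOWN_HOSTS="${FGT_KNOWN_HOSTS:-/opt/scripts/fortigate/known_hosts}" # assumed path
LOG_FILE="${LOG_FILE:-/opt/scripts/log/fortigate_iface_$(date +%Y-%m-%d).log}"

# Interface names this script is allowed to touch (constructed allowlist).
ALLOWED_IFACES="wan1 wan2"

# Return 0 if $1 is in ALLOWED_IFACES, 1 otherwise.
iface_allowed() {
    local name allowed
    name="$1"
    for allowed in $ALLOWED_IFACES; do
        if [ "$name" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# Print the FortiGate CLI lines that set interface $1 to status $2 (up|down),
# one per line. Refuses names outside the allowlist and statuses other than
# up/down, so caller input cannot smuggle extra CLI lines into the block.
render_iface_status() {
    local iface status
    iface="$1"
    status="$2"
    if ! iface_allowed "$iface"; then
        echo "refusing interface not in allowlist: $iface" >&2
        return 1
    fi
    case "$status" in
        up|down) ;;
        *) echo "status must be up or down, got: $status" >&2; return 1 ;;
    esac
    printf '%s\n' "config system interface" "edit $iface" "set status $status" "end"
}

# Print the ssh options on one line so they can be inspected without a device:
# no password prompts (BatchMode), host key must match the pinned file, key auth.
ssh_args() {
    printf '%s' "-o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$FGT_KNOWN_HOSTS -i $FGT_KEY -p $FGT_PORT $FGT_USER@$FGT_HOST"
}

# Feed stdin (the rendered CLI lines) to the firewall. Needs a live device.
run_remote() {
    # shellcheck disable=SC2046  # deliberate word splitting of ssh_args output
    ssh $(ssh_args)
}

log() {
    printf '%s: %s\n' "$(date '+%F %T')" "$*" >> "$LOG_FILE"
}

# Disable $1 (default wan1), wait $2 seconds (default 60), then re-enable it.
main() {
    local iface wait_s down_cli up_cli
    iface="${1:-wan1}"
    wait_s="${2:-60}"
    # Render both blocks first so a rejected name aborts before anything is sent.
    down_cli="$(render_iface_status "$iface" down)"
    up_cli="$(render_iface_status "$iface" up)"
    log "Disabling $iface"
    printf '%s\n' "$down_cli" | run_remote
    log "Waiting $wait_s seconds"
    sleep "$wait_s"
    log "Enabling $iface"
    printf '%s\n' "$up_cli" | run_remote
    log "Done"
}

# Only contact the firewall when invoked as: ./fgt_iface_bounce.sh run [iface] [seconds]
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

The known_hosts file is populated once, out of band, with the firewall's host key (for example by copying the fingerprint shown in the FortiGate GUI or running ssh-keyscan from a trusted position and verifying it); after that, StrictHostKeyChecking=yes makes a key mismatch a hard failure instead of something the script silently accepts. Rendering the CLI block through a function with an allowlist means an unexpected interface name is logged and refused rather than interpolated into the session.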
In one of the following posts, I will publish my internet monitoring script.
UPDATE: My script to monitor the internet connection