
We are using the below format to collect data from a Fortinet firewall with a custom command.

 

end
config global
show system dns
show system ntp

 

Can anyone check and confirm that these will not impact anything? If I remove config global, then the command will not run.

@Rohit_809 Kumar 

If you want to collect DNS and NTP, then these custom commands should be enough.

show system dns
show system ntp

No need for

end
config global

 

Here is my config

 

If you see something else, please open a support ticket.


I tried your format, but I am getting an error for this. I also raised a support case for this, and support confirmed this format.

 

I just want to double-check whether this format will impact anything on the firewall end or in regular collection.


Hello

I have a similar question. We want to collect "get system fortiguard" in an environment where we are using vdom. This is a command that only works in "config global". When I add "get system fortiguard" to custom command and collect, commands are only executed under "config vdom" "edit xxxx". Is there a way I can make this only work in "config global"?

 

 


Hi @juyoung,

You can try this format.

 

end
config global
get system fortiguard

 


@Rohit_809 Kumar 
The Fortinet commands “show system dns” and “show system ntp” are global context commands. If you need to run them as part of a custom command group, they will be run on the global context and on each vdom.

The commands will fail with an error on the vdoms, but this will not impact collection. The collector just ignores the error and moves on.

When you are looking for the output of this data in NQE, keep in mind that the only valid output will be on the main firewall.

 

 

 


@Rohit_809 Kumar 

I can collect normally! Thank you.

 

@Christopher 

I ran only "get system fortiguard" and checked the Collection Log. As you said, the Collector executes the Custom command on the entire vdom. However, it does not execute it on "config global", but only on the root vdom and all other vdoms. ("edit vdom" "edit xxx") And have you tried "show system dns" recently? This is also a command that is only executed under config global, so it is not collected properly, just like "get sys fortiguard".

 

Actually, I think this is a problem that needs to be checked on the FN side. It should work without "end" and "config global" as you said. Because the method Rohit gave will exit to end even when entering all vdoms. Thank you


The key distinction here is between the root vdom and the global context.

There is only one global context for the whole Firewall, so if you include the config global in your custom command, the output on all the vdoms in Forward will be the same, including the root vdom.

If you need results from a command run on each vdom, then you must omit “end” and “context global”.

If you need to run the same custom command on each vdom AND in the global context, you need to create two custom commands, one with context global and one without.


For example, if you use the following custom command configuration:

 

There will be multiple files for each device in Forward.

The “show full-configuration” output will be collected from each vdom (including the root vdom), and will be different for every device.

The “show full” output is from the global context and the resulting file will be the same for all devices.

Note: There will also be output files for the “end” and “config global” commands, but they will be empty, since these commands were used simply to enter the global context.


It is critical to note that the ORDER of the custom commands above matters. By inserting the commands “end” and “config global”, all commands that are run after this change in context are run at the global level, even if they are in a different command group.

Therefore, any custom commands that need to be run at the global context should come after commands that need to be run at the vdom context.


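The ordering rule from the last post, as an added example that is not part of the thread and is not Forward or Fortinet code: it models which context each custom command ends up in and flags commands that land in the wrong one. The function names and the `intent` mapping are assumptions made for the illustration, and the command lists are constructed samples.

```python
# Added illustration: models the context rule described in the thread.
# It does not connect to a firewall or to the collector.

def effective_contexts(commands):
    """Return [(command, context)] for an ordered custom-command list.

    Rule from the thread: commands run per vdom until "end" followed by
    "config global" appears; everything after that runs in the global
    context, even when it sits in a later command group.
    """
    cmds = [c.strip() for c in commands if c.strip()]
    result, context = [], "vdom"
    for i, cmd in enumerate(cmds):
        if cmd == "config global" and i > 0 and cmds[i - 1] == "end":
            context = "global"
            result[-1] = ("end", "switch")   # marker lines: empty output files
            result.append((cmd, "switch"))
            continue
        result.append((cmd, context))
    return result


def lint(commands, intent):
    """Return (command, wanted, actual) for every command in the wrong context.

    intent maps a command to "vdom" or "global"; it is supplied by the
    operator (hypothetical input, not a built-in list).
    """
    findings = []
    for cmd, ctx in effective_contexts(commands):
        want = intent.get(cmd)
        if ctx != "switch" and want is not None and want != ctx:
            findings.append((cmd, want, ctx))
    return findings


# Constructed sample data, using commands named in the thread.
INTENT = {
    "show full-configuration": "vdom",
    "show full": "global",
    "show system dns": "global",
}
GOOD_ORDER = ["show full-configuration", "end", "config global", "show full"]
BAD_ORDER = ["end", "config global", "show system dns", "show full-configuration"]

if __name__ == "__main__":
    for name, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, effective_contexts(order), lint(order, INTENT))
```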