This article describes how to remove the comment ‘Created by IPSec Template’ from a FortiGate using a TCL script run from FortiManager.
If the IPSec templates assigned to a FortiGate are unassigned and deleted from FortiManager, FortiManager will try to delete the IPSec tunnels created from those templates (and their static routes) on the next install.
Scope
FortiManager, FortiGate
Solution
The fix is to remove the comment ‘Created by IPSec Template’ from the IPSec tunnels (phase1 and phase2) and from their static routes, which is tedious to do by hand when there are many tunnels.
Follow the initial steps from this article on how to enable and run TCL scripts in FortiManager:
Technical Tip: How to use TCL script…existing route
Step 1: Go to Device Manager -> Scripts, select type TCL Script, and select ‘Create new’.
Create the following TCL script:
#!
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# "]
}
#
foreach line [split [exec "show router static\n" "# "] \n] {
#
# Fetching the 'edit' and its value
#
    if {[regexp {edit\s(\d+)} $line match policy]} {
        continue
# Collect the routes whose comment was set by the IPSec template
    } elseif {[regexp {set\s(comment)\s"(.*IPSec\sTemplate.*)"} $line match key value]} {
#
        lappend policies_comment($policy) "$key $value"
    }
}
#
do_cmd "config router static\n"
#
foreach policy [array names policies_comment] {
    do_cmd "edit $policy"
    do_cmd "unset comment"
    do_cmd "next"
}
do_cmd "end"
The comment from static route #5 has been removed.
Verifying on the FortiGate.
Step 2: Remove the comment from phase2 and phase1 tunnels. Go to Device Manager -> Scripts, select type TCL Script, and select ‘Create new’.
Create the following TCL script:
#!
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# "]
}
#
foreach line [split [exec "show vpn ipsec phase2-interface\n" "# "] \n] {
#
# Fetching the 'edit' and its value
#
    if {[regexp {edit\s"([^"]+)"} $line match phase2]} {
        continue
#
    } elseif {[regexp {set\s(comments)\s"(.*Template.*)"} $line match key value]} {
#
        lappend phase2_comment($phase2) "$key $value"
    }
}

#
foreach line [split [exec "show vpn ipsec phase1-interface\n" "# "] \n] {
#
    if {[regexp {edit\s"([^"]+)"} $line match phase1]} {
        continue
#
    } elseif {[regexp {set\s(comments)\s"(.*Template.*)"} $line match key value]} {
#
        lappend phase1_comment($phase1) "$key $value"
    }
}
#
do_cmd "config vpn ipsec phase2-interface\n"
#
foreach phase2 [array names phase2_comment] {
    do_cmd "edit $phase2"
    do_cmd "unset comments"
    do_cmd "next"
}
do_cmd "end"
#
do_cmd "config vpn ipsec phase1-interface\n"
#
foreach phase1 [array names phase1_comment] {
    do_cmd "edit $phase1"
    do_cmd "unset comments"
    do_cmd "next"
}
do_cmd "end"
Run the script on the desired FortiGate. The comment has been removed from the VPN Tunnel.
Verifying on the FortiGate.
Note:
- The script can be run on multiple FortiGates at the same time.
- If the tunnels were created by VPN Manager and the FortiGate was removed from FortiManager and then added back, those tunnels are no longer managed by VPN Manager, and the comment ‘Created by VPN Manager’ has to be removed so that FortiManager does not delete the tunnels on the next install. In this case, replace lines 13 and 25 of the script in step 2 (the two ‘elseif’ lines that match ‘Template’) with the line below:
} elseif {[regexp {set\s(comments)\s"(.*VPN\sManager.*)"} $line match key value]} {
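As an added, read-only check that is not part of the original article: the FortiManager TCL script below reports every static route, phase1 and phase2 entry whose comment still matches ‘IPSec Template’ or ‘VPN Manager’, so the result of the two removal scripts (and of the VPN Manager variant from the note) can be confirmed on each FortiGate before the next install. It assumes the same FortiManager TCL environment as the scripts above (exec with the ‘# ’ prompt); the marker list and the ‘hits’ reporting are constructed for this example.

```tcl
#!
# Read-only check: list each static route, phase1 and phase2 entry whose
# comment still carries a FortiManager-generated marker. Nothing is modified.
proc do_cmd {cmd} {
    return [exec "$cmd\n" "# "]
}

# Markers to look for (constructed list for this example; extend as needed).
set markers {IPSec\sTemplate VPN\sManager}

set hits {}
# table -> the comment keyword used in that table's 'show' output
foreach {table key} {
    {router static}              comment
    {vpn ipsec phase1-interface} comments
    {vpn ipsec phase2-interface} comments
} {
    set current ""
    foreach line [split [do_cmd "show $table"] \n] {
        set line [string trim $line]
        # 'edit 5' for static routes, 'edit "name"' for tunnels
        if {[regexp {^edit\s+"?([^"]+)"?} $line match name]} {
            set current $name
        } elseif {[regexp "^set\\s$key\\s\"(.*)\"" $line match value]} {
            foreach marker $markers {
                if {[regexp $marker $value]} {
                    puts "$table: edit $current still has $key \"$value\""
                    lappend hits "$table/$current"
                }
            }
        }
    }
}

if {[llength $hits] == 0} {
    puts "No generated comments found in static routes or IPsec tunnels."
} else {
    puts "[llength $hits] entries still carry a generated comment; run the removal script(s) before the next install."
}
```

Run it like the other scripts from Device Manager -> Scripts; it can be run on several FortiGates at once and only prints what it finds.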