Thursday 4 February 2016

How-to: Use the grep command on a FortiGate

Grep is a fast and easy way of filtering lots of information from the console. The FortiGate allows you to pipe grep to many commands including show, get and diagnose.

To use grep you must pipe it with the search value after a command ex: | grep <value>

There are a few options available with grep that can be seen with the -h flag. Below is a show command that's been piped with grep to display all the options available:

gate1 # show | grep -h
Usage: grep [-invfcABC] PATTERN
Options:
        -i      Ignore case distinctions
        -n      Print line number with output lines
        -v      Select non-matching lines
        -f      Print fortinet config context
        -c      Only print count of matching lines
        -A      Print NUM lines of trailing context
        -B      Print NUM lines of leading context
        -C      Print NUM lines of output context



Let's start with a simple show command to display every instance of the value ssl-token in the config.


gate1 # show | grep ssl-token
    edit "ssl-token"
        set member "authenticator-radius" "ssl-sms" "ssl-token" "imadmin"


We can see there are two instances of ssl-token. The problem is that we cannot see exactly where in the config these two instances are referenced. From this output it looks as if we edit 'ssl-token' and then add it as a member of 'ssl-token', which doesn't make sense.

Luckily there is the -f flag, which prints the config context and shows us exactly where in the config the values are found. Let's try this again with the -f flag:

gate1 # show | grep -f ssl-token
config user local
    edit "ssl-token" <---
        set type password
        set two-factor fortitoken
        set email-to "amouawad@ingramlabs.com.au"
        set passwd ENC encodedpasswordz
    next
end
config user group
    edit "Full SSL Access"
        set member "authenticator-radius" "ssl-sms" "ssl-token" "imadmin" <---
    next
end



That's much better! Now I can see that the two instances of ssl-token first create the user (under config user local) and then add the user to the user group 'Full SSL Access' (under config user group). The matched entries are highlighted with a handy arrow '<---'.

All CLI commands on the FortiGate are case sensitive, and that includes grep values. If I searched for the 'Full SSL Access' group but couldn't remember which characters were capitalised, I would end up with no results:

gate1 # show | grep "full ssl access"

Doing the same search with the -i flag ignores case (remember to use -f to see the config context):

gate1 # show | grep -i -f "full ssl access"
config user group
    edit "Full SSL Access" <---
        set member "authenticator-radius" "ssl-sms" "ssl-token" "imadmin"
    next
end


Next, let's have a look at how to add an OR operator to grep. In this example I'm trying to get the admin lockout and timeout values to show our auditors for PCI compliance.

gate1 # config system global
gate1 (global) # get | grep admin
admin-concurrent    : enable
admin-console-timeout: 0
admin-https-banned-cipher: rc4 low
admin-https-pki-required: disable
admin-https-redirect: enable
admin-https-ssl-versions: tlsv1-1 tlsv1-2
admin-lockout-duration: 60
admin-lockout-threshold: 3
admin-login-max     : 100
admin-maintainer    : enable
admin-port          : 80
admin-scp           : disable
admin-server-cert   : gate_gui
admin-sport         : 4443
admin-ssh-grace-time: 120
admin-ssh-password  : enable
admin-ssh-port      : 22
admin-ssh-v1        : disable
admin-telnet-port   : 23
admintimeout        : 480


We can see there are quite a few values returned. The three key values we want here are admin-lockout-duration, admin-lockout-threshold and admintimeout. Let's try this again with the two search values contained in quotation marks and separated by \|:

gate1 (global) # get | grep 'admin-lockout\|admintimeout'
admin-lockout-duration: 60
admin-lockout-threshold: 3
admintimeout        : 480


Lastly, to add an AND operator we just use a full stop without quotation marks (to grep the full stop is a single-character wildcard, so on its own it only joins two values that sit one character apart). For example, if I want to search for all instances of admin AND ssh I'd use the following:

gate1 (global) # get | grep admin.ssh
admin-ssh-grace-time: 120
admin-ssh-password  : enable
admin-ssh-port      : 22
admin-ssh-v1        : disable
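To make the -f context output and the OR / ordered-AND patterns above easier to reason about offline, here is a small emulation written for this post (not FortiGate's own code) that applies a regular expression to a constructed sample of show output and returns each matching edit block with its config header, matches marked with '<---'. It assumes table-style sections (config / edit ... next / end) and Python re syntax, so OR is written 'a|b' rather than the CLI's 'a\|b'.

```python
import re

# Constructed sample of FortiGate-style 'show' output (not from a real device).
SAMPLE_CONFIG = """\
config user local
    edit "ssl-token"
        set type password
        set two-factor fortitoken
    next
end
config user group
    edit "Full SSL Access"
        set member "authenticator-radius" "ssl-sms" "ssl-token" "imadmin"
    next
    edit "Guests"
        set member "guest"
    next
end
"""


def grep_context(config_text, pattern, ignore_case=False):
    """Emulate 'show | grep [-i] -f PATTERN' for table-style sections
    (config / edit ... next / end): every 'edit' block containing a match is
    returned with its 'config' header and 'end', matches marked '<---'.
    Python re syntax, so OR is 'a|b' where the FortiGate CLI uses 'a\\|b'.
    Hypothetical helper written for this example, not FortiGate's own code."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    out, section, block, hit = [], [], [], False
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            section = [line]              # new section: keep only its header
            continue
        if s == "end":
            if len(section) > 1:          # at least one block matched
                out.extend(section + [line])
            section = []
            continue
        if s.startswith("edit "):
            block, hit = [], False        # start collecting a new block
        if rx.search(line):
            line += " <---"
            hit = True
        block.append(line)
        if s == "next" and hit:
            section.extend(block)         # block closed with a match inside
    return out


if __name__ == "__main__":
    for pat, ic in [("ssl-token", False), ("full ssl access", True),
                    ("ssl-sms|guest", False), ("member.*imadmin", False)]:
        print(f"--- grep {'-i ' if ic else ''}-f '{pat}'")
        print("\n".join(grep_context(SAMPLE_CONFIG, pat, ic)))
```

Because '.*' matches left to right, 'member.*imadmin' finds the group line while 'imadmin.*member' returns nothing, which is the order-matters behaviour of the AND trick.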

8 comments:

Steve said...

That's really useful, thanks for posting.

Anonymous said...

Same here. Thank you!

Anonymous said...

Just a couple of notes about the AND operator:
1) Order matters. In your example, grep ssh.admin would not have found those lines.
2) Extra characters matter. In your example, grep admin.grace would not have found that first line. However, you can add an asterisk to allow for additional characters. For example, grep admin.*grace would have found it.

This can be important when looking up policy information and you want to filter by the dstintf and by the interface name. Here's an example of using it to show all policies that have destination interface of WAN1:
# show firewall policy | grep dstintf.*wan1

You can also combine these by doing something like this (note the case insensitivity provided by the -i and the context information provided by the -f):
# show firewall policy | grep -i -f 'srcIntf.*wAn1\|dSTintf.*Wan1'

Unknown said...

How would such a query look when you want source to be wan1 AND dest wan2?

Unknown said...

Or source address "all" and destination address "all" ?

Anonymous said...

Don't think that is possible silavric, I would do it using the web-gui.

toy4two said...

I seem to be having trouble with literal match. I have some interfaces with -0 and -1 I need to grep for:
config system interface
show | grep "-1" or show | grep "-0" just gives a help menu. How do I break out of the - to literally have it ignore the -?

Unknown said...

I seem to have a problem with the below

show firewall policy | grep 'Wan1.*v430.*ssh' -i -f

I do see a policy in the GUI but am unable to get the results with this