Can you not push a script from the FMG? Or batch-script upload ?

Ken Felix

oh ok yes you could push a script from FMG. I just up to now never used that feature so can't say anything about it. But yes might be an option too.

If the vpn names are the same we've use for loop and change the psk on vpns via script. The FGTs have a public-key so it's automated and loops thru and changes the vpns in a simple execution.

e.g  part of the sript

======================

# vpn tunnel gw list in file vpn.txt

# python runs a script to create a random password that we will set on our devices 

py1=/usr/bin/python

py2=/opscenter/FTNT/scripts/python.password

psk=`$py1 $py2`

## now we change the FGTs psk  

H="config vdom\n edit root\n config vpn ipsec phase1-interface\n edit FGTCorp2RemoteTunnel\n set psksecret  $psk\n end\n" 

for p in " cat vpn.txt" ;  

do       echo -e "$H"  | ssh -o "StrictHostKeyChecking=no"   fgtadminteam@$p]fgtadminteam@$p ;  

done 

You can run the script before hand to see how it would display the password e.g  

config vdom edit root config vpn ipsec phase1-interface edit FGTCorp2RemoteTunnel set psksecret  .@3bR_4$xWWL&6dgAhdk#83k@l@9k12k&3ts5Fg end 

I would suggest no ssh host key checks to ensure the script won't fail from a upgrade or failover  or if the ssh keys are changed.

Vpn.txt files has all of the vpns gateways by ip.address 

YMMV, but we change psk like this every 3months and it works 100% flawlessly if the network is not down the host that runs the script is up. We crontab this to fire every 90days 

TIP: Avoid using the following characters  '\ " in the random password 

Ken Felix

Thank you everyone for your response, will try to study first the scripting.