SRL Guide

• Run Rule controls whether the rule runs once for the whole device or once per VDOM.
• Configuration Section scopes this to a selected config section when one is provided.
• Loop Configuration Section controls whether the rule iterates each edit entry within that section.
• When looping is enabled, this is the current entry during each iteration.
• When looping is disabled and a Configuration Section is set, this is the selected section node.
• If the rule emits no explicit finding but finishes in a fail state in legacy-compatible paths, SRL can still emit an implicit fail finding.

Statements

// Single-line comment
/* Multi-line
   comment */

$value = "text";
let $name = "root";
$total += 1;
$counter++;
++$retries;
$counter -= 2;

if (this.name equals "root") {
    addPassFinding();
} else {
    addFailFinding("Root is missing.", "Create or restore the root entry.");
}

• Block statements use braces: if (...) { ... }, foreach (...) { ... }.
• Assignments support both let $var = ... and $var = ....
• $var += ... appends text or adds numbers, depending on both operand types.
• $var -= ... subtracts a numeric value from a numeric variable.
• $var++, ++$var, $var--, and --$var are supported for writable numeric variables.
• Prefix forms return the updated value. Postfix forms return the original value.
• Strings may use double quotes, single quotes, or backticks.
• Booleans are true and false.
• Numbers may be integers or decimals.
• null is not a general-purpose runtime value in SRL expressions. It is only special-cased for supported optional finding arguments.

SRL can read both variables and configuration paths.

$adminName = this.name;
$pathText = path(this);
$parentNode = parent(this);
$policyName = config.vdoms.root.firewall.policy.10.name;
$vendor = appliance.vendor;
$wanType = appliance.interfaces.wan1.network_type;
$fieldName = "status";
$dynamicValue = this.$fieldName;

• this is the current scoped configuration node.
• config is the normalized configuration tree.
• appliance is the detected device/runtime scope passed into SRL for both audits and Test Rule runs.
• Path segments are dot-separated.
• Path interpolation is supported, for example config.system.interface.$ifaceName.ip.
• If a path cannot be resolved, SRL treats it as unresolved rather than throwing a hard parse error. Most helper functions then treat it as empty/missing.
• When a config node is converted to a string, SRL renders it in a FortiGate-style config block format.

if (this.status equals "enable") {
    addPassFinding();
} else if (this.status equals "disable") {
    addFailFinding("The setting is disabled.", "Enable the setting.");
} else {
    addInfoFinding("The setting could not be classified.", "Review the configuration manually.");
}

foreach ($member in this.member) {
    if ($member contains "all") {
        addFailFinding("The list contains ALL.", "Replace ALL with explicit members.");
        break
    }
}

• Supported blocks: if, else if, elseif, else, foreach.
• Supported flow control: return, break, continue.
• foreach ($item in some.path) loops visible array items.
• Inside a foreach, the loop variable and this are both set to the current item.

Text and conversion helpers

Presence and counting

Numeric helpers

Certificate helpers

Collection helpers

Metadata helpers

Network and address helpers

addPassFinding();

addFailFinding(details, remediation, remediation_time, title_override, scope_override, section_override);

addInfoFinding(details, remediation, remediation_time, title_override, scope_override, section_override);

• addPassFinding() does not accept any parameters.
• details is required for fail and info findings.
• remediation is required for fail findings and optional for info findings.
• remediation_time is optional for fail and info findings.
• If remediation_time is omitted, left blank, or set to null, runtime defaults it to 30.
• title_override is optional. If omitted, the rule name is used.
• scope_override is optional.
• section_override is optional.

Examples

addPassFinding();

addFailFinding(
    "Administrative access is exposed to unrestricted sources.",
    "Restrict this policy to trusted management networks."
);

addFailFinding(
    "Password complexity is disabled.",
    "Enable password complexity requirements.",
    ,
    "Weak password policy"
);

addInfoFinding(
    "Traffic logging is enabled for this policy.",
    ,
    45,
    "Logging enabled"
);

addFailFinding(
    "The global admin profile allows insecure services.",
    "Restrict the allowed administrative services.",
    45,
    "Global admin exposure",
    "global",
    "config.system.admin"
);

1. Check a single section value

if (number(this.admintimeout) <= 15 and number(this.admintimeout) > 0) {
    addPassFinding();
} else {
    addFailFinding(
        "Administrative timeout is greater than 15 minutes or not set correctly.",
        "Set admintimeout to 15 minutes or less."
    );
}

2. Loop through section entries

foreach ($admin in this) {
    if ($admin.status equals "disable") {
        addInfoFinding(
            "An administrator entry is disabled: " + name($admin),
            "Delete administrators from the system, if they are no longer required.",
            10,
            "Disabled administrator"
        );
    }
}

3. Check certificate expiry

$days = cert_days_remaining(this.certificate)

if (not_exists($days)) {
    addInfoFinding(
        "Certificate expiry could not be checked.",
        "Review the certificate manually and confirm it is valid and correctly imported.",
        15
    );
} else if ($days <= 0) {
    addFailFinding(
        "Certificate has expired.",
        "Renew or replace the expired certificate.",
        30
    );
} else if ($days <= 30) {
    addFailFinding(
        "Certificate expires soon.",
        "Renew or replace the certificate before it expires.",
        30
    );
}

4. Match public policy destinations and ports to DoS policy coverage

foreach ($srcintf in this.srcintf) {
    if (not any(lower(appliance.interfaces.$srcintf.network_type), "any", "internet")) {
        continue;
    }

    if (dos_policy_covers(config.firewall.dos-policy, $srcintf, this.dstaddr, getAllServicePorts(this.service))) {
        addPassFinding();
    } else {
        addFailFinding(
            "No enabled DoS policy on " + $srcintf + " fully covers " + getAllIpAddresses(this.dstaddr) + " for ports " + getAllServicePorts(this.service) + ".",
            "Create or expand a DoS policy so its dstaddr and service fully cover the exposed destination and ports."
        );
    }
}

5. Normalize text before comparison

$normalized = lower(trim(this.status));

if ($normalized equals "enable") {
    addPassFinding();
} else {
    addFailFinding(
        "The feature is not enabled.",
        "Enable the feature."
    );
}

4. Work with service object expansion

$tcpPorts = getAllServiceTcpPorts(this.service);

if (any($tcpPorts, "23", "2323")) {
    addFailFinding(
        "The policy permits Telnet-related TCP ports.",
        "Remove Telnet and use SSH instead.",
        20,
        "Insecure management service"
    );
}

5. Use appliance metadata in Rule Test or full audits

addInfoFinding(
    "Running on " + appliance.vendor + " " + appliance.type + " " + appliance.os,
    ,
    5,
    "Appliance context"
);

6. Use increment and decrement operators

$i = 1;
$before = $i++;
$after = ++$i;
$after--;
$after -= 2;

addInfoFinding(
    "before=" + $before + ", i=" + $i + ", after=" + $after,
    ,
    0,
    "Counter example"
);

• $var = expr assigns a variable.
• $var += expr appends text or adds numbers.
• $var -= expr subtracts a numeric value.
• $var++, ++$var, $var--, and --$var increment or decrement writable numeric variables.
• if (...) { ... } supports else if and else.
• foreach ($item in path) { ... } loops array-like nodes.
• this is the current scoped object.
• config is the normalized configuration root.
• appliance exposes runtime metadata such as vendor, OS version, scope, VDOMs, and interface network types.
• return, break, and continue are supported.

• string(array) renders config-like text for config nodes.
• number(value) strips non-numeric characters before conversion.
• bool(value) treats true, 1, yes, on, and enabled as true.
• Equality and contains comparisons are case-insensitive.
• len(value) returns string length for text and item count for arrays.

• matches_regex treats the right side as a regex pattern body.
• replace() supports both literal replacement and regex replacement when the pattern uses a proper regex delimiter, for example /pattern/i.

• Pass findings must use addPassFinding() with no arguments.
• Fail findings require non-empty details and remediation.
• Info findings require non-empty details. remediation is optional.
• remediation_time must be numeric, blank, or null.
• Unterminated strings, unclosed blocks, and unsupported statements are compile errors.
• Runtime errors are surfaced in Test Rule and audit output.

• Write complete finding text inside the finding function itself.
• Prefer explicit titles for reusable or looped findings.
• Use helper functions like lower() and trim() before comparing vendor text.
• Increment and decrement operators only work on writable numeric SRL variables, not on read-only inputs like this, config, or appliance.
• Use Test Rule with a real config before saving production rule changes.
• Keep remediation text action-oriented and specific to the detected issue.