
Mailing List Archive: RANCID: Users

rancid with Fortigate FG100A

 

 



gmccullagh at gmail

Jan 30, 2011, 9:02 AM

Post #1 of 15 (2142 views)
rancid with Fortigate FG100A

Hi,

we're just starting to use Rancid and have started off with a Fortigate
FG100A firewall. Regrettably, the existing scripts (nlogin, fnrancid)
don't quite work with it.

I've managed to patch those to get what seems to be a working setup (see
below). The prompt is different, the get config command is slightly
different and you need to strip out the "System time" from the status or
else you get a patch every hour.

Would it be of interest to add support to the project?

Gavin


--- nlogin 2011-01-27 17:19:04.000000000 +0000
+++ fglogin 2011-01-30 15:00:21.000000000 +0000
@@ -482,7 +482,7 @@
set router [string tolower $router]
send_user "$router\n"

- set prompt {-> }
+ set prompt " #"

# Figure out passwords
if { $do_passwd || $do_enapasswd } {
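Review bot: the new prompt pattern `set prompt " #"` is unanchored and only two characters wide, so any output line that contains " #" will be taken for the CLI prompt and end the capture early. Anchor it to the end of the line and, ideally, to the hostname, for example `set prompt "\[^\r\n\]* #\s*$"`; that still matches the "(console) #" form of the prompt shown later in this thread.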
@@ -557,7 +557,7 @@
continue
}
} elseif { $do_script } {
- send "set console page 0\r"
+ #send "set console page 0\r"
expect -re $prompt {}
source $sfile
catch {close};
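Review bot: commenting out `send "set console page 0\r"` leaves the Netscreen pager command as dead code and sends nothing in its place, so the Fortigate stays in paged output mode; later posts in this thread show exactly what that looks like (a capture that stops at `--More--`). Replace the line with the Fortigate equivalent, `config system console`, `set output standard`, `end`, each followed by `expect -re $prompt`, and delete the commented-out line rather than carrying it.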



--- fnrancid 2011-01-30 15:48:57.000000000 +0000
+++ fgrancid 2011-01-30 15:49:48.000000000 +0000
@@ -59,7 +59,7 @@
$file = $opt_f;
$host = $ARGV[0];
$found_end = 0;
-$timeo = 90; # nlogin timeout in seconds
+$timeo = 90; # fglogin timeout in seconds

my(@commandtable, %commands, @commands);# command lists
my($aclsort) = ("ipsort"); # ACL sorting mode
@@ -173,6 +173,7 @@
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
+ next if /^\s*System time: /;
last if(/$prompt/);
ProcessHistory("","","","$_");
#print STDOUT "$_";
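Review bot: `next if /^\s*System time: /;` is case-sensitive, while the upstream fnrancid filter in the same routine matches `System Time:` (the later patch in this thread adds `/i` to it), so whichever capitalization a given firmware build prints will pass one of the two filters. Use `/^\s*System time:/i` and drop the trailing blank, which would also miss a line that ends right after the colon.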
@@ -214,7 +215,7 @@
# Main
@commandtable = (
{'get system status' => 'GetSystem'},
- {'get conf' => 'GetConf'}
+ {'show ' => 'GetConf'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
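Review bot: the trailing blank in `{'show ' => 'GetConf'}` becomes part of `$cmds_regexp`, and the loop further down matches the echoed command with `($cmds_regexp)\s*$`, so the match depends on the device echoing "show " with a trailing space. Make the key the exact command string, `'show'` (or `'show full-configuration'`, which a later post says the upstream script uses), and keep the table key identical to what is sent to the device.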
@@ -242,13 +243,13 @@
print STDERR "opening file $host\n" if ($debug);
print STDOUT "opening file $host\n" if ($log);
open(INPUT,"<$host") || die "open failed for $host: $!\n"; } else {
- print STDERR "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
- print STDOUT "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
+ print STDERR "executing fglogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
+ print STDOUT "executing fglogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
if (defined($ENV{NOPIPE})) {
- system "nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "nlogin failed for $host: $!\n";
- open(INPUT, "< $host.raw") || die "nlogin failed for $host: $!\n";
+ system "fglogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "fglogin failed for $host: $!\n";
+ open(INPUT, "< $host.raw") || die "fglogin failed for $host: $!\n";
} else {
- open(INPUT,"nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "nlogin failed for $host: $!\n";
+ open(INPUT,"fglogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "fglogin failed for $host: $!\n";
}
}
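Review bot: the rename keeps the idiom `system "fglogin ... $host ..." || die`, which cannot fail as intended: `||` binds to the command string, so `die` is never evaluated (and `system` returns 0 on success in any case); write `system(...) == 0 or die "fglogin failed for $host: $?\n"`. Also, `$host` and `$cisco_cmds` are interpolated unquoted into a shell command line in all three places; since `$host` comes from the router list, pass the arguments through the list form, e.g. `open(INPUT, "-|", "fglogin", "-t", $timeo, "-c", $cisco_cmds, $host)`, so a hostname containing shell metacharacters cannot inject into the collector's shell.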

@@ -276,13 +277,13 @@
TOP: while(<INPUT>) {
tr/\015//d;
if (/^Error:/) {
- print STDOUT ("$host nlogin error: $_");
- print STDERR ("$host nlogin error: $_") if ($debug);
+ print STDOUT ("$host fglogin error: $_");
+ print STDERR ("$host fglogin error: $_") if ($debug);
last;
}
- while (/>\s*($cmds_regexp)\s*$/) {
+ while (/#\s*($cmds_regexp)\s*$/) {
$cmd = $1;
- if (!defined($prompt)) { $prompt = " >\s*"; }
+ if (!defined($prompt)) { $prompt = " #\s*"; }
print STDERR ("HIT COMMAND:$_") if ($debug);
if (!defined($commands{$cmd})) {
print STDERR "$host: found unexpected command - \"$cmd\"\n";
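Review bot: with `$prompt` defaulting to `" #\s*"` and the command loop matching `/#\s*($cmds_regexp)\s*$/`, any configuration line containing " #" will terminate a `GetSystem`/`GetConf` loop through `last if(/$prompt/)`, and any line in which "#" is followed by a command word will be treated as an echoed command (the `#conf_file_ver=` line shown later in this thread is one example of output starting with "#"). Anchor both patterns on the hostname prompt, e.g. `^\S+ #\s*`, so comments and header lines inside the dump are not mistaken for the prompt.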
@@ -307,6 +308,7 @@
}

# check for completeness
+printf STDERR scalar(%commands) . "\n";
if (scalar(%commands) || !$found_end) {
if (scalar(%commands)) {
printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
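Review bot: `printf STDERR scalar(%commands) . "\n";` is a debugging leftover: it is not gated by `$debug`, so it writes to stderr on every run (rancid collects that into the log), and it passes a data-derived string as the printf format. Either delete it or make it `print STDERR scalar(%commands), "\n" if ($debug);`.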

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss


diego.ercolani at ssis

Jan 31, 2011, 1:09 AM

Post #2 of 15 (2048 views)
Re: rancid with Fortigate FG100A [In reply to]

Hi.
I've already submitted a patch to support Fortinet. Here is the relevant
post:
http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html

If you look in the mailing list, there are modifications from time to time.

Hope this helps
Diego

On Sunday 30 January 2011 18:02:34, Gavin McCullagh wrote:
> Hi,
>
> we're just starting to use Rancid and have started off with a Fortigate
> FG100A firewall. Regrettably, the existing scripts (nlogin, fnrancid)
> don't quite work with it.
>
> I've managed to patch those to get what seems to be a working setup (see
> below). The prompt is different, the get config command is slightly
> different and you need to strip out the "System time" from the status or
> else you get a patch every hour.
>
> Would it be of interest to add support to the project?
>
> Gavin
>
>
> --- nlogin 2011-01-27 17:19:04.000000000 +0000
> +++ fglogin 2011-01-30 15:00:21.000000000 +0000
> @@ -482,7 +482,7 @@
> set router [string tolower $router]
> send_user "$router\n"
>
> - set prompt {-> }
> + set prompt " #"
>
> # Figure out passwords
> if { $do_passwd || $do_enapasswd } {
> @@ -557,7 +557,7 @@
> continue
> }
> } elseif { $do_script } {
> - send "set console page 0\r"
> + #send "set console page 0\r"
> expect -re $prompt {}
> source $sfile
> catch {close};
>
>
>
> --- fnrancid 2011-01-30 15:48:57.000000000 +0000
> +++ fgrancid 2011-01-30 15:49:48.000000000 +0000
> @@ -59,7 +59,7 @@
> $file = $opt_f;
> $host = $ARGV[0];
> $found_end = 0;
> -$timeo = 90; # nlogin timeout in seconds
> +$timeo = 90; # fglogin timeout in seconds
>
> my(@commandtable, %commands, @commands);# command lists
> my($aclsort) = ("ipsort"); # ACL sorting mode
> @@ -173,6 +173,7 @@
> while (<INPUT>) {
> tr/\015//d;
> next if /^\s*$/;
> + next if /^\s*System time: /;
> last if(/$prompt/);
> ProcessHistory("","","","$_");
> #print STDOUT "$_";
> @@ -214,7 +215,7 @@
> # Main
> @commandtable = (
> {'get system status' => 'GetSystem'},
> - {'get conf' => 'GetConf'}
> + {'show ' => 'GetConf'}
> );
> # Use an array to preserve the order of the commands and a hash for
> mapping # commands to the subroutine and track commands that have been
> completed. @@ -242,13 +243,13 @@
> print STDERR "opening file $host\n" if ($debug);
> print STDOUT "opening file $host\n" if ($log);
> open(INPUT,"<$host") || die "open failed for $host: $!\n"; } else {
> - print STDERR "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if
> ($debug); - print STDOUT "executing nlogin -t $timeo -c\"$cisco_cmds\"
> $host\n" if ($log); + print STDERR "executing fglogin -t $timeo
> -c\"$cisco_cmds\" $host\n" if ($debug); + print STDOUT "executing
> fglogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); if
> (defined($ENV{NOPIPE})) {
> - system "nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw
> 2>&1" || die "nlogin failed for $host: $!\n"; - open(INPUT, "< $host.raw")
> || die "nlogin failed for $host: $!\n"; + system "fglogin -t $timeo -c
> \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "fglogin failed
> for $host: $!\n"; + open(INPUT, "< $host.raw") || die "fglogin failed for
> $host: $!\n"; } else {
> - open(INPUT,"nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") ||
> die "nlogin failed for $host: $!\n"; + open(INPUT,"fglogin -t $timeo -c
> \"$cisco_cmds\" $host </dev/null |") || die "fglogin failed for $host:
> $!\n"; }
> }
>
> @@ -276,13 +277,13 @@
> TOP: while(<INPUT>) {
> tr/\015//d;
> if (/^Error:/) {
> - print STDOUT ("$host nlogin error: $_");
> - print STDERR ("$host nlogin error: $_") if ($debug);
> + print STDOUT ("$host fglogin error: $_");
> + print STDERR ("$host fglogin error: $_") if ($debug);
> last;
> }
> - while (/>\s*($cmds_regexp)\s*$/) {
> + while (/#\s*($cmds_regexp)\s*$/) {
> $cmd = $1;
> - if (!defined($prompt)) { $prompt = " >\s*"; }
> + if (!defined($prompt)) { $prompt = " #\s*"; }
> print STDERR ("HIT COMMAND:$_") if ($debug);
> if (!defined($commands{$cmd})) {
> print STDERR "$host: found unexpected command - \"$cmd\"\n";
> @@ -307,6 +308,7 @@
> }
>
> # check for completeness
> +printf STDERR scalar(%commands) . "\n";
> if (scalar(%commands) || !$found_end) {
> if (scalar(%commands)) {
> printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
>


gmccullagh at gmail

Jan 31, 2011, 4:04 PM

Post #3 of 15 (2081 views)
Re: rancid with Fortigate FG100A [In reply to]

Hi,

On Mon, 31 Jan 2011, Diego Ercolani wrote:

> I've already submitted patch to accomplish fortinet. Here it is the relevant
> post:
> http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
>
> if you see in the mailing list there are time to time modifications.

I see, thanks very much. I've upgraded to v2.3.6 (I was using the Debian
packages, which are v2.3.2) and it seems to work.

The only trouble I see so far is that we're getting repeated patches with
lines like:
- !System time: Mon Jan 31 22:11:05 2011
+ !System time: Mon Jan 31 23:11:09 2011
and:
- #conf_file_ver=7138776372466847334
+ #conf_file_ver=2985214935052655642

So I'm experimenting with a patch:

---------------------------------------------------------------------------------

--- /usr/local/rancid/bin/fnrancid.orig 2011-01-31 23:59:10.000000000 +0000
+++ /usr/local/rancid/bin/fnrancid 2011-01-31 23:59:54.000000000 +0000
@@ -175,7 +175,7 @@
next if /^\s*$/;
last if (/$prompt/);

- next if (/^System Time:/);
+ next if (/^System Time:/i);
next if (/^\s*Virus-DB: .*/);
next if (/^\s*Extended DB: .*/);
next if (/^\s*IPS-DB: .*/);
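Review bot: `next if (/^System Time:/i);` fixes the capitalization but is anchored without the `\s*` that the neighbouring Virus-DB, Extended DB and IPS-DB filters use, so an indented time line would still get through; use `/^\s*System Time:/i`, and the `!System time` filter in the next hunk could share the same pattern instead of keeping a second spelling.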
@@ -207,7 +207,7 @@
# System time is fortigate extraction time
next if (/^\s*!System time:/);
# remove occurrances of conf_file_ver
- next if (/^conf_file_ver=/);
+ next if (/^#?conf_file_ver=/);
# filter variabilities between configurations. password encryption
# upon each display of the configuration.
if (/^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
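Review bot: `/^#?conf_file_ver=/` handles both forms of the header, but skipping the line entirely also removes the only trace in the repository that the device rewrote its config file. If that signal is wanted, rewrite the line to a constant (e.g. `#conf_file_ver=<removed>`) instead of dropping it, which is how the password filter on the following lines treats `Enc` blobs: the presence stays versioned, the volatile value does not.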

---------------------------------------------------------------------------------

I'm also seeing the two RSA Private Keys changing regularly which is very
odd. I'm not sure if that tells me something's odd about the firewall
rather than about Rancid, but I'm seeing this on two different FG100A
firewalls.

Gavin



gmccullagh at gmail

Feb 2, 2011, 2:25 AM

Post #4 of 15 (2121 views)
Re: rancid with Fortigate FG100A [In reply to]

Hi,

On Tue, 01 Feb 2011, Gavin McCullagh wrote:

> I'm also seeing the two RSA Private Keys changing regularly which is very
> odd. I'm not sure if that tells me something's odd about the firewall
> rather than about Rancid, but I'm seeing this on two different FG100A
> firewalls.

I have a request in with Fortinet to understand why this is.

In the meantime, I've written a small patch to strip the private key from
the config rancid keeps. It works, though I'm not yet sure if ignoring
this key is a sensible thing to do. If I get a decent answer from Fortinet
I'll pass it on here.

Gavin


--- fnrancid.v1 2011-02-01 23:25:13.000000000 +0000
+++ fnrancid 2011-02-01 23:40:34.000000000 +0000
@@ -170,6 +170,7 @@
sub GetSystem {
print STDERR " In GetSystem: $_" if ($debug);

+ my $priv_key;
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
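Review bot: `my $priv_key;` is declared inside `sub GetSystem`, but the lines that use it (the next hunk, beside the `!System time` filter) belong to the routine that walks the `show` output further down; under `use strict` that is a compile error, and without it `$priv_key` silently becomes a package global that keeps its value between calls. Declare it at the top of the subroutine that actually processes the configuration dump.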
@@ -203,6 +204,11 @@
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);
+ # spot the start of an RSA private key
+ $priv_key = 1 if(/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/);
+ # spot the end of an RSA private key
+ $priv_key = 0 && next if(/^\s*-----END RSA PRIVATE KEY-----"/);
+ next if($priv_key == 1);

# System time is fortigate extraction time
next if (/^\s*!System time:/);
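Review bot: `$priv_key = 0 && next if(...)` does not do what the comment says: `&&` binds tighter than `=`, so it parses as `$priv_key = (0 && next)`, the `next` is never reached, and the closing `-----END RSA PRIVATE KEY-----"` line is written to the saved config as an orphan (the BEGIN line and the key body are skipped by the `next if($priv_key == 1)` check, the END line is not). Write it as `if (/^\s*-----END RSA PRIVATE KEY-----"/) { $priv_key = 0; next; }`. Two further points: match `-----BEGIN .*PRIVATE KEY-----` so that non-RSA or PKCS#8 keys are stripped as well, and emit a placeholder such as `set private-key "<removed>"` so the diff still records that a key is present. On the question in the text of whether ignoring the key is sensible: the saved config goes into version control and into diff mail, so keeping private key material out of it is consistent with what the script already does for `Enc` passwords under `$filter_pwds`.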



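The three patches in this thread so far (dropping the "System time" line, the conf_file_ver header, and the RSA private key) are all instances of one job: normalizing a capture so that only real configuration changes reach the repository and the diff mail. The Python below is an added example written for this page, not code from rancid or from any of the posters; it generalizes the thread's filters into a single pass (volatile lines, `ENC` password blobs and any PEM private key are handled together) and compares two constructed captures. The sample captures, the hostname `gcd-fw` and the `Version:`/`Virus-DB:` lines are constructed for the example, and matching non-RSA key types is an assumption beyond what the thread shows.

```python
import difflib
import hashlib
import re

# Lines whose value changes on every capture rather than on every configuration
# change. Patterns follow the lines quoted in the thread: the "System time" line
# of `get system status` (rancid stores it prefixed with "!"), the conf_file_ver
# header with or without a leading "#", and the signature-database versions that
# fnrancid already skips.
VOLATILE_LINE_RES = [
    re.compile(r"^\s*!?System time:", re.IGNORECASE),
    re.compile(r"^\s*#?conf_file_ver="),
    re.compile(r"^\s*(Virus-DB|Extended DB|IPS-DB):"),
]

# A certificate private key spans several lines:
#   set private-key "-----BEGIN RSA PRIVATE KEY-----
#   ...base64...
#   -----END RSA PRIVATE KEY-----"
# Accepting any "[A-Z ]*PRIVATE KEY" type is an assumption beyond the thread.
PRIVKEY_BEGIN_RE = re.compile(r'^(\s*)set\s+private-key\s+"-----BEGIN [A-Z ]*PRIVATE KEY-----')
PRIVKEY_END_RE = re.compile(r'-----END [A-Z ]*PRIVATE KEY-----"\s*$')

# Reversibly encrypted secrets (`set password ENC <blob>`) are re-encrypted on
# every display, so they are both volatile and sensitive.
ENC_SECRET_RE = re.compile(r"^(\s*set\s+\S+\s+)ENC\s+\S+(.*)$", re.IGNORECASE)


def normalize_fortigate_config(text, filter_secrets=True):
    """Return the capture with volatile lines dropped and secret material redacted."""
    out = []
    in_private_key = False
    for line in text.splitlines():
        line = line.rstrip("\r")
        if in_private_key:
            # Swallow key body lines until the closing quote.
            if PRIVKEY_END_RE.search(line):
                in_private_key = False
            continue
        m = PRIVKEY_BEGIN_RE.match(line)
        if m:
            out.append(m.group(1) + 'set private-key "<removed>"')
            in_private_key = not PRIVKEY_END_RE.search(line)
            continue
        if not line.strip():
            continue
        if any(r.match(line) for r in VOLATILE_LINE_RES):
            continue
        if filter_secrets:
            m = ENC_SECRET_RE.match(line)
            if m:
                line = m.group(1) + "ENC <removed>" + m.group(2)
        out.append(line)
    return "\n".join(out) + "\n"


def fingerprint(text):
    """Digest of the normalized capture; equal digests mean no real change."""
    return hashlib.sha256(normalize_fortigate_config(text).encode()).hexdigest()


def config_changed(old, new):
    return fingerprint(old) != fingerprint(new)


def config_diff(old, new):
    """Unified diff of the normalized captures, i.e. what should reach the diff mail."""
    return list(difflib.unified_diff(
        normalize_fortigate_config(old).splitlines(),
        normalize_fortigate_config(new).splitlines(),
        "previous", "current", lineterm=""))


def constructed_capture(system_time, conf_ver, enc_blob, key_body, extra=""):
    """Constructed FG100A-style capture (not real device output), parameterised
    on the volatile fields the thread reports."""
    return (
        "Version: Fortigate-100A (constructed sample)\n"
        "Virus-DB: 11.00643(2011-01-30 07:16)\n"
        f"System time: {system_time}\n"
        f"#conf_file_ver={conf_ver}\n"
        "config system global\n"
        '    set hostname "gcd-fw"\n'
        "end\n"
        "config system admin\n"
        '    edit "admin"\n'
        f"        set password ENC {enc_blob}\n"
        "    next\n"
        "end\n"
        "config vpn certificate local\n"
        '    edit "Fortinet_Factory"\n'
        '        set private-key "-----BEGIN RSA PRIVATE KEY-----\n'
        f"{key_body}\n"
        '-----END RSA PRIVATE KEY-----"\n'
        "    next\n"
        "end\n" + extra)


# Two hourly captures of an unchanged device, then one with a policy added.
CAPTURE_1 = constructed_capture("Mon Jan 31 22:11:05 2011", "7138776372466847334",
                                "AK1k3Qd9sKQ0o1IsSzYYzJq7aX", "MIIEowIBAAKCAQEAconstructedkey1")
CAPTURE_2 = constructed_capture("Mon Jan 31 23:11:09 2011", "2985214935052655642",
                                "AK1p8Rm2xTv5Ln4QwEaBcDeFgHi", "MIIEowIBAAKCAQEAconstructedkey2")
POLICY_71 = ("config firewall policy\n    edit 71\n        set srcintf \"port1\"\n"
             "        set dstintf \"port8\"\n        set action accept\n    next\nend\n")
CAPTURE_3 = CAPTURE_2 + POLICY_71

if __name__ == "__main__":
    print("hourly re-capture changed config:", config_changed(CAPTURE_1, CAPTURE_2))
    print("policy added changed config:", config_changed(CAPTURE_2, CAPTURE_3))
    print("\n".join(config_diff(CAPTURE_2, CAPTURE_3)))
```

The filter emits a placeholder for the private key and the `ENC` blob rather than deleting the line, so the stored config still shows that a key or password exists while its value never enters the repository or the diff mail.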


imd at acens

Feb 2, 2011, 6:33 AM

Post #5 of 15 (2063 views)
Re: rancid with Fortigate FG100A [In reply to]

Hi,

I have problems getting configs from fortigates:

Version: Fortigate-5001FA2 3.00,build0670,080729

Version: Fortigate-1000AFA2 3.00,build0416,070821

The problem is that I'm not getting the complete config, and the last lines
are like these:

--More--
--More--



No errors in the log.
Rancid version 2.3.6, also tested with earlier versions.


Any help?

Thank you in advance.



On 01/02/11 01:04, "Gavin McCullagh" <gmccullagh [at] gmail> wrote:

>Hi,
>
>On Mon, 31 Jan 2011, Diego Ercolani wrote:
>
>> I've already submitted patch to accomplish fortinet. Here it is the
>>relevant
>> post:
>> http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
>>
>> if you see in the mailing list there are time to time modifications.
>
>I see, thanks very much. I've upgraded to v2.3.6 (I was using the debian
>packages which are v2.3.2) and it seems to work.
>
>The only trouble I see so far is that we're getting repeated patches with
>lines like:
> - !System time: Mon Jan 31 22:11:05 2011
> + !System time: Mon Jan 31 23:11:09 2011
>and:
> - #conf_file_ver=7138776372466847334
> + #conf_file_ver=2985214935052655642
>
>So I'm experimenting with a patch:
>
>--------------------------------------------------------------------------
>-------
>
>--- /usr/local/rancid/bin/fnrancid.orig 2011-01-31 23:59:10.000000000
>+0000
>+++ /usr/local/rancid/bin/fnrancid 2011-01-31 23:59:54.000000000 +0000
>@@ -175,7 +175,7 @@
> next if /^\s*$/;
> last if (/$prompt/);
>
>- next if (/^System Time:/);
>+ next if (/^System Time:/i);
> next if (/^\s*Virus-DB: .*/);
> next if (/^\s*Extended DB: .*/);
> next if (/^\s*IPS-DB: .*/);
>@@ -207,7 +207,7 @@
> # System time is fortigate extraction time
> next if (/^\s*!System time:/);
> # remove occurrances of conf_file_ver
>- next if (/^conf_file_ver=/);
>+ next if (/^#?conf_file_ver=/);
> # filter variabilities between configurations. password encryption
> # upon each display of the configuration.
> if (/^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
>
>--------------------------------------------------------------------------
>-------
>
>I'm also seeing the two RSA Private Keys changing regularly which is very
>odd. I'm not sure if that tells me something's odd about the firewall
>rather than about Rancid, but I'm seeing this on two different FG100A
>firewalls.
>
>Gavin
>
Iñaki Martínez Díez
Networks department
acens Technologies S.L.
imd [at] acens
Telephone: 637 772 156
Fax: 911 418 501
This message may contain confidential information exclusively addressed to its intended recipient.
The copy or distribution of this message is not permitted without the prior express consent by acens.
If you are not the intended recipient of this message please advise the sender and delete it. Thank you.




gmccullagh at gmail

Feb 2, 2011, 7:18 AM

Post #6 of 15 (2073 views)
Re: rancid with Fortigate FG100A [In reply to]

Hi,

On Wed, 02 Feb 2011, Iñaki Martínez Díez wrote:

> I have problems getting configs from fortigates:
>
> Version: Fortigate-5001FA2 3.00,build0670,080729
>
> Version: Fortigate-1000AFA2 3.00,build0416,070821
>
> The problem is not getting complete config and the last lines are like
> these:
>
> --More--
> --More--

The console is in "more" (pager) mode. You need to change it to standard
mode:


gcd-fw # config system console

gcd-fw (console) # set output standard

gcd-fw (console) # end

gcd-fw # show system console
config system console
set output standard
end


If you want it in "more" mode for your own usage, you might need to get the
rancid script to set it to standard, then take its config, then set it back
again. A decent console app would probably achieve the same thing though.

Gavin








heas at shrubbery

Feb 2, 2011, 12:21 PM

Post #7 of 15 (2045 views)
Re: rancid with Fortigate FG100A [In reply to]

Wed, Feb 02, 2011 at 03:18:10PM +0000, Gavin McCullagh:
> Hi,
>
> On Wed, 02 Feb 2011, Iñaki Martínez Díez wrote:
>
> > I have problems getting configs from fortigates:
> >
> > Version: Fortigate-5001FA2 3.00,build0670,080729
> >
> > Version: Fortigate-1000AFA2 3.00,build0416,070821
> >
> > The problem is not getting complete config and the last lines are like
> > these:
> >
> > --More--
> > --More--
>
> The console is in "more" (pager) mode. You need to change it to standard
> mode:
>
>
> gcd-fw # config system console
>
> gcd-fw (console) # set output standard
>
> gcd-fw (console) # end
>
> gcd-fw # show system console
> config system console
> set output standard
> end
>
>
> If you want it in "more" mode for your own usage, you might need to get the
> rancid script to set it to standard, then take its config, then set it back
> again. A decent console app would probably achieve the same thing though.

Assuming that the pager can not be disabled per-tty, which I presume is
what the magic chant 'set output standard' does, teach fnlogin about the
pager. But fnlogin already has a case for the pager. So, why is that
not working?

I'll bet it's failing because there are control characters among the pager
prompt. Set NOPIPE=YES and collect from the device with fnrancid -d hostname,
then look for the pager prompt in the hostname.raw file in your editor. Or
look at the debug output of fnlogin -d hostname to see why the match is
failing.


gmccullagh at gmail

Feb 2, 2011, 2:04 PM

Post #8 of 15 (2051 views)
Re: rancid with Fortigate FG100A [In reply to]

Hi John,

On Wed, 02 Feb 2011, john heasley wrote:

> > The console is in "more" (pager) mode. You need to change it to standard
> > mode:
> >
> > gcd-fw # config system console
> > gcd-fw (console) # set output standard
> > gcd-fw (console) # end

> assuming that the pager can not be disabled per-tty, which i presume is
> what the magic chant 'set output standard' does; teach fnlogin about the
> pager. but, fnlogin already has a case for the pager. So, why is that
> not working?

> I'll bet its failing because there are control characters among the pager
> prompt. set NOPIPE=YES and collect from the device with fnrancid -d hostname
> then look for the pager prompt in the hostname.raw file in your editor. or
> look at the debug output of fnlogin -d hostname to see why the match is
> failing.

You make a compelling point. My guess is the "(console)" in the prompt
too.

I came across the same problem and just disabled the pager manually myself;
I hadn't noticed that the expect script explicitly did this. I'll try and
get time to test and see if the prompt is the issue.

Gavin



imd at acens

Feb 4, 2011, 3:41 AM

Post #9 of 15 (2067 views)
Re: rancid with Fortigate FG100A [In reply to]

Hello,

Debug mode done, I got this:

set authgrp none
--More-- set avgrp none
set fwgrp none



Last lines:

next
--More-- edit "operator"
--More--



NOTE: after "--" there are spaces not tab, checked with 2 editors.


I think the problem is this line in fnlogin:

460 -gl "--More--" { send " "




On 02/02/11 21:25, "john heasley" <heas [at] shrubbery> wrote:

>Wed, Feb 02, 2011 at 03:18:10PM +0000, Gavin McCullagh:
>> Hi,
>>
>> On Wed, 02 Feb 2011, Iñaki Martínez Díez wrote:
>>
>> > I have problems getting configs from fortigates:
>> >
>> > Version: Fortigate-5001FA2 3.00,build0670,080729
>> >
>> > Version: Fortigate-1000AFA2 3.00,build0416,070821
>> >
>> > The problem is not getting complete config and the last lines are
>>like
>> > these:
>> >
>> > --More--
>> > --More--
>>
>> The console is in "more" (pager) mode. You need to change it to
>>standard
>> mode:
>>
>>
>> gcd-fw # config system console
>>
>> gcd-fw (console) # set output standard
>>
>> gcd-fw (console) # end
>>
>> gcd-fw # show system console
>> config system console
>> set output standard
>> end
>>
>>
>> If you want it in "more" mode for your own usage, you might need to get
>>the
>> rancid script to set it to standard, then take its config, then set it
>>back
>> again. A decent console app would probably achieve the same thing
>>though.
>
>assuming that the pager can not be disabled per-tty, which i presume is
>what the magic chant 'set output standard' does; teach fnlogin about the
>pager. but, fnlogin already has a case for the pager. So, why is that
>not working?
>
>I'll bet its failing because there are control characters among the pager
>prompt. set NOPIPE=YES and collect from the device with fnrancid -d
>hostname
>then look for the pager prompt in the hostname.raw file in your editor.
>or
>look at the debug output of fnlogin -d hostname to see why the match is
>failing.
Iñaki Martínez Díez




heas at shrubbery

Feb 4, 2011, 3:33 PM

Post #10 of 15 (2034 views)
Re: rancid with Fortigate FG100A [In reply to]

Fri, Feb 04, 2011 at 12:41:39PM +0100, Iñaki Martínez Díez:
> Hello,
>
> Debug mode done, I got this:
>
> set authgrp none
> --More-- set avgrp none
> set fwgrp none
>
>
>
> Last lines:
>
> next
> --More-- edit "operator"
> --More--
>
>
>
> NOTE: after "--" there are spaces not tab, checked with 2 editors.
>
>
> I think the problem is this line in fnlogin:
>
> 460 -gl "--More--" { send " "

No, that's fine.

I think the device is stupid. My guess is that telnet/ssh sent zero for
the rows tty attribute and that the device's pager is confused.

Is this (from fnlogin) working on your device:
# Disable output paging.
send -- "config system console\r"
expect -re $prompt; send -- "set output standard\r"
expect -re $prompt; send -- "end\r"
expect -re $prompt;

Does a hack like this have an effect:
Index: bin/fnlogin.in
===================================================================
--- bin/fnlogin.in (revision 2282)
+++ bin/fnlogin.in (working copy)
@@ -99,6 +99,8 @@
set password_file $env(CLOGINRC)
}

+stty rows 1024
+
# Sometimes firewall take awhile to answer (the default is 10 sec)
set timeout 45
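Review bot: Expect's `stty` command acts on the script's own controlling terminal (/dev/tty), not on the pty that `spawn` creates later, so `stty rows 1024` at this position only helps indirectly, if `spawn` copies the terminal size from that tty; when rancid runs from cron there is no controlling terminal and the bare `stty` can fail and abort fnlogin before it ever logs in. Wrap it as `catch {stty rows 1024}` here, or set the size on the spawned pty itself after `spawn` with `stty rows 1024 < $spawn_out(slave,name)`, which is what the ssh client reads when it requests the remote pty. The reply in this thread reporting no effect is consistent with the bare form doing nothing in a non-interactive run.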

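The pager discussion in the last few posts comes down to two defences a collector can combine: switch the console to `set output standard` before the dump, and still answer a `--More--` prompt if one appears (because, as the thread shows, the console command may be ignored or silently fail). The Python below is an added example written for this page, not code from rancid, fnlogin or Fortinet; `ConstructedFortiGate` is a toy stand-in for the CLI, `SAMPLE_CONFIG` is constructed, and the bytes the toy device prints after the keypress to erase the pager prompt (carriage return, spaces, carriage return) are an assumption, since the thread only shows `--More--` followed by spaces.

```python
import re

PAGER_PROMPT = "--More--"
# "gcd-fw # " or "gcd-fw (console) # ": hostname, optional context, " # ".
PROMPT_RE = re.compile(r"^\S+( \(\w+\))? # $")
# Pager prompt plus what the device writes to wipe it after a keypress; the
# wipe sequence (CR, spaces, CR) is an assumption made for this example.
PAGER_RESIDUE_RE = re.compile(r"--More-- *(?:\r +\r)?")


class ConstructedFortiGate:
    """Toy stand-in for a FortiOS CLI, constructed for this example (not Fortinet
    code). Long output is paged every PAGE_LINES lines unless output is standard."""

    PAGE_LINES = 4

    def __init__(self, hostname, config_lines, pager=True, console_writable=True):
        self.hostname = hostname
        self.config_lines = list(config_lines)
        self.pager = pager
        self.console_writable = console_writable  # False: "set output standard" is ignored
        self.context = None                       # "console" inside `config system console`
        self._queue = []                          # lines held back by the pager

    def prompt(self):
        ctx = f" ({self.context})" if self.context else ""
        return f"{self.hostname}{ctx} # "

    def _page(self):
        take = self.PAGE_LINES if self.pager else len(self._queue)
        out = "".join(line + "\n" for line in self._queue[:take])
        del self._queue[:take]
        return out + (PAGER_PROMPT + " " if self._queue else self.prompt())

    def send(self, data):
        """Feed one keypress or one CR-terminated command; return what the device prints."""
        if self._queue:                           # paused at --More--
            if data == " ":
                return "\r" + " " * 9 + "\r" + self._page()
            return ""                             # anything else: keep waiting
        cmd = data.rstrip("\r\n")
        if cmd == "config system console":
            self.context = "console"
        elif cmd == "set output standard" and self.context == "console":
            if self.console_writable:
                self.pager = False
        elif cmd == "end":
            self.context = None
        elif cmd == "show full-configuration":
            self._queue = list(self.config_lines)
            return cmd + "\n" + self._page()
        return cmd + "\n" + self.prompt()


def collect_config(device, disable_pager=True, answer_pager=True):
    """Drive the CLI as a login script would and return the raw transcript."""
    transcript = ""
    if disable_pager:
        for cmd in ("config system console", "set output standard", "end"):
            transcript += device.send(cmd + "\r")
    transcript += device.send("show full-configuration\r")
    while answer_pager and transcript.endswith(PAGER_PROMPT + " "):
        transcript += device.send(" ")           # like fnlogin's -gl "--More--" { send " " }
    return transcript


def extract_config(transcript):
    """Strip pager residue; return (config lines, True if the prompt came back)."""
    lines = PAGER_RESIDUE_RE.sub("", transcript).split("\n")
    starts = [i for i, l in enumerate(lines) if l.endswith("show full-configuration")]
    if not starts:
        return [], False
    body, complete = [], False
    for line in lines[starts[-1] + 1:]:
        if PROMPT_RE.match(line):
            complete = True
            break
        body.append(line)
    if not complete and body and body[-1] == "":
        body.pop()                                # partial tail of a truncated capture
    return body, complete


# Constructed config, long enough to be paged three times at PAGE_LINES = 4.
SAMPLE_CONFIG = [
    "config system global", '    set hostname "gcd-fw"', "end",
    "config system admin", '    edit "operator"', "        set authgrp none",
    "        set avgrp none", "        set fwgrp none", "    next", "end",
]


def run_scenarios():
    """Three captures of SAMPLE_CONFIG; each value is True when the outcome matches the thread."""
    results = {}
    dev = ConstructedFortiGate("gcd-fw", SAMPLE_CONFIG)      # console change honoured
    body, complete = extract_config(collect_config(dev))
    results["pager_disabled"] = body == SAMPLE_CONFIG and complete and not dev.pager
    dev = ConstructedFortiGate("gcd-fw", SAMPLE_CONFIG, console_writable=False)
    t = collect_config(dev)                                  # command ignored, --More-- answered
    body, complete = extract_config(t)
    results["pager_answered"] = body == SAMPLE_CONFIG and complete and PAGER_PROMPT in t
    dev = ConstructedFortiGate("gcd-fw", SAMPLE_CONFIG, console_writable=False)
    t = collect_config(dev, answer_pager=False)              # nobody answers: truncated
    body, complete = extract_config(t)
    results["truncated"] = not complete and t.endswith(PAGER_PROMPT + " ") and len(body) < len(SAMPLE_CONFIG)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The third scenario reproduces the symptom reported earlier in the thread, a raw file ending in `--More--`, and `extract_config` reports it as incomplete instead of committing a truncated config; a collector should treat that flag as a failed run rather than a change.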


imd at acens

Feb 10, 2011, 1:07 AM

Post #11 of 15 (2079 views)
Re: rancid with Fortigate FG100A [In reply to]

Hi,


>i think the device is stupid. my guess is that telnet/ssh sent zero for
>the rows tty attribute that the device's pager is confused.


Yes, the device is "very" stupid, and more so with old versions.




>is this (from fnlogin) working on your device:
> # Disable output paging.
> send -- "config system console\r"
> expect -re $prompt; send -- "set output standard\r"
> expect -re $prompt; send -- "end\r"
> expect -re $prompt;


It is ignored, but I think it is the version or user permissions.



>does a hack like this have an affect:
>Index: bin/fnlogin.in
>===================================================================
>--- bin/fnlogin.in (revision 2282)
>+++ bin/fnlogin.in (working copy)
>@@ -99,6 +99,8 @@
> set password_file $env(CLOGINRC)
> }
>
>+stty rows 1024
>+
> # Sometimes firewall take awhile to answer (the default is 10 sec)
> set timeout 45
>


It does not have an effect :(


My best option is:

1) change "set output standard" manually
2) a user with root permissions

With this I got a configuration, but it is different from the TFTP
configuration.

I will try to open a case with Fortinet to try to understand why the config
is different between "show full-configuration" and TFTP.


Iñaki Martínez Díez



gmccullagh at gmail

Jul 6, 2011, 5:28 AM

Post #12 of 15 (1717 views)
Re: rancid with Fortigate FG100A [In reply to]

Hi guys,

On Mon, 31 Jan 2011, Diego Ercolani wrote:

> I've already submitted patch to accomplish fortinet. Here it is the relevant
> post:
> http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
>
> if you see in the mailing list there are time to time modifications.

We've been using this with the 100A and are now using it also with a 200B
(which works fine incidentally).

However, one thing that I wonder is whether we really have the optimal
command to pull the config.

fnrancid currently uses "show full-configuration" to pull the config of the
system. This pulls the absolutely full configuration with every unmodified
default included. The result, for example, is that adding a simple
firewall rule results in a patch like this:

+ edit 71
+ set srcintf "port1"
+ set dstintf "port8"
+ set srcaddr "xxxxxxxxxxxx"
+ set dstaddr "all"
+ set rtp-nat disable
+ set action accept
+ set status enable
+ set dynamic-profile disable
+ unset dynamic-profile-access
+ set schedule "always"
+ set schedule-timeout disable
+ set service "HTTP" "HTTPS"
+ set utm-status disable
+ set logtraffic disable
+ set logtraffic-app enable
+ set auto-asic-offload enable
+ set webcache disable
+ set session-ttl 0
+ set wccp disable
+ set fsso disable
+ set disclaimer disable
+ set natip 0.0.0.0 0.0.0.0
+ set match-vip disable
+ set diffserv-forward disable
+ set diffserv-reverse disable
+ set tcp-mss-sender 0
+ set tcp-mss-receiver 0
+ set comments "Allow xxxxxxxxxxxx to connect for updates"
+ set endpoint-check disable
+ set label ''
+ set global-label ''
+ set replacemsg-override-group ''
+ set identity-based disable
+ set traffic-shaper ''
+ set traffic-shaper-reverse ''
+ set per-ip-shaper ''
+ set nat disable
+ set dynamic-profile-fallthrough disable
+ set client-reputation disable
+ next

Only about five of the above lines were actually chosen, the rest are all
defaults. Personally, I'm inclined more toward using just the "show"
command which pulls the configuration settings that we have actually made
omitting defaults.

Is this "pull absolutely every detail" policy the norm in Rancid?
Obviously I can change this locally myself if I really want.

Gavin

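The trade-off raised in the post above (`show` records only what was set, `show full-configuration` records every default as well) can be made concrete: parse both dumps into path/value pairs and subtract one from the other. The implied defaults are exactly what `show` hides, and comparing them across two `show full-configuration` captures reveals a default that changed underneath an unchanged `show`. This Python is an added example written for this page, not rancid or Fortinet code; the policy 71 fragments are constructed from the lines quoted in the post, and the "after upgrade" capture, in which `logtraffic` flips from `disable` to `enable`, is an invented scenario.

```python
import shlex


def parse_fortios(text):
    """Flatten a FortiOS CLI dump into {path: value}.

    `config a b` and `edit "x"` push onto the path; `set k v...` records a value,
    `unset k` records None; `next`/`end` pop. Comment lines ("#...") are ignored."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)          # honours "quoted names" and ''
        kw, rest = words[0], words[1:]
        if kw == "config":
            stack.append(" ".join(rest))
        elif kw == "edit":
            stack.append(rest[0])
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set":
            settings[tuple(stack) + (rest[0],)] = " ".join(rest[1:])
        elif kw == "unset":
            settings[tuple(stack) + (rest[0],)] = None
    return settings


def implied_defaults(full, explicit):
    """Settings present in `show full-configuration` but absent from `show`:
    the values the firmware fills in for you."""
    return {path: value for path, value in full.items() if path not in explicit}


def default_drift(old_full, old_explicit, new_full, new_explicit):
    """Defaults whose value differs between two captures; `show` alone cannot see these."""
    old = implied_defaults(parse_fortios(old_full), parse_fortios(old_explicit))
    new = implied_defaults(parse_fortios(new_full), parse_fortios(new_explicit))
    return {p: (old.get(p), new.get(p)) for p in sorted(set(old) | set(new))
            if old.get(p) != new.get(p)}


# Constructed from the policy quoted in the post (abbreviated); not a real capture.
FULL_BEFORE = """\
config firewall policy
    edit 71
        set srcintf "port1"
        set dstintf "port8"
        set srcaddr "xxxxxxxxxxxx"
        set dstaddr "all"
        set action accept
        set status enable
        unset dynamic-profile-access
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic disable
        set comments "Allow xxxxxxxxxxxx to connect for updates"
        set label ''
        set nat disable
    next
end
"""

# What `show` prints for the same policy: only the values an operator chose.
EXPLICIT = """\
config firewall policy
    edit 71
        set srcintf "port1"
        set dstintf "port8"
        set srcaddr "xxxxxxxxxxxx"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set comments "Allow xxxxxxxxxxxx to connect for updates"
    next
end
"""

# Invented post-upgrade capture: the operator changed nothing, the firmware's
# default for logtraffic did.
FULL_AFTER = FULL_BEFORE.replace("set logtraffic disable", "set logtraffic enable")

if __name__ == "__main__":
    defaults = implied_defaults(parse_fortios(FULL_BEFORE), parse_fortios(EXPLICIT))
    for path, value in sorted(defaults.items()):
        print("default:", " / ".join(path), "=", value)
    print("drift after upgrade:", default_drift(FULL_BEFORE, EXPLICIT, FULL_AFTER, EXPLICIT))
```

Versioning both dumps gives the best of both choices: the `show` history stays readable (a new policy is a handful of lines), while the implied-defaults history is quiet until a firmware upgrade changes a default, which is the case where a `show`-only archive would be silently wrong.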


diego.ercolani at ssis

Jul 6, 2011, 6:18 AM

Post #13 of 15 (1689 views)
Re: rancid with Fortigate FG100A [In reply to]

Hello,
I don't know Fortigate deeply because, if I can, I prefer to use Linux directly,
so feel free to change the command or the command sequence to perform a
configuration dump.
This is the power of open source: everyone can add a small piece of his
knowledge and bring the community a full (hopefully error-proof) utility.

I have only one clustered installation of Fortigate, and what I noticed is that
from time to time Fortigate adds some line feeds that make it seem as if the
configuration has changed... This is very annoying, but I can't do experiments
because it's a production environment.
Diego

On Wednesday 6 July 2011 14:28:54, Gavin McCullagh wrote:
> Hi guys,
>
> On Mon, 31 Jan 2011, Diego Ercolani wrote:
> > I've already submitted patch to accomplish fortinet. Here it is the
> > relevant post:
> > http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
> >
> > if you see in the mailing list there are time to time modifications.
>
> We've been using this with the 100A and are now using it also with a 200B
> (which works fine incidentally).
>
> However, one thing that I wonder is whether we really have the optimal
> command to pull the config.
>
> fnrancid currently uses "show full-configuration" to pull the config of the
> system. This pulls the absolutely full configuration with every unmodified
> default included. The result, for example, is that adding a simple
> firewall rule results in a patch like this:
>
> + edit 71
> + set srcintf "port1"
> + set dstintf "port8"
> + set srcaddr "xxxxxxxxxxxx"
> + set dstaddr "all"
> + set rtp-nat disable
> + set action accept
> + set status enable
> + set dynamic-profile disable
> + unset dynamic-profile-access
> + set schedule "always"
> + set schedule-timeout disable
> + set service "HTTP" "HTTPS"
> + set utm-status disable
> + set logtraffic disable
> + set logtraffic-app enable
> + set auto-asic-offload enable
> + set webcache disable
> + set session-ttl 0
> + set wccp disable
> + set fsso disable
> + set disclaimer disable
> + set natip 0.0.0.0 0.0.0.0
> + set match-vip disable
> + set diffserv-forward disable
> + set diffserv-reverse disable
> + set tcp-mss-sender 0
> + set tcp-mss-receiver 0
> + set comments "Allow xxxxxxxxxxxx to connect for updates"
> + set endpoint-check disable
> + set label ''
> + set global-label ''
> + set replacemsg-override-group ''
> + set identity-based disable
> + set traffic-shaper ''
> + set traffic-shaper-reverse ''
> + set per-ip-shaper ''
> + set nat disable
> + set dynamic-profile-fallthrough disable
> + set client-reputation disable
> + next
>
> Only about five of the above lines were actually chosen, the rest are all
> defaults. Personally, I'm inclined more toward using just the "show"
> command which pulls the configuration settings that we have actually made
> omitting defaults.
>
> Is this "pull absolutely every detail" policy the norm in Rancid?
> Obviously I can change this locally myself if I really want.
>
> Gavin
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss [at] shrubbery
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss


gmccullagh at gmail

Jul 6, 2011, 6:35 AM

Post #14 of 15 (1678 views)
Re: rancid with Fortigate FG100A [In reply to]

Hi,

On Wed, 06 Jul 2011, Diego Ercolani wrote:

> I don't know fortigate deeply because if I can I prefer to use linux directly,
> so feel free to change the command or the command sequence to perform a
> configuration dump.
> This is the power of open source: everyone can add a small piece of his
> knowledge and bring the community a full (hopefully error-proof) utility.

I couldn't agree more, but I'm hoping to work out what the community
in general thinks. I don't think this question is particularly a Fortigate
one.

In general, is it better for Rancid to record and version the entire
config of a device including defaults, or to just version the non-default
config?

I can see arguments for both:

- when you upgrade firmware, the defaults might change and rancid could
presumably only note these if you version the entire config.

- the config and patches can be quite complex if you version the entire
config.

- if the unit should fail, you get a new one and want to deploy the
config from Rancid, I would usually prefer to just deploy our config
changes and not override the defaults. If rancid holds the full config,
you can't really work out what are defaults and what are your settings.
Perhaps others might prefer to actually set those defaults where
necessary.

I imagine this issue arises with units other than the Fortigates.

> I have only one clustered installation of fortigate and what I noticed is that
> from time to time, fortigate adds some line feeds that make it seem the
> configuration has changed... this is very annoying but I can't do experiments
> because it's a production environment.

I've noticed the same actually, though generally it seems to be within the
"app-detect" lines which are all defaults (at least on our install).
Reducing this problem might be a happy side-effect of versioning the
reduced config.

Gavin


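As an added example, not code from RANCID, fnrancid, or either poster: a small Python script that normalises FortiGate CLI captures the way the thread suggests (drop the volatile "System time:" line, ignore stray line feeds), reports whether a real change occurred between two polls, and, given a caller-supplied table of defaults, strips default "set" lines to produce the reduced view Gavin describes. The captures and the defaults table in it are constructed for the example; they are not real FortiGate output or real FortiGate defaults.

```python
r"""Stable diffs for FortiGate CLI captures.

Added example for this thread; it is not code from RANCID, fnrancid or
either poster.  The "System time:" filter mirrors the
`next if /^\s*System time: /;` line from the fgrancid patch earlier in the
thread; the blank-line handling targets the stray line feeds Diego and
Gavin describe; strip_defaults() shows what a "non-default" view looks
like when a table of defaults is available.  All captures and the
defaults table below are constructed, not real FortiGate output or
real FortiGate defaults.
"""
import difflib
import re

# Lines whose value changes on every poll without anyone touching the box.
# "System time:" is the one from the thread; add further patterns as found.
VOLATILE_LINE_PATTERNS = [
    re.compile(r"^\s*System time: "),
]

SET_LINE = re.compile(r"^(\s*)set (\S+) (.*)$")


def normalize(capture):
    """Return the capture as a list of stable lines.

    Strips carriage returns (fnrancid's tr/\\015//d), drops volatile lines,
    drops empty or whitespace-only lines so a stray line feed from the
    device never shows up as a change, and trims trailing whitespace.
    """
    stable = []
    for raw in capture.splitlines():
        line = raw.replace("\r", "").rstrip()
        if not line.strip():
            continue
        if any(p.match(line) for p in VOLATILE_LINE_PATTERNS):
            continue
        stable.append(line)
    return stable


def config_changed(old, new):
    """True only if something other than volatile noise differs."""
    return normalize(old) != normalize(new)


def config_diff(old, new):
    """Unified diff of the normalised captures, '' when nothing changed."""
    lines = difflib.unified_diff(normalize(old), normalize(new),
                                 fromfile="old", tofile="new", lineterm="")
    return "\n".join(lines)


def strip_defaults(lines, defaults):
    """Drop 'set <attr> <value>' lines whose value equals defaults[attr].

    This is the reduced, "show"-style view derived from a full capture.
    The caller supplies the defaults table; nothing here knows real
    FortiGate defaults.
    """
    kept = []
    for line in lines:
        m = SET_LINE.match(line)
        if m and defaults.get(m.group(2)) == m.group(3):
            continue
        kept.append(line)
    return kept


# Constructed captures.  B differs from A only by the clock and a stray
# CRLF line feed; C adds a second policy.
CAPTURE_A = """\
System time: Wed Jul  6 14:28:54 2011
config firewall policy
    edit 70
        set srcintf "port1"
        set dstintf "port8"
        set action accept
    next
end
"""

CAPTURE_B = CAPTURE_A.replace("14:28:54", "15:28:54").replace(
    "    edit 70\n", "    edit 70\r\n\r\n")

CAPTURE_C = CAPTURE_A.replace("end\n", """\
    edit 71
        set srcintf "port1"
        set dstintf "port8"
        set action accept
        set comments "Allow updates"
    next
end
""")

# Hypothetical defaults table, constructed for the example only.
EXAMPLE_DEFAULTS = {"action": "accept"}

if __name__ == "__main__":
    print("A vs B changed:", config_changed(CAPTURE_A, CAPTURE_B))
    print(config_diff(CAPTURE_A, CAPTURE_C))
    print("\n".join(strip_defaults(normalize(CAPTURE_C), EXAMPLE_DEFAULTS)))
```

Run stand-alone it reports that A and B are unchanged, prints a diff that contains only the new policy 71, and then prints policy 70 and 71 without the "set action accept" lines that the example defaults table marks as default. Versioning both views, as heas suggests below, is a matter of running the raw normalised output into one group and the strip_defaults() output into another.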


heas at shrubbery

Jul 6, 2011, 3:06 PM

Post #15 of 15 (1685 views)
Re: rancid with Fortigate FG100A [In reply to]

Wed, Jul 06, 2011 at 02:35:36PM +0100, Gavin McCullagh:
> On Wed, 06 Jul 2011, Diego Ercolani wrote:
> > This is the power of open source: everyone can add a small piece of his
> > knowledge and bring the community a full (hopefully error-proof) utility.

that's funny.

> In general, is it better for Rancid to record and version the entire
> config of a device including defaults, or to just version the non-default
> config?
>
> I can see arguments for both:
>
> - when you upgrade firmware, the defaults might change and rancid could
> presumably only note these if you version the entire config.

that's the impetus for the command that is used. hopefully the route of
least surprise if you must recover a device's config.

> - if the unit should fail, you get a new one and want to deploy the
> config from Rancid, I would usually prefer to just deploy our config
> changes and not override the defaults. If rancid holds the full config,
> you can't really work out what are defaults and what are your settings.
> Perhaps others might prefer to actually set those defaults where
> necessary.

if that's a concern, perhaps you need a full and non-full version [in separate
groups].

> I imagine this issue arises with units other than the Fortigates.

CatOS.

> > I have only one clustered installation of fortigate and what I noticed is that
> > from time to time, fortigate adds some line feeds that make it seem the
> > configuration has changed... this is very annoying but I can't do experiments
> > because it's a production environment.

perhaps that is a defect in fnrancid's login script?
