Mailing List Archive: RANCID: Users

Fortigate rancid issues

Index | Next | Previous | View Threaded

Drikus.Brits at vodacom

Nov 6, 2011, 10:55 PM

Post #1 of 6 (702 views)
Permalink

Fortigate rancid issues

Hi all,

I've recently added a couple of fortigates onto rancid , and seems to work without issues , however , every couple of hours I get some firewalls diffs with stupid changes it picks up somewhere.

Example :

<snip>

set av-failopen pass

- set av-failopen-session disable

+ set av-failopen-session disable

set batch-cmdb enable
</snip>

Or

<snip>

config system amc-slot

- edit "sw1"

+ edit

+ "sw1"

next

&&

Then the next hour :

end

config system amc-slot

- edit

- "sw1"

+ edit "sw1"

next

end
</snip>

Any ideas what the problem might be as to why it picks up some commands as 2 lines , and then suddenly as 1 ?

Thanks

Drikus.
This e-mail is classified C2 - Vodacom Restricted - Information to be used inside Vodacom but it may be shared with authorised partners.

“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link www.vodacom.co.za/vodacom/terms+and+conditions "

heas at shrubbery

Dec 7, 2011, 2:38 PM

Post #2 of 6 (633 views)
Permalink

Re: Fortigate rancid issues [In reply to]

Mon, Nov 07, 2011 at 06:55:30AM +0000, Drikus Brits:
> Hi all,
>
> I've recently added a couple of fortigates onto rancid , and seems to work without issues , however , every couple of hours I get some firewalls diffs with stupid changes it picks up somewhere.
>
> Example :
>
> <snip>
>
> set av-failopen pass
>
> - set av-failopen-session disable
>
> + set av-failopen-session disable
>
> set batch-cmdb enable
> </snip>
>
> Or
>
> <snip>
>
> config system amc-slot
>
> - edit "sw1"
>
> + edit
>
> + "sw1"
>
> next
>
>
> &&
>
> Then the next hour :
>
>
> end
>
> config system amc-slot
>
> - edit
>
> - "sw1"
>
> + edit "sw1"
>
> next
>
> end
> </snip>
>
>
> Any ideas what the problem might be as to why it picks up some commands as 2 lines , and then suddenly as 1 ?
>
> Thanks

Could you try this patch?

http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html

and, a superset of that (from "Andy") is below. i'd like some confirmation
if these work before committing the change.

Index: bin/fnlogin.in
===================================================================
--- bin/fnlogin.in (revision 2343)
+++ bin/fnlogin.in (working copy)
@@ -451,6 +451,10 @@
expect -re $prompt; send -- "end\r"
expect -re $prompt;

+# see http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html
+ # this is the only way i see to get rid of more prompts in o/p..grrrrr
+ log_user 0
+
set commands [split $command \;]
set num_commands [llength $commands]
for {set i 0} {$i < $num_commands} { incr i} {
@@ -459,10 +463,12 @@
-re "$prompt" { send "\r"
sleep 0.5
}
- -gl "--More--" { send " "
+ -gl "--More--\[^\n\r]*" { send " "
exp_continue
- -re "\[\n\r]+" { exp_continue }
}
+ -re "\[^\r\n]*\[\n\r]+" { send_user -- "$expect_out(buffer)"
+ exp_continue
+ }
}
}
expect {
@@ -573,8 +579,12 @@
}
} elseif { $do_script } {
# Disable output paging.
+ send "config global\r"
+ expect -re $prompt {}
send "config system console\r"
+ expect -re $prompt {}
send "set output standard\r"
+ expect -re $prompt {}
send "end\r"
expect -re $prompt {}
source $sfile
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

GMourani at prival

Dec 12, 2011, 7:19 AM

Post #3 of 6 (663 views)
Permalink

Re: Fortigate rancid issues [In reply to]

Hello,

Even with provided patch, I receive every day diff related to VPN connection crypto keys like the following with my FortiGate 80C:

!set password ENC <removed> !set password ENC <removed>
set private-key "-----BEGIN RSA PRIVATE KEY----- set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FAEBFA3BD9D852E2 DEK-Info: DES-EDE3-CBC,C7650C0C4F6C6104
88melT42IuRmujhlBChB+P/EsRUYA4C5HDEspCCTkawDt5MsIoKIqkx+/afEGCKh 0xk8R9ypKFjgVZtIs+aZjwzotLjg4EHBMunqJUju7b1HJ9NQLCSuQTPom4Cx6sxE
gfqtbliorSZN4hbaFr3TambNuOWy32M1rAsYRbmR4g2PW9k02yAktQQsBIWSciM9 5s9Ust2KISMSsMggDmLVDsSXfPFVSxdOoipMu1AklnhJDBGEwACSqycm2eNVAm4U
fvYIqSDZO6e733S0iikFoya9n0mcEYZilBk46fOzSRdoPEiAuUtc4zCB/uvQLwrk BSt8jPkX1akEHvyCUBSzqaiG2NMmK5MQaZ4434S8VHEWt1RiWfbDzV3QrQZl4AcZ
hJNSuC87AbE9iG0ohvYQgok/xLIPDYdbGLyYK0iBgLDd6qYIzwkINZ1hkNYfyKmx
ex/XeQva24dzLFNxurLFYN7BQdUSCQpe3APpjMfjEfEtTKIt+YHf1fUd6jrmpjeX
vnIzCTyZsTlgIXm6DRlVnFi7bDrUho5y/S9jQrdj2jEUrgZfVnULqfa9A7k145o/ DC/XrG3IfyDSmv0XdZWbFq1b3fuXuSJ2b8PqYkmho9DqU8eegfcxP3F5jiDKz087
ImBnn7zsKPfpQyc8IXPL+OWUwaCdIkaI8/QHCfJk6tZZfQ0YSfjjhVyeGUo8iB2
TsZIsw7ituk5BTqSHj6iy9HViJ/zLeevmEV6WEgcjD4Uz4UvGTyuws/tHJ3F/gH5
njlVCUWd/U8CGk64FuH311lNBSsWpUNWKBlPiCJfssUDRco1JIgn1Jl3jk3qe4kY sinmPC6EGkNLUwKhTdBRIQ0cLBOI25lpfI3dNLc3oRHmi6Spb7W0VUic3b5eRtuN
z6q2e7lPc1FMM70ljRsq7sMhAXrAZNOe890MIzNtDqtMQJph3AiHPPXcWJhfxFym QpDyCfYGX7LYliSnxIBZ34G/YcbgUOJjGvcvhJMR8arVH3V09yS5jD2DTthY3dWI

Gerhard,

-----Original Message-----
From: rancid-discuss-bounces [at] shrubbery [mailto:rancid-discuss-bounces [at] shrubbery] On Behalf Of john heasley
Sent: December-07-11 5:39 PM
To: Drikus Brits
Cc: rancid-discuss [at] shrubbery
Subject: Re: [rancid] Fortigate rancid issues

Mon, Nov 07, 2011 at 06:55:30AM +0000, Drikus Brits:
> Hi all,
>
> I've recently added a couple of fortigates onto rancid , and seems to work without issues , however , every couple of hours I get some firewalls diffs with stupid changes it picks up somewhere.
>
> Example :
>
> <snip>
>
> set av-failopen pass
>
> - set av-failopen-session disable
>
> + set av-failopen-session disable
>
> set batch-cmdb enable
> </snip>
>
> Or
>
> <snip>
>
> config system amc-slot
>
> - edit "sw1"
>
> + edit
>
> + "sw1"
>
> next
>
>
> &&
>
> Then the next hour :
>
>
> end
>
> config system amc-slot
>
> - edit
>
> - "sw1"
>
> + edit "sw1"
>
> next
>
> end
> </snip>
>
>
> Any ideas what the problem might be as to why it picks up some commands as 2 lines , and then suddenly as 1 ?
>
> Thanks

Could you try this patch?

http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html

and, a superset of that (from "Andy") is below. i'd like some confirmation if these work before committing the change.

Index: bin/fnlogin.in
===================================================================
--- bin/fnlogin.in (revision 2343)
+++ bin/fnlogin.in (working copy)
@@ -451,6 +451,10 @@
expect -re $prompt; send -- "end\r"
expect -re $prompt;

+# see http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html
+ # this is the only way i see to get rid of more prompts in o/p..grrrrr
+ log_user 0
+
set commands [split $command \;]
set num_commands [llength $commands]
for {set i 0} {$i < $num_commands} { incr i} { @@ -459,10 +463,12 @@
-re "$prompt" { send "\r"
sleep 0.5
}
- -gl "--More--" { send " "
+ -gl "--More--\[^\n\r]*" { send " "
exp_continue
- -re "\[\n\r]+" { exp_continue }
}
+ -re "\[^\r\n]*\[\n\r]+" { send_user -- "$expect_out(buffer)"
+ exp_continue
+ }
}
}
expect {
@@ -573,8 +579,12 @@
}
} elseif { $do_script } {
# Disable output paging.
+ send "config global\r"
+ expect -re $prompt {}
send "config system console\r"
+ expect -re $prompt {}
send "set output standard\r"
+ expect -re $prompt {}
send "end\r"
expect -re $prompt {}
source $sfile
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

Drikus.Brits at vodacom

Dec 12, 2011, 7:25 AM

Post #4 of 6 (623 views)
Permalink

Re: Fortigate rancid issues [In reply to]

HI,

Hehe, the below won't fix the certificate that is changing the whole time, if you want to get rid of that you need to make the following changes :

fnrancid

@209,9
# -- http://www.shrubbery.net/pipermail/rancid-discuss/2011-February/005488.html
# -- spot the start of an RSA private key
$priv_key = 1 if(/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/);
# spot the end of an RSA private key
$priv_key = 0 && next if(/^\s*-----END RSA PRIVATE KEY-----"/);
next if($priv_key == 1);
## end of hack

It works well. As for the patch from john & andy, it seems to be working, as I have not yet had some of those fortigate issues.

I'd like to monitor till the end of the week before I'd say go ahead with the changes.

d.

-----Original Message-----
From: Gerhard Mourani [mailto:GMourani [at] prival]
Sent: Monday, December 12, 2011 5:19 PM
To: john heasley; Drikus Brits
Cc: rancid-discuss [at] shrubbery
Subject: RE: [rancid] Fortigate rancid issues

Hello,

Even with provided patch, I receive every day diff related to VPN connection crypto keys like the following with my FortiGate 80C:

!set password ENC <removed> !set password ENC <removed>
set private-key "-----BEGIN RSA PRIVATE KEY----- set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FAEBFA3BD9D852E2 DEK-Info: DES-EDE3-CBC,C7650C0C4F6C6104
88melT42IuRmujhlBChB+P/EsRUYA4C5HDEspCCTkawDt5MsIoKIqkx+/afEGCKh 0xk8R9ypKFjgVZtIs+aZjwzotLjg4EHBMunqJUju7b1HJ9NQLCSuQTPom4Cx6sxE
gfqtbliorSZN4hbaFr3TambNuOWy32M1rAsYRbmR4g2PW9k02yAktQQsBIWSciM9 5s9Ust2KISMSsMggDmLVDsSXfPFVSxdOoipMu1AklnhJDBGEwACSqycm2eNVAm4U
fvYIqSDZO6e733S0iikFoya9n0mcEYZilBk46fOzSRdoPEiAuUtc4zCB/uvQLwrk BSt8jPkX1akEHvyCUBSzqaiG2NMmK5MQaZ4434S8VHEWt1RiWfbDzV3QrQZl4AcZ
hJNSuC87AbE9iG0ohvYQgok/xLIPDYdbGLyYK0iBgLDd6qYIzwkINZ1hkNYfyKmx
ex/XeQva24dzLFNxurLFYN7BQdUSCQpe3APpjMfjEfEtTKIt+YHf1fUd6jrmpjeX
vnIzCTyZsTlgIXm6DRlVnFi7bDrUho5y/S9jQrdj2jEUrgZfVnULqfa9A7k145o/ DC/XrG3IfyDSmv0XdZWbFq1b3fuXuSJ2b8PqYkmho9DqU8eegfcxP3F5jiDKz087
ImBnn7zsKPfpQyc8IXPL+OWUwaCdIkaI8/QHCfJk6tZZfQ0YSfjjhVyeGUo8iB2
TsZIsw7ituk5BTqSHj6iy9HViJ/zLeevmEV6WEgcjD4Uz4UvGTyuws/tHJ3F/gH5
njlVCUWd/U8CGk64FuH311lNBSsWpUNWKBlPiCJfssUDRco1JIgn1Jl3jk3qe4kY sinmPC6EGkNLUwKhTdBRIQ0cLBOI25lpfI3dNLc3oRHmi6Spb7W0VUic3b5eRtuN
z6q2e7lPc1FMM70ljRsq7sMhAXrAZNOe890MIzNtDqtMQJph3AiHPPXcWJhfxFym QpDyCfYGX7LYliSnxIBZ34G/YcbgUOJjGvcvhJMR8arVH3V09yS5jD2DTthY3dWI

Gerhard,

-----Original Message-----
From: rancid-discuss-bounces [at] shrubbery [mailto:rancid-discuss-bounces [at] shrubbery] On Behalf Of john heasley
Sent: December-07-11 5:39 PM
To: Drikus Brits
Cc: rancid-discuss [at] shrubbery
Subject: Re: [rancid] Fortigate rancid issues

Mon, Nov 07, 2011 at 06:55:30AM +0000, Drikus Brits:
> Hi all,
>
> I've recently added a couple of fortigates onto rancid , and seems to work without issues , however , every couple of hours I get some firewalls diffs with stupid changes it picks up somewhere.
>
> Example :
>
> <snip>
>
> set av-failopen pass
>
> - set av-failopen-session disable
>
> + set av-failopen-session disable
>
> set batch-cmdb enable
> </snip>
>
> Or
>
> <snip>
>
> config system amc-slot
>
> - edit "sw1"
>
> + edit
>
> + "sw1"
>
> next
>
>
> &&
>
> Then the next hour :
>
>
> end
>
> config system amc-slot
>
> - edit
>
> - "sw1"
>
> + edit "sw1"
>
> next
>
> end
> </snip>
>
>
> Any ideas what the problem might be as to why it picks up some commands as 2 lines , and then suddenly as 1 ?
>
> Thanks

Could you try this patch?

http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html

and, a superset of that (from "Andy") is below. i'd like some confirmation if these work before committing the change.

Index: bin/fnlogin.in
===================================================================
--- bin/fnlogin.in (revision 2343)
+++ bin/fnlogin.in (working copy)
@@ -451,6 +451,10 @@
expect -re $prompt; send -- "end\r"
expect -re $prompt;

+# see http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html
+ # this is the only way i see to get rid of more prompts in o/p..grrrrr
+ log_user 0
+
set commands [split $command \;]
set num_commands [llength $commands]
for {set i 0} {$i < $num_commands} { incr i} { @@ -459,10 +463,12 @@
-re "$prompt" { send "\r"
sleep 0.5
}
- -gl "--More--" { send " "
+ -gl "--More--\[^\n\r]*" { send " "
exp_continue
- -re "\[\n\r]+" { exp_continue }
}
+ -re "\[^\r\n]*\[\n\r]+" { send_user -- "$expect_out(buffer)"
+ exp_continue
+ }
}
}
expect {
@@ -573,8 +579,12 @@
}
} elseif { $do_script } {
# Disable output paging.
+ send "config global\r"
+ expect -re $prompt {}
send "config system console\r"
+ expect -re $prompt {}
send "set output standard\r"
+ expect -re $prompt {}
send "end\r"
expect -re $prompt {}
source $sfile
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
This e-mail is classified C2 - Vodacom Restricted - Information to be used inside Vodacom but it may be shared with authorised partners.
“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link www.vodacom.co.za/vodacom/terms+and+conditions "

GMourani at prival

Dec 12, 2011, 7:32 AM

Post #5 of 6 (619 views)
Permalink

Re: Fortigate rancid issues [In reply to]

Thanks, I've applied the changes and will let all know if this work for me too after some days.

-----Original Message-----
From: Drikus Brits [mailto:Drikus.Brits [at] vodacom]
Sent: December-12-11 10:25 AM
To: Gerhard Mourani; john heasley
Cc: rancid-discuss [at] shrubbery
Subject: RE: [rancid] Fortigate rancid issues

HI,

Hehe, the below won't fix the certificate that is changing the whole time, if you want to get rid of that you need to make the following changes :

fnrancid

@209,9
# -- http://www.shrubbery.net/pipermail/rancid-discuss/2011-February/005488.html
# -- spot the start of an RSA private key
$priv_key = 1 if(/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/);
# spot the end of an RSA private key
$priv_key = 0 && next if(/^\s*-----END RSA PRIVATE KEY-----"/);
next if($priv_key == 1);
## end of hack

It works well. As for the patch from john & andy, it seems to be working, as I have not yet had some of those fortigate issues.

I'd like to monitor till the end of the week before I'd say go ahead with the changes.

d.

-----Original Message-----
From: Gerhard Mourani [mailto:GMourani [at] prival]
Sent: Monday, December 12, 2011 5:19 PM
To: john heasley; Drikus Brits
Cc: rancid-discuss [at] shrubbery
Subject: RE: [rancid] Fortigate rancid issues

Hello,

Even with provided patch, I receive every day diff related to VPN connection crypto keys like the following with my FortiGate 80C:

!set password ENC <removed> !set password ENC <removed>
set private-key "-----BEGIN RSA PRIVATE KEY----- set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FAEBFA3BD9D852E2 DEK-Info: DES-EDE3-CBC,C7650C0C4F6C6104
88melT42IuRmujhlBChB+P/EsRUYA4C5HDEspCCTkawDt5MsIoKIqkx+/afEGCKh 0xk8R9ypKFjgVZtIs+aZjwzotLjg4EHBMunqJUju7b1HJ9NQLCSuQTPom4Cx6sxE
gfqtbliorSZN4hbaFr3TambNuOWy32M1rAsYRbmR4g2PW9k02yAktQQsBIWSciM9 5s9Ust2KISMSsMggDmLVDsSXfPFVSxdOoipMu1AklnhJDBGEwACSqycm2eNVAm4U
fvYIqSDZO6e733S0iikFoya9n0mcEYZilBk46fOzSRdoPEiAuUtc4zCB/uvQLwrk BSt8jPkX1akEHvyCUBSzqaiG2NMmK5MQaZ4434S8VHEWt1RiWfbDzV3QrQZl4AcZ
hJNSuC87AbE9iG0ohvYQgok/xLIPDYdbGLyYK0iBgLDd6qYIzwkINZ1hkNYfyKmx
ex/XeQva24dzLFNxurLFYN7BQdUSCQpe3APpjMfjEfEtTKIt+YHf1fUd6jrmpjeX
vnIzCTyZsTlgIXm6DRlVnFi7bDrUho5y/S9jQrdj2jEUrgZfVnULqfa9A7k145o/ DC/XrG3IfyDSmv0XdZWbFq1b3fuXuSJ2b8PqYkmho9DqU8eegfcxP3F5jiDKz087
ImBnn7zsKPfpQyc8IXPL+OWUwaCdIkaI8/QHCfJk6tZZfQ0YSfjjhVyeGUo8iB2
TsZIsw7ituk5BTqSHj6iy9HViJ/zLeevmEV6WEgcjD4Uz4UvGTyuws/tHJ3F/gH5
njlVCUWd/U8CGk64FuH311lNBSsWpUNWKBlPiCJfssUDRco1JIgn1Jl3jk3qe4kY sinmPC6EGkNLUwKhTdBRIQ0cLBOI25lpfI3dNLc3oRHmi6Spb7W0VUic3b5eRtuN
z6q2e7lPc1FMM70ljRsq7sMhAXrAZNOe890MIzNtDqtMQJph3AiHPPXcWJhfxFym QpDyCfYGX7LYliSnxIBZ34G/YcbgUOJjGvcvhJMR8arVH3V09yS5jD2DTthY3dWI

Gerhard,

-----Original Message-----
From: rancid-discuss-bounces [at] shrubbery [mailto:rancid-discuss-bounces [at] shrubbery] On Behalf Of john heasley
Sent: December-07-11 5:39 PM
To: Drikus Brits
Cc: rancid-discuss [at] shrubbery
Subject: Re: [rancid] Fortigate rancid issues

Mon, Nov 07, 2011 at 06:55:30AM +0000, Drikus Brits:
> Hi all,
>
> I've recently added a couple of fortigates onto rancid , and seems to work without issues , however , every couple of hours I get some firewalls diffs with stupid changes it picks up somewhere.
>
> Example :
>
> <snip>
>
> set av-failopen pass
>
> - set av-failopen-session disable
>
> + set av-failopen-session disable
>
> set batch-cmdb enable
> </snip>
>
> Or
>
> <snip>
>
> config system amc-slot
>
> - edit "sw1"
>
> + edit
>
> + "sw1"
>
> next
>
>
> &&
>
> Then the next hour :
>
>
> end
>
> config system amc-slot
>
> - edit
>
> - "sw1"
>
> + edit "sw1"
>
> next
>
> end
> </snip>
>
>
> Any ideas what the problem might be as to why it picks up some commands as 2 lines , and then suddenly as 1 ?
>
> Thanks

Could you try this patch?

http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html

and, a superset of that (from "Andy") is below. i'd like some confirmation if these work before committing the change.

Index: bin/fnlogin.in
===================================================================
--- bin/fnlogin.in (revision 2343)
+++ bin/fnlogin.in (working copy)
@@ -451,6 +451,10 @@
expect -re $prompt; send -- "end\r"
expect -re $prompt;

+# see http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html
+ # this is the only way i see to get rid of more prompts in o/p..grrrrr
+ log_user 0
+
set commands [split $command \;]
set num_commands [llength $commands]
for {set i 0} {$i < $num_commands} { incr i} { @@ -459,10 +463,12 @@
-re "$prompt" { send "\r"
sleep 0.5
}
- -gl "--More--" { send " "
+ -gl "--More--\[^\n\r]*" { send " "
exp_continue
- -re "\[\n\r]+" { exp_continue }
}
+ -re "\[^\r\n]*\[\n\r]+" { send_user -- "$expect_out(buffer)"
+ exp_continue
+ }
}
}
expect {
@@ -573,8 +579,12 @@
}
} elseif { $do_script } {
# Disable output paging.
+ send "config global\r"
+ expect -re $prompt {}
send "config system console\r"
+ expect -re $prompt {}
send "set output standard\r"
+ expect -re $prompt {}
send "end\r"
expect -re $prompt {}
source $sfile
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
This e-mail is classified C2 - Vodacom Restricted - Information to be used inside Vodacom but it may be shared with authorised partners.
?This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link www.vodacom.co.za/vodacom/terms+and+conditions "
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

GMourani at prival

Dec 14, 2011, 1:27 PM

Post #6 of 6 (640 views)
Permalink

Re: Fortigate rancid issues [In reply to]

Guys,

Just to let you know that the provided patches worked for me with our FortiGate. Big thanks to you. Also since it`s working now, it should be interesting to improve it again and add support for FortiAnalyzer and FortiWeb too which are wildly used now.

Regards,

-----Original Message-----
From: Gerhard Mourani
Sent: December-12-11 10:32 AM
To: 'Drikus Brits'; john heasley
Cc: rancid-discuss [at] shrubbery
Subject: RE: [rancid] Fortigate rancid issues

Thanks, I've applied the changes and will let all know if this work for me too after some days.

-----Original Message-----
From: Drikus Brits [mailto:Drikus.Brits [at] vodacom]
Sent: December-12-11 10:25 AM
To: Gerhard Mourani; john heasley
Cc: rancid-discuss [at] shrubbery
Subject: RE: [rancid] Fortigate rancid issues

HI,

Hehe, the below won't fix the certificate that is changing the whole time, if you want to get rid of that you need to make the following changes :

fnrancid

@209,9
# -- http://www.shrubbery.net/pipermail/rancid-discuss/2011-February/005488.html
# -- spot the start of an RSA private key
$priv_key = 1 if(/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/);
# spot the end of an RSA private key
$priv_key = 0 && next if(/^\s*-----END RSA PRIVATE KEY-----"/);
next if($priv_key == 1);
## end of hack

It works well. As for the patch from john & andy, it seems to be working, as I have not yet had some of those fortigate issues.

I'd like to monitor till the end of the week before I'd say go ahead with the changes.

d.

-----Original Message-----
From: Gerhard Mourani [mailto:GMourani [at] prival]
Sent: Monday, December 12, 2011 5:19 PM
To: john heasley; Drikus Brits
Cc: rancid-discuss [at] shrubbery
Subject: RE: [rancid] Fortigate rancid issues

Hello,

Even with provided patch, I receive every day diff related to VPN connection crypto keys like the following with my FortiGate 80C:

!set password ENC <removed> !set password ENC <removed>
set private-key "-----BEGIN RSA PRIVATE KEY----- set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FAEBFA3BD9D852E2 DEK-Info: DES-EDE3-CBC,C7650C0C4F6C6104
88melT42IuRmujhlBChB+P/EsRUYA4C5HDEspCCTkawDt5MsIoKIqkx+/afEGCKh 0xk8R9ypKFjgVZtIs+aZjwzotLjg4EHBMunqJUju7b1HJ9NQLCSuQTPom4Cx6sxE
gfqtbliorSZN4hbaFr3TambNuOWy32M1rAsYRbmR4g2PW9k02yAktQQsBIWSciM9 5s9Ust2KISMSsMggDmLVDsSXfPFVSxdOoipMu1AklnhJDBGEwACSqycm2eNVAm4U
fvYIqSDZO6e733S0iikFoya9n0mcEYZilBk46fOzSRdoPEiAuUtc4zCB/uvQLwrk BSt8jPkX1akEHvyCUBSzqaiG2NMmK5MQaZ4434S8VHEWt1RiWfbDzV3QrQZl4AcZ
hJNSuC87AbE9iG0ohvYQgok/xLIPDYdbGLyYK0iBgLDd6qYIzwkINZ1hkNYfyKmx
ex/XeQva24dzLFNxurLFYN7BQdUSCQpe3APpjMfjEfEtTKIt+YHf1fUd6jrmpjeX
vnIzCTyZsTlgIXm6DRlVnFi7bDrUho5y/S9jQrdj2jEUrgZfVnULqfa9A7k145o/ DC/XrG3IfyDSmv0XdZWbFq1b3fuXuSJ2b8PqYkmho9DqU8eegfcxP3F5jiDKz087
ImBnn7zsKPfpQyc8IXPL+OWUwaCdIkaI8/QHCfJk6tZZfQ0YSfjjhVyeGUo8iB2
TsZIsw7ituk5BTqSHj6iy9HViJ/zLeevmEV6WEgcjD4Uz4UvGTyuws/tHJ3F/gH5
njlVCUWd/U8CGk64FuH311lNBSsWpUNWKBlPiCJfssUDRco1JIgn1Jl3jk3qe4kY sinmPC6EGkNLUwKhTdBRIQ0cLBOI25lpfI3dNLc3oRHmi6Spb7W0VUic3b5eRtuN
z6q2e7lPc1FMM70ljRsq7sMhAXrAZNOe890MIzNtDqtMQJph3AiHPPXcWJhfxFym QpDyCfYGX7LYliSnxIBZ34G/YcbgUOJjGvcvhJMR8arVH3V09yS5jD2DTthY3dWI

Gerhard,

-----Original Message-----
From: rancid-discuss-bounces [at] shrubbery [mailto:rancid-discuss-bounces [at] shrubbery] On Behalf Of john heasley
Sent: December-07-11 5:39 PM
To: Drikus Brits
Cc: rancid-discuss [at] shrubbery
Subject: Re: [rancid] Fortigate rancid issues

Mon, Nov 07, 2011 at 06:55:30AM +0000, Drikus Brits:
> Hi all,
>
> I've recently added a couple of fortigates onto rancid , and seems to work without issues , however , every couple of hours I get some firewalls diffs with stupid changes it picks up somewhere.
>
> Example :
>
> <snip>
>
> set av-failopen pass
>
> - set av-failopen-session disable
>
> + set av-failopen-session disable
>
> set batch-cmdb enable
> </snip>
>
> Or
>
> <snip>
>
> config system amc-slot
>
> - edit "sw1"
>
> + edit
>
> + "sw1"
>
> next
>
>
> &&
>
> Then the next hour :
>
>
> end
>
> config system amc-slot
>
> - edit
>
> - "sw1"
>
> + edit "sw1"
>
> next
>
> end
> </snip>
>
>
> Any ideas what the problem might be as to why it picks up some commands as 2 lines , and then suddenly as 1 ?
>
> Thanks

Could you try this patch?

http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html

and, a superset of that (from "Andy") is below. i'd like some confirmation if these work before committing the change.

Index: bin/fnlogin.in
===================================================================
--- bin/fnlogin.in (revision 2343)
+++ bin/fnlogin.in (working copy)
@@ -451,6 +451,10 @@
expect -re $prompt; send -- "end\r"
expect -re $prompt;

+# see http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html
+ # this is the only way i see to get rid of more prompts in o/p..grrrrr
+ log_user 0
+
set commands [split $command \;]
set num_commands [llength $commands]
for {set i 0} {$i < $num_commands} { incr i} { @@ -459,10 +463,12 @@
-re "$prompt" { send "\r"
sleep 0.5
}
- -gl "--More--" { send " "
+ -gl "--More--\[^\n\r]*" { send " "
exp_continue
- -re "\[\n\r]+" { exp_continue }
}
+ -re "\[^\r\n]*\[\n\r]+" { send_user -- "$expect_out(buffer)"
+ exp_continue
+ }
}
}
expect {
@@ -573,8 +579,12 @@
}
} elseif { $do_script } {
# Disable output paging.
+ send "config global\r"
+ expect -re $prompt {}
send "config system console\r"
+ expect -re $prompt {}
send "set output standard\r"
+ expect -re $prompt {}
send "end\r"
expect -re $prompt {}
source $sfile
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
This e-mail is classified C2 - Vodacom Restricted - Information to be used inside Vodacom but it may be shared with authorised partners.
?This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link www.vodacom.co.za/vodacom/terms+and+conditions "
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads