Discussion:
[rancid] rancid with Fortigate FG100A
Gavin McCullagh
2011-01-30 17:02:34 UTC
Hi,

we're just starting to use Rancid and have started off with a Fortigate
FG100A firewall. Regrettably, the existing scripts (nlogin, fnrancid)
don't quite work with it.

I've managed to patch those to get what seems to be a working setup (see
below). The prompt is different, the get config command is slightly
different and you need to strip out the "System time" from the status or
else you get a patch every hour.

Would it be of interest to add support to the project?

Gavin


--- nlogin 2011-01-27 17:19:04.000000000 +0000
+++ fglogin 2011-01-30 15:00:21.000000000 +0000
@@ -482,7 +482,7 @@
set router [string tolower $router]
send_user "$router\n"

- set prompt {-> }
+ set prompt " #"

# Figure out passwords
if { $do_passwd || $do_enapasswd } {
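Review bot: the replacement prompt `set prompt " #"` is unanchored, so `expect -re $prompt` fires on any space followed by '#' in the output, not only on the command prompt; FortiGate config lines can contain that sequence inside quoted strings (a `set comments "... #1"` line, for example), which would cut a dump short. Anchor the pattern to the end of the buffer and, better, include the hostname that precedes the '#'. Note also that this diff is based on nlogin (the NetScreen script); the reply below points out that a Fortinet-specific fnlogin has already been contributed to rancid and is where this change belongs.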
@@ -557,7 +557,7 @@
continue
}
} elseif { $do_script } {
- send "set console page 0\r"
+ #send "set console page 0\r"
expect -re $prompt {}
source $sfile
catch {close};
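Review bot: commenting out `send "set console page 0\r"` removes the pager disable without substituting the FortiGate equivalent, so on a device with the default console setting the config dump stalls at `--More--` (the exact symptom reported later in this thread). Send `config system console`, `set output standard`, `end` at this point instead, which is what the fnlogin quoted further down does.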



--- fnrancid 2011-01-30 15:48:57.000000000 +0000
+++ fgrancid 2011-01-30 15:49:48.000000000 +0000
@@ -59,7 +59,7 @@
$file = $opt_f;
$host = $ARGV[0];
$found_end = 0;
-$timeo = 90; # nlogin timeout in seconds
+$timeo = 90; # fglogin timeout in seconds

my(@commandtable, %commands, @commands);# command lists
my($aclsort) = ("ipsort"); # ACL sorting mode
@@ -173,6 +173,7 @@
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
+ next if /^\s*System time: /;
last if(/$prompt/);
ProcessHistory("","","","$_");
#print STDOUT "$_";
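Review bot: `next if /^\s*System time: /;` is case-sensitive and requires a trailing space, yet both `System Time:` (the existing fnrancid check) and `System time:` (the diff output quoted later in this thread) occur; use `/^\s*System time:/i` so both forms are dropped and the line still matches when nothing follows the colon.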
@@ -214,7 +215,7 @@
# Main
@commandtable = (
{'get system status' => 'GetSystem'},
- {'get conf' => 'GetConf'}
+ {'show ' => 'GetConf'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
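Review bot: the trailing space in the key `'show '` is fragile: the keys are joined into `$cmds_regexp` and matched with `/#\s*($cmds_regexp)\s*$/`, so if the device echoes the command as `show` with nothing after it the regex never matches, GetConf never runs and the host ends up in "missed cmd(s)". Use `'show'`, or `'show full-configuration'` (which fnrancid in 2.3.6 uses; the trade-off between the two is discussed later in this thread).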
@@ -242,13 +243,13 @@
print STDERR "opening file $host\n" if ($debug);
print STDOUT "opening file $host\n" if ($log);
open(INPUT,"<$host") || die "open failed for $host: $!\n"; } else {
- print STDERR "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
- print STDOUT "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
+ print STDERR "executing fglogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
+ print STDOUT "executing fglogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
if (defined($ENV{NOPIPE})) {
- system "nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "nlogin failed for $host: $!\n";
- open(INPUT, "< $host.raw") || die "nlogin failed for $host: $!\n";
+ system "fglogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "fglogin failed for $host: $!\n";
+ open(INPUT, "< $host.raw") || die "fglogin failed for $host: $!\n";
} else {
- open(INPUT,"nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "nlogin failed for $host: $!\n";
+ open(INPUT,"fglogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "fglogin failed for $host: $!\n";
}
}
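Review bot: the `system "fglogin ..." || die "fglogin failed ..."` lines never reach the `die`: `system` is a list operator, so the `||` binds to its argument string, and even with parentheses `system` returns 0 on success, so the test is inverted. Check `$?` after the call instead. The defect is inherited from nlogin, but since this hunk rewrites those lines it is the place to fix it.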

@@ -276,13 +277,13 @@
TOP: while(<INPUT>) {
tr/\015//d;
if (/^Error:/) {
- print STDOUT ("$host nlogin error: $_");
- print STDERR ("$host nlogin error: $_") if ($debug);
+ print STDOUT ("$host fglogin error: $_");
+ print STDERR ("$host fglogin error: $_") if ($debug);
last;
}
- while (/>\s*($cmds_regexp)\s*$/) {
+ while (/#\s*($cmds_regexp)\s*$/) {
$cmd = $1;
- if (!defined($prompt)) { $prompt = " >\s*"; }
+ if (!defined($prompt)) { $prompt = " #\s*"; }
print STDERR ("HIT COMMAND:$_") if ($debug);
if (!defined($commands{$cmd})) {
print STDERR "$host: found unexpected command - \"$cmd\"\n";
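Review bot: `while (/#\s*($cmds_regexp)\s*$/)` keys on a bare '#' rather than on the hostname prompt, and the default `$prompt = " #\s*"` is built in a double-quoted Perl string, where `\s` is not an escape (Perl passes it through as a plain `s`), so the pattern that is actually compiled is ` #s*`; it still matches ` #`, but not for the reason the code suggests. Build the default prompt with single quotes or `qr//` and anchor it on the hostname, so that a '#' inside config output cannot be mistaken for a command echo.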
@@ -307,6 +308,7 @@
}

# check for completeness
+printf STDERR scalar(%commands) . "\n";
if (scalar(%commands) || !$found_end) {
if (scalar(%commands)) {
printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
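Review bot: the added `printf STDERR scalar(%commands) . "\n";` is an unconditional debugging print that will run on every collection and end up in cron mail; either remove it or guard it with `if ($debug)`, and use `print` rather than `printf` since the argument is data, not a format string.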
Diego Ercolani
2011-01-31 09:09:59 UTC
Hi.
I've already submitted a patch to support Fortinet. Here is the relevant
post:
http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html

If you look in the mailing list, there are modifications from time to time.

Hope this helps
Diego
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Gavin McCullagh
2011-02-01 00:04:15 UTC
Hi,
Post by Diego Ercolani
I've already submitted a patch to support Fortinet. Here is the relevant post:
http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
if you see in the mailing list there are time to time modifications.
I see, thanks very much. I've upgraded to v2.3.6 (I was using the debian
packages which are v2.3.2) and it seems to work.

The only trouble I see so far is that we're getting repeated patches with
lines like:
- !System time: Mon Jan 31 22:11:05 2011
+ !System time: Mon Jan 31 23:11:09 2011
and:
- #conf_file_ver=7138776372466847334
+ #conf_file_ver=2985214935052655642

So I'm experimenting with a patch:

---------------------------------------------------------------------------------

--- /usr/local/rancid/bin/fnrancid.orig 2011-01-31 23:59:10.000000000 +0000
+++ /usr/local/rancid/bin/fnrancid 2011-01-31 23:59:54.000000000 +0000
@@ -175,7 +175,7 @@
next if /^\s*$/;
last if (/$prompt/);

- next if (/^System Time:/);
+ next if (/^System Time:/i);
next if (/^\s*Virus-DB: .*/);
next if (/^\s*Extended DB: .*/);
next if (/^\s*IPS-DB: .*/);
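Review bot: this diff is taken against the installed /usr/local/rancid/bin/fnrancid; for submission it should be against bin/fnrancid.in in the source tree (the form used later in this thread), since the installed script is generated from it. The `/i` itself is the right fix for the mixed-case header; consider also giving the line the `^\s*` prefix that the neighbouring Virus-DB / Extended DB / IPS-DB filters use, so an indented header is dropped as well.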
@@ -207,7 +207,7 @@
# System time is fortigate extraction time
next if (/^\s*!System time:/);
# remove occurrances of conf_file_ver
- next if (/^conf_file_ver=/);
+ next if (/^#?conf_file_ver=/);
# filter variabilities between configurations. password encryption
# upon each display of the configuration.
if (/^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {

---------------------------------------------------------------------------------

I'm also seeing the two RSA Private Keys changing regularly which is very
odd. I'm not sure if that tells me something's odd about the firewall
rather than about Rancid, but I'm seeing this on two different FG100A
firewalls.

Gavin
Gavin McCullagh
2011-02-02 10:25:01 UTC
Hi,
Post by Gavin McCullagh
I'm also seeing the two RSA Private Keys changing regularly which is very
odd. I'm not sure if that tells me something's odd about the firewall
rather than about Rancid, but I'm seeing this on two different FG100A
firewalls.
I have a request in with Fortinet to understand why this is.

In the meantime, I've written a small patch to strip the private key from
the config rancid keeps. It works, though I'm not yet sure if ignoring
this key is a sensible thing to do. If I get a decent answer from Fortinet
I'll pass it on here.

Gavin


--- fnrancid.v1 2011-02-01 23:25:13.000000000 +0000
+++ fnrancid 2011-02-01 23:40:34.000000000 +0000
@@ -170,6 +170,7 @@
sub GetSystem {
print STDERR " In GetSystem: $_" if ($debug);

+ my $priv_key;
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
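Review bot: `my $priv_key;` is declared inside `sub GetSystem`, but the lines that use it (the next hunk, at line 203) are in the config-parsing loop of a different sub, the one the `!System time:` and `conf_file_ver` filters live in. Under `use strict` that is a compile error; without it the two are different variables (a lexical here, a global there). Declare and initialise it in the sub that uses it, `my $priv_key = 0;`, which also avoids the "uninitialized value in numeric eq" warning from `$priv_key == 1` before the first key is seen.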
@@ -203,6 +204,11 @@
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);
+ # spot the start of an RSA private key
+ $priv_key = 1 if(/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/);
+ # spot the end of an RSA private key
+ $priv_key = 0 && next if(/^\s*-----END RSA PRIVATE KEY-----"/);
+ next if($priv_key == 1);

# System time is fortigate extraction time
next if (/^\s*!System time:/);
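Review bot: `$priv_key = 0 && next if (...)` does not do what it reads as: `&&` binds tighter than `=`, so the statement assigns `0 && next` (that is, 0) and never executes `next`; the `-----END RSA PRIVATE KEY-----"` line therefore falls through into the saved config as a dangling closing line after the key body has been dropped. Write it as `if (/^\s*-----END RSA PRIVATE KEY-----"/) { $priv_key = 0; next; }`. Consider also emitting a placeholder (`set private-key "<removed>"`) rather than dropping the block silently, so that a key being added or deleted still shows in the diff, and gating the whole thing on `$filter_pwds` like the password filter above it: if the repository is meant to serve as a restore source the key has to stay, in which case the repository itself holds private key material and must be protected accordingly.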
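The filtering that the two fnrancid patches in this thread implement, rewritten as one stand-alone Perl script; this is an added example, not rancid code and not the poster's patch. It drops the volatile header lines (`!System time:`, `#conf_file_ver=`) so the hourly run no longer produces a diff, replaces the body of an RSA private key with a one-line placeholder so that a key being added or removed still shows in the diff without its bytes ever entering the repository, and masks the ciphertext of `set ... ENC ...` lines, which the device re-encrypts on every display. The `ENC` form follows the existing `Enc\s` regex in fnrancid; the sample capture at the bottom is constructed, not real device output.

```perl
#!/usr/bin/perl
# Added example (not rancid code): normalise a FortiGate config capture so
# that only real configuration changes show up as diffs.
#  - drop the volatile header lines ("!System time:", "#conf_file_ver=")
#  - replace the body of an RSA private key with a one-line placeholder
#  - mask the ciphertext of "set <name> ENC <blob>" lines, which the device
#    re-encrypts with a fresh salt on every display
# Line formats follow those quoted in the thread; the sample at the bottom
# is constructed, not real device output.
use strict;
use warnings;

# Takes the raw capture as a list of lines, returns the normalised lines.
sub normalize_fortigate_config {
    my (@lines) = @_;
    my @out;
    my $in_key = 0;    # true while inside a "-----BEGIN ... PRIVATE KEY-----" block

    for my $line (@lines) {
        $line =~ tr/\015//d;        # strip CR, as fnrancid does
        next if $line =~ /^\s*$/;

        # Volatile header lines: extraction time and a per-dump checksum.
        next if $line =~ /^\s*!System time:/i;
        next if $line =~ /^\s*#?conf_file_ver=/;

        # Start of a private key: keep the "set private-key" line with a
        # placeholder so an added/removed key still shows in the diff, but
        # never store the key material itself.
        if ($line =~ /^(\s*set\s+private-key\s+)"-----BEGIN [A-Z ]*PRIVATE KEY-----/) {
            push @out, $1 . '"<removed>"';
            $in_key = 1;
            next;
        }
        if ($in_key) {
            # Clear the flag on the END marker and drop that line as well.
            $in_key = 0 if $line =~ /-----END [A-Z ]*PRIVATE KEY-----"\s*$/;
            next;
        }

        # Encrypted secrets: keep the keyword and "ENC", mask the blob.
        $line =~ s/^(\s*set\s+\S+\s+)ENC\s+\S+(.*)$/$1ENC <removed>$2/i;

        push @out, $line;
    }
    return @out;
}

# Constructed sample capture (CRLF line ends, as a telnet/ssh capture has).
my @sample = (
    "#conf_file_ver=7138776372466847334\r",
    "!System time: Mon Jan 31 22:11:05 2011\r",
    "config system admin\r",
    "    edit \"admin\"\r",
    "        set password ENC AK1abcDEF0123456789\r",
    "    next\r",
    "end\r",
    "config vpn certificate local\r",
    "    edit \"Fortinet_Factory\"\r",
    "        set private-key \"-----BEGIN RSA PRIVATE KEY-----\r",
    "MIIEpAIBAAKCAQEAxyz0000000000000000000000000000000000000000000000\r",
    "-----END RSA PRIVATE KEY-----\"\r",
    "    next\r",
    "end\r",
);

print "$_\n" for normalize_fortigate_config(@sample);
```

Run it with `perl normalize.pl` to see the sample reduced to the stable lines; in fnrancid the same logic belongs in the config-parsing loop where this thread's patches put it. Whether the key should be stripped at all depends on what the rancid repository is for: if it doubles as the restore source the key must be kept, and the repository then contains private key material and needs access control and transport protection to match.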
Gavin McCullagh
2011-07-06 12:28:54 UTC
Hi guys,
Post by Diego Ercolani
I've already submitted a patch to support Fortinet. Here is the relevant post:
http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
if you see in the mailing list there are time to time modifications.
We've been using this with the 100A and are now using it also with a 200B
(which works fine incidentally).

However, one thing that I wonder is whether we really have the optimal
command to pull the config.

fnrancid currently uses "show full-configuration" to pull the config of the
system. This pulls the absolutely full configuration with every unmodified
default included. The result, for example, is that adding a simple
firewall rule results in a patch like this:

+ edit 71
+ set srcintf "port1"
+ set dstintf "port8"
+ set srcaddr "xxxxxxxxxxxx"
+ set dstaddr "all"
+ set rtp-nat disable
+ set action accept
+ set status enable
+ set dynamic-profile disable
+ unset dynamic-profile-access
+ set schedule "always"
+ set schedule-timeout disable
+ set service "HTTP" "HTTPS"
+ set utm-status disable
+ set logtraffic disable
+ set logtraffic-app enable
+ set auto-asic-offload enable
+ set webcache disable
+ set session-ttl 0
+ set wccp disable
+ set fsso disable
+ set disclaimer disable
+ set natip 0.0.0.0 0.0.0.0
+ set match-vip disable
+ set diffserv-forward disable
+ set diffserv-reverse disable
+ set tcp-mss-sender 0
+ set tcp-mss-receiver 0
+ set comments "Allow xxxxxxxxxxxx to connect for updates"
+ set endpoint-check disable
+ set label ''
+ set global-label ''
+ set replacemsg-override-group ''
+ set identity-based disable
+ set traffic-shaper ''
+ set traffic-shaper-reverse ''
+ set per-ip-shaper ''
+ set nat disable
+ set dynamic-profile-fallthrough disable
+ set client-reputation disable
+ next

Only about five of the above lines were actually chosen, the rest are all
defaults. Personally, I'm inclined more toward using just the "show"
command which pulls the configuration settings that we have actually made
omitting defaults.

Is this "pull absolutely every detail" policy the norm in Rancid?
Obviously I can change this locally myself if I really want.

Gavin
Diego Ercolani
2011-07-06 13:18:21 UTC
Hello,
I don't know Fortigate deeply, because when I can I prefer to use Linux directly,
so feel free to change the command or the command sequence to perform a
configuration dump.
This is the power of open source: everyone can add a small piece of his
knowledge and bring the community a full (hopefully error-proof) utility.

I have only one clustered installation of Fortigate, and what I noticed is that
from time to time Fortigate adds some line feeds that make it seem the
configuration has changed... this is very annoying, but I can't do experiments
because it's a production environment.
Diego
Gavin McCullagh
2011-07-06 13:35:36 UTC
Hi,
Post by Diego Ercolani
I don't knoww deeply fortigate because if I can I prefer to use linux directly
so feel free to change the command or the command sequence to perform a
configuration dump.
This is the power of opensource, every one can add a small piece of his
knowledge and bring the community a full (hopely errorproof) utility.
I couldn't agree more, but I'm hoping to work out what the community
in general thinks. I don't think this question is particularly a Fortigate
one.

In general, is it better for Rancid to record and version the entire
config of a device including defaults, or to just version the non-default
config.

I can see arguments for both:

- when you upgrade firmware, the defaults might change and rancid could
presumably only note these if you version the entire config.

- the config and patches can be quite complex if you version the entire
config.

- if the unit should fail, you get a new one and want to deploy the
config from Rancid, I would usually prefer to just deploy our config
changes and not override the defaults. If rancid holds the full config,
you can't really work out what are defaults and what are your settings.
Perhaps others might prefer to actually set those defaults where
necessary.

I imagine this issue arises with units other than the Fortigates.
Post by Diego Ercolani
I have only one clustered installation of Fortigate, and what I noticed is that
from time to time Fortigate adds some line feeds that make it seem the
configuration has changed... this is very annoying, but I can't do experiments
because it's a production environment.
I've noticed the same actually, though generally it seems to be within the
"app-detect" lines which are all defaults (at least on our install).
Reducing this problem might be a happy side-effect of versioning the
reduced config.

Gavin
john heasley
2011-07-06 22:06:24 UTC
Post by Gavin McCullagh
Post by Diego Ercolani
This is the power of open source: everyone can add a small piece of his
knowledge and bring the community a full (hopefully error-proof) utility.
That's funny.
Post by Gavin McCullagh
In general, is it better for Rancid to record and version the entire
config of a device including defaults, or to just version the non-default
config.
- when you upgrade firmware, the defaults might change and rancid could
presumably only note these if you version the entire config.
That's the impetus for the command that is used. Hopefully the route of
least surprise if you must recover a device's config.
Post by Gavin McCullagh
- if the unit should fail, you get a new one and want to deploy the
config from Rancid, I would usually prefer to just deploy our config
changes and not override the defaults. If rancid holds the full config,
you can't really work out what are defaults and what are your settings.
Perhaps others might prefer to actually set those defaults where
necessary.
If that's a concern, perhaps you need a full and non-full version [in separate
groups].
Post by Gavin McCullagh
I imagine this issue arises with units other than the Fortigates.
CatOS.
Post by Gavin McCullagh
Post by Diego Ercolani
I have only one clustered installation of Fortigate, and what I noticed is that
from time to time Fortigate adds some line feeds that make it seem the
configuration has changed... this is very annoying, but I can't do experiments
because it's a production environment.
perhaps that is a defect in fnrancid's login script?

Iñaki Martínez Díez
2011-02-02 14:33:43 UTC
Hi,

I have problems getting configs from fortigates:

Version: Fortigate-5001FA2 3.00,build0670,080729

Version: Fortigate-1000AFA2 3.00,build0416,070821

The problem is that I am not getting the complete config, and the last lines
are like these:

--More--
--More--



No errors in log.
Rancid version 2.3.6, also tested with earlier versions.


Any help?

Thank you in advance.
________________________________________
Iñaki Martínez Díez
Network Department
acens Technologies S.L.
***@acens.com
Telephone: 637 772 156

Fax: 911 418 501
This message may contain confidential information exclusively addressed to its intended recipient.
The copy or distribution of this message is not permitted without the prior express consent by acens.
If you are not the intended recipient of this message please advise the sender and delete it. Thank you.
Gavin McCullagh
2011-02-02 15:18:10 UTC
Hi,
Post by Iñaki Martínez Díez
Version: Fortigate-5001FA2 3.00,build0670,080729
Version: Fortigate-1000AFA2 3.00,build0416,070821
The problem is not getting complete config and the last lines are like
--More--
--More--
The console is in "more" (pager) mode. You need to change it to standard
mode:


gcd-fw # config system console

gcd-fw (console) # set output standard

gcd-fw (console) # end

gcd-fw # show system console
config system console
set output standard
end


If you want it in "more" mode for your own usage, you might need to get the
rancid script to set it to standard, then take its config, then set it back
again. A decent console app would probably achieve the same thing though.

Gavin
john heasley
2011-02-02 20:25:14 UTC
Post by Gavin McCullagh
Hi,
Post by Iñaki Martínez Díez
Version: Fortigate-5001FA2 3.00,build0670,080729
Version: Fortigate-1000AFA2 3.00,build0416,070821
The problem is not getting complete config and the last lines are like
--More--
--More--
The console is in "more" (pager) mode. You need to change it to standard
gcd-fw # config system console
gcd-fw (console) # set output standard
gcd-fw (console) # end
gcd-fw # show system console
config system console
set output standard
end
If you want it in "more" mode for your own usage, you might need to get the
rancid script to set it to standard, then take its config, then set it back
again. A decent console app would probably achieve the same thing though.
Assuming that the pager cannot be disabled per-tty, which I presume is
what the magic chant 'set output standard' does: teach fnlogin about the
pager. But fnlogin already has a case for the pager. So, why is that
not working?

I'll bet it's failing because there are control characters among the pager
prompt. set NOPIPE=YES and collect from the device with fnrancid -d hostname
then look for the pager prompt in the hostname.raw file in your editor. or
look at the debug output of fnlogin -d hostname to see why the match is
failing.
Gavin McCullagh
2011-02-02 22:04:34 UTC
Hi John,
Post by john heasley
Post by Gavin McCullagh
The console is in "more" (pager) mode. You need to change it to standard
gcd-fw # config system console
gcd-fw (console) # set output standard
gcd-fw (console) # end
assuming that the pager can not be disabled per-tty, which i presume is
what the magic chant 'set output standard' does; teach fnlogin about the
pager. but, fnlogin already has a case for the pager. So, why is that
not working?
I'll bet its failing because there are control characters among the pager
prompt. set NOPIPE=YES and collect from the device with fnrancid -d hostname
then look for the pager prompt in the hostname.raw file in your editor. or
look at the debug output of fnlogin -d hostname to see why the match is
failing.
You make a compelling point. My guess is the "(console)" in the prompt
too.

I came across the same problem and just disabled the pager manually myself,
I hadn't noticed that the expect script explicitly did this. I'll try and
get time to test and see if the prompt is the issue.

Gavin
Iñaki Martínez Díez
2011-02-04 11:41:39 UTC
Hello,

Debug mode done, I got this:

set authgrp none
--More-- set avgrp none
set fwgrp none



Last lines:

next
--More-- edit "operator"
--More--



NOTE: after "--" there are spaces, not tabs; checked with 2 editors.


I think the problem is this line in fnlogin:

460 -gl "--More--" { send " "
john heasley
2011-02-04 23:33:44 UTC
Post by Iñaki Martínez Díez
Hello,
set authgrp none
--More-- set avgrp none
set fwgrp none
next
--More-- edit "operator"
--More--
NOTE: after "--" there are spaces not tab, checked with 2 editors.
460 -gl "--More--" { send " "
No, that's fine.

I think the device is stupid. My guess is that telnet/ssh sent zero for
the rows tty attribute, so the device's pager is confused.

is this (from fnlogin) working on your device:
# Disable output paging.
send -- "config system console\r"
expect -re $prompt; send -- "set output standard\r"
expect -re $prompt; send -- "end\r"
expect -re $prompt;

Does a hack like this have an effect:
Index: bin/fnlogin.in
===================================================================
--- bin/fnlogin.in (revision 2282)
+++ bin/fnlogin.in (working copy)
@@ -99,6 +99,8 @@
set password_file $env(CLOGINRC)
}

+stty rows 1024
+
# Sometimes firewall take awhile to answer (the default is 10 sec)
set timeout 45
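Review bot: `stty rows 1024` placed here runs before `spawn`, so it acts on expect's own controlling terminal rather than on the pty the spawned ssh/telnet gets, and a cron-driven rancid run has no controlling terminal at all, in which case `stty` errors out. The device also only learns a row count if the client passes it on (ssh pty-req, telnet NAWS). If the idea is to be tested, apply the setting to the spawned pty after `spawn` (`stty rows 1024 < $spawn_out(slave,name)`) and check the fnlogin -d output for the resulting pager behaviour; the "no effect" report below is consistent with the setting never reaching the device.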
Iñaki Martínez Díez
2011-02-10 09:07:02 UTC
Hi,
Post by john heasley
i think the device is stupid. my guess is that telnet/ssh sent zero for
the rows tty attribute that the device's pager is confused.
Yes the device is "very" stupid and more with old versions.
Post by john heasley
# Disable output paging.
send -- "config system console\r"
expect -re $prompt; send -- "set output standard\r"
expect -re $prompt; send -- "end\r"
expect -re $prompt;
It is ignored, but I think it is the version or the user permissions.
Post by john heasley
Index: bin/fnlogin.in
===================================================================
--- bin/fnlogin.in (revision 2282)
+++ bin/fnlogin.in (working copy)
@@ -99,6 +99,8 @@
set password_file $env(CLOGINRC)
}
+stty rows 1024
+
# Sometimes firewall take awhile to answer (the default is 10 sec)
set timeout 45
It does not have any effect :(


My best option is:

1) change manually "set output standard"
2) user with root permissions

With this I got a configuration, but it is different from the tftp
configuration.

I will try to open a case with Fortinet to try to understand why the config
is different between "show full-configuration" and tftp.


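The pager problem in the exchange above has two halves: turning the pager off on the device (`config system console` / `set output standard` / `end`, which needs an admin account that may change system settings) and, when that is not possible, not letting a paged and therefore truncated capture be committed as if it were a complete config. The script below is an added example, not rancid or fnlogin code: it post-processes a raw capture of the kind `NOPIPE=YES` leaves in hostname.raw, strips the `--More--` prompts together with the erase sequence the pager emits after a space is sent, and refuses the capture if it ends on a pager prompt. The erase sequence assumed (optional space, then either backspaces or CR, spaces, CR) is an assumption about this pager; the sample capture is constructed from the line shapes Iñaki posted.

```perl
#!/usr/bin/perl
# Added example (not rancid code): clean "--More--" pager prompts out of a
# raw fnlogin capture and detect a capture that stopped at the pager.
# Assumed erase sequence after a prompt: optional space, then backspaces or
# CR + spaces + CR. The sample capture below is constructed.
use strict;
use warnings;

# Takes the raw capture as one string.
# Returns (cleaned_text, truncated_flag, number_of_pager_prompts_seen).
sub strip_pager {
    my ($raw) = @_;

    # How many times the pager interrupted the output.
    my $prompts = () = $raw =~ /--More--/g;

    # Truncated if the last non-blank thing in the capture is a pager prompt:
    # the device was still waiting for a keypress when the session ended.
    my $truncated = ($raw =~ /--More--[\s\010]*\z/) ? 1 : 0;

    # Remove the prompt plus whatever the pager used to erase it, so the
    # following config line is restored with its original indentation.
    $raw =~ s/--More-- ?(?:\010+|\r +\r)?//g;

    # Strip remaining CRs, as fnrancid does with tr/\015//d.
    $raw =~ s/\015//g;

    return ($raw, $truncated, $prompts);
}

# Constructed sample: a "show" dump interrupted twice by the pager and then
# left hanging on a third prompt (the shape Iñaki's hostname.raw showed).
my $sample = join "",
    "gcd-fw # show\r\n",
    "config system admin\r\n",
    "    edit \"admin\"\r\n",
    "        set authgrp none\r\n",
    "--More-- \r        \r        set avgrp none\r\n",
    "        set fwgrp none\r\n",
    "    next\r\n",
    "--More-- \r        \r    edit \"operator\"\r\n",
    "--More--";

my ($clean, $truncated, $prompts) = strip_pager($sample);
print $clean;
if ($truncated) {
    print STDERR "capture ended on a pager prompt ($prompts seen): ",
                 "configuration is truncated, do not commit it\n";
    exit 1;
}
```

The cleaned text is printed so it can be diffed against a known-good dump; the exit status is what matters for automation, because a collector that silently commits a config cut off at `--More--` leaves a backup that looks complete and is not. The right long-term fix remains disabling the pager on the device or in fnlogin; this is a guard for the cases, like the old firmware and restricted admin account described above, where that is not available.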