Discussion:
[rancid] Re: Rancid with Fortigate Devices?
Mina Eskander
2009-04-16 15:38:45 UTC
Has anybody made progress with this?
I set up a new rancid server and did a fnrancid with the following output.

[***@pwcolocacti ~]$ bin/fnrancid -d pwcolofgt100c
executing nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
pwcolofgt100c nlogin error: Error: TIMEOUT reached
pwcolofgt100c nlogin error: Error: TIMEOUT reached
pwcolofgt100c: missed cmd(s): get conf,get system status
pwcolofgt100c: missed cmd(s): get conf,get system status
0: found end
pwcolofgt100c: End of run not found
pwcolofgt100c: End of run not found

Not really sure if it's because of a regex problem or the commands or what; I would appreciate any help with this.

Mina Eskander
Perimeterwatch Technologies
Direct: +1 (347) 448-2845
Mobile: +1 (347) 510-4102
***@perimeterwatch.com

Network Security | Disaster Recovery | Business Continuity | IT Projects | Application Development
_____________________________________________________________________
New York: (347) 448-2845 - 34-12 36th Street - 2nd Floor - Astoria, NY 11106
john heasley
2009-04-16 18:24:01 UTC
Post by Mina Eskander
Has anybody made progress with this?
I set up a new rancid server and did a fnrancid with the following output.
executing nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
pwcolofgt100c nlogin error: Error: TIMEOUT reached
pwcolofgt100c nlogin error: Error: TIMEOUT reached
pwcolofgt100c: missed cmd(s): get conf,get system status
pwcolofgt100c: missed cmd(s): get conf,get system status
0: found end
pwcolofgt100c: End of run not found
pwcolofgt100c: End of run not found
not really sure if it's because of a regex problem or the commands or what, I would appreciate any help with this.
first step should always be to make sure that the expect script is working.
what does
nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
o/p?
Post by Mina Eskander
Network Security | Disaster Recovery | Business Continuity | IT Projects | Application Development
what is 'business continuity'?
Mina Eskander
2009-04-20 13:32:58 UTC
I ran the command and here is the output:

[***@pwcolocacti ~]$ nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
pwcolofgt100c
spawn ssh -c 3des -x -l meskander pwcolofgt100c
***@pwcolofgt100c's password:
FGT100C3G0860259~ $
Error: TIMEOUT reached

I think I've seen this before, it looks like rancid does not recognize the prompt, what do you think?

john heasley
2009-04-20 16:25:09 UTC
Post by Mina Eskander
pwcolofgt100c
spawn ssh -c 3des -x -l meskander pwcolofgt100c
FGT100C3G0860259~ $
Error: TIMEOUT reached
I think I've seen this before, it looks like rancid does not recognize the prompt, what do you think?
probably. try it with the -d option
Mina Eskander
2009-04-20 17:39:35 UTC
[***@pwcolocacti ~]$ nlogin -d -t 90 -c"get system status;get conf" pwcolofgt100c
pwcolofgt100c
spawn ssh -c 3des -x -l meskander pwcolofgt100c
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {6199}

expect: does "" (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"-> "? no
***@pwcolofgt100c's password:
expect: does "***@pwcolofgt100c's password: " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? yes
expect: set expect_out(0,string) "@pwcolofgt100c's password:"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "***@pwcolofgt100c's password:"
send: sending "***@v3s\r" to { exp6 }
expect: continuing expect

expect: does " " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"-> "? no


expect: does " \r\n" (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"-> "? no
FGT100C3G0860259~ $
expect: does " \r\nFGT100C3G0860259~ $ " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"-> "? no
expect: timed out

Error: TIMEOUT reached
write() failed to write anything - will sleep(1) and retry...
[***@pwcolocacti ~]$

john heasley
2009-04-20 17:45:51 UTC
yep, your prompt is nFGT100C3G0860259~ $
but the script expects ->
Peter Serwe
2009-04-20 23:03:37 UTC
Post by john heasley
yep, your prompt is nFGT100C3G0860259~ $
but the script expects ->
Ah yes, I had an issue with my new router guy wanting to change all of the router prompts for BCP 38 compliance, and I had to veto the prompt change because I don't want to see either of my CMS's broken.

That would be another awesome thing to break out into a configuration file per device, having a variable to set the regex of the prompt relatively easily, or just set a simple wildcard. I wonder if that's even possible with expect. Or if it would be possible to get the prompt, and set it on the fly, so that rancid doesn't care what the prompt actually is.

Peter
--
ピーター
john heasley
2009-04-21 03:45:07 UTC
Post by Peter Serwe
Post by john heasley
yep, your prompt is nFGT100C3G0860259~ $
but the script expects ->
Ah yes, I had an issue with my new router guy wanting to change all of
the router prompts
for BCP 38 compliance, and I had to veto the prompt change because I
don't want to see either
of my CMS's broken.
That would be another awesome thing to break out into a configuration
file per device, having
a variable to set the regex of the prompt relatively easily, or just
set a simple wildcard. I wonder
if that's even possible with expect. Or if it would be possible to
get the prompt, and set it on the fly,
so that rancid doesn't care what the prompt actually is.
i haven't reviewed this script, but most of the others do this. they do
however need some kind of hint. once they find that string, the full
prompt is picked-up from that.

the hint is not cloginrc-programmable.

but...why change it in the first place. I'm assuming that this device's
prompt always ends with "-> ", as I was told it does.
Jeff Moorse
2009-04-21 03:05:58 UTC
Permalink
Anyone know what the correct syntax for the expect script would be to match
prompt (assuming the string of #'s following FGT is variable)?

I have experienced similar problems

Thanks
Post by john heasley
yep, your prompt is nFGT100C3G0860259~ $
but the script expects ->
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
--
-- Jeff Moorse --
Mina Eskander
2009-04-23 15:19:03 UTC
I changed the -> in the nlogin script to ~ $ and it still does not work, here is the output I get
[***@pwcolocacti bin]$ nlogin -d -t 90 -c"get system status;get conf" pwcolofgt100c
pwcolofgt100c
spawn ssh -c 3des -x -l meskander pwcolofgt100c
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {16963}

expect: does "" (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"~ $ "? no
***@pwcolofgt100c's password:
expect: does "***@pwcolofgt100c's password: " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? yes
expect: set expect_out(0,string) "@pwcolofgt100c's password:"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "***@pwcolofgt100c's password:"
send: sending "***@v3s\r" to { exp6 }
expect: continuing expect

expect: does " " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"~ $ "? no


expect: does " \r\n" (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"~ $ "? no
FGT100C3G0860259~ $
expect: does " \r\nFGT100C3G0860259~ $ " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"~ $ "? yes
expect: set expect_out(0,string) "~ $ "
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) " \r\nFGT100C3G0860259~ $ "
send: sending "\r" to { exp6 }

expect: does "" (spawn_id exp6) match regular expression "[\r\n]+"? no
"^(.+~ $ )"? no


expect: does "\r\r\n" (spawn_id exp6) match regular expression "[\r\n]+"? yes
expect: set expect_out(0,string) "\r\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "\r\r\n"
expect: continuing expect

expect: does "" (spawn_id exp6) match regular expression "[\r\n]+"? no
"^(.+~ $ )"? no
FGT100C3G0860259~ $
expect: does "FGT100C3G0860259~ $ " (spawn_id exp6) match regular expression "[\r\n]+"? no
"^(.+~ $ )"? no
expect: timed out

Error: TIMEOUT reached
write() failed to write anything - will sleep(1) and retry...
[***@pwcolocacti bin]$

john heasley
2009-04-28 19:04:00 UTC
Post by Mina Eskander
I changed the -> in the nlogin script to ~ $ and it still does not work, here is the output I get
Would someone who knows the fortigate well please confirm the prompt format?
I was told '-> ', but reading through the manual that I found online, it
seems that the prompt is '$ ' and gives no indication that it changes with
elevated permissions. But, the manual for their CLI seems poorly written.
Jeff Moorse
2009-04-28 19:07:42 UTC
For an admin account the prompt is (sans quotes):

"FGT[model][s/n] # "

Please note the trailing space

For a read only account it is the same but with a $ instead of a #

-Jeff Moorse
Mina Eskander
2009-05-29 19:34:28 UTC
Thanks for your reply and sorry for such a late response.
Does it make a difference what prompt it is? As long as what I have matches the prompt in the script? I don't know if I can get privileges on this box so I can get the # prompt.

The weird thing is the following:
FGT100A_VPN $
expect: does " \r\nFGT100A_VPN $ " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
" $ "? yes
expect: set expect_out(0,string) " $ "
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) " \r\nFGT100A_VPN $ "
send: sending "\r" to { exp6 }

expect: does "" (spawn_id exp6) match regular expression "[\r\n]+"? no
"^(.+ $ )"? no

FGT100A_VPN $
expect: does "\r\r\nFGT100A_VPN $ " (spawn_id exp6) match regular expression "[\r\n]+"? yes
expect: set expect_out(0,string) "\r\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "\r\r\n"
expect: continuing expect

expect: does "FGT100A_VPN $ " (spawn_id exp6) match regular expression "[\r\n]+"? no
"^(.+ $ )"? no
expect: timed out

Error: TIMEOUT reached
write() failed to write anything - will sleep(1) and retry...

so it matches the modified prompt I made but then it fails after when it tries to match it with [\r\n]+

any ideas?

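
Added example, not part of the original thread and not RANCID's nlogin code: the traces above show the glob patterns "~ $ " and " $ " matching while the regular expressions "^(.+~ $ )" and "^(.+ $ )" never do. In Tcl regular expressions, which expect -re uses, an unescaped $ is an end-of-string anchor, so nothing can match after it; the script below reproduces both tests on buffers taken from the traces. The helper names glob_hit, re_quote and prompt_re are hypothetical.

```tcl
# Added example (plain Tcl, runs under tclsh; no device or expect needed).
# Buffers are copied from the -d traces in this thread, except the "# " one,
# which is constructed from the admin prompt format described in the thread.
set buffers [list \
    " \r\nFGT100C3G0860259~ \$ " \
    "FGT100C3G0860259~ \$ " \
    "FGT100A_VPN \$ " \
    "FGT100C3G0860259 # "]

# Hypothetical helper: emulate expect's unanchored glob test with string match.
# In a glob pattern a $ in the middle of the pattern is an ordinary character.
proc glob_hit {buf pat} {
    return [string match "*${pat}*" $buf]
}

# Hypothetical helper: backslash-escape every character that is not a letter,
# digit or underscore, so a literal prompt can be embedded in a regex.
proc re_quote {literal} {
    regsub -all {[^[:alnum:]_]} $literal {\\&} quoted
    return $quoted
}

# Same shape as the regex shown in the traces: "^(.+<prompt>)".
proc prompt_re {prompt_part} {
    return "^(.+${prompt_part})"
}

# Make \r and \n visible when printing a buffer.
proc show {buf} {
    return [string map [list "\r" "\\r" "\n" "\\n"] "\"$buf\""]
}

foreach hint [list "~ \$ " " \$ "] {
    set raw  [prompt_re $hint]              ;# $ left as a regex anchor
    set safe [prompt_re [re_quote $hint]]   ;# $ escaped, matched literally
    puts "hint \"$hint\": raw regex $raw   escaped regex $safe"
    foreach buf $buffers {
        puts [format "  %-30s glob=%d raw_re=%d escaped_re=%d" \
            [show $buf] \
            [glob_hit $buf $hint] \
            [regexp -- $raw $buf] \
            [regexp -- $safe $buf]]
    }
}

# Inside a bracket expression $ is literal, so no escaping is needed, and one
# pattern covers both prompt endings mentioned in the thread
# ("# " for an admin account, "$ " for a read-only account).
set either {^(.+[#$] )}
puts "bracket-expression regex $either"
foreach buf $buffers {
    puts [format "  %-30s match=%d" [show $buf] [regexp -- $either $buf]]
}
```

The raw_re column stays 0 for every buffer, which is the "no" seen in the traces after the glob match succeeds. Whether nlogin builds its regular expression from the same string that was edited is an assumption to verify in your copy of the script.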