[rancid] Fortinet Fortigate problem.
Chris Davis
2015-04-21 21:59:26 UTC
A few weeks ago I posted the following. A couple of very helpful folks pointed me at the fnlogin script and why it might be failing. I had just upgraded one of my Fortinet firewall clusters to 5.0.9 firmware and when I upgraded the other cluster, I had the same problem. One of the answers was to disable the strong encryption on the firewall. Not my favorite thing to do... So, I had a look at the fnlogin code. Now, I'm no expert programmer, but it was straight enough to follow. I found that the cypher was set to 3des. I spoke with a Fortinet engineer that I was working with on another issue, and he indeed confirmed that 3des-cbc was not supported in strong encryption mode moving forward. He said I should choose something else.

This afternoon I tinkered with swapping aes256-ctr where it had said 3des before, and turned back on strong encryption on the clusters. And amazingly, it worked! I'll know for sure when my hourly rancid runs kick off, but I have a small job running every fifteen minutes grabbing some data for the other problem I was working on, and it has successfully grabbed 2 iterations of data for that project.

So, how hard is it to jump from 2.3.8 to 3.2? (since I'm feeling flush with success) I will remember the router file change from : to ; for separators. Any other gotchas?
I've been using Rancid 2.3.8 for some time now without any problems. (once I got all the patches installed for it)

This past week, we upgraded a unit from 5.0.7 firmware to 5.0.9. This had the negative effect of making it impossible for Rancid to log into the unit. I have checked all the normal things. I deleted and recreated the ssh Known_hosts entry. I've even manually logged in from the Rancid server using my own credentials and the rancid credentials and not had any problems.
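The failure Chris describes is a plain cipher-negotiation mismatch: the login script forces `-c 3des` on the client side, and once the firewall's strong-encryption profile stops offering `3des-cbc`, OpenSSH aborts before authentication. The quickest way to confirm that diagnosis on a box that fails is `ssh -vv user@fw 2>&1` and reading the kex lines. The following script is an added example written for this thread (it is not part of rancid or of Fortinet's tooling); it parses that debug output, in both the pre-6.9 and the current OpenSSH wording, reports what each side offered, and suggests a non-weak cipher the server does accept for the script's `-c` option. The sample debug lines are constructed, not captures from anyone's firewall, and the preference order is an assumption of this example.

```python
import re
import sys

# Ciphers that a "strong encryption" profile typically drops from the
# server's offer; 3des-cbc is the one this thread ran into.
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256",
                "blowfish-cbc", "cast128-cbc"}

# Order in which to suggest a replacement for the login script's "-c" option
# (an assumption of this example, not a rancid setting).
PREFERRED = ["aes256-ctr", "aes192-ctr", "aes128-ctr",
             "aes256-gcm@openssh.com", "aes128-gcm@openssh.com"]

# Failure wording used by OpenSSH clients before 6.9.
OLD_FAIL = re.compile(r"no matching cipher found: client (\S+) server (\S+)")
# Failure wording used by OpenSSH 6.9 and later.
NEW_FAIL = re.compile(r"no matching cipher found\. Their offer: (\S+)")
# Success line printed at -v: the cipher both sides settled on.
NEGOTIATED = re.compile(r"kex: server->client cipher: (\S+)")


def pick_cipher(server_offered):
    """Return the most preferred cipher the server offers that is not weak."""
    for cipher in PREFERRED:
        if cipher in server_offered:
            return cipher
    for cipher in server_offered:          # fall back to anything non-weak
        if cipher not in WEAK_CIPHERS and not cipher.endswith("-cbc"):
            return cipher
    return None


def diagnose(ssh_debug):
    """Parse `ssh -vv` output and explain a cipher-negotiation failure."""
    result = {"status": "unknown", "negotiated": None,
              "client_offered": [], "server_offered": [], "suggested": None}
    for line in ssh_debug.splitlines():
        m = NEGOTIATED.search(line)
        if m:
            result["status"] = "ok"
            result["negotiated"] = m.group(1)
            continue
        m = OLD_FAIL.search(line)
        if m:
            result["status"] = "no-common-cipher"
            result["client_offered"] = m.group(1).split(",")
            result["server_offered"] = m.group(2).split(",")
            continue
        m = NEW_FAIL.search(line)
        if m:
            result["status"] = "no-common-cipher"
            result["server_offered"] = m.group(1).split(",")
    if result["status"] == "no-common-cipher":
        result["suggested"] = pick_cipher(result["server_offered"])
    return result


# Constructed samples (not captures from the poster's firewalls).
# A client forced to 3des-cbc against a server whose strong-encryption
# profile only offers AES-CTR, in the pre-6.9 wording:
SAMPLE_FAIL_OLD = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
no matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr
"""
# The same failure in the newer wording (192.0.2.10 is a documentation address):
SAMPLE_FAIL_NEW = """\
debug1: SSH2_MSG_KEXINIT sent
Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr
"""
# A successful session after switching the client cipher:
SAMPLE_OK = """\
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none
"""


def report(ssh_debug):
    """Human-readable summary, e.g. for `ssh -vv user@fw 2>&1 | python3 this.py`."""
    r = diagnose(ssh_debug)
    if r["status"] == "ok":
        return "negotiated cipher: %s" % r["negotiated"]
    if r["status"] == "no-common-cipher":
        return ("no common cipher; client offered %s, server offers %s; "
                "try -c %s in the login script" % (
                    ",".join(r["client_offered"]) or "?",
                    ",".join(r["server_offered"]),
                    r["suggested"] or "<none acceptable>"))
    return "no cipher negotiation lines found (run ssh with -vv)"


if __name__ == "__main__":
    print(report(sys.stdin.read()))
```

Pointing the script at real `ssh -vv` output tells you in one line whether the problem is the client's cipher choice rather than credentials or known_hosts, which is where the time in the original post went; it also avoids the alternative of weakening the firewall's profile just to keep an old cipher alive.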
Nick Nauwelaerts
2015-04-27 09:54:39 UTC
heya,
i had a few issues on my fortinet running "v5.0,build0292,140801 (GA Patch 9)". the fnlogin bundled with rancid 3.2 didn't like the pager prompt "--More--" and fnrancid did some funky reformatting of whitespace when the "--More--" prompt was involved. Here are my diffs (read: fiddled until it worked) for both. disclaimer: only tested with 2 devices running the before mentioned fortios version, your experience may differ.

// nick

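Nick's diffs are attachments and not reproduced on this page, so the following is an added example, not his patch and not code from rancid: it shows the filtering problem he describes, in Python rather than fnrancid's Perl. When a FortiGate pages output and the login script answers "--More--" with a space, the device erases the prompt before continuing, and a filter that greedily eats every blank after "--More--" also eats the indentation of the next configuration line, which is exactly the kind of whitespace mangling reported above. The erase sequences and the captured config fragment are constructed assumptions of this example, not captures from a FortiGate.

```python
import re

# Assumed shapes of the pager prompt and of the sequence the device sends to
# erase it once the script answers with a space (constructed, not captured
# from a FortiGate): either
#   "--More--" <blanks> CR <blanks> CR         (overwrite the prompt line), or
#   "--More--" <blanks> BS... <blanks> BS...   (backspace over it).
PAGER_PROMPT = re.compile(
    r"--More--[ \t]*"          # the prompt, possibly with trailing blanks
    r"(?:\r[ \t]*\r"           # overwrite-style erase
    r"|\x08+[ \t]*\x08+)?"     # backspace-style erase
)


def strip_pager(raw):
    """Drop pager prompts and their erase sequences, keeping the next line's indentation."""
    text = PAGER_PROMPT.sub("", raw)
    return text.replace("\r\n", "\n")


def strip_pager_naive(raw):
    """The tempting one-liner: eat every blank after the prompt.

    This also swallows the indentation of the line that follows, which is
    the kind of whitespace reformatting the thread describes."""
    text = re.sub(r"--More--[\s\x08]*", "", raw)
    return text.replace("\r\n", "\n")


# Constructed capture of a paged configuration section.
SAMPLE_OVERWRITE = (
    "config system global\r\n"
    "    set admin-sport 443\r\n"
    "--More-- \r         \r"
    "    set hostname FW1\r\n"
    "end\r\n"
)
SAMPLE_BACKSPACE = (
    "config system global\r\n"
    "    set admin-sport 443\r\n"
    "--More-- " + "\x08" * 9 + " " * 9 + "\x08" * 9
    + "    set hostname FW1\r\n"
    "end\r\n"
)
# What the stored config should look like: the prompt gone, indentation intact.
EXPECTED = (
    "config system global\n"
    "    set admin-sport 443\n"
    "    set hostname FW1\n"
    "end\n"
)

if __name__ == "__main__":
    for name, sample in (("overwrite", SAMPLE_OVERWRITE),
                         ("backspace", SAMPLE_BACKSPACE)):
        print(name, "careful ok:", strip_pager(sample) == EXPECTED,
              "naive ok:", strip_pager_naive(sample) == EXPECTED)
```

The point of keeping the erase sequence in the pattern, instead of a blanket whitespace strip, is that a config archive is only useful if diffs between runs are real changes; a filter that reflows indentation turns every page break into a spurious diff and hides the changes you actually want to review.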
waz0wski
2015-04-29 18:06:50 UTC
Hey Nick,

Thanks for posting this - I just ran into a similar issue, and your patches to fnlogin/fnrancid are working fine for me with rancid-3.1-2.el6.x86_64 against fortigates running v5.2.3,build670
<fnlogin.diff><fnrancid.diff>