Discussion:
[rancid] issue with fortigate FW after upgrade
Shaun Krok
2015-07-14 05:01:59 UTC
Hi

Was hoping someone had come across this in recent days.

We have several sites running FortiGate FW clusters without issues.
We then upgraded a site to a new version and now have the following
"noise" issue.

Running version 3.0 of rancid, and I have checked the fnrancid script;
it does have the patch mentioned in the forum.

If anyone can help with this, it would be much appreciated.

Shaun



**********************

Here is a snip ?

sub GetConf {
    print STDERR " In GetConf: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        next if /^\s*$/;
        last if (/$prompt/);

        # System time is fortigate extraction time
        next if (/^\s*!System time:/);
        # remove occurrences of conf_file_ver
        next if (/^#?conf_file_ver=/);

        # filter cycling RSA private keys
        if (/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/) {
            ProcessHistory("","","","#$_");
            ProcessHistory("","","","# <removed>");
            while (<INPUT>) {
                tr/\015//d;
                last if (/$prompt/);

                if (/^\s*-----END RSA PRIVATE KEY-----"/) {
                    ProcessHistory("","","","#$_");
                    last;
                }
            }
        }
        # filter cycling password encryption
        if (/^\s*(set [^\s]*)\s(enc\s[^\s]+)(.*)/i && $filter_pwds > 0) {
            ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
            next;
        }
        ProcessHistory("","","","$_");
    }
    $found_end = 1;
    return(1);
}



retrieving revision 1.510
diff -U 10 -r1.510 de-fw
@@ -16047,35 +16047,35 @@
Z0nf1R7CqJgrTEeDgUwuRMLvyGPui3tbMfYmYb95HLCpTqnJUHvi
-----END CERTIFICATE-----"
set scep-url ''
set source-ip 0.0.0.0
next
end
config vpn certificate local
edit "Fortinet_Factory"
#set password ENC <removed>
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
- MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIHB+yEmeRPUsCAggA
- MBQGCCqGSIb3DQMHBAgiWcwKklgTzQSCAoATyGNsZtmmKFswxEjAoX9nEm1La21g
- ZlbBj0g4GP4hQwQZ+HTXRgQ+FqqQVst1Ylk6P4TYrSSHux4BXSgg4wCs3JM7d5j7
- g4tlQnvThXPynSTSzARB6fShDqBwSW1+uR3mD+wFoe0wFVW5RW62AaI1D1nvV6oH
- j/71eQLS0Iv9bX3F9VWxnvUm0uQtH6a+L+n5hzsDUyWbfSGvmmmNVTuLzpKXLRaP
- OH0JaIafUI5CNGu1Kvga3Ys++9cBObo+XLUlm4mPICtxOPNBG2rM6TxKHi4z6VZN
- 8wfPzK7BPqKlqAFVpvqfhpNt/uQFCIO4VGIGiLEwI4nF4+pna0UFBv5IXXqRLnXp
- nHDcRD3RA2AqdUUKihH9/WpryY2gu8gL32MJ6corIKOaPRlWKafc5ib4xNL37Qog
- THYimDfTsw+Xo9ksI4pZyegXxI6IgG/tsrFqFTC7kS6Bd57lFN4ruWjB3k5Gb0dO
- s5w0/A2QnQaSnkByAE8yjCcZylqPC3cKGYVWHrO6QlVuw99joS8wFxwuFQvly7Qh
- A/YEr4o+dGe/hkbG9j8o1AFChJNlz1tAl0Q9zs1AgpdCJ4Qzv8ZRRBh4OqPrYFfU
- JuzfVTxEq2BTmgWWCK3pjVuNOP3ezooofbV+Sag9z5PZ+NzY1hn2vJmOLh2iXDXD
- vmLzcRrgttSI2SPYPXTfRjdB/rD+T8pJedz4JQgZfz6gOtarxV8vEHRk6/yyuCsD
- UFxGMpkIriGKEcoPdOAb4Om236P3UOFMnPxKeSgzornVquURhLxR/P9C2+CL4DTB
- TAcKdDuTmBM+mJHlokKvM2YfJGpHr/81vgvuoZLm6wJTtSafE87xU+R4
+ MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI6M+NicV3wgACAggA
+ MBQGCCqGSIb3DQMHBAgTVUNlqWeA9gSCAoC7WF+N85ZdPBwcPJB184UlU2HxL/7+
+ yyTlczZioYo9hUl7P3aWrexeBnb9PRjNfguK9PvaB7TSJr4lmNMs9WINS/wYwPIW
+ RlUzcfEDTQyevlji7GNxVKaE945FjjIstKxYZK62FTGP4eF6GZfBcQNuTgfRFiKW
+ CIEGVD0hhTQ0OL6MPFjT4ILWF1VwaTEOYmw74lLhsPBsLfR8tK0rLrplJvFUqBxx
+ lJJZ3uKOoym7lUMIRbjXRU9ip13/1BnTM44AUvp4r56rbwzK0hpHSGNoKR3Dbpwo
+ XH2zZzufRT2oUu6ENVNkcz8iHGdfqnjqSn0qed0bsL+qPZtVvNV0UM+AX94rVzjI
+ ylhNBlZQjGBHIiAy13MaLe794TER3RGWTrUFw+rMQIRZwV/feK6NnNpo8uTLlU/w
+ 6PXLoifQgvUW95SDPiQnVDNtD7m0W/QTOfjk2m37SgehOf6uhZZ4ohgxxkWlItbz
+ Np6u9+Ep4U+16BURrGkDTDnawmudiJbR/48iVa8TfiAi90z5q1H9/0ONSWHWvl0Z
+ 41JzdWaENVnBIAM278Q0UKoplMk4pFORTfV6NNjn0MPGSoAHktqyE77BOhpREedG
+ HCSq3fgbENdXB3rmL5LlGeSD4xsMoHiR2/0O7nsvD1tjHz7AfPw5A7CGtRev+FKK
+ VeGFsebDD3D/RwaxN8WxWYm/NhKwgnIR4bBbIFg7dWcjK4gMsky7BWioPkrYVhqo
+ /GKE8gjmRvQZqKsGpfLdF28Yptn3PmB+Ooyl7iKiVlM2f64vsxijoND1aG1i5BzH
+ dGCaHYnC3uj2jICXbzSQ8RvhJjGIlaT7jz7mas6Aurl3MKL9V6ObPH4M
-----END ENCRYPTED PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----
--
Shaun Krok
Tel: 050 2424 381
Frank Bulk
2015-07-22 03:50:02 UTC
Just adjust the match lines to include the block of data you want to ignore.

Frank

-----Original Message-----
From: Rancid-discuss [mailto:rancid-discuss-***@shrubbery.net] On Behalf
Of Shaun Krok
Sent: Tuesday, July 14, 2015 12:02 AM
To: Rancid Discuss <rancid-***@shrubbery.net>
Subject: [rancid] issue with fortigate FW after upgrade

Hi

Was hoping someone had come across this in recent days.

We have several sites running FortiGate FW clusters without issues.
We then upgraded a site to a new version and now have the following
"noise" issue.

Running version 3.0 of rancid, and I have checked the fnrancid script;
it does have the patch mentioned in the forum.

If anyone can help with this, it would be much appreciated.

Shaun



**********************

Here is a snip ?

sub GetConf {
    print STDERR " In GetConf: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        next if /^\s*$/;
        last if (/$prompt/);

        # System time is fortigate extraction time
        next if (/^\s*!System time:/);
        # remove occurrences of conf_file_ver
        next if (/^#?conf_file_ver=/);

        # filter cycling RSA private keys
        if (/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/) {
            ProcessHistory("","","","#$_");
            ProcessHistory("","","","# <removed>");
            while (<INPUT>) {
                tr/\015//d;
                last if (/$prompt/);

                if (/^\s*-----END RSA PRIVATE KEY-----"/) {
                    ProcessHistory("","","","#$_");
                    last;
                }
            }
        }
        # filter cycling password encryption
        if (/^\s*(set [^\s]*)\s(enc\s[^\s]+)(.*)/i && $filter_pwds > 0) {
            ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
            next;
        }
        ProcessHistory("","","","$_");
    }
    $found_end = 1;
    return(1);
}



retrieving revision 1.510
diff -U 10 -r1.510 de-fw
@@ -16047,35 +16047,35 @@
Z0nf1R7CqJgrTEeDgUwuRMLvyGPui3tbMfYmYb95HLCpTqnJUHvi
-----END CERTIFICATE-----"
set scep-url ''
set source-ip 0.0.0.0
next
end
config vpn certificate local
edit "Fortinet_Factory"
#set password ENC <removed>
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
- MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIHB+yEmeRPUsCAggA
- MBQGCCqGSIb3DQMHBAgiWcwKklgTzQSCAoATyGNsZtmmKFswxEjAoX9nEm1La21g
- ZlbBj0g4GP4hQwQZ+HTXRgQ+FqqQVst1Ylk6P4TYrSSHux4BXSgg4wCs3JM7d5j7
- g4tlQnvThXPynSTSzARB6fShDqBwSW1+uR3mD+wFoe0wFVW5RW62AaI1D1nvV6oH
- j/71eQLS0Iv9bX3F9VWxnvUm0uQtH6a+L+n5hzsDUyWbfSGvmmmNVTuLzpKXLRaP
- OH0JaIafUI5CNGu1Kvga3Ys++9cBObo+XLUlm4mPICtxOPNBG2rM6TxKHi4z6VZN
- 8wfPzK7BPqKlqAFVpvqfhpNt/uQFCIO4VGIGiLEwI4nF4+pna0UFBv5IXXqRLnXp
- nHDcRD3RA2AqdUUKihH9/WpryY2gu8gL32MJ6corIKOaPRlWKafc5ib4xNL37Qog
- THYimDfTsw+Xo9ksI4pZyegXxI6IgG/tsrFqFTC7kS6Bd57lFN4ruWjB3k5Gb0dO
- s5w0/A2QnQaSnkByAE8yjCcZylqPC3cKGYVWHrO6QlVuw99joS8wFxwuFQvly7Qh
- A/YEr4o+dGe/hkbG9j8o1AFChJNlz1tAl0Q9zs1AgpdCJ4Qzv8ZRRBh4OqPrYFfU
- JuzfVTxEq2BTmgWWCK3pjVuNOP3ezooofbV+Sag9z5PZ+NzY1hn2vJmOLh2iXDXD
- vmLzcRrgttSI2SPYPXTfRjdB/rD+T8pJedz4JQgZfz6gOtarxV8vEHRk6/yyuCsD
- UFxGMpkIriGKEcoPdOAb4Om236P3UOFMnPxKeSgzornVquURhLxR/P9C2+CL4DTB
- TAcKdDuTmBM+mJHlokKvM2YfJGpHr/81vgvuoZLm6wJTtSafE87xU+R4
+ MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI6M+NicV3wgACAggA
+ MBQGCCqGSIb3DQMHBAgTVUNlqWeA9gSCAoC7WF+N85ZdPBwcPJB184UlU2HxL/7+
+ yyTlczZioYo9hUl7P3aWrexeBnb9PRjNfguK9PvaB7TSJr4lmNMs9WINS/wYwPIW
+ RlUzcfEDTQyevlji7GNxVKaE945FjjIstKxYZK62FTGP4eF6GZfBcQNuTgfRFiKW
+ CIEGVD0hhTQ0OL6MPFjT4ILWF1VwaTEOYmw74lLhsPBsLfR8tK0rLrplJvFUqBxx
+ lJJZ3uKOoym7lUMIRbjXRU9ip13/1BnTM44AUvp4r56rbwzK0hpHSGNoKR3Dbpwo
+ XH2zZzufRT2oUu6ENVNkcz8iHGdfqnjqSn0qed0bsL+qPZtVvNV0UM+AX94rVzjI
+ ylhNBlZQjGBHIiAy13MaLe794TER3RGWTrUFw+rMQIRZwV/feK6NnNpo8uTLlU/w
+ 6PXLoifQgvUW95SDPiQnVDNtD7m0W/QTOfjk2m37SgehOf6uhZZ4ohgxxkWlItbz
+ Np6u9+Ep4U+16BURrGkDTDnawmudiJbR/48iVa8TfiAi90z5q1H9/0ONSWHWvl0Z
+ 41JzdWaENVnBIAM278Q0UKoplMk4pFORTfV6NNjn0MPGSoAHktqyE77BOhpREedG
+ HCSq3fgbENdXB3rmL5LlGeSD4xsMoHiR2/0O7nsvD1tjHz7AfPw5A7CGtRev+FKK
+ VeGFsebDD3D/RwaxN8WxWYm/NhKwgnIR4bBbIFg7dWcjK4gMsky7BWioPkrYVhqo
+ /GKE8gjmRvQZqKsGpfLdF28Yptn3PmB+Ooyl7iKiVlM2f64vsxijoND1aG1i5BzH
+ dGCaHYnC3uj2jICXbzSQ8RvhJjGIlaT7jz7mas6Aurl3MKL9V6ObPH4M
-----END ENCRYPTED PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----
MIIDRTCCAi2gAwIBAgIDDAYBMA0GCSqGSIb3DQEBBQUAMIGgMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREwDwYD
VQQKEwhGb3J0aW5ldDEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRAw
DgYDVQQDEwdzdXBwb3J0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0
LmNvbTAeFw0xMzAzMTExMDMwNTdaFw0zODAxMTkwMzE0MDdaMIGdMQswCQYDVQQG
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREw
DwYDVQQKEwhGb3J0aW5ldDESMBAGA1UECxMJRm9ydGlHYXRlMRkwFwYDVQQDExBG
RzMwMEMzOTEzNjAzMTQ4MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0
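Review bot: every changed line in this hunk sits between `set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----` and `-----END ENCRYPTED PRIVATE KEY-----"`, but the GetConf filter posted above only matches `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----"`, so this block is never commented out and its body is recorded again each time it differs. Widening both match lines to accept the ENCRYPTED header as well would replace the body with `# <removed>`, which stops the churn and also keeps the key blob out of the revision history.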
--
Shaun Krok
Tel: 050 2424 381
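What "adjust the match lines" amounts to for the diff above, as an added stand-alone Perl example (not rancid's own code and not written by either poster). The helper name `redact_private_keys`, the widened patterns and the sample config are assumptions constructed for illustration; the example goes slightly beyond the thread by accepting any PEM private-key label rather than only the ENCRYPTED one.

```perl
#!/usr/bin/perl
# Added example: stand-alone filter, not rancid's own code.
# redact_private_keys() is a hypothetical helper; the sample config is constructed.
use strict;
use warnings;

# Match the opening/closing line of any PEM private-key block:
# "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY", or plain "PRIVATE KEY".
my $begin_re = qr/^\s*set private-key "-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----/;
my $end_re   = qr/^\s*-----END (?:[A-Z]+ )*PRIVATE KEY-----"/;

sub redact_private_keys {
    my @in = @_;
    my (@out, $in_key);
    for my $line (@in) {
        $line =~ tr/\015//d;
        if ($in_key) {
            # Inside a key block: drop body lines, keep only the END marker.
            if ($line =~ $end_re) {
                push @out, "#$line";
                $in_key = 0;
            }
            next;
        }
        if ($line =~ $begin_re) {
            push @out, "#$line", "# <removed>\n";
            $in_key = 1;
            next;
        }
        push @out, $line;
    }
    # An unterminated block means truncated output; flag it instead of hiding it.
    push @out, "# WARNING: private-key block not terminated\n" if $in_key;
    return @out;
}

# Constructed sample input (body lines are placeholders, not key material).
my @sample = map { "$_\n" } (
    'config vpn certificate local',
    '    edit "Fortinet_Factory"',
    '        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----',
    'PLACEHOLDERBODYLINE1',
    'PLACEHOLDERBODYLINE2',
    '-----END ENCRYPTED PRIVATE KEY-----"',
    '        set certificate "-----BEGIN CERTIFICATE-----',
);
print redact_private_keys(@sample);
```

Run against the sample, the key body collapses to a single `# <removed>` line while the commented BEGIN and END markers and the surrounding config lines pass through unchanged, so successive collections of the same device no longer differ in that block.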