[rancid] Fortigate - tweak suggestion as well as issue with spacing FortiOS >5.4+
Chris Wopat
2017-05-30 13:17:24 UTC
Two notes with Fortigate (fnrancid): one a feature request, the other
an issue we're trying to pin down.

1) feature - I'd suggest changing the config it fetches from 'show
full-configuration' to just 'show', which will show only non-default
stuff. 'show full-configuration' is equivalent to IOS's 'show
running-config full'. 'show' seems to match better with how most
devices are handled.


2) issue with spacing / tabbing causing excessive diffs. This seemed
to have begun happening in FortiOS 5.4 and was not happening on 5.2.
It happens in both 5.4 and 5.6 and across various devices (half a dozen;
1000d, 600d, 100d).

Random sections of the config line wrap or change their spacing and
flip back and forth. It doesn't seem to be excessively wide lines, nor
any specific section of the config.

This is a change detected between two consecutive runs with no changes
made to a device:

config system global
- set admintimeout 35
+ set admintimeout
+ 35


config system global
- set admintimeout
- 35
+ set admintimeout 35


.. and another:

config system global
- set disk-usage wanopt
+ set disk-usage
+ wanopt

config system global
- set disk-usage
- wanopt
+ set disk-usage wanopt


.. and another:

- config
- system accprofile
+ config system accprofile
edit "prof_admin"
set mntgrp read-write


.. and so on

- next
+ next
end


- next
+ next
end

Curious if others are seeing this as well. I've opened a case w/
Fortinet as I believe it's on their side, but have a hard time
convincing them.
Alexander Griesser
2017-05-30 13:25:29 UTC
Hi,

me too (tm).
On all of my fortigates - also happens on Quaggas, fwiw.
The linebreaks are hard to ignore for diff, but this one:

- next
+ next
end

can be fixed by adding "ignore-whitespace" as a diff option which would make sense in all situations I guess; not sure if there's any router/switch/firewall which really cares about whitespace syntax-wise.

Best,

Alexander Griesser
Head of Systems Operations

ANEXIA Internetdienstleistungs GmbH

E-Mail: ***@anexia-it.com
Web: http://www.anexia-it.com

Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
Geschäftsführer: Alexander Windbichler
Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601


Chris Wopat
2017-05-30 14:45:04 UTC
On Tue, May 30, 2017 at 8:25 AM, Alexander Griesser
Post by Alexander Griesser
Hi,
me too (tm).
On all of my fortigates - also happens on Quaggas, fwiw.
- next
+ next
end
can be fixed by adding "ignore-whitespace" as a diff option which would make sense in all situations I guess; not sure if there's any router/switch/firewall which really cares about whitespace syntax-wise.
Curious if others opened tickets with Fortigate on this? Perhaps if a
few of us did they'd get the memo.
Alexander Griesser
2017-05-30 15:25:16 UTC
Post by Alexander Griesser
me too (tm).
On all of my fortigates - also happens on Quaggas, fwiw.
- next
+ next
end
can be fixed by adding "ignore-whitespace" as a diff option which would make sense in all situations I guess; not sure if there's any router/switch/firewall which really cares about whitespace syntax-wise.
Curious if others opened tickets with Fortigate on this? Perhaps if a few of us did they'd get the memo.
I personally did not and I'm not sure if they would care after all. From my experience, they will most likely tell you to use the integrated config backup option of their systems rather than using unsupported third party tools to retrieve the configuration.

Best,
/AG
heasley
2017-06-06 06:43:39 UTC
Post by Alexander Griesser
Hi,
me too (tm).
On all of my fortigates - also happens on Quaggas, fwiw.
- next
+ next
end
Is the command to disable the pager perhaps not working?
Post by Alexander Griesser
can be fixed by adding "ignore-whitespace" as a diff option which would make sense in all situations I guess; not sure if there's any router/switch/firewall which really cares about whitespace syntax-wise.
True, but this would filter spaces that are legitimate. :)
Post by Alexander Griesser
-----Ursprüngliche Nachricht-----
Gesendet: Dienstag, 30. Mai 2017 15:17
Betreff: [rancid] Fortigate - tweak suggestion as well as issue with spacing FortiOS >5.4+
Two notes with Fortigate (fnrancid)- one a feature request, the other an issue we're trying to pin down.
1) feature - i'd suggest changing the config it fetches from 'show full-configuration' to just 'show', which will show only non-default stuff. 'show full-configuration' is equivilant to IOS's 'show running-config full'. 'show' seems to match better with how most devices are handled.
I do not know the platform; you folks tell me. Or, convert it to a module and
have more than one spec.
Post by Alexander Griesser
2) issue with spacing / tabbing causing excessive diffs. This seemed to have begun happening in FortiOS 5.4 and was not happening on 5.2.
It happens in both 5.4 and 5.6 and across various devices (half dozen, 1000d, 600d, 100d.).
Random sections of the config line wrap or change their spacing and flip back and forth. It doesn't seem to be excessively wide lines, nor any specific section of the config.
config system global
- set admintimeout 35
+ set admintimeout
+ 35
config system global
- set admintimeout
- 35
+ set admintimeout 35
config system global
- set disk-usage wanopt
+ set disk-usage
+ wanopt
config system global
- set disk-usage
- wanopt
+ set disk-usage wanopt
- config
- system accprofile
+ config system accprofile
edit "prof_admin"
set mntgrp read-write
.. and so on
- next
+ next
end
- next
+ next
end
Curious if others are seeing this as well. I've opened a case w/ Fortinet as I believe it's on their side, but have a hard time convincing them.
Chris Wopat
2017-06-06 13:26:52 UTC
Post by heasley
Post by Alexander Griesser
Hi,
me too (tm).
On all of my fortigates - also happens on Quaggas, fwiw.
- next
+ next
end
Is the command to disable the pager perhaps not working?
Disabling the pager appears to be working properly; the fnlogin script seems
to properly send the correct commands (page 496 of
http://docs.fortinet.com/uploaded/files/800/fortigate-cli-50.pdf ):

config system console
set output standard

It does appear to send a "config global" command prior to this which
appears to not be valid on fortiOS 5.2/5.4/5.6. Perhaps necessary on
older versions, unsure.
Post by heasley
Post by Alexander Griesser
1) feature - i'd suggest changing the config it fetches from 'show full-configuration' to just 'show', which will show only non-default stuff. 'show full-configuration' is equivilant to IOS's 'show running-config full'. 'show' seems to match better with how most devices are handled.
I do not know the platform; you folks tell me. Or, convert it to a module and
have more than one spec.
I'd like to hear if others are on board with this, if so the quick and
dirty is just adjusting @commandtable's

{'show full-configuration' => 'GetConf'}

to

{'show' => 'GetConf'}


Another patch that I hope others agree on would be to add this to sub
GetSystem {}

next if (/^\s*IPS-ETDB: .*/);
next if (/^\s*APP-DB: .*/);
next if (/^\s*IPS Malicious URL Database: .*/);
next if (/^\s*Botnet DB: .*/);

There are already a few lines like this in there; these may be fixes for
newer versions of those names or newer features.

They're super chatty and update every few days with revision #s and
timestamps. Example lines, in case the regexp should be tweaked further (it
was copied from the existing ones):

IPS-ETDB: 11.00153(2017-06-05 18:43)
APP-DB: 11.00152(2017-06-01 23:21)
IPS Malicious URL Database: 1.00665(2017-06-05 05:25)
Botnet DB: 3.00393(2017-06-05 10:09)

--Chris
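To show what the proposed GetSystem filter actually does to the archived output, here is an added example (mine, not fnrancid's code, and in Python rather than the Perl the rancid scripts are written in). The four regexes are the ones proposed above; the two captures, the hostname line and the newer revision numbers in run B are constructed sample data. It demonstrates the point of the patch: two captures that differ only in the signature-database lines produce no diff once those lines are dropped.

```python
import re

# Python equivalents of the four Perl `next if (/.../)` filters proposed for
# fnrancid's GetSystem; the regexes are kept exactly as quoted in the thread.
VOLATILE_PATTERNS = [
    re.compile(r"^\s*IPS-ETDB: .*"),
    re.compile(r"^\s*APP-DB: .*"),
    re.compile(r"^\s*IPS Malicious URL Database: .*"),
    re.compile(r"^\s*Botnet DB: .*"),
]

# Two constructed "status" captures taken a few days apart. The four database
# lines use the example values quoted in the thread (run A) and made-up newer
# revisions (run B); the hostname and mode lines are invented stable context.
RUN_A = """\
Hostname: fw-example
IPS-ETDB: 11.00153(2017-06-05 18:43)
APP-DB: 11.00152(2017-06-01 23:21)
IPS Malicious URL Database: 1.00665(2017-06-05 05:25)
Botnet DB: 3.00393(2017-06-05 10:09)
Operation Mode: NAT
"""

RUN_B = """\
Hostname: fw-example
IPS-ETDB: 11.00160(2017-06-08 04:12)
APP-DB: 11.00158(2017-06-07 22:40)
IPS Malicious URL Database: 1.00671(2017-06-08 01:05)
Botnet DB: 3.00399(2017-06-08 03:30)
Operation Mode: NAT
"""


def is_volatile(line: str) -> bool:
    """True for lines that change on every signature update and should not be archived."""
    return any(p.match(line) for p in VOLATILE_PATTERNS)


def filter_status(text: str) -> list[str]:
    """Keep only the lines that would be written into the archived config."""
    return [line for line in text.splitlines() if not is_volatile(line)]


def archive_changed(old: str, new: str) -> bool:
    """Would a diff be committed between these two captures after filtering?"""
    return filter_status(old) != filter_status(new)


if __name__ == "__main__":
    print("\n".join(filter_status(RUN_A)))
    print("changed after filtering:", archive_changed(RUN_A, RUN_B))
```

Run stand-alone it prints the two surviving lines and `changed after filtering: False`; without the filter the two captures differ on every database line, which is exactly the every-few-days churn the patch is meant to suppress.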
Griesser Alexander
2017-06-08 06:30:56 UTC
Hey,
Post by Chris Wopat
Post by heasley
Post by Alexander Griesser
1) feature - i'd suggest changing the config it fetches from 'show full-configuration' to just 'show', which will show only non-default stuff. 'show full-configuration' is equivilant to IOS's 'show running-config full'. 'show' seems to match
better with how most devices are handled.
I do not know the platform; you folks tell me. Or, convert it to a
module and have more than one spec.
{'show full-configuration' => 'GetConf'}
to
{'show' => 'GetConf'}
I think default values might change from time to time, so I do usually prefer to have a full config dump of my devices, just in case I need to recover from an older version of the configuration after an upgrade - but I'm not exactly sure how Forti* handles these kinds of things, so basically, I do not really have a strong opinion on that.
Post by Chris Wopat
Another patch that I hope others agree on would be to add this to sub GetSystem {}
next if (/^\s*IPS-ETDB: .*/);
next if (/^\s*APP-DB: .*/);
next if (/^\s*IPS Malicious URL Database: .*/);
next if (/^\s*Botnet DB: .*/);
There are already a few lines like this in there, this may be fixes for newer versions of those names or newer features.
+1 on that, good point.

Best,
Alex
Chris Wopat
2017-06-08 14:37:35 UTC
Post by Griesser Alexander
I think default values might change from time to time, so I do usually
prefer to have a full config dump of my devices, just in case I need to
recover from an older version of the configuration after an upgrade - but
I'm not exactly sure how Forti* handles these kinds of things, so
basically, I do not really have a strong opinion on that.
Curious about others' thoughts if anyone else uses forti*. I've not used them
extensively enough to know if they change defaults often; I'm only really
involved in this as they're devices on our net and they should use our common
backup mechanism.
Post by Griesser Alexander
+1 on that, good point.
Guessing these are universally supported as they're super chatty. I can
submit a patch for this if that's the more official method to do so.

--Chris
Griesser Alexander
2017-06-08 06:36:15 UTC
Post by heasley
Post by Chris Wopat
- next
+ next
end
can be fixed by adding "ignore-whitespace" as a diff option which would make sense in all situations I guess; not sure if there's any router/switch/firewall which really cares about whitespace syntax-wise.
True, but this would filter spaces that are legitimate. :)
Like which ones? I'm not aware of any legitimate spaces in the configuration of networking devices - does anyone have a syntax example for any device which makes a difference between one or two spaces in the configuration?

Best,
Alex
Piegorsch, Weylin William
2017-06-09 10:58:22 UTC
If you’re asking “any” device - in Cisco descriptions (FEX descriptions, interface descriptions...) I’ll sometimes add whitespace so that under some “show” commands I get output alignment. Makes it easy to visually identify errors (typos, etc.) and I’m playing with similar regex-based automated verification in my vendor tools (PRIME Infrastructure and so forth), and under normal operation non-alignment makes it a bit of a challenge to quickly scan and find the information I’m looking for.

I don’t know Forti*, not sure if that applies here.

weylin
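An added example (not from any of the posters, and not rancid code) that puts the ignore-whitespace discussion from the last few messages on concrete inputs: the "next" indentation flip, the wrapped "set admintimeout 35" value, and Weylin's column-aligned Cisco descriptions. All three config fragments are constructed; `normalize_ws` stands in for what an ignore-whitespace diff option compares, and `changed_lines` counts the resulting +/- lines with and without it.

```python
import re
from difflib import unified_diff


def normalize_ws(line: str) -> str:
    """Collapse runs of whitespace to one space and strip the ends: roughly
    what an ignore-whitespace diff option makes two lines compare as."""
    return re.sub(r"\s+", " ", line).strip()


def changed_lines(old: list[str], new: list[str], ignore_ws: bool = False) -> list[str]:
    """Return only the '-'/'+' lines of a unified diff between two configs."""
    if ignore_ws:
        old = [normalize_ws(l) for l in old]
        new = [normalize_ws(l) for l in new]
    out = []
    for line in unified_diff(old, new, lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue
        out.append(line)
    return out


# Case 1 (constructed): FortiOS indentation of "next" flipping between runs.
INDENT_A = ["config system global", "    set admintimeout 35", "next", "end"]
INDENT_B = ["config system global", "    set admintimeout 35", "    next", "end"]

# Case 2 (constructed): the wrapped-value form quoted earlier in the thread.
WRAP_A = ["config system global", "    set admintimeout 35", "end"]
WRAP_B = ["config system global", "    set admintimeout", "    35", "end"]

# Case 3 (constructed): Cisco-style descriptions padded for column alignment,
# then the padding removed; here the extra spaces are intentional content.
DESC_A = ["interface GigabitEthernet1/0/1", " description core-a    uplink",
          "interface GigabitEthernet1/0/2", " description core-b    uplink"]
DESC_B = ["interface GigabitEthernet1/0/1", " description core-a uplink",
          "interface GigabitEthernet1/0/2", " description core-b uplink"]


def summarize() -> dict[str, tuple[int, int]]:
    """(raw changed lines, changed lines ignoring whitespace) for each case."""
    cases = {"indent": (INDENT_A, INDENT_B),
             "wrap": (WRAP_A, WRAP_B),
             "desc": (DESC_A, DESC_B)}
    return {name: (len(changed_lines(a, b)), len(changed_lines(a, b, True)))
            for name, (a, b) in cases.items()}


if __name__ == "__main__":
    for name, (raw, ws) in summarize().items():
        print(f"{name}: {raw} raw changed lines, {ws} ignoring whitespace")
```

The output makes both sides of the argument visible at once: the indentation flip disappears under ignore-whitespace, the wrapped value does not (it is a line break, not spacing, so the option cannot help there), and the description-alignment edit disappears too, which is the legitimate change heasley warned would be silently lost.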

Alexander Griesser
2017-06-09 12:15:07 UTC
Good point, totally missed that.

Best,

Alexander Griesser
Merijn Evertse
2017-06-20 10:18:15 UTC
Hi,

Latest alpha release still has this issue with FortiOS 5.0.

- set two-factor-ftm-expiry 72
+ set two-fac
+ tor-ftm-expiry 72

And

- set
- admin-https-ssl-versions tlsv1-1 tlsv1-2
+ set admin-https-ssl-versions tlsv1-1 tlsv1-2

Merijn Evertse


Merijn Evertse
2017-05-30 13:25:48 UTC
Hi,

We have the same issue with Fortigate 5.0 releases.
There was already a discussion on the Rancid list about this, but at this moment the suggestions from that discussion did not solve it for us.

Merijn Evertse
