Discussion:
[rancid] Rancid & Fortinet issue
Smaïne Kahlouch
2010-06-28 20:09:50 UTC
Hi everyone,

I just finished installing Rancid; everything works fine with Cisco
equipment, but I still have some issues backing up my Fortigate
firewalls.

I've seen these patches and wanted to know if they could be applied to the
current version, 2.3.3:
http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html

I have the same problem as described here:
<http://www.shrubbery.net/pipermail/rancid-discuss/2009-April/003898.html>
What should I change to solve my problem? My prompt is like
"FGT[model][s/n] # "

Thanks for your help,
Regards,

Smaïne
Devon True
2010-06-29 15:55:23 UTC
Post by Smaïne Kahlouch
Hi everyone,
I just finished installing Rancid; everything works fine with Cisco
equipment, but I still have some issues backing up my Fortigate
firewalls.
I've seen these patches and wanted to know if they could be applied to the
current version, 2.3.3:
http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
I have the same problem as described here:
<http://www.shrubbery.net/pipermail/rancid-discuss/2009-April/003898.html>
What should I change to solve my problem? My prompt is like
"FGT[model][s/n] # "
Attached are the fnrancid.diff and ftlogin.diff I wrote to back up
Fortigate devices. I did not try the patches you link; I opted to
troubleshoot and write my own.

I basically copied the nlogin script included in the rancid tarball to
ftlogin and then applied the attached diff. I also patched fnrancid
included with rancid.

Some of the modifications may not be necessary, and thanks to John
Heasley for some behind-the-scenes advice. These modifications work for
me running a mixture of v3 and v4 FortiOS on several devices.

--
Devon
Smaïne Kahlouch
2010-06-29 17:53:56 UTC
Hi Devon,

Thanks a lot for your help. Does that work with rancid-2.3.3?
I just tried it but it doesn't work for me.
Here is what I did; maybe I'm mistaken:

# cp nlogin ftlogin
# patch -p1 < /home/ipoc/ftlogin.diff

missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- nlogin 2010-06-16 14:36:18.000000000 +0000
|+++ ftlogin 2010-06-17 17:28:20.000000000 +0000
--------------------------
File to patch: /usr/lib/rancid/bin/ftlogin
patching file /usr/lib/rancid/bin/ftlogin
Hunk #2 FAILED at 448.
Hunk #3 FAILED at 488.
patch unexpectedly ends in middle of line
Hunk #4 FAILED at 563.
3 out of 4 hunks FAILED -- saving rejects to
file /usr/lib/rancid/bin/ftlogin.rej

# cat /usr/lib/rancid/bin/ftlogin.rej
***************
*** 445,451 ****
expect {
-re "\[\n\r]+" { exp_continue }
-re "$prompt" {}
- -gl "--- more ---" { send " "
exp_continue
}
}
--- 448,454 ----
expect {
-re "\[\n\r]+" { exp_continue }
-re "$prompt" {}
+ -gl "--More-- " { send " "
exp_continue
}
}
***************
*** 485,491 ****
set timeout $timeoutdflt
}

- set prompt {-> }

# Figure out passwords
if { $do_passwd || $do_enapasswd } {
--- 488,494 ----
set timeout $timeoutdflt
}

+ set prompt {# }

# Figure out passwords
if { $do_passwd || $do_enapasswd } {
***************
*** 560,566 ****
continue
}
} elseif { $do_script } {
- send "set console page 0\r"
expect -re $prompt {}
source $sfile

--- 563,572 ----
continue
}
} elseif { $do_script } {
+ #send "set console page 0\r"
+ send "config system console\r"
+ send "set output standard\r"
+ send "end\r"
expect -re $prompt {}
source $sfile



Smaïne Kahlouch
2010-06-29 18:15:40 UTC
Don't worry, I'll modify it by hand.
Thanks again

Smaïne Kahlouch
2010-06-29 18:53:32 UTC
Perfectly, thanks.
You roxx :p.

Now I have to see if it's possible to make rancid work with Blue Coat
load balancers and Check Point firewalls.

See you soon


-------- Original Message --------
From: Devon True <***@noved.org>
To: Smaïne Kahlouch <***@free.fr>
Subject: Re: [rancid] Re: Rancid & Fortinet issue
Date: Tue, 29 Jun 2010 14:22:41 -0400

Post by Smaïne Kahlouch
Don't worry, I'll modify it by hand.
Thanks again
Oops! I saw this response too late. :)

Glad you got it patched. Did the patches fix the issue?

--
Devon
Devon True
2010-06-29 18:21:39 UTC
Post by Smaïne Kahlouch
Hi Devon,
Thanks a lot for your help. Does that work with rancid-2.3.3?
I just tried it but it doesn't work for me.
# cp nlogin ftlogin
# patch -p1 < /home/ipoc/ftlogin.diff
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
[snip]

It looks like it may be related to the difference in whitespace.

$ patch -p1 -l < ftlogin.diff
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- nlogin 2010-06-16 14:36:18.000000000 +0000
|+++ ftlogin 2010-06-17 17:28:20.000000000 +0000
--------------------------
File to patch: ftlogin
patching file ftlogin

A visual inspection of the diff between nlogin and ftlogin looks good.

Here is a unified diff based off nlogin that should resolve whitespace
issues:

- --- nlogin 2010-03-23 19:33:49.000000000 -0400
+++ ftlogin 2010-06-29 14:17:01.000000000 -0400
@@ -435,7 +435,9 @@
global in_proc
set in_proc 1

- - send "set console page 0\r"
+ send "config system console\r"
+ send "set output standard\r"
+ send "end\r"
expect -re $prompt {}

set commands [split $command \;]
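Review bot: the three `send` lines in this hunk (`config system console`, `set output standard`, `end`) are followed by a single `expect -re $prompt {}`, so the two extra prompts the device returns stay unread in the expect buffer and can satisfy the next `expect` before the first real command has produced output, truncating the captured config. Add an `expect -re $prompt {}` after each `send`. Also, unlike the `set console page 0` it replaces, this sequence appears to write a persistent setting into the device configuration rather than only changing the session, so the first backup after deployment will show it as a diff; that is worth confirming and stating in the patch description, since John asks the same question below.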
@@ -445,7 +447,7 @@
expect {
-re "\[\n\r]+" { exp_continue }
-re "$prompt" {}
- - -gl "--- more ---" { send " "
+ -gl "--More--" { send " "
exp_continue
}
}
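Review bot: `-gl "--More--"` here differs from the attached ftlogin.diff copy of the same hunk, which uses `"--More-- "` with a trailing space. The looser match is the safer one, but the two copies should agree so that whoever applies one and not the other does not end up with a pager prompt that is never acknowledged. A short comment noting that this branch is only a fallback once `set output standard` has disabled paging would also help.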
@@ -485,7 +487,7 @@
set timeout $timeoutdflt
}

- - set prompt {-> }
+ set prompt {# }

# Figure out passwords
if { $do_passwd || $do_enapasswd } {
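Review bot: `set prompt {# }` is used as a regular expression (`expect -re $prompt`) with no anchor, so it matches `# ` anywhere in device output, not only at a prompt; any line of `show` output containing `# ` would end the wait early and truncate the backup. Anchor it to the end of the buffer and, since Devon notes the prompt is `$` or `#` depending on the login, cover both, e.g. `set prompt {[$#] $}`. fnrancid's matching regex (`" #\s*"` in the fnrancid diff) should then be kept in step.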
@@ -560,7 +562,9 @@
continue
}
} elseif { $do_script } {
- - send "set console page 0\r"
+ send "config system console\r"
+ send "set output standard\r"
+ send "end\r"
expect -re $prompt {}
source $sfile
catch {close};
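Review bot: same sequencing issue as the first hunk: three `send`s, one `expect -re $prompt {}`, and then `source $sfile` runs the user's script against a buffer that still holds two unread prompts. Expect the prompt after each `send` here as well, so the `-c` and `-s` code paths stay identical.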

--
Devon
john heasley
2010-06-30 01:22:59 UTC
Post by Smaïne Kahlouch
Attached are the fnrancid.diff and ftlogin.diff I wrote to backup
Fortigate devices. I did not try the patches you link; I opted to
troubleshoot and write my own.
I basically copied the nlogin script included in the rancid tarball to
ftlogin and then applied the attached diff. I also patched fnrancid
included with rancid.
Some of the modifications may not be necessary and thanks for John
Heasley for some behind-the-scenes advice. These modifications work for
me running a mixture of v3 and v4 FortiOS on several devices.
I don't have any Fortinet devices and do not know anything about them. When
did the prompt change? Are there old devices that cannot be upgraded and
whose prompt has not changed? i.e., does the old script need to remain?

Has anyone else tested these changes?
Post by Smaïne Kahlouch
--- fnrancid.orig 2010-06-16 14:46:06.000000000 +0000
+++ fnrancid 2010-06-25 14:24:18.000000000 +0000
@@ -59,7 +59,7 @@
$file = $opt_f;
$host = $ARGV[0];
$found_end = 0;
-$timeo = 90; # nlogin timeout in seconds
+$timeo = 90; # ftlogin timeout in seconds
my($aclsort) = ("ipsort"); # ACL sorting mode
@@ -174,6 +174,9 @@
tr/\015//d;
next if /^\s*$/;
last if(/$prompt/);
+ next if (/^get system status/);
+ next if (/^System time:/);
+ next if (/^FortiClient application signature package:/);
ProcessHistory("","","","$_");
}
print STDOUT "Vendor: $vendor";
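Review bot: the three `next if` lines skip the echoed command and the time-varying `System time:` and `FortiClient application signature package:` lines, but nothing in the hunk says why; a one-line comment (volatile output that would otherwise produce a diff on every run) would save the next reader guessing. Their placement after `last if(/$prompt/)` is right, since the prompt check must win.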
@@ -196,10 +199,23 @@
tr/\015//d;
next if /^\s*$/;
last if(/$prompt/);
- if (/(^set.*)('Enc .*')(.*)/) {
- ProcessHistory("ENC","","","!$1 'Enc **encoding removed**' $3\n");
- next;
- }
+ next if (/^#conf_file_ver=/);
+ if (/(^set.*)('Enc .*')(.*)/) {
+ ProcessHistory("ENC","","","!$1 'Enc **encoding removed**' $3\n");
+ next;
+ }
+ if (/(^\s*set psksecret)(\sENC .*)/ && $filter_pwds >= 1) {
+ ProcessHistory("ENC","","","$1 <removed>\n");
+ next;
+ }
+ if (/(^\s*set passwd)(\sENC .*)/ && $filter_pwds >= 1) {
+ ProcessHistory("ENC","","","$1 <removed>\n");
+ next;
+ }
+ if (/(^\s*set password)(\sENC .*)/ && $filter_pwds >= 1) {
+ ProcessHistory("ENC","","","$1 <removed>\n");
+ next;
+ }
ProcessHistory("","","","$_");
}
$found_end = 1;
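Review bot: the three near-identical blocks for `set psksecret`, `set passwd` and `set password` can be one regex, `/(^\s*set (?:psksecret|passwd|password))(\sENC .*)/`, and more importantly the list is a whitelist of what gets hidden: any other `set <key> ENC <blob>` line in `show` output is stored in the backup as-is. Since the `ENC` marker identifies every such value, a catch-all `/(^\s*set \S+)\sENC\s/` replaced with `<removed>` would fail safe. The `$filter_pwds >= 1` guards are also always true given the later hunk that forces `$filter_pwds = 1`.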
@@ -212,7 +228,7 @@
# Main
@commandtable = (
{'get system status' => 'GetSystem'},
- {'get conf' => 'GetConf'}
+ {'show' => 'GetConf'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@@ -241,13 +257,13 @@
print STDOUT "opening file $host\n" if ($log);
open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
- print STDERR "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
- print STDOUT "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
+ print STDERR "executing ftlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
+ print STDOUT "executing ftlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
if (defined($ENV{NOPIPE})) {
- system "nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "nlogin failed for $host: $!\n";
- open(INPUT, "< $host.raw") || die "nlogin failed for $host: $!\n";
+ system "ftlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "ftlogin failed for $host: $!\n";
+ open(INPUT, "< $host.raw") || die "ftlogin failed for $host: $!\n";
} else {
- open(INPUT,"nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "nlogin failed for $host: $!\n";
+ open(INPUT,"ftlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "ftlogin failed for $host: $!\n";
}
}
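Review bot: the `system "ftlogin -t $timeo ..." || die "ftlogin failed ..."` lines carry over a pre-existing problem from the nlogin version: `||` binds to the string argument, so this parses as `system("..." || die ...)` and the `die` never fires. `system(...) == 0 or die ...` is what was intended, and since this hunk already touches those exact lines it is the moment to fix it.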
@@ -263,25 +279,27 @@
$filter_commstr = 0;
}
# determine password filtering mode
-if ($ENV{"FILTER_PWDS"} =~ /no/i) {
- $filter_pwds = 0;
-} elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
- $filter_pwds = 2;
-} else {
- $filter_pwds = 1;
-}
+#if ($ENV{"FILTER_PWDS"} =~ /no/i) {
+# $filter_pwds = 0;
+#} elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
+# $filter_pwds = 2;
+#} else {
+# $filter_pwds = 1;
+#}
+# Force $filter_pwds to 1
+$filter_pwds = 1;
ProcessHistory("","","","!RANCID-CONTENT-TYPE: fortigate\n\n");
TOP: while(<INPUT>) {
tr/\015//d;
if (/^Error:/) {
- print STDOUT ("$host nlogin error: $_");
- print STDERR ("$host nlogin error: $_") if ($debug);
+ print STDOUT ("$host ftlogin error: $_");
+ print STDERR ("$host ftlogin error: $_") if ($debug);
last;
}
- while (/>\s*($cmds_regexp)\s*$/) {
+ while (/#\s*($cmds_regexp)\s*$/) {
$cmd = $1;
- if (!defined($prompt)) { $prompt = " >\s*"; }
+ if (!defined($prompt)) { $prompt = " #\s*"; }
print STDERR ("HIT COMMAND:$_") if ($debug);
if (!defined($commands{$cmd})) {
print STDERR "$host: found unexpected command - \"$cmd\"\n";
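Review bot: commenting out the `FILTER_PWDS` handling and forcing `$filter_pwds = 1` removes the operator's `FILTER_PWDS=ALL` / `NO` choice without making the default any stricter, since the removed `else` branch already set 1. If the intent is that ENC values must never reach the repository regardless of configuration, say so in a comment and keep the env parsing so that `ALL` still works; otherwise revert to the original block. The prompt change to `/#\s*($cmds_regexp)\s*$/` and `" #\s*"` matches ftlogin's `{# }`, which is the right pairing.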
--- nlogin 2010-06-16 14:36:18.000000000 +0000
+++ ftlogin 2010-06-17 17:28:20.000000000 +0000
@@ -435,7 +435,10 @@
global in_proc
set in_proc 1
- send "set console page 0\r"
+ #send "set console page 0\r"
+ send "config system console\r"
+ send "set output standard\r"
+ send "end\r"
What does that do? Does that affect the "nvram" config?
Post by Smaïne Kahlouch
expect -re $prompt {}
set commands [split $command \;]
@@ -445,7 +448,7 @@
expect {
-re "\[\n\r]+" { exp_continue }
-re "$prompt" {}
- -gl "--- more ---" { send " "
+ -gl "--More-- " { send " "
exp_continue
}
}
@@ -485,7 +488,7 @@
set timeout $timeoutdflt
}
- set prompt {-> }
+ set prompt {# }
# Figure out passwords
if { $do_passwd || $do_enapasswd } {
@@ -560,7 +563,10 @@
continue
}
} elseif { $do_script } {
- send "set console page 0\r"
+ #send "set console page 0\r"
+ send "config system console\r"
+ send "set output standard\r"
+ send "end\r"
expect -re $prompt {}
source $sfile
catch {close};
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
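The password-filtering hunks in the fnrancid diff above are the security-relevant part of this thread: whatever survives the filter is committed to rancid's repository. Below is an added example (not rancid's code, and Python rather than fnrancid's Perl) that re-implements that filtering over a constructed sample of FortiOS `show` output and adds a catch-all for any `set ... ENC ...` line, which the diff's three explicit patterns do not cover; the sample, its ENC blobs and the `other-secret` key name are all invented.

```python
import re

# Constructed sample of FortiOS "show" output, not captured from a real device.
# The ENC blobs are made-up placeholders; "other-secret" is an invented key name
# standing in for any setting the diff's three explicit patterns do not cover.
SAMPLE_SHOW_OUTPUT = """\
#conf_file_ver=1234567890
config vpn ipsec phase1
    edit "to-branch"
        set psksecret ENC AAAAAAAAAAAAAAAA==
    next
end
config system admin
    edit "admin"
        set password ENC BBBBBBBBBBBBBBBB==
    next
end
config user local
    edit "vpnuser"
        set passwd ENC CCCCCCCCCCCCCCCC==
        set other-secret ENC DDDDDDDDDDDDDDDD==
    next
end
"""

# The same three keys the fnrancid diff hides when $filter_pwds >= 1.
EXPLICIT_ENC = re.compile(r"^(\s*set (?:psksecret|passwd|password))\sENC\s")
# Volatile header the diff skips so the backup does not change on every run.
CONF_FILE_VER = re.compile(r"^#conf_file_ver=")
# Catch-all (our suggestion, not in the diff): any "set <key> ENC <blob>" line.
ANY_ENC = re.compile(r"^(\s*set \S+)\sENC\s")


def filter_config(text, filter_pwds=1, catch_all=False):
    """Mimic fnrancid's GetConf loop; returns (kept_lines, removed_count)."""
    kept, removed = [], 0
    for line in text.splitlines():
        if not line.strip() or CONF_FILE_VER.match(line):
            continue  # blank lines and the version header never reach the repo
        if filter_pwds >= 1:
            m = EXPLICIT_ENC.match(line) or (catch_all and ANY_ENC.match(line))
            if m:
                kept.append(f"{m.group(1)} <removed>")  # keep the key, drop the value
                removed += 1
                continue
        kept.append(line)
    return kept, removed


def leaked_secrets(lines):
    """Count lines still carrying an ENC blob: what the backup must not contain."""
    return sum(1 for line in lines if re.search(r"\sENC\s\S+", line))
```

With the diff's three patterns alone, `leaked_secrets` still reports the invented `other-secret` line; with `catch_all=True` nothing carrying an ENC value reaches the kept output.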
Devon True
2010-06-30 12:59:46 UTC
Post by john heasley
I don't have any Fortinet devices and do not know anything about them. When
did the prompt change? Are there old devices that cannot be upgraded and
whose prompt has not changed? i.e., does the old script need to remain?
I have only been using Fortinet devices for the past 1.5 years, but I
don't recall ever seeing the prompt ->; it was either $ or #. On the
Netscreen devices I admin, -> is the prompt and the nlogin script works
great on those devices.

There was some discussion about the prompt changing back in 2006 on this
mailing list.

http://thread.gmane.org/gmane.network.rancid/1515/focus=1527

--
Devon
