[rancid] Re: Rancid & Fortinet issue

john heasley heas at shrubbery.net
Wed Jun 30 01:22:59 UTC 2010


Tue, Jun 29, 2010 at 11:55:23AM -0400, Devon True:
> > On 6/28/2010 4:09 PM, Smaïne Kahlouch wrote:
> > Hi everyone,
> > 
> > I just finished installing Rancid; everything works fine with Cisco
> > equipment, but I still have some issues backing up my Fortigate
> > firewalls.
> > 
> > I've seen these patches and wanted to know if they could be applied to the
> > current version 2.3.3
> > http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
> > 
> > I have the same problem as described here
> > <http://www.shrubbery.net/pipermail/rancid-discuss/2009-April/003898.html>
> > What should I change to solve my problem? My prompt looks like
> > "FGT[model][s/n] # "
> 
> Attached are the fnrancid.diff and ftlogin.diff I wrote to back up
> Fortigate devices. I did not try the patches you link; I opted to
> troubleshoot and write my own.
> 
> I basically copied the nlogin script included in the rancid tarball to
> ftlogin and then applied the attached diff. I also patched fnrancid
> included with rancid.
> 
> Some of the modifications may not be necessary, and thanks to John
> Heasley for some behind-the-scenes advice. These modifications work for
> me running a mixture of v3 and v4 FortiOS on several devices.

I don't have any Fortinet devices and do not know anything about them.  When
did the prompt change?  Are there old devices that cannot be upgraded and
whose prompt has not changed?  i.e., does the old script need to remain?

Has anyone else tested these changes?

> --
> Devon

> --- fnrancid.orig       2010-06-16 14:46:06.000000000 +0000
> +++ fnrancid    2010-06-25 14:24:18.000000000 +0000
> @@ -59,7 +59,7 @@
>  $file = $opt_f;
>  $host = $ARGV[0];
>  $found_end = 0;
> -$timeo = 90;                           # nlogin timeout in seconds
> +$timeo = 90;                           # ftlogin timeout in seconds
>  
>  my(@commandtable, %commands, @commands);# command lists
>  my($aclsort) = ("ipsort");             # ACL sorting mode
> @@ -174,6 +174,9 @@
>         tr/\015//d;
>         next if /^\s*$/;
>         last if(/$prompt/);
> +        next if (/^get system status/);
> +        next if (/^System time:/);
> +        next if (/^FortiClient application signature package:/);
>         ProcessHistory("","","","$_");
>      }
>      print STDOUT "Vendor: $vendor";
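Review bot: the three new `next if` lines are indented with eight spaces while the surrounding context lines use a tab, and none of them carries a comment saying why the line is dropped. `System time:` changes on every collection run, so skipping it is what keeps the archived output from churning; skipping `FortiClient application signature package:` also hides signature-package version changes from the archive, which is a deliberate trade-off worth stating in a comment so the next reader does not re-add the line.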
> @@ -196,10 +199,23 @@
>         tr/\015//d;
>         next if /^\s*$/;
>         last if(/$prompt/);
> -       if (/(^set.*)('Enc .*')(.*)/) {
> -           ProcessHistory("ENC","","","!$1 'Enc **encoding removed**' $3\n");
> -           next;
> -       }
> +        next if (/^#conf_file_ver=/);
> +        if (/(^set.*)('Enc .*')(.*)/) {
> +            ProcessHistory("ENC","","","!$1 'Enc **encoding removed**' $3\n");
> +            next;
> +        }
> +        if (/(^\s*set psksecret)(\sENC .*)/ && $filter_pwds >= 1) {
> +            ProcessHistory("ENC","","","$1 <removed>\n");
> +            next;
> +        }
> +        if (/(^\s*set passwd)(\sENC .*)/ && $filter_pwds >= 1) {
> +            ProcessHistory("ENC","","","$1 <removed>\n");   
> +            next;
> +        }
> +        if (/(^\s*set password)(\sENC .*)/ && $filter_pwds >= 1) {
> +            ProcessHistory("ENC","","","$1 <removed>\n");   
> +            next;
> +        }
>         ProcessHistory("","","","$_");
>      }
>      $found_end = 1;
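Review bot: the three new password blocks are identical apart from the keyword and each requires the value to be prefixed with `ENC`, so a `set psksecret`, `set passwd` or `set password` line that appears without the `ENC` marker is passed straight to `ProcessHistory` and archived. One pattern such as `if (/(^\s*set (?:psksecret|passwd|password))\s/ && $filter_pwds >= 1)` would collapse the duplication and filter the keyword regardless of encoding. The `ProcessHistory("ENC","","","$1 <removed>\n");` lines in the second and third block have trailing whitespace, and the `$filter_pwds >= 1` guards are always true once the later hunk forces `$filter_pwds = 1`.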
> @@ -212,7 +228,7 @@
>  # Main
>  @commandtable = (
>         {'get system status'    => 'GetSystem'},
> -       {'get conf'             => 'GetConf'}
> +       {'show'                 => 'GetConf'}
>  );
>  # Use an array to preserve the order of the commands and a hash for mapping
>  # commands to the subroutine and track commands that have been completed.
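Review bot: the switch of the second collector command from `get conf` to `show` is not explained anywhere in the hunk. Since `@commandtable` is what `fnrancid` uses to recognise where each command's output begins, a comment stating which FortiOS versions need `show` (and whether `get conf` still works on the v3 devices mentioned in the covering mail) would let reviewers answer the question raised in the reply about whether the old script has to remain.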
> @@ -241,13 +257,13 @@
>      print STDOUT "opening file $host\n" if ($log);
>      open(INPUT,"<$host") || die "open failed for $host: $!\n";
>  } else {
> -    print STDERR "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
> -    print STDOUT "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
> +    print STDERR "executing ftlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
> +    print STDOUT "executing ftlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
>      if (defined($ENV{NOPIPE})) {
> -       system "nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "nlogin failed for $host: $!\n";
> -       open(INPUT, "< $host.raw") || die "nlogin failed for $host: $!\n";
> +       system "ftlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "ftlogin failed for $host: $!\n";
> +       open(INPUT, "< $host.raw") || die "ftlogin failed for $host: $!\n";
>      } else {
> -       open(INPUT,"nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "nlogin failed for $host: $!\n";
> +       open(INPUT,"ftlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "ftlogin failed for $host: $!\n";
>      }
>  }
>  
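Review bot: the `|| die "ftlogin failed ..."` on the `system "ftlogin ..."` line in the `NOPIPE` branch never fires: `||` binds to the string argument of `system`, and even written as `system(...) || die` it would only trigger on a zero (successful) exit status. The nlogin version had the same defect, but since the rename rewrites the line anyway, `system("ftlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1") == 0 or die "ftlogin failed for $host: $!\n";` would make the error path real.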
> @@ -263,25 +279,27 @@
>      $filter_commstr = 0;
>  }
>  # determine password filtering mode
> -if ($ENV{"FILTER_PWDS"} =~ /no/i) {
> -    $filter_pwds = 0;
> -} elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
> -    $filter_pwds = 2;
> -} else {
> -    $filter_pwds = 1;
> -}
> +#if ($ENV{"FILTER_PWDS"} =~ /no/i) {
> +#    $filter_pwds = 0;
> +#} elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
> +#    $filter_pwds = 2;
> +#} else {
> +#    $filter_pwds = 1;
> +#}
> +# Force $filter_pwds to 1
> +$filter_pwds = 1;
>  
>  ProcessHistory("","","","!RANCID-CONTENT-TYPE: fortigate\n\n");
>  TOP: while(<INPUT>) {
>      tr/\015//d;
>      if (/^Error:/) {
> -       print STDOUT ("$host nlogin error: $_");
> -       print STDERR ("$host nlogin error: $_") if ($debug);
> +       print STDOUT ("$host ftlogin error: $_");
> +       print STDERR ("$host ftlogin error: $_") if ($debug);
>         last;
>      }
> -    while (/>\s*($cmds_regexp)\s*$/) {
> +    while (/#\s*($cmds_regexp)\s*$/) {
>         $cmd = $1;
> -       if (!defined($prompt)) { $prompt = " >\s*"; }
> +       if (!defined($prompt)) { $prompt = " #\s*"; }
>         print STDERR ("HIT COMMAND:$_") if ($debug);
>         if (!defined($commands{$cmd})) {
>             print STDERR "$host: found unexpected command - \"$cmd\"\n";
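Review bot: commenting out the `FILTER_PWDS` block and forcing `$filter_pwds = 1` silently ignores the rancid.conf setting for Fortigate devices: `FILTER_PWDS=ALL` can no longer select mode 2 and `FILTER_PWDS=NO` can no longer disable filtering. If the intent is that this collector always strips secrets, say so in the `# Force $filter_pwds to 1` comment and delete the dead block rather than leaving it commented out. Also note that the command-detection regex `/#\s*($cmds_regexp)\s*$/` has no leading space before `#` while the default `$prompt` is `" #\s*"`; keeping the two consistent avoids matching a `#` that is not the prompt.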
> --- nlogin      2010-06-16 14:36:18.000000000 +0000
> +++ ftlogin     2010-06-17 17:28:20.000000000 +0000
> @@ -435,7 +435,10 @@
>      global in_proc
>      set in_proc 1
>  
> -    send "set console page 0\r"
> +    #send "set console page 0\r"
> +    send "config system console\r"
> +    send "set output standard\r"
> +    send "end\r"
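Review bot: the three `send` calls go out back to back but only one `expect -re $prompt {}` follows them, so two of the three prompts the device returns stay unread in the buffer and can satisfy the next `expect`, including the per-command loop further down; each `send` should be followed by its own `expect -re $prompt {}`. Unlike the pager toggle it replaces, `config system console` / `set output standard` / `end` edits a system configuration object, so the collector would be writing to the device's saved configuration on every run; a comment should state whether that is intended (it is the question raised in the reply below) and whether the change will itself appear in the `show` output being archived.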

What does that do?  Does that affect the "nvram" config?

>      expect -re $prompt {}
>  
>      set commands [split $command \;]
> @@ -445,7 +448,7 @@
>         expect {
>             -re "\[\n\r]+"                      { exp_continue }
>              -re "$prompt"                      {}
> -           -gl "--- more ---"                  { send " "
> +           -gl "--More-- "                     { send " "
>                                                   exp_continue
>                                                 }
>         }
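Review bot: the new glob pattern `--More-- ` carries a trailing space, so a device that prints `--More--` followed directly by a carriage return never matches and the script waits for the timeout instead of paging; matching on `--More--` without the space is safer. With `set output standard` sent earlier this handler may no longer be reachable, and a comment saying it is kept only as a fallback would help.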
> @@ -485,7 +488,7 @@
>         set timeout $timeoutdflt
>      }
>  
> -    set prompt {-> }
> +    set prompt {# }
>  
>      # Figure out passwords
>      if { $do_passwd || $do_enapasswd } {
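Review bot: `{# }` is a very short pattern for `expect -re $prompt`; it matches any `# ` sequence that appears inside command output, not only the prompt at the end of a line, so the script can wake up early in the middle of `show` output. The prompt form quoted earlier in the thread, `FGT[model][s/n] # `, suggests anchoring the regex to the end of the buffer, for example `{ # $}`.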
> @@ -560,7 +563,10 @@
>             continue
>         }
>      } elseif { $do_script } {
> -       send "set console page 0\r"
> +       #send "set console page 0\r"
> +        send "config system console\r"
> +        send "set output standard\r"
> +        send "end\r"
>         expect -re $prompt      {}
>         source $sfile
>         catch {close};
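Review bot: this is the second copy of the `config system console` / `set output standard` / `end` sequence (the first is in the earlier hunk at line 435), again with three `send` calls and a single `expect -re $prompt {}`, so the unread-prompt problem applies here too. The sequence belongs in one helper proc so that a future fix is applied once, and leaving `set console page 0` commented out in both places rather than deleting it is a style point; the diff already records the history.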