[rancid] Re: fortigate issues

john heasley heas at shrubbery.net
Mon Mar 1 18:01:31 UTC 2010


Mon, Mar 01, 2010 at 04:22:29PM +0100, Diego Ercolani:
> I had your issue today; I solved it by rebooting the fortigate 
> appliance....
> rancid (with my patches) simply asks the fortinet for a dump of the configuration 
> without beautifying or indenting the configuration dump.
> for the certificate/private key and others, you have to modify the source 
> to remove multiline things....
> The main loop where these things are done starts at line 176 of fnrancid, but 
> as you see it's very simple and removes only the one-line things matching a tag 
> on the line. You have to create a more sophisticated subroutine 
> that processes multiline input at a time and manages exceptions.
> 
> In the same loop I think it's possible to manage issues like extra spaces being added, 
> but what I saw in my situation today is that sometimes the fortigate gives the 
> configuration with commands broken by a line feed without any kind of rule, 
> e.g. I saw something like:
> 
> retrieving revision 1.1969
> diff -U 4 -r1.1969 fortifw
> @@ -51,9 +51,9 @@
>       set daily-restart disable
>       set detection-summary enable
>       set dst enable
>       set failtime 5
> -      set fds-statistics enable
> +    set fds-stat
> +      istics enable
>       set forticlient-portal-port 8009
>       set fsae-burst-size 300
>       set fsae-rate-limit 100
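
Review bot: the `+` side splits one command across two lines (`set fds-stat` followed by `istics enable`), and the first fragment is indented four spaces where the `-` line has six, so this hunk records a line break injected into the captured output rather than a configuration change. The capture should be checked for paging or terminal-width wrapping, and a line that does not begin with a known keyword such as `set` could be rejoined to its predecessor, or cause the run to be rejected, before anything is committed.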

most likely a side effect of the pager.  nlogin uses 'set console page 0'
to disable the pager.  does this command not work on the fortigate?

> ...this isn't foreseeable, don't you think?
> 
> On Monday 1 March 2010 14:59:56, Rodo Bibi wrote:
> > Hey rancid community
> > 
> > I am working with fortigate 1000A and I have 2 issues I am sure you can
> > help me with.
> > 
> > At each rancid backup I receive an email with configuration changes.
> > 
> > First problem:
> > 
> > retrieving revision 1.1969
> > diff -U 4 -r1.1969 fortifw
> > @@ -51,9 +51,9 @@
> >       set daily-restart disable
> >       set detection-summary enable
> >       set dst enable
> >       set failtime 5
> > -      set fds-statistics enable
> > +    set fds-statistics enable
> >       set forticlient-portal-port 8009
> >       set fsae-burst-size 300
> >       set fsae-rate-limit 100
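
Review bot: the `-` and `+` lines for `set fds-statistics enable` differ only in leading whitespace (six spaces against four); the command and its value are identical. Normalising indentation in the collector before commit, or comparing with leading whitespace ignored, would keep this from being reported as a change.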
> > 
> > See, the set fds-statistics enable is removed then added. How can I get rid
> > of this?
> > 
> > 
> > Second problem:
> > 
> > The display of the private key changes at each backup:

one would think that key should be static.  maybe it rekeys on some
schedule?  what is it used for?  are there multiple private keys in
the config?

> > +         set private-key "-----BEGIN RSA PRIVATE KEY-----
> >   Proc-Type: 4,ENCRYPTED
> > - DEK-Info: DES-EDE3-CBC,3C07324ADB7623412
> > - M1/T1PrO+n8oX1E2Fks46mI6zF3R99g3ulhR9jfXi1zdjYrfEfmz8eIbV0lrECoo
> > - P6DKRBUUJw9p4OPitm1XpIG5SXQSLWjV9GOWeFhsiAWDZrnONzWSkuiunXxu3W3D
> > - BIw4fCC+HXRs1wUHhTf0XWzpbO0pmWfHWcCv8D3jKLXdchGI/5jKyfsVAgv5TT6Q
> > - A40sI463M4xBl2RzNBNvxSF1yrpDdA454W0B4y8uSHLQg0Q94fGiprLpUO9S2NFI
> > - QUKJGqAhNrwGbFCmm7NQxeEbdbJnzJ77rxYjm3+VQaEsPkuKU32DgQTP1uJIxTeB
> > - WM8F30XrOqj6/esxqqL8TZl4uYySJZtR2SVjlhdVlg7zCQSZV3ZbgK7zR5lT3+aK
> > - rUGg3DEiA8ajHxv44QsUutwhSrubreCkaHkRI1VxZpeOroa2x6t8bN/XcvPCWQEo
> > - Y1yXEn7iR3LZxbE5retft+UBhcBs0Xm55vBMGeyNhzkalQveSJ1Bn7A5lLrII8Hy
> > - YlozkgkbzsRsWNFQKFUWGNQR56432IHGWOVDSBQGE5py0Wk1qq+bOQq5T
> > - ySWSKQDdDv3rS2OU3aulmcXvzs+pmLqYHQG6m8vQm0/7EhKEKa2UK2M5Nx4SOLdI
> > - 94iOYWFrJ5SJcIgA3TKaQVpHTEjsSncPVlUu4sBxm3kTQOK5bE52aw==
> > + DEK-Info: DES-EDE3-CBC,B69D648DD9C5C8D
> > + bAAaqPBUPN3p3MkBtkfZ9rCk18Fda5hppgZbInsTBioCajUeewzXOFqLsPBmP4qD
> > + oKakQ9QAt9d4W7SYmRvSWM7kWluOlQDXYOX3NImoYYmF/iCP6sS+mopih5PAy4na
> > + 9Jxe5m5Cb6USdafrSjHqaOQjlXOIGo7vCvs3LyXOhBA2mw1QTJyYPK5ZDiqx+edt
> > + Qqs4EIF8PgzSug2yQmkXu1YeuLaUtpnVu6g7koY3ugeznEJe7qUR15EvYW/VI3eg
> > + xKTmqk95+oNEySR+WcKajv59u01j6FoaD0ALN5rJEVv1AlG0NJryjIlevW1AGVUw
> > + tXG2HJz0zmFX99hIV7RMntZIez2cw+VaojLluHlTdngI9y7LemoLQPrxwKjwCV0+
> > + U3waJhpKV2bFjfqhbcuahifjAFIFA8ghhfbuzfq/y7O8yD25fSE22fU
> > + F0+8ehuNv2M13gATPhUrNtQDo0wSzPaO//Bpei+QT1ulVSMQGveVkVdRH1wHWvPg
> > + AzDVi/HmsVvZa0SBKwuZP4WnVdfuiIyX0frWpGirltPny9BkuM3GSBsa2Oz/f2XS
> > + OEVW1xUT+WFUc55x7rVDvy8WPFSUYL7hFQDJmr2VZC2QJi1W2jVcsAcaAswDo3RE
> > + +3vjawQ1S/p5Sh2UX1XCel+HP5X9mR/3HlPV1EsZ9rwz9mnl2GhQYQ==
> >   -----END RSA PRIVATE KEY-----"
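
Review bot: between the `-` and `+` sides only the `DEK-Info` value and the base64 body change, while `Proc-Type: 4,ENCRYPTED` and the END line stay as context. The second field of `DEK-Info` is the IV used for the PEM encryption, so a changed IV alone would alter every ciphertext line even if the underlying key were identical. The material is encrypted, but it is still being committed to the revision history and sent in the change e-mail, so the filter should replace the whole quoted value, from `set private-key "` through the closing `"`, with a fixed placeholder rather than matching single lines.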
> > 
> > I would love to remove everything " " and display set private-key " ***
> > removed *** ".
> > 
> > Thanks
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
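
The multi-line filtering asked for in this thread, as an added example that is not code from fnrancid or from any poster: it walks a configuration dump line by line and collapses a quoted `set private-key "..."` value, however many lines it spans, to the `*** removed ***` placeholder. The subroutine name `scrub_multiline`, the keyword list and the sample input are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: collapse multi-line quoted secrets in a FortiGate-style
# config dump to a fixed placeholder so they never reach the revision store.
use strict;
use warnings;

# Assumption: keywords whose quoted value should never be stored.
my $SENSITIVE = qr/private-key/;

# scrub_multiline(\@lines) -> list of filtered lines (hypothetical helper).
sub scrub_multiline {
    my ($lines) = @_;
    my (@out, $in_secret);
    for my $raw (@$lines) {
        (my $line = $raw) =~ s/\r?\n\z//;    # work on a copy, strip newline
        if ($in_secret) {
            # Inside a quoted value: drop lines up to the unescaped closing quote.
            $in_secret = 0 if $line =~ /(?<!\\)"\s*$/;
            next;
        }
        if ($line =~ /^(\s*set\s+$SENSITIVE)\s+"(.*)$/) {
            my ($prefix, $rest) = ($1, $2);
            push @out, qq{$prefix "*** removed ***"};
            # The value continues on later lines unless the quote closes here.
            $in_secret = 1 unless $rest =~ /(?<!\\)"\s*$/;
            next;
        }
        push @out, $line;
    }
    # An unterminated value means the dump was cut short; flag it.
    push @out, '# WARNING: unterminated quoted value, dump may be truncated'
        if $in_secret;
    return @out;
}

# Constructed sample input (the key body is placeholder text, not a real key).
my @sample = (
    qq{config vpn certificate local\n},
    qq{    edit "example"\n},
    qq{        set private-key "-----BEGIN RSA PRIVATE KEY-----\n},
    qq{Proc-Type: 4,ENCRYPTED\n},
    qq{DEK-Info: DES-EDE3-CBC,PLACEHOLDERIV\n},
    qq{\n},
    qq{PLACEHOLDER+BASE64/BODY==\n},
    qq{-----END RSA PRIVATE KEY-----"\n},
    qq{        set comments "kept"\n},
    qq{    next\n},
    qq{end\n},
);
print "$_\n" for scrub_multiline(\@sample);
```

Because the placeholder is constant, a value that is re-encrypted on every dump no longer produces a diff, and a truncated dump shows up as an explicit warning line instead of silently swallowing the rest of the configuration.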

