[rancid] rancid with Fortigate FG100A

Diego Ercolani diego.ercolani at ssis.sm
Wed Jul 6 13:18:21 UTC 2011


Hello,
I don't know fortigate deeply because, if I can, I prefer to use linux directly,
so feel free to change the command or the command sequence to perform a
configuration dump.
This is the power of opensource: everyone can add a small piece of his
knowledge and bring the community a full (hopefully errorproof) utility.

I have only one clustered installation of fortigate, and what I noticed is that
from time to time fortigate adds some line feeds that make it seem the
configuration has changed... this is very annoying, but I can't do experiments
because it's a production environment.
Diego

On Wednesday, 6 July 2011 14:28:54, Gavin McCullagh wrote:
> Hi guys,
> 
> On Mon, 31 Jan 2011, Diego Ercolani wrote:
> > I've already submitted patch to accomplish fortinet. Here it is the
> > relevant post:
> > http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
> > 
> > if you see in the mailing list there are time to time modifications.
> 
> We've been using this with the 100A and are now using it also with a 200B
> (which works fine incidentally).
> 
> However, one thing that I wonder is whether we really have the optimal
> command to pull the config.
> 
> fnrancid currently uses "show full-configuration" to pull the config of the
> system.  This pulls the absolutely full configuration with every unmodified
> default included.  The result, for example, is that adding a simple
> firewall rule results in a patch like this:
> 
> +     edit 71
> +         set srcintf "port1"
> +         set dstintf "port8"
> +             set srcaddr "xxxxxxxxxxxx"
> +             set dstaddr "all"
> +         set rtp-nat disable
> +         set action accept
> +         set status enable
> +         set dynamic-profile disable
> +         unset dynamic-profile-access
> +         set schedule "always"
> +         set schedule-timeout disable
> +             set service "HTTP" "HTTPS"
> +         set utm-status disable
> +         set logtraffic disable
> +         set logtraffic-app enable
> +         set auto-asic-offload enable
> +         set webcache disable
> +         set session-ttl 0
> +         set wccp disable
> +         set fsso disable
> +         set disclaimer disable
> +         set natip 0.0.0.0 0.0.0.0
> +         set match-vip disable
> +         set diffserv-forward disable
> +         set diffserv-reverse disable
> +         set tcp-mss-sender 0
> +         set tcp-mss-receiver 0
> +         set comments "Allow xxxxxxxxxxxx to connect for updates"
> +         set endpoint-check disable
> +         set label ''
> +         set global-label ''
> +         set replacemsg-override-group ''
> +         set identity-based disable
> +         set traffic-shaper ''
> +         set traffic-shaper-reverse ''
> +         set per-ip-shaper ''
> +         set nat disable
> +         set dynamic-profile-fallthrough disable
> +         set client-reputation disable
> +     next
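Review bot: the new accept policy (edit 71) carries `set logtraffic disable` and `set utm-status disable`, so sessions it permits produce no traffic log and receive no inspection; whether those values were chosen or came from defaults, an allow rule for "HTTP" "HTTPS" from port1 to port8 is one you normally want visible in the logs, so consider enabling logtraffic on it before committing.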
> 
> Only about five of the above lines were actually chosen, the rest are all
> defaults.  Personally, I'm inclined more toward using just the "show"
> command which pulls the configuration settings that we have actually made
> omitting defaults.
> 
> Is this "pull absolutely every detail" policy the norm in Rancid?
> Obviously I can change this locally myself if I really want.
> 
> Gavin
> 
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
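The spurious line-feed "changes" Diego describes can be filtered out before the dump is compared. The following is an added example, not rancid's own fnrancid filter: it normalises two constructed FortiOS-style dumps (CR/LF and blank-line noise removed) and reports only genuine configuration differences.

```python
import difflib

# Constructed sample in the shape of the policy quoted in the thread
# (not a real device capture).
BASE_DUMP = """config firewall policy
    edit 71
        set srcintf "port1"
        set dstintf "port8"
        set action accept
        set logtraffic disable
    next
end
"""

# Same configuration as BASE_DUMP, but with CRLF endings and stray blank
# lines, which is what the spurious diffs described in the thread look like.
NOISY_DUMP = BASE_DUMP.replace("\n", "\r\n").replace(
    "    edit 71\r\n", "\r\n    edit 71\r\n\r\n")

# A dump with one genuine change: logging enabled on the policy.
CHANGED_DUMP = BASE_DUMP.replace("set logtraffic disable", "set logtraffic enable")


def normalise_fortios_config(text: str) -> list[str]:
    """Strip CR and trailing whitespace and drop blank lines, keeping order
    and indentation so the config block structure stays readable."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()      # removes a stray '\r' and trailing spaces
        if line:                 # blank lines carry no configuration
            lines.append(line)
    return lines


def real_changes(old: str, new: str) -> list[str]:
    """Return only the added/removed lines between two normalised dumps."""
    diff = difflib.unified_diff(
        normalise_fortios_config(old),
        normalise_fortios_config(new),
        lineterm="", n=0,
    )
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    print("noise only :", real_changes(BASE_DUMP, NOISY_DUMP))
    print("real change:", real_changes(BASE_DUMP, CHANGED_DUMP))
```

With "show full-configuration" the same normalisation applies; it removes the whitespace noise but, as Gavin notes, not the unmodified defaults.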
