[rancid] rancid with Fortigate FG100A

Gavin McCullagh gmccullagh at gmail.com
Wed Jul 6 13:35:36 UTC 2011


On Wed, 06 Jul 2011, Diego Ercolani wrote:

> I don't know Fortigate deeply because, if I can, I prefer to use Linux directly,
> so feel free to change the command or the command sequence to perform a 
> configuration dump.
> This is the power of open source: everyone can add a small piece of his 
> knowledge and bring the community a full (hopefully error-proof) utility.

I couldn't agree more, but I'm hoping to work out what the community
in general thinks.  I don't think this question is particularly a Fortigate

  In general, is it better for Rancid to record and version the entire
  config of a device including defaults, or to just version the non-default

I can see arguments for both:

 - when you upgrade firmware, the defaults might change and rancid could
   presumably only note these if you version the entire config.

 - the config and patches can be quite complex if you version the entire

 - if the unit should fail, you get a new one and want to deploy the
   config from Rancid, I would usually prefer to just deploy our config
   changes and not override the defaults.  If rancid holds the full config,
   you can't really work out what are defaults and what are your settings.
   Perhaps others might prefer to actually set those defaults where

I imagine this issue arises with units other than the Fortigates.

> I have only one clustered installation of Fortigate and what I noticed is that 
> from time to time, Fortigate adds some line feeds that make it seem the 
> configuration has changed... this is very annoying but I can't do experiments 
> because it's a production environment.

I've noticed the same actually, though generally it seems to be within the
"app-detect" lines which are all defaults (at least on our install).
Reducing this problem might be a happy side-effect of versioning the
reduced config.

