[rancid] rancid login etc. for palo alto and silver peak
Hughes, Doug
Douglas.Hughes at DEShawResearch.com
Tue Oct 30 14:52:28 UTC 2012
The problem is that paloalto buffers all the commands and displays them twice, once while buffering them (as you type them rapidly to the prompt, as panlogin does), and a second time while executing them in series. This throws poor panrancid for a loop. In theory this is as easy as changing the command table, but in practice it means I likely have to modify both panlogin and panrancid to account for the double commands, otherwise the loop deletes after the first sight of a command, which has no output! Ick.
From: Peter Jackson [mailto:peterjackson1610 at gmail.com]
Sent: Monday, October 29, 2012 9:43 PM
To: Hughes, Doug
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] rancid login etc. for palo alto and silver peak
Doug, I have setup your panrancid and panlogin and they are working fine.
However, I just found that you can show the PA config in 'set' format (set cli config-output-format set) and I like that better than the defaul xml format. I would like to back up the configs this way but you have to go into configure mode in order to show the config in set format.
I have tried to modify panlogin but I don't know expect well enough. I was actually trying to borrow the enable section from clogin because panlogin doesn't have a provision for enable mode and while it's not really enable mode that we're getting into, the prompts are the same, > and #.
Any ideas?
On Wed, Sep 12, 2012 at 11:53 AM, Hughes, Doug <Douglas.Hughes at deshawresearch.com<mailto:Douglas.Hughes at deshawresearch.com>> wrote:
Yes, it's for the anti-virus and botnet stuff. If you don't want those diffs, you can comment that part out in the palorancid file.
I thought it might be useful. I might disable it myself.
From: Peter Jackson [mailto:peterjackson1610 at gmail.com<mailto:peterjackson1610 at gmail.com>]
Sent: Wednesday, September 12, 2012 6:02 AM
To: Hughes, Doug
Cc: rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>
Subject: Re: [rancid] rancid login etc. for palo alto and silver peak
Doug, thanks for posting this. I have set this up for one of our PAs but we get the following diffs every so often - not every other RANCID run, but at least a few times a week.
Have you seen anything like this?
#RANCID-CONTENT-TYPE: paloalto
#
+ exit
+ admin at pa101> show
+ admin at pa101> show config
+ admin at pa101> show config running
config {
shared {
ssl-decrypt {
#RANCID-CONTENT-TYPE: paloalto
#
- exit
- admin at pa101> show
- admin at pa101> show config
- admin at pa101> show config running
config {
shared {
ssl-decrypt {
On Tue, Aug 14, 2012 at 10:23 AM, Hughes, Doug <Douglas.Hughes at deshawresearch.com<mailto:Douglas.Hughes at deshawresearch.com>> wrote:
A few people have requested this, so I'm attaching the few hours of work I put into making the rancid login/auth/archive for SilverPeak and for PaloAlto devices. Both of these use ssh for authentication, but I didn't setup or test RSA key auth in either case. The SilverPeak has been tested with 'enable' mode. By default they ship with no enable password. (Apologies for the Windows style attachments.) Both have been copied from another script and modified, so there's probably quite a bit of cruft in there that doesn't need to be, but I cleaned up the worst of it. I'm sure there are a lot of gratuitous regular expressions that could still be eliminated.
Here's what you need in rancid-fe:
%vendortable = (
...
'silverpeak' => 'silverrancid',
'paloalto' => 'panrancid',
...
You can figure our .cloginrc yourself, just don't forget the enable password for the silverpeak, if you have any. ;)
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net<mailto:Rancid-discuss at shrubbery.net>
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20121030/9eb28cc4/attachment.html>
More information about the Rancid-discuss
mailing list