[rancid] Couple of Questions. upgrading and Fortinet issue.

Richard Savage Richard.Savage at newnet.co.uk
Tue Jul 16 10:28:08 UTC 2013


Chris

 From the output there you are running version 4 firmware.  We are running version 5 firmware and see the following
changing:

Index: configs/xxx.xxx.xxx.xxx
===================================================================
- -- configs/xxx.xxx.xxx.xxx    (revision 1353)
@@ -2369,7 +2369,7 @@
   end
   config system autoupdate tunneling
       set address ''
-     set password ENC dhoUEEHeL5UkwJRmdsHswXW+8tLjEc6JmH3TBtcL7WRTjy6Ayq2X+SaXB1XYjAF5Q4BGYmX+g6FRgI2kJWMaPg7kFQivPUsd4g/fx2NCReNZkqQbj3QlN4SE3g5uOJW+a96UQXXnDHd73Xatc7Bfyq603aSClDGPahDz8c7K6CjWDaPIiSPm4OsE4ZWvNV4ycDhRQg==
+     set password ENC ttt+Kp8HtbS9m8mAtqlZV0MrgVMF4zaSGNqA+OzWjRhsuIiA1xtdkMsopQbx4D3zb+YqG5luzq6YR6qv9CsS8QsmR0knpp8uyfUgI4CXDRBd/orXkpaBwfnxb4YHp5uvViDVkLmchFLCTYLru5PXBIvMY0xhNBT4ohcQhYk8im3GTEzQmpJDRCgFLBjB0tFO/WhkzA==
       set port 0
       set status disable
       set username ''
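Review bot: The only line that differs in this hunk is `set password ENC …`, on an autoupdate tunnel whose address and username are empty and whose status is `disable`, so this looks like the device re-encoding the stored value each time the config is displayed (presumably with a fresh salt) rather than a real password change. The hunks at -7499, -7531, -7562, -7593, -20560 and -25318 show the same pattern for `password`, `passwd1`–`passwd3` and `auth-password-l1`/`auth-password-l2`. As stored, every collection run produces a diff, and the ENC strings end up in the repository and in the mailed diff reports. The collector should replace the value with a constant before diffing, as the version 4 output quoted further down already does with `!set password ENC <removed>`, and the match has to cover the `passwd[0-9]` and `auth-password-*` keywords as well as `password`. Until that is in place, treat the repository and the report mail as holding credential material and restrict access accordingly.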
@@ -7499,7 +7499,7 @@
   end
   config vpn certificate local
       edit "Fortinet_Factory"
-         set password ENC jfMgY0J2VTU2w51hIRcsX0GWrGIjHZGk6Yn7n9JRPdlypYzBLU0jduL4MqD9fLG0p3W1L28vysoAR+KEpfV1Jpz+abCdkZa2z6Ws950ADwdhN/k6ofJ6oDsqfvX1O3XQBNQFMrn4LZyeZBbghMAdxJj6LgcAfS9ITdsoYjwoMNdWhsF/nLZ9DT/5rO5ytoaymZNmHA==
+         set password ENC RnXcEYclwQ1yEPTAfnnaWo0z1OgZDn5PArWoZ6JcGklyiZiefOCdOMxZ0cFTwrFDW4XVjnBldBGWgMqfHa3I67fkej0P5TavkuefMQgghB84jDu/TmTVxxsie70xLtoLggZj3Ip/8JB8S760ZJFK3FRCZ3CAy7rv7oowEodY3/HhN5GgeJnYgi1RhQkevNgIggkTcA==
   #        set private-key "-----BEGIN RSA PRIVATE KEY-----
   # <removed>#-----END RSA PRIVATE KEY-----"
   -----END RSA PRIVATE KEY-----"
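Review bot: The private-key filter leaves a second, uncommented `-----END RSA PRIVATE KEY-----"` line after the commented `# <removed>#-----END RSA PRIVATE KEY-----"` line, here and in the Fortinet_Firmware, Fortinet_CA_SSLProxy and Fortinet_Wifi hunks. The key body is gone, which is the important part, but the stray closing line suggests the filter's end-of-key handling either emits the closing line twice or stops matching one line early. It is worth confirming against a key with a different layout (the version 4 output quoted further down starts the body with `Proc-Type: 4,ENCRYPTED`) that no body line survives into the stored config. The `edit "Fortinet_Factory"` block continues past the end of this hunk.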
@@ -7531,7 +7531,7 @@
           set source-ip 0.0.0.0
       next
       edit "Fortinet_Firmware"
-         set password ENC JVq7ApNWXXVHYsi1w+jn09tqslHpX2ukinOyignjB7mbnzizmJ+0L+xVMtvncf/6TTk78aaN3t23d7AuRxuSHU/LAJv7cgX5nwReoZlLHxnmGGmuuRNONekb4+SawfNCEelksJYxFYBGoDrhzwy9yc/g8cYxlTmNSkdlIkR+YFgbbFanVrS/ZHv49HKc/MRByXvl7w==
+         set password ENC 9GByWeF7ueFwhAeZcfaQ4cAPx5a4MljomxrRVi8I2NVkefDND/kfdRrvR4WFMxXe7ab4/Ck8kZmUo8X4fFHs1JC9Bo8KqO104lXNGhKO6+mJsVvfGxtAHNfkmnNa/DilEZVZXotewhD2YN1kf/JOrUT5lrHoWQrKo0rB5MUSEgYur+0yY++cGyr0+C4eAU/w7FLX8Q==
   #        set private-key "-----BEGIN RSA PRIVATE KEY-----
   # <removed>#-----END RSA PRIVATE KEY-----"
   -----END RSA PRIVATE KEY-----"
@@ -7562,7 +7562,7 @@
           set source-ip 0.0.0.0
       next
       edit "Fortinet_CA_SSLProxy"
-         set password ENC ii+WdWZzSvyoSuavT+MTZtJ5bK80ckENEZU9xufB7OcSxZ3o1XLz5UcZKWVszMf7um+pXQusHZKXvg00MpND3eRv/HeXvH1YwuEHB6k+Gs9tbL51uMK0GNqhl15ArgqYpTxLXbeYuukaonOSDI7lzI+pn4JoxDKgYvfCesYR20nzbtj5W6mP4cCw9A51aKlEmLpDlA==
+         set password ENC NokvU0icZ4noGkTcAl1toRRKptAhax6RQ/YjMG2puabX/wty4PNJXC91Y1DIvWJU9wExoF2qUuBR/wDvCOmOyEXrXsc+DYpXtcCCIXsSwxr9Xe8quqmXkDw9LhZKFF+FBrL8rQDw9BrCTtUNYtaisu+WR69fJ5VPp+KIAqBiL5v+atEjn/zl6DiLnOtwLuNgE5cJ8Q==
   #        set private-key "-----BEGIN RSA PRIVATE KEY-----
   # <removed>#-----END RSA PRIVATE KEY-----"
   -----END RSA PRIVATE KEY-----"
@@ -7593,7 +7593,7 @@
           set source-ip 0.0.0.0
       next
       edit "Fortinet_Wifi"
-         set password ENC 7DubW8l84gayfXLG1ijmTzijwSwzmR7SarrN9poQ0G/iS/xVDpDswefkm75+KTV0NhtXFqlpDLnOH8q3BLEigNijhxsqmLD2iK5PK+SP60563hHkWrRLSn+gBkXv7RMpdY75NC/7A1CtATPz8JUf4qJ9cvUWiZ8CgHL/MRfPir7t29AuE3mbo5eIy85zhJi77q71BA==
+         set password ENC hCz2B7PDett8D8llPvp7gvH+rKuQXNOGc8fIpMniLifo4lpD8OKsjnltCyb8bgg0WmmbYyf1n/kc8ZcozpXo5ar082yqW2VHs8mAl8yY/st6+XBdCLvfAxZmliGFe9BCJcMPXDB807wIO/TUMDTS3u8JwdHTDKJ4QTCRoP/qj0DnFW/DqQg5IIGK9XdGBs/QTf73oQ==
   #        set private-key "-----BEGIN RSA PRIVATE KEY-----
   # <removed>#-----END RSA PRIVATE KEY-----"
   -----END RSA PRIVATE KEY-----"
@@ -20560,21 +20560,21 @@
       set wireless-port 0
       set phone1 ''
       set username1 ''
-     set passwd1 ENC OYecWm8MUPUowKbMfgivzvXvlponep0BLTfLYaqkJroVNFMakcll5YDLHaOsLuhL76qMHt4I3p2NA6DiAWZb4ZjdZCpaBMYyBT4RFgDFPlbIq+13GDZmFLqLRm9p/Mp5VIJWO2f6/oGF5tMZuOZAIbBAfISA1CzV3eZ3lxSQNwwzXwmfIqDgIeTQMkvLLpnX0FamDw==
+     set passwd1 ENC bpiIeQF/TJOjs1885gNpw2GiWZURU7b+ct0t11wGiqoct9i6DYFKytD+JhaikQfa1KbZ+QsczX6XItDWMxDg9u8Vvs4JTTh2EGx+88F/uJoBsCYDVtBysFZqm8JpuqWVWTMzI8/gh6A7z9LN8k2HrZIAS5LZ8NuugQcWZLSK+nUDyPu6E4Sr44X47k5/EA6uOQX8cw==
       set extra-init1 ''
       set peer-modem1 generic
       set ppp-echo-request1 enable
       set authtype1 pap chap mschap mschapv2
       set phone2 ''
       set username2 ''
-     set passwd2 ENC ngu9UIr4Cy/bs0sn9ll6HUh8Tl58VwCvAvdKR/WfU6UDYEjOSVraM0ERzPnu2dAa5AO2wwz3zPMje9Un3kbO+O+uVuAmOwYQwAh8gM4A4aEx8wGL+rBFb9Bwa7cGgfdqKrjlhnpJ7avQXMtxFlYr8b7z/96DeyTyQtgIbUMB0bBYm70uS6rhesp2FoPpVdJWeA8RGQ==
+     set passwd2 ENC KN9+FmugZN1NHjd8isGa5/Up6MfyrNevAueemgXFJCSlsvZtLlo9ZSqpr8dQvsiC3vtdH+Cx7Tzwx3uHVtdEHzMcgrcyzMkrWY3fYf2G7kOYMZbdg72uAveJPsdGbv/tUd+HNrEvStRDTPSVCANEPJF0ECxVEgvT4sENTpq7WW0OllYc5YfwbXzWlCgGefwUXTGcBA==
       set extra-init2 ''
       set peer-modem2 generic
       set ppp-echo-request2 enable
       set authtype2 pap chap mschap mschapv2
       set phone3 ''
       set username3 ''
-     set passwd3 ENC YTCFaleufbiTG5/JtEso4EWBOc9UQ8zgjG2uJDAkGJrWaRNRdEz4CJfKxC2IsdRsNeAUcmKaEZggB0qYMD6PDTgiGEYd1Ip/LKJ0FRehBnJmZmesiglUOwuwOW/kmo3oqy7yIl7BFc8cgyAQwgdtFNDDrVFv3b64BdVyuTD2BzHv9AW+gq7XYDpranFKKt/P4n1Npg==
+     set passwd3 ENC +wtrAlt9E99XPKKm7S2HNCMOVapqEyeI1xXadcO3jYASu7AIeNC+47WfkyGGCO2O8m4jMLNvyWqMhQJVVfJXjnpVEVpTr1BtgwuFZJUIysg7NqvzSV9O6/Po5IfPtRx+kQxzYo8qXk1gvzTCYKpBTyLKT+MTp4ubpSHsuKpDUZPaZK96YLrfJ/BBLlAt5RgIsi1EWg==
       set extra-init3 ''
       set peer-modem3 generic
       set ppp-echo-request3 enable
@@ -25318,8 +25318,8 @@
       set adjacency-check disable
       set auth-mode-l1 password
       set auth-mode-l2 password
-     set auth-password-l1 ENC j23VOr2Fga+lMtAtKilexLuPfzb4DU7CbMwUuJyONEj8l8l3fhB/SLRzbOV0JM1YTbRcvlf/0KfeMQm7LVSysTQ4J+5UjdUtdvT4bgBrDAEdf63lizBsRiyUM+bU08NXgrNdo9ZRA7V40L3n1VlnBSdF3uxvonrBeoll4uH8FPMZ3pmq60gojs95wgjQPvVooKExWQ==
-     set auth-password-l2 ENC IZr/IkmcQNStBmAezJQEzIc9c8zHHjZM8ABXDxnbKHnY4j06reeCUTR5F2h33Z8ypGXBOk3AETl/RxEsoCeFhUR1Oynwbq+yBuEbIyhjw4p9wusJ4tyFaOXopvWN/4Q9wMN1lVolo2VjiXm5xMbVwbX2AICvuvdggzEaXDL2qoSIZszC2bEIqGfZl1E2NbT2G1q/0A==
+     set auth-password-l1 ENC DgCyfyhRjXp8lhW3Rx5y6O4hJmLlFn1zVRho1o92ZOqjaan5/MAjiBt5CDh7YaGB+sgLt8Ahs+2N3Z1MtHpHdcSiR6TIXn11zVblwGRPvjNyFPgV2sHVROJCbxxSqWZ+GjKQuezScmmAJnIR+6+JLPNqGuievtwgpweGPmj/YSy+z5EC56ibyQGYF5a6Wu3NRNku7w==
+     set auth-password-l2 ENC W+1SYTl72Tr+zOTjvAZnGECi9P2FOaSVq+GCsfNb0c53CuJ6pMek+PWNrKdl2cCQBqGAamr5aGhbUI6Yg7eXqH/M0YLU8nEQzAkGnuv1Dxcq4CwKQY9qEmzJlIzDNgTveMyD5lSxS4znQwtwEd33FBpV/yPLaz8PiP0p6/fo+Ugv2erMX+12frfo3AEVRQjd1U4MUQ==
       set auth-sendonly-l1 disable
       set auth-sendonly-l2 disable
       set default-originate disable


Need some way to exclude the password from FortiGate backups

Rich


On 15/07/13 22:42, Chris Davis wrote:
> Here is what I am seeing in my rancid reports.
>
> Index: configs/x.x.x.x
> ===================================================================
> retrieving revision 1.150
> diff -U 4 -r1.150 x.x.x.x
> @@ -17,9 +17,9 @@
>    !Distribution: International
>    !Branch point: 665
>    !Release Version Information: MR3 Patch 14
>    !FortiOS x86-64: Yes
> - !System time: Mon Jul 15 15:06:58 2013
> + !System time: Mon Jul 15 16:07:02 2013
>
>    config system global
>        set access-banner disable
>        set admin-concurrent enable
> @@ -9112,22 +9112,22 @@
>        edit "Fortinet_Factory"
>    !set password ENC <removed>
>            set private-key "-----BEGIN RSA PRIVATE KEY-----
>    Proc-Type: 4,ENCRYPTED
>
> And then my old key and then the new key.  I'm not sure if it's getting confused on the master/slave issue because the fortinet's have the same IP address, even though there are two separate firewalls.  Could be the time issue too.
>
> Chris
>
> -----Original Message-----
> From: Richard Savage [mailto:Richard.Savage at newnet.co.uk]
> Sent: Monday, July 15, 2013 4:30 PM
> To: heasley
> Cc: Chris Davis; 'rancid-discuss at shrubbery.net'
> Subject: Re: [rancid] Couple of Questions. upgrading and Fortinet issue.
>
>
>
> On 15/07/2013 22:27, "heasley" <heas at shrubbery.net> wrote:
>
>> Mon, Jul 15, 2013 at 09:06:13PM +0000, Richard Savage:
>>> The other thing I've noticed is that other folks also had passwords
>>> seem to be continually changing and causing alerts.  I have never
>>> noted this in my clusters... yet.
>>>
>>> -- Yes I see this all the time, every time a backup is run. I need to
>>> be able to backup a full config on other devices, (cisco, juniper) so
>>> can't disable the grabbing of password data in rancid as this would
>>> stop it being backed up for all cisco and juniper hardware.  Not sure
>>> of any way to achieve this at the moment.
>> what if a <group>/rancid.conf were supported that could over-ride
>> configuration of the global rancid.conf?
> Yes either a group or a hardware type would be good.  Some way of excluding the password from certain hosts would be great. :)
>
> Rich
>

