[rancid] FortiGate - config fetch ends prematurely - hash-mark in config file

Ni Ne nineoften at hotmail.com
Wed Oct 17 04:36:35 UTC 2018


Noticed that a full config backup of some of our FortiGates has been failing due to a hash-mark (#) present in the configuration itself. FortiGates let you add comments to nearly any object. The comment field is free-form, best I can tell, and lets you insert hash-mark characters. For example, a service object had this configuration, causing the rancid run to fail at the offending line of "set comment":

--------------
config firewall service custom
    edit "TCP/UDP-4118-4122"
        set proxy disable
        set category ''
        set protocol TCP/UDP/SCTP
        set helper auto
        set check-reset-range default
        set comment "Ticket # 123456"
        set color 1
        set visibility enable
        set iprange 0.0.0.0
        set fqdn ''
        set tcp-portrange 4118-4122
        set udp-portrange 4118-4122
        unset sctp-portrange
        set tcp-halfclose-timer 0
        set tcp-halfopen-timer 0
        set tcp-timewait-timer 0
        set udp-idle-timer 0
        set session-ttl 0
    next
end
--------------

After removing all offending characters from the firewall config the rancid-run completed fully and normally.

I've been playing around with fnrancid (3.8, build 3763) to try to find a way to accommodate this happening again, but with only partial success.

I changed the prompt setting code to the following:

--------------
# - FortiGate prompts end with either '#' or '$'. Further, they may
# be prepended with a '~' if the hostname is too long. Therefore,
# we need to figure out what our prompt really is.
if (!defined($prompt)) {
    if ($_ =~ '^(.*) # ') {
        $prompt = "$1 # ";
    }
}
--------------

The above works great when the rancid user has root/super_admin permissions (hash-mark (#) prompt). Adjusting rancid to have non-root permissions with a dollar-sign ($) prompt and tacking on some additional code, rancid fails with "end of run not found".

--------------
# - FortiGate prompts end with either '#' or '$'. Further, they may
# be prepended with a '~' if the hostname is too long. Therefore,
# we need to figure out what our prompt really is.
if (!defined($prompt)) {
    if ($_ =~ '^(.*) # ') {
        $prompt = "$1 # ";
    } elsif ($_ =~ '^(.*) \$ ') {
        $prompt = "$1 \$ ";
    }
}
--------------

I tried some variations and either get the same error (end of run not found) or every config line is prepended with #. I even tried explicitly defining the firewall name inside $prompt against the firewall I am testing to bypass $1 expansion.

Anyone have ideas why this is failing? I added some debug statements and my regex matches and $prompt is being set as I would expect, but for some reason it's not matching when rancid runs.

Doing some testing, when the hostname in the prompt does get truncated, it stays the same regardless of what config level you enter.

Here is an example of setting a 25-character hostname and then entering a few levels of config:

--------------
fortigate-firewall # config system global
fortigate-firewall (global) # set hostname 1234567890123456789012345
fortigate-firewall (global) # end
12345678901234567890~345 #
12345678901234567890~345 # config firewall service group
12345678901234567890~345 (group) # edit JD_TEST_GROUP
12345678901234567890~345 (JD_TEST_GROUP) # set comment "coding is fun"
12345678901234567890~345 (JD_TEST_GROUP) # end
12345678901234567890~345 #
--------------


Thanks,

-Aaron
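As an added example that is not part of the post above and not fnrancid's own code, the following stand-alone Perl script shows the prompt handling the post is after: it detects a prompt that ends in either '#' or '$', escapes it with quotemeta() so a '$' is matched literally rather than as an end-of-line anchor, and leaves a '#' inside a "set comment" line alone because the prompt match is anchored on the hostname. It also runs the naive form side by side: a prompt string that still contains a bare '$' and is later interpolated into a regex compiles to "^host $ ", where '$' is an anchor followed by a space, which can never match, so the end of the run is never seen. The session lines, the truncated hostname and the function names are constructed for this example; whether this is exactly what fnrancid does with $prompt is an assumption, not something the post confirms.

```perl
#!/usr/bin/perl
# Added example, not fnrancid code: detect a FortiGate prompt ending in '#'
# or '$', turn it into a regex that can be used safely, and show why a raw
# "host $ " prompt string never matches once it is interpolated into a regex.
use strict;
use warnings;

# Constructed sample session (not a real capture): a '~'-truncated hostname,
# a '$' prompt for a non-super_admin user, and a comment containing '#'.
my @session = (
    '12345678901234567890~345 $ show firewall service custom',
    'config firewall service custom',
    '    edit "TCP/UDP-4118-4122"',
    '        set comment "Ticket # 123456"',
    '    next',
    'end',
    '12345678901234567890~345 $ exit',
);

# Find the first line that looks like "<hostname> # " or "<hostname> $ ".
# Returns (hostname, prompt character) or an empty list.  The '$' is escaped
# in the character class so Perl does not try to interpolate "$]".
sub detect_prompt {
    my ($line) = @_;
    return ($1, $2) if $line =~ /^(\S+) ([#\$]) /;
    return;
}

# Safe form: quotemeta() escapes the hostname and the prompt character, so a
# '$' is matched literally instead of acting as an end-of-line anchor.  The
# optional "(level)" group also covers sub-prompts such as "host (global) # ".
sub prompt_regex {
    my ($host, $char) = @_;
    my ($h, $c) = (quotemeta($host), quotemeta($char));
    return qr/^$h(?: \([^)]*\))? $c /;
}

# Naive form: interpolating the unescaped prompt gives the pattern "^host $ ",
# in which '$' is an anchor followed by a literal space, so it never matches.
sub naive_prompt_regex {
    my ($host, $char) = @_;
    my $prompt = "$host $char ";
    return qr/^$prompt/;
}

# Walk a session with the given regex builder.  Lines matching the prompt are
# command echoes and are dropped; everything else is configuration and is kept
# verbatim, including any '#' inside a comment.  Returns the config lines and
# whether the closing 'exit' (the end of the run) was seen.
sub collect_config {
    my ($build_re, @lines) = @_;
    my ($re, $found_end, @config);
    for my $line (@lines) {
        if (!defined $re) {
            my ($host, $char) = detect_prompt($line);
            next unless defined $host;
            $re = $build_re->($host, $char);
        }
        if ($line =~ $re) {
            (my $cmd = $line) =~ s/$re//;
            if ($cmd eq 'exit') { $found_end = 1; last }
            next;
        }
        push @config, $line;
    }
    return (\@config, $found_end ? 1 : 0);
}

for my $builder ([ 'quotemeta', \&prompt_regex ],
                 [ 'naive',     \&naive_prompt_regex ]) {
    my ($name, $fn) = @$builder;
    my ($config, $ok) = collect_config($fn, @session);
    printf "%-9s kept %d config lines, end of run %s\n",
        $name, scalar @$config, $ok ? 'found' : 'NOT found';
    print "  $_\n" for @$config;
}
```

Run as-is, the quotemeta variant keeps the five configuration lines (the "Ticket # 123456" comment intact) and reports the end of the run as found; the naive variant never matches the '$' prompt, so it keeps all seven lines, prompt echoes included, and reports the end of the run as not found, which is the same symptom the post describes.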
