[rancid] Re: fnrancid and Fortinet equipment

john heasley heas at shrubbery.net
Tue Sep 19 20:38:32 UTC 2006


Mon, Sep 18, 2006 at 03:19:34PM -0500, Eric Humphries:
> On 9/18/06, john heasley <heas at shrubbery.net> wrote:
> >
> >Sun, Sep 17, 2006 at 03:49:17PM -0500, Eric Humphries:
> >> Hey guys,
> >>
> >> I'm using rancid on a FreeBSD 6.1-Stable box, and I'm trying to log into
> >> some fortinet equipment (more specifically a Fortigate 60M) using the
> >> fnrancid module.
> >>
> >> I'm able to manually use clogin to log into the firewall and it brings me to
> >> the prompt but immediately after the session freezes and I'm unable to
> >> type/run commands. Using rancid-run fails to run the commands as well so it
> >> appears to be something with how the script expects the login prompt to
> >> appear, possibly. The hostname I have on the device is "testdevice $" when I
> >> log in as a user and "testdevice #" when I log in with admin. There is no
> >> enable password required.
> >
> >I'm not familiar with the fortinet (or the netscreen), but there seems to have
> >been a change in the UI.
> >1) nlogin expects the prompt to end with "-> "
> >2) nlogin does not know about an "enable" mode.
> 
> 
> 
> 1) Well I've yet to see any fortinet equipment have a prompt that ends in
> ->, default or otherwise.
> 2) Well, I guess the noenable business isn't going to do the trick then.

That may be; fnrancid was contributed.  It could be that it never worked
for fortinet, but more likely that it worked with some really old version,
since I trust Dan Pfleger would not have advertised support that did not
work.

> >So, this is not going to work.  nlogin will need to be changed.  Or, try
> >clogin to see if it works: clogin -c 'some command; some other command'
> >
> >> I'm quite new to rancid (a few days) and I've searched around for help
> >> regarding this specific issue but I've yet to find anything that matches my
> >> problem well. I can provide information as necessary, just tell me what you
> >> need to see.
> >>
> >> Is there something I'm doing wrong that would cause the shell to hang? I've
> >> tried running rancid with tcsh, and sh - both with the same result.
> >
> >It should not hang forever.  If it is expecting output and not receiving it,
> >the timeout should trip and the login script should close the connection.
> >If it is hanging forever, then I suspect you're using solaris/linux and you
> >need to apply the expect patch from the rancid web page.
> >
> 
> 
> It does trip the TIMEOUT.
> 
> So I guess my main question is: is the fnrancid module set up to expect a
> prompt that ends in "-> "? I haven't had time to dig into fnrancid or nlogin
> to learn the inner workings as I've only been messing with it in my free time.
> Eventually, I would like to deploy this for close to 1,000 firewalls or so.
> 
> I guess my next step is to dig into fnrancid and try to figure out what it's
> doing. I know the modules are fancy front-ends for expect that are used to
> describe device behavior but that's as far as I've gone.

Since it seems to more closely resemble the cisco, than what the nlogin offers,
I suggest trying clogin first.  It may be sufficient for fnrancid.


