[rancid] Fortigate rancid issues

Gerhard Mourani GMourani at prival.ca
Wed Dec 14 21:27:51 UTC 2011


Guys,

Just to let you know that the provided patches worked for me with our FortiGate. Big thanks to you. Also, since it's working now, it should be interesting to improve it again and add support for FortiAnalyzer and FortiWeb too, which are widely used now.

Regards,

-----Original Message-----
From: Gerhard Mourani 
Sent: December-12-11 10:32 AM
To: 'Drikus Brits'; john heasley
Cc: rancid-discuss at shrubbery.net
Subject: RE: [rancid] Fortigate rancid issues

Thanks, I've applied the changes and will let all know if this works for me too after some days.

-----Original Message-----
From: Drikus Brits [mailto:Drikus.Brits at vodacom.co.za] 
Sent: December-12-11 10:25 AM
To: Gerhard Mourani; john heasley
Cc: rancid-discuss at shrubbery.net
Subject: RE: [rancid] Fortigate rancid issues

Hi,

Hehe, the below won't fix the certificate that is changing the whole time. If you want to get rid of that you need to make the following changes:

fnrancid

@209,9
        # -- http://www.shrubbery.net/pipermail/rancid-discuss/2011-February/005488.html
        # -- spot the start of an RSA private key
        $priv_key = 1 if (/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/);
        # spot the end of an RSA private key and drop the END line as well
        # (a block, not "$priv_key = 0 && next": Perl parses that as
        #  "$priv_key = (0 && next)", so next is never reached)
        if (/^\s*-----END RSA PRIVATE KEY-----"/) { $priv_key = 0; next; }
        # skip every line while inside the key block
        next if ($priv_key == 1);
        ## end of hack

It works well. As for the patch from john & andy, it seems to be working, as I have not yet had some of those fortigate issues.

I'd like to monitor till the end of the week before I'd say go ahead with the changes.

d.
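The private-key stripping hack above, and the changing-key diff Gerhard quotes further down the thread, as an added stand-alone example that is not code from rancid or from anyone on this list: a Python filter with the same state machine as the fnrancid snippet, extended to also mask `set password ENC` values the way the `!set password ENC <removed>` lines in Gerhard's diff show, and to flag a key block that is never terminated (which would otherwise silently swallow the rest of the config). The sample input is constructed.

```python
import re
from typing import Iterable, List

# Constructed sample in the shape of a FortiGate "show full-configuration"
# excerpt; the key body is a placeholder, not real key material.
SAMPLE = """\
config vpn certificate local
    edit "Fortinet_Factory"
        set password ENC AbCdEf0123456789
        set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

CONSTRUCTEDKEYBODY/not+a+real+key/0123456789abcdef==
-----END RSA PRIVATE KEY-----"
        set range global
    next
end
"""

# Same anchors as the fnrancid hack: the BEGIN marker sits on the
# "set private-key" line, the END marker carries the closing quote.
KEY_START = re.compile(r'^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----')
KEY_END = re.compile(r'^\s*-----END RSA PRIVATE KEY-----"')
PASSWORD = re.compile(r'^(\s*)set password ENC \S+')

UNTERMINATED = "! private-key block not terminated; remaining lines dropped"


def filter_config(lines: Iterable[str]) -> List[str]:
    """Drop private-key blocks (BEGIN through END inclusive) and mask
    encrypted password values so that rancid diffs stay stable."""
    out: List[str] = []
    in_key = False
    for line in lines:
        if in_key:
            if KEY_END.match(line):
                in_key = False        # the END line is dropped too
            continue
        if KEY_START.match(line):
            in_key = True
            continue
        pw = PASSWORD.match(line)
        if pw:
            out.append(f"{pw.group(1)}!set password ENC <removed>")
            continue
        out.append(line)
    if in_key:
        # A truncated block would otherwise vanish silently; leave a
        # marker so the next rancid diff makes the problem visible.
        out.append(UNTERMINATED)
    return out


if __name__ == "__main__":
    print("\n".join(filter_config(SAMPLE.splitlines())))
```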


-----Original Message-----
From: Gerhard Mourani [mailto:GMourani at prival.ca]
Sent: Monday, December 12, 2011 5:19 PM
To: john heasley; Drikus Brits
Cc: rancid-discuss at shrubbery.net
Subject: RE: [rancid] Fortigate rancid issues

Hello,

Even with provided patch, I receive every day diff related to VPN connection crypto keys like the following with my FortiGate 80C:

!set password ENC <removed>      !set password ENC <removed>
         set private-key "-----BEGIN RSA PRIVATE KEY-----                set private-key "-----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED  Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,FAEBFA3BD9D852E2         DEK-Info: DES-EDE3-CBC,C7650C0C4F6C6104

Gerhard,

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley
Sent: December-07-11 5:39 PM
To: Drikus Brits
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Fortigate rancid issues

Mon, Nov 07, 2011 at 06:55:30AM +0000, Drikus Brits:
> Hi all,
>
> I've recently added a couple of fortigates onto rancid, and it seems to work without issues, however, every couple of hours I get some firewall diffs with stupid changes it picks up somewhere.
>
> Example :
>
> <snip>
>       set av-failopen pass
> - set av-failopen-session disable
> +     set av-failopen-session disable
>       set batch-cmdb enable
> </snip>
>
> Or
>
> <snip>
>   config system amc-slot
> -     edit "sw1"
> +     edit
> + "sw1"
>       next
>
> &&
>
> Then the next hour :
>
>   end
>   config system amc-slot
> -     edit
> - "sw1"
> +     edit "sw1"
>       next
>   end
> </snip>
>
> Any ideas what the problem might be as to why it picks up some commands as 2 lines, and then suddenly as 1?
>
> Thanks

Could you try this patch?

http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html

and a superset of that (from "Andy") is below. I'd like some confirmation if these work before committing the change.

Index: bin/fnlogin.in
===================================================================
--- bin/fnlogin.in      (revision 2343)
+++ bin/fnlogin.in      (working copy)
@@ -451,6 +451,10 @@
     expect -re $prompt; send -- "end\r"
     expect -re $prompt;

+# see http://www.shrubbery.net/pipermail/rancid-discuss/2011-July/005787.html
+    # this is the only way i see to get rid of more prompts in o/p..grrrrr
+    log_user 0
+
     set commands [split $command \;]
     set num_commands [llength $commands]
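Review bot: the added comment `# see http://www.shrubbery.net/...` sits at column 0 while the `log_user 0` it introduces and the surrounding code are indented four spaces; indent it to match, and replace the `grrrrr` remark with what the line actually does (turn off the spawned session's echo so that only lines explicitly re-emitted with send_user reach the output). Nothing in this hunk restores `log_user 1`, so please confirm that logging is re-enabled before the script path returns to the normal expect/send flow, otherwise any later output that is not routed through send_user is lost.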
     for {set i 0} {$i < $num_commands} { incr i} { @@ -459,10 +463,12 @@
             -re "$prompt"                      { send "\r"
                                                  sleep 0.5
                                                }
-           -gl "--More--"                      { send " "
+           -gl "--More--\[^\n\r]*"             { send " "
                                                  exp_continue
-           -re "\[\n\r]+"                      { exp_continue }
                                                }
+           -re "\[^\r\n]*\[\n\r]+"             { send_user -- "$expect_out(buffer)"
+                                                 exp_continue
+                                               }
        }
      }
      expect {
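Review bot: pattern order in this `expect` block can drop output: `-re "$prompt"` is tested first, so when a read buffer holds one or more complete lines followed by the prompt, the prompt branch fires and `send_user` never sees those lines, which with `log_user 0` means they are silently lost. Either list the new `-re "\[^\r\n]*\[\n\r]+"` pattern before the prompt pattern (its per-line `exp_continue` then feeds lines out until only the prompt remains in the buffer), or echo the part of `$expect_out(buffer)` preceding the prompt from the prompt branch. Removing `-re "\[\n\r]+" { exp_continue }` is right: it sat inside the `--More--` action body after `exp_continue`, where it was unreachable.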
@@ -573,8 +579,12 @@
        }
     } elseif { $do_script } {
        # Disable output paging.
+       send "config global\r"
+       expect -re $prompt      {}
        send "config system console\r"
+       expect -re $prompt      {}
        send "set output standard\r"
+       expect -re $prompt      {}
        send "end\r"
        expect -re $prompt      {}
        source $sfile
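Review bot: the added `config global` is never left: the existing `send "end\r"` only exits `config system console`, so `source $sfile` runs with the session still inside `config global`. Either add a second `send "end\r"` / `expect -re $prompt {}` pair after the existing one, or say in a comment that running the script in global scope is intended. Also, `config global` is only accepted on units with virtual domains enabled; on a non-VDOM FortiGate it returns an error before the next prompt, which the bare `expect -re $prompt {}` swallows, so a comment noting that this error is expected and harmless there would help the next reader.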
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss