[rancid] rancid with Fortigate FG100A

Gavin McCullagh gmccullagh at gmail.com
Wed Jul 6 12:28:54 UTC 2011


Hi guys,

On Mon, 31 Jan 2011, Diego Ercolani wrote:

> I've already submitted a patch to support Fortinet. Here is the relevant
> post:
> http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
> 
> If you look in the mailing list, there are modifications from time to time.

We've been using this with the 100A and are now also using it with a 200B
(which, incidentally, works fine).

However, one thing I wonder about is whether we really have the optimal
command to pull the config.

fnrancid currently uses "show full-configuration" to pull the config of the
system.  This pulls the absolutely full configuration, with every unmodified
default included.  The result, for example, is that adding a simple
firewall rule results in a patch like this:

+     edit 71
+         set srcintf "port1"
+         set dstintf "port8"
+             set srcaddr "xxxxxxxxxxxx"
+             set dstaddr "all"
+         set rtp-nat disable
+         set action accept
+         set status enable
+         set dynamic-profile disable
+         unset dynamic-profile-access
+         set schedule "always"
+         set schedule-timeout disable
+             set service "HTTP" "HTTPS"
+         set utm-status disable
+         set logtraffic disable
+         set logtraffic-app enable
+         set auto-asic-offload enable
+         set webcache disable
+         set session-ttl 0
+         set wccp disable
+         set fsso disable
+         set disclaimer disable
+         set natip 0.0.0.0 0.0.0.0
+         set match-vip disable
+         set diffserv-forward disable
+         set diffserv-reverse disable
+         set tcp-mss-sender 0
+         set tcp-mss-receiver 0
+         set comments "Allow xxxxxxxxxxxx to connect for updates"
+         set endpoint-check disable
+         set label ''
+         set global-label ''
+         set replacemsg-override-group ''
+         set identity-based disable
+         set traffic-shaper ''
+         set traffic-shaper-reverse ''
+         set per-ip-shaper ''
+         set nat disable
+         set dynamic-profile-fallthrough disable
+         set client-reputation disable
+     next
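Review bot: the new accept policy (edit 71) has `set logtraffic disable` and `set utm-status disable`, so sessions matched by this rule are neither logged as traffic nor inspected, while `set logtraffic-app enable` only covers application logging. If that is the intent for an outbound update-fetch rule, it is worth stating in the `set comments` line; otherwise consider `set logtraffic enable` so the pulled config records that the rule is audited.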

Only about five of the above lines were actually chosen; the rest are all
defaults.  Personally, I'm inclined more toward using just the "show"
command, which pulls only the configuration settings that we have actually
made, omitting defaults.

Is this "pull absolutely every detail" policy the norm in Rancid?
Obviously I can change this locally myself if I really want to.

Gavin
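The noise in the diff above comes from every default being dumped alongside the handful of settings that were actually chosen. One way to keep the full dump (so that a default silently changing under a firmware upgrade is still caught) and still read changes at the setting level is to parse the config/edit/set/next/end structure and compare two snapshots semantically. The following is an added example, not code from rancid or its fnrancid script; it does not know the device's defaults, so it collapses a wholly new "edit" block into one summary line instead of listing every setting. The two config snapshots and the address object name `update-host` are constructed for illustration.

```python
"""Setting-level diff of two FortiOS config dumps (added example, not rancid code)."""
import shlex


def fmt_path(path):
    """Render a flattened path such as 'config firewall policy / edit 71 / srcaddr'."""
    return " / ".join(f"{p[0]} {p[1]}" if isinstance(p, tuple) else p for p in path)


def fmt_value(value):
    return "(unset)" if value is None else (" ".join(value) or "''")


def parse_fortios(text):
    """Flatten a FortiOS dump into {(block..., key): value}.

    Blocks are ("config", name) or ("edit", id) tuples. A 'set' leaf maps to the
    tuple of its values, an 'unset' leaf maps to None. Both "show" and
    "show full-configuration" output use this structure.
    """
    settings = {}
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and #config-version headers
            continue
        tokens = shlex.split(line)              # keeps quoted values like "HTTP" "HTTPS" intact
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            path.append(("config", " ".join(args)))
        elif verb == "edit":
            path.append(("edit", args[0]))
        elif verb in ("next", "end"):
            if not path:
                raise ValueError(f"'{verb}' without an open block")
            path.pop()
        elif verb == "set":
            settings[tuple(path) + (args[0],)] = tuple(args[1:])
        elif verb == "unset":
            settings[tuple(path) + (args[0],)] = None
        else:
            raise ValueError(f"unrecognised line: {line}")
    if path:
        raise ValueError("unterminated block: " + fmt_path(tuple(path)))
    return settings


def diff_configs(old, new):
    """Return (added, removed, changed) maps keyed by setting path."""
    added = {k: v for k, v in new.items() if k not in old}
    removed = {k: v for k, v in old.items() if k not in new}
    changed = {k: (old[k], v) for k, v in new.items() if k in old and old[k] != v}
    return added, removed, changed


def summarize(old_text, new_text):
    """Human-readable change list; a wholly new block becomes a single line."""
    old, new = parse_fortios(old_text), parse_fortios(new_text)
    added, removed, changed = diff_configs(old, new)
    existing_blocks = {k[:-1] for k in old}
    new_blocks = {}
    report = []
    for k, v in added.items():
        if k[:-1] in existing_blocks:
            report.append(f"+ {fmt_path(k)} = {fmt_value(v)}")
        else:                                   # every key of a new edit: collapse
            new_blocks.setdefault(k[:-1], []).append(k[-1])
    for block, keys in new_blocks.items():
        report.append(f"+ new block {fmt_path(block)} ({len(keys)} settings)")
    for k, v in removed.items():
        report.append(f"- {fmt_path(k)} = {fmt_value(v)}")
    for k, (before, after) in changed.items():
        report.append(f"~ {fmt_path(k)}: {fmt_value(before)} -> {fmt_value(after)}")
    return report


# Constructed snapshots: edit 70 exists in both; in the second, logging on
# edit 70 is switched on and a new edit 71 (as in the post) is added.
OLD_CONFIG = """\
config firewall policy
    edit 70
        set srcintf "port1"
        set dstintf "port8"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ALL"
        set logtraffic disable
        set comments ''
    next
end
"""

NEW_CONFIG = OLD_CONFIG.replace("set logtraffic disable", "set logtraffic enable").replace(
    "    next\nend\n",
    """    next
    edit 71
        set srcintf "port1"
        set dstintf "port8"
            set srcaddr "update-host"
            set dstaddr "all"
        set action accept
        set status enable
        unset dynamic-profile-access
        set schedule "always"
            set service "HTTP" "HTTPS"
        set utm-status disable
        set logtraffic disable
        set comments "Allow update-host to connect for updates"
    next
end
""")

if __name__ == "__main__":
    for line in summarize(OLD_CONFIG, NEW_CONFIG):
        print(line)
```

Run against the two snapshots it reports one line for the new edit 71 and one for the changed logtraffic value on edit 70, rather than the dozens of lines a textual diff of the full dump produces. The reverse direction (new to old) lists each removed setting individually, which is the right behaviour when a rule disappears, since you want to see exactly what it permitted.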



More information about the Rancid-discuss mailing list