[rancid] Fortinet Fortigate problem.
Chris.Davis at prin.edu
Tue Apr 21 21:59:26 UTC 2015
A few weeks ago I posted the following. A couple of very helpful folks pointed me at the fnlogin script and why it might be failing. I had just upgraded one of my Fortinet firewall clusters to 5.0.9 firmware and when I upgraded the other cluster, I had the same problem. One of the answers was to disable the strong encryption on the firewall. Not my favorite thing to do... So, I had a look at the fnlogin code. Now, I'm no expert programmer, but it was straight enough to follow. I found that the cipher was set to 3des. I spoke with a Fortinet engineer that I was working with on another issue, and he indeed confirmed that 3des-cbc was not supported in strong encryption mode moving forward. He said I should choose something else.
This afternoon I tinkered with swapping aes256-ctr where it had said 3des before, and turned back on strong encryption on the clusters. And amazingly, it worked! I'll know for sure when my hourly rancid runs kick off, but I have a small job running every fifteen minutes grabbing some data for the other problem I was working on, and it has successfully grabbed 2 iterations of data for that project.
So, how hard is it to jump from 2.3.8 to 3.2? (since I'm feeling flush with success) I will remember the router file change from : to ; for separators. Any other gotchas?
On 30/03/2015 19:03, Chris Davis wrote:
> I've been using Rancid 2.3.8 for some time now without any problems.
> (once I got all the patches installed for it)
> This past week, we upgraded a unit from 5.0.7 firmware to 5.0.9. This
> had the negative effect of making it impossible for Rancid to log into
> the unit. I have checked all the normal things. I deleted and
> recreated the ssh Known_hosts entry. I've even manually logged in
> from the Rancid server using my own credentials and the rancid
> credentials and not had any problems.
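Added example, not from this list thread or from rancid itself: a small Python diagnostic for the failure described above. It reads `ssh -vv` output for the "no matching cipher found" message you get when a client pinned with `-c 3des` meets a device that no longer offers 3des-cbc, then picks a replacement for the pinned `-c` value that the device offers and the local OpenSSH client supports (`ssh -Q cipher` is a real OpenSSH option), skipping known-weak ciphers. The ssh debug text is a constructed sample, not output captured from a real FortiGate.

```python
import re
import subprocess

# Ciphers to avoid even when both sides still offer them; the thread's problem
# is exactly a client pinned to 3des while the device stopped offering it.
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256",
                "blowfish-cbc", "cast128-cbc"}

# Constructed sample of `ssh -vv` output for a client pinned with `-c 3des`
# against a device that only offers CTR/GCM ciphers. Made up for this example,
# not captured from a real device.
SAMPLE_SSH_DEBUG = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: ciphers ctos: 3des-cbc
debug2: ciphers stoc: 3des-cbc
Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com
"""

def parse_cipher_mismatch(debug_text):
    """Return (pinned_client_ciphers, server_offer) from ssh -vv output,
    or None if the output does not show a cipher negotiation failure."""
    offer = re.search(r"no matching cipher found\. Their offer: (\S+)", debug_text)
    if not offer:
        return None
    pinned = re.search(r"^debug2: ciphers ctos: (\S+)", debug_text, re.M)
    client = pinned.group(1).split(",") if pinned else []
    return client, offer.group(1).split(",")

def local_client_ciphers():
    """Ciphers the local OpenSSH client can use (`ssh -Q cipher`); empty if ssh is absent."""
    try:
        out = subprocess.run(["ssh", "-Q", "cipher"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return out.split()

def suggest_cipher(server_offer, client_supported):
    """First cipher in the device's preference order that the local client
    supports and that is not on the weak list; None if nothing qualifies."""
    for cipher in server_offer:
        if cipher in client_supported and cipher not in WEAK_CIPHERS:
            return cipher
    return None

if __name__ == "__main__":
    mismatch = parse_cipher_mismatch(SAMPLE_SSH_DEBUG)
    if mismatch:
        pinned, offer = mismatch
        supported = local_client_ciphers() or offer  # assume the offer is usable if ssh is missing
        print("client pinned:", pinned, "device offers:", offer)
        print("replace the -c value in fnlogin with:", suggest_cipher(offer, supported))
```

Run it against real `ssh -vv` output saved from a failing rancid login to see which cipher to put in place of `3des` in fnlogin.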