[rancid] Fortinet Fortigate problem.

Nick Nauwelaerts nick.nauwelaerts at aquafin.be
Mon Apr 27 09:54:39 UTC 2015


heya,
I had a few issues on my Fortinet running "v5.0,build0292,140801 (GA Patch 9)". The fnlogin bundled with rancid 3.2 didn't like the pager prompt "--More--", and fnrancid did some funky reformatting of whitespace when the "--More--" prompt was involved. Here are my diffs (read: fiddled until it worked) for both. Disclaimer: only tested with 2 devices running the before-mentioned FortiOS version; your experience may differ.

// nick

-----Original Message-----
From: Rancid-discuss [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Chris Davis
Sent: Tuesday, April 21, 2015 23:59
To: 'rancid-discuss at shrubbery.net'
Subject: Re: [rancid] Fortinet Fortigate problem.

A few weeks ago I posted the following. A couple of very helpful folks pointed me at the fnlogin script and why it might be failing. I had just upgraded one of my Fortinet firewall clusters to 5.0.9 firmware and when I upgraded the other cluster, I had the same problem. One of the answers was to disable the strong encryption on the firewall. Not my favorite thing to do... So, I had a look at the fnlogin code. Now, I'm no expert programmer, but it was straight enough to follow. I found that the cipher was set to 3des. I spoke with a Fortinet engineer that I was working with on another issue, and he indeed confirmed that 3des-cbc was not supported in strong encryption mode moving forward. He said I should choose something else.

This afternoon I tinkered with swapping aes256-ctr where it had said 3des before, and turned back on strong encryption on the clusters. And amazingly, it worked! I'll know for sure when my hourly rancid runs kick off, but I have a small job running every fifteen minutes grabbing some data for the other problem I was working on, and it has successfully grabbed 2 iterations of data for that project.

So, how hard is it to jump from 2.3.8 to 3.2? (since I'm feeling flush with success) I will remember the router file change from : to ; for separators. Any other gotchas?

On 30/03/2015 19:03, Chris Davis wrote:
> I've been using Rancid 2.3.8 for some time now without any problems.
> (once I got all the patches installed for it)
>
> This past week, we upgraded a unit from 5.0.7 firmware to 5.0.9. This
> had the negative effect of making it impossible for Rancid to log into
> the unit. I have checked all the normal things. I deleted and
> recreated the ssh Known_hosts entry. I've even manually logged in
> from the Rancid server using my own credentials and the rancid
> credentials and not had any problems.
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

________________________________

Follow Aquafin on Facebook<https://www.facebook.com/AquafinNV> | Twitter<https://twitter.com/aquafinnv> | YouTube<http://www.youtube.com/channel/UCk_4P5BJ-MtEEDCkCsR_KqQ?feature=mhee> | LinkedIn<http://www.linkedin.com/company/aquafin/products>

Disclaimer: see www.aquafin.be<http://www.aquafin.be>   Think of the environment. Do not print this mail unnecessarily.
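The cipher mismatch Chris describes comes down to how SSH picks an encryption algorithm: RFC 4253 (section 7.1) says the first entry in the client's name-list that the server also offers is chosen, so a client that offers only 3des-cbc has no fallback once the server stops accepting it, and swapping in aes256-ctr makes the lists intersect again. The Python model below is an added example for this list post, not RANCID's fnlogin code; both server cipher lists in it are constructed for illustration, since the thread does not say what a FortiOS 5.0.9 unit actually offers with strong encryption on or off.

```python
"""Model of the SSH encryption-algorithm negotiation step (RFC 4253, sec. 7.1).

Added example for the thread above; this is not RANCID/fnlogin code. Both
server name-lists below are CONSTRUCTED for illustration and are not the
lists a real FortiOS 5.0.9 unit sends.
"""

# Constructed: what a firmware with legacy algorithms still enabled might offer.
LEGACY_SERVER = ["aes128-cbc", "3des-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"]
# Constructed: a strong-crypto profile that drops 3DES and CBC modes entirely.
STRONG_SERVER = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]


def parse_name_list(name_list: str) -> list:
    """Split an SSH name-list (comma separated, RFC 4251 sec. 5), keeping order."""
    return [name for name in name_list.split(",") if name]


def negotiate_cipher(client_prefs, server_supported):
    """Return the algorithm SSH will use, or None when nothing is shared.

    The rule is the client's preference order: the first client entry that the
    server also supports wins. A client list with a single entry therefore has
    no fallback when that entry disappears from the server side.
    """
    server_set = set(server_supported)
    for cipher in client_prefs:
        if cipher in server_set:
            return cipher
    return None


def weak_ciphers(name_list):
    """Return entries a strong-crypto policy is likely to reject.

    3DES uses a 64-bit block, and OpenSSH removed CBC-mode ciphers from its
    defaults in 6.7. Heuristic for review, not a statement of FortiOS policy.
    """
    return [c for c in name_list if c.startswith("3des") or c.endswith("-cbc")]


def check_login_ciphers(ciphers_line: str, server_supported) -> dict:
    """Audit a 'Ciphers a,b,c' style client setting against a server list."""
    prefs = parse_name_list(ciphers_line)
    chosen = negotiate_cipher(prefs, server_supported)
    return {
        "client_prefs": prefs,
        "negotiated": chosen,
        "weak_offered": weak_ciphers(prefs),
        "connects": chosen is not None,
    }


if __name__ == "__main__":
    for label, server in (("legacy", LEGACY_SERVER), ("strong-crypto", STRONG_SERVER)):
        for client in ("3des-cbc", "aes256-ctr", "aes256-ctr,3des-cbc"):
            result = check_login_ciphers(client, server)
            print(f"{label:13s} client={client:22s} -> {result['negotiated']}")
```

Run stand-alone it prints the outcome for each pairing; the point to take from it is that a login script which hard-codes one cipher fails closed the moment the device's policy changes, whereas listing a modern cipher first and a legacy one after it keeps working against both profiles while still auditing as "weak offered".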
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fnlogin.diff
Type: application/octet-stream
Size: 377 bytes
Desc: fnlogin.diff
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20150427/ba9fa0d9/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fnrancid.diff
Type: application/octet-stream
Size: 429 bytes
Desc: fnrancid.diff
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20150427/ba9fa0d9/attachment-0001.obj>
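Nick's report that fnrancid mangled whitespace around the pager prompt points at a general problem with collecting configs over an interactive CLI: the "--More--" prompt and the control characters that erase it land in the captured stream, and cleaning them with a whitespace-insensitive filter also destroys the indentation a later config diff relies on, producing noisy or misleading change reports. The filter below is an added example, not the scrubbed fnrancid diff; the capture samples are constructed, and the exact bytes a FortiOS pager emits to erase its prompt are assumed (either CR, blanks, CR or a backspace/space/backspace rub-out), so PAGER_RE should be checked against a real capture.

```python
"""Strip pager residue from a captured CLI session without touching indentation.

Added example for the "--More--" problem in the thread; not the fnrancid diff
(which the archive scrubbed). The erase sequences matched below are ASSUMED
forms of what a pager emits after a keypress; adjust PAGER_RE to a real capture.
"""
import re

# The prompt itself, optionally followed by one of two assumed erase sequences:
#   CR, a run of blanks/backspaces, CR            ("\r        \r")
#   backspaces, spaces, backspaces                (terminal-style rub-out)
PAGER_RE = re.compile(r"--More--(?:\r[ \x08]*\r|\x08+ +\x08+)?")


def strip_pager(raw: str) -> str:
    """Return the capture as LF-terminated lines with pager artefacts removed."""
    # Remove the prompt and its erase sequence first, while the CRs that bracket
    # the blanking run are still distinguishable from real line endings.
    text = PAGER_RE.sub("", raw)
    # Normalise CRLF and stray CR to LF. Nothing else is changed: leading spaces
    # are exactly what a later config diff keys on, so they must survive intact.
    return text.replace("\r\n", "\n").replace("\r", "\n")


# Constructed captures: a two-line config block interrupted by the pager.
EXPECTED = "config system global\n    set hostname fw1\n    set timezone 26\nend\n"
SAMPLE_CR = (
    "config system global\r\n"
    "    set hostname fw1\r\n"
    "--More--\r         \r"          # prompt erased with CR, blanks, CR
    "    set timezone 26\r\n"
    "end\r\n"
)
SAMPLE_BS = (
    "config system global\r\n"
    "    set hostname fw1\r\n"
    "--More--" + "\x08" * 8 + " " * 8 + "\x08" * 8   # backspace rub-out
    + "    set timezone 26\r\n"
    "end\r\n"
)

if __name__ == "__main__":
    for name, sample in (("CR variant", SAMPLE_CR), ("backspace variant", SAMPLE_BS)):
        cleaned = strip_pager(sample)
        print(f"{name}: {'ok' if cleaned == EXPECTED else 'MISMATCH'}")
        print(cleaned)
```

The design choice worth noting is ordering: the pager pattern is removed before line endings are normalised, because once every CR has become a newline the blanking run is indistinguishable from an ordinary indented line and a later "collapse whitespace" step would be the only way left to get rid of it, which is exactly the reformatting Nick saw. Disabling the pager on the device for the collection account, where the platform allows it, removes the problem at the source.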

