[rancid] Backup Fortygate 100D
Adam Korab
adam.korab at sixpackets.com
Tue Dec 7 16:31:56 UTC 2021
On 12/7/21, 9:45 AM, "Rancid-discuss on behalf of heasley" <rancid-discuss-bounces at www.shrubbery.net on behalf of heas at shrubbery.net> wrote:
Tue, Dec 07, 2021 at 05:34:27AM +0000, simon ben:
> Dear All,
> Btw appreciate and thanks for the reply from Heasley and UGO
> As I mentioned below, I am trying to back up my FortiGate 1000D (sorry for the typo in my earlier email, where I wrote 100D). To test before I edit the router.db and .cloginrc files, I ran the below:
> /usr/local/rancid/bin/fnlogin -t 90 -c "get system status" 172.16.xx.xx
> I see it does not connect:
>
> 172.16.xx.xx
> spawn telnet -K 172.16.xx.xx
> Trying 172.16.xx.xx...
That is unrelated to rancid. Maybe it only accepts ssh, or it has a packet
filter that is blocking you? For ssh to be tried first, you might need to
add to your cloginrc: 'add method <glob> {ssh}'
Correct. fnlogin is trying telnet, which is disabled by default on FGT devices. Like heas suggests, try adding method ssh in your .cloginrc.
On the FortiGate, you can check for telnet most easily from the CLI:
Example show command:
fw01a # show system global
config system global
set admin-port 8080
set admin-server-cert "fw01a"
set admin-sport 8443
set admin-telnet disable
set admintimeout 120
set alias "FortiGate-VM64"
set autorun-log-fsck enable
set gui-ipv6 enable
set hostname "fw01a"
set timezone 08
end
Note that in FortiOS, configuration defaults are not exposed with 'show' - you need to enter config mode and do 'show full-configuration' and you can grep to match:
fw01a # config sys global
fw01a (global) # show full-configuration
config system global
set admin-concurrent enable
set admin-console-timeout 0
set admin-hsts-max-age 15552000
set admin-https-pki-required disable
set admin-https-redirect enable
set admin-https-ssl-versions tlsv1-1 tlsv1-2 tlsv1-3
set admin-lockout-duration 60
set admin-lockout-threshold 3
set admin-login-max 100
set admin-maintainer enable
set admin-port 8080
set admin-restrict-local disable
set admin-scp disable
set admin-server-cert "fw01a"
set admin-sport 8443
set admin-ssh-grace-time 120
set admin-ssh-password enable
set admin-ssh-port 22
set admin-ssh-v1 disable
set admin-telnet disable
set admintimeout 120
set alias "FortiGate-VM64"
set allow-traffic-redirect enable
set anti-replay strict
set arp-max-entry 131072
set auth-cert "Fortinet_Factory"
set auth-http-port 1000
set auth-https-port 1003
set auth-keepalive disable
set auth-session-limit block-new
set auto-auth-extension-device enable
set autorun-log-fsck enable
set av-affinity "0"
set av-failopen pass
set av-failopen-session disable
set batch-cmdb enable
set block-session-timer 30
set br-fdb-max-entry 8192
set cert-chain-max 8
set cfg-save automatic
set check-protocol-header loose
set check-reset-range disable
fw01a (global) # show full-configuration | grep telnet
set admin-telnet disable
This is FortiOS v6.4.7; YMMV.
AK
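The two points in this thread (heasley's .cloginrc method line and Adam's check of admin-telnet, with the caveat that plain 'show' hides defaults) can be turned into a small audit. The script below is an added example written for this page; it is not rancid code and not output from anyone in the thread. It parses FortiOS 'show full-configuration' text, flags telnet and SSHv1 admin access, and prints the 'add method' line to put in .cloginrc. The sample config, the host name fw01a and the interface stanzas are constructed, modelled on the fw01a excerpt above; a non-default admin-ssh-port is only reported, since wiring a port into rancid's ssh command is left to the operator.

```python
"""Parse FortiOS 'show full-configuration' output and audit the admin-access
settings that decide whether rancid's fnlogin can log in over ssh or telnet.
Added example: not rancid code; the sample config is constructed."""
import re
import shlex

# CLI prompt lines such as 'fw01a (global) # show full-configuration'
PROMPT_RE = re.compile(r"^\S+ (\(\S+\) )?# ")

# Constructed sample: a trimmed 'system global' block plus two interfaces.
SAMPLE_CONFIG = """\
fw01a (global) # show full-configuration
config system global
    set admin-port 8080
    set admin-scp disable
    set admin-server-cert "fw01a"
    set admin-sport 8443
    set admin-ssh-password enable
    set admin-ssh-port 22
    set admin-ssh-v1 disable
    set admin-telnet disable
    set admintimeout 120
    set alias "FortiGate-VM64"
    set hostname "fw01a"
end
config system interface
    edit "port1"
        set ip 172.16.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping telnet
    next
end
"""


def parse_fortios(text):
    """Return nested dicts: 'config a b' and 'edit x' open a child dict,
    'set k v...' stores the value tokens as a list, 'next'/'end' close."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or PROMPT_RE.match(line):
            continue
        tokens = shlex.split(line)  # honours the double-quoted values
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '{kw}' without an open block")
            stack.pop()
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        else:
            raise ValueError(f"line {lineno}: unexpected keyword {kw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def audit_admin_access(cfg):
    """Return (findings, methods): admin-plane findings and the login methods
    rancid could realistically use, ssh first."""
    g = cfg.get("system global", {})
    ifaces = cfg.get("system interface", {})
    findings = []

    def setting(key):
        v = g.get(key)
        return " ".join(v) if v else None  # None: absent from this capture

    telnet = setting("admin-telnet")
    if telnet is None:  # plain 'show' omits defaults, so absence is not 'disable'
        findings.append("admin-telnet not in capture: re-run 'show full-configuration'")
    elif telnet == "enable":
        findings.append("admin-telnet enable: cleartext admin logins possible")
    if setting("admin-ssh-v1") == "enable":
        findings.append("admin-ssh-v1 enable: SSH protocol 1 should be disabled")
    ssh_port = setting("admin-ssh-port")
    if ssh_port not in (None, "22"):
        findings.append(f"admin-ssh-port {ssh_port}: fnlogin must be told this port")

    ssh_ifaces = [n for n, i in ifaces.items() if "ssh" in i.get("allowaccess", [])]
    telnet_ifaces = [n for n, i in ifaces.items() if "telnet" in i.get("allowaccess", [])]
    for n in telnet_ifaces:
        findings.append(f"interface {n}: telnet in allowaccess")

    methods = []
    if ssh_ifaces:
        methods.append("ssh")
    if telnet != "disable" and telnet_ifaces:  # may still work if admin-telnet unknown
        methods.append("telnet")
    return findings, methods


def cloginrc_method_line(host, methods):
    """The .cloginrc line that makes fnlogin try only what the device serves."""
    if not methods:
        raise ValueError(f"{host}: neither ssh nor telnet admin access is enabled")
    return f"add method {host} {{{' '.join(methods)}}}"


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    findings, methods = audit_admin_access(cfg)
    for f in findings:
        print("finding:", f)
    print(cloginrc_method_line("fw01a", methods))
```

Run it against a capture saved with 'show full-configuration' rather than 'show': on the constructed sample it reports only the stray telnet in port2's allowaccess and prints 'add method fw01a {ssh}', which is the line to add to .cloginrc before retrying fnlogin.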