
Author Topic: Config Backup of Fortigate firewalls - Works, but only for 59lines  (Read 12233 times)

bdyzel

  • Guest
Hey,

I've tweaked the current config and libcli files to get the Fortigate config to back up, but for some reason it backs up the conf only for 59 lines and then stops.
I've already set the Fortigate console output to standard, and when testing it with the SSH read-only user it runs through the whole config really fast. But I'm missing something; anyone have any ideas?

Yes, Fortigate isn't supported, hence the "tweaked" bit. I made the Fortigate device definition be seen as a Cisco firewall, and edited the libcli file to look like this:
$cmd{'IOS-fw'}{'ropr'} = '(.+)>\s?$';
$cmd{'IOS-fw'}{'enpr'} = 'FG.';
$cmd{'IOS-fw'}{'conf'} = 'show full-configuration';
$cmd{'IOS-fw'}{'strt'} = '.';

bdyzel

  • Guest
Re: Config Backup of Fortigate firewalls - Works, but only for 59lines
« Reply #1 on: March 14, 2013, 08:29:25 AM »
Oh yes, forgot to add this is the result:

Prepare (CLI)  ----------------------------------------------------------------
DISC:Cli arp = not implemented

Arp (SNMP)   ------------------------------------------------------------------
SNMP:Connect 172.16.2.1 omsa_checker v2 Tout:10s MaxMS:1472
ERR :The requested table is empty or does not exist
ARPS:0 ARP entries found

Prepare (CLI)  ----------------------------------------------------------------
PREP:cfg supported and user nedi exists
DISC:Cli config = OK-DB

Config (CLI)   ----------------------------------------------------------------
SSH :nedi:22 Tout:10s OS:IOS-fw EN:FG.
PTY :Forking ssh -o 'StrictHostKeyChecking no' -l nedi 172.16.2.1
CLI2:Matched password:, sending password
CLI3:Password sent
CLI8:Matched enable prompt, OK
CMD :show full-configuration
CONF:config system amc
CONF:    set sw1 auto
CONF:end
CONF:config system global
CONF:    set access-banner disable
CONF:    set admin-concurrent enable
CONF:    set admin-https-pki-required disable
CONF:    set admin-lockout-duration 60
CONF:    set admin-lockout-threshold 3
CONF:    set admin-maintainer enable
CONF:    set admin-port 80
CONF:    set admin-scp disable
CONF:    set admin-server-cert "self-sign"
CONF:    set admin-sport 443
CONF:    set admin-ssh-grace-time 120
CONF:    set admin-ssh-port 22
CONF:    set admin-ssh-v1 disable
CONF:    set admin-telnet-port 23
CONF:    set admintimeout 120
CONF:    set anti-replay strict
CONF:    set auth-cert "self-sign"
CONF:    set auth-http-port 1000
CONF:    set auth-https-port 1003
CONF:    set auth-keepalive disable
CONF:    set auth-policy-exact-match enable
CONF:    set av-failopen pass
CONF:    set av-failopen-session disable
CONF:    set batch-cmdb enable
CONF:    set cfg-save automatic
CONF:    set check-protocol-header loose
CONF:    set check-reset-range disable
CONF:    set clt-cert-req disable
CONF:    set csr-ca-attribute enable
CONF:    set daily-restart disable
CONF:    set detection-summary enable
CONF:    set dst enable
CONF:    set endpoint-control-fds-access enable
CONF:    set endpoint-control-portal-port 8009
CONF:    set et4-work-mode e1
CONF:    set explicit-proxy-auth-timeout 300
CONF:    set fds-statistics enable
CONF:    unset fgd-alert-subscription
CONF:    set fwpolicy-implicit-log disable
CONF:    set fwpolicy6-implicit-log disable
CONF:    set gui-ap-profile enable
CONF:    set gui-central-nat-table disable
CONF:    set gui-dns-database disable
CONF:    set gui-dynamic-profile-display disable
CONF:    set gui-icap disable
CONF:    set gui-implicit-id-based-policy disable
CONF:    set gui-implicit-policy enable
CONF:    set gui-ipsec-manual-key disable
CONF:    set gui-ipv6 disable
CONF:    set gui-lines-per-page 50
CONF:    set gui-load-balance enable
CONF:    set gui-object-tags disable
CONF:    set gui-policy-interface-pairs-view enable
CONF:    set gui-voip-profile disable
CONF:    set hostname "
CONF:59 lines read

rickli

  • Administrator
  • Hero Member
  • Posts: 2687
Re: Config Backup of Fortigate firewalls - Works, but only for 59lines
« Reply #2 on: March 14, 2013, 07:54:09 PM »
I actually noticed a number of Fortigate .defs exist. So, how about making this official? I've added "FortiOS" to DefGen. Now you don't have to resort to the IOS-fw lines. Does FortiOS have read-only and enable prompts ending with > or # respectively? In addition, can "<--more-->" prompts be turned off? Then something like this could be used:

$cmd{'FortiOS'}{'ropr'} = '(.+?)>\s?$';
$cmd{'FortiOS'}{'enpr'} = '(.+?)#\s?$';
$cmd{'FortiOS'}{'enab'} = 'enable';
$cmd{'FortiOS'}{'conf'} = 'show full-configuration';
$cmd{'FortiOS'}{'strt'} = '.';
$cmd{'FortiOS'}{'page'} = 'disable clipaging???';

In case there's no page command try this instead:
$cmd{'Comwar3'}{'more'} = '<--more-->';

Let me know of the outcome, maybe this makes it into 1.0.8!
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

bdyzel

  • Guest
Re: Config Backup of Fortigate firewalls - Works, but only for 59lines
« Reply #3 on: March 15, 2013, 08:00:21 AM »
Hi,

The read only prompt is '$', and the more can be turned off with the following command set: ****(maybe something to note, I've set up the user with full read access, but no change rights, so technically it's a read only user that can do the show full command)****
#config system console
(console) #set out standard

I didn't change the OS from IOS-fw yet.
Here are the results of the different permutations I've tried with the suggested strings below:

1) With the more prompt still enabled I tried this variation:
$cmd{'IOS-fw'}{'ropr'} = '(.+)>\s?$';
$cmd{'IOS-fw'}{'enpr'} = '(.+)#\s?$';
$cmd{'IOS-fw'}{'conf'} = 'show full-configuration';
$cmd{'IOS-fw'}{'strt'} = '.';
$cmd{'IOS-fw'}{'more'} = '<--more-->';

and this was the result:

Prepare (CLI)  ----------------------------------------------------------------
SSH :nedi:22 Tout:10s OS:IOS-fw EN:(.+)#\s?$
PTY :Forking ssh -o 'StrictHostKeyChecking no' -l nedi 172.16.2.1
CLI2:Matched password:, sending password
CLI3:Password sent
pattern match timed-out at /var/nedi/inc/libcli-iopty.pm line 464



2) With the more prompt disabled, I tried this variation:

Prepare (CLI)  ----------------------------------------------------------------
SSH :nedi:22 Tout:10s OS:IOS-fw EN:(.+)>\s?$
PTY :Forking ssh -o 'StrictHostKeyChecking no' -l nedi 172.16.2.1
CLI2:Matched password:, sending password
CLI3:Password sent
pattern match timed-out at /var/nedi/inc/libcli-iopty.pm line 464
« Last Edit: March 15, 2013, 08:02:06 AM by bdyzel »

rickli

  • Administrator
  • Hero Member
  • Posts: 2687
Re: Config Backup of Fortigate firewalls - Works, but only for 59lines
« Reply #4 on: March 17, 2013, 01:23:17 PM »
Try those prompts:
$cmd{'FortiOS'}{'ropr'} = 'GitsDoNid';
$cmd{'FortiOS'}{'enpr'} = '(.+?)\$\s?$';
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

bdyzel

  • Guest
Re: Config Backup of Fortigate firewalls - Works, but only for 59lines
« Reply #5 on: March 18, 2013, 02:43:13 PM »
These prompts made the Nedi service hang, and I had to restart the server.

rickli

  • Administrator
  • Hero Member
  • Posts: 2687
Re: Config Backup of Fortigate firewalls - Works, but only for 59lines
« Reply #6 on: March 19, 2013, 01:11:36 AM »
Hmm, so there's no # prompt as you indicated when turning off paging? It's not easy for me to debug like this...

Can you post a working example, where you do it manually?

Oh, btw did you notice you get the config all the way up until the hostname is set...which you seem to use in the enable prompt, correct?
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo
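As an added illustration of the point above (this is not code from the thread or from NeDi's libcli), here is a small reader that stops at the first line matching the prompt regex. With the original unanchored enable prompt `FG.`, the match fires on the `set hostname "FG-..."` line inside the config itself, so the dump is cut short; the end-of-line-anchored `$` prompt of the read-only user reads to the real prompt; a `#` prompt never matches and the reader would time out. The session text is constructed, and matching per line is a simplification of libcli's buffer matching (which is why the real log cut off mid-line at `set hostname "`).

```python
import re

# Constructed stand-in for "show full-configuration" output on a FortiGate
# (not a real capture). The last line is the read-only user's "$" prompt.
SAMPLE_SESSION = [
    'config system global',
    '    set admin-port 80',
    '    set admin-ssh-port 22',
    '    set hostname "FG-edge"',
    '    set timezone 04',
    'end',
    'config system interface',
    '    edit "port1"',
    '        set ip 172.16.2.1 255.255.255.0',
    '    next',
    'end',
    'FG-edge $ ',
]

# Prompt patterns from the thread: the first tweak's unanchored "FG.",
# the "#" prompt that timed out, and the anchored "$" prompt suggested later.
UNANCHORED_PROMPT = r'FG.'
HASH_PROMPT = r'(.+)#\s?$'
ANCHORED_PROMPT = r'(.+?)\$\s?$'


def read_until_prompt(session, prompt_re):
    """Collect output lines until one matches the prompt regex.

    Mimics an expect-style reader that stops at the first prompt match.
    Returns (config_lines, matched_line); matched_line is None when no
    prompt was seen, which is the case where a real reader times out.
    """
    pat = re.compile(prompt_re)
    captured = []
    for line in session:
        if pat.search(line):
            return captured, line
        captured.append(line)
    return captured, None


def backup_is_complete(config_lines):
    """Cheap completeness check: a full FortiOS dump closes its last block with 'end'.

    A truncated dump otherwise looks like a successful backup, so a check
    like this belongs next to any scripted config collection.
    """
    return bool(config_lines) and config_lines[-1].strip() == 'end'
```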

bdyzel

  • Guest
Re: Config Backup of Fortigate firewalls - Works, but only for 59lines
« Reply #7 on: March 19, 2013, 07:14:50 AM »
I noticed that, but as I'm not an expert with Linux, or regex, I'm not sure what I'd need to tweak to get it working correctly, although the taste of victory is so close, I can't just leave it now.  ;D

The prompt ends with the $ sign due to the user being a "read only super-admin".

The example:


As I've already set the console output mode to standard and not more, it runs through the whole config without pause. I hope this is enough info?

rickli

  • Administrator
  • Hero Member
  • Posts: 2687
Re: Config Backup of Fortigate firewalls - Works, but only for 59lines
« Reply #8 on: March 25, 2013, 07:26:39 PM »
Eureka :)

Will be in oh8 final!

Just noticed that such huge files seem to get Algorithm::Diff to stall, wow!
« Last Edit: March 25, 2013, 08:49:21 PM by rickli »
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo