
Topic: Fortigate config Backup 1.6 [SOLVED]

ntmark

Fortigate config Backup 1.6 [SOLVED]
« on: May 17, 2016, 01:50:01 AM »
Hi,
 I'm having some problems getting FortiGate to do config backups in 1.6.
We haven't been doing this in previous versions, so I've been searching through the forums for any config references.
I have finally got the login prompt to work via SSH by changing the 'FortiOS' section of libcli.pm to this, but there are probably some useless lines in here.
Code:
$cmd{'FortiOS'}{'ropr'} = '(.+)\s?#$';                # read-only prompt
$cmd{'FortiOS'}{'enpr'} = '.\s#\s$';                  # enable prompt
$cmd{'FortiOS'}{'enab'} = 'enable';                   # enable command
$cmd{'FortiOS'}{'shcf'} = 'show full-configuration';  # command to display the config
$cmd{'FortiOS'}{'strt'} = '.';                        # (replaced by cfst in later versions)
$cmd{'FortiOS'}{'page'} = 'disable clipaging???';     # command to disable paging
$cmd{'FortiOS'}{'cfst'} = '^config';                  # match start of config
$cmd{'FortiOS'}{'more'} = '--More-- ';                # match the "more" prompt

This has let me run ./nedi.pl -v -B0 -SAFGgsjmvpadobewitu -a <host IP>
but now I'm getting this error when it's running through the CONF: lines
Code:
...
CONF:30230 lines read

Configbackup ------------------------------------------------------------------
DBD::mysql::st execute failed: MySQL server has gone away at ./inc/libdb.pm line 900.
DBD::mysql::st execute failed: MySQL server has gone away at ./inc/libdb.pm line 900.

Line 900 of libdb.pm is the middle line here:
Code:
$sth = $dbh->prepare("INSERT INTO configs(device,config,changes,time) VALUES ( ?,?,?,? )");
$sth->execute ($dv,$cfg,$chg,$main::now);
misc::WriteCfg($dv) if defined $main::opt{'B'};


Now I'm stuck again.
Does anyone have config backup working in 1.6 with FortiGates?

Cheers
Mark.

Edit: removed double post.
« Last Edit: October 20, 2016, 11:12:07 PM by ntmark »

rickli

Re: Fortigate config Backup 1.6
« Reply #1 on: July 21, 2016, 10:57:28 AM »
Hi Mark

Would be great to have it working for all boxes. Problem is with differences between models and SW version...

Generally you either use a 'more' string to match a prompt which expects a keypress to continue output, or a 'page' command to turn off CLI paging (but not both).

I think they don't have a readonly prompt (e.g. no need for enable command 'enab'), that's why I had 'GitsDoNid' (a string which hopefully never matches) for the readonly prompt 'ropr'. So maybe the 'enpr' was too restrictive (not matching every possible hostname) and your '.\s#\s$' works, because any prompt matches, as long as there's a # at the end. You can also try adding the missing character you might have in your hostname between the square brackets...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

ntmark

Re: Fortigate config Backup 1.6
« Reply #2 on: July 22, 2016, 10:17:28 AM »
Haha, yeah version compatibility... always gets me too.

I'll have to look into it more, I think what I'm missing was a # at the prompt.
The hostname needed to match this: 'HOSTNAME #' or 'HOST-NAME #'.
Maybe I'll find out from their site what characters they support for this.

I was unsure if I needed enab, strt, more.
I will try it without enab and page, as it only requires [space] to be pressed.

And what does strt do? Thinking about it, is it the output character during a config backup with debug on (aka progress meter)?

Also in the regex for the ropr I'll try to restrict it more, something like this.
Typing from memory on the regex, but I would add a second group to match prompt types.
Code:
$cmd{'FortiOS'}{'ropr'} = 'GitsDoNid';                # read-only prompt (string that should never match)
$cmd{'FortiOS'}{'enpr'} = '[\w+().-]+\s[\$\#]$';      # enable prompt: hostname, space, then $ or #
$cmd{'FortiOS'}{'shcf'} = 'show full-configuration';  # command to display the config
$cmd{'FortiOS'}{'strt'} = '.';                        # (replaced by cfst in later versions)
$cmd{'FortiOS'}{'cfst'} = '^config';                  # match start of config
$cmd{'FortiOS'}{'more'} = '--More-- ';                # match the "more" prompt

Thanks again Remo
Mark.

rickli

Re: Fortigate config Backup 1.6
« Reply #3 on: August 05, 2016, 11:36:33 AM »
strt has been replaced by cfst. You should also need either page or more, but not both as the page command should actually avoid any more prompts.

I've updated perldoc now:
    $cmd: Holds commands, expected prompts and other OS specific parameters
    needed to handle CLI access:
    *   ropr: Read only prompt, if no readonly prompt is used set to some
        string which won't occur otherwise.
    *   enpr: Enable prompt
    *   enab: Enable command
    *   conf: Command to enter config mode
    *   shcf: Command to display config
    *   cfto: Config timeout, wait additional seconds for config (default 10)
    *   cfst: Match start of config (use a . to match anything)
    *   cfen: Match end of config (don't define to match everything up to next
        prompt)
    *   page: Command to disable paging
    *   more: Match "more" prompt (only use if "page" is not available)
    *   dfwd: Show dynamic bridge forwarding table (only IOS & CatOS)
    *   sfwd: Show static bridge forwarding table (only IOS & CatOS)
    *   arp: Show arp table (ASA, Nexus)
« Last Edit: August 05, 2016, 11:42:38 AM by rickli »
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

ntmark

Re: Fortigate config Backup 1.6
« Reply #4 on: August 08, 2016, 10:11:54 AM »
Man, I'm sorry, I should have read the head of libcli.pm for the variable descriptions. (my bad)

This is the regex I'm going to try out; it looks like it matches all our prompts so far + these below:
Code:
[\w+()-]+\s\#\s$

test #
test-123 #
-_12 #
12345 #
1-2 #
12----56___ #

I've left the () in there but I don't think they are needed along with the literal +

Regarding the hostname requirements this is from their website "The hostname can be up to 35 characters in length. It can include US-ASCII letters, numbers, hyphens, and underscores, but not spaces and special characters."
\w = a-zA-Z0-9_, so I only need to have - in that group.

Login prompts seem to always end with a \s#\s at the end (at least for ssh connection), I haven't personally seen an actual dollar $ prompt so removed that.
Would be nice if someone else can confirm if $ is used?

So I've essentially reverted back to your original settings and only changed the {ropr} regex. lol.
oh well.

Now looks like this:
Code:
$cmd{'FortiOS'}{'ropr'} = 'GitsDoNid';                # read-only prompt (string that should never match)
$cmd{'FortiOS'}{'enpr'} = '[\w+()-]+\s\#\s$';         # enable prompt: hostname, space, #, space
$cmd{'FortiOS'}{'more'} = '--More-- ';                # match the "more" prompt
$cmd{'FortiOS'}{'shcf'} = 'show full-configuration';  # command to display the config
$cmd{'FortiOS'}{'cfst'} = '^config';                  # match start of config

Seems to work ok.
I'll update if I find any issues.
Thanks for your help. :)

Mark.
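As an added illustration that is not NeDi's code and was not posted by anyone in this thread: a small Python check of the prompt handling discussed above. It runs the posted enable-prompt regex and a tighter variant built only from the Fortinet hostname rule quoted in Reply #4 against constructed sample prompts, classifies the tail of a simulated SSH buffer as "more" prompt, enable prompt or neither, and cuts the config out of that buffer the way the perldoc in Reply #3 describes for cfst with cfen left undefined. The regex named ENPR_STRICT, the hostname validator and the session text are my assumptions, not NeDi settings or a real capture.

```python
import re

# Values as posted in this thread for $cmd{'FortiOS'} (Perl regex syntax, also valid for Python's re).
ENPR_POSTED = r"[\w+()-]+\s\#\s$"
MORE = r"--More-- "
CFST = r"^config"

# Assumption (mine, not NeDi's): a tighter enable-prompt regex built only from the Fortinet
# hostname rule quoted in the thread (US-ASCII letters, digits, hyphen, underscore, max 35).
# The ^ matters: in an unanchored search a narrower character class changes nothing, because
# "b # " inside "a+b # " would still satisfy it.
ENPR_STRICT = r"^[A-Za-z0-9_-]{1,35}\s#\s$"

HOSTNAME_RULE = re.compile(r"^[A-Za-z0-9_-]{1,35}$")  # explicit class: \w is Unicode-aware in Python


def valid_hostname(name):
    """True if name satisfies the hostname rule quoted in the thread."""
    return HOSTNAME_RULE.match(name) is not None


def matches(pattern, text):
    """Unanchored search, the way a prompt regex is tested against CLI output."""
    return re.search(pattern, text) is not None


def classify_tail(buf, enpr=ENPR_STRICT):
    """Inspect the last line of an accumulated CLI buffer: 'more' means send a space,
    'enpr' means the device is back at its prompt, None means keep reading."""
    last = buf.rsplit("\n", 1)[-1]
    if matches(MORE, last):
        return "more"
    if matches(enpr, last):
        return "enpr"
    return None


def extract_config(buf, enpr=ENPR_STRICT):
    """Keep lines from the first one matching cfst (^config) up to the enable prompt,
    dropping paging prompts; this is 'cfst' with 'cfen' left undefined."""
    lines, started = [], False
    for line in buf.split("\n"):
        if line == MORE:            # paging prompt sits on its own line in the constructed sample
            continue
        if not started:
            started = re.match(CFST, line) is not None
            if not started:
                continue
        if matches(enpr, line):     # prompt is back: end of config
            break
        lines.append(line)
    while lines and not lines[-1].strip():
        lines.pop()
    return lines


# Constructed sample prompts. The real prompt ends in "# " (hash, then space), so the trailing
# space is kept here; a .strip() on the buffer would make \s#\s$ fail.
SAMPLE_PROMPTS = ["test # ", "test-123 # ", "-_12 # ", "12345 # ", "1-2 # ", "12----56___ # "]

# Constructed, simplified session text (not a real capture): command echo, paged output,
# then the prompt again after the paging prompt was answered with a space.
SESSION_PAGED = (
    "fw-edge-01 # show full-configuration\n"
    "config system global\n"
    '    set hostname "fw-edge-01"\n'
    "--More-- "
)
SESSION_DONE = SESSION_PAGED + "\n    set admintimeout 5\nend\n\nfw-edge-01 # "

if __name__ == "__main__":
    for p in SAMPLE_PROMPTS + ["a+b # ", "fw#", "fw # show full-configuration"]:
        print(f"{p!r:36} posted={matches(ENPR_POSTED, p)} strict={matches(ENPR_STRICT, p)}")
    print(classify_tail(SESSION_PAGED), classify_tail(SESSION_DONE))
    print(extract_config(SESSION_DONE))
```

Two things worth noticing when running it: the echoed command line "fw-edge-01 # show full-configuration" is not taken for a prompt by either regex, because the $ requires "# " to be the end of the line; and the posted class still accepts "a+b # " while the anchored strict one does not, which only holds because of the leading ^.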