DX NetOps

Expand all | Collapse all

NCM Capture Config for Fortigate Firewall using SSH

Jump to Best Answer
  • 1.  NCM Capture Config for Fortigate Firewall using SSH

    Posted 02-14-2017 04:53 AM

    Hello,

    I need help on NCM Capture Config for Fortigate Firewall. I'm already run the SSH PERL script and the problem is only 22 lines captured, the actual line is around 3k. The script as per below.

     

     

    #!/opt/SPECTRUM/bin/perl -w

    # This script will capture the running configuration of a
    # Cisco SAN-OS device through an SSH session and print it to STDOUT.
    #
    # Error Codes:
    # 0 = Success
    # 255 = Usage error
    # 254 = Invalid timeout value
    # 252 = Login error
    # 249 = Exec prompt not found error
    # 244 = Error retrieving configuration
    # 245 = Insufficient privileges
    # 253 = Unexpected output
    #

    use strict;
    use warnings;
    use Net::SSH::Expect;

    $ENV{'PATH'} = "/usr/bin:". $ENV{'PATH'};

    ### Main ###
    if( $#ARGV != 4 && $#ARGV != 5 )
    {
    print "Usage: capture_running.pl <device IP> <user> <pass> <enable_pass>
    <login_timeout_in_seconds> <capture_timeout_in_seconds>\n";
    print STDERR "Usage: capture_running.pl <deviceIP> <user> <pass>
    <enable_pass> <login_timeout_in_seconds> <capture_timeout_in_seconds>\n";
    exit 255;
    }
    elsif( $ARGV[4] < 1 || $ARGV[4] > 600 )
    {
    print "$ARGV[4] is the login timeout and must be an int between 1 and 600 seconds\n";
    print STDERR "$ARGV[4] is the login timeout and must be an int between 1 and 600 seconds\n";
    exit 254;
    }
    elsif( $#ARGV == 5 && ( $ARGV[5] < 1 || $ARGV[5] > 600 ) )
    {
    print "$ARGV[5] is the capture timeout and must be an int between 1 and 600 seconds\n";
    print STDERR "$ARGV[5] is the capture timeout and must be an int between 1 and 600 seconds\n";
    exit 254;
    }
    else
    {
    my $capture_timeout = $ARGV[4];
    if( $ARGV[5] )
    {
    $capture_timeout = $ARGV[5];
    }

    my $errorCode = 1;
    my @data;
    my $errorString = "\nHost $ARGV[0]: \n";

    ($errorCode, @data) = GetConfig( $ARGV[0], $ARGV[1], $ARGV[2], $ARGV[3],
    $ARGV[4], $capture_timeout );

    if( $errorCode == 0 )
    {
    # Success. The running configuration
    # content is in the data variable

    foreach ( @data ) { print "$_\n" }; # print the configuration to STDOUT
    exit 0;
    }
    else
    {
    print STDERR $errorString;

    if( $errorCode == 245 )
    {
    print STDERR join " ", @data, "\nEnsure that the device user has
    sufficient privileges to disable paging and view the config\n";
    }
    else
    {
    print STDERR join " ", @data, "\n";
    }

    exit $errorCode;
    }
    }

    exit 0;

    sub GetConfig
    {
    my $deviceIP=shift;
    my $user=shift;
    my $pass=shift;
    my $epass=shift;
    my $login_timeout=shift;
    my $capture_timeout=shift;
    my @config;
    my $msg;

    my $ssh = Net::SSH::Expect->new ( host => $deviceIP,
    user => $user,
    password=> $pass,
    raw_pty => 1,
    no_terminal => 0,
    timeout => $login_timeout
    );

    my $login_output;
    eval { $login_output = $ssh->login(); };
    if( $@ )
    {
    $msg = "Login has failed. Output: $login_output";
    return( 252, $msg );
    }

    # login output should contain the right prompt characters
    if( $login_output !~ /\$\s*\z/ )
    {
    $msg = "Login has failed. Didn't see device prompt as expected.";
    $ssh->close();
    return( 252, $msg );
    }

    if( $login_output !~ /\$\s*\z/ ) # Replace '#' is the prompt character here
    {
    # we don't have the '#' prompt, means we still can't exec commands
    $msg = "Exec prompt not found.";
    $ssh->close();
    return( 249, $msg );
    }

    # disable paging
    # different commands for different devices, if they don't
    # work then we will get messages about problems later
    # specifically the "No prompt after 'sh run'" error
    # errmsg doesn't get set when these error and if we use print
    # and getlines to read for errors it causes problems with print "sh run"
    # later.
    # $ssh->exec( "term pager 0" );
    my $paging = $ssh->exec( "terminal length 0" );
    if ( $paging =~ /\s?%\s/ )
    {
    $msg = "Unable to set terminal size to 0 - Insufficient privileges";
    $ssh->close();
    return( 245, $msg);
    }

    $ssh->send( "sh" );
    $ssh->timeout( $capture_timeout );
    $ssh->peek(0);

    while( my $line = $ssh->read_line() )
    {
    # get configuration content

    if( $line !~
    /sh|Building configuration|Current configuration|^\s*$/ )
    {
    push @config, $line;
    }
    }

    if( @config <= 0 )
    {
    $msg = "No data retrieved, the capture timeout may be too low.";
    $ssh->close();
    return( 244, $msg );
    }

    if( scalar grep { $_ =~ /^%/ } @config )
    {
    # Ensure show running actually returned the config and not an error
    # message containing '%'
    return( 245, @config );
    }

    return( 0, @config ); # everything was okay, return the captured data



  • 2.  Re: NCM Capture Config for Fortigate Firewall using SSH
    Best Answer

    Posted 02-15-2017 01:56 AM

    Hi

    Have you set paging to off. This is done on the firewall itself.

    config system console
      set output standard
    end

     

    Hope it helps

    Klaus



  • 3.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Posted 02-16-2017 03:03 AM

    Hi,

     

    Mr Klaus-Peter Lintz,

     

    Thanks for your suggestion. I will try it. Another question..Instead of set paging to off in firewall itself, there is another way? for example execute the command in PERL script? I'm not an expert in PERL script. 



  • 4.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Posted 02-16-2017 12:56 PM

    Hi Try this

    After you logged in

    $ssh->exec("config system console");
    $ssh->exec("set output standard");
    $ssh->exec("end");

     

    At the end of the script (Not sure if default is the correct setting to change the paging back)

    $ssh->exec("config system console");
    $ssh->exec("set output default");
    $ssh->exec("end");



  • 5.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Posted 02-17-2017 03:12 AM

    Hi,

     

    my workaround to bypass the paging problem was, build the configuration file on the device, transfer it via tftp to the SpectroServer and send it to STDOUT.

     

    Regards,

    Olaf



  • 6.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Posted 02-17-2017 06:06 AM

    Great. Please sent me the script and config file. I need to do the same thing

     

    Regards

    klaus



  • 7.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Posted 02-17-2017 09:28 AM

    Sorry, the script is owned by one of our customers, I'm not allowed to publish.

     

    As far as I remember it was something llike

     

    -prepare an empty local file for tftp transfer

    -connect

    "config global";           # Configuration mode on the device
    " execute backup config tftp "; # start config transfer

    -disconnect

    -print local file

     

    Regards,

    Olaf



  • 8.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Posted 02-20-2017 06:19 AM

    Thanks