DX NetOps

  • 1.  NCM Capture Config for Fortigate Firewall using SSH

    Posted Feb 14, 2017 04:53 AM

    Hello,

    I need help on NCM Capture Config for Fortigate Firewall. I have already run the SSH PERL script, and the problem is that only 22 lines are captured; the actual count is around 3k lines. The script is as per below.

    #!/opt/SPECTRUM/bin/perl -w

    # This script will capture the running configuration of a
    # Cisco SAN-OS device through an SSH session and print it to STDOUT.
    #
    # Error Codes:
    # 0 = Success
    # 255 = Usage error
    # 254 = Invalid timeout value
    # 252 = Login error
    # 249 = Exec prompt not found error
    # 244 = Error retrieving configuration
    # 245 = Insufficient privileges
    # 253 = Unexpected output
    #

    use strict;
    use warnings;
    use Net::SSH::Expect;

    $ENV{'PATH'} = "/usr/bin:" . $ENV{'PATH'};

    ### Main ###
    if ( $#ARGV != 4 && $#ARGV != 5 )
    {
        print "Usage: capture_running.pl <device IP> <user> <pass> <enable_pass> <login_timeout_in_seconds> <capture_timeout_in_seconds>\n";
        print STDERR "Usage: capture_running.pl <deviceIP> <user> <pass> <enable_pass> <login_timeout_in_seconds> <capture_timeout_in_seconds>\n";
        exit 255;
    }
    elsif ( $ARGV[4] < 1 || $ARGV[4] > 600 )
    {
        print "$ARGV[4] is the login timeout and must be an int between 1 and 600 seconds\n";
        print STDERR "$ARGV[4] is the login timeout and must be an int between 1 and 600 seconds\n";
        exit 254;
    }
    elsif ( $#ARGV == 5 && ( $ARGV[5] < 1 || $ARGV[5] > 600 ) )
    {
        print "$ARGV[5] is the capture timeout and must be an int between 1 and 600 seconds\n";
        print STDERR "$ARGV[5] is the capture timeout and must be an int between 1 and 600 seconds\n";
        exit 254;
    }
    else
    {
        # the capture timeout defaults to the login timeout unless given
        my $capture_timeout = $ARGV[4];
        if ( $ARGV[5] )
        {
            $capture_timeout = $ARGV[5];
        }

        my $errorCode = 1;
        my @data;
        my $errorString = "\nHost $ARGV[0]: \n";

        ( $errorCode, @data ) = GetConfig( $ARGV[0], $ARGV[1], $ARGV[2], $ARGV[3],
                                           $ARGV[4], $capture_timeout );

        if ( $errorCode == 0 )
        {
            # Success. The running configuration
            # content is in the data variable

            foreach ( @data ) { print "$_\n" }    # print the configuration to STDOUT
            exit 0;
        }
        else
        {
            print STDERR $errorString;

            if ( $errorCode == 245 )
            {
                print STDERR join " ", @data, "\nEnsure that the device user has sufficient privileges to disable paging and view the config\n";
            }
            else
            {
                print STDERR join " ", @data, "\n";
            }

            exit $errorCode;
        }
    }

    exit 0;

    sub GetConfig
    {
        my $deviceIP        = shift;
        my $user            = shift;
        my $pass            = shift;
        my $epass           = shift;
        my $login_timeout   = shift;
        my $capture_timeout = shift;
        my @config;
        my $msg;

        my $ssh = Net::SSH::Expect->new( host        => $deviceIP,
                                         user        => $user,
                                         password    => $pass,
                                         raw_pty     => 1,
                                         no_terminal => 0,
                                         timeout     => $login_timeout
                                       );

        my $login_output;
        eval { $login_output = $ssh->login(); };
        if ( $@ )
        {
            $msg = "Login has failed. Output: $login_output";
            return ( 252, $msg );
        }

        # login output should end with the device prompt character ('$' here)
        if ( $login_output !~ /\$\s*\z/ )
        {
            $msg = "Login has failed. Didn't see device prompt as expected.";
            $ssh->close();
            return ( 252, $msg );
        }

        # '$' is also the exec prompt on this device (the original Cisco
        # version of the script looked for '#' here)
        if ( $login_output !~ /\$\s*\z/ )
        {
            # we don't have the exec prompt, means we still can't exec commands
            $msg = "Exec prompt not found.";
            $ssh->close();
            return ( 249, $msg );
        }

        # disable paging
        # different commands for different devices, if they don't
        # work then we will get messages about problems later
        # specifically the "No prompt after 'sh run'" error
        # errmsg doesn't get set when these error and if we use print
        # and getlines to read for errors it causes problems with print "sh run"
        # later.
        # $ssh->exec( "term pager 0" );
        my $paging = $ssh->exec( "terminal length 0" );
        if ( $paging =~ /\s?%\s/ )
        {
            $msg = "Unable to set terminal size to 0 - Insufficient privileges";
            $ssh->close();
            return ( 245, $msg );
        }

        $ssh->send( "sh" );
        $ssh->timeout( $capture_timeout );
        $ssh->peek( 0 );

        while ( my $line = $ssh->read_line() )
        {
            # get configuration content; skip the echoed command, the
            # Cisco-style banner lines and blank lines. The command match
            # is anchored so that config lines that merely contain "sh"
            # (e.g. ssh settings) are kept.
            if ( $line !~ /^\s*sh\s*$|Building configuration|Current configuration|^\s*$/ )
            {
                push @config, $line;
            }
        }

        if ( @config <= 0 )
        {
            $msg = "No data retrieved, the capture timeout may be too low.";
            $ssh->close();
            return ( 244, $msg );
        }

        if ( scalar grep { $_ =~ /^%/ } @config )
        {
            # Ensure show running actually returned the config and not an error
            # message containing '%'
            $ssh->close();
            return ( 245, @config );
        }

        $ssh->close();
        return ( 0, @config );    # everything was okay, return the captured data
    }



  • 2.  Re: NCM Capture Config for Fortigate Firewall using SSH
    Best Answer

    Broadcom Employee
    Posted Feb 15, 2017 01:56 AM

    Hi

    Have you set paging to off? This is done on the firewall itself.

    config system console
      set output standard
    end

    Hope it helps

    Klaus



  • 3.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Posted Feb 16, 2017 03:03 AM

    Hi,

    Mr Klaus-Peter Lintz,

    Thanks for your suggestion. I will try it. Another question: instead of setting paging to off on the firewall itself, is there another way, for example executing the command in the PERL script? I'm not an expert in PERL scripting.



  • 4.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Broadcom Employee
    Posted Feb 16, 2017 12:56 PM

    Hi, try this.

    After you have logged in:

    $ssh->exec("config system console");
    $ssh->exec("set output standard");
    $ssh->exec("end");

    At the end of the script (not sure if "default" is the correct setting to change the paging back):

    $ssh->exec("config system console");
    $ssh->exec("set output default");
    $ssh->exec("end");
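The capture loop in the first post and the console commands suggested here can be combined with a check that makes the paging symptom (a capture cut off after one screen) an explicit error instead of a silently short config. The following is an added example of my own, not code from the thread or from the NCM script; it assumes FortiOS prints `--More--` as its pager prompt and `command parse error` / `Command fail` for rejected commands, and the sample config lines and the `FGT-PLACEHOLDER` version string are constructed.

```perl
# Added example, not from the thread: post-process the lines that
# $ssh->read_line() returns from a FortiGate "show" and flag paging.
use strict;
use warnings;

# clean_capture(@raw_lines) -> (error_code, @config_lines or $message)
# Error codes reuse the script's own: 0 ok, 244 nothing captured,
# 245 device error / paging still enabled, 253 unexpected output.
sub clean_capture {
    my @raw = @_;
    my ( @config, @errors );
    my $paged = 0;
    for my $line (@raw) {
        $line =~ s/\r//g;                          # CRLF from the pty
        if ( $line =~ /--More--/ ) {               # FortiOS pager prompt (assumed string)
            $paged = 1;
            $line =~ s/--More--[\b ]*//;           # prompt plus the backspaces that erase it
        }
        next if $line =~ /^\s*(sh|show( full-configuration)?)\s*$/;   # echoed command only
        next if $line =~ /^\s*$/;
        push @errors, $line if $line =~ /^(command parse error|Command fail)/i;   # FortiOS CLI errors
        push @config, $line;
    }
    return ( 245, "Pager still active ('--More--' seen), capture is truncated: "
               . "run 'config system console' / 'set output standard' / 'end' first" ) if $paged;
    return ( 244, "No data retrieved, the capture timeout may be too low." ) unless @config;
    return ( 245, @errors ) if @errors;
    return ( 253, "Unexpected output, no '#config-version=' header: $config[0]" )
        unless $config[0] =~ /^#config-version=/;
    return ( 0, @config );
}

# Constructed sample: what read_line() yields when paging is still on.
my @paged = (
    "show\r",
    "#config-version=FGT-PLACEHOLDER:opmode=0:vdom=0:user=admin\r",   # constructed header
    "config system global\r",
    "    set hostname \"fw-edge\"\r",
    "end\r",
    "--More-- \b\b\b\b\b\b\b\b\b         \b\b\b\b\b\b\b\b\bconfig system admin\r",
);
# The same device after 'set output standard': no pager line at all.
my @clean = @paged[ 0 .. 4 ];
for my $case ( [ 'paging on', \@paged ], [ 'paging off', \@clean ] ) {
    my ( $rc, @out ) = clean_capture( @{ $case->[1] } );
    print "$case->[0]: rc=$rc\n";
    print "  $_\n" for @out;
}
```

With the pager line present the function returns 245 and the advice to disable paging; with it absent it returns 0 and the four config lines.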



  • 5.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Posted Feb 17, 2017 03:12 AM

    Hi,

    My workaround to bypass the paging problem was to build the configuration file on the device, transfer it via tftp to the SpectroServer and send it to STDOUT.

    Regards,

    Olaf



  • 6.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Broadcom Employee
    Posted Feb 17, 2017 06:06 AM

    Great. Please send me the script and config file. I need to do the same thing.

    Regards

    klaus



  • 7.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Posted Feb 17, 2017 09:28 AM

    Sorry, the script is owned by one of our customers, I'm not allowed to publish.

    As far as I remember it was something like:

    -prepare an empty local file for tftp transfer

    -connect

    "config global";           # Configuration mode on the device
    " execute backup config tftp "; # start config transfer

    -disconnect

    -print local file

    Regards,

    Olaf



  • 8.  Re: NCM Capture Config for Fortigate Firewall using SSH

    Broadcom Employee
    Posted Feb 20, 2017 06:19 AM

    Thanks