  • 1.  NCM Capture Config for Fortigate Firewall using SSH

    Posted Jul 06, 2021 05:28 AM

    Hi All, 

    We are having problems capturing the config for Fortigate devices (ModelTypename: FortinetFortiOS, Devicetype: FortiGate 100E). The Perl script is below.

     

    When I run the script on the spectro server, I get the following error: "Ensure that the device user has sufficient privileges to disable paging and view the config." 

    The disable paging part of the script is as follows.
     

    How do you capture config for Fortigate model devices?  

     

     

     

     

    #!/opt/SPECTRUM/bin/perl -w
      # This script will capture the running configuration of a
      # Cisco SAN-OS device through an SSH session and print it to STDOUT.
      #
      # Error Codes:
      #   0   = Success
      #   255 = Usage error
      #   254 = Invalid timeout value
      #   252 = Login error
      #   249 = Exec prompt not found error
      #   244 = Error retrieving configuration
      #   245 = Insufficient privileges
      #   253 = Unexpected output
      #
      use strict;
      use warnings;
      use Net::SSH::Expect;
    #  $ENV{'PATH'} = "/usr/bin:". $ENV{'PATH'};
      $ARGV[4]=5;
      $ARGV[5]=5;
      ### Main ###
      if( $#ARGV != 4 && $#ARGV != 5 )
      {
          print "Usage: capture_running.pl <device IP> <user> <pass> <enable_pass>
      <login_timeout_in_seconds> <capture_timeout_in_seconds>\n";
          print STDERR "Usage:  capture_running.pl <deviceIP> <user> <pass>
      <enable_pass> <login_timeout_in_seconds> <capture_timeout_in_seconds>\n";
          exit 255;
      }
      elsif( $ARGV[4] < 1 || $ARGV[4] > 600 )
      {
          print "$ARGV[4] is the login timeout and must be an int between 1 and 600  seconds\n";
          print STDERR "$ARGV[4] is the login timeout and must be an int between 1 and  600 seconds\n";
          exit 254;
      }
      elsif( $#ARGV == 5 && ( $ARGV[5] < 1 || $ARGV[5] > 600 ) )
      {
          print "$ARGV[5] is the capture timeout and must be an int between 1 and 600  seconds\n";
          print STDERR "$ARGV[5] is the capture timeout and must be an int between 1  and 600 seconds\n";
          exit 254;
      }
      else
      {
          my $capture_timeout = $ARGV[4];
          if( $ARGV[5] )
          {
             $capture_timeout = $ARGV[5];
          }
          my $errorCode = 1;
          my @data;
          my $errorString = "\nHost $ARGV[0]:  \n";
          ($errorCode, @data) = GetConfig( $ARGV[0], $ARGV[1], $ARGV[2], $ARGV[3],
                                           $ARGV[4], $capture_timeout );
          if( $errorCode == 0 )
          {
              # Success.  The running configuration
              # content is in the data variable
              foreach ( @data ) { print "$_\n" }; # print the configuration to STDOUT
              exit 0;
          }
          else
          {
              print STDERR $errorString;
              if( $errorCode == 245 )
              {
                  print STDERR join " ", @data, "\nEnsure that the device user has
      sufficient privileges to disable paging and view the config\n";
              }
              else
              {
                  print STDERR join " ", @data, "\n";
              }
              exit $errorCode;
          }
      }
      exit 0;
      sub GetConfig
      {
          my $deviceIP=shift;
          my $user=shift;
          my $pass=shift;
          my $epass=shift;
          my $login_timeout=shift;
          my $capture_timeout=shift;
          my @config;
          my $msg;
          my $ssh = Net::SSH::Expect->new ( host => $deviceIP,
                                            user => $user,
                                            password=> $pass,
                                            raw_pty => 1,
                                            no_terminal => 0,
                                            timeout => $login_timeout
                                          );
          my $login_output;
          eval { $login_output = $ssh->login(); };
          if( $@ )
          {
              $msg = "Login has failed. Output: $login_output";
              return( 252, $msg );
          }
          # login output should contain the right prompt characters
        
               #  $ssh->send( "enable admin" );
                  #   $ssh->send( $pass );
          
          if( $login_output !~ /([#^]*)$/ )  # Replace '#' is the prompt character here
          {
     
      #        we don't have the '#' prompt, means we still can't exec commands
               $msg = "Exec prompt not found.";
               $ssh->close();
               return( 249, $msg );
          }
          # disable paging
          # different commands for different devices, if they don't
          # work then we will get messages about problems later
          # specifically the "No prompt after 'sh run'" error
          # errmsg doesn't get set when these error and if we use print
          # and getlines to read for errors it causes problems with print "sh run"
          # later.
      # $ssh->exec( "term pager 0" );
    #terminal length 0
    $ssh->exec("config system console");
        $ssh->timeout( $capture_timeout );
       $ssh->exec("set output standard");
        $ssh->timeout( $capture_timeout );
         $ssh->exec("end");
          my $paging = $ssh->exec( "disable clippage" );
          if ( $paging =~  /\s?%\s/ )
          {
              $msg = "Unable to set disable clippage";
              $ssh->close();
                 return( 245, $msg);
          }

          $ssh->send( "show full-configuration" );
          $ssh->timeout( $capture_timeout );
          $ssh->timeout( $capture_timeout );
          $ssh->peek(0);

          while( my $line = $ssh->read_line() )
          {
              # get configuration content
              if( $line !~
                  /sh run|Building configuration|Current configuration|^\s*$/ )
              {
                  push @config, $line;
              }
          }
          
     

          if( @config <= 0 )
          {
              $msg = "No data retrieved, the capture timeout may be too low.";
              $ssh->close();
              return( 244, $msg );
          }
          if( scalar grep { $_ =~ /^%/ } @config )
          {
              # Ensure show running actually returned the config and not an error
              # message containing '%'
              return( 245, @config );
          }
          
              
          return( 0, @config ); # everything was okay, return the captured data
      }
     



  • 2.  RE: NCM Capture Config for Fortigate Firewall using SSH

    Posted Aug 01, 2021 07:11 PM
    UP


  • 3.  RE: NCM Capture Config for Fortigate Firewall using SSH

    Broadcom Employee
    Posted Aug 02, 2021 01:06 AM

    Hello, 

    The message is telling you that
    a: you have to disable paging - so you don't have to hit space / return to view the next page of the configuration ( N number of times ) 
    b: the user you are connecting as *may* not have the privileges to execute the equivalent "show run" command you would execute on a Cisco router to view the device configuration.

    Don