Is Fortinet/Fortigate support broken?

Open linickx opened this issue 8 years ago • 16 comments

test_fortinet.debuglog.txt

  • OSX 10.11.6
  • Python 3.6.0
  • Netmiko 1.2.8
  • FortiGate-1500D v5.4.3,build1111,161220 (GA)

This is my example script:

#!/usr/bin/env python
# coding=utf-8
"""
    Fortinet Fortigate Test
"""
import logging

from netmiko import ConnectHandler

logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger('global')

devices = []

ips = ["10.10.10.1"]
for ip in ips:
    fortinet = {
        'device_type': 'fortinet',
        'ip':   ip,
        'username': 'admin',
        'password': 'xxxxx'
    }
    devices.append(fortinet)

for device in devices:
    net_connect = ConnectHandler(**device)
    output = net_connect.send_command('config global')
    output = net_connect.send_command('diagnose hardware deviceinfo nic')
    print(output)

Attached is a debug log.

After the config global command is issued by my script (not the one built into netmiko, the initial get system status seems to work, but as you can see I didn't issue that) the console prompt is returned but not detected and falls into an endless loop of DEBUG:netmiko:read_channel:, as a result the diagnose hardware deviceinfo nic doesn't execute.

Does anyone else see the same?

linickx avatar Feb 25 '17 14:02 linickx

Yes, Netmiko issues get system status as it needs to determine if 'Virtual domain configuration: enable' is configured (in order to disable paging).

It looks like the get system status command is causing problems (as the output is paged i.e. --More--). Can you try this fix and log what happens when you use it?

https://github.com/ktbyers/netmiko/commit/f9acf19ed1b4b56cd7d9f179a8e88fb968afc1d7

It is in the Netmiko develop branch

ktbyers avatar Feb 25 '17 16:02 ktbyers

A step forward but not resolved. Updated debug attached - test_fortinet.debuglog-2.txt.

In the debug, the new <space> is sent at line 60 DEBUG:netmiko:write_channel: b' \n' which completes the output and returns the prompt, the subsequent config global directed from fortinet/fortinet_ssh.py:L36 is then sent but the disable_paging_command from fortinet/fortinet_ssh.py:L44 does not execute. I assume something must have gone wrong in the earlier L36 self.send_command_timing?

What's also curious is, why is a new transport then setup? i.e. Is that normal?

To rule out FW issues, I've tried with a different firewall - test_fortinet.debuglog-otherFW.txt, same results.

linickx avatar Feb 26 '17 13:02 linickx

@linickx Okay, this issue is probably fixed (now in develop branch)

https://github.com/ktbyers/netmiko/commit/6910f064c36eb293b493592de376b6c3a4f2a11a

The issue is the following...

36    output = self.send_command_timing(vdom_additional_command)
37    if output.find("Command fail"):

output.find returns -1 when it fails. -1 is treated by Python as a boolean True (i.e. every integer besides 0 is treated by Python as True).

So this section was always being executed (which was why the SSH session was being re-established).

        if output.find("Command fail"):
              self.allow_disable_global = False
              self.remote_conn.close()
              self.establish_connection(width=100, height=1000)

ktbyers avatar Feb 26 '17 15:02 ktbyers
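
The truthiness problem described in the comment above, as an added example that is not part of the original thread or of Netmiko: it runs the quoted `output.find(...)` condition and a membership test over three constructed device replies. The hostname FGT-LAB, the reply text and the function names are assumptions made for illustration.

```python
# Added example: constructed device replies, not taken from the issue's debug logs.
SAMPLE_OUTPUTS = {
    "vdom_ok": "config global\nFGT-LAB (global) # ",
    "fail_mid_output": "config global\nCommand fail.\nFGT-LAB # ",
    "fail_at_index_0": "Command fail.\nFGT-LAB # ",
}


def buggy_check(output):
    """Condition as quoted from line 37: truthiness of str.find()."""
    # find() returns -1 when absent (truthy) and 0 for a match at the start (falsy).
    return bool(output.find("Command fail"))


def fixed_check(output):
    """Membership test: True only when the marker really is in the output."""
    return "Command fail" in output


def reconnect_decisions(check):
    """Map each sample to whether the close-and-reconnect branch would run."""
    return {name: check(text) for name, text in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    buggy = reconnect_decisions(buggy_check)
    fixed = reconnect_decisions(fixed_check)
    for name, text in SAMPLE_OUTPUTS.items():
        print(f"{name:16} find()={text.find('Command fail'):3} "
              f"buggy={buggy[name]!s:5} fixed={fixed[name]}")
```

With the quoted condition the branch runs whenever the marker is absent and is skipped only when the marker starts at index 0, which is the opposite of the intent.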

@linickx

Note, you still need to change this line in YOUR code.

From:

output = net_connect.send_command('config global')

To:

output = net_connect.send_command_timing('config global', delay_factor=4)

You might not need the delay_factor argument, but you can experiment with this.

ktbyers avatar Feb 26 '17 15:02 ktbyers

It's working now, thank you. :)

I tested on both firewalls, an updated debug - test_fortinet.debuglog-otherFW-2.txt - for one of them is attached.

fortinet/fortinet_ssh.py#L44 requires an additional end in the list, notice the prompt at line 82 of the debug, after the output has been updated via set output standard \n end \n the prompt is still in global config.

On send_command Vs send_command_timing the original code works not sure your reasoning for this recommendation?

Also, you could probably save yourself the 13 lines of code added in https://github.com/ktbyers/netmiko/commit/f9acf19ed1b4b56cd7d9f179a8e88fb968afc1d7 by using get system status | grep Virtual on fortinet/fortinet_ssh.py#L14

linickx avatar Feb 26 '17 18:02 linickx

Actually..

fortinet/fortinet_ssh.py#L44 requires an additional end in the list

This is probably caused by both my firewalls having multi-vdoms enabled.. that probably wouldn't happen on a single domain device.

I suspect the "wrong" prompt is due to fortinet_ssh.py#L33, to exit cleanly, before L49 return output + new_output you probably need:

if self.vdoms:
  output = self.send_command_timing("end", delay_factor=4)

linickx avatar Feb 26 '17 19:02 linickx

@linickx

I made some additional changes based on your comments above:

https://github.com/ktbyers/netmiko/commit/f1f57094b01ad9f82a95e9def4dab87dd4412232

Note, on your question here:

On send_command Vs send_command_timing the original code works not 
sure your reasoning for this recommendation?

The reason send_command() worked and you weren't required to use send_command_timing() is because of the end issue you referenced. In other words, you were already in config global context because of our earlier failure to end.

Consequently, the prompt didn't actually change and send_command() worked.

With the new commit (assuming I did it right)...send_command() will probably stop working and you will have to use send_command_timing (because the prompt will now be changing).

ktbyers avatar Mar 02 '17 01:03 ktbyers
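
A simplified model of the two completion strategies discussed above, added here as an example; it is not Netmiko's code. It shows why waiting for the pre-command prompt succeeds only when the session is already in the global context, while a timing-based read does not depend on the prompt. The hostname FGT-LAB, the replies and the helper names are constructed assumptions.

```python
import re

# Constructed reply to "config global"; FGT-LAB is a made-up hostname.
REPLY = ["config global\n", "FGT-LAB (global) # ", "", ""]


def pattern_wait(chunks, prompt_before, max_loops=10):
    """Prompt-based completion: read until the prompt seen before the command
    reappears; report failure if it never does within max_loops reads."""
    pattern = re.escape(prompt_before.strip())
    buffer = ""
    for loops, chunk in enumerate(chunks, start=1):
        buffer += chunk
        if re.search(pattern, buffer):
            return True, buffer
        if loops >= max_loops:
            break
    return False, buffer


def timing_read(chunks):
    """Timing-based completion: keep reading until the channel goes quiet."""
    buffer = ""
    for chunk in chunks:
        if not chunk:  # an empty read stands in for "no new data within the delay"
            break
        buffer += chunk
    return buffer


def run_scenarios():
    return {
        # Clean session: prompt changes from "FGT-LAB #" to "FGT-LAB (global) #".
        "clean_pattern": pattern_wait(REPLY, "FGT-LAB # ")[0],
        # Session left in global context: prompt is the same before and after.
        "stuck_pattern": pattern_wait(REPLY, "FGT-LAB (global) # ")[0],
        "clean_timing": timing_read(REPLY),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result!r}")
```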

Yep, that's all fixed now.

As you suggested, I did need to update my test script.

For the future reference of others, final debug attached - test_fortinet.debuglog-otherFW-3.txt - and updated script below.

@ktbyers Thank you.

#!/usr/bin/env python
# coding=utf-8
"""
    Fortinet Fortigate Test
"""
import logging

from netmiko import ConnectHandler

logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger('global')

devices = []

ips = ["10.159.75.204"]
for ip in ips:
    fortinet = {
        'device_type': 'fortinet',
        'ip':   ip,
        'username': 'admin',
        'password': 'xxxxx'
    }
    devices.append(fortinet)

for device in devices:
    net_connect = ConnectHandler(**device)
    output = net_connect.send_command_timing('config global', delay_factor=4)
    output = net_connect.send_command_timing('diagnose hardware deviceinfo nic', delay_factor=4)
    print(output)

linickx avatar Mar 04 '17 17:03 linickx

@ktbyers

I have a FGT firewall that I'm trying to create a connection to and this firewall uses VDOMs. I get the following output when I attempt to start my data gathering session:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/netmiko/base_connection.py", line 1301, in send_command
    search_pattern
IOError: Search pattern never detected in send_command_expect: fw01-\-device-city\ \$
>>> #

I've Googled quite a few times and am not finding the correct combination of posts and responses to help make this work. I hope you are still checking posts but I know you're probably busy.

cpratherCSU avatar Feb 09 '22 18:02 cpratherCSU

python2.7 Python 2.7 is dead. Netmiko has not supported it for a long time.

Also not really a good idea to comment on a closed issue that has been closed for almost five years.

ktbyers avatar Feb 09 '22 19:02 ktbyers

= )

I only commented on it because someone w a similar issue had already commented. I only used Pv2 because I was in a hurry and my Pv3 was gen'ing an error w the import netmiko statement. I was in a hurry and moved on. I did briefly look for your email because the post was so old, I wasn't sure that you'd actually respond. I didn't find it after looking very briefly and moved on to the post. Sorry Kirk.

I think I found the solution to my problem by adding the expect_string = '[#?$]' syntax to my send_command tuple.

Is there a class you offer w just the Netmiko, Paramiko stuff?

cpratherCSU avatar Feb 10 '22 23:02 cpratherCSU

Yeah, no worries. I realized I was a bit crabby on this response the first time so my bad there.

I do have a Netmiko specific class, but right now it is in a bit of limbo until probably the summer as I need to revamp some of the content for Netmiko V4.

ktbyers avatar Feb 11 '22 06:02 ktbyers

Awesome! I'll keep an eye out for it. Thank you for getting back to me. You're an Internet Super Hero.

cpratherCSU avatar Feb 11 '22 06:02 cpratherCSU

I'm unable to connect to fortigate, here is my script

from netmiko import ConnectHandler

s = { 'device_type': 'fortinet', 'ip': '172.19.0.23', 'username': 'admin', 'password': 'XXXXX' }

net_connect = ConnectHandler(**s)

timeout Traceback (most recent call last)

/usr/local/lib/python3.7/dist-packages/netmiko/base_connection.py in establish_connection(self, width, height)
   1045         try:
-> 1046             self.remote_conn_pre.connect(**ssh_connect_params)
   1047         except socket.error as conn_error:

7 frames

timeout: timed out

During handling of the above exception, another exception occurred:

NetmikoTimeoutException Traceback (most recent call last)

/usr/local/lib/python3.7/dist-packages/netmiko/base_connection.py in establish_connection(self, width, height)
   1066
   1067             msg = msg.lstrip()
-> 1068             raise NetmikoTimeoutException(msg)
   1069         except paramiko.ssh_exception.AuthenticationException as auth_err:
   1070             self.paramiko_cleanup()

NetmikoTimeoutException: TCP connection to device failed.

Common causes of this problem are:

  1. Incorrect hostname or IP address.
  2. Wrong TCP port.
  3. Intermediate firewall blocking access.

Device settings: fortinet 172.19.0.23:22

saikumar981 avatar Sep 23 '22 10:09 saikumar981

@linickx Hi linickx, can you help out to connect fortigate

saikumar981 avatar Sep 23 '22 10:09 saikumar981

@saikumar981 We are working on an updated/new Fortigate driver here:

https://github.com/ktbyers/netmiko/pull/2876

If you want to test it when we finish it that would be great.

ktbyers avatar Sep 23 '22 14:09 ktbyers

Updated Fortinet PR here:

https://github.com/ktbyers/netmiko/pull/3091

ktbyers avatar Jan 24 '23 00:01 ktbyers

@saikumar981 We are working on an updated/new Fortigate driver here:

#2876

If you want to test it when we finish it that would be great

Hi Kirk,

Today I tried to connect to my fortigate but I'm still facing the same, and FYR please find the below code and error

import logging

from netmiko import ConnectHandler

logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger('global')

devices = []

ips = ["195.168.11.1"]
for ip in ips:
    fortinet = {
        'device_type': 'fortinet',
        'ip': ip,
        'username': 'admin',
        'password': 'XXXXXXXX'
    }
    devices.append(fortinet)

for device in devices:
    net_connect = ConnectHandler(**device)
    output = net_connect.send_command_timing('config global', delay_factor=4)
    output = net_connect.send_command_timing('diagnose hardware deviceinfo nic', delay_factor=4)
    print(output)

############ Errors#############

NoValidConnectionsError Traceback (most recent call last)

/usr/local/lib/python3.8/dist-packages/netmiko/base_connection.py in establish_connection(self, width, height)
   1045         try:
-> 1046             self.remote_conn_pre.connect(**ssh_connect_params)
   1047         except socket.error as conn_error:

5 frames

NoValidConnectionsError: [Errno None] Unable to connect to port 22 on 195.168.11.1

During handling of the above exception, another exception occurred:

NetmikoTimeoutException Traceback (most recent call last)

/usr/local/lib/python3.8/dist-packages/netmiko/base_connection.py in establish_connection(self, width, height)
   1066
   1067             msg = msg.lstrip()
-> 1068             raise NetmikoTimeoutException(msg)
   1069         except paramiko.ssh_exception.AuthenticationException as auth_err:
   1070             self.paramiko_cleanup()

NetmikoTimeoutException: TCP connection to device failed.

Common causes of this problem are:

  1. Incorrect hostname or IP address.
  2. Wrong TCP port.
  3. Intermediate firewall blocking access.

Device settings: fortinet 195.168.11.1:22

Thanks.

saikumar981 avatar Jan 24 '23 07:01 saikumar981

Your error looks like you are unable to reach the device on port 22.

Unable to connect to port 22 on 195.168.11.1

Can you verify the server you are running the script on can actually reach the SSH port of that device?

ktbyers avatar Jan 24 '23 17:01 ktbyers

Yes, I can reach the fortigate through an ssh client (Putty) and also configured the allowaccess on SSH

Thank you.

saikumar981 avatar Jan 27 '23 11:01 saikumar981

That error indicates you had a lower level socket error (looking at the Netmiko source code).

You probably would need to debug it more on your side. Things like: do you see the connection three-way handshake (or does it show up in Netstat), what do the logs of the Fortinet/Fortigate show for this connection?

From Netmiko's perspective, it looks like there is no SSH there (i.e. nothing to connect to at that IP address/hostname and port).

ktbyers avatar Jan 30 '23 18:01 ktbyers