netmiko
Issues with current Fortinet Driver
Placeholder for discussions with the current Fortinet Driver.
Linking other fortinet issues:
https://github.com/ktbyers/netmiko/issues/2119
https://github.com/ktbyers/netmiko/issues/1852
Hi @ktbyers ,
So basically with the current driver the config mode does nothing in the driver. When you log into it, you can only make a show of the full configuration. If you want to do more, you need to be in config mode (global or vdom). That makes the send_config_set command unusable, for example, and adds more constraints on the use of send_command.
To do so, I propose to update the config_mode method to support both modes and add some controls specifically on vdom mode (in order to avoid the creation of unwanted vdoms).
@Trasmontinho Just correct me if I am wrong here:
So basically with the current driver the config mode does nothing in the driver.
This is only true if you have VDOMs configured, if you don't have VDOMs then send_config_set() would work properly? Is this correct?
This part regarding "if you don't have vdom configured" I'm not sure because we use to have vdom in our Firewalls in my company.
All I can say is that in this case you can't use the driver like it is. It throws you errors. I'll make a reverse on my driver and give you the outputs to illustrate it.
For now I'm preparing the pull request for the F5. :-)
Examples (just for notes) so I can understand the config behavior:
FWF6000000065 # config firewall policy
FWF6000000065 (policy) # edit 0
FWF6000000065 (0) # end
Attribute 'srcintf' MUST be set.
Command fail. Return code -56.
FWF6000000065 #
Fortigate-VM # config system interface
Fortigate-VM (interface) # edit port 1
Fortigate-VM (port1) # end
Fortigate-VM #
@Trasmontinho Can you show me a few simple examples of what the manual CLI behavior is like on the Fortinet for configuration when using VDOMs. I have been looking online, but all the docs I have found so far hide the prompt behaviors (so it does me no good). In other words, they show only the commands and not how the prompts change.
Ideally show me from the CLI from exactly when you login to doing some simple configuration.
Below are some examples (I've obfuscated the hostname of my firewall). As soon as you are connected you have the available commands below:
firewall #
config Configure object.
get Get dynamic and system information.
show Show configuration.
exit Exit the CLI.
More examples to show you the interest of some updates of the driver:
firewall # show
<Enter>
full-configuration show full configuration
Or
firewall # get
system System operation configuration.
firewall # get system
status System status.
firewall # get system status
<Enter>
firewall (global) #
config Configure object.
get Get dynamic and system information.
show Show configuration.
diagnose Diagnose facility.
execute Execute static commands.
alias Execute alias commands.
end End and save last config.
sudo sudo command.
firewall # config global
firewall (global) #
config Configure object.
get Get dynamic and system information.
show Show configuration.
diagnose Diagnose facility.
execute Execute static commands.
alias Execute alias commands.
end End and save last config.
sudo sudo command.
firewall (global) # end
firewall # config vdom
firewall (vdom) #
edit Add/edit a table value.
delete Delete a table value.
end End and save last config.
firewall (vdom) # edit
<vdom> Virtual Domain Name
VDOM1
VDOM2
VDOM3
root
firewall (vdom) # edit VDOM1
current vf=VDOM1:11
firewall (VDOM1) #
config Configure object.
get Get dynamic and system information.
show Show configuration.
diagnose Diagnose facility.
execute Execute static commands.
alias Execute alias commands.
next Configure next table entry.
end End and save last config.
sudo sudo command.
Hi @ktbyers,
Regarding this issue how would you like to proceed on it ? I can make the pull request with updated methods but your advice would be appreciated on it :-)
The general problem is that there is no generic way on the Fortinet to enter configuration mode. In other words, certain Fortinet users might do any of the below:
config firewall policy # not using VDOMs
config system interface # not using VDOMs
config global # using VDOMs; global configs
config vdom # using VDOMs; global configs
It looks like the current Fortinet driver would expect you to do the following:
cmd_list = [
"config system interface",
"edit port 1",
"end",
]
net_connect.send_config_set(cmd_list)
That looks like it would probably work (looking at the code), but it likely would fail the Netmiko test suite and is definitely not a common Netmiko pattern (having to specify the config mode command and end).
Another pattern that would probably work is to use the config_mode_command argument to send_config_set() so:
cmd_list = [
"edit port 1",
]
net_connect.send_config_set(cmd_list, config_mode_command="config system interface")
This assumes the items that you have in the Fortinet PR:
https://github.com/ktbyers/netmiko/pull/2045
Except I would change the definition of config_mode to be:
def config_mode(self, config_command="", pattern="", re_flags=0):
In other words, we shouldn't make the default command be config global since that would break things for Fortinet users not using VDOMs.
So I would think we should use your PR (#2045) with some minor modifications to it.
Note, I am reverse engineering Fortinet behavior based on online examples/documentation so just let me know if I am making an error in any of my statements above.
Don't worry, I am like you regarding Fortinet and use support from my colleagues on specific questions. :-)
About config global
I agree with you.
Let me update it from my side and make some test like it.
At the beginning I was thinking more about something like that:
def config_mode(self, config_command="", vdom_name="", new_vdom ="False", pattern="", re_flags=0):
and adding some conditions whether we have VDOM on it or not and give more control on the VDOM creation.
Yeah, I wouldn't be willing to do that as then the Fortinet config_mode method would be different from the rest of Netmiko, but we could potentially make methods that were Fortinet only. For example:
def config_mode_vdom(...)
def config_mode_global(...)
ok !
Let's do this.
If we do so, how do we link send_config_set() to those functions? Is it still generic?
Yeah, good point, send_config_set() wouldn't be linked to them. send_config_set() would only be linked to config_mode().
So maybe a better name for the methods would be:
def config_vdom(...)
def config_global(...)
In other words, they just execute config vdom or config global and potentially reset your base_prompt. This would let you execute send_config_set() as by default the config_mode() method would do nothing.
So if you did:
net_connect.config_vdom()
net_connect.send_config_set(cmd_list)
I think that would probably work.
The config_vdom() would execute: config vdom
send_config_set would then send whatever was in cmd_list
Ok I've got my homework. :-)
I'll come to you maybe next week about it with an update of the pull request (maybe I'll stage it) depending on my time around it.
Hi Kirk,
Done all the job today.
I've got to roll the testing stuff if I've got time till the end of the week.
Updated fortinet driver here:
https://github.com/ktbyers/netmiko/pull/3091
Closing as it is better IMO to finish #3091 and then address new/remaining issues as they come up.
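Added example, not part of the thread or of Netmiko's code: a pre-check for the concern raised earlier about creating unwanted VDOMs. It parses the `edit` listing shown in the transcript and only builds `config vdom` / `edit <name>` for a name the device already reported. The function names are hypothetical, and the prompt and listing formats are assumed to match the transcript.

```python
import re

# Constructed sample: the listing printed under "edit" in the transcript above.
SAMPLE_LISTING = """\
firewall (vdom) # edit
<vdom> Virtual Domain Name
VDOM1
VDOM2
VDOM3
root
firewall (vdom) # edit VDOM1
current vf=VDOM1:11
"""

# "host #" at top level, "host (context) #" inside config global / a VDOM / a table.
PROMPT_RE = re.compile(r"^\S+ (?:\((?P<ctx>[^)]+)\) )?#$")


def prompt_context(prompt_line):
    """Return None at the top level, else the context shown in parentheses."""
    m = PROMPT_RE.match(prompt_line.strip())
    if m is None:
        raise ValueError(f"not a recognised prompt: {prompt_line!r}")
    return m.group("ctx")


def parse_vdom_names(listing):
    """Collect the names between the '<vdom>' header and the next prompt line."""
    names, seen_header = [], False
    for line in (raw.strip() for raw in listing.splitlines()):
        if line.startswith("<vdom>"):
            seen_header = True
        elif seen_header:
            if "#" in line:      # next prompt: the listing is over
                break
            if line:
                names.append(line)
    return names


def vdom_entry_commands(vdom_name, existing):
    """Commands to enter an existing VDOM. Unknown names are refused because
    'edit' adds a table value when the name is not already present."""
    if vdom_name not in existing:
        raise ValueError(f"VDOM {vdom_name!r} not on device; refusing to create it")
    return ["config vdom", f"edit {vdom_name}"]
```

The returned list is what would be sent before the `cmd_list` passed to `send_config_set()`; the match is exact, so a mistyped or differently cased name is rejected rather than created.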