napalm-fortios icon indicating copy to clipboard operation
napalm-fortios copied to clipboard

Published 20 hours ago verified publisher icon napalm-automation-community

merge does a replace, and rollback raises an error

Open jmcgill298 opened this issue 8 years ago • 9 comments
trafficstars

###Description of Issue/Question load_merge_candidate() replaces the "blocks" entire config with contents in the file rollback() fails due to 'fnsysctl ls -l data2/config' not being a valid command

Did you follow the steps from https://github.com/napalm-automation/napalm#faq

  • [x ] Yes
  • [ ] No

Setup

Ubuntu, Python 2.7.12, napalm-base==0.23.2, napalm-fortios==0.4.0, pyfg==0.49, paramiko==2.1.2, netmiko==1.3.0, FortiGate-VM64-KVM v5.2.5,build701 (GA)

napalm-fortios version

(Paste verbatim output from pip freeze | grep napalm-fortios between quotes below)

napalm-fortios==0.4.0

FortiOS version

(Paste verbatim output from get sys status between quotes below)

FortiGate-VM64-KVM # get sys status
Version: FortiGate-VM64-KVM v5.2.5,build0701,151203 (GA)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 5.00555(2014-10-07 01:21)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Valid
VM Resources: 1 CPU/1 allowed, 970 MB RAM/1024 MB allowed
BIOS version: 04000002
Log hard disk: Need format
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 701
Release Version Information: GA
FortiOS x86-64: Yes
System time: Tue Apr  4 08:05:31 2017

Steps to Reproduce the Issue

Error Traceback

(Paste the complete traceback of the exception between quotes below)

load_merge_candidate() does not have any tracebacks

rollback():
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/jmcgill/ans23/local/lib/python2.7/site-packages/napalm_fortios/fortios.py", line 144, in rollback
    'fnsysctl cat data2/config/{rollback_file}'.format(rollback_file))
KeyError: u'rollback_file'

>>> o = fw._execute_command_with_vdom('fnsysctl ls -l data2/config', vdom=None)
>>> o
[u' Unknown action 0', u'']

FortiGate-VM64-KVM # fnsysctl ls -l data2/config
Unknown action 0

jmcgill298 avatar Apr 04 '17 15:04 jmcgill298

Example of load_merge_candidate: Before:

config firewall policy
        edit 5
          set service "HTTPS"
          set schedule "always"
          set srcaddr "users"
          set dstintf "any"
          set srcintf "any"
          set action accept
          set dstaddr "web_server"
        next
    end

New Config File:

config firewall policy
    edit 6
        set srcintf "any"
        set dstintf "any"
        set srcaddr "ansible"
        set dstaddr "target"
        set action accept
        set schedule "always"
        set service "SSH"

Using Napalm:

fw.load_merge_candidate(filename=new_conf)
>>> print(fw.compare_config())
    config firewall policy
        delete 5
        edit 6
          set service "SSH"
          set schedule "always"
          set srcaddr "ansible"
          set dstintf "any"
          set srcintf "any"
          set action accept
          set dstaddr "target"
        next
    end

Knowingly commit bad merge results:

FortiGate-VM64-KVM # show firewall policy
config firewall policy
    edit 6
        set uuid a8c5f4f6-1944-51e7-98b2-41983beb9039
        set srcintf "any"
        set dstintf "any"
        set srcaddr "ansible"
        set dstaddr "target"
        set action accept
        set schedule "always"
        set service "SSH"
    next
end

jmcgill298 avatar Apr 04 '17 15:04 jmcgill298

Thanks for submitting the issue. I will investigate. Does appear (based on limited info from searching as I wasn't able to find anything official from Fortinet) that the fnsysctl command was pulled from FortiOS in a recent release(s). Will also investigate possible alternatives for rolling back.

ebeahan avatar Apr 05 '17 16:04 ebeahan

@ebeahan any update on the merge issue?

jmcgill298 avatar Apr 12 '17 15:04 jmcgill298

@jmcgill298 sorry not yet. I've done some initial testing and was able to recreate the merge issue you described, but I haven't been able to pin down where/what is causing the issue. I need to dig into the napalm-fortios driver and possibly pyFG to figure out what's going on to cause that behavior. I'll try to look into it more by the beginning of next week.

ebeahan avatar Apr 13 '17 16:04 ebeahan

@dbarrosop Would you be able to take a look? Based on the logic I'm seeing in the pyFG FortiConfig class when compare_config is being called, it looks like any blocks present in the running_config but not the candidate_config get set in a "delete" statement?

https://github.com/spotify/pyfg/blob/master/pyFG/forticonfig.py#L160-L162

ebeahan avatar Apr 19 '17 05:04 ebeahan

@ebeahan sorry for the late response. Yeah, you are correct.

Regarding the issue, has someone contacted/talked with fortinet?

dbarrosop avatar May 13 '17 16:05 dbarrosop

@dbarrosop Thanks for clarifying. I don't have any vendor contacts with Fortinet anymore, so I haven't been able to confirm what version the fnsysctl command got pulled starting out.

ebeahan avatar May 22 '17 13:05 ebeahan

I am running version v5.4.1 and I still have fnsysctlon all devices.

awlx avatar Aug 17 '17 08:08 awlx

confirmed that fnsysctl is present on v5.6.2

rwat avatar Mar 28 '18 15:03 rwat