
Personalized Comments on FortiOS configuration are not supported

Open ninougat opened this issue 1 year ago • 1 comments

I discovered that FortiGate requires a specific comment as the first line of its configuration file, which is `#config-version=yourversion:opmode=:vdom=:user=oxidizeduser`. This line is the first to be printed by the "show" or the "show full-configuration" command.

So I want to propose a new solution for the "fortiOS.rb" file:

```ruby
class FortiOS < Oxidized::Model
  using Refinements

  prompt /^([-\w.~]+(\s[(\w\-.)]+)?~?\s?[#>$]\s?)$/

  # When a post-login-banner is enabled, you have to press "a" to log in
  expect /^\(Press\s'a'\sto\saccept\):/ do |data, re|
    send 'a'
    data.sub re, ''
  end

  expect /^--More--\s$/ do |data, re|
    send ' '
    data.sub re, ''
  end

  cmd :secret do |cfg|
    # ENC indicates an encrypted password, and secret indicates a secret string
    cfg.gsub! /(set .+ ENC) .+/, '\\1 <configuration removed>'
    cfg.gsub! /(set .*secret) .+/, '\\1 <configuration removed>'
    # A number of other statements also contain sensitive strings
    cfg.gsub! /(set (?:passwd|password|key|group-password|auth-password-l1|auth-password-l2|rsso|history0|history1)) .+/, '\\1 <configuration removed>'
    cfg.gsub! /(set md5-key [0-9]+) .+/, '\\1 <configuration removed>'
    cfg.gsub! /(set private-key ).*?-+END (ENCRYPTED|RSA|OPENSSH) PRIVATE KEY-+\n?"$/m, '\\1<configuration removed>'
    cfg.gsub! /(set privatekey ).*?-+END (ENCRYPTED|RSA|OPENSSH) PRIVATE KEY-+\n?"$/m, '\\1<configuration removed>'
    cfg.gsub! /(set ca )"-+BEGIN.*?-+END CERTIFICATE-+"$/m, '\\1<configuration removed>'
    cfg.gsub! /(set csr ).*?-+END CERTIFICATE REQUEST-+"$/m, '\\1<configuration removed>'
    cfg
  end

  # The block header and the accumulator below were missing from the posted
  # snippet; in the Oxidized model DSL this code lives in a post block that
  # returns the collected configuration text.
  post do
    cfg = []

    # Different OS have different commands - we use the first that works
    # - For fortigate > 7 and possibly earlier versions, we use:
    #        show | grep .                     # backup as in fortigate GUI
    #        show full-configuration | grep .  # backup including default values
    #   | grep is used to avoid the --More-- prompt
    # - It is not documented which systems need the commands without | grep:
    #        show full-configuration
    #        show
    #   Document it here and make a PR on github if you know!
    # By default, we use the configuration without default values
    # If fullconfig: true is set in the configuration, we get the full config
    commandlist = if vars(:fullconfig)
                    ['show full-configuration | grep .',
                     'show full-configuration', 'show']
                  else
                    ['show | grep .',
                     'show full-configuration', 'show']
                  end

    commandlist.each do |fullcmd|
      fullcfg = cmd(fullcmd)
      next if fullcfg.lines[1..3].join =~ /(Parsing error at|command parse error)/ # Don't show for unsupported devices (e.g. FortiAnalyzer, FortiManager, FortiMail)
      # Drop the echoed command line so that the "#config-version=..." header is the
      # first line of the backup (the posted snippet discarded the result of this call)
      fullcfg = fullcfg.lines.drop(1).join
      fullcfg.gsub! /(set comments "Error \(No order (found )?for (account )?ID \d+\) on).*/, '\\1 <stripped>"'

      cfg << fullcfg
      break
    end
    cfg.join
  end

  cfg :telnet do
    username /^[lL]ogin:/
    password /^Password:/
  end

  cfg :telnet, :ssh do
    pre_logout "exit\n"
  end
end
```

The only changes are that I removed all commands other than the show-configuration one, and I drop the first line of its result to remove the line where the command is displayed. If you think the other commands are necessary, you can add them at the end of the file or after the first line of the configuration file.

If you want to keep the "get system status" result, I would advise replacing it with "get system status | grep ." as there are problems when the comments are added to the file due to this part of the code: `expect /^--More--\s$/ do |data, re| send ' ' data.sub re, '' end`

ninougat, Oct 03 '24 14:10
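As an added example (my own code, not from the issue or from the Oxidized project), the script below reproduces on a constructed FortiOS capture the two things the proposal above relies on: the secret-stripping substitutions from the model's `cmd :secret` block, and dropping the echoed command line so that the `#config-version=` header becomes the first line of the backup. It also reproduces the command fallback (skip a capture that contains `Parsing error at` / `command parse error`). The sample capture, its placeholder secret values, and the helper names (`scrub_secrets`, `finalize_backup`, `header_first?`, `leaked_secrets`, `first_usable_capture`) are all invented for this example; it runs stand-alone without Oxidized.

```ruby
# Added example, not part of the issue or of Oxidized. Reproduces the proposal's
# post-processing on a constructed FortiOS capture and checks the result the way
# a restore-readiness / secret-leak test for the backup would.

# Constructed sample of what "show | grep ." returns over the CLI session: the
# first line is the echoed command, the second is the #config-version header that
# FortiOS expects at the top of a file it restores. All values are placeholders.
SAMPLE_CAPTURE = <<~'CFG'
  show | grep .
  #config-version=FGTXX-7.0.0-FW-build0000-000000:opmode=nat:vdom=0:user=oxidizeduser
  config system admin
      edit "admin"
          set password ENC SH2placeholderhash==
      next
  end
  config vpn certificate local
      edit "Factory_cert"
          set private-key "-----BEGIN RSA PRIVATE KEY-----
  MIIEplaceholderkeymaterial
  -----END RSA PRIVATE KEY-----
  "
      next
  end
  config vpn ipsec phase1-interface
      edit "site-b"
          set psksecret ENC placeholderpsk==
      next
  end
  config system snmp user
      edit "snmpv3"
          set auth-password-l1 "anotherplaceholder"
      next
  end
CFG

# Constructed capture from a device that does not accept "| grep ." (the case
# the model's "Parsing error at|command parse error" check covers).
UNSUPPORTED_CAPTURE = "show | grep .\ncommand parse error before '|'\n"

# Placeholder secret values planted in SAMPLE_CAPTURE, used to verify scrubbing.
PLANTED_SECRETS = %w[SH2placeholderhash placeholderpsk anotherplaceholder MIIEplaceholderkeymaterial].freeze

# The substitutions from the model's cmd :secret block, applied to a copy.
def scrub_secrets(cfg)
  out = cfg.dup
  out.gsub!(/(set .+ ENC) .+/, '\\1 <configuration removed>')
  out.gsub!(/(set .*secret) .+/, '\\1 <configuration removed>')
  out.gsub!(/(set (?:passwd|password|key|group-password|auth-password-l1|auth-password-l2|rsso|history0|history1)) .+/, '\\1 <configuration removed>')
  out.gsub!(/(set md5-key [0-9]+) .+/, '\\1 <configuration removed>')
  out.gsub!(/(set private-key ).*?-+END (ENCRYPTED|RSA|OPENSSH) PRIVATE KEY-+\n?"$/m, '\\1<configuration removed>')
  out
end

# True when the device rejected the command, i.e. the output is not a configuration.
def parse_error?(capture)
  !!(capture.lines[1..3].to_a.join =~ /(Parsing error at|command parse error)/)
end

# Command fallback from the post block: captures keyed by command, in the order
# the model tries them; returns [command, capture] for the first accepted one, else nil.
def first_usable_capture(captures_by_command)
  captures_by_command.each do |command, capture|
    return [command, capture] unless parse_error?(capture)
  end
  nil
end

# The proposal's change: drop the echoed command line, then scrub secrets.
def finalize_backup(capture)
  scrub_secrets(capture.lines.drop(1).join)
end

# Restore readiness: FortiOS wants #config-version= as the very first line.
def header_first?(backup)
  backup.lines.first.to_s.start_with?('#config-version=')
end

# Which planted secrets survived into the backup (should be none).
def leaked_secrets(backup)
  PLANTED_SECRETS.select { |s| backup.include?(s) }
end

if __FILE__ == $PROGRAM_NAME
  _cmd, capture = first_usable_capture('show | grep .' => UNSUPPORTED_CAPTURE, 'show' => SAMPLE_CAPTURE)
  backup = finalize_backup(capture)
  puts "header first: #{header_first?(backup)}, leaked: #{leaked_secrets(backup).inspect}"
  puts backup
end
```

Run it as a plain Ruby script; the raw capture fails `header_first?` because the command echo is line one, while the finalized backup passes it and contains none of the planted values. The parse-error check is deliberately done on the raw capture, before the first line is dropped, so the `lines[1..3]` window from the model still refers to the same lines.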

This issue is stale because it has been open 90 days with no activity.

github-actions[bot], Jan 03 '25 02:01

Edit your config manually before restoring it. The other commands are needed.

robertcheramy, Dec 02 '25 11:12