
Fortigate noise

Created by dave. Last edited by dave, 9 years and 78 days ago. Viewed 5,771 times. #2
(2013-06-28)

Problem

Every time you run rancid-run, your Fortigate firewalls spit out rotating RSA private keys and freshly re-encrypted (ENC) passwords, so you get a noisy diff on every run even when nothing has actually changed.

Solution

I made these changes to the GetConf subroutine of the fnrancid script:
# remove occurrances of conf_file_ver
-       next if (/^conf_file_ver=/);
+       next if (/^#?conf_file_ver=/);
+        # filter cycling RSA private keys
+        if (/^s*set private-key "-----BEGIN RSA PRIVATE KEY-----/ && $filter_pwds > 0) {
+            while (<INPUT>) {
+                tr/015//d;
+                last if (/$prompt/);
+                if (/^s*-----END RSA PRIVATE KEY-----"/) {
+                    last;
+                }
+            }
+       }
+        # filter cycling RSA private keys - v5.2.x
+        if (/^s*set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----/ && $filter_pwds > 0 ) {
+            while (<INPUT>) {
+                tr/015//d;
+                last if (/$prompt/);
+                if (/^s*-----END ENCRYPTED PRIVATE KEY-----"/) {
+                    last;
+                }
+            }
+       }
+
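Review bot: the inner `while (<INPUT>)` loops leave with `last` when they hit `$prompt`, but that only exits the inner loop; the outer GetConf loop then keeps reading, and since the line that matched the prompt has already been consumed it will run on into the next command's output. Re-test for the prompt after the inner loop (or set a flag before that `last` and break out of the outer loop on it) so a key block cut short by the prompt cannot swallow what follows. Two smaller points: the backslashes look stripped on the page (`^s*` should be `^\s*` and `tr/015//d` should be `tr/\015//d`), and the two blocks are identical apart from the header, so one test such as `/^\s*set private-key "-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----/` with the matching END pattern would cover both; emitting a commented placeholder through ProcessHistory, as the ENC case does, would also leave a marker in the filtered config that a private key is set rather than silently dropping the whole block. Note too that these blocks are still guarded by `$filter_pwds > 0` while the ENC case has that guard removed, so the two filters now apply under different conditions.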

# filter variabilities between configurations. password encryption # upon each display of the configuration. - if (/^s*(set [^s]*)s(Encs[^s]+)(.*)/i && $filter_pwds > 0 ) { + if (/^s*(set [^s]*)s(Encs[^s]+)(.*)/i ) { ProcessHistory("ENC","","","#$1 ENC <removed> $3n"); next; } ProcessHistory("","","","$_");
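Review bot: dropping the `&& $filter_pwds > 0` guard makes the ENC substitution unconditional, which matches the intent stated below, but it also means this copy of fnrancid can no longer produce a full, restorable config under any flag, and it is now inconsistent with the private-key blocks above, which are still only stripped when `$filter_pwds` is set. Also, as in the hunk above, the `\s` in the pattern and the `\n` in `"#$1 ENC <removed> $3n"` appear here with their backslashes stripped; compare against the 2.3.8.p4 patch before committing.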

Sorry this diff is a mess: my hg checkout is based on 2.3.6, and I can't figure out how to run this diff against the stock 2.3.8 fnrancid.

This is based on the patch ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.8.p4.gz, with the difference that I don't test for $filter_pwds before stripping out the encrypted passwords. If they are going to change every time, I'm just gonna ignore them every time.

Update, 2015-01-02: I changed the script so that it deals with the changed syntax in FortiOS 5.2.x (the ENCRYPTED PRIVATE KEY blocks). Also, I now run two versions of this script. One is doctored as above so that rotating passwords and certificates don't get reported every time the script runs; the other is not doctored, but doesn't generate an email to me. The theory is that while I need the reports to see what is changing, I also need a complete config file with undoctored output, so that after a catastrophic failure I have a config I can jam back into a virgin device and recover more completely.
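As an added illustration of what the doctored fnrancid does (this is not fnrancid's own code, and it is written in Python rather than the Perl fnrancid is written in), the following standalone filter drops the conf_file_ver line, both the RSA and the 5.2.x ENCRYPTED private-key blocks, and the ENC password blobs, leaving a commented placeholder in each place so the filtered config still records that a key or password is set. The config text and the "next run" variant are constructed for the example, with dummy key and password material; the function names are my own.

```python
import re

# Constructed sample FortiOS config excerpt (not captured from a real device);
# the key and password material is dummy text.
SAMPLE_CONFIG = """\
#config-version=FGT60D-5.2.3-FW-build670-150911:opmode=0:vdom=0:user=admin
#conf_file_ver=1234567890
config system admin
    edit "admin"
        set password ENC AK1dummyPasswordBlob0001==
    next
end
config vpn certificate local
    edit "Fortinet_Factory"
        set private-key "-----BEGIN RSA PRIVATE KEY-----
MIIEdummyRsaKeyBody0001
-----END RSA PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
MIIDdummyCertBody
-----END CERTIFICATE-----"
    next
    edit "Fortinet_Factory2"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFdummyEncryptedKeyBody0001
-----END ENCRYPTED PRIVATE KEY-----"
    next
end
"""

# The same config as the device would show it on the next rancid run: the
# password has been re-encrypted, both private keys have rotated and the
# conf_file_ver counter moved on; nothing that matters has changed.
SAMPLE_CONFIG_NEXT_RUN = (
    SAMPLE_CONFIG.replace("AK1dummyPasswordBlob0001==", "AK1dummyPasswordBlob0002==")
    .replace("MIIEdummyRsaKeyBody0001", "MIIEdummyRsaKeyBody0002")
    .replace("MIIFdummyEncryptedKeyBody0001", "MIIFdummyEncryptedKeyBody0002")
    .replace("#conf_file_ver=1234567890", "#conf_file_ver=1234567891")
)

CONF_FILE_VER = re.compile(r"^#?conf_file_ver=")
# One pattern covers the pre-5.2 "RSA" and the 5.2.x "ENCRYPTED" headers.
PRIVATE_KEY_BEGIN = re.compile(
    r'^(\s*)set private-key "-----BEGIN (?:RSA |ENCRYPTED )?PRIVATE KEY-----'
)
PRIVATE_KEY_END = re.compile(r'^\s*-----END (?:RSA |ENCRYPTED )?PRIVATE KEY-----"')
ENC_VALUE = re.compile(r"^(\s*set \S+)\s+ENC\s+\S+(.*)$", re.IGNORECASE)


def filter_fortios_config(text: str) -> str:
    """Return a diff-stable copy of a FortiOS config dump."""
    out = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip("\r")  # devices often send CRLF line endings
        i += 1
        if CONF_FILE_VER.match(line):
            continue
        key = PRIVATE_KEY_BEGIN.match(line)
        if key:
            # Drop every line up to and including the closing END line, but keep
            # a commented placeholder (same indent) so the filtered config still
            # shows that a private key is configured here.
            out.append(f"{key.group(1)}# set private-key <removed>")
            while i < len(lines) and not PRIVATE_KEY_END.match(lines[i]):
                i += 1
            i += 1  # skip the END line itself (harmless if the block was unterminated)
            continue
        enc = ENC_VALUE.match(line)
        if enc:
            # Mirrors rancid's "#<setting> ENC <removed>" convention.
            out.append(f"#{enc.group(1)} ENC <removed>{enc.group(2)}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"


def config_changed(old: str, new: str) -> bool:
    """True only if something other than rotating keys/passwords differs."""
    return filter_fortios_config(old) != filter_fortios_config(new)


if __name__ == "__main__":
    print(filter_fortios_config(SAMPLE_CONFIG))
    print("changed:", config_changed(SAMPLE_CONFIG, SAMPLE_CONFIG_NEXT_RUN))
```

Run the filter only on the copy you diff and mail; the unfiltered dump is the one to keep for recovery, exactly as the two-script setup described above does, because once the keys and passwords are stripped the filtered copy can no longer be pushed back onto a replacement device.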
