ytti / oxidized

Oxidized is a network device configuration backup tool. It's a RANCID replacement!
Apache License 2.0

Backup FortiADC #1285

Closed NetSec33 closed 6 years ago

NetSec33 commented 6 years ago

Hello all.

Can somebody help me? I want to back up a FortiADC 100F load balancer. The CLI command to see the config is the same as on the firewall: show full-configuration. I tried it on the CLI and it works. But when I try to back up with oxidized using the backup file "fortios.rb", no backup is done. The icon stays blue. No error is shown. When I try to connect via SSH to the FortiADC from my oxidized server, it works.

I think it is a problem of syntax in the fortios.rb file, but I don't understand why it does not work.

See my fortios.rb file below:

class FortiOS < Oxidized::Model

  comment  '# '

  prompt /^([-\w\.\~]+(\s[\(\w\-\.\)]+)?\~?\s?[#>$]\s?)$/

  expect /^--More--\s$/ do |data, re|
    send ' '
    data.sub re, ''
  end

  cmd :all do |cfg, cmdstring|
    new_cfg = comment "COMMAND: #{cmdstring}\n"
    # drop the echoed command (first line) and the trailing prompt (last line),
    # and hide the volatile config file version; the pattern has one group, so
    # only \1 exists in the replacement
    new_cfg << cfg.each_line.to_a[1..-2].map { |line| line.gsub(/(conf_file_ver=)(.*)/, '\1<stripped>') }.join
  end

  cmd :secret do |cfg|
    cfg.gsub! /(set (?:passwd|password|psksecret|secret|key|group-password|secondary-secret|tertiary-secret|auth-password-l1|auth-password-l2|rsso|history0|history1|inter-controller-key ENC)).*/, '\\1 <configuration removed>'
    cfg.gsub! /(set private-key).*-+END ENCRYPTED PRIVATE KEY-*"$/m , '\\1 <configuration removed>'
    cfg.gsub! /(set ca ).*-+END CERTIFICATE-*"$/m , '\\1 <configuration removed>'
    cfg.gsub! /(set csr ).*-+END CERTIFICATE REQUEST-*"$/m , '\\1 <configuration removed>'
    cfg.gsub! /(Virus-DB|Extended DB|IPS-DB|IPS-ETDB|APP-DB|INDUSTRIAL-DB|Botnet DB|IPS Malicious URL Database).*/, '\\1 <configuration removed>'
    cfg.gsub! /(Cluster uptime:).*/, '\\1 <configuration removed>'
    cfg
  end

  cmd 'get system status' do |cfg|
    @vdom_enabled = cfg.include? 'Virtual domain configuration: enable'
    # the system time changes on every run and would produce a git diff each time
    cfg.gsub!(/(System time: )(.*)/, '\1<stripped>')
    comment cfg
  end

  post do
    cfg = []
    cfg << cmd('config global') if @vdom_enabled

    # block parameter named out so it does not shadow the cfg array above
    cfg << cmd('get hardware status') do |out|
      comment out
    end

    # default behaviour: include autoupdate output (backwards compatibility);
    # exclude it only when the var "fortios_autoupdate" is explicitly set to false
    if vars(:fortios_autoupdate) != false
      cfg << cmd('diagnose autoupdate version') do |out|
        out.gsub! /(FDS Address\n---------\n).*/, '\\1IP Address removed'
        comment out.each_line.reject { |line| line.match /Last Update|Result/ }.join
      end
    end

    cfg << cmd('end') if @vdom_enabled

    cfg << cmd('show full-configuration')
    cfg.join "\n"
  end

  cfg :telnet do
    username /login:/
    password /^Password:/
  end

  cfg :telnet, :ssh do
    pre_logout "exit\n"
  end

end

Thanks for your help.
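The cmd :secret block in the model file above decides which credential material reaches the git repository, so it is worth exercising before the first real backup lands there. What follows is an added example for this page, not code from the oxidized project or from the reporter: it applies two of the posted rules (the one-line "set password"-style rule and the multi-line "set private-key" rule) to a constructed FortiOS configuration fragment. The configuration text, the account name and all key material are invented; the lazy-quantifier variant at the end is an assumption offered for comparison, not an upstream change.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the oxidized project or of this thread: run the
# secret-stripping rules from the fortios.rb posted above over a constructed
# FortiOS configuration fragment and inspect what would be committed to git.
# Only the one-line-secret and private-key rules are reproduced; the sample
# configuration and all key material are made up for illustration.

SECRET_RULES = [
  # one-line secrets: keep "set <keyword>", drop everything after it
  [/(set (?:passwd|password|psksecret|secret|key|group-password|secondary-secret|tertiary-secret|auth-password-l1|auth-password-l2|rsso|history0|history1|inter-controller-key ENC)).*/,
   '\\1 <configuration removed>'],
  # multi-line PEM blob: /m lets "." cross newlines so the whole key goes
  [/(set private-key).*-+END ENCRYPTED PRIVATE KEY-*"$/m,
   '\\1 <configuration removed>'],
]

# Hypothetical variant (not in the posted model): a lazy quantifier stops at
# the FIRST END marker instead of the last one in the whole output.
LAZY_RULES = [
  SECRET_RULES[0],
  [/(set private-key).*?-+END ENCRYPTED PRIVATE KEY-*"$/m, '\\1 <configuration removed>'],
]

def scrub_with(rules, cfg)
  rules.reduce(cfg.dup) { |out, (re, repl)| out.gsub(re, repl) }
end

def scrub(cfg)
  scrub_with(SECRET_RULES, cfg)
end

# Constructed sample: an admin account, one local certificate, one interface.
SAMPLE_CFG = <<~CFG
  config system admin
      edit "backup"
          set password ENC AK1FakeHashForIllustrationOnly==
          set accprofile "super_admin"
      next
  end
  config vpn certificate local
      edit "lb-frontend"
          set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
  MIIFakeKeyMaterialForIllustrationOnly0123456789
  -----END ENCRYPTED PRIVATE KEY-----"
      next
  end
  config system interface
      edit "port1"
          set ip 10.0.0.1 255.255.255.0
      next
  end
CFG

# True if any of the constructed secret values survived scrubbing.
def leaked?(scrubbed)
  scrubbed.include?("AK1FakeHash") || scrubbed.include?("MIIFakeKey")
end

# Caveat visible with the posted rule: with two certificate entries the greedy
# ".*" runs from the first "set private-key" to the LAST END marker, so the
# second entry's own edit/next lines disappear from the backup as well.
TWO_CERTS = <<~CFG
  config vpn certificate local
      edit "cert-a"
          set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
  MIIFakeKeyA
  -----END ENCRYPTED PRIVATE KEY-----"
      next
      edit "cert-b"
          set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
  MIIFakeKeyB
  -----END ENCRYPTED PRIVATE KEY-----"
      next
  end
CFG

def second_entry_survives?(rules)
  scrub_with(rules, TWO_CERTS).include?('edit "cert-b"')
end

if __FILE__ == $PROGRAM_NAME
  puts scrub(SAMPLE_CFG)
  puts "cert-b kept with posted rules: #{second_entry_survives?(SECRET_RULES)}"
  puts "cert-b kept with lazy rule:    #{second_entry_survives?(LAZY_RULES)}"
end
```

Running the script prints the scrubbed fragment: both secret values are gone while "set accprofile" and "set ip" survive, and the two-certificate case shows that the posted greedy pattern also swallows the second entry's structure, which the lazy variant keeps.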

laf commented 6 years ago

You will need to enable debug then pastebin the output from that so we can see what's going on.

NetSec33 commented 6 years ago

Sorry, but I'm a beginner. Can you tell me how?

laf commented 6 years ago

https://github.com/ytti/oxidized/blob/master/docs/Configuration.md#debugging

NetSec33 commented 6 years ago

Thanks for your help. This is what I see in the log file: (screenshot)

laf commented 6 years ago

If that "(M) FRLIBLLBl" is the oxidized shell's prompt, then it's showing that it's timing out connecting to the device. Try to connect manually using ssh or telnet, depending on what you use.

NetSec33 commented 6 years ago

When I connect manually via SSH it works! That's why I don't understand.

laf commented 6 years ago

Is that prompt from the device or your linux box?

NetSec33 commented 6 years ago

I can connect via SSH from the oxidized server to the FortiADC.

laf commented 6 years ago

But is the (M) FRLIBLLBl prompt from your device or the linux box?

NetSec33 commented 6 years ago

Linux box

laf commented 6 years ago

Then the options you've specified to connect to that device must be wrong. If you use hostnames, does that one resolve to the correct IP? Are you specifying a port?

Show your config + the device from the source that is having this issue.

NetSec33 commented 6 years ago

As you can see, I can connect to the FortiADC via SSH directly from my backup server: (screenshot) But the backup doesn't work. Here are my config files:


username: backup
password: ZWM5yk2uapfVnAQRUzjU
model: ios
interval: 86400
log: /root/.config/oxidized/log
debug: true
threads: 30
timeout: 36000
retries: 2
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 172.20.18.42:80/oxidized
vars: {}
groups:
  switch:
    username: backup
    password: ZWM5yk2uapfVnAQRUzjU
  firewall:
    username: backup
    password: ZWM5yk2uapfVnAQRUzjU
  wifi:
    username: backup
    password: ZWM5yk2uapfVnAQRUzjU
models: {}
pid: "/root/.config/oxidized/pid"
input:
  default: ssh, telnet
  debug: true
  ssh:
    secure: true
output:
  default: git
  git:
    user: oxidized
    email: network.team@****.com
    repo: "/root/.config/oxidized/configs/"
source:
  default: csv
  csv:
    file: "/root/.config/oxidized/router.db"
    delimiter: !ruby/regexp /:/
    map:
      name: 0
      model: 1
      group: 2
    gpg: false
model_map:
  cisco: ios
  HP: comware
  fortigate: fortios
  F5: TMOS

I really don't understand. Why can I connect, but it won't back up?

NetSec33 commented 6 years ago

I have missed one group in my config:

  loadbalancer:
    username: backup
    password: ZWM5yk2uapfVnAQRUzjU

jsynack commented 6 years ago

Hello @NetSec33 ,

Your prompt on your device includes parenthesis that are causing it not to match the default prompt for the FortiOS device model. Is this part of your naming convention of your devices?

You can check your hostname from the FortiOS CLI:

show system global

You will need to be in the global edit (non-vdom) for this.

Once the prompt matches - things should be fine.

Also - per your config - it looks like you are running oxidized as root - this is not required or suggested. It does not need root permissions.
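The prompt check jsynack describes can be done offline before touching the model. The following is an added example for this page, not code from the oxidized project or from anyone in this thread: a small Ruby script that runs the FortiOS model's prompt regex (copied from the fortios.rb posted above) against constructed prompt lines. Every prompt string, including the "(M) LB01 # " shape used to stand in for a prompt with a leading parenthesised token, and the widened regex are assumptions for illustration; the real FortiADC prompt has to be copied from a manual SSH session, since the thread never shows it verbatim.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the oxidized project or of this thread: test
# the FortiOS model's prompt regex against candidate prompt lines offline,
# before pointing oxidized at the device. Every prompt string below is
# constructed for illustration; the real FortiADC prompt must be copied
# from a manual SSH session.

# Prompt regex exactly as in the fortios.rb posted above.
FORTIOS_PROMPT = /^([-\w\.\~]+(\s[\(\w\-\.\)]+)?\~?\s?[#>$]\s?)$/

# Hypothetical widened regex (an assumption, not an oxidized change): it
# additionally accepts a parenthesised token in front of the hostname,
# e.g. "(M) LB01 # ". Verify against your own device before using it.
WIDENED_PROMPT = /^((\(\w+\)\s)?[-\w\.\~]+(\s[\(\w\-\.\)]+)?\~?\s?[#>$]\s?)$/

# Oxidized matches the prompt regex against the output received from the
# device; the regex is line-anchored, so the prompt line itself (the last
# line of a captured session) is the line that has to match.
def prompt_matches?(regex, captured_session)
  last_line = captured_session.lines.last.to_s.chomp
  !(last_line =~ regex).nil?
end

# Constructed session tails and the result expected from FORTIOS_PROMPT.
SAMPLES = {
  "FGT60E # "            => true,  # plain FortiGate prompt
  "FGT60E (global) # "   => true,  # VDOMs enabled, global context
  "FGT60E (root) $ "     => true,  # non-super-admin inside a VDOM
  "fw-core-1.example # " => true,  # hostname with dot and hyphen
  "(M) LB01 # "          => false, # parenthesised token BEFORE the hostname
  "Password: "           => false, # still at the login prompt, not a shell
}

# Returns {prompt_line => matched?} for every sample under the given regex.
def check_all(regex = FORTIOS_PROMPT)
  SAMPLES.keys.map { |tail| [tail, prompt_matches?(regex, "some output\n" + tail)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  check_all.each { |tail, ok| puts "#{ok ? 'match   ' : 'NO MATCH'} #{tail.inspect}" }
end
```

Paste the last line of your own captured session into SAMPLES; if it reports NO MATCH, the model's prompt regex has to be adjusted in a copy of the model until it matches, because oxidized otherwise keeps waiting for a prompt that never arrives until the configured timeout expires, which is the behaviour laf read out of the debug log above.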

no-response[bot] commented 6 years ago

This issue has been automatically closed because there has been no response to our request for more information from the original author. The information that is currently in the issue is insufficient to take further action. Feel free to re-open this issue if additional information becomes available, or if you believe it has been closed in error.