Re: [rancid] Fortigate additional tweaks and device filters

2018-07-31 Thread Chris Wopat
On Tue, Jul 31, 2018 at 4:14 PM, heasley  wrote:
>
> This is from:
> r2258 | heas | 2010-10-11 20:49:05 + (Mon, 11 Oct 2010) | 3 lines
>
> fnrancid: update recent fortinet software - Diego Ercolani
> Cleaned-up a little by me.
>
> afaict, the justification for full-configuration was so that VDOMs would
> be included in the output.  perhaps this behavior has changed since this
> change??  I have none of these devices.
>

I had previously never used a VDOM, but I just created one with:

config system global
    set vdom-admin enable
end
config vdom
    edit test-vdom
        config system settings
            set status enable
        end
    next
end

.. then let it run with just 'show' and it certainly shows it (it's much
more than this, it created a cert and a bunch of other stuff). This is
FortiOS 5.6.3.
___
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss


Re: [rancid] Fortigate additional tweaks and device filters

2018-07-31 Thread Doug Hughes



On 7/31/2018 5:14 PM, heasley wrote:

Fri, Jul 27, 2018 at 08:02:28AM -0500, Chris Wopat:

Hi Heasley and folks,

Sept 2017 I sent a note in with some proposed tweaks to a Fortigate to
filter out some additional chattiness, see:

http://www.shrubbery.net/pipermail/rancid-discuss/2017-September/009871.html
http://www.shrubbery.net/pipermail/rancid-discuss/2017-June/009643.html

A few people chimed in seeming to be OK with the proposed changes, which are
to filter these things:

next if (/^\s*IPS-ETDB: .*/);
next if (/^\s*APP-DB: .*/);
next if (/^\s*IPS Malicious URL Database: .*/);
next if (/^\s*Botnet DB: .*/);

Mentioning this as 3.8 came out and I didn't notice any of these included.

We have an additional fortigate tweak we make every time we update too,
which is to change from 'show full-configuration' to just 'show' in
@commandtable. 'full-configuration' shows default config, just like the
cisco 'full' command. It's really not necessary IMO.

This is from:
r2258 | heas | 2010-10-11 20:49:05 + (Mon, 11 Oct 2010) | 3 lines

fnrancid: update recent fortinet software - Diego Ercolani
Cleaned-up a little by me.

afaict, the justification for full-configuration was so that VDOMs would
be included in the output.  perhaps this behavior has changed since this
change??  I have none of these devices.


I think you are right.. I have a vague recollection of this as well.

--
Doug Hughes
Keystone NAP
Fairless Hills, PA
1.844.KEYBLOCK (439.2562)   



Re: [rancid] Fortigate additional tweaks and device filters

2018-07-31 Thread heasley
Fri, Jul 27, 2018 at 08:02:28AM -0500, Chris Wopat:
> Hi Heasley and folks,
> 
> Sept 2017 I sent a note in with some proposed tweaks to a Fortigate to
> filter out some additional chattiness, see:
> 
> http://www.shrubbery.net/pipermail/rancid-discuss/2017-September/009871.html
> http://www.shrubbery.net/pipermail/rancid-discuss/2017-June/009643.html
> 
> A few people chimed in seeming to be OK with the proposed changes, which are
> to filter these things:
> 
> next if (/^\s*IPS-ETDB: .*/);
> next if (/^\s*APP-DB: .*/);
> next if (/^\s*IPS Malicious URL Database: .*/);
> next if (/^\s*Botnet DB: .*/);
> 
> Mentioning this as 3.8 came out and I didn't notice any of these included.
> 
> We have an additional fortigate tweak we make every time we update too,
> which is to change from 'show full-configuration' to just 'show' in
> @commandtable. 'full-configuration' shows default config, just like the
> cisco 'full' command. It's really not necessary IMO.

This is from:
r2258 | heas | 2010-10-11 20:49:05 + (Mon, 11 Oct 2010) | 3 lines

fnrancid: update recent fortinet software - Diego Ercolani
Cleaned-up a little by me.

afaict, the justification for full-configuration was so that VDOMs would
be included in the output.  perhaps this behavior has changed since this
change??  I have none of these devices.

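The following is an added example, not code from the thread or from rancid (whose fnrancid is Perl). It is a Python model of what the four proposed filters buy you in practice: two constructed collections of the same FortiGate, taken a day apart, differ in one real setting, but the signature-database version lines change on every update and without the filters they turn every run into a diff that hides the real change. The database version strings, the `admintimeout` change and the RANCID header are made up for the demonstration; the four patterns are Chris's `next if (/.../)` lines transcribed from Perl.

```python
import difflib
import re

# The four filters proposed in the thread, transcribed from the Perl
# `next if (/^\s*.../);` form into Python regexes.
VOLATILE = [
    re.compile(r"^\s*IPS-ETDB: .*"),
    re.compile(r"^\s*APP-DB: .*"),
    re.compile(r"^\s*IPS Malicious URL Database: .*"),
    re.compile(r"^\s*Botnet DB: .*"),
]


def filter_volatile(lines):
    """Drop lines whose content changes with every signature update."""
    return [l for l in lines if not any(p.match(l) for p in VOLATILE)]


# Two constructed collections of one device, one day apart (values made up).
# Only the admintimeout line is a change an operator should see.
RUN_DAY1 = """\
#RANCID-CONTENT-TYPE: fortigate
IPS-ETDB: 6.00741(2018-07-25 00:33)
APP-DB: 6.00741(2018-07-25 00:33)
IPS Malicious URL Database: 1.00001(2018-07-25 00:33)
Botnet DB: 1.00401(2018-07-25 00:33)
config system global
    set admintimeout 5
end
""".splitlines()

RUN_DAY2 = """\
#RANCID-CONTENT-TYPE: fortigate
IPS-ETDB: 6.00742(2018-07-26 00:41)
APP-DB: 6.00742(2018-07-26 00:41)
IPS Malicious URL Database: 1.00002(2018-07-26 00:41)
Botnet DB: 1.00402(2018-07-26 00:41)
config system global
    set admintimeout 480
end
""".splitlines()


def config_diff(before, after):
    """Changed lines (+/-) of a unified diff with no context, headers dropped."""
    return [l for l in difflib.unified_diff(before, after, lineterm="", n=0)
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def noisy_change_count():
    """How many changed lines the unfiltered collections produce."""
    return len(config_diff(RUN_DAY1, RUN_DAY2))


def filtered_changes():
    """The diff once the volatile lines are filtered: only the real change."""
    return config_diff(filter_volatile(RUN_DAY1), filter_volatile(RUN_DAY2))


if __name__ == "__main__":
    print("unfiltered changed lines:", noisy_change_count())
    print("filtered diff:", *filtered_changes(), sep="\n")
```

The point for change monitoring is the second result: a reviewer reading the filtered diff sees one line in, one line out, instead of ten, so a real change to `admintimeout` (or anything else) cannot be lost in the daily signature churn.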


Re: [rancid] Cisco WLC 8540

2018-07-31 Thread Piegorsch, Weylin William
I tried both cisco-wlc4 and cisco-wlc5; I got identical behavior from both.  
3.8 has a cisco-wlc8; I don’t know how that differs, but it’s not available to 
me in rancid 3.4.1.
weylin

From: Daniel Schmidt 
Date: Tuesday, July 31, 2018 at 1:30 PM
To: Weylin Piegorsch 
Cc: "rancid-discuss@shrubbery.net" 
Subject: Re: [rancid] Cisco WLC 8540

Why are you using cisco-wlc4?  Isn't that for really old controllers?

On Thu, Jul 26, 2018 at 3:13 PM, Piegorsch, Weylin William <wey...@bu.edu> wrote:
Hello,

Anyone know why I’m having an issue?

Weylin

[rancid@nsgv-prod-59 ~]$ rancid -V
rancid 3.4.1
[rancid@nsgv-prod-59 ~]$
[rancid@nsgv-prod-59 ~]$
[rancid@nsgv-prod-59 ~]$
[rancid@nsgv-prod-59 ~]$
[rancid@nsgv-prod-59 ~]$
[rancid@nsgv-prod-59 ~]$
[rancid@nsgv-prod-59 ~]$ rancid -d -t cisco-wlc4 cumm111-wism-aca01.bu.edu
loadtype: device type cisco-wlc4
loadtype: found device type cisco-wlc4 in /usr/local/rancid/etc/rancid.types.base
executing wlogin -t 90 -c"show udi;show sysinfo;show runnning-config" cumm111-wism-aca01.bu.edu
PROMPT MATCH: \(cumm111-wism-aca01\) >
HIT COMMAND:(cumm111-wism-aca01) >show udi
In ShowUdi: (cumm111-wism-aca01) >show udi
  ShowUdi Data: NAME: "Chassis", DESCR: "Cisco 8540 Wireless Controller"
  ShowUdi Data: PID: AIR-CT8540-K9,  VID: V01,  SN: FCH2117V2A3
Exiting ShowSysinfo: (cumm111-wism-aca01) >show sysinfo
HIT COMMAND:(cumm111-wism-aca01) >show sysinfo
In ShowSysinfo: (cumm111-wism-aca01) >show sysinfo
  ShowSysinfo Data: Manufacturer's Name.. Cisco Systems Inc.
  ShowSysinfo Data: Product Name. Cisco Controller
  ShowSysinfo Data: Product Version.. 8.2.166.0
  ShowSysinfo Data: RTOS Version. 8.2.166.0
  ShowSysinfo Data: Bootloader Version... 8.1.102.0
  ShowSysinfo Data: Emergency Image Version.. 8.1.102.0
  ShowSysinfo Data: Build Type... DATA + WPS
  ShowSysinfo Data: System Name.. cumm111-wism-aca01
  ShowSysinfo Data: System Location.. 111 Cummington St., Room B05
  ShowSysinfo Data: System Contact... Network Operations Center
  ShowSysinfo Data: System ObjectID.. 1.3.6.1.4.1.9.1.2171
  ShowSysinfo Data: Redundancy Mode.. SSO
  ShowSysinfo Data: IP Address... 10.123.18.254
  ShowSysinfo Data: IPv6 Address. ::
  ShowSysinfo Data: System Timezone Location.
  ShowSysinfo Data: System Stats Realtime Interval... 5
  ShowSysinfo Data: System Stats Normal Interval. 180
  ShowSysinfo Data: Error: TIMEOUT reached
Exiting ShowSysinfo: cumm111-wism-aca01.bu.edu: missed cmd(s): show runnning-config
cumm111-wism-aca01.bu.edu: missed cmd(s): show runnning-config
cumm111-wism-aca01.bu.edu: End of run not found
cumm111-wism-aca01.bu.edu: End of run not found
!WLC Show Sysinfo End
[rancid@nsgv-prod-59 ~]$





E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.



Re: [rancid] Cisco WLC 8540

2018-07-31 Thread Daniel Schmidt
Why are you using cisco-wlc4?  Isn't that for really old controllers?

On Thu, Jul 26, 2018 at 3:13 PM, Piegorsch, Weylin William wrote:

> Hello,
>
>
>
> Anyone know why I’m having an issue?
>
>
>
> Weylin
>
>
>
>
>
>
>
>
>
> [rancid@nsgv-prod-59 ~]$ rancid -V
>
> rancid 3.4.1
>
> [rancid@nsgv-prod-59 ~]$
>
> [rancid@nsgv-prod-59 ~]$
>
> [rancid@nsgv-prod-59 ~]$
>
> [rancid@nsgv-prod-59 ~]$
>
> [rancid@nsgv-prod-59 ~]$
>
> [rancid@nsgv-prod-59 ~]$
>
> [rancid@nsgv-prod-59 ~]$ rancid -d -t cisco-wlc4 cumm111-wism-aca01.bu.edu
>
> loadtype: device type cisco-wlc4
>
> loadtype: found device type cisco-wlc4 in /usr/local/rancid/etc/rancid.
> types.base
>
> executing wlogin -t 90 -c"show udi;show sysinfo;show runnning-config"
> cumm111-wism-aca01.bu.edu
>
> PROMPT MATCH: \(cumm111-wism-aca01\) >
>
> HIT COMMAND:(cumm111-wism-aca01) >show udi
>
> In ShowUdi: (cumm111-wism-aca01) >show udi
>
>   ShowUdi Data: NAME: "Chassis", DESCR: "Cisco 8540 Wireless
> Controller"
>
>   ShowUdi Data: PID: AIR-CT8540-K9,  VID: V01,  SN: FCH2117V2A3
>
> Exiting ShowSysinfo: (cumm111-wism-aca01) >show sysinfo
>
> HIT COMMAND:(cumm111-wism-aca01) >show sysinfo
>
> In ShowSysinfo: (cumm111-wism-aca01) >show sysinfo
>
>   ShowSysinfo Data: Manufacturer's Name..
> Cisco Systems Inc.
>
>   ShowSysinfo Data: Product Name.
> Cisco Controller
>
>   ShowSysinfo Data: Product Version..
> 8.2.166.0
>
>   ShowSysinfo Data: RTOS Version.
> 8.2.166.0
>
>   ShowSysinfo Data: Bootloader Version...
> 8.1.102.0
>
>   ShowSysinfo Data: Emergency Image Version..
> 8.1.102.0
>
>   ShowSysinfo Data: Build Type...
> DATA + WPS
>
>   ShowSysinfo Data: System Name..
> cumm111-wism-aca01
>
>   ShowSysinfo Data: System Location..
> 111 Cummington St., Room B05
>
>   ShowSysinfo Data: System Contact...
> Network Operations Center
>
>   ShowSysinfo Data: System ObjectID..
> 1.3.6.1.4.1.9.1.2171
>
>   ShowSysinfo Data: Redundancy Mode..
> SSO
>
>   ShowSysinfo Data: IP Address...
> 10.123.18.254
>
>   ShowSysinfo Data: IPv6 Address.
> ::
>
>   ShowSysinfo Data: System Timezone Location.
>
>   ShowSysinfo Data: System Stats Realtime Interval...
> 5
>
>   ShowSysinfo Data: System Stats Normal Interval.
> 180
>
>   ShowSysinfo Data: Error: TIMEOUT reached
>
> Exiting ShowSysinfo: cumm111-wism-aca01.bu.edu: missed cmd(s): show
> runnning-config
>
> cumm111-wism-aca01.bu.edu: missed cmd(s): show runnning-config
>
> cumm111-wism-aca01.bu.edu: End of run not found
>
> cumm111-wism-aca01.bu.edu: End of run not found
>
> !WLC Show Sysinfo End
>
> [rancid@nsgv-prod-59 ~]$
>
>
>
>
>



Re: [rancid] Juniper CLI prompts out of sync causing frequent changes

2018-07-31 Thread heasley
Fri, Jul 27, 2018 at 12:58:14PM -0500, Chris Wopat:
> We actually do not have a banner, but your mention of that reminds me that
> indeed, when doing some updates recently we enabled login-tip (
> https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/login-tip-edit-system.html/)
> which is almost certainly putting something random in a banner-ish area
> upon each login.
> 
> Here are 3 random examples from the same device:
> 
> 
> Password:
> --- JUNOS 14.1X53-D47.3 built 2018-05-10 21:38:01 UTC
> JUNOS tip:
> Use the 'no-more' CLI pipe to disable the CLI's more capability and
> let the multiple pages of output scroll without stopping.
> 
> 
> --- JUNOS 14.1X53-D47.3 built 2018-05-10 21:38:01 UTC
> JUNOS tip:
> Use ESC-/ in the CLI to expand strings into matching words from the
> command line history.
> 
> Password:
> --- JUNOS 14.1X53-D47.3 built 2018-05-10 21:38:01 UTC
> JUNOS tip:
> Use the TAB key to autocomplete interface names in operational mode.
> 
> 
> Since they liberally use dashes, single quotes, forward slashes and so on-
> this seems to be the likely culprit?

maybe; those do not look like prompts.

> Would it be possible to filter out anything between "JUNOS tip" and the
> first valid prompt so we have a chance of leaving them enabled?

it is all about reliably identifying the valid prompt.  if i could tell
users and vendors not to use [\][[:space:])(_*\\<>] in their prompts, life
would be easier - the regex would simply be
^[^PROMPTTERMINALCHAR\r\n ]+PROMPTTERMINALCHAR

jlogin is looking for '>'.  can you reproduce it reliably with a particular
device?  if you can share (with me only) the output of
jlogin -d -c 'show version' hostname 2> output
i expect that i can fix it, but i may need more output, like:
jlogin -d -c 'show chassis clocks;show chassis environment;show chassis firmware;show chassis fpc detail' hostname 2> output

> --Chris
> 
> 
> 
> On Fri, Jul 27, 2018 at 12:00 PM, heasley  wrote:
> 
> > Fri, Jul 27, 2018 at 08:18:08AM -0500, Chris Wopat:
> > > Hi folks,
> > >
> > > Last year I commented on an issue we're seeing across many Juniper
> > devices.
> > > I neglected to follow up on Heasley's response then but are seeing it a
> > lot
> > > more frequently now, perhaps related to some OS upgrades or something
> > else.
> > >
> > >
> > > Thread was here:
> > >
> > > http://www.shrubbery.net/pipermail/rancid-discuss/2017-October/009916.html
> > > http://www.shrubbery.net/pipermail/rancid-discuss/2017-October/009922.html
> > >
> > > Looking at the last week or so of these we've had, they're on devices
> > > running 14.1X53-D4*, which is primarily QFX5100 but also a few EX4200.
> > >
> > > Here's output from a single diff, it's like this on various commands
> > nearly
> > > every run:
> > >
> > >
> > >
> > > Index: configs/r-kettlemoraine-hub
> > > ===
> > > retrieving revision 1.144
> > > diff -u -4 -r1.144 r-kettlemoraine-hub
> > > @@ -1,7 +1,8 @@
> > >   #RANCID-CONTENT-TYPE: juniper
> > >   #
> > >   # r-kettlemoraine-hub> show chassis clocks
> > > + # show chassis environment
> > >   # r-kettlemoraine-hub> show chassis environment
> > >   # Class Item   Status
> > >   # Power FPC 0 Power Supply 0   OK
> > >   #   FPC 0 Power Supply 1   OK
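Review bot: the only added line in this hunk, `+ # show chassis environment`, is the bare command echo with no `r-kettlemoraine-hub>` prefix, sitting immediately before the real `# r-kettlemoraine-hub> show chassis environment` line; that means the echo of the second command was captured as trailing output of `show chassis clocks`, which is exactly the "prompt out of sync" shape the reply describes. Because the stray line carries no prompt, a content filter keyed on `host>` lines would not suppress it; the place to fix it is the prompt match in jlogin, which is why the `jlogin -d` output is the right thing to collect next.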
> > > Index: configs/r-lacrossecity-hub
> > > ===
> > > retrieving revision 1.108
> > > diff -u -4 -r1.108 r-lacrossecity-hub
> > > @@ -15,9 +15,8 @@
> > >   #   FPC 0 Fan 2OK
> > >   #   FPC 0 Fan 3OK
> > >   #
> > >   # r-lacrossecity-hub> show chassis firmware
> > > - # show chassis fpc detail
> > >   # Part Type   Version
> > >   # FPC 0uboot  U-Boot 1.1.6 (Jun  5 2012 -
> > > 02:24:53) 1.0.0
> > >   #  loader FreeBSD/PowerPC U-Boot bootstrap
> > > loader 2.4
> > >   #
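Review bot: here the stray echo `- # show chassis fpc detail` is removed rather than added, so on this device the artefact was present in revision 1.108 and absent in the run that produced this diff; the same line flipping in and out between runs with no corresponding change on the box confirms it is collection jitter, and anyone triaging these diffs for real configuration changes can treat a lone `# show ...` line without a hostname prefix as noise from the collector rather than as a device change.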
> > > Index: configs/r-platteville-hub
> > > ===
> > > retrieving revision 1.274
> > > diff -u -4 -r1.274 r-platteville-hub
> > > @@ -1,7 +1,8 @@
> > >   #RANCID-CONTENT-TYPE: juniper
> > >   #
> > >   # r-platteville-hub> show chassis clocks
> > > + # show chassis environment
> > >   # r-platteville-hub> show chassis environment
> > >   # Class Item   Status
> > >   # Power FPC 0 Power Supply 0   OK
> > >   #   FPC 0 Power Supply 1   OK
> > >
> > > Heasley, you chimed in saying the prompt may be out of sync. While I
> > don't
> > > quite know what that means, you suggested sending output of:
> > >
> > > eval `rancid -Ct juniper device`
> > >
> > > Here that is, finally:
> > >
> > > jlogin -t 120 -c 'show 
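As an added example (not code from the thread, and not jlogin's own logic), here is a Python model of the prompt rule heasley sketches, `^[^PROMPTTERMINALCHAR\r\n ]+PROMPTTERMINALCHAR` with `>` as the terminal character, applied to a constructed login transcript. It shows that the JUNOS tip lines in the thread cannot match that rule (every one contains a space), that a plain hostname prompt does, and what happens to the command blocks when the prompt contains one of the characters heasley would like to forbid: no line is ever recognised as a prompt, so every command echo is filed as output of whatever came before it. The transcript, hostnames and command outputs are constructed; the block-splitting is a simplified model of a collector, not rancid's implementation.

```python
import re

# heasley's "simple" rule with '>' as the prompt terminator: a run of characters
# that are not '>', CR, LF or space at the start of a line, followed by '>'.
STRICT_PROMPT = re.compile(r"^[^>\r\n ]+>")


def matches_strict(line):
    """True if the rule would take this line for a prompt."""
    return STRICT_PROMPT.match(line) is not None


def split_by_prompt(transcript, prompt_re=STRICT_PROMPT):
    """Group a transcript into (command, output_lines) blocks.

    A line matching prompt_re starts a new block whose command is the text
    after the prompt; lines before the first prompt (banner, login tip) are
    returned under command None. This is a model of how a collector attributes
    output to commands, not jlogin's code.
    """
    blocks, command, output = [], None, []
    for line in transcript.splitlines():
        m = prompt_re.match(line)
        if m:
            blocks.append((command, output))
            command, output = line[m.end():].strip(), []
        else:
            output.append(line)
    blocks.append((command, output))
    return blocks


# Constructed banner in the shape of the login tips quoted in the thread.
TIP = """\
--- JUNOS 14.1X53-D47.3 built 2018-05-10 21:38:01 UTC
JUNOS tip:
Use the TAB key to autocomplete interface names in operational mode.
"""


def transcript(prompt):
    """Constructed session: tip, two commands with made-up output, final prompt."""
    return (TIP
            + f"{prompt} show chassis clocks\n"
            + "Current time: 2018-07-27 12:00:00 UTC\n"
            + f"{prompt} show chassis environment\n"
            + "Class Item                           Status\n"
            + "Power FPC 0 Power Supply 0           OK\n"
            + f"{prompt} \n")


def clean_hostname():
    """Hostname without forbidden characters: each command gets its own block."""
    return split_by_prompt(transcript("r-example-hub>"))


def hostname_with_space():
    """A prompt containing a space never matches the strict rule, so the whole
    session collapses into one block and every command echo becomes 'output'."""
    return split_by_prompt(transcript("r example hub>"))


if __name__ == "__main__":
    for cmd, out in clean_hostname():
        print(repr(cmd), out)
    print("blocks with a space in the prompt:", len(hostname_with_space()))
```

The WLC prompt from the other thread on this page, `(cumm111-wism-aca01) >`, is an instance of the problem in the other direction: it contains parentheses and a space, so `matches_strict` rejects it and wlogin has to carry its own escaped pattern (`PROMPT MATCH: \(cumm111-wism-aca01\) >` in Weylin's debug output) instead of the simple rule.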

Re: [rancid] Unable to Conduct Cisco Wireless Controller Backup

2018-07-31 Thread Piegorsch, Weylin William
> this is a(nother) design flaw in the o/s, imiho.

FULLY AGREE!  "config pager disable" is a per-session setting, and has no 
permanence.  I tried setting it, and it lasted the duration of my session, but 
once I logged out/in the CLI reverted to a paging behavior.  And yet, it's not 
available to a read-only user.  G

I'll start working with the wlogin from 3.8, and either upgrade rancid 
(management depending), replace wlogin, copy wlogin to wlogin-3.8 and define a 
new WLC type in rancid.types.conf, or as a last resort copy/paste the 
appropriate change.

Thanks for the help through this process.

weylin

-Original Message-
From: heasley 
Date: Monday, July 30, 2018 at 8:45 PM
To: Weylin Piegorsch 
Cc: heasley , Daniel Schmidt , 
"rancid-discuss@shrubbery.net" 
Subject: Re: [rancid] Unable to Conduct Cisco Wireless Controller Backup

Mon, Jul 30, 2018 at 10:59:39AM +, Piegorsch, Weylin William:
> Hi John,
> 
> I'm still playing around with AAA.  What I'm finding, is that the f*&^% 
> WLC CLI authorization mechanism is all bork bork bork.  I can set a read-only 
> role, but that disables the ability to issue the "config pager disable" command 
> since the entire "config *" command tree is not available.  I can set a higher 
> role, and perhaps the command will appear, but I'm struggling to figure out how 
> to create a custom role definition (I suspect it might be impossible since the 
> Cisco WLC is designed to be GUI-based).   We can discuss another time allowing 
> automation to make changes to the system - I'm fighting this battle internally 
> but it's not going well, for now let's just say I need to demonstrate 
> confidence that rancid will only get data, not change anything more complicated 
> than a "last login" notice.

this is a(nother) design flaw in the o/s, imiho.  as in ios, the pager
should only affect the given vty, not the config of the device.  not needing
to manipulate the pager is very convenient.

> In any event - so, this leaves me with the CLI role I have, and without 
> the "config paging disable" to be used.

you could also change the config to disable the pager, if most folk just
use the web UI.  or try setting the stty rows to some large number before
initiating the connection to the device; it might honor it, but i've seen
many of these half-baked platforms ignore it if it doesn't lie within some
unspoken acceptable range.

> I'm running rancid 3.4.1, I notice the latest 3.8 is slightly different 
> in wlogin.  But, they're relatively similar, and neither version (I think?) 
> catches the specific prompts that might appear to prompt for paging.  Might 
> they possibly be added?  See below what I did to wlogin v3.4.1 (aka my 
> installation), let me know if I did this wrong (I'm an accomplished network 
> engineer... but a poor excuse for a software engineer).
> 
> Also, wlogin uses "exit" to close the CLI when -c or -x is specified; it 
> needs to be "logout" instead regardless of user role.  Where do I change this?  
> I suppose I can do this in rancid.types.base (.conf?), but I'd prefer not to 
> since I /do/ use *login with the -p and -u options on occasion with some simple 
> BASH command-line scripts to accomplish manual campus-wide pre-planned changes. 
> I tried grep'ing through some files, that didn't work too well.

you just need a newer wlogin; current is using logout.

> Weylin
> 
> I modified 3.4.1 bin/wlogin on this line:
> 
> for {set i 0} {$i < $num_commands} { incr i} {
> send -- "[subst -nocommands [lindex $commands $i]]\r"
> expect {
> -re "\b+"   { exp_continue }
> -re "^\[^\n\r *]*$reprompt" { send_user -- 
"$expect_out(buffer)"
> }
> -re "^\[^\n\r]*$reprompt."  { send_user -- 
"$expect_out(buffer)"
>   exp_continue
> }
> -re "^--More--\[\r\n]+" { # specific match c1900 
pager
>   send " "
>   exp_continue
> }
> -re "\[\n\r]+"  { send_user -- 
"$expect_out(buffer)"
>   exp_continue
> }
> +-re "^--More-- .*"  { send "q" # note the 
[[:space:]] between --More-- and the period
> +   exp_continue
> +}
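
Review bot: in the added `+-re "^--More-- .*"` handler the trailing `# note the [[:space:]] ...` is not a comment: in Tcl a `#` only begins a comment where a command begins, so here `#`, `note`, `the`, ... are passed as extra arguments to `send`, and `[[:space:]]` is evaluated as a command substitution when the action runs, so the handler errors the first time it matches. Put the remark on its own line inside the braces before the `send`, the way the existing `{ # specific match c1900 pager` handler does. Separately, the existing pager handler answers `--More--` with a space to fetch the next page, whereas this one sends `q`; if the controller treats `q` as quit, the rest of the command output is discarded and the collected `show running-config` is silently truncated, which is worth confirming against the raw `wlogin -d` output before relying on it.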

difficult to say if that might cause problems with the output without seeing
the raw input.  it depends upon how the device
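The following is an added example, not code from the thread or from rancid's wlogin (which is expect/Tcl). It is a Python model of the exchange between a collector and a paging CLI: a constructed device emits a page of output, prints a `--More--` prompt with no trailing newline and waits for a key, and the collector answers either with a space (the approach of the existing c1900 handler in wlogin) or with `q`, then strips the pager prompts from what it gathered. The pager prompt text, the page size and the device's habit of overwriting the prompt line with a carriage return when it continues are all assumptions of the model, not taken from any real controller.

```python
import re

# Constructed pager prompt; the exact text a given controller prints is assumed.
MORE_PROMPT = "--More-- or (q)uit"
# Strip the prompt and the carriage return the device uses to overwrite it.
MORE_RE = re.compile(r"--More--[^\r\n]*\r?")


class PagedCli:
    """Constructed stand-in for a CLI that pages long command output.

    After every `page_size` lines it prints MORE_PROMPT and waits: a space
    advances one page (the device then sends "\\r" to overwrite the prompt
    line), 'q' abandons the remaining output.
    """

    def __init__(self, lines, page_size=3):
        self.lines = list(lines)
        self.page_size = page_size
        self.pos = 0
        self.aborted = False
        self.prefix = ""   # "\r" after a continue, as a real pager overwrites its prompt

    def read(self):
        """Return (text, done): the next chunk and whether the command finished."""
        if self.aborted or self.pos >= len(self.lines):
            return "", True
        page = self.lines[self.pos:self.pos + self.page_size]
        self.pos += self.page_size
        text = self.prefix + "\n".join(page) + "\n"
        self.prefix = ""
        if self.pos < len(self.lines):
            return text + MORE_PROMPT, False   # no newline: prompt waits for a key
        return text, True

    def send(self, key):
        if key == "q":
            self.aborted = True
        else:
            self.prefix = "\r"


def collect(cli, answer=" "):
    """Drive the pager with `answer` until the command completes.

    Returns the output with pager prompts removed and the number of prompts seen.
    """
    buf, prompts = "", 0
    while True:
        text, done = cli.read()
        buf += text
        if done:
            break
        prompts += 1
        cli.send(answer)
    return MORE_RE.sub("", buf), prompts


CONFIG = [f"line {i}" for i in range(1, 8)]   # constructed seven-line "config"


def complete_with_space():
    """Answering the pager with a space yields every line; two prompts are seen."""
    out, prompts = collect(PagedCli(CONFIG))
    return out.splitlines(), prompts


def truncated_with_q():
    """Answering with 'q' ends the command after the first page: a silent truncation."""
    out, prompts = collect(PagedCli(CONFIG), answer="q")
    return out.splitlines(), prompts


if __name__ == "__main__":
    print("space:", complete_with_space())
    print("q:    ", truncated_with_q())
```

The second result is the failure mode to watch for with any pager handler: the collector reports success, no timeout fires, and the stored configuration is simply shorter than the device's real one. A check that the collected output ends with the expected end-of-run marker (rancid's "End of run not found" message in Weylin's debug output is that check) is what catches it.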