Tuesday, July 21, 2015

Rancid and Fortigate - not straight forward

Today I have been working with Rancid and Fortigate. Everything seemed ok in the beginning; all my tests were working as expected.

This was until I found a problem with one of the configuration files. One of the configuration files was missing a lot of configuration. It had stopped after about 60-70 lines. At the end of the diff email, I found the following text: "\ No newline at end of file"
I am not completely sure why this Fortigate was having this problem. It might be because it has VDOM configuration. I solved this by downloading a new fnrancid and fnlogin file from the rancid git repository (https://github.com/dotwaffle/rancid-git/tree/master/bin).

After this, I was a bit skeptical, as Rancid did not give any warning that the configuration was not complete, so I looked deeper into the configuration files that Rancid had backed up. I found that none of the Fortigates with VDOM configuration had full configuration files. It seems Rancid skips small parts of the configuration, as it only gets it by typing show commands in the console. I did a search for "config vdom" and "edit root" in the backups, but I did not find them. It may not be a problem, but I think it will be a problem when doing a complete restore. Another problem is that Rancid does not get the header of the configuration file. This will certainly cause a problem if you need a complete restore.

Header:
#config-version=FGT80C-5.00-FW-build301-141216:opmode=0:vdom=0:user=admin
#conf_file_ver=155545630586610253649
#buildno=0301
#global_vdom=1

You can of course add this header yourself, but I advise getting it right for the firmware you are restoring to. I am not sure what will happen if you get it wrong.
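Since Rancid gives no warning when a capture is incomplete, the check below is the one I would run over each backed-up file before trusting it. It is an added example written for this post, not code from Rancid or from Fortinet. It flags the gaps described above: no "#config-version" header block, no "config vdom" / "edit root" on a unit whose header says global_vdom=1, a file that ends without a newline, and config blocks still open at the end of the file. The last check assumes the FortiOS layout where "config ..." closes with "end" and "edit ..." closes with "next"; the header values in the complete sample are the ones shown above, everything else in the samples is constructed.

```python
"""Completeness check for a FortiGate configuration backup.

Added example, not code from the original post, from RANCID or from
Fortinet. It flags the gaps the post describes: missing header block,
missing 'config vdom' / 'edit root' on a VDOM unit, no trailing newline,
and config/edit blocks left open at end of file (a truncated capture).
"""
import re

# Header keys shown at the top of a full FortiGate config file in the post.
REQUIRED_HEADER_KEYS = ("config-version", "conf_file_ver", "buildno", "global_vdom")


def parse_header(text):
    """Return {key: value} from the leading '#key=value' comment lines."""
    header = {}
    for line in text.splitlines():
        if not line.startswith("#"):
            break  # the header block ends at the first non-comment line
        m = re.match(r"#([\w-]+)=(.*)", line)
        if m:
            header[m.group(1)] = m.group(2)
    return header


def unclosed_blocks(text):
    """Count blocks still open at end of file.

    Assumption about FortiOS syntax: 'config ...' closes with 'end' and
    'edit ...' closes with 'next'. A capture that stopped early leaves
    one or more of them open.
    """
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config ") or line.startswith("edit "):
            depth += 1
        elif line in ("end", "next"):
            depth = max(depth - 1, 0)
    return depth


def check_backup(text):
    """Return a list of problems; an empty list means the backup looks complete."""
    problems = []
    header = parse_header(text)
    for key in REQUIRED_HEADER_KEYS:
        if key not in header:
            problems.append("missing header line #%s=..." % key)
    # Assumption: global_vdom=1 in the header marks a unit running VDOMs.
    if header.get("global_vdom") == "1":
        if not re.search(r"^config vdom\s*$", text, re.M):
            problems.append("VDOM unit but no 'config vdom' block")
        if not re.search(r"^\s*edit root\s*$", text, re.M):
            problems.append("VDOM unit but no 'edit root' entry")
    if text and not text.endswith("\n"):
        problems.append("no newline at end of file")
    open_blocks = unclosed_blocks(text)
    if open_blocks:
        problems.append("%d config/edit block(s) never closed; capture looks truncated" % open_blocks)
    return problems


# Constructed sample of a complete backup (header lines copied from the post).
COMPLETE = """\
#config-version=FGT80C-5.00-FW-build301-141216:opmode=0:vdom=0:user=admin
#conf_file_ver=155545630586610253649
#buildno=0301
#global_vdom=1
config vdom
edit root
next
end
config global
config system global
set hostname "fw-example"
end
end
config vdom
edit root
config system interface
edit "port1"
set ip 192.0.2.1 255.255.255.0
next
end
next
end
"""

# Constructed sample of what a show-command capture can leave behind:
# no header, no vdom wrapper, cut off mid-block without a trailing newline.
TRUNCATED = """\
config system global
set hostname "fw-example"
end
config system interface
edit "port1"
set ip 192.0.2.1 255.255.255.0"""

if __name__ == "__main__":
    for name, cfg in (("complete", COMPLETE), ("truncated", TRUNCATED)):
        print(name, check_backup(cfg) or "OK")
```

Run it against every file Rancid writes for your Fortigates; any non-empty list is a backup you should not count on for a restore. The block-balance check is the most useful one, because it catches a capture that stopped early even when the file happens to end with a newline.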

Because of these problems, I would rather download the configuration file from the Fortigates with SCP. I have another article in my blog about this.