
CatTools and Fortigate Firewalls


Hi All,

I see that CatTools can backup Fortigate OS devices.  I have 10 or so Fortigate Firewalls which I'd like to backup.  But before I set this up I was trying to find out what commands CatTools issues to get the configuration, just to check I'm not going to do any damage to my devices as they are hundreds of miles away from me.  I'm running ver 3.2.19.  Does anyone have any idea, or can anyone point me in the right direction to find out?

 

Thanks

Jimbo


Hi Jimbo,

I've had a look at the script and it seems that after logging in it will try to go into either console or global mode, depending on the device, by issuing a 'config system console' command or a 'config global' command. It will then issue a 'set output standard' command. To generate the config it just sends a show command.

You can double check this by going to 'File|Enable capture mode' in the CatTools menu and then running the activity against one of your devices.  In the debug folder in the main CatTools folder you will then have a debug log detailing the interaction between CatTools and the device. Anything following a statement like this '<W-3:32:10 p.m.> ' in the log is a command or data that CatTools is sending to the device.

I hope this helps.

Regards,

Wardini

Hi Wardini,

Thanks, I tried running it as you suggested and apart from a couple of subtle differences between the CatTools backed up configuration and the backed config downloaded via the Fortigate web gui, everything was good.  I couldn't get the debug to work: I enabled it and ran the backup, but there was nothing there and debugging was no longer enabled.

 

I also tried to do the version report as the CatTools website says it is supported for FortinetOS but this doesn't work.  As I can't enable the debug I can't see what is wrong, can you please let me know what command the version report would issue.

 

Thanks

Jimbo

0 Kudos

Hi Jimbo,

When you click File|Enable Capture Mode it should put a tick next to that item in the menu. If you go back into the menu and there is no tick then for some reason it didn't acknowledge that the menu item was clicked and so you will need to click it again. If the menu item is ticked then the debug should be generated.

For the Report.Version.Table we issue a 'get system status' command and then parse the information from the returned data. If your device uses a different command, can you let me know what that command is and attach a sample of the output from that command?

Regards,

Wardini

0 Kudos

Hi Wardini,

 

I've tried the "get system status" command manually and get the following output:

 

XXXXXX-FG60-UTM # get system status
Version: Fortigate-60 3.00,build0564,070817
Virus-DB: 10.300(2009-04-19 22:04)
IPS-DB: 2.626(2009-04-17 18:55)
Serial-Number: FGT-60xxxxxxxxxx
BIOS version: 04000000
Log hard disk: Not available
Hostname: XXXXXX-FG60-UTM1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
Common Criteria mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 564
MR/Patch Information: MR5 Patch 1
System time: Mon Apr 20 11:25:44 2009

 

All our firewalls are FG60s and when run as an activity from CatTools this fails on all firewalls and there is no output.

 

Enable Capture still isn't working.

 

Thanks

Jimbo

0 Kudos

Hi Jimbo,

Thanks for the info.  Nothing in there stands out as being a potential problem. I could really do with seeing the debug log. It can be a bit 'twitchy' turning it on but if you do the following it should work.

When you click File|Enable Capture Mode it should put a tick next to that item in the menu. Go back into the File menu and check that there is a tick, if not you will need to click it again and check again. If the menu item is ticked then the debug should be generated when you run the activity. It will be in the debug folder in the main CatTools folder.

If you can get the debug please post it back here (with any sensitive data **** out) and I'll see if it sheds some light on the issue.

Regards,

Wardini

0 Kudos

Hi Wardini,

Debug output as requested:

 

<NEWSESSION Kiwi CatTools 3.2.19 22/04/2009 10:39:27>
<PROTOCOL=SSH2>
<DEVICE TYPE=Fortinet.FortiOS.General>
<ACTIVITY TYPE=Report.Version table>
<ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Report.Version table.txt>
<USERS NAME FOR DEVICE=XXXXXX-FG60-UTM>
<C OK 10:39:28><R-10:39:28>XXXXXX-FG60-UTM # <W-10:39:33>[13]<R-10:39:33>[13][13][10]XXXXXX-FG60-UTM # <W-10:39:33>[13]<R-10:39:33>[13][13][10]XXXXXX-FG60-UTM # <W-10:39:33>config system console<R-10:39:33>config system console<W-10:39:34>[13]<R-10:39:34>[13][13][10][13][10]XXXXXX-FG60-UTM (console) # <W-10:39:34>set output standard<R-10:39:34>set <R-10:39:34>output standard<W-10:39:34>[13]<R-10:39:34>[13][13][10][13][10]XXXXXX-FG60-UTM (console) # <W-10:39:34>end<R-10:39:34>end<W-10:39:34>[13]<R-10:39:34>[13][13][10]<R-10:39:34>[13][10]XXXXXX-FG60-UTM # <W-10:39:34>get system status<R-10:39:34>get system status<W-10:39:34>[13]<R-10:39:35>[13][13][10]Version: Fortigate-60 3.00,build0564,070817[13][10]Virus-DB: 10.309(2009-04-21 22:05)[13][10]IPS-DB: 2.628(2009-04-21 19:10)[13][10]Serial-Number: FGT-60XXXXXXXXXX[13][10]BIOS version: 04000000[13][10]Log hard disk: Not available[13][10]Hostname: XXXXXX-FG60-UTM1[13][10]Operation Mode: NAT[13][10]Current virtual domain: root[13][10]Max number of virtual domains: 10[13][10]Virtual domains status: 1 in NAT mode, 0 in TP mode[13][10]Virtual domain configuration: disable[13][10]Common Criteria mode: disable[13][10]Current HA mode: standalone[13][10]Distribution: International[13][10]Branch point: 564[13][10]MR/Patch Information: MR5 Patch 1[13][10]System time: Wed Apr 22 10:39:35 2009[13][10][13][10]XXXXXX-FG60-UTM # <D 10:39:35>
<SCRIPT VALUES>
<HOSTNAME="XXXXXX-FG60-UTM">
<PROMPT VTY="XXXXXX-FG60-UTM ">
<PROMPT ENABLE="XXXXXX-FG60-UTM #">
<PROMPT CONFIG="">

Cheers

Jimbo

0 Kudos
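The capture format described and posted above can be audited offline. The following is an added example, not part of the thread or of CatTools: it pulls every line written to the device out of a capture (the `<W-...>` entries) and flags anything outside the commands the thread names. The `SAMPLE` capture, the hostname `FW1`, and the function names are constructed for illustration.

```python
import re

# Commands the thread says CatTools sends for backup and version reports.
ALLOWED = {"config system console", "config global", "set output standard",
           "end", "get system status", "show"}

TAG = re.compile(r"<([WR])-[^>]*>")   # <W-time> = sent, <R-time> = received
CTRL = re.compile(r"\[(\d{2})\]")     # [13] = CR, [10] = LF, [00] = NUL

# Constructed capture in the format posted above (hostname FW1 is made up).
SAMPLE = (
    "<C OK 10:39:28><R-10:39:28>FW1 # <W-10:39:33>[13]<R-10:39:33>[13][13][10]FW1 # "
    "<W-10:39:33>config system console<R-10:39:33>config system console"
    "<W-10:39:34>[13]<R-10:39:34>[13][13][10]FW1 (console) # "
    "<W-10:39:34>set output standard<R-10:39:34>set output standard"
    "<W-10:39:34>[13]<R-10:39:34>[13][10]FW1 (console) # "
    "<W-10:39:34>end<R-10:39:34>end<W-10:39:34>[13]<R-10:39:34>[13][10]FW1 # "
    "<W-10:39:34>get system status<R-10:39:34>get system status"
    "<W-10:39:34>[13]<R-10:39:35>[13][10]Version: Fortigate-60 3.00[13][10]FW1 # <D 10:39:35>"
)

def sent_commands(capture):
    """Return the command lines written to the device, in order."""
    parts = TAG.split(capture)        # [prefix, dir, payload, dir, payload, ...]
    commands, pending = [], ""
    for direction, payload in zip(parts[1::2], parts[2::2]):
        if direction != "W":
            continue                  # ignore echoes and device output
        pending += CTRL.sub(lambda m: chr(int(m.group(1))), payload)
        while "\r" in pending:        # a written CR submits the line
            line, pending = pending.split("\r", 1)
            if line.strip():          # skip bare Enter / padding spaces
                commands.append(line.strip())
    if pending.strip():
        commands.append(pending.strip())  # typed but never submitted
    return commands

def unexpected(commands, allowed=ALLOWED):
    """Commands that are not on the read-only allowlist."""
    return [c for c in commands if c not in allowed]

if __name__ == "__main__":
    cmds = sent_commands(SAMPLE)
    print(cmds, unexpected(cmds))
```

On a Telnet capture the login name and password are written lines as well, so they will show up in the result and should be masked before a log is shared.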

Hi Jimbo,

Well the good news is that it appears that the correct data is coming back from your device so it's just a question of narrowing down why this isn't working for you.

When you say it doesn't work can you elaborate a little bit more;

Is no report being created?

Is a report being created but with the incorrect data?

Is there an error in the infolog?  (If you can post the relevant section of the infolog that may also be helpful)

Or is it a different problem?

Regards,

Wardini

0 Kudos

Hi Wardini,

 

That's correct, there is no report being generated at all.

I think these are the relevant lines of the infolog files:

 

2009-04-22 10:39:28    4-Debug    XXXXXXX-FG60-UTM    Connected to x.x.x.x
2009-04-22 10:39:28    4-Debug    XXXXXXX-FG60-UTM    Login FortiOS: XXXXXXX-FG60-UTM
2009-04-22 10:39:33    4-Debug    XXXXXXX-FG60-UTM    Waiting for command prompt
2009-04-22 10:39:33    4-Debug    XXXXXXX-FG60-UTM    Login to device was successful
2009-04-22 10:39:33    4-Debug    XXXXXXX-FG60-UTM    DeviceHostnameID: XXXXXXX-FG60-UTM
2009-04-22 10:39:33    4-Debug    XXXXXXX-FG60-UTM    Attempting to disable output paging
2009-04-22 10:39:33    4-Debug    XXXXXXX-FG60-UTM    Waiting for an echo of config system console command
2009-04-22 10:39:34    4-Debug    XXXXXXX-FG60-UTM    Waiting for an echo of set output standard command
2009-04-22 10:39:34    4-Debug    XXXXXXX-FG60-UTM    Waiting for an echo of end command
2009-04-22 10:39:34    4-Debug    XXXXXXX-FG60-UTM    Waiting for an echo of get system status command
2009-04-22 10:39:35    1-Error    XXXXXXX-FG60-UTM    Unable to find initial hardware lines

 

Thanks

James

0 Kudos

Hi James,

I have tweaked the script. Can you copy the one attached into your scripts folder in the main CatTools folder and try again?

Please let me know how you get on.

Regards,

Wardini

0 Kudos

Hi Wardini,

 

That's a little better as the report is now generated without CatTools generating an error, but the report has no data in it apart from device name, IP address and serial number.

 

Group    Device Name    IP Address    Serial #    Processor    IOS    ROM    Boot    Uptime    Flash    NVRAM    Memory    Image
Foritgate    XXXXXX-FG60-UTM    x.x.x.x    FGT-60xxxxxxxxxx        04000000

Thanks

Jimbo

0 Kudos

Hi James,

I'm glad to hear that it now seems to be working, at least partially.

The report was originally designed for Cisco devices and so it is not always possible to get information for every field as not all devices make this available. The fields populated for the Fortinet are those which are returned by the 'get system status' command. If you are aware of other commands that can be issued to get data for some of the other fields I would be interested in seeing examples of these and their output.

Or if you think some of the data from the  'get system status' command should populate other fields, please let me know this also.

kind regards,

Wardini

0 Kudos

Hi Wardini,

Ok, I understand the report was designed around Cisco equipment, but it would be good if the report could at least pick up the version of software to go with the serial number. The software version is clearly displayed in the output of the command issued:

XXXXXX-FG60-UTM # get system status
Version: Fortigate-60 3.00,build0564,070817
Virus-DB: 10.300(2009-04-19 22:04)
IPS-DB: 2.626(2009-04-17 18:55)
Serial-Number: FGT-60xxxxxxxxxx
BIOS version: 04000000
Log hard disk: Not available
Hostname: XXXXXX-FG60-UTM1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
Common Criteria mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 564
MR/Patch Information: MR5 Patch 1
System time: Mon Apr 20 11:25:44 2009

 

I know it's not easily displayed in one line, but the version shows that it is version 3 of the software and then the MR/Patch Information shows that it's the MR5 Patch 1 release.

 

Thanks

Jimbo

0 Kudos

Hi Jimbo,

It looks like the script was picking up the BIOS version rather than just the version. Please try this one to see if it now gets the version correctly.

Kind regards,

Wardini

0 Kudos
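The mix-up between the `Version:` and `BIOS version:` lines is avoided by matching the whole field name in front of the first colon. The following is an added example, not the CatTools script: it parses the `get system status` output posted in this thread and builds the combined version string Jimbo asks for. The function names and the layout of the result string are assumptions.

```python
# Output as posted in the thread (hostname and serial were masked there).
STATUS = """\
XXXXXX-FG60-UTM # get system status
Version: Fortigate-60 3.00,build0564,070817
Virus-DB: 10.300(2009-04-19 22:04)
IPS-DB: 2.626(2009-04-17 18:55)
Serial-Number: FGT-60xxxxxxxxxx
BIOS version: 04000000
Hostname: XXXXXX-FG60-UTM1
Branch point: 564
MR/Patch Information: MR5 Patch 1
System time: Mon Apr 20 11:25:44 2009
"""

def parse_status(text):
    """Map each 'Name: value' line to its value, keyed by the full name."""
    fields = {}
    for line in text.replace("\r", "").split("\n"):
        # Split on the first colon only, so values that contain colons
        # (timestamps) stay intact and 'BIOS version' is its own key.
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields

def software_version(text):
    """Combine 'Version' and 'MR/Patch Information' into one string."""
    fields = parse_status(text)
    if "Version" not in fields:
        raise ValueError("no 'Version:' line in get system status output")
    model, _, rest = fields["Version"].partition(" ")
    release, build = (rest.split(",") + [""])[:2]
    base = f"{model} {release} {build}".strip()
    patch = fields.get("MR/Patch Information", "")
    return f"{base} ({patch})" if patch else base

if __name__ == "__main__":
    print(software_version(STATUS))
```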

Worked a treat, excellent, thanks for all your help.

0 Kudos

Hi Jimbo,

Cool. Thanks for letting me know.

Kind regards,

Wardini

0 Kudos

Hi,

I'm new to kiwi catTools.


Trying to download the config file for my fortigate firewall.

Please kindly assist.

Thanks


<NEWSESSION Kiwi CatTools 3.3.17 15-06-2009 11:52:15 AM>
<PROTOCOL=Telnet>
<DEVICE TYPE=Fortinet.FortiOS.General>
<ACTIVITY TYPE=Device.Backup.Running Config>
<ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Device.Backup.Running Config.txt>
<USERS NAME FOR DEVICE=Fortinet Device 1>
<C Err=The current connection has timeout. 11:52:36 AM><D 11:52:36 AM>
<SCRIPT VALUES>
<HOSTNAME="xxx">
<PROMPT VTY="xxx>">
<PROMPT ENABLE="xxx#">
<PROMPT CONFIG="">

<C Err=The current connection has timeout. 11:52:57 AM><D 11:52:57 AM>
<SCRIPT VALUES>
<HOSTNAME="xxx">
<PROMPT VTY="xxx>">
<PROMPT ENABLE="xxx#">
<PROMPT CONFIG="">

<C Err=The current connection has timeout. 11:53:19 AM><D 11:53:19 AM>
<SCRIPT VALUES>
<HOSTNAME="xxx">
<PROMPT VTY="xxx>">
<PROMPT ENABLE="xxx">
<PROMPT CONFIG="">

0 Kudos

Hi flea,

Can you post the relevant section of the infolog, please, to see if this sheds any light on the issue?

Regards,

Wardini

0 Kudos

I have the same problems with Fortigates and opened a ticket but they said since I was on a demo, they couldn't help me.  It almost looks like it’s not expecting a space between the hostname and the # symbol down at the waiting for…  Is there any way you could edit the Fortinet 300A to a 310B and make it account for that if that’s indeed what’s messing it up to no end…  You could probably generate a good bit of business by supporting the 310 and newer series…  I’ll test in whatever way possible!  I changed a few things below like the hostname and username but, you can see that it's expecting to see 100# but it's receiving 100 # after receiving feedback. 

 

<NEWSESSION Kiwi CatTools 3.3.17 4/2/2009 11:26:25 AM>

<PROTOCOL=Telnet>

<DEVICE TYPE=Fortinet.FortiOS.General>

<ACTIVITY TYPE=Device.Backup.Running Config>

<ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Device.Backup.Running Config.txt>

<USERS NAME FOR DEVICE=100>

<C OK 11:26:25 AM><R-11:26:25 AM>[13][10]100 login: <W-11:26:25 AM>Rich[13]<R-11:26:25 AM>Rich[13][10]Password: <W-11:26:25 AM>#TESTPASSWORD[13]<R-11:26:25 AM>*********[13][10]<R-11:26:25 AM>No entry for terminal type "vt100";[13][10]using dumb terminal settings.[13][10]Welcome ![13][10][13][10]100 # <W-11:26:27 AM>          <R-11:26:27 AM>          <W-11:26:27 AM>[13]<R-11:26:27 AM>[13][00][13][10]<R-11:26:27 AM>31001-FW-100 # <W-11:26:27 AM>[13]<R-11:26:27 AM>[13][00][13][10]<R-11:26:27 AM>31001-FW-100 # <W-11:26:27 AM>[13]<R-11:26:27 AM>[13][00][13][10]<R-11:26:27 AM>31001-FW-100 # <W-11:26:27 AM>config system console<R-11:26:27 AM>config system console<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][00][13][10]<R-11:26:28 AM>[13][10]31001-FW-100 (console) # <W-11:26:28 AM>set output standard<R-11:26:28 AM>set output standard<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][00][13][10]<R-11:26:28 AM>[13][10]31001-FW-100 (console) # <W-11:26:28 AM>end<R-11:26:28 AM>end<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][00][13][10]<R-11:26:28 AM>[13][10]31001-FW-100 #

================================================================================

WFMDRetVal=1 Waiting for: "(console)#"

WFMDRetVal=2 Waiting for: "(console) #"

WFMDRetVal=3 Waiting for: "(console)$"

WFMDRetVal=4 Waiting for: "(console) $"

WFMDRetVal=5 Waiting for: "global #"

WFMDRetVal=6 Waiting for: "(global) #"

WFMDRetVal=7 Waiting for: "100#"

WFMDRetVal=8 Waiting for: "100 $"

WFMDBuffer="end[13][00][13][10][13][10]100 # "

================================================================================

0 Kudos

Hi,

We had quite a few issues trying to create a more generic Fortinet script because of the lack of consistency in the way the prompts are returned. ie. with or without spaces etc.

I have updated the script slightly to see if I can resolve your issue. Please give it a go and let me know how you get on.

Regards,

 

Gareth
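The prompt inconsistency discussed above (`100#` expected, `100 # ` received) can be handled with one whitespace-tolerant pattern instead of a list of fixed strings. The following is an added example, not the updated CatTools script: `prompt_mode` and its return values are hypothetical, and the test buffers use the bracketed control codes shown in the captures in this thread.

```python
import re

CTRL = re.compile(r"\[(\d{2})\]")   # capture notation: [13] = CR, [10] = LF

def prompt_mode(buffer, hostname):
    """Return 'top', or the mode name such as 'console', if the buffer
    ends in a prompt for this hostname; return None otherwise."""
    text = CTRL.sub(lambda m: chr(int(m.group(1))), buffer)
    pattern = (
        r"(?:^|[\r\n\x00])"          # prompt must start a line
        + re.escape(hostname)        # exact hostname, no partial match
        + r"[ \t]*(?:\((\w+)\))?"    # optional '(console)' / '(global)'
        + r"[ \t]*[#$]\s*\Z"         # '#' or '$', spaces optional
    )
    match = re.search(pattern, text)
    if match is None:
        return None
    return match.group(1) or "top"

if __name__ == "__main__":
    # Buffer quoted in the thread's WFMDBuffer line.
    print(prompt_mode("end[13][00][13][10][13][10]100 # ", "100"))
```

Anchoring the hostname at the start of a line keeps a device named `100` from matching a prompt such as `31001-FW-100 #`.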

So far it's working like a champ!  You could probably mark this as 310B...  Who knows though after they change the firmware to 4.0...  I thank you for your help Gareth!

0 Kudos