
CatTools and Fortigate Firewalls

Hi All,

I see that CatTools can back up Fortigate OS devices.  I have 10 or so Fortigate firewalls which I'd like to back up.  But before I set this up I was trying to find out what commands CatTools issues to get the configuration, just to check I'm not going to do any damage to my devices as they are hundreds of miles away from me.  I'm running ver 3.2.19.  Does anyone have any idea, or can anyone point me in the right direction to find out?

 

Thanks

Jimbo

  • Hi Jimbo,

    I've had a look at the script and it seems that after logging in it will try to go into either console or global mode, depending on the device, by issuing a 'config system console' command or a 'config global' command. It will then issue a 'set output standard' command. To generate the config it just sends a show command.

    You can double check this by going to 'File|Enable capture mode' in the CatTools menu and then running the activity against one of your devices.  In the debug folder in the main CatTools folder you will then have a debug log detailing the interaction between CatTools and the device. Anything following a statement like this '<W-3:32:10 p.m.> ' in the log is a command or data that CatTools is sending to the device.

    I hope this helps.

    Regards,

    Wardini
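Added example, not part of the original posts and not CatTools code: a Python check that rebuilds every line sent to the device from the `<W-...>` markers described above and flags anything outside an expected command set. The capture text is constructed in the format the logs later in this thread show; the allowlist and the `fw1`/`backup` names are assumptions. The line typed at the `Password:` prompt is redacted, because the capture records it in cleartext.

```python
import re

# Commands this thread shows or describes the Fortinet scripts sending;
# treating them as an allowlist is an assumption of this example.
EXPECTED = {"config system console", "config global", "set output standard",
            "end", "show", "get system status"}
TOKEN = re.compile(r"<([WR])-[^>]*>")   # <W-time> = sent, <R-time> = received
CTRL = re.compile(r"\[(\d{2})\]")       # [13] = CR, [10] = LF, [00] = NUL

# Constructed capture (not from a real device), same layout as the thread's logs.
SAMPLE = (
    "<C OK 11:26:25 AM><R-11:26:25 AM>[13][10]fw1 login: <W-11:26:25 AM>backup[13]"
    "<R-11:26:25 AM>backup[13][10]Password: <W-11:26:25 AM>S3cret-example[13]"
    "<R-11:26:25 AM>*********[13][10]Welcome ![13][10]fw1 # "
    "<W-11:26:27 AM>config system console<R-11:26:27 AM>config system console"
    "<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][00][13][10]fw1 (console) # "
    "<W-11:26:28 AM>set output standard[13]<R-11:26:28 AM>[13][10]fw1 (console) # "
    "<W-11:26:28 AM>end[13]<R-11:26:28 AM>[13][10]fw1 # "
    "<W-11:26:29 AM>show[13]<R-11:26:29 AM>[13][10]fw1 # "
    "<W-11:26:30 AM>config firewall policy[13]"
)

def decode(text):
    """Turn the log's [NN] decimal escapes back into characters."""
    return CTRL.sub(lambda m: chr(int(m.group(1))), text)

def sent_lines(session):
    """Return (kind, text) for each CR-terminated line sent to the device."""
    parts = TOKEN.split(session)            # [preamble, dir, data, dir, data, ...]
    out, pending, rx, context = [], "", "", ""
    for direction, data in zip(parts[1::2], parts[2::2]):
        data = decode(data)
        if direction == "R":
            rx = (rx + data)[-40:]          # keep only the tail: the current prompt
            continue
        if not pending:                     # new line starts: note what was asked
            context = rx.rstrip().lower()
        pending += data
        while "\r" in pending:
            line, pending = pending.split("\r", 1)
            if context.endswith("password:"):
                out.append(("password", "<redacted>"))
            elif context.endswith("login:"):
                out.append(("login", line.strip()))
            elif line.strip():              # skip bare CRs and padding
                out.append(("command", line.strip()))
            context = ""
    return out

def audit(session, allowed=EXPECTED):
    """Return all sent lines plus the commands that are not in the allowlist."""
    lines = sent_lines(session)
    return lines, [t for kind, t in lines if kind == "command" and t not in allowed]
```

Running `audit()` over a capture from one test device before scheduling the activity against the remote firewalls shows exactly what was typed on the session.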

  • Hi Wardini,

    Thanks, I tried running it as you suggested and apart from a couple of subtle differences between the CatTools backed up configuration and the backed up config downloaded via the Fortigate web GUI, everything was good.  I couldn't get the debug to work: I enabled it and ran the backup, but there was nothing there and debugging was no longer enabled.

     

    I also tried to do the version report as the CatTools website says it is supported for FortinetOS but this doesn't work.  As I can't enable the debug I can't see what is wrong. Can you please let me know what command the version report would issue?

     

    Thanks

    Jimbo

  • Hi Jimbo,

    When you click File|Enable Capture Mode it should put a tick next to that item in the menu. If you go back into the menu and there is no tick then for some reason it didn't acknowledge that the menu item was clicked and so you will need to click it again. If the menu item is ticked then the debug should be generated.

    For the Report.Version.Table we issue a 'get system status' command and then parse the information from the returned data. If your device uses a different command, can you let me know what that command is and attach a sample of the output from that command?

    Regards,

    Wardini

  • I have the same problems with Fortigates and opened a ticket but they said since I was on a demo, they couldn't help me.  It almost looks like it’s not expecting a space between the hostname and the # symbol down at the waiting for…  Is there any way you could edit the Fortinet 300A to a 310B and make it account for that if that’s indeed what’s messing it up to no end…  You could probably generate a good bit of business by supporting the 310 and newer series…  I’ll test in whatever way possible!  I changed a few things below like the hostname and username but you can see that it's expecting to see 100# but it's receiving 100 # after receiving feedback.

     
    <NEWSESSION Kiwi CatTools 3.3.17 4/2/2009 11:26:25 AM>
    <PROTOCOL=Telnet>
    <DEVICE TYPE=Fortinet.FortiOS.General>
    <ACTIVITY TYPE=Device.Backup.Running Config>
    <ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Device.Backup.Running Config.txt>
    <USERS NAME FOR DEVICE=100>
    <C OK 11:26:25 AM><R-11:26:25 AM>[13][10]100 login: <W-11:26:25 AM>Rich[13]<R-11:26:25 AM>Rich[13][10]Password: <W-11:26:25 AM>#TESTPASSWORD[13]<R-11:26:25 AM>*********[13][10]<R-11:26:25 AM>No entry for terminal type "vt100";[13][10]using dumb terminal settings.[13][10]Welcome ![13][10][13][10]100 # <W-11:26:27 AM>          <R-11:26:27 AM>          <W-11:26:27 AM>[13]<R-11:26:27 AM>[13][00][13][10]<R-11:26:27 AM>31001-FW-100 # <W-11:26:27 AM>[13]<R-11:26:27 AM>[13][00][13][10]<R-11:26:27 AM>31001-FW-100 # <W-11:26:27 AM>[13]<R-11:26:27 AM>[13][00][13][10]<R-11:26:27 AM>31001-FW-100 # <W-11:26:27 AM>config system console<R-11:26:27 AM>config system console<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][00][13][10]<R-11:26:28 AM>[13][10]31001-FW-100 (console) # <W-11:26:28 AM>set output standard<R-11:26:28 AM>set output standard<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][00][13][10]<R-11:26:28 AM>[13][10]31001-FW-100 (console) # <W-11:26:28 AM>end<R-11:26:28 AM>end<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][00][13][10]<R-11:26:28 AM>[13][10]31001-FW-100 #
    ================================================================================
    WFMDRetVal=1 Waiting for: "(console)#"
    WFMDRetVal=2 Waiting for: "(console) #"
    WFMDRetVal=3 Waiting for: "(console)$"
    WFMDRetVal=4 Waiting for: "(console) $"
    WFMDRetVal=5 Waiting for: "global #"
    WFMDRetVal=6 Waiting for: "(global) #"
    WFMDRetVal=7 Waiting for: "100#"
    WFMDRetVal=8 Waiting for: "100 $"
    WFMDBuffer="end[13][00][13][10][13][10]100 # "

    ================================================================================

  • Hi,

    We had quite a few issues trying to create a more generic Fortinet script because of the lack of consistency in the way the prompts are returned, i.e. with or without spaces etc.

    I have updated the script slightly to see if I can resolve your issue. Please give it a go and let me know how you get on.

    Regards,

     

    Gareth
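Added example, not part of the original posts and not the updated CatTools script: a Python sketch of prompt matching that tolerates the spacing differences discussed above, run against the wait list and `WFMDBuffer` posted earlier in the thread. Treating the wait list as literal substring matching is an assumption, and the function names are hypothetical.

```python
import re

CTRL = re.compile(r"\[(\d{2})\]")   # the log's decimal escapes: [13]=CR, [10]=LF

# Wait strings and buffer exactly as posted in the debug output above.
WAIT_FOR = ["(console)#", "(console) #", "(console)$", "(console) $",
            "global #", "(global) #", "100#", "100 $"]
BUFFER = "end[13][00][13][10][13][10]100 # "

def decode(text):
    """Turn the log's [NN] escapes back into characters."""
    return CTRL.sub(lambda m: chr(int(m.group(1))), text)

def literal_wait(buffer, wait_for):
    """Assumed behaviour of the wait list: 1-based index of the first
    string found verbatim in the buffer, or 0 if none is found."""
    text = decode(buffer)
    for index, wanted in enumerate(wait_for, 1):
        if wanted in text:
            return index
    return 0

def prompt_regex(hostname):
    """Hostname at the start of a line, optional '(mode)', then # or $,
    with optional blanks between the parts, anchored at the buffer's end."""
    return re.compile(
        r"(?:^|[\r\n])" + re.escape(hostname) +
        r"[ \t]*(?:\((?P<mode>[\w-]+)\))?[ \t]*(?P<end>[#$])[ \t]*\Z")

def match_prompt(buffer, hostname):
    """Return (mode, terminator) when the buffer ends in this host's prompt."""
    m = prompt_regex(hostname).search(decode(buffer))
    if m is None:
        return None
    return (m.group("mode") or "top", m.group("end"))
```

Anchoring the hostname to the start of a line keeps a short device name from matching the tail of a longer hostname, which a bare substring test would accept.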

  • So far it's working like a champ!  You could probably mark this as 310B...  Who knows though after they change the firmware to 4.0...  I thank you for your help Gareth!

  • No worries. Thanks for letting me know it's working. If you discover any issues please post back.

    Kind regards,

    Gareth

  • Hi Wardini,

     

    I've tried the "get system status" command manually and get the following output:

     

    XXXXXX-FG60-UTM # get system status
    Version: Fortigate-60 3.00,build0564,070817
    Virus-DB: 10.300(2009-04-19 22:04)
    IPS-DB: 2.626(2009-04-17 18:55)
    Serial-Number: FGT-60xxxxxxxxxx
    BIOS version: 04000000
    Log hard disk: Not available
    Hostname: XXXXXX-FG60-UTM1
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 10
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    Common Criteria mode: disable
    Current HA mode: standalone
    Distribution: International
    Branch point: 564
    MR/Patch Information: MR5 Patch 1
    System time: Mon Apr 20 11:25:44 2009

     

    All our firewalls are FG60s and when run as an activity from CatTools this fails on all firewalls and there is no output.

     

    Enable Capture still isn't working.

     

    Thanks

    Jimbo

  • Hi Jimbo,

    Thanks for the info.  Nothing in there stands out as being a potential problem. I could really do with seeing the debug log. It can be a bit 'twitchy' turning it on but if you do the following it should work.

    When you click File|Enable Capture Mode it should put a tick next to that item in the menu. Go back into the File menu and check that there is a tick, if not you will need to click it again and check again. If the menu item is ticked then the debug should be generated when you run the activity. It will be in the debug folder in the main CatTools folder.

    If you can get the debug please post it back here (with any sensitive data **** out) and I'll see if it sheds some light on the issue.

    Regards,

    Wardini

  • Hi Wardini,

    Debug output as requested:

     

    <NEWSESSION Kiwi CatTools 3.2.19 22/04/2009 10:39:27>
    <PROTOCOL=SSH2>
    <DEVICE TYPE=Fortinet.FortiOS.General>
    <ACTIVITY TYPE=Report.Version table>
    <ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Report.Version table.txt>
    <USERS NAME FOR DEVICE=XXXXXX-FG60-UTM>
    <C OK 10:39:28><R-10:39:28>XXXXXX-FG60-UTM # <W-10:39:33>[13]<R-10:39:33>[13][13][10]XXXXXX-FG60-UTM # <W-10:39:33>[13]<R-10:39:33>[13][13][10]XXXXXX-FG60-UTM # <W-10:39:33>config system console<R-10:39:33>config system console<W-10:39:34>[13]<R-10:39:34>[13][13][10][13][10]XXXXXX-FG60-UTM (console) # <W-10:39:34>set output standard<R-10:39:34>set <R-10:39:34>output standard<W-10:39:34>[13]<R-10:39:34>[13][13][10][13][10]XXXXXX-FG60-UTM (console) # <W-10:39:34>end<R-10:39:34>end<W-10:39:34>[13]<R-10:39:34>[13][13][10]<R-10:39:34>[13][10]XXXXXX-FG60-UTM # <W-10:39:34>get system status<R-10:39:34>get system status<W-10:39:34>[13]<R-10:39:35>[13][13][10]Version: Fortigate-60 3.00,build0564,070817[13][10]Virus-DB: 10.309(2009-04-21 22:05)[13][10]IPS-DB: 2.628(2009-04-21 19:10)[13][10]Serial-Number: FGT-60XXXXXXXXXX[13][10]BIOS version: 04000000[13][10]Log hard disk: Not available[13][10]Hostname: XXXXXX-FG60-UTM1[13][10]Operation Mode: NAT[13][10]Current virtual domain: root[13][10]Max number of virtual domains: 10[13][10]Virtual domains status: 1 in NAT mode, 0 in TP mode[13][10]Virtual domain configuration: disable[13][10]Common Criteria mode: disable[13][10]Current HA mode: standalone[13][10]Distribution: International[13][10]Branch point: 564[13][10]MR/Patch Information: MR5 Patch 1[13][10]System time: Wed Apr 22 10:39:35 2009[13][10][13][10]XXXXXX-FG60-UTM # <D 10:39:35>
    <SCRIPT VALUES>
    <HOSTNAME="XXXXXX-FG60-UTM">
    <PROMPT VTY="XXXXXX-FG60-UTM ">
    <PROMPT ENABLE="XXXXXX-FG60-UTM #">
    <PROMPT CONFIG="">

    Cheers

    Jimbo