21 Replies Latest reply on Jul 7, 2009 7:43 PM by Wardini

    CatTools and Fortigate Firewalls

      Hi All,

      I see that CatTools can back up Fortigate OS devices.  I have 10 or so Fortigate Firewalls which I'd like to back up.  But before I set this up I was trying to find out what commands CatTools issues to get the configuration just to check I'm not going to do any damage to my devices as they are hundreds of miles away from me.  I'm running ver 3.2.19.  Does anyone have any idea, or can anyone point me in the right direction to find out?

       

      Thanks

      Jimbo

        • Re: CatTools and Fortigate Firewalls
          Wardini

          Hi Jimbo,

          I've had a look at the script and it seems that after logging in it will try to go into either console or global mode, depending on the device, by issuing a 'config system console' command or a 'config global' command. It will then issue a 'set output standard' command. To generate the config it just sends a show command.

          You can double check this by going to 'File|Enable capture mode' in the CatTools menu and then running the activity against one of your devices.  In the debug folder in the main CatTools folder you will then have a debug log detailing the interaction between CatTools and the device. Anything following a statement like this '<W-3:32:10 p.m.> ' in the log is a command or data that CatTools is sending to the device.

          I hope this helps.

          Regards,

          Wardini

          1 of 1 people found this helpful
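The capture-log check described in the reply above, as an added example that is not part of the original thread and is not CatTools code: it pulls every line written to the device out of a capture (the `<W-...>` segments), masks whatever was typed at a `login:` or `Password:` prompt, and lists commands outside the set named in this thread. The sample capture, host name and credentials are constructed; `sent_commands` and `unexpected` are hypothetical helper names.

```python
import re

# Constructed capture in the format shown in this thread; host, user and
# password are made up. [13] and [10] are how the log renders CR and LF.
SAMPLE = (
    '<C OK 11:26:25 AM><R-11:26:25 AM>[13][10]fw1 login: '
    '<W-11:26:25 AM>admin[13]<R-11:26:25 AM>admin[13][10]Password: '
    '<W-11:26:25 AM>S3cret![13]<R-11:26:25 AM>*******[13][10]fw1 # '
    '<W-11:26:27 AM>config system console<R-11:26:27 AM>config system console'
    '<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][10]fw1 (console) # '
    '<W-11:26:28 AM>set output standard<W-11:26:28 AM>[13]'
    '<R-11:26:28 AM>[13][10]fw1 (console) # <W-11:26:28 AM>end'
    '<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][10]fw1 # '
    '<W-11:26:29 AM>show<W-11:26:29 AM>[13]<D 11:26:30 AM>'
)

# <W-time> is data written to the device, <R-time> is data read back;
# <C ...> and <D ...> open and close the session in the logs in this thread.
MARKER = re.compile(r'<(?:([WR])-[^<>]*|[CD] [^<>]*)>')
CTRL = re.compile(r'\[\d{2}\]')  # rendered control bytes such as [13][10][00]
# Commands named in this thread; anything else deserves a look before rollout.
EXPECTED = {'config system console', 'config global', 'set output standard',
            'end', 'show', 'get system status'}

def sent_commands(capture):
    """Return each line written to the device, with credentials masked."""
    commands, pending, secret, last_read = [], '', False, ''
    marks = list(MARKER.finditer(capture))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(capture)
        data = capture[m.end():end]
        if m.group(1) == 'R':
            last_read += CTRL.sub('', data)
        elif m.group(1) == 'W':
            for piece in re.split(r'(\[13\])', data):
                if piece == '[13]':          # CR ends the line being typed
                    line = CTRL.sub('', pending).strip()
                    if line:
                        commands.append('****' if secret else line)
                    pending, secret, last_read = '', False, ''
                elif piece:
                    if not pending:          # decide when typing starts, so a
                        prompt = last_read.rstrip().lower()  # '*' echo cannot hide it
                        secret = prompt.endswith(('login:', 'password:'))
                    pending += piece
    return commands

def unexpected(commands):
    """Commands that are neither masked credentials nor in EXPECTED."""
    return [c for c in commands if c != '****' and c not in EXPECTED]

if __name__ == '__main__':
    print(sent_commands(SAMPLE), unexpected(sent_commands(SAMPLE)))
```

Bare carriage returns (the prompt-detection keystrokes) are dropped, so the result is the list of commands only.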
            • Re: CatTools and Fortigate Firewalls

              Hi Wardini,

              Thanks, I tried running it as you suggested and apart from a couple of subtle differences between the CatTools backed-up configuration and the backed-up config downloaded via the Fortigate web gui, everything was good.  I couldn't get the debug to work: I enabled it and ran the backup, but there was nothing there and debugging was no longer enabled.

               

              I also tried to do the version report as the CatTools website says it is supported for FortinetOS but this doesn't work.  As I can't enable the debug I can't see what is wrong, can you please let me know what command the version report would issue.

               

              Thanks

              Jimbo

                • Re: CatTools and Fortigate Firewalls
                  Wardini

                  Hi Jimbo,

                  When you click File|Enable Capture Mode it should put a tick next to that item in the menu. If you go back into the menu and there is no tick then for some reason it didn't acknowledge that the menu item was clicked and so you will need to click it again. If the menu item is ticked then the debug should be generated.

                  For the Report.Version.Table we issue a 'get system status' command and then parse the information from the returned data. If your device uses a different command, can you let me know what that command is and attach a sample of the output from that command?

                  Regards,

                  Wardini

                    • Re: CatTools and Fortigate Firewalls

                      I have the same problems with Fortigates and opened a ticket but they said since I was on a demo, they couldn't help me.  It almost looks like it’s not expecting a space between the hostname and the # symbol down at the waiting for…  Is there any way you could edit the Fortinet 300A to a 310B and make it account for that if that’s indeed what’s messing it up to no end…  You could probably generate a good bit of business by supporting the 310 and newer series…  I’ll test in whatever way possible!  I changed a few things below like the hostname and username but you can see that it's expecting to see 100# but it's receiving 100 # after receiving feedback.

                       

                       

                      <NEWSESSION Kiwi CatTools 3.3.17 4/2/2009 11:26:25 AM>

                      <PROTOCOL=Telnet>

                      <DEVICE TYPE=Fortinet.FortiOS.General>

                      <ACTIVITY TYPE=Device.Backup.Running Config>

                      <ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Device.Backup.Running Config.txt>

                      <USERS NAME FOR DEVICE=100>

                      <C OK 11:26:25 AM><R-11:26:25 AM>[13][10]100 login: <W-11:26:25 AM>Rich[13]<R-11:26:25 AM>Rich[13][10]Password: <W-11:26:25 AM>#TESTPASSWORD[13]<R-11:26:25 AM>*********[13][10]<R-11:26:25 AM>No entry for terminal type "vt100";[13][10]using dumb terminal settings.[13][10]Welcome ![13][10][13][10]100 # <W-11:26:27 AM>          <R-11:26:27 AM>          <W-11:26:27 AM>[13]<R-11:26:27 AM>[13][00][13][10]<R-11:26:27 AM>31001-FW-100 # <W-11:26:27 AM>[13]<R-11:26:27 AM>[13][00][13][10]<R-11:26:27 AM>31001-FW-100 # <W-11:26:27 AM>[13]<R-11:26:27 AM>[13][00][13][10]<R-11:26:27 AM>31001-FW-100 # <W-11:26:27 AM>config system console<R-11:26:27 AM>config system console<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][00][13][10]<R-11:26:28 AM>[13][10]31001-FW-100 (console) # <W-11:26:28 AM>set output standard<R-11:26:28 AM>set output standard<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][00][13][10]<R-11:26:28 AM>[13][10]31001-FW-100 (console) # <W-11:26:28 AM>end<R-11:26:28 AM>end<W-11:26:28 AM>[13]<R-11:26:28 AM>[13][00][13][10]<R-11:26:28 AM>[13][10]31001-FW-100 #

                      ================================================================================

                      WFMDRetVal=1 Waiting for: "(console)#"

                      WFMDRetVal=2 Waiting for: "(console) #"

                      WFMDRetVal=3 Waiting for: "(console)$"

                      WFMDRetVal=4 Waiting for: "(console) $"

                      WFMDRetVal=5 Waiting for: "global #"

                      WFMDRetVal=6 Waiting for: "(global) #"

                      WFMDRetVal=7 Waiting for: "100#"

                      WFMDRetVal=8 Waiting for: "100 $"

                      WFMDBuffer="end[13][00][13][10][13][10]100 # "

                      ================================================================================

                      • Re: CatTools and Fortigate Firewalls

                        Hi Wardini,

                         

                        I've tried the "get system status" command manually and get the following output:

                         

                        XXXXXX-FG60-UTM # get system status
                        Version: Fortigate-60 3.00,build0564,070817
                        Virus-DB: 10.300(2009-04-19 22:04)
                        IPS-DB: 2.626(2009-04-17 18:55)
                        Serial-Number: FGT-60xxxxxxxxxx
                        BIOS version: 04000000
                        Log hard disk: Not available
                        Hostname: XXXXXX-FG60-UTM1
                        Operation Mode: NAT
                        Current virtual domain: root
                        Max number of virtual domains: 10
                        Virtual domains status: 1 in NAT mode, 0 in TP mode
                        Virtual domain configuration: disable
                        Common Criteria mode: disable
                        Current HA mode: standalone
                        Distribution: International
                        Branch point: 564
                        MR/Patch Information: MR5 Patch 1
                        System time: Mon Apr 20 11:25:44 2009

                         

                        All our firewalls are FG60s and when run as an activity from CatTools this fails on all firewalls and there is no output.

                         

                        Enable Capture still isn't working.

                         

                        Thanks

                        Jimbo

                          • Re: CatTools and Fortigate Firewalls
                            Wardini

                            Hi Jimbo,

                            Thanks for the info.  Nothing in there stands out as being a potential problem. I could really do with seeing the debug log. It can be a bit 'twitchy' turning it on but if you do the following it should work.

                            When you click File|Enable Capture Mode it should put a tick next to that item in the menu. Go back into the File menu and check that there is a tick, if not you will need to click it again and check again. If the menu item is ticked then the debug should be generated when you run the activity. It will be in the debug folder in the main CatTools folder.

                            If you can get the debug please post it back here (with any sensitive data **** out) and I'll see if it sheds some light on the issue.

                            Regards,

                            Wardini

                              • Re: CatTools and Fortigate Firewalls

                                Hi Wardini,

                                Debug output as requested:

                                 

                                <NEWSESSION Kiwi CatTools 3.2.19 22/04/2009 10:39:27>
                                <PROTOCOL=SSH2>
                                <DEVICE TYPE=Fortinet.FortiOS.General>
                                <ACTIVITY TYPE=Report.Version table>
                                <ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Report.Version table.txt>
                                <USERS NAME FOR DEVICE=XXXXXX-FG60-UTM>
                                <C OK 10:39:28><R-10:39:28>XXXXXX-FG60-UTM # <W-10:39:33>[13]<R-10:39:33>[13][13][10]XXXXXX-FG60-UTM # <W-10:39:33>[13]<R-10:39:33>[13][13][10]XXXXXX-FG60-UTM # <W-10:39:33>config system console<R-10:39:33>config system console<W-10:39:34>[13]<R-10:39:34>[13][13][10][13][10]XXXXXX-FG60-UTM (console) # <W-10:39:34>set output standard<R-10:39:34>set <R-10:39:34>output standard<W-10:39:34>[13]<R-10:39:34>[13][13][10][13][10]XXXXXX-FG60-UTM (console) # <W-10:39:34>end<R-10:39:34>end<W-10:39:34>[13]<R-10:39:34>[13][13][10]<R-10:39:34>[13][10]XXXXXX-FG60-UTM # <W-10:39:34>get system status<R-10:39:34>get system status<W-10:39:34>[13]<R-10:39:35>[13][13][10]Version: Fortigate-60 3.00,build0564,070817[13][10]Virus-DB: 10.309(2009-04-21 22:05)[13][10]IPS-DB: 2.628(2009-04-21 19:10)[13][10]Serial-Number: FGT-60XXXXXXXXXX[13][10]BIOS version: 04000000[13][10]Log hard disk: Not available[13][10]Hostname: XXXXXX-FG60-UTM1[13][10]Operation Mode: NAT[13][10]Current virtual domain: root[13][10]Max number of virtual domains: 10[13][10]Virtual domains status: 1 in NAT mode, 0 in TP mode[13][10]Virtual domain configuration: disable[13][10]Common Criteria mode: disable[13][10]Current HA mode: standalone[13][10]Distribution: International[13][10]Branch point: 564[13][10]MR/Patch Information: MR5 Patch 1[13][10]System time: Wed Apr 22 10:39:35 2009[13][10][13][10]XXXXXX-FG60-UTM # <D 10:39:35>
                                <SCRIPT VALUES>
                                <HOSTNAME="XXXXXX-FG60-UTM">
                                <PROMPT VTY="XXXXXX-FG60-UTM ">
                                <PROMPT ENABLE="XXXXXX-FG60-UTM #">
                                <PROMPT CONFIG="">

                                Cheers

                                Jimbo

                                  • Re: CatTools and Fortigate Firewalls
                                    Wardini

                                    Hi Jimbo,

                                    Well the good news is that it appears that the correct data is coming back from your device so it's just a question of narrowing down why this isn't working for you.

                                    When you say it doesn't work can you elaborate a little bit more;

                                    Is no report being created?

                                    Is a report being created but with the incorrect data?

                                    Is there an error in the infolog?  (If you can post the relevant section of the infolog that may also be helpful)

                                    Or is it a different problem?

                                    Regards,

                                    Wardini

                                      • Re: CatTools and Fortigate Firewalls

                                        Hi Wardini,

                                         

                                        That's correct, there is no report being generated at all.

                                        I think these are the relevant lines of the infolog files:

                                         

                                        2009-04-22 10:39:28    4-Debug    XXXXXXX-FG60-UTM    Connected to x.x.x.x
                                        2009-04-22 10:39:28    4-Debug    XXXXXXX-FG60-UTM    Login FortiOS: XXXXXXX-FG60-UTM
                                        2009-04-22 10:39:33    4-Debug    XXXXXXX-FG60-UTM    Waiting for command prompt
                                        2009-04-22 10:39:33    4-Debug    XXXXXXX-FG60-UTM    Login to device was successful
                                        2009-04-22 10:39:33    4-Debug    XXXXXXX-FG60-UTM    DeviceHostnameID: XXXXXXX-FG60-UTM
                                        2009-04-22 10:39:33    4-Debug    XXXXXXX-FG60-UTM    Attempting to disable output paging
                                        2009-04-22 10:39:33    4-Debug    XXXXXXX-FG60-UTM    Waiting for an echo of config system console command
                                        2009-04-22 10:39:34    4-Debug    XXXXXXX-FG60-UTM    Waiting for an echo of set output standard command
                                        2009-04-22 10:39:34    4-Debug    XXXXXXX-FG60-UTM    Waiting for an echo of end command
                                        2009-04-22 10:39:34    4-Debug    XXXXXXX-FG60-UTM    Waiting for an echo of get system status command
                                        2009-04-22 10:39:35    1-Error    XXXXXXX-FG60-UTM    Unable to find initial hardware lines

                                         

                                        Thanks

                                        James

                                          • Re: CatTools and Fortigate Firewalls
                                            Wardini

                                            Hi James,

                                            I have tweaked the script. Can you copy the one attached into your scripts folder in the main CatTools folder and try again?

                                            Please let me know how you get on.

                                            Regards,

                                            Wardini

                                              • Re: CatTools and Fortigate Firewalls

                                                Hi Wardini,

                                                 

                                                That's a little better as the report is now generated without CatTools generating an error, but the report has no data in it apart from device name, IP address and serial number.

                                                 

                                                Group    Device Name    IP Address    Serial #    Processor    IOS    ROM    Boot    Uptime    Flash    NVRAM    Memory    Image
                                                Foritgate    XXXXXX-FG60-UTM    x.x.x.x    FGT-60xxxxxxxxxx        04000000                           
                                                Thanks

                                                Jimbo

                                                  • Re: CatTools and Fortigate Firewalls
                                                    Wardini

                                                    Hi James,

                                                    I'm glad to hear that it now seems to be working, at least partially.

                                                    The report was originally designed for Cisco devices and so it is not always possible to get information for every field as not all devices make this available. The fields populated for the Fortinet are those which are returned by the 'get system status' command. If you are aware of other commands that can be issued to get data for some of the other fields I would be interested in seeing examples of these and their output.

                                                    Or if you think some of the data from the  'get system status' command should populate other fields, please let me know this also.

                                                    kind regards,

                                                    Wardini

                                                      • Re: CatTools and Fortigate Firewalls

                                                        Hi Wardini,

                                                        Ok, I understand the report was designed around Cisco equipment, but it would be good if the report could at least pick up the version of software to go with the serial number. The software version is clearly displayed in the output of the command issued:

                                                        XXXXXX-FG60-UTM # get system status
                                                        Version: Fortigate-60 3.00,build0564,070817
                                                        Virus-DB: 10.300(2009-04-19 22:04)
                                                        IPS-DB: 2.626(2009-04-17 18:55)
                                                        Serial-Number: FGT-60xxxxxxxxxx
                                                        BIOS version: 04000000
                                                        Log hard disk: Not available
                                                        Hostname: XXXXXX-FG60-UTM1
                                                        Operation Mode: NAT
                                                        Current virtual domain: root
                                                        Max number of virtual domains: 10
                                                        Virtual domains status: 1 in NAT mode, 0 in TP mode
                                                        Virtual domain configuration: disable
                                                        Common Criteria mode: disable
                                                        Current HA mode: standalone
                                                        Distribution: International
                                                        Branch point: 564
                                                        MR/Patch Information: MR5 Patch 1
                                                        System time: Mon Apr 20 11:25:44 2009

                                                         

                                                        I know it's not easily displayed in one line, but the version shows that it is version 3 of the software and then the MR/Patch Information shows that it's the MR5 Patch 1 release.

                                                         

                                                        Thanks

                                                        Jimbo
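The request in the post above, sketched as an added example (not part of the thread and not the CatTools script): a parser for the `get system status` output that joins the `Version:` and `MR/Patch Information:` lines into one software version and compares it to a minimum release. The sample is the output posted in this thread, abridged; the function names, the baseline and the ordering of release as (major, minor, MR, patch) are assumptions made for the example.

```python
import re

# 'get system status' output as posted in this thread (abridged, redacted there).
SAMPLE = """XXXXXX-FG60-UTM # get system status
Version: Fortigate-60 3.00,build0564,070817
Serial-Number: FGT-60xxxxxxxxxx
BIOS version: 04000000
Hostname: XXXXXX-FG60-UTM1
Branch point: 564
MR/Patch Information: MR5 Patch 1
System time: Mon Apr 20 11:25:44 2009
"""

VERSION = re.compile(r'(?P<model>\S+)\s+(?P<ver>\d+\.\d+),(?P<build>build\d+)')
PATCH = re.compile(r'MR(?P<mr>\d+)(?:\s+Patch\s+(?P<patch>\d+))?')

def parse_status(text):
    """Map each 'Key: value' line to a dict entry.

    Also accepts text copied from a CatTools capture, where line ends are
    rendered as [13][10]. Lines without a colon (prompt, echo) are skipped.
    """
    text = text.replace('[13]', '').replace('[10]', '\n')
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(':')   # split on the first colon only
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def software_version(fields):
    """Combine Version and MR/Patch Information; None if Version is unusable."""
    m = VERSION.match(fields.get('Version', ''))
    if not m:
        return None
    p = PATCH.search(fields.get('MR/Patch Information', ''))
    major, minor = (int(x) for x in m['ver'].split('.'))
    mr = int(p['mr']) if p else 0               # missing line counts as MR0
    patch = int(p['patch'] or 0) if p else 0
    label = f"{m['ver']} {p.group(0)}" if p else m['ver']
    return {'model': m['model'], 'build': m['build'], 'label': label,
            'release': (major, minor, mr, patch)}

def below_baseline(fields, baseline):
    """True when the device release sorts below baseline (assumed ordering)."""
    v = software_version(fields)
    return v is None or v['release'] < baseline

if __name__ == '__main__':
    f = parse_status(SAMPLE)
    print(f['Serial-Number'], software_version(f)['label'])
```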