Backup running config for OpenBSD PF Firewall

Hi,

I'm presuming you are creating your own custom script here for the OpenBSD.PF.Firewall as it does not appear to be an "out-the-box" CatTools device type?

From what I can tell from the debug log above, the device only requires SSH credentials to create a secure connection and there is no subsequent device authentication required post the successful SSH connection.

What may therefore be happening is your script is trying to run the device authentication code (LoginStd or LoginAAA) after the LoginSSH()  function has returned 'true' status.

I also noticed that there are a lot of ANSI Escape character sequence characters being returned by your device (which can cause parsing issues for CatTools).

If you add the line:

   cl.StripVT100ESC = 1

within the login() function (probably best after the cl.Initialise call and before the LoginSSH() function call) this will strip these characters out of the CatTools response buffer.

Just one last.  Did you try the Generic.Device device type in CatTools at all?   Most of these types of issues can be override with the Device Variations feature which is implemented with the Generic.Device (although depending on what commands are required for the backup of the OpenBSD.PF.Firewall, the Generic.Device may not quite work - but its probably worth giving it a try).

Steve

Hi Steve,

Yes, I am creating a custom device and script.

Here's the debug output from trying General.Device:

<NEWSESSION CatTools 3.5.0 7/10/2012 10:11:20 PM>

<PROTOCOL=SSH2>

<DEVICE TYPE=Generic.Device>

<ACTIVITY TYPE=Device.ConnectivityTest.Login>

<ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Device.ConnectivityTest.Login.txt>

<USERS NAME FOR DEVICE=DSFWTEST>

<C OK 10:11:21 PM><R-10:11:21 PM>Last login: Tue Jul 10 21:15:54 2012 from 10.100.101.248[13][13][10]OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012[13][10][13][10]Welcome to OpenBSD: The proactively secure Unix-like operating system.[13][10][13][10]Please use the sendbug(1) utility to report bugs in the system.[13][10]Before reporting a bug, please try to reproduce it with the latest[13][10]version of the code.  With bug reports, please try to ensure that[13][10]enough information to reproduce the problem is enclosed, and if a[13][10]known fix for it exists, include that as well.[13][10][13][10][13]                                                                        [13][13]<W-10:11:21 PM>[13]<R-10:11:21 PM>[13][10]<R-10:11:22 PM># [13][13][10]# <D 10:11:22 PM>

<SCRIPT VALUES>

<HOSTNAME="">

<PROMPT VTY="">

<PROMPT ENABLE="">

<PROMPT CONFIG="">

It looks very similar to the output I get from my custom script. The only difference I can see is the removal of the string of [27]H 's and replaced with white space.  I added cl.StripVT100ESC = 1 where you suggested in the script and actual produced the same output that the Generic.Device did (removal of the [27]H 's)

In regards to Generic.Device and the commands to get the config, all I need it to do is run "cat /etc/pf.conf" to get the firewall config.

Is there anything else I can try?

And thanks for the help! I really appreciate it, I've been struggling with this thing for a while.

Aha, so it's a Linux based kernel?

I think the Generic.Device may get you there, but you'll need to add a few overrides in the Variations as Generic.Device is written based on Cisco IOS.

In the Device.Backup.Running Config activity, enter your cat /etc/pf.conf command in the Use alternate command: field in the activity Options tab.

You'll probably also need to override some script default values within the variations feature.

In the Modify Output variation tab, select all the Strip... options.

In the Additional Commands variation tab, select the Disable paging and Enable paging options and clear out the adjacent text fields so they are empty.  This will prevent the Generic Device script from sending the 'terminal length 0' and terminal length 24' commands to disable and re-enable paging.

Let me know how this works out.

Steve

Yes, OpenBSD is a Unix/Linux variant.

I found the check box to use an alternate command. I wasn't able to find the other settings you mentioned. I'm using version 3.5.0 of Cattools. Are those options available in that version?

I turned off the paging in my custom OpenBSD.PF.Firewall script. Here's the variables section of the script, do these settings look right?

Private Const SCRIPT_NAME = "Device Template"

Private Const DEVICE_USERNAMEPROMPT = "login as:"

Private Const DEVICE_PASSWORDPROMPT = "root's password:"

Private Const DEVICE_STANDARDPROMPT = "#"

Private Const DEVICE_PRIVILEGEDPROMPT = ""

Private Const DEVICE_CONFIGPROMPT = ""

Private Const DEVICE_MORETEXT = ":"

Private Const DEVICE_INVALIDCOMMAND = ""    ' Get this by typing BlahBlahBlah<cr>

Private Const DEVICE_INCOMPLETECOMMAND = ""        ' Get this by typing Copy<cr>

Private Const DEVICE_YESNOTEXT = ""

Private Const DEVICE_CONFIGHEADERTEXT = ""    ' Text to trim off the top of a config output before saving it.  Set to "" if no header to remove.

' If device does not have a command then set to ""

Private Const COMMAND_ENTERENABLEMODE = ""

Private Const COMMAND_EXITENABLEMODE = ""

Private Const COMMAND_ENTERCONFIG = ""

Private Const COMMAND_EXITCONFIG = ""

Private Const COMMAND_DISABLEPAGING = ""

Private Const COMMAND_ENABLEPAGING = "" ' Set back to the device default of 24 lines per page

Private Const COMMAND_RUNNINGCONFIG = "cat /etc/pf.conf"

Private Const COMMAND_STARTUPCONFIG = "cat /etc/pf.conf"

Private Const COMMAND_SAVENVRAM = ""

Private Const COMMAND_DISCONNECT = "exit"  ' * The command used to end the session on the device (logout/logoff/exit, etc.)

Private Const COMMAND_TIMEOUT = 30  ' in seconds.  It is not recommended you alter this default value.

Thanks,

Kevin

Is there anything else I can do or a work around to this problem? I'm about to give up and pursue another option like Rancid.

Hi Kevin,

The other options I was referring to above are specifically in the Device Variations feature which was implemented in CatTools v3.5.0, but only for the Generic.Device device type.

Can you try using the Generic.Device device type for you device and set the variations as I mentioned above (and the 'Use alternate command' option too for the Device.Backup.Running Config activity), and see how you go.

Device Variations is a device specific feature, whereas the 'Use alternate command' option is activity specific (as you have found).

Please post back if this works.

Steve

Thanks for the reply Steve. I got the variations config figured out. I had to add a variations file in the variations directory (no tab exists like in that help document for v3.5). Good news is that got me past the login problem. Now when I try to run the device backup, I get this output:

This is what I get in the debug log after running it, the config does come across (I had to truncate that section though).

<NEWSESSION CatTools 3.5.0 7/15/2012 2:24:18 PM>

<PROTOCOL=SSH2>

<DEVICE TYPE=Generic.Device>

<ACTIVITY TYPE=Device.Backup.Running Config>

<ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Device.Backup.Running Config.txt>

<USERS NAME FOR DEVICE=TEST>

<C OK 2:24:18 PM><R-2:24:18 PM>Last login: Sun Jul 15 13:27:53 2012 from 10.100.101.248[13][13][10]OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012[13][10][13][10]Welcome to OpenBSD: The proactively secure Unix-like operating system.[13][10][13][10]Please use the sendbug(1) utility to report bugs in the system.[13][10]Before reporting a bug, please try to reproduce it with the latest[13][10]version of the code.  With bug reports, please try to ensure that[13][10]enough information to reproduce the problem is enclosed, and if a[13][10]known fix for it exists, include that as well.[13][10][13][10][13][27][3g        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H[13][13]<W-2:24:19 PM>cat /etc/pf.conf<R-2:24:19 PM>cat /etc/pf.conf<W-2:24:19 PM>[13]<R-2:24:19 PM>[13][10]<R-2:24:19 PM># cat /etc/pf.conf[13][13][10]#       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $[13][10]#[13][10]# See pf.conf(5) for syntax and examples.[13][10]# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1[13][10]# in /etc/sysctl.conf if packets are to be forwarded between interfaces# Block all other traffic not specified in rules[13][10]block in log on $ExtIf[13][10]block out log on $ExtIf[13][10]# <W-2:24:20 PM> <R-2:24:20 PM>

================================================================================

WFMDRetVal=1 Waiting for: ":"

WFMDRetVal=18 Waiting for: "#"

WFMDRetVal=19 Waiting for: "#"

WFMDRetVal=20 Waiting for: "#"

WFMDBuffer=" "

================================================================================

<W-2:24:50 PM>exit[13]<D 2:24:50 PM>

<SCRIPT VALUES>

<HOSTNAME="">

<PROMPT VTY="#">

<PROMPT ENABLE="#">

<PROMPT CONFIG="#">

This is what I put in the variations file:

DEVICE_USERNAMEPROMPT = "login as:"

DEVICE_PASSWORDPROMPT = "root's password:"

DEVICE_STANDARDPROMPT = "# "

DEVICE_PRIVILEGEDPROMPT = "#"

DEVICE_CONFIGPROMPT = "#"

DEVICE_MORETEXT = ":"

DEVICE_INVALIDCOMMAND = ""    ' Get this by typing BlahBlahBlah<cr>

DEVICE_INCOMPLETECOMMAND = ""        ' Get this by typing Copy<cr>

DEVICE_YESNOTEXT = ""

DEVICE_CONFIGHEADERTEXT = ""    ' Text to trim off the top of a config output before saving it.  Set to "" if no header to remove.

DEVICE_VTYPROMPT = "#"

FULL_VTYPROMPT = "#"

FULL_ENABLEPROMPT = "#"

FULL_CONFIGPROMPT = "#"

' If device does not have a command then set to ""

COMMAND_ENTERENABLEMODE = ""

COMMAND_EXITENABLEMODE = ""

COMMAND_ENTERCONFIG = ""

COMMAND_EXITCONFIG = ""

COMMAND_DISABLEPAGING = ""

COMMAND_ENABLEPAGING = "" ' Set back to the device default of 24 lines per page

COMMAND_SAVENVRAM = ""

COMMAND_DISCONNECT = "exit"

It's a little hard to tell without seeing the full debuglog, so you may want to send me this offline?

If I had to take a guess, I'd say its the DEVICE_MORETEXT = ":" that you have specified that is causing the problem, as I can see CatTools is sending a ' ' (whitespace character) at the end of the debugfile which is probably the issue.

Why are you setting the DEVICE_MORETEXT to ":"?

That was it! I changed DEVICE+MORETEXT to = "" and it's running! Thanks so much.

I had that set to ":" because if I piped a command to "more" it would have a ":" as the prompt. I figured that's what that variable meant, must have been something different. Makes no difference now anyway. Thanks again!

One last question on this. Now that it's been running for a while, occasionally when it backups up the config on the Open BSD machine, it captures the command it issues to get the config "cat /etc/pf.conf". Is there anyway to prevent that?

Thanks