
Goal
I'm trying to automate a fortigate configuration change for a couple dozen routers and am not winning. Have tried Python's paramiko library, Python fabric and Perl's expect and Rex interfaces/libraries.

Other info
* Routers: Fortigate 60D
* Firmware: v5.0,build0252 (GA Patch 5)
* SSH enabled: True

I can log in over SSH and run these commands manually!

I used the perl expect library with Fortigate 60B's in the past but it no longer works. Before I share the code I want to ask:

Is there some new feature in Fortigates that prevents this type of automation?

A simple and harmless command to test [ list current dhcp leases ]:

execute dhcp lease-list wifi

Code
Perl/Expect:

use strict;
use warnings;
use Expect;

my $timeout = 10;
my $passwd  = 'fake_pass';   # placeholder, as in the paramiko snippet below
# the spawn line was missing from the posted snippet; host and user taken from the Rex output
my $ssh = Expect->spawn("ssh admin\@10.10.10.2") or die "cannot spawn ssh: $!";

$ssh->expect($timeout, [ qr/password: /i ]);
$ssh->send("$passwd\r\n");
$ssh->expect($timeout, [ qr/#/i ]);           # wait for the "Fortigate # " prompt
$ssh->send("execute dhcp lease-list wifi\r");
$ssh->expect($timeout, [ qr/#/i ]);           # command output is in $ssh->before
$ssh->send("exit\r");

$ssh->soft_close();

Output: none

Perl/Rex:

use Rex -feature => ['1.0'];

desc "List all dhcp leases";
task "leases", group => "forti", sub {
    my $output = run "execute dhcp lease-list wifi";   # sent as an SSH exec request
    say $output;
};

Output:

[2014-02-11 13:14:48] (30011) - INFO - Running task: leases
[2014-02-11 13:14:48] (30022) - INFO - Connecting to 10.10.10.2 (admin)
[2014-02-11 13:14:49] (30022) - INFO - Connected to 10.10.10.2, trying to authenticate.
Fortigate # Unknown action 0

Fortigate # 

Python/paramiko:

import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())   # accepts any host key
ssh.connect('10.10.10.2', username='fake_root', password='fake_pass')
stdin, stdout, stderr = ssh.exec_command("execute dhcp lease-list wifi")
print(stdout.read().decode())   # whatever the exec request returns (nothing here)
ssh.close()

Output: none

Python/Fabric:

from fabric.api import run

def view_dhcp_leases():
    print("Viewing dhcp leases")
    run("execute dhcp lease-list wifi")

Output:

[10.10.10.2] Executing task 'view_dhcp_leases'
Viewing dhcp leases
[10.10.10.2] run: execute dhcp lease-list wifi
[10.10.10.2] out: Fortigate # Unknown action 0
[10.10.10.2] out: 
[10.10.10.2] out: Fortigate # 

Done.
Disconnecting from 10.10.10.2 ... done.

Conclusions ...so far

Unknown action 0 means, "I don't know this command [ in this context ]". This command can be run manually at the first prompt. Also, as you can see in the fabric and rex examples: it does authenticate and connect! I conclude that this is by design for security reasons ...and more likely to sell their proprietary management crap.

  • You may be affected by the issue described here! Commented Jun 14, 2017 at 10:38

5 Answers


This works for me on a FortiNet Mail Appliance.

from Exscript.util.interact import Account
from Exscript.protocols import SSH2
account = Account('USERNAME', 'PASSWORD')
conn = SSH2()
conn.connect('IP')
conn.login(account)
conn.execute('COMMAND')
conn.send('exit \r')
conn.close()

https://github.com/knipknap/exscript


The following script worked for me against a FortiGate (5.2.4) with Python/Paramiko:

import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('1.1.1.254', username='admin', password='password')
stdin, stdout, stderr = ssh.exec_command("get system status")
print(stdout.readlines())
ssh.close()

Andy

2 Comments

Have you ever tried to run paramiko against 5.2.5 or upwards? Looks like it's broken since 5.2.5 (see github.com/paramiko/paramiko/issues/687)
When I try this I get action not supported from a Fortimail server
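The "Unknown action 0" in the question's Rex and Fabric output, and the exec_command breakage mentioned in the comment above, point the same way: the FortiOS SSH server treats an exec request (what exec_command, Fabric's run and a one-shot ssh command all send) as something it does not understand, while an interactive login works. The following is an added example, not code from the question or from any answer: it drives the CLI through paramiko's invoke_shell() and reads until the "hostname # " prompt instead of using exec_command. The FakeFortiChannel class and SAMPLE_LEASES are constructed so the example runs offline; the known_hosts handling (RejectPolicy instead of the AutoAddPolicy used in the snippets above, which trusts any key it sees) and the FortiOS "config system console / set output standard" lines that switch off --More-- paging are this example's own additions, assumed to apply to the firmware at hand.

```python
import re
import time

try:
    import paramiko          # only needed for the live connection in open_forti_shell()
except ImportError:          # the offline demonstration below runs without it
    paramiko = None

# FortiOS prompt: "<hostname> # " at the very end of what has been received so far
PROMPT_RE = re.compile(rb"\S+ # $")


def read_until(chan, pattern=PROMPT_RE, timeout=10.0):
    """Collect bytes from an interactive channel until the prompt regex
    matches the end of the buffer, or raise TimeoutError."""
    buf = b""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if chan.recv_ready():
            buf += chan.recv(65535)
            if pattern.search(buf):
                return buf
        else:
            time.sleep(0.05)
    raise TimeoutError("prompt not seen within %ss; last bytes: %r" % (timeout, buf[-200:]))


def run_cli(chan, command, timeout=10.0):
    """Send one CLI line through the shell channel and return its output
    with the echoed command and the trailing prompt removed."""
    chan.send(command + "\n")
    lines = read_until(chan, timeout=timeout).decode("utf-8", "replace").splitlines()
    if lines and lines[0].strip().endswith(command):    # echo of what we typed
        lines = lines[1:]
    if lines and PROMPT_RE.search(lines[-1].encode()):  # the new prompt
        lines = lines[:-1]
    return "\n".join(lines).strip()


def open_forti_shell(host, username, password, known_hosts=None):
    """Connect with paramiko and return (client, channel) sitting at the first
    prompt. The host key is checked against known_hosts (or the system file)
    and unknown keys are rejected; AutoAddPolicy would trust any key."""
    if paramiko is None:
        raise RuntimeError("paramiko is required for a live connection")
    client = paramiko.SSHClient()
    if known_hosts:
        client.load_host_keys(known_hosts)
    else:
        client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=username, password=password,
                   look_for_keys=False, allow_agent=False)
    chan = client.invoke_shell()     # a PTY shell, not an exec request
    read_until(chan)                 # swallow banner and first prompt
    # switch off FortiOS "--More--" paging so long lease lists arrive whole (assumed CLI)
    for line in ("config system console", "set output standard", "end"):
        run_cli(chan, line)
    return client, chan


class FakeFortiChannel:
    """Constructed stand-in for a paramiko Channel so the example runs offline.
    It echoes each line, prints a canned reply (or "Unknown action 0" for
    anything it does not know, as the real CLI does) and re-issues the prompt."""

    def __init__(self, replies):
        self._replies = replies
        self._out = b"Fortigate # "          # what you see right after login

    def recv_ready(self):
        return bool(self._out)

    def recv(self, n):
        data, self._out = self._out[:n], self._out[n:]
        return data

    def send(self, data):
        cmd = data.rstrip("\r\n")
        body = self._replies.get(cmd, "Unknown action 0")
        self._out += (cmd + "\r\n" + body + "\r\n\r\nFortigate # ").encode()
        return len(data)


# constructed sample lease table, not real device output
SAMPLE_LEASES = "IP\t\tMAC-Address\t\tHostname\n192.168.10.20\t00:11:22:33:44:55\tlaptop-1"


def demo():
    """Offline run: a known command returns its table, an unknown one the CLI error."""
    chan = FakeFortiChannel({"execute dhcp lease-list wifi": SAMPLE_LEASES})
    read_until(chan)
    return run_cli(chan, "execute dhcp lease-list wifi"), run_cli(chan, "no such command")


if __name__ == "__main__":
    leases, error = demo()
    print(leases)
    print(error)
```

Against a live device, open_forti_shell(host, user, password, known_hosts="/path/to/known_hosts") replaces the FakeFortiChannel, and run_cli(chan, "execute dhcp lease-list wifi") returns the text between the echoed command and the next prompt. Reading until the prompt rather than for a fixed time is what keeps the loop from returning a half-written table on a slow link; the TimeoutError carries the last bytes seen so a wrong prompt pattern is easy to diagnose.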

I have 60B.

Please try to run this command from linux terminal.

If you don't have sshpass - you can install it.

sshpass -p 'adminpassword' ssh ip_of_fw -l admin execute dhcp lease-list

1 Comment

sshpass does not work either. With the -V option it just gives the license then exits.

If you want to use fabric to run commands on fortigates you need to disable the shell wrapping used by fabric when connecting via SSH:

from fabric.api import run

def get_sys():
    # shell=False sends the command as-is instead of wrapping it in "/bin/bash -l -c"
    run("get sys status", shell=False)


You can upgrade an OS version and then use API with P
