FortiManager TCL scripts

I had a request sent to me the other day to make a script push some config with the hostname of the node included. Pretty basic thing to do. I was further constrained to use the FortiManager script runner to make this work. As usual, CLI-like scripting sucks and the magic behind the scenes made things more difficult.

FortiManager's Role

Big HA pile of shit to sync configs with templates. Also has a script runner (used by the config pushes).

The scripts are handled through a component called "deployment manager". Relevant debugs:

diagnose debug application depmanager -1 -> Not so useful for TCL, good under-the-hood look
diagnose debug dpm conf-trace enable -> Will show you SSH connection stuff. More useful IMO.

FortiManager holds SSH credentials for the device. It isn't like, even though FortiManager is trusted to play with config, FortiManager can magically login via SSH. This seems like quite a stupid design, but that is the situation we're playing with.

Note: SSH connection issues, including bad user/password require debugs to see this problem!

TCL scripting

Deployment manager will kick off the script in a sandbox. This sandbox allows the TCL script to ignore connecting to the box, the ins-and-outs of expect, etc.

The core component is the "exec" procedure. It looks like this:

exec <command> <expect token> <timeout>

This proc is basically undocumented outside of examples. It never discusses the timeout (or the importance of timeouts).

Some notes:
  • The command must have "\n" to send the command for running
  • The expect token is usually "# " (that is, hash space). This locates the prompt
  • exec returns a string with the output results.
  • If you don't set a timeout, it will gladly HANG FOREVER. Set a timeout.
  • Running a TCL script will always report SUCCESSFUL on the GUI. The logs MUST be checked (and you should add in proper error handling as FortiManager doesn't interpret the CLI output other than to find the expect token and return what it found.

Comments

Post a Comment

Popular posts from this blog

Linux unnumbered interface source IP behavior

In certain cases, (looking at you, Fortinet), interfaces make more sense without IP addresses. But the kernel must determine which source IP to use for sockets that don't specify one. Linux maintains a scoping of IP addresses. Those exposed directly with iproute2 are host, link, and global. When you intend on taking an unnumbered path, one of two things may happen: 1) A route exists for the unnumbered path. This route is populated with a src address when fib_create_info() is called  (such as in routing table update) (occurs via  fib_info_update_nh_saddr) or; 2) No route exists, but an interface is specified for the connection and the source is derived in ip_route_output_key_hash_rcu(). In both cases, inet_select_addr() is called to determine the source IP, but with slightly different parameters. In the first case, the scope of the FIB table is taken into account. As an example, sources used for link-local routes will permit link-local or global scope. In the seco...
Read more

But Ansible does it all!!

Most people running networks have a decent fleet of Cisco IOS devices (or devices that feature "industry-standard" *cough* ripoff *cough* CLI). Often times, the discussion of Ansible as a framework comes up as the solution. What does Ansible do? Ansible is designed to express desired state, compare against existing state and then calculate whether a change is needed. A great example is that we'll generate a config file with a template, push this to a server, and then signal the relevant service (perhaps with a restart). Cool! Easy! But what if the config file is already the same as what we generated from template? No problem, we'll calculate that the files are the same and do nothing. No restart, no problem.. its already good. This technique is highly effective for things like webservers where the service supports a consistent and suitable approach (in context, of course) for loading the new config. kk.. cool but what is wrong with IOS? IOS-like CLIs ar...
Read more