FortiGate automation with Perl or Python


Question

Goal
I'm trying to automate a FortiGate configuration change for a couple dozen routers and am not winning. I have tried Python's paramiko library, Python's Fabric, and Perl's Expect and Rex interfaces/libraries.

Other info
* Routers: FortiGate 60D
* Firmware: v5.0,build0252 (GA Patch 5)
* SSH enabled: True

I can log in over SSH and run these commands manually!

I used the Perl Expect library with FortiGate 60Bs in the past but it no longer works. Before I share the code I want to ask:

Is there some new feature in FortiGates that prevents this type of automation?

A simple and harmless command to test [ list current DHCP leases ]:

execute dhcp lease-list wifi

Code
Perl/Expect:

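use Expect;

my $timeout = 10;

# Assumed setup: the question does not show how $ssh was created;
# $user, $host and $passwd are defined elsewhere.
my $ssh = Expect->spawn("ssh", "$user\@$host") or die "Cannot spawn ssh: $!\n";

# Wait for the password prompt, then log in
$ssh->expect($timeout, [ qr/password: /i ]);
$ssh->send("$passwd\r\n");
# Wait for the CLI prompt, run the command, wait for the prompt again
$ssh->expect($timeout, [ qr/#/i ]);
$ssh->send("execute dhcp lease-list wifi\r");
$ssh->expect($timeout, [ qr/#/i ]);
$ssh->send("exit\r");

$ssh->soft_close();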

Output: none

Perl/Rex:

desc "List all dhcp leases";
task "leases", group => "forti", sub {
    my $output = run "execute dhcp lease-list wifi";
    say $output;
};

Output:

[2014-02-11 13:14:48] (30011) - INFO - Running task: leases
[2014-02-11 13:14:48] (30022) - INFO - Connecting to 10.10.10.2 (admin)
[2014-02-11 13:14:49] (30022) - INFO - Connected to 10.10.10.2, trying to authenticate.
Fortigate # Unknown action 0

Fortigate # 

Python/paramiko:

import paramiko

ssh = paramiko.SSHClient()
# AutoAddPolicy accepts any host key the client has not seen before
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('10.10.10.2', username='fake_root', password='fake_pass')
stdin, stdout, stderr = ssh.exec_command("execute dhcp lease-list wifi")
stdout.readlines()
ssh.close()

Output: none

Python/Fabric:

from fabric.api import run

def view_dhcp_leases():
    print("Viewing dhcp leases")
    run("execute dhcp lease-list wifi")

Output:


[10.10.10.2] Executing task 'view_dhcp_leases'
Viewing dhcp leases
[10.10.10.2] run: execute dhcp lease-list wifi
[10.10.10.2] out: Fortigate # Unknown action 0
[10.10.10.2] out: 
[10.10.10.2] out: Fortigate # 

Done.
Disconnecting from 10.10.10.2 ... done.

Conclusions ...so far

Unknown action 0 means "I don't know this command [ in this context ]". This command can be run manually at the first prompt. Also, as you can see in the Fabric and Rex examples, it does authenticate and connect! I conclude that this is by design for security reasons ...and more likely to sell their proprietary management crap.

1
3
2/11/2014 9:34:49 PM

The following script worked for me against a FortiGate (5.2.4) with Python/Paramiko:

import paramiko
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('1.1.1.254',username='admin',password='password')
stdin, stdout, stderr=ssh.exec_command("get system status")
type(stdin)
stdout.readlines()

Andy

2
10/22/2015 12:49:56 PM
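
A variant of the Paramiko approach above, added here as an example (it is not code from either poster): it rejects unknown SSH host keys instead of using AutoAddPolicy, and it treats the "Unknown action 0" reply seen in the question as a failure rather than as output. The function names, the prompt regex and the sample status lines are assumptions constructed for illustration.

```python
import re

# Prompt as printed in the outputs on this page ("Fortigate # "); assumed to
# be "<hostname> # " on other devices.
PROMPT_RE = re.compile(r"^\S+ # ?")
REJECTED_RE = re.compile(r"Unknown action \d+")

# Taken from the Fabric output in the question.
SAMPLE_REJECTED = "Fortigate # Unknown action 0\n\nFortigate # \n"
# Constructed sample of a successful reply (not real device output).
SAMPLE_OK = ("Fortigate # get system status\r\n"
             "Version: constructed-sample\r\nHostname: Fortigate\r\n\r\nFortigate # ")


class CommandRejected(Exception):
    """The CLI replied 'Unknown action N' instead of running the command."""


def clean_output(raw, command):
    """Strip prompts and the echoed command; raise if the CLI rejected it."""
    lines = []
    for line in raw.replace("\r", "").split("\n"):
        line = PROMPT_RE.sub("", line).strip()
        if line and line != command:
            lines.append(line)
    for line in lines:
        if REJECTED_RE.search(line):
            raise CommandRejected(line)
    return lines


def run_command(host, username, password, command, timeout=10):
    """Run one CLI command over SSH, refusing devices with unknown host keys."""
    import paramiko  # imported lazily so clean_output() works without it

    client = paramiko.SSHClient()
    client.load_system_host_keys()  # the device key must already be in known_hosts
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=username, password=password,
                   look_for_keys=False, allow_agent=False, timeout=timeout)
    try:
        _stdin, stdout, _stderr = client.exec_command(command, timeout=timeout)
        raw = stdout.read().decode("utf-8", errors="replace")
    finally:
        client.close()
    return clean_output(raw, command)


if __name__ == "__main__":
    print(clean_output(SAMPLE_OK, "get system status"))
```

With RejectPolicy, `connect()` raises an `SSHException` for any device whose key is not already in the known_hosts file, so each router's key has to be recorded and verified once before the batch run.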

Licensed under: CC-BY-SA with attribution
Not affiliated with: Stack Overflow