Fortigate automation with perl or python
Solution 1
The following script worked for me against a FortiGate (5.2.4) with Python/Paramiko:
import paramiko
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('1.1.1.254',username='admin',password='password')
stdin, stdout, stderr=ssh.exec_command("get system status")
type(stdin)
stdout.readlines()
Andy
Solution 2
This works for me on a FortiNet Mail Appliance.
from Exscript.util.interact import Account
from Exscript.protocols import SSH2
account = Account('USERNAME', 'PASSWORD')
conn = SSH2()
conn.connect('IP')
conn.login(account)
conn.execute('COMMAND')
conn.send('exit \r')
conn.close()
https://github.com/knipknap/exscript
Solution 3
I have 60B.
Please try to run this command from linux terminal.
If you don't have sshpass - you can install it.
sshpass -p 'adminpassword' ssh ip_of_fw -l admin execute dhcp lease-list
Solution 4
If you want to use fabric to run commands on fortigates you need to disable the shell wrapping used by fabric when connecting via SSH:
from fabric.api import run
def get_sys():
run("get sys status",shell=False)
Comments
-
Bubnoff almost 2 years
Goal
I'm trying to automate a fortigate configuration change for a couple dozen routers and am not winning. Have tried Python's paramiko library, Python fabric and Perl's expect and Rex interfaces/libraries.Other info
* Routers: Fortigate 60D
* Firmware: v5.0,build0252 (GA Patch 5)
* SSH enabled: TrueI can log in over SSH and run these commands manually!
I used the perl expect library with Fortigate 60B's in the past but it no longer works. Before I share the code I want to ask:
Is there some new feature in Fortigate's that prevents this type of automation?
A simple and harmless command to test [ list current dhcp leases ]:
execute dhcp lease-list wifi
Code
Perl/Expect:my $timeout = 10; $ssh->expect($timeout, [ qr/password: /i ]); $ssh->send("$passwd\r\n"); $ssh->expect($timeout, [ qr/#/i ]); $ssh->send("execute dhcp lease-list wifi\r"); $ssh->expect($timeout, [ qr/#/i ]); $ssh->send("exit\r"); $ssh->soft_close();
Output: none
Perl/Rex:
desc "List all dhcp leases"; task "leases", group => "forti", sub { my $output = run "execute dhcp lease-list wifi"; say $output; };
Output:
[2014-02-11 13:14:48] (30011) - INFO - Running task: leases [2014-02-11 13:14:48] (30022) - INFO - Connecting to 10.10.10.2 (admin) [2014-02-11 13:14:49] (30022) - INFO - Connected to 10.10.10.2, trying to authenticate. Fortigate # Unknown action 0 Fortigate #
Python/paramiko:
ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect('10.10.10.2',username='fake_root',password='fake_pass') stdin, stdout, stderr=ssh.exec_command("execute dhcp lease-list wifi") stdout.readlines() ssh.close()
Output: none
Python/Fabric:
def view_dhcp_leases(): print("Viewing dhcp leases") run("execute dhcp lease-list wifi")
Output:
[10.10.10.2] Executing task 'view_dhcp_leases' Viewing dhcp leases [10.10.10.2] run: execute dhcp lease-list wifi [10.10.10.2] out: Fortigate # Unknown action 0 [10.10.10.2] out: [10.10.10.2] out: Fortigate # Done. Disconnecting from 10.10.10.2 ... done.
Conclusions ...so far
Unknown action 0
means, "I don't know this command [ in this context ]". This command can be run manually at the first prompt. Also, as you can see in the fabric and rex examples: it does authenticate and connect! I conclude that this is by design for security reasons ...and more likely to sell their proprietary management crap. -
Bubnoff almost 10 yearssshpass does not work either. With the -V option it just gives the license then exits.
-
f0rd42 about 8 yearshave you ever tried to run paraniko agains 5.2.5 or upwards? looks like it's broken since 5.2.5 (see github.com/paramiko/paramiko/issues/687)
-
tread almost 5 yearsWhen I try this I get
action not supported
from a Fortimail server