Fortinet does not work when config global not working #2833

Closed
FloLaco opened this issue Jun 24, 2022 · 20 comments

Comments

@FloLaco

FloLaco commented Jun 24, 2022

Hello @ktbyers

Just would like to know why you close the session and reopen it if config global does not work?

self.remote_conn.close()

In my case, this command is not allowed but we are still in VDOM mode.
The reconnection does not work because you don't type the 'a' the second time:


(Press 'a' to accept):
DEBUG:netmiko:write_channel: b'a\r'
DEBUG:netmiko:read_channel: 

hostname $ 

hostname $ 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:write_channel: b'\n'
DEBUG:netmiko:read_channel: 

hostname $ 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:[find_prompt()]: prompt is hostname $
DEBUG:netmiko:write_channel: b'get system status | grep Virtual\n'
DEBUG:netmiko:send_command_timing current output: 
DEBUG:netmiko:read_channel: get system status | grep Virtual


DEBUG:netmiko:read_channel: Virtual domains status: 2 in NAT mode, 0 in TP mode
Virtual domain configuration: multiple

hostname $ 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:send_command_timing final output: Virtual domains status: 2 in NAT mode, 0 in TP mode
Virtual domain configuration: multiple

DEBUG:netmiko:write_channel: b'config global\n'
DEBUG:netmiko:send_command_timing current output: 
DEBUG:netmiko:read_channel: config global


command parse error before 'global'
Command fail. Return code 1

hostname $ 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:send_command_timing final output: 
command parse error before 'global'
Command fail. Return code 1

DEBUG:paramiko.transport:[chan 0] EOF sent (0)
DEBUG:paramiko.transport:starting thread (client mode): 0xdccdffa0
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.7.2
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0--r9gL4OEJ
INFO:paramiko.transport:Connected (version 2.0, client -r9gL4OEJ)

[...] 
(Press 'a' to accept):
DEBUG:netmiko:Clear buffer detects data in the channel
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:write_channel: b'\n'
DEBUG:paramiko.transport:[chan 0] EOF received (0)
DEBUG:paramiko.transport:[chan 0] EOF sent (0)
DEBUG:netmiko:read_channel: 


DEBUG:netmiko:read_channel: 
@ktbyers
Owner

ktbyers commented Jun 24, 2022

Let me look at it. It has been a long time since that code was written.

@ktbyers
Owner

ktbyers commented Jun 24, 2022

@FloLaco On fortinet, what are the mechanisms for disabling output paging?

Can you disable paging if you can't go into global config mode?

@ktbyers ktbyers added the bug label Jun 24, 2022
@Gatorjosh14
Contributor

I have a new Fortinet driver I've been using extensively; it should be compatible with VDOM and non-VDOM devices. I'm working with ktbyers to get it tested and approved.

@ktbyers
Owner

ktbyers commented Aug 2, 2022

Related PR from @Gatorjosh14

#2876

@ktbyers
Owner

ktbyers commented Jan 24, 2023

@FloLaco Updated Fortinet Driver here:

#3091

config global is probably required though either that or you must configure:

            "config system console",
            "set output standard",

And potentially be on FortiOS version7 or later.

@ktbyers ktbyers closed this as completed Jan 24, 2023
@FloLaco
Author

FloLaco commented Feb 20, 2023

Hi @ktbyers
Sorry for not responding to you earlier.

My Fortinet is the property of my WAN carrier, so it's a managed device.
I can't type what I want, but by default paging is disabled (on my side) (just tested with the show full-configuration command).
Is there a way to stop netmiko from trying to disable paging (because it's already disabled)?

@ktbyers
Owner

ktbyers commented Feb 20, 2023

@FloLaco Are you testing with the current develop branch?

I think it already does this. Though Netmiko probably needs to go into config global to determine whether the device is configured properly (i.e. to determine whether paging has been disabled already).

Can you post what error you are receiving?

@FloLaco
Author

FloLaco commented Feb 23, 2023

@ktbyers

I've just tested the develop branch and I get another error:

  File "fortinet.py", line 16, in <module>
    net_connect = ConnectHandler(**cisco_881)
  File "/home/florian_lacommare/.pyenv/versions/netmiko_dev/lib/python3.8/site-packages/netmiko/ssh_dispatcher.py", line 376, in ConnectHandler
    return ConnectionClass(*args, **kwargs)
  File "/home/florian_lacommare/.pyenv/versions/netmiko_dev/lib/python3.8/site-packages/netmiko/base_connection.py", line 456, in __init__
    self._open()
  File "/home/florian_lacommare/.pyenv/versions/netmiko_dev/lib/python3.8/site-packages/netmiko/base_connection.py", line 462, in _open
    self._try_session_preparation()
  File "/home/florian_lacommare/.pyenv/versions/netmiko_dev/lib/python3.8/site-packages/netmiko/fortinet/fortinet_ssh.py", line 24, in _try_session_preparation
    super()._try_session_preparation(force_data=force_data)
  File "/home/florian_lacommare/.pyenv/versions/netmiko_dev/lib/python3.8/site-packages/netmiko/base_connection.py", line 944, in _try_session_preparation
    self.session_preparation()
  File "/home/florian_lacommare/.pyenv/versions/netmiko_dev/lib/python3.8/site-packages/netmiko/fortinet/fortinet_ssh.py", line 40, in session_preparation
    self._original_output_mode = self._get_output_mode()
  File "/home/florian_lacommare/.pyenv/versions/netmiko_dev/lib/python3.8/site-packages/netmiko/fortinet/fortinet_ssh.py", line 200, in _get_output_mode
    return self._get_output_mode_v6()
  File "/home/florian_lacommare/.pyenv/versions/netmiko_dev/lib/python3.8/site-packages/netmiko/fortinet/fortinet_ssh.py", line 169, in _get_output_mode_v6
    raise ValueError("Unable to determine the output mode on the Fortinet device.")
ValueError: Unable to determine the output mode on the Fortinet device.

The log :

DEBUG:paramiko.transport:starting thread (client mode): 0xaff9d220
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_3.0.0
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-AxX4y
INFO:paramiko.transport:Connected (version 2.0, client AxX4y)
DEBUG:paramiko.transport:=== Key exchange possibilities ===
DEBUG:paramiko.transport:kex algos: [email protected], diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1
DEBUG:paramiko.transport:server key: ssh-rsa, ssh-ed25519
DEBUG:paramiko.transport:client encrypt: [email protected], aes128-ctr, aes192-ctr, aes256-ctr, [email protected], [email protected]
DEBUG:paramiko.transport:server encrypt: [email protected], aes128-ctr, aes192-ctr, aes256-ctr, [email protected], [email protected]
DEBUG:paramiko.transport:client mac: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], hmac-sha2-256, hmac-sha2-512, hmac-sha1, [email protected], hmac-ripemd160, [email protected]
DEBUG:paramiko.transport:server mac: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], hmac-sha2-256, hmac-sha2-512, hmac-sha1, [email protected], hmac-ripemd160, [email protected]
DEBUG:paramiko.transport:client compress: none, [email protected]
DEBUG:paramiko.transport:server compress: none, [email protected]
DEBUG:paramiko.transport:client lang: <none>
DEBUG:paramiko.transport:server lang: <none>
DEBUG:paramiko.transport:kex follows: False
DEBUG:paramiko.transport:=== Key exchange agreements ===
DEBUG:paramiko.transport:Kex: diffie-hellman-group14-sha1
DEBUG:paramiko.transport:HostKey: ssh-ed25519
DEBUG:paramiko.transport:Cipher: aes128-ctr
DEBUG:paramiko.transport:MAC: hmac-sha2-256
DEBUG:paramiko.transport:Compression: none
DEBUG:paramiko.transport:=== End of kex handshake ===
DEBUG:paramiko.transport:kex engine KexGroup14 specified hash_algo <built-in function openssl_sha1>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ssh-ed25519 host key for 10.x.x.x: b'31ded3f2d7a3b97e3fd49a1221dcadc2'
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) successful!
DEBUG:paramiko.transport:[chan 0] Max packet in: 32768 bytes
DEBUG:paramiko.transport:Received global request "[email protected]"
DEBUG:paramiko.transport:Rejecting "[email protected]" global request from server.
DEBUG:paramiko.transport:[chan 0] Max packet out: 32768 bytes
DEBUG:paramiko.transport:Secsh channel 0 opened.
DEBUG:paramiko.transport:[chan 0] Sesch channel 0 request ok
DEBUG:paramiko.transport:[chan 0] Sesch channel 0 request ok
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
=======================================================================
                      --- ACCES RESTREINT ---
L'acces a ce systeme n'est possible qu'aux seules personnes autorisees.
Toutes les connexions et commandes passees sont enregistrees.
Toute tentative d'acces sans autorisation de Orange
expose ses auteurs a des poursuites penales
conformement aux articles L.323-1 a L.323-7 du code penal.
=======================================================================
                     --- RESTRICTED ACCESS ---
This is a private network device. If you are not authorized by Orange
to connect or configure this device, disconnect at once! Actual
or attempted use, access, examination, or configuration change by
an unauthorized person will result in criminal and civil prosecution
to the full extent permitted by the law.
=======================================================================


 **********************************************************  

 *              DEVICE INFORMATION                        * 

 ********************************************************** 

 Customer name: CENSORED 
 Site name: CENSORED 
 Location: CENSORED 
 Ressource equipement: CENSORED 
 SU: CENSORED 
 Configuration date: 2022-10-19 15:46:22 
 Ansible script version: R1v1.9
 
(Press 'a' to accept):
DEBUG:netmiko:Pattern found: (to accept|[#$]) 
=======================================================================
                      --- ACCES RESTREINT ---
L'acces a ce systeme n'est possible qu'aux seules personnes autorisees.
Toutes les connexions et commandes passees sont enregistrees.
Toute tentative d'acces sans autorisation de Orange
expose ses auteurs a des poursuites penales
conformement aux articles L.323-1 a L.323-7 du code penal.
=======================================================================
                     --- RESTRICTED ACCESS ---
This is a private network device. If you are not authorized by Orange
to connect or configure this device, disconnect at once! Actual
or attempted use, access, examination, or configuration change by
an unauthorized person will result in criminal and civil prosecution
to the full extent permitted by the law.
=======================================================================


 **********************************************************  

 *              DEVICE INFORMATION                        * 

 ********************************************************** 

 Customer name: CENSORED 
 Site name: CENSORED 
 Location: CENSORED
 Ressource equipement: CENSORED
 SU: CENSORED 
 Configuration date: 2022-10-19 15:46:22 
 Ansible script version: R1v1.9
 
(Press 'a' to accept
DEBUG:netmiko:write_channel: b'a\r'
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 


DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: CENSORED-SD1 $ 
CENSORED-SD1 $ 
DEBUG:netmiko:Pattern found: ([#$]) ):

CENSORED-SD1 $
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:Clear buffer detects data in the channel
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:write_channel: b'\n'
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
CENSORED-SD1 $ 
DEBUG:netmiko:Pattern found: ([#$]) 
CENSORED-SD1 $
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:Clear buffer detects data in the channel
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:[find_prompt()]: prompt is CENSORED-SD1 $
DEBUG:netmiko:write_channel: b'get system status | grep Virtual\n'
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: get system
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel:  status | grep Virtual

DEBUG:netmiko:Pattern found: (get\ system\ status\ \|\ grep\ Virtual) get system status | grep Virtual
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: Virtual domains status: 2 in NAT mode, 0 in TP mode
Virtual domain configuration: multiple

CENSORED-SD1 $ 
DEBUG:netmiko:write_channel: b'get system status | grep Version\n'
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: get s
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: ystem status | grep Version
Version: FortiGate-60F v6.4.6,build8755,220121 (GA)
Release Version Information: GA

CENSORED-SD1 $ 
DEBUG:netmiko:Pattern found: (get\ system\ status\ \|\ grep\ Version) get system status | grep Version
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:write_channel: b'config global\n'
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: con
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: fig global

command parse error before 'global'
Command fail. Return code 1

CENSORED-SD1 $ 
DEBUG:netmiko:Pattern found: (config\ global) config global
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:write_channel: b'config system console\n'
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: confi
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: g system console

command parse error before 'system'
Command fail. Return code 1

CENSORED-SD1 $ 
DEBUG:netmiko:Pattern found: (config\ system\ console) config system console
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:write_channel: b'show full-configuration\n'
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: show fu
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: ll-configuration
config system object-tagging
    edit "default"
        set address optional
        set device optional
        set interface optional
        set multiple enable
        set color 0
    next
end
[...]
config system vne-tunnel
    set status disable
end

CENSORED-SD1 $ end
Unknown action 0

CENSORED-SD1 $ 
DEBUG:netmiko:write_channel: b'end\n'
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: end
Unknown action 0

CENSORED-SD1 $ 
DEBUG:netmiko:Pattern found: (end) end
DEBUG:netmiko:read_channel: 

@ktbyers
Owner

ktbyers commented Feb 23, 2023

@FloLaco It looks like config global is failing for you. Netmiko needs to go into config global to disable output paging.

Do you have config global permissions?

@FloLaco
Author

FloLaco commented Feb 23, 2023

@ktbyers I don't have permission to type this command.
I've fixed my issue by providing the output type myself. Please check my PR : #3127

@ktbyers
Owner

ktbyers commented Feb 23, 2023

I probably don't want to support more, i.e. output paging must be disabled.

So I don't see a good solution here. You can't determine the output mode without config global and you can't actually configure it properly without config global.

I guess we could try something like: a failed config global will then just test a command that will page the output, and if there is paging Netmiko raises an exception saying that you must allow config global or you must manually disable output paging permanently (so that Netmiko just works).

Does that work for you?

@FloLaco
Author

FloLaco commented Feb 23, 2023

One thing that I don't understand.
On this new version of the Fortinet driver, netmiko sends a `show full-configuration` and searches for a particular command.
How can it work if paging is enabled? Because the output of this command is very long.

On my side, I don't have permission to type config global, but I can type show full-config, and the output is not paged.

@ktbyers
Owner

ktbyers commented Feb 23, 2023

@FloLaco This is Fortinet V6 only:

        self._send_command_str(
            "config system console", expect_string=self.prompt_pattern
        )
        output = self._send_command_str(
            "show full-configuration", expect_string=self.prompt_pattern
        )

Doesn't that only give you the configuration of the config system console context (which shouldn't be paginated)?

@FloLaco
Author

FloLaco commented Feb 24, 2023

@ktbyers
You're right, when typing config system console before show full-configuration, we only see the configuration of this config block.

I have access to a Fortinet with admin privilege. I'll try to add the fallback code for 'check if a big output is paginated or not'.

@FloLaco
Author

FloLaco commented Feb 24, 2023

I found another issue. When the user has read-only permission (cannot type config system console) but has the right to type config global:

Traceback (most recent call last):
  File "fortinet.py", line 24, in <module>
    net_connect = ConnectHandler(**cisco_881)
  File "/home/florian_lacommare/contribution/netmiko/netmiko/ssh_dispatcher.py", line 376, in ConnectHandler
    return ConnectionClass(*args, **kwargs)
  File "/home/florian_lacommare/contribution/netmiko/netmiko/fortinet/fortinet_ssh.py", line 21, in __init__
    super().__init__(args, **kwargs)
  File "/home/florian_lacommare/contribution/netmiko/netmiko/base_connection.py", line 456, in __init__
    self._open()
  File "/home/florian_lacommare/contribution/netmiko/netmiko/base_connection.py", line 462, in _open
    self._try_session_preparation()
  File "/home/florian_lacommare/contribution/netmiko/netmiko/fortinet/fortinet_ssh.py", line 34, in _try_session_preparation
    super()._try_session_preparation(force_data=force_data)
  File "/home/florian_lacommare/contribution/netmiko/netmiko/base_connection.py", line 944, in _try_session_preparation
    self.session_preparation()
  File "/home/florian_lacommare/contribution/netmiko/netmiko/fortinet/fortinet_ssh.py", line 51, in session_preparation
    self._original_output_mode = self._get_output_mode()
  File "/home/florian_lacommare/contribution/netmiko/netmiko/fortinet/fortinet_ssh.py", line 243, in _get_output_mode
    return self._get_output_mode_v6()
  File "/home/florian_lacommare/contribution/netmiko/netmiko/fortinet/fortinet_ssh.py", line 177, in _get_output_mode_v6
    output = self._send_command_str(
  File "/home/florian_lacommare/contribution/netmiko/netmiko/base_connection.py", line 1794, in _send_command_str
    output = self.send_command(*args, **kwargs)
  File "/home/florian_lacommare/contribution/netmiko/netmiko/utilities.py", line 592, in wrapper_decorator
    return func(self, *args, **kwargs)
  File "/home/florian_lacommare/contribution/netmiko/netmiko/base_connection.py", line 1772, in send_command
    raise ReadTimeout(msg)
netmiko.exceptions.ReadTimeout:
Pattern not detected: '[#$]' in output.

Things you might try to fix this:
1. Explicitly set your pattern using the expect_string argument.
2. Increase the read_timeout to a larger value.

You can also look at the Netmiko session_log or debug log for more information.

DEBUG:netmiko:write_channel: b'config global\n'
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: config global

FGT60C3G11025908 (global) $ 
DEBUG:netmiko:Pattern found: (config\ global) config global
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:write_channel: b'config system console\n'
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:read_channel: config system console
Unknown action 0

FGT60C3G11025908 (global) $ 
DEBUG:netmiko:Pattern found: (config\ system\ console) config system console
DEBUG:netmiko:read_channel: 
DEBUG:netmiko:write_channel: b'show full-configuration\n'

I'll fix this issue too

@FloLaco
Author

FloLaco commented Feb 24, 2023

@ktbyers I've fixed the issue like you proposed. You can check the PR

I try a show full-config. Two cases:

  1. We are stuck waiting to press 'enter', so we get a ReadTimeout --> more output detected
  2. else we are in standard mode

I've fixed another issue:
When we have read-only privilege and the device is configured in more, we cannot type the command to disable paging. So I've added an exception because we cannot go further (if you don't want to support more).

@FloLaco
Author

FloLaco commented Mar 6, 2023

@ktbyers any news about the PR I submitted?

@ktbyers
Owner

ktbyers commented Mar 6, 2023 via email

@muffi-dn

muffi-dn commented Jul 7, 2023

@ktbyers One of my colleagues faced a similar issue and I suggested using show full-configuration system console for _get_output_mode_v6, which does not require going into config mode. This is especially useful when the user only has RO privileges. It worked fine during our testing. Probably the entering and exiting of config mode can be removed as part of this. Here's the PR: #3248
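Added illustration (not netmiko code, not from any of the PRs in this thread): the two read-only ways of answering "is paging on?" that the thread converges on. First the approach in the comment above, reading `set output standard|more` from `show full-configuration system console` without ever entering config mode; then, as a fallback when that block cannot be read, the probe ktbyers proposed and FloLaco implemented, which issues a long command and treats an interrupted, promptless output as "paging enabled" and refuses to continue. `FakeFortiGate` is a constructed stand-in that only echoes the responses visible in the logs above; the `--More--` marker, the `q` key to leave the pager, and the shape of the console block are assumptions, as is the read-only profile that rejects every config command.

```python
import re

# PROMPT_RE mirrors the idea of the '[#$]' prompt pattern in the ReadTimeout
# above; MORE_RE is the FortiOS pager marker (assumption: '--More--').
PROMPT_RE = re.compile(r"[#$] ?$")
MORE_RE = re.compile(r"--More--")
OUTPUT_RE = re.compile(r"^\s*set output (standard|more)\s*$", re.MULTILINE)

# Constructed FortiOS text modelled on the logs in this thread, not a capture.
CONSOLE_BLOCK = (
    "config system console\n"
    "    set mode line\n"
    "    set baudrate 9600\n"
    "    set output {mode}\n"
    "end\n"
)
BIG_CONFIG = "".join(
    f"config system fake-block{i}\n    set status disable\nend\n" for i in range(60)
)


class FakeFortiGate:
    """Constructed stand-in for a VDOM-enabled FortiGate CLI as seen by a
    read-only admin: no 'config ...' command is accepted (assumption)."""

    PROMPT = "hostname $ "
    PAGE_LINES = 24  # assumption: one screen of output before the pager stops

    def __init__(self, output_mode="standard", console_readable=True):
        if output_mode not in ("standard", "more"):
            raise ValueError(output_mode)
        self.output_mode = output_mode
        self.console_readable = console_readable

    def send(self, cmd):
        """Return what the CLI prints for cmd, trailing prompt included."""
        if cmd == "show full-configuration system console" and self.console_readable:
            body = CONSOLE_BLOCK.format(mode=self.output_mode)
        elif cmd == "show full-configuration":
            body = CONSOLE_BLOCK.format(mode=self.output_mode) + BIG_CONFIG
            if self.output_mode == "more":
                page = body.splitlines(keepends=True)[: self.PAGE_LINES]
                return "".join(page) + "--More--"  # pager waits; no prompt
        elif cmd == "q":
            body = ""  # leaves the pager (assumed FortiOS quit key)
        else:
            words = cmd.split()
            token = words[1] if len(words) > 1 else cmd
            # same rejection the read-only admin gets in the logs above
            body = f"command parse error before '{token}'\nCommand fail. Return code 1\n"
        return body + self.PROMPT


class PagingEnabledError(RuntimeError):
    """Pager is active and cannot be disabled from this session."""


def get_output_mode(send):
    """Read-only check: parse 'set output ...' from the console block
    without entering 'config global' or 'config system console'."""
    out = send("show full-configuration system console")
    match = OUTPUT_RE.search(out)
    if not match:
        raise ValueError("Unable to determine the output mode on the Fortinet device.")
    return match.group(1)


def probe_paging(send):
    """Fallback: issue a long command and see whether the pager intervenes,
    i.e. '--More--' shows up or no prompt comes back at all."""
    out = send("show full-configuration")
    if MORE_RE.search(out) or not PROMPT_RE.search(out):
        send("q")  # get the session back to a prompt before giving up
        raise PagingEnabledError(
            "output paging is enabled; either grant 'config global' so it can be "
            "disabled per session, or set 'config system console' / "
            "'set output standard' permanently"
        )
    return "standard"


def determine_output_mode(device):
    """Prefer the read-only lookup; fall back to the paging probe."""
    try:
        return get_output_mode(device.send)
    except ValueError:
        return probe_paging(device.send)


def session_usable(device):
    """True when a session could proceed without the pager getting in the way."""
    try:
        return determine_output_mode(device) == "standard"
    except PagingEnabledError:
        return False


if __name__ == "__main__":
    for mode, readable in (("standard", True), ("more", True), ("more", False)):
        print(mode, readable, "->", session_usable(FakeFortiGate(mode, readable)))
```

The probe is deliberately a last resort: on a real device a paged `show full-configuration` leaves the channel parked at the pager, which is exactly the ReadTimeout shown earlier in the thread, so the code quits the pager before raising rather than leaving the session wedged.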

@ktbyers
Owner

ktbyers commented Jul 19, 2023

PR #3248 has now been merged.

In general, Netmiko requires output paging to be disabled or it won't work / is not supported (consequently, I am pretty reluctant to add things that require manual handling of output paging). Though I am more open to it, if it is caused by things directly baked into the driver that are hard to work around.

I am going to close this issue and the earlier referenced PR.

If things are still broken here, just re-open this issue.

@ktbyers ktbyers closed this as completed Jul 19, 2023
4 participants