Some errors parsing Fortigate configuration
draggeta opened this issue
Describe the bug and expected behavior
I seem to have a lot of issues parsing FortiGate configurations. Some errors that I get:
- VPN configuration seems to not parse at all
36,,[configs/config:[608]],Parse warning,This syntax is unrecognized,set dst-subnet 10.1.0.0 255.255.255.224,[fortios_configuration]
37,,[configs/config:[542]],Parse warning,This syntax is unrecognized,set localid-type auto,[fortios_configuration]
38,,"[configs/config:[315, 525]]",Parse warning,This syntax is unrecognized,"edit ""192.0.2.1""",[fortios_configuration]
40,,[configs/config:[597]],Parse warning,This syntax is unrecognized,set encapsulation tunnel-mode,[fortios_configuration]
etc...
- Everything that is quoted seems to be double-quoted in Batfish and causes errors. I don't know what causes this:
10,,[configs/config:[175]],Parse warning,This syntax is unrecognized,"set alias ""Internet""",[fortios_configuration]
23,,[configs/config:[480]],Parse warning,This syntax is unrecognized,"set service ""ALL_ICMP"" ""HTTP"" ""HTTPS"" ""SSH""",[fortios_configuration]
30,,[configs/config:[174]],Parse warning,This syntax is unrecognized,"set description ""Internet""",[fortios_configuration]
284,,[configs/config:[396]],Parse warning,Zone edit block ignored: interface must be set,"edit ""INTERNET""
set description ''
set intrazone deny
set interface ""vl2001""
next",[csz_edit csz cs_zone c_system s_config statement fortios_configuration] <== This interface is configured
- VDOM config isn't understood?
Maybe related to #7874?
24,,[configs/config:[1]],Parse warning,This syntax is unrecognized,config vdom,[s_config statement fortios_configuration]
These issues make it so that testing any reachability beyond FortiGates is difficult.
Runnable example
I'm not really sure if the below code block is completely valid FortiGate configuration, as I had to remove a lot of stuff to keep the relevant parts.
from pybatfish.client.session import Session
TXT = """
config vdom
edit root
next
edit INTERNET
next
end
config global
config system global
set hostname FW01
end
config system settings
set central-nat enable
end
config system interface
edit "FortiLink"
set vdom "root"
set vrf 0
set fortilink enable
set switch-controller-source-ip outbound
set mode static
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set management-ip 0.0.0.0 0.0.0.0
set ip 192.168.20.1 255.255.255.0
set allowaccess ping fabric
set fail-detect disable
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-send-redirect enable
set icmp-accept-redirect enable
set vlanforward disable
set stpforward disable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type aggregate
set netflow-sampler disable
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set member "port17" "port18"
set description ''
set alias ''
set device-identification disable
set lldp-reception enable
set lldp-transmission enable
set lldp-network-policy ''
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth disable
set vrrp-virtual-mac disable
set role undefined
set snmp-index 43
set secondary-IP disable
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set fortilink-stacking enable
set fortilink-neighbor-detect fortilink
set ip-managed-by-fortiipam disable
set fortilink-split-interface disable
set switch-controller-mgmt-vlan 4094
set switch-controller-igmp-snooping-proxy disable
set switch-controller-igmp-snooping-fast-leave disable
set switch-controller-nac ''
set switch-controller-iot-scanning disable
set swc-first-create 127
set np-qos-profile 0
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set vrrp-virtual-mac6 disable
set vrip6_link_local ::
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set priority 0
set dhcp-relay-request-all-server disable
set dhcp-client-identifier ''
set dhcp-renew-time 0
set dns-server-override enable
set mtu-override disable
set wccp disable
set drop-overlapped-fragment disable
set drop-fragment disable
set lacp-mode active
set lacp-ha-slave enable
set system-id-type auto
set lacp-speed slow
set min-links 1
set min-links-down operational
set algorithm L4
set link-up-delay 50
next
edit "vl2001.root"
set vdom "root"
set vrf 0
set mode static
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set management-ip 0.0.0.0 0.0.0.0
set ip 0.0.0.0 0.0.0.0
unset allowaccess
set fail-detect disable
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-send-redirect enable
set icmp-accept-redirect enable
set vlanforward disable
set stpforward disable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set subst disable
set substitute-dst-mac 00:00:00:00:00:00
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type vlan
set netflow-sampler disable
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set vlan-protocol 8021q
set description "Internet"
set alias "Internet"
set security-mode none
set device-identification disable
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth disable
set vrrp-virtual-mac disable
set role dmz
set snmp-index 62
set secondary-IP disable
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set ip-managed-by-fortiipam disable
set switch-controller-access-vlan disable
set switch-controller-traffic-policy ''
set switch-controller-igmp-snooping disable
set switch-controller-dhcp-snooping disable
set switch-controller-learning-limit 0
set switch-controller-feature none
set color 0
set np-qos-profile 0
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set vrrp-virtual-mac6 disable
set vrip6_link_local ::
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set priority 0
set dhcp-relay-request-all-server disable
set dhcp-client-identifier ''
set dhcp-renew-time 0
set dns-server-override enable
set mtu-override disable
set wccp disable
set drop-overlapped-fragment disable
set drop-fragment disable
set interface "FortiLink"
set vlanid 2001
next
edit "vl2001"
set vdom "INTERNET"
set vrf 0
set fortilink disable
set mode static
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set management-ip 0.0.0.0 0.0.0.0
set ip 198.51.100.254 255.255.255.0
set allowaccess ping
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-send-redirect enable
set icmp-accept-redirect enable
set vlanforward disable
set stpforward disable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type emac-vlan
set netflow-sampler disable
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set description ''
set alias "INTERNET"
set security-mode none
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth enable
set role wan
set snmp-index 70
set secondary-IP enable
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set ip-managed-by-fortiipam disable
set switch-controller-igmp-snooping-proxy disable
set switch-controller-igmp-snooping-fast-leave disable
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set priority 0
set dhcp-relay-request-all-server disable
set dhcp-client-identifier ''
set dhcp-renew-time 0
set dns-server-override enable
set mtu-override disable
set interface "vl2001.root"
next
edit "192.0.2.1"
set vdom "INTERNET"
set vrf 0
set distance 5
set priority 0
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set ip 0.0.0.0 0.0.0.0
unset allowaccess
set arpforward enable
set broadcast-forward disable
set bfd global
set icmp-send-redirect enable
set icmp-accept-redirect enable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type tunnel
set netflow-sampler disable
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set remote-ip 0.0.0.0 0.0.0.0
set description ''
set alias ''
set security-mode none
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth disable
set role undefined
set snmp-index 102
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set ip-managed-by-fortiipam disable
set switch-controller-igmp-snooping-proxy disable
set switch-controller-igmp-snooping-fast-leave disable
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set dhcp-relay-request-all-server disable
set dns-server-override enable
set mtu-override disable
set wccp disable
set interface "vl2001"
next
end
config system zone
edit "INTERNET"
set description ''
set intrazone deny
set interface "vl2001"
next
end
config firewall address
edit "ADDR_1"
set uuid 41b947f2-ebab-51eb-4e96-f09e4fef4ff8
set type ipmask
set comment ''
set associated-interface ''
set color 0
set allow-routing disable
set fabric-object disable
set subnet 172.16.0.0 255.255.255.0
next
edit "ADDR_2"
set uuid 41b947f2-ebab-51eb-4e96-f09e4fef4ff8
set type ipmask
set comment ''
set associated-interface ''
set color 0
set allow-routing disable
set fabric-object disable
set subnet 172.16.1.0 255.255.255.0
next
end
config firewall addrgrp
edit "ADDR_GRP_1"
set type default
set uuid 18f16656-00ff-51ec-81a0-ac3f8c8e80fb
set member "ADDR_1" "ADDR_2"
set comment 'Some address group'
set exclude disable
set color 0
set fabric-object disable
next
end
config firewall ippool
edit "pool_198.51.100.1"
set type overload
set startip 198.51.100.1
set endip 198.51.100.1
set arp-reply enable
set arp-intf ''
set associated-interface ''
set cgn-client-ipv6shift 0
set comments 'NAT pool for VPN'
next
end
config firewall central-snat-map
edit 10
set uuid b99849e2-0b29-51ec-7e1e-6f6bcfd24d39
set status enable
set type ipv4
set srcintf "192.0.2.1"
set dstintf "INTRANET"
set orig-addr "10.1.0.1"
set dst-addr "all"
set protocol 0
set orig-port 0
set nat enable
set nat-ippool "pool_198.51.100.1"
set nat-port 0
set comments 'NAT rule for VPN'
next
end
config firewall policy
edit 10
set status enable
set name "RULE_10"
set uuid 0819b852-ebb4-51eb-210e-517744c1e41b
set srcintf "INTRANET"
set dstintf "192.0.2.1"
set srcaddr "ADDR_GRP_1"
set dstaddr "10.1.0.0_27"
set internet-service disable
set internet-service-src disable
unset reputation-minimum
set rtp-nat disable
set action accept
set schedule "always"
set schedule-timeout disable
set service "ALL_ICMP" "HTTP" "HTTPS" "SSH"
set tos-mask 0x00
set anti-replay enable
set dynamic-shaping disable
set utm-status disable
set inspection-mode flow
set profile-protocol-options "default"
set ssl-ssh-profile "no-inspection"
set logtraffic all
set logtraffic-start disable
set capture-packet disable
set auto-asic-offload enable
set np-acceleration enable
set permit-any-host disable
set permit-stun-host disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set disclaimer disable
set email-collect disable
set natip 0.0.0.0 0.0.0.0
set match-vip-only disable
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set dsri disable
set radius-mac-auth-bypass disable
set delay-tcp-npu-session disable
unset vlan-filter
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
next
end
config vpn ipsec phase1-interface
edit "192.0.2.1"
set type static
set interface "vl2001"
set ip-version 4
set ike-version 2
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set authmethod-remote psk
set peertype any
set net-device disable
set passive-mode disable
set exchange-interface-ip disable
set aggregate-member disable
set mode-cfg disable
set proposal aes256-sha1 aes256-sha256 aes128-sha256 des-sha1 aes256-md5 3des-sha1 aes256-sha384 aes128-sha1 aes192-sha1 3des-md5
set localid ''
set localid-type auto
set auto-negotiate enable
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-demand
set forticlient-enforcement disable
set comments "UNKNOWN"
set npu-offload enable
set dhgrp 14
set suite-b disable
set eap disable
set ppk disable
set wizard-type custom
set reauth disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set inbound-dscp-copy disable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set esn disable
set fragmentation-mtu 1200
set childless-ike disable
set rekey enable
set fec-egress disable
set fec-ingress disable
set network-overlay disable
set remote-gw 192.0.2.1
set monitor ''
set tunnel-search selectors
set add-gw-route disable
set psksecret ENC ENCRYPTEDSTRING
set psksecret-remote ENC ENCRYPTEDSTRING
set keepalive 10
set dpd-retrycount 3
set dpd-retryinterval 20
next
end
config vpn ipsec phase2-interface
edit "192.0.2.1_map_2"
set phase1name "192.0.2.1"
set proposal aes128-sha256
set pfs enable
set ipv4-df disable
set dhgrp 14
set replay enable
set keepalive disable
set auto-negotiate disable
set inbound-dscp-copy phase1
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation tunnel-mode
set comments ''
set initiator-ts-narrow disable
set diffserv disable
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 1800
set src-subnet 198.51.100.1 255.255.255.255
set dst-subnet 10.1.0.0 255.255.255.224
next
end
config router static
edit 1
set status enable
set dst 0.0.0.0 0.0.0.0
set gateway 198.51.100.128
set distance 1
set weight 0
set priority 0
set device "vl2001"
set comment "DEFAULT"
set blackhole disable
set dynamic-gateway disable
set sdwan disable
set dstaddr ''
unset internet-service
set internet-service-custom ''
set link-monitor-exempt disable
set bfd disable
next
edit 10
set status enable
set dst 10.1.0.0 255.255.255.224
set gateway 0.0.0.0
set distance 10
set weight 0
set priority 0
set device "192.0.2.1"
set comment 'Route over VPN'
set blackhole disable
set dynamic-gateway disable
set sdwan disable
set link-monitor-exempt disable
set bfd disable
next
end
"""
bf = Session()
bf.set_network("github-bug-report")
bf.init_snapshot_from_text(TXT)
# Verify that Batfish recognized the vendor format correctly
print(bf.q.fileParseStatus().answer())
# File_Name Status File_Format Nodes
# 0 configs/config PARTIALLY_UNRECOGNIZED FORTIOS ['fw01']
# Insert command(s) below to demonstrate the problem
print(bf.q.initIssues().answer())
Additional context
The configuration example is folded btw in the original post.
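A small triage helper for warnings like the ones in this report, added here as an example; it is not code from the Batfish project or from the issue author. It assumes two inputs: the FortiOS text that was passed to init_snapshot_from_text, and the initIssues() answer exported to CSV with the column layout the pasted rows have (index, Nodes, Source_Lines, Type, Details, Line_Text, Parser_Context; the header names are an assumption). Both inputs in the block are constructed, trimmed samples, not the configuration above. It shows two things: the csv module restores a Line_Text such as set alias "INTERNET" from the pasted "set alias ""INTERNET""", because a literal double quote inside a quoted CSV field is written as two; and walking the config/end and edit/next nesting maps each unrecognized line back to the FortiOS table it sits in, so you can see which tables (here the IPsec phase1-interface and phase2-interface tables) never reach Batfish's model and therefore cannot show up in reachability answers.

```python
# Added example, not Batfish project code or the issue author's code. Assumes:
# the FortiOS text given to init_snapshot_from_text, and the initIssues()
# answer exported to CSV with the column layout of the pasted rows (header
# names assumed). Both inputs below are constructed, trimmed samples.
import csv
import io
import re
from collections import Counter

# Constructed, trimmed FortiOS configuration (not the post's full config).
SAMPLE_CONFIG = """\
config vdom
edit root
next
end
config system interface
edit "vl2001"
set ip 198.51.100.254 255.255.255.0
set alias "INTERNET"
next
end
config vpn ipsec phase1-interface
edit "192.0.2.1"
set interface "vl2001"
set localid-type auto
next
end
config vpn ipsec phase2-interface
edit "192.0.2.1_map_2"
set encapsulation tunnel-mode
set dst-subnet 10.1.0.0 255.255.255.224
next
end
"""

# Constructed initIssues rows as CSV, in the shape of the rows in the post.
# A literal " inside a quoted CSV field is written as "", hence the doubling.
SAMPLE_ISSUES_CSV = '''\
,Nodes,Source_Lines,Type,Details,Line_Text,Parser_Context
0,,[configs/config:[1]],Parse warning,This syntax is unrecognized,config vdom,[s_config statement fortios_configuration]
1,,[configs/config:[8]],Parse warning,This syntax is unrecognized,"set alias ""INTERNET""",[fortios_configuration]
2,,[configs/config:[12]],Parse warning,This syntax is unrecognized,"edit ""192.0.2.1""",[fortios_configuration]
3,,[configs/config:[14]],Parse warning,This syntax is unrecognized,set localid-type auto,[fortios_configuration]
4,,[configs/config:[19]],Parse warning,This syntax is unrecognized,set encapsulation tunnel-mode,[fortios_configuration]
5,,[configs/config:[20]],Parse warning,This syntax is unrecognized,set dst-subnet 10.1.0.0 255.255.255.224,[fortios_configuration]
'''

# Matches Batfish's Source_Lines text, e.g. [configs/config:[315, 525]]
_SOURCE_LINES_RE = re.compile(r"\[([^:\[\]]+):\[([0-9, ]+)\]\]")


def _pop_until(stack, opener):
    # Pop the nearest block opened by `opener` ("config" or "edit"), if any.
    while stack and not stack.pop().startswith(opener + " "):
        pass


def block_paths(config_text):
    """Map each 1-based line number to its enclosing FortiOS block path.
    A config/edit line maps to the block it opens, other lines to their
    enclosing blocks; unbalanced closers are tolerated (truncated configs)."""
    stack, paths = [], {}
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        keyword = line.split(None, 1)[0]
        if keyword in ("config", "edit"):
            stack.append(line)
        paths[lineno] = " > ".join(stack)
        if keyword == "end":
            _pop_until(stack, "config")
        elif keyword == "next":
            _pop_until(stack, "edit")
    return paths


def parse_source_lines(field):
    """'[configs/config:[315, 525]]' -> ('configs/config', [315, 525])."""
    m = _SOURCE_LINES_RE.search(field)
    return (m.group(1), [int(n) for n in m.group(2).split(",")]) if m else (None, [])


def read_issues(csv_text):
    """Parse initIssues rows; the csv module undoes the "" escaping in Line_Text."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def locate_warnings(csv_text, config_text, details="This syntax is unrecognized"):
    """(line_no, block_path, line_text) for every unrecognized config line."""
    paths = block_paths(config_text)
    found = []
    for row in read_issues(csv_text):
        if row["Details"] != details:
            continue
        for n in parse_source_lines(row["Source_Lines"])[1]:
            found.append((n, paths.get(n, "<outside any block>"), row["Line_Text"]))
    return sorted(found)


def summarize_by_table(csv_text, config_text):
    """Unrecognized lines per innermost 'config ...' table: the FortiOS features
    that never reach Batfish's model, so traffic that depends on them (the IPsec
    tunnel here) cannot appear in reachability answers."""
    counts = Counter()
    for _, path, _ in locate_warnings(csv_text, config_text):
        tables = [p for p in path.split(" > ") if p.startswith("config ")]
        counts[tables[-1] if tables else "<outside any block>"] += 1
    return counts
```

To use it on a real snapshot, replace SAMPLE_CONFIG with the configuration file contents and SAMPLE_ISSUES_CSV with the DataFrame from bf.q.initIssues().answer().frame() written out with to_csv(), then print summarize_by_table(...).most_common(); any table with a non-zero count is one whose semantics Batfish's FortiOS model does not yet carry, and reachability results through those features should be treated as unknown rather than as "blocked".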