
In this section we assume that you have already created the command set that extracts the configuration you need. If not, see the article How-To Create a Compliance Policy in opConfig Step 1-b.

Parser files.

Non-structured command outputs need to be condensed and transformed before opConfig can make compliance assessments in an efficient manner. This operation is performed by any number of 'configuration parsers', small components (written in Perl) that act as Subject-matter Experts and digest the textual input into one precise, unambiguous and structured document that's minimal in the sense of only containing relevant facts and properties.

...

Code Block
FGVM04TM22002236 # show full-configuration system netflow
config system netflow
    set collector-ip 192.168.0.104
    set collector-port 2055
    set source-ip 192.168.0.105
    set active-flow-timeout 1800
    set inactive-flow-timeout 15
    set template-tx-timeout 1800
    set template-tx-counter 20
    set interface-select-method auto
end

Step 2.

...

Create the parser file.

Now we have to create the parser for the "show full-configuration system netflow" command. The easiest way to start is to copy the existing cisco-config.pm parser in /usr/local/omk/conf/config_parsers/ to fortigate-netflow.pm and replace its body.

...

Code Block
# this is a Fortigate "show full-configuration system netflow" parser for opconfig,
# which adds a config_features->netflow section to the config status document
our $VERSION = "1.0.0";

my %config;
# $input is supplied by opConfig and holds the complete output of
# "show full-configuration system netflow"
for my $line (split(/\r?\n/, $input))
{
    # Anchoring on "^\s*set <key> " means only the intended "set" line can match
    # (an unanchored /.*set source-ip/ would also match a key ending in "-source-ip");
    # (\S+) captures the value into $1
    if ($line =~ /^\s*set collector-ip (\S+)/)
    {
        $config{collectorip} = $1;    # e.g. 192.168.0.104
    }
    elsif ($line =~ /^\s*set collector-port (\S+)/)
    {
        $config{collectorport} = $1;
    }
    elsif ($line =~ /^\s*set source-ip (\S+)/)
    {
        $config{sourceip} = $1;
    }
    elsif ($line =~ /^\s*set active-flow-timeout (\S+)/)
    {
        $config{activeFtimeout} = $1;
    }
    elsif ($line =~ /^\s*set inactive-flow-timeout (\S+)/)
    {
        $config{inactFtimeout} = $1;
    }
    elsif ($line =~ /^\s*set template-tx-timeout (\S+)/)
    {
        $config{txtimeout} = $1;
    }
    elsif ($line =~ /^\s*set template-tx-counter (\S+)/)
    {
        $config{txcounter} = $1;
    }
    elsif ($line =~ /^\s*set interface-select-method (\S+)/)
    {
        $config{intmethod} = $1;
    }
}

return { config_features => { netflow => \%config } };
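The parser above hard-codes one regular expression per key. The FortiOS "show full-configuration" format is regular enough (config ... end, edit ... next, set key value..., unset key) that the same job can be done generically for any block, including nested edit entries and multi-value settings. The following is an added example written for this page, not opConfig's own code; it assumes the page's description of the parser contract (the command output arrives in $input and the parser returns a hash reference) and nothing else about opConfig. The interface block in the sample input is constructed for the example; the netflow block is the one captured above. Keys are normalised to plain identifiers (collector-ip becomes collector_ip) to stay clear of the bareword problem described in the warning further down.

```perl
#!/usr/bin/perl
# fortios-block-parser.pl: generic parser for FortiOS "show full-configuration"
# style output. Added example for this page; not part of opConfig.
use strict;
use warnings;
use JSON::PP;

# Turn a FortiOS config dump into nested hashes:
#   config system netflow ... end   -> {system_netflow => {...}}
#   edit "port1" ... next           -> {port1 => {...}} inside its config block
#   set key v1 v2                   -> key => "v1"  or  key => ["v1", "v2"]
#   unset key                       -> key => undef
sub parse_fortios {
    my ($text) = @_;
    my @lines = grep { /\S/ } split /\r?\n/, $text;
    # drop the echoed CLI prompt ("<hostname> # show ...") if the capture has one
    shift @lines if @lines && $lines[0] =~ /\s#\s+show\b/;
    my %root;
    _parse_block(\@lines, \%root);
    return \%root;
}

# Consume lines until the matching "end"/"next", filling $node in place.
sub _parse_block {
    my ($lines, $node) = @_;
    while (@$lines) {
        my $line = shift @$lines;
        $line =~ s/^\s+|\s+$//g;
        if ($line =~ /^config\s+(.+)$/) {
            my $name  = _key($1);      # save $1 before recursing: the recursion clobbers it
            my $child = {};
            _parse_block($lines, $child);
            $node->{$name} = $child;
        }
        elsif ($line =~ /^edit\s+(.+)$/) {
            my $name  = _unquote($1);  # entry names are data, keep them verbatim
            my $child = {};
            _parse_block($lines, $child);
            $node->{$name} = $child;
        }
        elsif ($line =~ /^(?:end|next)$/) {
            return;                    # block closed, hand control back to the parent
        }
        elsif ($line =~ /^set\s+(\S+)\s+(.*)$/) {
            my ($key, $raw) = ($1, $2);
            # split on whitespace but keep quoted strings (with \" escapes) intact
            my @values = map { _unquote($_) } $raw =~ /("(?:[^"\\]|\\.)*"|\S+)/g;
            $node->{ _key($key) } = @values == 1 ? $values[0] : \@values;
        }
        elsif ($line =~ /^unset\s+(\S+)/) {
            $node->{ _key($1) } = undef;
        }
        # anything else (prompts, stray text) is ignored
    }
}

# "collector-ip" / "system netflow" -> collector_ip / system_netflow
sub _key     { my ($k) = @_; $k =~ s/[\s-]+/_/g; return $k; }
# strip surrounding double quotes and backslash escapes
sub _unquote { my ($v) = @_; $v =~ s/^"(.*)"$/$1/s; $v =~ s/\\(.)/$1/g; return $v; }

# Constructed sample: the netflow block from this page plus a made-up interface
# block to exercise edit/next nesting, multi-value sets and quoted strings.
my $sample = <<'EOT';
FGVM04TM22002236 # show full-configuration system netflow
config system netflow
    set collector-ip 192.168.0.104
    set collector-port 2055
    set source-ip 192.168.0.105
    set active-flow-timeout 1800
    set inactive-flow-timeout 15
    set template-tx-timeout 1800
    set template-tx-counter 20
    set interface-select-method auto
end
config system interface
    edit "port1"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set alias "outside lan"
    next
end
EOT

print JSON::PP->new->pretty->canonical->encode(parse_fortios($sample));

# In an opConfig parser file the body would end with the hash reference, e.g.:
#   return { config_features => { fortios => parse_fortios($input) } };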

We can check that the file compiles with the following command. Note that perl -c only checks syntax; it does not run the parser, so a run-time error (such as the strict bareword error shown in the warning below) is not caught here.

Code Block
# perl -c fortigate-netflow.pm
fortigate-netflow.pm syntax OK
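Because perl -c does not execute the parser, it is worth running the file offline against a saved copy of the command output before touching opCommon.json. The script below is an added example for this page, not an opConfig tool. It assumes only what the page shows: the parser body sees the output in $input, returns a hash reference, and is evaluated under "use strict" (which is where the bareword error in the warning further down comes from). Wrapping the file in an anonymous sub is this script's own approximation of that loader, not opConfig's actual code.

```perl
#!/usr/bin/perl
# run-parser.pl: run an opConfig parser file offline against saved command output.
# Added example; not part of opConfig.
#
# usage: perl run-parser.pl /usr/local/omk/conf/config_parsers/fortigate-netflow.pm netflow.txt
use strict;
use warnings;
use JSON::PP;

my ($parser_file, $output_file) = @ARGV;
die "usage: $0 <parser.pm> <captured-command-output>\n"
    unless defined $parser_file && defined $output_file;

my $code  = slurp($parser_file);
my $input = slurp($output_file);

# Wrap the parser body in an anonymous sub so that its "return" works and
# $input is in scope. strict and warnings are switched on deliberately, since
# a parser that passes "perl -c" can still be rejected at run time under strict.
# The "#line" directive makes error messages point at the real file and line.
my $parser = eval "sub {\n"
           . "my \$input = shift;\n"
           . "use strict; use warnings;\n"
           . "#line 1 \"$parser_file\"\n"
           . "$code\n}";
die "parser failed to compile: $@" unless $parser;

my $result = eval { $parser->($input) };
die "parser died while running: $@" if $@;
die "parser must return a hash reference, got " . (ref($result) || 'a plain scalar') . "\n"
    unless ref $result eq 'HASH';

print JSON::PP->new->pretty->canonical->encode($result);

my @problems = check_document($result, '');
if (@problems) {
    print STDERR "problem: $_\n" for @problems;
    exit 1;
}
print STDERR "ok: document is well formed\n";

# Walk the returned structure and flag keys that are not plain identifiers and
# values left undefined (usually a regex that did not match the real output).
sub check_document {
    my ($node, $path) = @_;
    my @found;
    if (ref $node eq 'HASH') {
        for my $k (sort keys %$node) {
            push @found, "key '$path/$k' is not a plain identifier" if $k !~ /^\w+$/;
            push @found, check_document($node->{$k}, "$path/$k");
        }
    }
    elsif (ref $node eq 'ARRAY') {
        push @found, check_document($node->[$_], $path . "[$_]") for 0 .. $#$node;
    }
    elsif (!defined $node) {
        push @found, "value at '$path' is undefined";
    }
    return @found;
}

sub slurp {
    my ($file) = @_;
    open my $fh, '<', $file or die "cannot open $file: $!\n";
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}
```

Save the raw device output (for example the block shown in Step 1) to netflow.txt and run the script; the JSON it prints should match what export_config_status returns in Step 4. A parser that uses an unquoted hyphenated key, as in the warning below, fails at the "parser failed to compile" step with the same bareword message opConfig logs.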


Warning

To create parser files you need to know the basics of Perl programming and regular expressions.

Step 3. Add the parser file to opCommon.json.

Now we need to register fortigate-netflow.pm in opCommon.json. Each entry of opconfig_parsers is a pair: a regular expression that is matched against the command name, and the parser file path relative to /usr/local/omk/conf/. Anchor the expression with ^ and $ as shown, otherwise it would also match the other commands in the set that start with the same text ("show full-configuration" and "show full-configuration system interface" both appear in the debug output in Step 4). JSON does not allow comments, so do not annotate the file inline.

Code Block
# cd /usr/local/omk/conf/
# vi opCommon.json


Code Block
.
.
.
      "opconfig_url_base" : "",
      "opconfig_disable_ios_ssh_connection_discovery" : "false",
      "opconfig_parsers" : [
         [
            "^show full-configuration system netflow$",
            "config_parsers/fortigate-netflow.pm"
         ]
      ],
      "opconfig_queue_expire_after_seconds" : 691200,
      "opconfig_audit_import" : 1,
.
.
.

We can check that the file is still valid JSON with the following command (it prints the document if it parses and reports an error otherwise):

Code Block
# json_xs < opCommon.json

Note that all matching parsers will be applied for a particular command, in the order they are given in the configuration.

Step 4. Execute the update_config_status and export_config_status commands. 

To verify that your parser has correctly extracted the expected properties, update and then export the newest version of the node's config status document. In the debug output, the "found no config parser" lines for the other commands in the command set are expected: only the netflow command has a parser. The lines to look for are "running parser ... fortigate-netflow.pm" followed by "parser finished, merging results"; a parser that fails is reported with a "[warn] Config parser ... failed to execute" line instead.

Code Block
# /usr/local/omk/bin/opconfig-cli.pl act=update_config_status node=FortinetTest force=1 debug=9


Code Block
[root@localhost conf]# /usr/local/omk/bin/opconfig-cli.pl act=update_config_status node=FortinetTest force=1 debug=9
opconfig-cli.pl Version 3.420.0

Copyright (C) 2015 Opmantek Limited (www.opmantek.com)
This program comes with ABSOLUTELY NO WARRANTY;
See www.opmantek.com or email contact@opmantek.com

opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023

[2023-01-20 17:26:48.57293] [7905] [debug] new opConfig: require_db
[2023-01-20 17:26:48.71776] [7905] [debug] Creating NMISx
[2023-01-20 17:26:48.95578] [7905] [debug] getting newest config status for node FortinetTest
[2023-01-20 17:26:48.96042] [7905] [debug] Node status for FortinetTest needs updating
[2023-01-20 17:26:48.96154] [7905] [debug] found no config parser for command "diagnose ip address list" on node FortinetTest
[2023-01-20 17:26:48.96165] [7905] [debug] found no config parser for command "get system status" on node FortinetTest
[2023-01-20 17:26:48.96168] [7905] [debug] found no config parser for command "nmap -T4 -F" on node FortinetTest
[2023-01-20 17:26:48.96170] [7905] [debug] found no config parser for command "nmap -T4 -O -F --version-light" on node FortinetTest
[2023-01-20 17:26:48.96173] [7905] [debug] found no config parser for command "ping" on node FortinetTest
[2023-01-20 17:26:48.96176] [7905] [debug] found no config parser for command "show full-configuration" on node FortinetTest
[2023-01-20 17:26:48.96178] [7905] [debug] found no config parser for command "show full-configuration system interface" on node FortinetTest
[2023-01-20 17:26:48.96181] [7905] [debug] getting newest command output for show full-configuration system netflow
[2023-01-20 17:26:48.96393] [7905] [debug] newest command output for show full-configuration system netflow is in
[2023-01-20 17:26:48.96404] [7905] [debug] processing command show full-configuration system netflow, node FortinetTest, revision 1, input length 289, structured no
[2023-01-20 17:26:48.96451] [7905] [debug] running parser /usr/local/omk/conf/config_parsers/fortigate-netflow.pm for node FortinetTest and command "show full-configuration system netflow"
[2023-01-20 17:26:48.96492] [7905] [debug] parser finished, merging results
[2023-01-20 17:26:48.96511] [7905] [debug] found no config parser for command "traceroute" on node FortinetTest


Warning

Do not use "-" in an unquoted hash key in a parser file. Perl only auto-quotes a key that is a plain identifier, so $config{collector-ip} is parsed as collector - ip, two barewords, which "use strict" rejects. (An underscore is a valid identifier character, so $config{collector_ip} would compile.) Keep to plain names as in the parser above, or quote the key: $config{'collector-ip'}. Example of the mistake:


my %config;
for my $line (split(/\r?\n/,$input)) # the $input variable contains all the command output from show full-configuration system netflow
{
        if ($line =~ /.*set collector-ip (.+)/)  # the (.+) is the $1 variable
        {
                $config{collector-ip} = $1;    # WRONG: collector-ip is parsed as collector - ip
        }
}


Error you get from the update_config_status command (the parser is rejected at compile time, so nothing is extracted for the command):


[2023-01-20 17:41:31.89140] [9699] [debug] running parser /usr/local/omk/conf/config_parsers/fortigate-netflow.pm for node FortinetTest and command "show full-configuration system netflow"
[2023-01-20 17:41:31.89179] [9699] [warn] Config parser /usr/local/omk/conf/config_parsers/fortigate-netflow.pm failed to execute: Bareword "collector" not allowed while "strict subs" in use at (eval 1231) line 7.
Bareword "ip" not allowed while "strict subs" in use at (eval 1231) line 7.
Bareword "collector" not allowed while "strict subs" in use at (eval 1231) line 12.

Code Block
# /usr/local/omk/bin/opconfig-cli.pl act=export_config_status node=FortinetTest debug=true


Code Block
[root@localhost conf]# /usr/local/omk/bin/opconfig-cli.pl act=export_config_status node=FortinetTest debug=true
opconfig-cli.pl Version 3.420.0

Copyright (C) 2015 Opmantek Limited (www.opmantek.com)
This program comes with ABSOLUTELY NO WARRANTY;
See www.opmantek.com or email contact@opmantek.com

opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023

[2023-01-20 17:32:28.57037] [8596] [debug] new opConfig: require_db
[2023-01-20 17:32:28.71590] [8596] [debug] Creating NMISx
{
   "config_features" : {
      "netflow" : {
         "activeFtimeout" : "1800",
         "collectorip" : "192.168.0.104",
         "collectorport" : "2055",
         "inactFtimeout" : "15",
         "intmethod" : "auto",
         "sourceip" : "192.168.0.105",
         "txcounter" : "20",
         "txtimeout" : "1800"
      }
   }
}