forked from atasco/fortigate_scripts
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathfg_vpn
More file actions
executable file
·127 lines (98 loc) · 2.91 KB
/
Copy pathfg_vpn
File metadata and controls
executable file
·127 lines (98 loc) · 2.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#!/usr/bin/expect -f
# —————- -————— #
# by aH - 2014 #
# #
# —————- -————— #
# —————- configuration —————- #
set username admin
set hostname fortigate
set fgpd fgpd.enc
set cfg_dir ./etc
set log_dir ./logs
set log_name fg_vpn.log
exp_internal 0
log_user 0
# —————- don't change below here —————- #
set enc_fgpd $cfg_dir/$fgpd
set timeout 9
set send_slow {10 .001}
# —————- check passed parameters —————- #
if {[llength $argv] < 3} {
send_user "\nERROR: Faltan Argumentos\n"
send_user "========================\n"
send_user "USO: fg_vpn <VPN> <ACTIVACION> <KEY>\n\n"
send_user "VPN: IDENTIFICADOR de la VPN\n"
send_user "ACTIVACION: ON o OFF\n"
send_user "KEY: LLAVE de CIFRADO\n"
send_user "\n"
exit 1
}
if { [lindex $argv 0] ne "" } {
set vpnid [lindex $argv 0]
} else {
send_user "\nERROR: Argumentos Erroneos\n"
send_user "==========================\n"
send_user "VPN NO VALIDA\n"
send_user "\n"
exit 1
}
if { [lindex $argv 1] eq "ON" } {
set status enable
set flag HABILITADA
} elseif { [lindex $argv 1] eq "OFF" } {
set status disable
set flag DESHABILITADA
} else {
send_user "\nERROR: Argumentos Erroneos\n"
send_user "==========================\n"
send_user "MODO DE ACTIVACION INCORRECTO\n"
send_user "\n"
exit 1
}
if { [lindex $argv 2] ne "" } {
set key [lindex $argv 2]
} else {
send_user "\nERROR: Argumentos Erroneos\n"
send_user "==========================\n"
send_user "KEY NO VALIDA\n"
send_user "\n"
exit 1
}
# ————– password decrypt ————– #
proc password_decrypt filename {
global key
catch {exec openssl des3 -d -salt -in $filename -k $key} dpd
return $dpd
}
# ————– ssh login ————– #
set password [password_decrypt $enc_fgpd]
spawn ssh -q -o StrictHostKeyChecking=no $username@$hostname
expect {
timeout { send_user "\nTimeout SSH\n"; exit 1 }
eof { send_user "\nFallo SSH para $hostname\n"; exit 1 }
"*assword:" { send "$password\r" }
}
# ————– vpn policy change ————– #
set fp [open $cfg_dir/$vpnid r]
while {[gets $fp policyid] != -1} {
expect "* #"
send "config firewall policy\r"
expect "*(policy) #"
send "edit $policyid\r"
expect "*($policyid) #"
send "set status $status\r"
expect "*($policyid) #"
send "end\r"
}
close $fp
expect {
"* #" { send "exit\r" }
}
# ————– logging and script data return ————– #
send_user "\nVPN $vpnid $flag\n"
log_file -a $log_dir/$log_name
send_log "### /START-SESSION/ IP: $hostname @ [exec date] ###\n"
send_log "VPN $vpnid $flag\n"
send_log "### /END-SESSION/ IP: $hostname @ [exec date] #####\n\n"
close
# EOF