# SSH/TELNET Orchestration — primer

Help Center primer for the MÓDULO CLI.Art SSH/TELNET orchestrator.
## What it does

Lets the dashboard run interactive shell commands on NGFWs, switches and servers via OOBI. Supports SSH (preferred) and TELNET (legacy). Used for:

- Inventory collection — show-version, show-config, interface state
- Troubleshooting — operator-driven CLI from the dashboard
- Lifecycle — push config snippets in a write-mode window
- Audit trail — every keystroke + redacted output stored
## Vendor support (SSH-4)

7 vendors out of the box:

- Cisco IOS-XE
- Cisco NX-OS
- Cisco FTD (FDM)
- Fortinet FortiOS
- PAN-OS
- Juniper Junos
- VyOS
Each profile carries prompt-detection regex + 7 canonical commands (show-version / show-config / show-interfaces / show-routes / show-bgp-summary / enter-config-mode / exit-config-mode).
## Read-only by default (SSH-6)
Every session starts read-only. To run any state-changing command the operator must unlock write mode — granting a time-boxed window (default 5 min). Window auto-expires; renew if you need more time.
The classifier recognizes common write verbs: configure, set,
delete, commit, write, copy run start, reload.
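The gating described above, as an added example that is not the orchestrator's own code: a write-verb classifier anchored at the start of the command (so `show ... | include set` stays read-only), plus a session object that starts locked, opens a time-boxed write window with an audited reason, and refuses write verbs once the window has expired. Passing `now` explicitly keeps the expiry logic testable. The `conf` and `run`/`start` abbreviations accepted by the regex are an assumption about the real classifier.

```python
import re
import time
from dataclasses import dataclass, field
from typing import List, Tuple

# Write verbs from the primer: configure, set, delete, commit, write,
# copy run start, reload. Anchored at line start so read-only commands whose
# output filters mention "set" are not misclassified. The abbreviated forms
# (conf, run, start) are an assumption, not taken from the project.
WRITE_VERB_PATTERNS = [
    r"conf(?:igure)?(?:\s|$)",
    r"set\s",
    r"delete\s",
    r"commit(?:\s|$)",
    r"write(?:\s|$)",
    r"copy\s+run(?:ning-config)?\s+start(?:up-config)?(?:\s|$)",
    r"reload(?:\s|$)",
]
_WRITE_RE = re.compile(r"^\s*(?:" + "|".join(WRITE_VERB_PATTERNS) + r")", re.IGNORECASE)


def is_write_command(cmd: str) -> bool:
    """True when the command would change device state."""
    return _WRITE_RE.match(cmd) is not None


class WriteModeLocked(PermissionError):
    """Raised when a write verb is sent while the session is read-only."""


@dataclass
class Session:
    host: str
    window_s: float = 300.0      # default 5 min write window
    write_until: float = 0.0     # deadline on the caller's clock; 0 = locked
    audit: List[Tuple] = field(default_factory=list)

    def unlock_write(self, operator: str, reason: str, now: float) -> float:
        """Open (or renew) the time-boxed write window; the reason is audited."""
        self.write_until = now + self.window_s
        self.audit.append(("unlock", operator, reason, now))
        return self.write_until

    def lock(self, operator: str, now: float) -> None:
        """Explicit 'Lock' click: close the window immediately."""
        self.write_until = 0.0
        self.audit.append(("lock", operator, now))

    def write_mode_active(self, now: float) -> bool:
        return now < self.write_until

    def authorize(self, cmd: str, now: float) -> str:
        """Return 'read' or 'write' if the command may run; raise otherwise.

        Every decision, including denials, lands in the audit trail.
        """
        kind = "write" if is_write_command(cmd) else "read"
        if kind == "write" and not self.write_mode_active(now):
            self.audit.append(("denied", cmd, now))
            raise WriteModeLocked(f"{cmd!r} needs write mode on {self.host}")
        self.audit.append((kind, cmd, now))
        return kind


if __name__ == "__main__":
    s = Session("fw1")
    t0 = time.monotonic()
    print(s.authorize("show version", now=t0))             # read
    s.unlock_write("alice", "CHG-1234 add ACL", now=t0)
    print(s.authorize("configure terminal", now=t0 + 1))   # write
    print(s.write_mode_active(now=t0 + 301))               # False: window expired
```

Renewal is just another `unlock_write` call; because the deadline is recomputed from `now`, a renewal cannot extend the window beyond one full `window_s` from the moment of renewal.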
## Concurrency limits (SSH-8)
NGFW management planes typically allow 5-10 simultaneous shells. The orchestrator's per-host semaphore defaults to 2 concurrent sessions per host to leave room for the on-call operator.
## Audit trail

Every session captures:

- Full command transcript with secrets redacted (SSH-7)
- Before/after config diff for write-mode sessions (SSH-10)
- Session state-machine history (SSH-5)
- Retry attempts + error classification (SSH-11)
Secrets redacted by default: SNMP community, BGP neighbor password,
enable secret, username password, TACACS/RADIUS key, IPSec PSK,
FortiOS set password. Extend DEFAULT_PATTERNS to add more.
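A redaction pass over a constructed transcript, added here as an example and not the orchestrator's own `DEFAULT_PATTERNS`: one regex per secret type in the default list above (group 1 keeps the keyword, group 2 is replaced), applied line by line so the audit copy keeps its structure, with a per-line report of what was redacted. The exact wording of the real patterns is an assumption; the sample config lines are constructed.

```python
import re
from typing import List, Tuple

REDACTED = "<REDACTED>"

# Constructed pattern set covering the primer's default list. The orchestrator's
# real DEFAULT_PATTERNS may be worded differently (assumption). Each entry is
# (regex, label); group 1 is kept, the following token is replaced.
DEFAULT_PATTERNS: List[Tuple[str, str]] = [
    # SNMP community (IOS-XE / NX-OS)
    (r"(snmp-server community\s+)(\S+)", "SNMP community"),
    # BGP neighbor password, with optional encryption-type digit
    (r"(neighbor\s+\S+\s+password\s+(?:\d\s+)?)(\S+)", "BGP neighbor password"),
    # enable secret / enable password
    (r"(enable (?:secret|password)\s+(?:\d\s+)?)(\S+)", "enable secret"),
    # username ... [privilege N] password|secret [type] <value>
    (r"(username\s+\S+\s+(?:privilege\s+\d+\s+)?(?:password|secret)\s+(?:\d\s+)?)(\S+)",
     "username password"),
    # TACACS/RADIUS key on a tacacs-server / radius-server line
    (r"((?:tacacs|radius)-server\s+.*?\bkey\s+(?:\d\s+)?)(\S+)", "TACACS/RADIUS key"),
    # IPSec PSK, IKEv1 and IKEv2 keyring forms
    (r"(crypto isakmp key\s+(?:\d\s+)?)(\S+)", "IPSec PSK"),
    (r"(pre-shared-key\s+(?:(?:local|remote)\s+)?)(\S+)", "IPSec PSK"),
    # FortiOS: set password ENC <blob> / set psksecret ENC <blob>
    (r"(set (?:password|psksecret)\s+(?:ENC\s+)?)(\S+)", "FortiOS set password"),
]

_COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in DEFAULT_PATTERNS]


def redact_with_report(text: str) -> Tuple[str, List[Tuple[int, str]]]:
    """Redact secrets line by line; return (clean_text, [(line_no, label), ...])."""
    lines = text.splitlines(keepends=True)
    report: List[Tuple[int, str]] = []
    for i, line in enumerate(lines, start=1):
        for rx, label in _COMPILED:
            line, n = rx.subn(r"\g<1>" + REDACTED, line)
            if n:
                report.append((i, label))
        lines[i - 1] = line
    return "".join(lines), report


def redact(text: str) -> str:
    return redact_with_report(text)[0]


# Constructed IOS-style transcript with secrets that must not reach the audit store.
SAMPLE_TRANSCRIPT = """\
fw1# show running-config
snmp-server community s3cr3tRO RO
enable secret 5 $1$abcd$hashvalue
username admin privilege 15 secret 9 $9$longhash
tacacs-server host 10.0.0.5 key 7 0822455D0A16
crypto isakmp key MyPskValue address 203.0.113.1
router bgp 65001
 neighbor 10.0.0.2 password 7 0822455D0A16
interface GigabitEthernet1
 description uplink to core
"""

# Constructed FortiOS fragment.
FORTIOS_SAMPLE = """\
config system admin
    edit "admin"
        set password ENC SH2abcdefghijklmnop
    next
end
config vpn ipsec phase1-interface
    edit "to-hq"
        set psksecret ENC XYZ123
    next
end
"""

if __name__ == "__main__":
    clean, report = redact_with_report(SAMPLE_TRANSCRIPT)
    print(clean)
    print(report)
    print(redact(FORTIOS_SAMPLE))
```

Applying the patterns per line rather than to the whole transcript keeps `.*?` from spanning lines, and the report gives the audit record a count of redactions without storing the secret itself.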
## Common workflows

### Inventory sweep (read-only)

```
ansible-playbook -i inventory ansible/templates/playbooks/ngfw-inventory-collect.yml
```
→ writes artifacts/inventory/<host>.json per host. Phase 1 of the
staging wizard consumes this.
### Quick show-version check
UI button on each host row in the dashboard inventory page. No write-mode unlock needed.
### Push a config change

- Open the session (read-only)
- Click "Unlock write mode" and provide a reason (audit trail)
- Run `configure terminal` + your snippet
- Dashboard renders the config diff
- Session auto-locks after 5 min OR on an explicit "Lock" click
## Connection issues

| Error class | Retriable? | What to do |
|---|---|---|
| auth | no | Check vault credentials, hostkey fingerprint |
| hostkey | no | Re-pin via `ssh-keyscan -t rsa <host>` |
| transient (ECONNRESET, ETIMEDOUT, etc.) | yes | Orchestrator auto-retries up to 4 attempts with exponential backoff |
| unknown | no | Conservative — inspect logs, file an issue |
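The retry policy in the table, as an added example that is not the orchestrator's code: exceptions are mapped to the four classes, only `transient` is retried, the attempt cap is 4, and the delay doubles each round. The `AuthError` and `HostKeyMismatch` types and the `make_flaky` connector are constructed stand-ins for whatever the real SSH/TELNET driver raises; the sleep function is injectable so the backoff schedule can be checked without waiting.

```python
import errno
import socket
import time
from dataclasses import dataclass, field
from typing import Any, Callable, List, Optional, Tuple

RETRY_MAX_ATTEMPTS = 4   # the primer's "up to 4 attempts"


# Assumed exception types standing in for the real driver's errors.
class AuthError(Exception):
    """Credentials rejected by the device."""


class HostKeyMismatch(Exception):
    """Presented host key does not match the pinned fingerprint."""


_TRANSIENT_ERRNOS = {errno.ECONNRESET, errno.ETIMEDOUT, errno.ECONNREFUSED, errno.EHOSTUNREACH}


def classify(exc: BaseException) -> Tuple[str, bool]:
    """Map an exception to (error_class, retriable) following the table above."""
    if isinstance(exc, AuthError):
        return "auth", False
    if isinstance(exc, HostKeyMismatch):
        return "hostkey", False           # never retry: a changed key needs a human
    if isinstance(exc, (socket.timeout, TimeoutError, ConnectionResetError)):
        return "transient", True
    if isinstance(exc, OSError) and exc.errno in _TRANSIENT_ERRNOS:
        return "transient", True
    return "unknown", False               # conservative: do not retry what we do not understand


@dataclass
class Outcome:
    ok: bool
    attempts: int
    error_class: Optional[str]
    history: List[Tuple[int, str, str]] = field(default_factory=list)  # (attempt, class, repr)
    value: Any = None


def connect_with_retry(connect: Callable[[], Any],
                       max_attempts: int = RETRY_MAX_ATTEMPTS,
                       base_delay: float = 0.5,
                       max_delay: float = 8.0,
                       sleep: Callable[[float], None] = time.sleep) -> Outcome:
    """Call connect() until it succeeds, retrying only transient failures."""
    history: List[Tuple[int, str, str]] = []
    for attempt in range(1, max_attempts + 1):
        try:
            return Outcome(True, attempt, None, history, connect())
        except Exception as exc:
            cls, retriable = classify(exc)
            history.append((attempt, cls, repr(exc)))
            if not retriable or attempt == max_attempts:
                return Outcome(False, attempt, cls, history)
            sleep(min(max_delay, base_delay * 2 ** (attempt - 1)))   # 0.5, 1, 2, ...
    return Outcome(False, 0, None, history)   # only reached when max_attempts < 1


def make_flaky(fail_times: int, exc_factory: Callable[[], Exception]) -> Callable[[], str]:
    """Constructed connect() stand-in: raises exc_factory() for the first fail_times calls."""
    calls = {"n": 0}

    def connect() -> str:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise exc_factory()
        return f"session-after-{calls['n']}-attempts"

    return connect


if __name__ == "__main__":
    delays: List[float] = []
    out = connect_with_retry(make_flaky(2, lambda: ConnectionResetError("reset")), sleep=delays.append)
    print(out.ok, out.attempts, delays)          # True 3 [0.5, 1.0]
    out = connect_with_retry(make_flaky(1, lambda: AuthError("denied")), sleep=delays.append)
    print(out.ok, out.error_class, out.history)  # False auth [(1, 'auth', ...)]
```

The `history` list is what the audit trail's "retry attempts + error classification" entry would store; note that it records `repr(exc)`, so any driver that embeds credentials in its error messages would need the redaction pass applied here too.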