Anyone has a standard backup policy for PIX?

Answered Question
Jul 2nd, 2007
Hi,

Would like to check if anyone has a standard backup procedure, meaning besides "sh run, sh ver", what other commands are recommended when doing a backup of the PIX configuration?


Thanks in advance,

Cindy

Correct Answer
srue Mon, 07/02/2007 - 07:22

I wrote some Perl scripts I run from a Unix box that execute the 'write net' command on all my PIXes using a cron job. I'm sure most other people use some sort of commercial backup though.

To use the 'write net' command you first have to configure your TFTP server using the tftp-server command.

eg:

    firewall(config)# tftp-server inside ?

    configure mode commands/options:
      Hostname or A.B.C.D     The IP address or name of the TFTP server
      Hostname or X:X:X:X::X  The IPv6 address or name of the TFTP server
    firewall(config)# tftp-server inside 192.168.1.1 ?

    configure mode commands/options:
      WORD < 127 char  The path and filename of the configuration file

RAPHAEL KRUCZKOWSKI Mon, 07/02/2007 - 23:32

Hi,


Don't use 'sh run' when trying to do a backup. The preshare keys for VPNs are not displayed on the PIX. 'wr net' with a tftp server is a better option.


In our company we have several 501's and don't back up each one, just write down the parameters in a database.


Raphael

srue Tue, 07/03/2007 - 09:51

Here is my script. It first reads all my PIX IPs from a file, then uses those as input to run through the script for each one. If you don't know Perl (or any other language) this might not make sense. I use a second script to tar up all of my IOS and PIX configs, where they are then transferred to yet another server for long-term tape backup.


    #!/usr/bin/perl -w
    # Written by SRUE
    # This script backs up all Cisco PIX devices via TFTP.

    use Net::Telnet::Cisco;

    $passwd = 'password';
    $enable_passwd = 'password';

    # Read the list of PIX addresses, one per line.
    open (HOSTS, "/usr/local/apache2/htdocs/db/pixhosts.db")
        or die "cannot open host list: $!";
    @hosts = <HOSTS>;
    chomp (@hosts);

    foreach $pix (@hosts)
    {
        # Log in over telnet, enter enable mode, then save the config
        # locally ('write mem') and to the configured TFTP server ('write net').
        my $session = Net::Telnet::Cisco->new(Host => $pix, Timeout => 30);
        $session->prompt('/[\$%#>] $/');
        $session->login('username', $passwd);
        $session->enable($enable_passwd);
        $session->cmd("write mem\nwrite net\n");
    }

    close (HOSTS);


------------------

There's more to it than all this. I also wrote a web page where I can add/delete new IOS or PIX devices. I use Perl/CGI to add those entries to their respective files where Perl reads them and backs them all up.

(btw, I really don't know much Perl, just the bare minimum imo.)
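
A follow-up check for the cron job described in this thread, as an added example that is not part of any poster's script: it confirms that each PIX in the host list delivered a complete, recent config over TFTP, then copies it into an owner-only archive, since the replies above note that the `write net` file carries the VPN pre-shared keys that `sh run` does not show. The `<host>.cfg` file naming, the archive directory and the function name `check_backups` are assumptions.

```shell
#!/bin/sh
# Added example, not srue's script. Assumed layout: the host list holds one
# PIX address per line and each PIX's tftp-server path is <host>.cfg.

# check_backups HOSTS_FILE TFTP_DIR ARCHIVE_DIR MAX_AGE_MINUTES
# Prints one status line per host; exit status is the number of hosts whose
# backup is missing, stale or truncated. Runs in a subshell so the umask
# change does not leak into the caller.
check_backups() (
    hosts_file=$1 tftp_dir=$2 archive_dir=$3 max_age=$4
    failed=0
    stamp=$(date +%Y%m%d)
    umask 077                  # the configs contain VPN pre-shared keys
    mkdir -p "$archive_dir" || exit 255
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in
            '' | '#'*) continue ;;                       # blank or comment
            *[!A-Za-z0-9.:_-]*)                          # not a plain host/IP
                echo "BADNAME $host"; failed=$((failed + 1)); continue ;;
        esac
        cfg=$tftp_dir/$host.cfg
        if [ ! -s "$cfg" ]; then
            echo "MISSING $host"; failed=$((failed + 1)); continue
        fi
        if [ -z "$(find "$cfg" -mmin "-$max_age")" ]; then
            echo "STALE $host"; failed=$((failed + 1)); continue
        fi
        # TFTP has no integrity check; a full PIX config ends with ": end".
        if ! grep -q '^: end' "$cfg"; then
            echo "TRUNCATED $host"; failed=$((failed + 1)); continue
        fi
        dest=$archive_dir/$host-$stamp.cfg
        cp "$cfg" "$dest" && chmod 600 "$dest" || exit 255
        # Empty the TFTP copy instead of deleting it: the keys leave the
        # TFTP root, and a tftpd that only writes existing files still works.
        : > "$cfg"
        echo "OK $host"
    done < "$hosts_file"
    exit "$failed"
)
```

Run it from cron after the backup job, for example `check_backups pixhosts.db /tftpboot /var/backups/pix 120`, and alert on a non-zero exit status.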
