Script to Sync IPS Configs

Unanswered Question
Nov 28th, 2009

Good day,


First time posting a new question. I have many customers that have ASA in HA with dual SSM-10 or 20s. I want to know if anyone out there has a script already created that will:


1. Connect to the IPS running on the ACTIVE ASA and pull the config.

2. Run a 'Search AND Replace' for the specific IP address of the Sensor (e.g. 10.1.1.50/24 10.1.1.1) and replace it with the standby IPS' IP Address.

3. Run a 'Search AND Replace' for the 'host-name' and replace that with the standby's hostname.

4. Then TFTP the NEW config to the secondary IPS.


This would ensure that all the changes, exceptions, etc. are the same on both boxes. You could then run a cron that would do this regularly. I found this code snippet online and modified it. I am in the process of teaching myself Perl since I have seen the benefits of it, but for now I fumble along. I was able to get the first part to work. It matches the IP exactly as it appears there (would be nicer to be able to look for ANY string after the host-ip).



Thanks


Manny



****** SNIPPET *******


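#!/usr/bin/perl
# Search and replace the sensor's host-ip line in every saved config
# file under $startdir, keeping a backup copy of each original.

use strict;
use warnings;
use File::Find;

my $startdir = 'c:\ips-test';
my $find = 'host-ip 10\.1\.1\.50';     # regex: dots escaped so they match literally
my $replace = 'host-ip 10.1.1.51';
my $doctype = 'txt';                   # only files with this extension are edited

print qq~Finding "$find" and replacing it with "$replace"\n~;

find(
   sub{
      return unless (/\.$doctype$/i);
      local @ARGV = $_;      # file for <> to read
      local $^I = '.bac';    # edit in place, original saved as <name>.bac
      while( <> ){
         s/$find/$replace/ig;
         print;              # every line is written back, changed or not
      }
}, $startdir);

print "Finished";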

manfernandez Sun, 11/29/2009 - 06:47

OK, here is the other piece to it. Now I am able to find and replace the IP and the hostname; however, the IP gets written twice.


I am just curious if others think this would be helpful.





#!/usr/bin/perl

use strict;
use warnings;
use File::Find;

my $startdir = 'c:\ips-test';
my $find = 'host-ip 10\.1\.1\.101';
my $replace = 'host-ip 10.1.1.102';
my $find2 = 'host-name corpips01';
my $replace2 = 'host-name corpips02';
my $doctype = 'txt';

print qq~Finding "$find" and replacing it with "$replace" and "$find2" with "$replace2" \n~;

find(
   sub{
      return unless (/\.$doctype$/i);
      local @ARGV = $_;
      local $^I = '.bac';
      while( <> ){
         if( s/$find/$replace/ig ) {
            print;
         }
         if( s/$find2/$replace2/ig ) {
            print;
         }
         else {
            print;
         }
      }
}, $startdir);
print "Finished";
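
Added example, not code from either post: one way to do steps 2 and 3 so that the host-ip line matches whatever value follows the keyword and every line is written exactly once (in the script above, a host-ip line is printed by the first "if" and again by the "else" of the second). The standby values, the sample config text and the rewrite_identity helper are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Standby sensor identity (constructed values; copy the exact value
# format from your own saved config).
my %standby = (
    'host-ip'   => '10.1.1.102/24,10.1.1.1',
    'host-name' => 'corpips02',
);

# Returns the rewritten text and a hashref of substitutions made per keyword.
sub rewrite_identity {
    my ($text, $new) = @_;
    my %count = map { $_ => 0 } keys %$new;
    my @out;
    for my $line (split /^/m, $text) {
        for my $key (keys %$new) {
            # Keyword at the start of the line (after indentation) followed
            # by ANY value; [^\r\n]* leaves the line ending untouched.
            if ($line =~ s/^([ \t]*\Q$key\E)[ \t]+[^\r\n]*/$1 $new->{$key}/) {
                $count{$key}++;
                last;
            }
        }
        push @out, $line;    # every line is emitted exactly once
    }
    return (join('', @out), \%count);
}

# Constructed sample of the identity section of a primary's config.
my $sample = <<'END';
service host
network-settings
host-ip 10.1.1.101/24,10.1.1.1
host-name corpips01
exit
END

my ($new_text, $count) = rewrite_identity($sample, \%standby);

# Stop unless each identity line was rewritten exactly once, so a copy that
# still carries the primary's address or name never reaches the standby.
for my $key (sort keys %standby) {
    die "expected exactly one '$key' line, found $count->{$key}\n"
        unless $count->{$key} == 1;
}
print $new_text;
```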

froekjaer Wed, 02/03/2010 - 21:19

Hi


Using IPS ver. 7, I found that the following procedure will do the job:

-    FTP the CurrentConfig of the primary unit to an FTP server

-    FTP the unchanged config file onto the failover unit.

     In the process of overwriting the CurrentConfig on the failover unit,
     you will be asked if you want to overwrite the IP and hostname – don’t ;-)


#Would you like to replace existing network

#settings(host-ipaddress/netmask/gateway/access-list) on sensor before proceeding? [no]:

manfernandez Tue, 05/25/2010 - 06:44

Peter,


I will take a look at that this week.  That sounds a lot more simple :-)
