
Script to Sync IPS Configs

manfernandez
Level 1

Good day,

First time posting a new question. I have many customers that have ASA in HA with dual SSM-10s or 20s. I want to know if anyone out there has a script already created that will:

1. Connect to the IPS running on the ACTIVE ASA and pull the config.

2. Run a 'Search AND Replace' for the specific IP address of the Sensor (e.g. 10.1.1.50/24 10.1.1.1) and replace it with the standby IPS' IP Address.

3. Run a 'Search AND Replace' for the 'host-name' and replace that with the standby's hostname.

4. Then TFTP the NEW config to the secondary IPS.

This would ensure that all the changes, exceptions, etc. are the same on both boxes. You could then run a cron that would do this regularly. I found this code snippet online and modified it. I am in the process of teaching myself Perl since I have seen the benefits of it, but for now I fumble along. I was able to get the first part to work. It matches the IP exactly as it appears there (would be nicer to be able to look for ANY string after the host-ip).

Thanks

Manny

****** SNIPPET *******

#!/usr/bin/perl

use strict;
use warnings;
use File::Find;

my $startdir = 'c:\ips-test';
my $find = 'host-ip 10\.1\.1\.50';
my $replace = 'host-ip 10.1.1.51';
my $doctype = 'txt';

print qq~Finding "$find" and replacing it with "$replace"\n~;

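find(
   sub{
      # Only process files with the chosen extension.
      return unless (/\.$doctype$/i);
      local @ARGV = $_;
      # Edit in place; the original is kept with a .bac suffix.
      local $^I = '.bac';
      while( <> ){
         # Rewrite the line if it matches, then write it back either way.
         s/$find/$replace/ig;
         print;
      }
}, $startdir);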

print "Finished";


manfernandez
Level 1

OK, here is the other piece to it. Now I am able to find and replace the IP and the hostname; however, the IP gets written twice.

I am just curious if others think this would be helpful.

#!/usr/bin/perl

use strict;
use warnings;
use File::Find;

my $startdir = 'c:\ips-test';
my $find = 'host-ip 10\.1\.1\.101';
my $replace = 'host-ip 10.1.1.102';
my $find2 = 'host-name corpips01';
my $replace2 = 'host-name corpips02';
my $doctype = 'txt';

print qq~Finding "$find" and replacing it with "$replace" and "$find2" with "$replace2" \n~;

find(
   sub{
      return unless (/\.$doctype$/i);
      local @ARGV = $_;
      local $^I = '.bac';
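      while( <> ){
         # A line matching $find is printed here...
         if( s/$find/$replace/ig ) {
            print;
         }
         # ...and again by the else branch below, because this second "if"
         # is independent of the first (it is not an elsif).
         if( s/$find2/$replace2/ig ) {
            print;
         }
         else {
            print;
         }
      }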
}, $startdir);
print "Finished";
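
An added example, not code from either post above: one way to do steps 2 and 3 so that any value after host-ip or host-name is replaced and every line is written exactly once. The standby values and the sample config lines are constructed for illustration, and the script refuses to emit output unless each value was rewritten exactly once.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Standby sensor values (constructed for this example).
my %standby = (
    'host-ip'   => '10.1.1.51/24 10.1.1.1',
    'host-name' => 'corpips02',
);

# Rewrite one config line: whatever value follows a keyword listed in
# %standby is replaced, so the active sensor's values are never hard-coded.
# Returns the line and the keyword that matched (undef if none did).
sub rewrite_line {
    my ($line) = @_;
    for my $key (sort keys %standby) {
        # Keep indentation and keyword; \Q..\E makes the keyword literal.
        return ($line, $key)
            if $line =~ s/^(\s*\Q$key\E\s+)\S.*$/$1$standby{$key}/;
    }
    return ($line, undef);
}

# Constructed sample lines, not a real sensor export.
my @config = (
    "service host\n",
    "network-settings\n",
    "host-ip 10.1.1.50/24 10.1.1.1\n",
    "host-name corpips01\n",
    "exit\n",
);

my (%hits, @out);
for my $line (@config) {
    my ($new, $key) = rewrite_line($line);
    $hits{$key}++ if defined $key;
    push @out, $new;            # each input line is emitted exactly once
}

# Refuse to produce output unless both values were rewritten exactly once;
# otherwise the standby would come up with the active sensor's identity.
for my $key (sort keys %standby) {
    my $n = $hits{$key} // 0;
    die "expected one $key line, found $n\n" unless $n == 1;
}
print @out;
```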

Hi

Using IPS ver. 7, I found that the following procedure will do the job:

-    FTP the CurrentConfig of the primary unit to an FTP server

-    FTP the unchanged config file on to the failover unit.

     In the process of overwriting the CurrentConfig, on the failover unit:

     you will be asked if you want to overwrite IP, and Hostname – don’t ;-)

#Would you like to replace existing network

#settings(host-ipaddress/netmask/gateway/access-list) on sensor before proceeding? [no]:

Peter,

I will take a look at that this week.  That sounds a lot more simple :-)
