
Automating Backup of Config

Mike Kwilosz
Level 1

I'm looking to set up a way to back up the configuration of my C370s. Currently I know how to do so manually through the GUI. Is there a way to automate this and back it up through the CLI? I was searching through the CLI yesterday but I couldn't find what the command was to save the config out. I would assume if I could find the command I could set up a job through our Kiwi CatTools to do so. Let me know if anyone knows how to do this or if you've found another way to do this effectively.

Thanks,

Mike

2 Accepted Solutions


Hi Mike,

There are actually a couple of ways to do this.

You can back up the configuration from the CLI using the command saveconfig. You can load a configuration file using the command loadconfig. I would run those commands first just so you can see the process. Basically you can script something around these commands that would get the job done.

We also have a nice knowledgebase article that covers this subject as well. The approach is a little different but the results are the same.

How can I schedule or automate the backup of my appliance's XML configuration file? Where does it reside? How do I do a scheduled backup of the configuration file from a Windows system?

Environment:

- ESA with AsyncOS 6.x or later.
- A designated host for initiating and storing backups.

NOTES:

Some familiarity with OS scripting and task scheduling is necessary to understand and safely implement these tasks. Please understand that many of these concepts are outside of the scope of IronPort customer support and these sample scripts are certainly not supported. While these steps have been successfully tested, this article is primarily for demonstration and illustration purposes.

The configuration file is dynamically generated when using the save or mail configuration tools from the CLI or GUI. To have an effective backup, it's best to "unmask" the passwords, which allows the appliance to place a hashed form of the passwords for the local administrative accounts in the configuration file. For this reason, we cannot simply copy a flat "running configuration" file from the device. This method allows us to first access the appliance, issue a command to dynamically build the current configuration, and either save or mail a copy of this file somewhere remotely, without any user intervention. Once this is accomplished, we can then repeat or schedule this task to occur on a regular basis.

To quickly and automatically back up configuration files with passwords unmasked:

1) Generate an SSH keypair to use. Verify that you can access your appliance via SSH without having to manually enter a password. Details on this operation can be found in KB article #283.

2) Create a script to log in to the appliance, save the config, and copy it (or mail it). Two such simple examples written in BASH:

Example #1: Saving the configuration to a specified host
#!/bin/bash
# Saves the config on the appliance, then copies it locally via SCP
# to a directory called ironport/config-backups.
HOSTNAME=test.com
USERNAME=admin
# saveconfig prints a line containing the new .xml file name; take its third field.
FILENAME=$(ssh "$USERNAME@$HOSTNAME" "saveconfig yes" | grep xml | cut -f 3 -d " ")
scp "$USERNAME@$HOSTNAME:./configuration/$FILENAME" ./ironport/config-backups/.

Example #2: Emailing the configuration to an email address
#!/bin/bash
# Mails the config to MAILDEST.
HOSTNAME=mx.test.com
USERNAME=admin
MAILDEST=backups@test.com
# Double quotes so that $MAILDEST is expanded locally before the command is sent.
ssh "$USERNAME@$HOSTNAME" "mailconfig $MAILDEST yes"

NOTE: Similar logic can be applied in any OS scripting language such as VB or batch scripts for Windows. These scripts are intended as rudimentary examples only.

3) Use cron or AT or a similar scheduling tool to kick off the job regularly. Services like cron or Windows task scheduler are easy tools that can be used to automate simple jobs like this. For instance, the *NIX CRON config file typically follows this format:

minute (0-59), hour (0-23, 0 = midnight), day (1-31), month (1-12), weekday (0-6, 0 = Sunday), command

So a good example entry to run this script every day at 2:00 AM would look like:
00 02 * * * /location/your_script.sh



Alternatively, here is another method of automating a configuration backup.

How do I do a scheduled backup of the configuration file from a Windows system?

With the following procedure, you can back up the configuration file regularly from a Windows system.

1. Install the terminal emulator "putty" under C:\

2. Create a text file with the following line, name it "send_config.txt" and place it under C:\ (Change example@example.com to the email address you would like the configuration file to be sent to.)

mailconfig example@example.com

3. Create a text file with the following lines, name it "send_config_batch.bat" and place it under C:\
(Change the "hostname" to the resolvable hostname or the IP address of your appliance and the "password" to your actual password for the admin account.)

C:\putty.exe -ssh hostname -l admin -pw password -m C:\send_config.txt
exit

4.  Add the "send_config_batch.bat" to the Windows' scheduled task.

The Configuration file will be sent to the address specified in the "send_config.txt".

Hope this helps!

Christopher C Smith

CSE
Cisco IronPort Customer Support 
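
An added example, not part of the original post or of Cisco's KB article: a hardened variant of Example #1 that checks the file name taken from the saveconfig output before it reaches scp, and keeps the backup readable by its owner only, since the unmasked file carries password hashes. It assumes key-based SSH login already works, that the appliance's host key is already in known_hosts, and that saveconfig prints the new name as the third space-separated field (as the original `cut` implies); the function names and the sample output line are constructed.

```shell
#!/bin/bash
# Added example (not Cisco's script). POSIX sh compatible.
export LC_ALL=C     # keep the character ranges below ASCII-only

# Constructed sample of saveconfig output; serial and timestamp are made up.
SAMPLE_OUTPUT='The file C370-EXAMPLE-20110829T020000.xml has been saved in the configuration directory.'

# Fail instead of prompting under cron, and refuse an unknown host key.
SSH_OPTS='-o BatchMode=yes -o StrictHostKeyChecking=yes'

# Reads saveconfig output on stdin and prints the file name only if it is a
# plain .xml base name. Empty names, path separators and shell
# metacharacters are rejected so they never reach the scp command line.
extract_config_name() {
    cfg_name=$(grep '\.xml' | head -n 1 | cut -d ' ' -f 3)
    case $cfg_name in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *.xml) printf '%s\n' "$cfg_name" ;;
        *) return 1 ;;
    esac
}

# backup_config HOST USER DESTDIR
# Runs in a subshell so the umask change does not leak into the caller.
backup_config() (
    host=$1 user=$2 dest=$3
    umask 077                       # config holds password hashes
    mkdir -p "$dest" || exit 1
    # $SSH_OPTS is left unquoted on purpose so it splits into options.
    out=$(ssh $SSH_OPTS "$user@$host" "saveconfig yes") || exit 1
    name=$(printf '%s\n' "$out" | extract_config_name) ||
        { echo "unexpected saveconfig output" >&2; exit 1; }
    scp $SSH_OPTS "$user@$host:configuration/$name" "$dest/$name" || exit 1
    [ -s "$dest/$name" ] || { echo "empty backup: $name" >&2; exit 1; }
    printf '%s\n' "$dest/$name"
)

# With three arguments, do a real backup (for example from cron);
# otherwise parse the constructed sample as an offline demonstration.
if [ "$#" -eq 3 ]; then
    backup_config "$@"
else
    printf '%s\n' "$SAMPLE_OUTPUT" | extract_config_name
fi
```

A non-zero exit from cron then means either the login failed or the appliance printed something other than a single, well-formed file name.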


I came here with the same issue and adapted some items to work for me in my Windows environment.

I also have 6 Ironports, some require SSHv1, some SSHv2 and one is the IEA which is different yet again.

I'll share my scripts, please let me know if you have questions on them as I did not document it all.

Schedule this BAT file below to run as often as you require. It will connect to a device that you tell it to, and backup the config then FTP the file back to the server.

Some of my older devices require SSHv1 still, so I check if the device supports v2, and connect that way, otherwise if not specified, fall back to v1. I also have an Encryption appliance, so that is all done via Linux commands, that is the "iea" device. I was using public/private keys, but since I needed the password via FTP, I scrapped the key part.

BAT FILE:

@ECHO off
setlocal ENABLEDELAYEDEXPANSION
SET FTPCONFIG=%1FTP.txt
SET PLINK="C:\Program Files (x86)\PuTTY\plink.exe"
SET PSCP="C:\Program Files (x86)\PuTTY\pscp.exe"

::DATE - Sets %newdate% variable = yyyymmdd
for /f "tokens=2-4 delims=/ " %%a in ('date /t') do set NEWDATE=%%c%%a%%b

::GENERATE CONFIG FILE -2 FOR SSH v2 DEVICES
IF %1==ironport.congressionalfcu.org (
                %PLINK% -pw "password" -2 backup@%1 "saveconfig 0"
) ELSE IF %1==wsa (
                %PLINK% -pw "password" -2 backup@%1 "saveconfig 0"
) ELSE IF %1==iea (
                %PLINK% -pw "password" -2 admin@%1 "sudo rm -f /backup/server-*.tgz"
                %PLINK% -pw "password" -2 admin@%1 "sudo tar zcf /backup/server-%NEWDATE%.tgz /usr/local/postx/server"
                %PSCP% -pw "password" -2 admin@%1:/backup/server-%NEWDATE%.tgz "d:\SolarWinds\Configuration Management\Config-Archive\IEA\server-%NEWDATE%.tgz"
                GOTO EXIT
) ELSE (
                REM Any other device: fall back to SSH v1
                %PLINK% -pw "password" -1 backup@%1 "saveconfig 0"
)

::RETRIEVE CONFIG VIA FTP
ftp -s:%FTPCONFIG% %1

:EXIT

Then I have the FTPCONFIG txt file for each device that I call, it just gets all XML files, then deletes them from the device. I have one of these for each device, b/c I could not figure out how to pass a variable from my BAT file to this file to set the LCD of where to store the config:

backup
password
lcd "D:\SolarWinds\Configuration Management\Config-Archive\wsa"
cd configuration
prompt
mget *.xml
mdelete *.xml
quit

 

Hope this helps someone out there.

 


21 Replies

Thank you for the reply.  I went with the second method and used Kiwi CatTools to log into the Ironport and run the same commands you provided.  Then I have Kiwi email it to myself.

Hi

We also own Kiwi CatTools.  What did you put as the DEVICE TYPE for the Ironport device?  How did you get it to run commands?

I have been struggling trying to get a Windows Scheduled Task to run a batch or script that uses plink to create an Ironport config backup.  If I manually run the batch it works, but won't run from a Windows Scheduled Task.  I could avoid all that if I could put it into CatTools with all our other automated backups.

Help?

Well, you can't actually get Kiwi to directly back up the config. Instead you have to make Kiwi act like a scheduled task and run a command on the Ironport to output the config in an .xml file.

With Kiwi I've set up the Type as Device.CLI.Send commands and then I just run a command on the Ironport that looks like the following.

mailconfig 1

Then when the Kiwi job runs I receive an email with an attachment that contains the config in an .xml file.

I hope this helps.

Thanks,

Mike

Thank you for responding.

This is close to how I got CatTools to back up the Ironport configs. Instead of emailing it somewhere, I just run the command "saveconfig yes" from the Device.CLI.Send commands and then I have a weekly scheduled WinFTP Pro task that runs to copy the config files to our DRD directory.

You know, that's another good way to approach it. I might actually try that since one of the issues I am having is a way to get the copy of the config from an attachment in my email to a folder out on our network. Using that save command and then an ftp tool would probably remediate this.

Thanks,

Mike

My FTP script consists of the following:

Connect FTPsite

lcd "server\share\"

cd configuration

mget *.xml

close

Just an FYI - there is no way to delete more than 1 file at a time from the FTP commands. I wanted to delete any *.xml config files after I made a copy of them so there aren't a bunch of them sitting on the appliance. The only command you can use is "dele" and you have to know the actual filename, you can't use wildcards. I did confirm this with Cisco Ironport support. 8)

Good luck!

Greetings folks,

Log in to a Cisco IronPort Email Security Appliance, via FTP. Then using mdelete command:

ftp> mdelete  mail.text.@20110829T*

mdelete mail.text.@20110829T000030.s? y

250 DELE command successful.

mdelete mail.text.@20110829T010030.s? y

250 DELE command successful.

mdelete mail.text.@20110829T020030.s? y

250 DELE command successful.

mdelete mail.text.@20110829T030030.s? y

250 DELE command successful.

mdelete mail.text.@20110829T040030.s? ^C

Continue with mdelete? no

ftp> prompt

Interactive mode off.

ftp> mdelete mail.text.@20110829T*

250 DELE command successful.

250 DELE command successful.

250 DELE command successful.

250 DELE command successful.

250 DELE command successful.

250 DELE command successful.

250 DELE command successful.

ftp>

The prompt command will switch from on (default) to off the first time you use it.

The mdelete command works for multiple files.

Without the prompt command, or better said, without turning prompt off, the server will ask you to confirm each deletion.

When you use the prompt command and turn it off, the system does not require the confirmation.

I hope this helps.

Regards,

Thank you so much!  My whole backup config process is completely automated now.  Awesome.

You are welcome.

We are glad we could assist you.

Best regards,

Thanks for the comprehensive document. Just one question: how do you guys deal with those configuration files generated on the IronPort itself? Manually delete them periodically? In case we forget, will the IronPort send out some alerts to notify us that the hard disk space is running out? Thanks.

Leo Song

You are welcome.

I see few possibilities.

- Don't create files in the box, instead, send via Email to your (the administrator) account.

- Delete the files via FTP, periodically

Yes, the system will generate alerts for low disk space. Please refer to the Configuration Guide.

I hope this helps.

Regards,

-Valter

My Ironports are in Cluster mode. When I run "saveconfig yes" it's asking to switch to cluster mode. How can I specify the same thing in a script?

If you're scripting the save, execute "clustermode cluster" to switch mode to cluster.
