I saw several posts on this subject, but the latest was 4 years ago, so I expect that now someone can help me.
My situation: 2 x ESA (C370 with AsyncOS 7.6.3), Centralized Management
My wish: automatic daily backup of the configuration files
To prevent:
- when my two appliances die together
- when an administrator does sh*t with the configuration and I want to roll back to last week's configuration
(basic stuff for an admin)
I tried to simply use the "saveconfig" command, but the result (a "cluster configuration file") is just useless because an appliance in Centralized Management mode cannot load configuration files, and an appliance in Standalone mode cannot load a "cluster configuration file".
The only way I see is leaving the cluster, backing up the configuration, and rejoining the cluster, but:
- what are the consequences of acting like that?
- is there an automatic way to leave and join the cluster?
Unfortunately - you are correct - the only way to get a usable backup of a configuration for a single machine level appliance would be to take it out of the cluster, run the backup/dump of the configuration - and then rejoin this back to the cluster level.
How to set up automated backup of configuration in a cluster using batch commands?
Clustered machines cannot save a usable configuration. To get a usable configuration from the machine, it must be removed from the cluster before saving the configuration. While saving the configuration using the saveconfig command from the CLI, the ESA generates the following warning:
WARNING: Clustered machines do not support loadconfig. Your configuration file has complete data for the entire cluster, but cannot be used to restore a configuration.
There is no need to back up the configuration from every machine in a cluster. However, there could be multiple clusters in a network with multiple groups configured for each cluster. It will be quite difficult to remove every machine from the cluster, then save the configuration and join the cluster again manually.
The following batch commands can be used to log in to the Email Security appliance, remove the machine from the cluster, save or mail the config, and join the cluster again.
Note: The syntax for the clusterjoin command has changed in version 7.5 and now requires an admin username.
To remove the machine from the cluster:
> clusterconfig removemachine
To save the configuration on the appliance with passwords:
In AsyncOS 7.5 and newer:
Do you want to mask the password? Files with masked passwords cannot be loaded
using loadconfig command. [Y]> Yes
In AsyncOS 7.1.5 and older:
Do you want to include passwords? Please be aware that a configuration without
passwords will fail when reloaded with loadconfig. [N]> Yes
To email the configuration with passwords:
> mailconfig yes
To join the cluster again:
In AsyncOS 7.5 and newer:
(clusterconfig join [--port=xx] [
In AsyncOS 7.1.5 and older:
> clusterconfig join [--port=xx]
Also --- please find the following article to aid in any automation/script creation:
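One way to script the remove / saveconfig / mailconfig / join sequence listed above as a nightly job, added here as an example; it is not from the reply, from any Cisco article, or from the appliance's own tooling. It feeds the CLI lines to the appliance over SSH and then scans the captured session for the "Clustered machines do not support loadconfig" warning quoted above, since that warning means the config was saved while the machine was still clustered and the backup is useless. The host names, recipient address, log directory and, above all, the order of the interactive prompts after each command are assumptions: record one manual session first and adjust the answer lines to what your appliance actually asks. Note that on 7.5 and newer the script answers the "mask the password?" prompt with No, because the prompt itself states that a file with masked passwords cannot be loaded with loadconfig.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: drives the
# remove -> saveconfig -> mailconfig -> join sequence over SSH and
# checks the captured session for the "cannot be used to restore" warning.
# ASSUMED: host names, recipient, log directory, prompt order after each
# command. Record a manual session and adjust the echo lines to match.

ESA_HOST="${ESA_HOST:-esa1.example.com}"         # appliance being backed up (assumed)
CLUSTER_PEER="${CLUSTER_PEER:-esa2.example.com}"  # cluster machine to rejoin (assumed)
ESA_ADMIN="${ESA_ADMIN:-admin}"
MAILTO="${MAILTO:-esa-backups@example.com}"       # recipient for mailconfig (assumed)
ASYNCOS_VERSION="${ASYNCOS_VERSION:-7.6.3}"       # version named in the thread
LOGDIR="${LOGDIR:-/var/log/esa-backup}"           # assumed

# 7.5 and newer use the "mask the password?" prompt and need an admin
# username on join; 7.1.5 and older use the "include passwords?" prompt.
newer_than_7_5() {
    case "$1" in
        7.[5-9]*|[89].*|[1-9][0-9].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Answer that keeps passwords in the file so loadconfig can use it:
# "No" to "mask the password?" (7.5+), "Yes" to "include passwords?" (7.1.5-).
password_answer() {
    if newer_than_7_5 "$1"; then echo "No"; else echo "Yes"; fi
}

# Print the CLI lines for one backup run, one per line. Kept separate from
# the ssh call so the sequence can be reviewed and tested offline.
# $1 AsyncOS version  $2 machine name  $3 recipient  $4 cluster peer  $5 admin user
esa_backup_session() {
    ans=$(password_answer "$1")
    echo "clusterconfig removemachine"
    echo "$2"          # assumed prompt: which machine to remove
    echo "saveconfig"
    echo "$ans"        # password prompt quoted in the thread
    echo "mailconfig"
    echo "$3"          # assumed prompt: recipient address
    echo "$ans"        # same password prompt as saveconfig
    echo "clusterconfig join"
    echo "$4"          # assumed prompt: cluster machine to join
    if newer_than_7_5 "$1"; then
        echo "$5"      # 7.5+ asks for the admin username (note in the thread)
    fi
}

# Return 0 when the captured session shows no sign of a cluster-level save,
# 1 when the warning from the thread appears (backup cannot be restored).
esa_check_output() {
    if grep -q "Clustered machines do not support loadconfig" "$1"; then
        echo "backup unusable: machine was still in the cluster during saveconfig" >&2
        return 1
    fi
    return 0
}

# Live run only when explicitly requested, e.g. from cron:
#   ESA_RUN=1 /usr/local/sbin/esa-backup.sh
if [ "${ESA_RUN:-0}" = "1" ]; then
    mkdir -p "$LOGDIR"
    log="$LOGDIR/$(date +%Y%m%d).log"
    esa_backup_session "$ASYNCOS_VERSION" "$ESA_HOST" "$MAILTO" "$CLUSTER_PEER" "$ESA_ADMIN" \
        | ssh -T "$ESA_ADMIN@$ESA_HOST" > "$log" 2>&1
    esa_check_output "$log"
fi
```

The cron run assumes key-based SSH login to the appliance has already been set up (a key generated with ssh-keygen and added through the sshconfig command), so no password has to live in the script. Keep the session logs: a failed esa_check_output on a given night tells you the removemachine step did not take effect before saveconfig ran, which is exactly the failure that makes the "backup" a cluster file nobody can load.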
I will look into the expect function, thank you for the advice.
I searched around the sshconfig command, and would like to add the key from my ESA in the cluster to my ESA joining the cluster, but I didn't find which key was sent (I only have the fingerprint of this key).
The sshconfig command should list the keys already there, or allow you to add new ones. You can create new keys on the Linux box using the ssh-keygen command and then paste the key into the sshconfig command. The help and manuals on this are a bit sparse; the best info I have found is in a Cisco publication written by a former Cisco IronPort employee, Chris Porter, called "Email Security with Cisco IronPort" from ciscopress.com