02-09-2011 06:36 AM
I'm looking to set up a way to back up the configuration of my C370s. Currently I know how to do so manually through the GUI. Is there a way to automate this and back it up through the CLI? I was searching through the CLI yesterday but I couldn't find what the command was to save the config out. I would assume if I could find the command I could set up a job through our Kiwi CatTools to do so. Let me know if anyone knows how to do this or if you've found another way to do this effectively.
Thanks,
Mike
02-09-2011 05:40 PM
Hi Mike,
There are actually a couple of ways to do this.
You can back up the configuration from the CLI using the command saveconfig. You can load a configuration file using the command loadconfig. I would run those commands first just so you can see the process. Basically you can script something around these commands that would get the job done.
We also have a nice knowledgebase article that covers this subject as well. The approach is a little different but the results are the same.
How can I schedule or automate the backup of my appliance's XML configuration file? Where does it reside? How do I do a scheduled backup of the configuration file from a Windows system?
Environment:
- ESA with AsyncOS 6.x or later.
- A designated host for initiating and storing backups.
NOTES:
Some familiarity with OS scripting and task scheduling is necessary to understand and safely implement these tasks. Please understand that many of these concepts are outside of the scope of IronPort customer support and these sample scripts are certainly not supported. While these steps have been successfully tested, this article is primarily for demonstration and illustration purposes.
The configuration file is dynamically generated when using the save or mail configuration tools from the CLI or GUI. To have an effective backup, it's best to "unmask" the passwords, which allows the appliance to place a hashed form of the passwords for the local administrative accounts in the configuration file. For this reason, we can not simply copy a flat "running configuration" file from the device. This method allows us to first access the appliance, issue a command to dynamically build the current configuration, and either save or mail a copy of this file somewhere remotely, without any user intervention. Once this is accomplished, we can then repeat or schedule this task to occur on a regular basis.
To quickly and automatically back up configuration files with passwords unmasked:
1) Generate an SSH keypair to use. Verify that you can access your appliance via SSH without having to manually enter a password. Details on this operation can be found in KB article #283.
2) Create a script to log in to the appliance, save the config, and copy it (or mail it). Two such simple examples written in BASH:
Example #1: Saving the configuration to a specified host
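#! /bin/bash
# this saves the config and then copies it locally via SCP to a directory called ironport/config-backups
HOSTNAME=test.com
USERNAME=admin
# take the name of the XML file from the third space-separated field of the saveconfig reply
FILENAME=$(ssh "$USERNAME@$HOSTNAME" "saveconfig yes" | grep xml | cut -f 3 -d " ")
# source and destination are separate arguments to scp
scp "$USERNAME@$HOSTNAME:./configuration/$FILENAME" ./ironport/config-backups/.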
Example #2: Emailing the configuration to an email address
#! /bin/bash
# this mails the config to MAILDEST
HOSTNAME=mx.test.com
USERNAME=admin
MAILDEST=backups@test.com
# double quotes so that $MAILDEST is expanded locally before the command is sent
ssh "$USERNAME@$HOSTNAME" "mailconfig $MAILDEST yes"
NOTE: Similar logic can be applied in any OS scripting language such as VB or batch scripts for Windows. These scripts are intended as rudimentary examples only.
3) Use cron or AT or similar scheduling tool to kick off the job regularly. Services like cron or Windows task scheduler are easy tools that can be used to automate simple jobs like this. For instance, the *NIX CRON config file typically follows this format:
minute (0-59), hour (0-23, 0 = midnight), day (1-31), month (1-12), weekday (0-6, 0 = Sunday), command
So a good example entry to run this script every day at 2:00 AM would look like:
00 02 * * * /location/your_script.sh
Alternatively, here is another method of automating a configuration backup.
How do I do a scheduled backup of the configuration file from a Windows system?
With the following procedure, you can back up the configuration file regularly from a Windows system.
1. Install the terminal emulator "putty" under C:\
2. Create a text file with the following line, name it "send_config.txt" and place it under C:\ (Change example@example.com to the email address you would like the configuration file to be sent to.)
mailconfig example@example.com
3. Create a text file with the following lines, name it "send_config_batch.bat" and place it under C:\
(Change "hostname" to the resolvable hostname or the IP address of your appliance and "password" to your actual password for the admin account.)
C:\putty.exe -ssh hostname -l admin -pw password -m C:\send_config.txt
exit
4. Add the "send_config_batch.bat" to the Windows' scheduled task.
The Configuration file will be sent to the address specified in the "send_config.txt".
Hope this helps!
Christopher C Smith
CSE
Cisco IronPort Customer Support
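A stricter variant of Example #1, added here as an illustration and not part of the KB article or of any post in this thread: it checks the file name reported by the appliance before handing it to scp, and keeps the backup (which carries the password hashes mentioned above) in an owner-only directory. The wording of the saveconfig reply is not shown on this page, so the parser assumes only that the reply contains one token ending in .xml; the function names and the three command-line arguments are hypothetical.

```shell
#!/bin/bash
# Added example, not from the KB article. Host, user and directory are passed
# as arguments; the exact wording of the saveconfig reply is an assumption.

# Return the first token ending in .xml from the appliance's reply, but only
# if it is a plain file name that scp and the shell cannot misinterpret.
extract_config_name() {
    local name
    name=$(printf '%s\n' "$1" | tr -s ' "\t\r' '\n' | grep -E '\.xml\.?$' | head -n 1)
    name=${name%.}      # drop a sentence-ending period
    name=${name##*/}    # keep only the last path component
    case "$name" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;   # empty, option-like, hidden, odd chars
    esac
    printf '%s\n' "$name"
}

# Runs in a subshell so the umask change does not leak into the caller.
backup_appliance() (
    host=$1; user=$2; dest=$3
    umask 077           # the XML holds password hashes: owner-only files
    mkdir -p "$dest" && chmod 700 "$dest" || exit 1
    # BatchMode makes ssh/scp fail instead of prompting when key auth breaks
    reply=$(ssh -o BatchMode=yes "$user@$host" "saveconfig yes") || exit 1
    name=$(extract_config_name "$reply") || {
        echo "unexpected saveconfig reply from $host" >&2; exit 1; }
    scp -q -o BatchMode=yes "$user@$host:configuration/$name" "$dest/$name" || exit 1
    [ -s "$dest/$name" ] || { echo "empty backup: $name" >&2; exit 1; }
    printf '%s\n' "$dest/$name"
)

# Usage: ./backup.sh <appliance> <user> <backup-dir>
if [ "$#" -eq 3 ]; then
    backup_appliance "$@"
fi
```

Because every failure path exits non-zero, a cron job wrapping this script can alert on the exit status instead of silently storing an empty or missing backup.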
06-27-2014 04:33 AM
I came here with the same issue and adapted some items to work for me in my Windows environment.
I also have 6 Ironports, some require SSHv1, some SSHv2 and one is the IEA which is different yet again.
I'll share my scripts, please let me know if you have questions on them as I did not document it all.
Schedule this BAT file below to run as often as you require. It will connect to a device that you tell it to, and back up the config, then FTP the file back to the server.
Some of my older devices require SSHv1 still, so I check if the device supports v2, and connect that way, otherwise if not specified, fall back to v1. I also have an Encryption appliance, so that is all done via Linux commands, that is the "iea" device. I was using public/private keys, but since I needed the password via FTP, I scrapped the key part.
BAT FILE:
@ECHO off
setlocal ENABLEDELAYEDEXPANSION
SET FTPCONFIG=%1FTP.txt
SET PLINK="C:\Program Files (x86)\PuTTY\plink.exe"
SET PSCP="C:\Program Files (x86)\PuTTY\pscp.exe"
::DATE - Sets %newdate% variable = yyyymmdd
for /f "tokens=2-4 delims=/ " %%a in ('date /t') do set NEWDATE=%%c%%a%%b
::GENERATE CONFIG FILE -2 FOR SSH v2 DEVICES
IF %1==ironport.congressionalfcu.org (
%PLINK% -pw "password" -2 backup@%1 "saveconfig 0"
) ELSE IF %1==wsa (
%PLINK% -pw "password" -2 backup@%1 "saveconfig 0"
) ELSE IF %1==iea (
%PLINK% -pw "password" -2 admin@%1 "sudo rm -f /backup/server-*.tgz"
%PLINK% -pw "password" -2 admin@%1 "sudo tar zcf /backup/server-%NEWDATE%.tgz /usr/local/postx/server"
%PSCP% -pw "password" -2 admin@%1:/backup/server-%NEWDATE%.tgz "d:\SolarWinds\Configuration Management\Config-Archive\IEA\server-%NEWDATE%.tgz"
GOTO EXIT
) ELSE (
%PLINK% -pw "password" -1 backup@%1 "saveconfig 0"
)
::RETRIEVE CONFIG VIA FTP
ftp -s:%FTPCONFIG% %1
:EXIT
Then I have the FTPCONFIG txt file for each device that I call, it just gets all XML files, then deletes them from the device. I have one of these for each device, b/c I could not figure out how to pass a variable from my BAT file to this file to set the LCD of where to store the config:
backup
password
lcd "D:\SolarWinds\Configuration Management\Config-Archive\wsa"
cd configuration
prompt
mget *.xml
mdelete *.xml
quit
Hope this helps someone out there.
04-01-2011 07:31 AM
Thank you for the reply. I went with the second method and used Kiwi CatTools to log into the Ironport and run the same commands you provided. Then I have Kiwi email it to myself.
08-31-2011 12:26 PM
Hi
We also own Kiwi CatTools. What did you put as the DEVICE TYPE for the Ironport device? How did you get it to run commands?
I have been struggling trying to get a Windows Scheduled Task to run a batch or script that uses plink to create an Ironport config backup. If I manually run the batch it works, but won't run from a Windows Scheduled Task. I could avoid all that if I could put it into CatTools with all our other automated backups.
Help?
09-01-2011 07:44 AM
Well, you can't actually get Kiwi to directly back up the config. Instead you have to make Kiwi act like a scheduled task and run a command on the Ironport to output the config in an .xml file.
With Kiwi I've set up the Type as Device.CLI.Send commands and then I just run a command on the Ironport that looks like the following.
mailconfig
Then when the Kiwi job runs I receive an email with an attachment that contains the config in an .xml file.
I hope this helps.
Thanks,
Mike
09-01-2011 07:54 AM
Thank you for responding.
This is close to how I got CatTools to backup the Ironport configs. Instead of emailing it somewhere, I just run the command "saveconfig yes" from the Device.CLI.Send commands and then I have a weekly scheduled WinFTP Pro task that runs to copy the config files to our DRD directory.
09-01-2011 08:34 AM
You know, that's another good way to approach it. I might actually try that since one of the issues I am having is a way to get the copy of the config from an attachment in my email to a folder out on our network. Using that save command and then an ftp tool would probably remediate this.
Thanks,
Mike
09-01-2011 08:50 AM
My FTP script consists of the following:
Connect FTPsite
lcd "server\share\"
cd configuration
mget *.xml
close
Just an FYI - there is no way to delete more than 1 file at a time from the FTP commands. I wanted to delete any *.xml config files after I made a copy of them so there aren't a bunch of them sitting on the appliance. The only command you can use is "dele" and you have to know the actual filename, you can't use wildcards. I did confirm this with Cisco Ironport support. 8)
Good luck!
09-01-2011 11:32 AM
Greetings folks,
Log in to a Cisco IronPort Email Security Appliance via FTP. Then use the mdelete command:
ftp> mdelete mail.text.@20110829T*
mdelete mail.text.@20110829T000030.s? y
250 DELE command successful.
mdelete mail.text.@20110829T010030.s? y
250 DELE command successful.
mdelete mail.text.@20110829T020030.s? y
250 DELE command successful.
mdelete mail.text.@20110829T030030.s? y
250 DELE command successful.
mdelete mail.text.@20110829T040030.s? ^C
Continue with mdelete? no
ftp> prompt
Interactive mode off.
ftp> mdelete mail.text.@20110829T*
250 DELE command successful.
250 DELE command successful.
250 DELE command successful.
250 DELE command successful.
250 DELE command successful.
250 DELE command successful.
250 DELE command successful.
ftp>
The prompt command will switch from on (default) to off the first time you use it.
The mdelete command works for multiple files.
Without the prompt command, or rather without turning prompt off, the server will ask you to confirm each deletion.
When you use the prompt command and turn it off, the system does not require the confirmation.
I hope this helps.
Regards,
09-01-2011 11:42 AM
Thank you so much! My whole backup config process is completely automated now. Awesome.
09-01-2011 11:53 AM
You are welcome.
We are glad we could assist you.
Best regards,
12-03-2013 07:51 AM
Thanks for the comprehensive document. Just one question: how do you guys deal with those configuration files generated on the Ironport itself? Manually delete them periodically? In case we forget, will the Ironport send out some alerts to notify us that the hard disk space is running out? Thanks.
Leo Song
12-03-2013 10:12 AM
You are welcome.
I see a few possibilities.
- Don't create files in the box, instead, send via Email to your (the administrator) account.
- Delete the files via FTP, periodically
Yes, the system will generate alerts for low disk space. Please refer to the Configuration Guide.
I hope this helps.
Regards,
-Valter
09-10-2019 11:13 AM
My Ironports are in cluster mode. When I run "saveconfig yes" it's asking to switch to cluster mode. How can I specify the same thing in a script?
09-10-2019 11:23 AM