
Scripting retrieval of the config file

Nicolas Melay
Level 1

Just in case someone else needs it, this works for me on AsyncOS 5.5:

wget --no-check-certificate -O config.xml "https://your.ironport.box/login?username=admin&password=your_password&action:Login=Login&referrer=https%3A%2F%2Fyour.ironport.box%2Fsystem_administration%2Fconfiguration_file?action=Save%26operation=download"

17 Replies

So, SSH keys allow you to run a single command, for the commands that let you execute all in one line.

First, on a Linux box:

ssh-keygen -b 1024 -t rsa

Answer the questions, don't use a password, and you'll have an id_rsa and id_rsa.pub file.
cat id_rsa.pub


Get on your IronPort CLI, and issue a "sshconfig" command, follow the prompts to enter the public key.

Now you can run a command like this in a single line:

ssh -i /path/to/private_key/id_rsa foobar@yourhost "mailconfig you@domain.tld yes"


This saves you from needing to use Expect scripting to enter your password. Ok, that's nice.

FEATURE REQUEST: make it so ALL commands can be executed without going through prompts. In particular: showconfig. It should print out the whole config, and not stop for "-Any key for more-".

I don't want to email the config to myself, I want to just grab it.

From this post, I see a method to save a config on the IronPort, get the filename it created, then SCP it back to my machine. That would work, except for one problem: The user I'm using to grab the config should be a Read Only Operator, b/c it's sitting on a box used by many administrators. That leads me to another problem: mailconfig doesn't work, unless you're an Operator. But, showconfig does. Minus the User and a few other sections. The RO Operator should be able to download the complete config file!!!! So should Operator. I realize there is a security conflict with this: Operators could try to crack the password hashes of administrators and escalate their privilege. My counter to that is: admins should use strong passwords. And, the trade off of needing to store an Admin user/pass on a backup server, just to fetch a copy of the full configuration is a bigger security risk!

Andrew Wurster
Level 1

I know exactly what you mean. That is an awesome feature request IMHO (although a huge task). As always - your account team will be best for translating these ideas into valid enhancement requests.

I really like this one though, coming with some Cisco IOS/ASA and general Unix command line experience. The menu driven stuff can be rough!

I like your suggestions - keep them coming!

Andrew

steven_geerts
Level 1

It's still useful, though. Imagine you made a change, and it messed things up, and you weren't totally sure what changed. You could diff the last known good config with the broken config, and tell what changed. 


Great idea! +1 thank you!

Steven
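
The workflow discussed in this thread (keep each retrieved config and diff it against the last known good copy), as an added example that is not part of any post above. The function name `snapshot_config` and the archive layout are hypothetical; the config file is assumed to have been fetched already by one of the methods described, and because it can contain password hashes the snapshots are kept owner-only.

```shell
#!/bin/sh
# Added example: archive a retrieved config and show what changed.
# Hypothetical names: snapshot_config, latest.xml, config-<UTC stamp>.xml.

umask 077   # the config may contain password hashes: owner-only files

# snapshot_config NEW_FILE ARCHIVE_DIR
# Returns 0 if a new snapshot was stored (first run or config changed),
#         1 if the config is identical to the last snapshot,
#         2 on error (missing/empty input, unwritable archive).
# On change, prints a unified diff (old -> new) on stdout. Treat that
# output as sensitive too: it can include changed hash lines.
snapshot_config() {
    new=$1
    dir=$2

    # An empty download usually means a failed login, not an empty config.
    [ -s "$new" ] || { echo "empty or missing: $new" >&2; return 2; }

    mkdir -p "$dir" || return 2
    chmod 700 "$dir" || return 2
    latest="$dir/latest.xml"

    # Nothing to store if the config is byte-identical to the last one.
    if [ -f "$latest" ] && cmp -s "$new" "$latest"; then
        return 1
    fi

    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$dir/config-$stamp.xml"
    n=0
    while [ -e "$dest" ]; do          # never overwrite an older snapshot
        n=$((n + 1))
        dest="$dir/config-$stamp-$n.xml"
    done

    if [ -f "$latest" ]; then
        diff -u "$latest" "$new" || true   # diff exits 1 when files differ
    fi

    cp "$new" "$dest" && cp "$dest" "$latest" || return 2
    chmod 600 "$dest" "$latest"
    return 0
}

# Usage: snapshot_config config.xml /var/backups/ironport
```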