Backing up firewall configs for disaster recovery is a tedious and mundane task, and if you have enough firewalls, doing it manually becomes impractical. To address this I set up a highly secured server that periodically runs a script backing up the clients' firewalls.
I use the poll model here: this central server connects by SSH to the remote firewalls, issues the upgrade_export command, then downloads the backup using SCP and finally deletes the backup from the firewall itself.
The advantages of such a schema, as opposed to the push model where the firewalls push backups to the central server, I see in the following:
- I can secure this server much more, as no remotely accessible services are running (so no remote exploit is possible)
- I can have a rule in the firewall in front of this server: Inbound -> Deny Any Any
- I centrally manage the backup script; if something changes I fix just one script.
Disadvantage: the password used to log in to the firewalls is stored in clear text in the script. The script also answers "yes" to the SSH unknown-host-key prompt, so host key verification is effectively skipped and, on a first connection, that password would be sent to whatever host answers on the firewall's IP.
Now to the script. I wrote it in Expect to make life easier; in short it just emulates an interactive SSH login, runs the upgrade_export command, downloads the backup file by SCP, also creating a file with the md5sum of the backup and downloading it as well. The final action is to log in by SSH again and remove the backup file from the firewall.
It names the file by appending the firewall's IP to the current date. No error checking is done. Files used by the script:
hosts - a file containing the IPs of the firewalls to back up, one IP per line (the script reads it line by line)
The script follows (at the end you can download the script as a file, to avoid problems with line wrapping):
#!/usr/local/bin/expect
# set timeout to suffice for the largest backup file to download
set timeout 3000
# set password and user to enter the firewall
set password "password"
set username "admin"
# set format for naming files: <Month>-<YYYY>-<mm>-<dd>, the firewall IP is appended
set timeand_date [clock format [clock seconds] -format %B-%Y-%m-%d]
# open hosts file that contains IPs of the firewalls and read it in a loop
set ff [open "hosts" r]
while {[gets $ff hostName] >= 0} {
    puts "Entering $hostName"
    spawn ssh -l $username $hostName
    expect {
        {[Pp]assword:} { send "$password\r" }
        "(yes*no)" {
            send "yes\r"
            expect {[Pp]assword:} { send "$password\r" }
        }
    }
    # increase the idle timeout of the SSH session so a long export is not cut off
    expect {*#} { send "TMOUT=900\r" }
    expect {*#} { send "export TMOUT\r" }
    # create backup directory
    expect {*#} { send "mkdir /var/Upgrade_export_backups\r" }
    expect {*#} { send "cd /var/Upgrade_export_backups\r" }
    # issue the upgrade_export command and answer its prompts
    # (the brackets in \[n\] are escaped: an unescaped [n] is a glob character class)
    expect {*#} { send "\$FWDIR/bin/upgrade_tools/upgrade_export $timeand_date$hostName\r" }
    expect {
        {ready}       { send "\r" }
        {(y/n) \[n\]} { send "yes\r" }
    }
    # calculate md5sum of the newly created backup file and save it to a file
    expect {*#} { send "md5sum $timeand_date$hostName.tgz > $timeand_date$hostName.md5sum\r" }
    expect {*#} { send "exit\r" }
    expect eof
    # download both the archive and its md5sum file
    spawn scp $username@$hostName:/var/Upgrade_export_backups/\{$timeand_date$hostName.md5sum,$timeand_date$hostName.tgz\} .
    expect {[Pp]assword:} { send "$password\r" }
    # wait for scp to finish; it exits on its own, there is no shell prompt to expect
    expect eof
    # log in again and remove the backup file (and its md5sum) from the firewall
    spawn ssh -l $username $hostName
    expect {
        {[Pp]assword:} { send "$password\r" }
        "(yes*no)" {
            send "yes\r"
            expect {[Pp]assword:} { send "$password\r" }
        }
    }
    expect {*#} { send "cd /var/Upgrade_export_backups\r" }
    expect {*#} { send "rm -f $timeand_date$hostName.tgz $timeand_date$hostName.md5sum\r" }
    expect {*#} { send "exit\r" }
    expect eof
}
close $ff
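The script downloads the md5sum file next to the archive but never compares the two, and it removes the remote copy whether or not the download succeeded (the "no error checking" mentioned above). The following is an added example, not part of the original script, of a POSIX shell check that the central server can run between the scp step and the final cleanup login: it refuses a backup whose archive is missing, empty, or does not match the hash recorded on the firewall. It assumes GNU md5sum and the naming scheme used by the script (<date><ip>.tgz beside <date><ip>.md5sum); the sample files built by make_sample are constructed test data, not real backups.

```shell
#!/bin/sh
# Added example: verify a downloaded backup against the md5sum file that was
# generated beside it on the firewall, before the remote copy is deleted.
# Assumes GNU md5sum and the <date><ip>.tgz / <date><ip>.md5sum naming scheme.

# verify_backup DIR BASENAME
# Returns 0 if DIR/BASENAME.tgz matches the hash in DIR/BASENAME.md5sum,
# 1 if either file is missing or empty, 2 if the hashes differ.
verify_backup() {
    dir=$1
    base=$2
    tgz="$dir/$base.tgz"
    sum="$dir/$base.md5sum"
    [ -s "$tgz" ] && [ -s "$sum" ] || { echo "missing or empty: $base" >&2; return 1; }
    # the firewall wrote "<hash>  <filename>"; take only the hash field
    expected=$(awk '{print $1; exit}' "$sum")
    actual=$(md5sum "$tgz" | awk '{print $1}')
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $base: expected $expected, got $actual" >&2
        return 2
    fi
    return 0
}

# make_sample DIR BASENAME CONTENT
# Constructed test data: builds a fake archive and the md5sum file the way the
# firewall side of the Expect script does (md5sum run in the same directory).
make_sample() {
    dir=$1
    base=$2
    printf '%s' "$3" > "$dir/$base.tgz"
    ( cd "$dir" && md5sum "$base.tgz" > "$base.md5sum" )
}

# demo: a good pair verifies (0); a tampered archive is rejected (2).
demo() {
    tmp=$(mktemp -d)
    b="October-2013-10-05192.0.2.1"
    make_sample "$tmp" "$b" "fake backup payload"
    if verify_backup "$tmp" "$b"; then good=0; else good=$?; fi
    printf 'corrupted' > "$tmp/$b.tgz"
    if verify_backup "$tmp" "$b" 2>/dev/null; then bad=0; else bad=$?; fi
    rm -rf "$tmp"
    echo "good=$good bad=$bad"
}

demo
```

In the poll flow, a non-zero return from verify_backup should skip the final "rm -f" login so the archive stays on the firewall for a retry, and the server-side copy should be discarded rather than kept as a backup of unknown integrity.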
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.