Automatic backup of Netscreen configuration
I spent some time earlier automating the backups of our appliance configuration to a restricted network share and thought I’d share a simple batch script to backup the configuration from multiple Juniper Netscreen (ScreenOS) firewalls.
@echo off
REM ================================================================
REM CONFIGURATION INFO
REM ================================================================
REM Account and password used to log in to every firewall. Both sit in
REM clear text here and on the pscp command line (visible in the process
REM list), so keep this file on a restricted share and use a dedicated
REM read-only backup account.
set USERNAME=backupAccount
set PASSWORD=superSecretPassword
REM Firewall list, one per line, in hostname,ipaddress format
set CFGFILE=BackupList.txt
REM Where the dated backup folders are created (keep the trailing backslash)
set DESTDIR=C:\Backups\
REM ================================================================
REM STOP CHANGING HERE OR YOU'LL BREAK SOMETHING
REM ================================================================
REM yyyy.mm.dd stamp built from %date%; the offsets assume a short date
REM that ends in the four-digit year (e.g. 28/04/2011), adjust for your locale.
SET TIMESTAMP=%date:~-4,4%.%date:~-7,2%.%date:~-10,2%
IF NOT EXIST "%DESTDIR%%TIMESTAMP%" mkdir "%DESTDIR%%TIMESTAMP%"
REM Copy ns_sys_config from each firewall over SCP. -batch makes pscp fail
REM instead of hanging on an interactive prompt (such as an unknown host
REM key) when run as a scheduled task, so accept each host key once in PuTTY first.
for /F "tokens=1,2 delims=," %%A in (%CFGFILE%) do (
    pscp -q -batch -scp -pw %PASSWORD% %USERNAME%@%%B:ns_sys_config "%DESTDIR%%TIMESTAMP%\%%A.cfg"
)
The script reads the firewall list from a CSV file (BackupList.txt, kept next to the script) with one hostname,ipaddress entry per line, creates a dated folder under DESTDIR and uses PSCP to SCP each firewall's configuration (the ns_sys_config file on ScreenOS) into it as hostname.cfg.
You'll need SSHv2 and SCP enabled on each firewall (set ssh version v2, set ssh enable, set scp enable), the account in USERNAME permitted to log in over SSH, and pscp.exe in the same directory as the script (or on the PATH). Accept each firewall's SSH host key once interactively with PuTTY before scheduling the script, otherwise pscp stops at the host-key prompt. Because the password is stored in clear text and appears on the pscp command line, run the job under a dedicated account and restrict who can read the script and the backup share; key-based authentication (a public key imported for the backup user on each firewall) avoids storing the password at all. You can find the latest version of PuTTY and PSCP on the PuTTY download page.
I downloaded a product key, but during activation I get an error with code 0xc004E003,
so tell me what to do.
I tested this on my NS25 and it didn't work. Does this work on all Netscreen models?
BTW, it is a good script.
Date post: 28-Apr-2011
I use it on everything from NS5GT models all the way to the top-end Netscreen stuff. It's dependent on the OS, not the hardware.
Hi
The above script, I take it this needs to be run on each Netscreen device itself.
Where you have DESTDIR=C:\Backups\, is this the path where the backups are being sent to? Does this not need to be an IP address or hostname of the remote machine?
Also, I was thinking, should the script not be run from a server where the backups will be stored?
Many thanks for your help. Basically I've been tasked to back up all our Netscreen firewalls to one server and really not sure how, or the best way to do this. Cheers
Hi Peter
The script is a batch script, so run it on a windows system and set it up as a scheduled task.
DESTDIR is a variable containing the destination location where the configurations should be saved. Create a text file named BackupList.txt in the same directory that you save the script (say BackupScreenos.bat). On each line add a firewall name and IP. For example:
NY-FW01,192.168.0.1
LON-FW01,192.168.1.1
SY-FW01,192.168.2.1
So long as you have SSHv2 and SCP enabled on your firewall, when you run the batch script it’ll go through every firewall in BackupList.txt and save the configuration for you.
Thanks
Dave
Hi Dave,
Appreciate your help on this.
The device I have to create the backup on is running Solaris, so do you think this could be modified to do the same task? Also, when you say create a txt file BackupList.txt, is this then placed on each Netscreen device, and if so where? Lastly, I think all the backups from the Netscreens should go back to the NSM. If so, do you think this can be done with the script, and if so how?
Thanks again for your help. Scripting is not one of my strong points, as you can see.
Cheers
Peter,
BackupList.txt would reside in the same directory as the batch script.
If you need to run the backup script on a Solaris system, it's largely useless to you. You'll need to write it in Bash or something. That wouldn't be hard to do, especially since some kind of SSH client is likely already installed.
All you need to do is scp a file from the Netscreen devices to the system you're running the script from. If you don't want to handle file I/O in Bash, a file just executing a list of scp commands would do the trick?
Cheers. You don't have one to hand, or an example one I could use, or something to get me started?
There are about 8 Netscreen devices and they will be backed up to one server running Solaris. Thanks again.
Peter, nope, afraid not. If all you want to do is back up the 8 devices, why not just do something like:
scp netscreen@192.168.1.1:ns_sys_config ./192.168.1.1.cfg
Repeat it 8 times, once for each of your devices, replacing the username and firewall IP addresses as appropriate. Of course, you'd need to set up public/private key authentication for SSH on the Netscreens, though, as OpenSSH doesn't allow you to use the password on STDIN AFAIK?
Dave,
Thanks for this, sorry been away otherwise would have replied earlier.
So the above works fine, but how would you recommend this be done daily or weekly without manually doing this? How would you suggest I script this scp?
Cheers
Perhaps on the box you’re running ssh from, add it to your crontab (crontab -e) ?
Dave,
Sounds good, but I guess you know what I'm going to ask?
So how do I add this to crontab -e?
Any idea where to put this, and in which lines, etc.? Cheers for all your help so far.
Hi Peter
Log in to the system you're running the backup script from (the scp command) and add it to your crontab. To do that, once logged in via ssh to your Solaris system, issue the command 'crontab -e' to edit your user's scheduled jobs.
Add the path to your shell script in there in the relevant format. For example:
0 5 * * 1 /bin/bash /home/peter/backupNS5.sh
Where “/home/peter/backupNS5.sh” is the path to the shell script you created to backup your devices.
Hi Dave,
You've been a fantastic help, and I wanted to ask how you would suggest generating SSH keys for a Netscreen. What I mean is, in order to automate this I guess the login to the Netscreen needs to be in the script, and if so where? How would I do this: on the backup server, and then copy the keys to the Netscreen? If so, where on the Netscreen and how? Thanks for your help and patience, cheers
Hi Peter,
You’d generate the SSH keys on the system you’re connecting from using ssh-keygen, see here for more information: http://pkeck.myweb.uga.edu/ssh/
Generate SSH keys without a passphrase and then import the public key onto each of your netscreens via the web UI, assigning it to your user (or the netscreen account if you use the default).
Then you can ssh/scp without a password.
Thanks
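The Solaris-side script the thread asks for, pulling together the scp loop, the crontab entry and the key-based login from the replies above, as an added example (it is not Dave's script or the original post's batch file). The account name backupAccount, the list and backup directories, the key file name and the "run" argument are assumptions; the ScreenOS file name ns_sys_config and the BackupList.txt format (hostname,ip per line) come from the page.

```shell
#!/bin/sh
# backupNS.sh - added example, not from the original post. Unix/Solaris
# equivalent of the batch script: reads BackupList.txt (hostname,ip per
# line), creates a dated directory and scp's ns_sys_config from every
# firewall using an SSH key, so it can run unattended from cron, e.g.
#   0 5 * * 1 /bin/sh /home/peter/backupNS.sh run
# Key setup as described in the thread:
#   ssh-keygen -t rsa -N "" -f ~/.ssh/netscreen_backup
# then import ~/.ssh/netscreen_backup.pub for the backup user on each firewall.
# The paths, account name and key file below are assumptions.

CFGFILE="${CFGFILE:-./BackupList.txt}"
DESTDIR="${DESTDIR:-$HOME/netscreen-backups}"
BKUSER="${BKUSER:-backupAccount}"
KEYFILE="${KEYFILE:-$HOME/.ssh/netscreen_backup}"
SCP="${SCP:-scp}"      # overridable so the loop can be exercised without firewalls

# Turn the list into "name ip" pairs: drop CR line endings (the list is often
# edited on Windows), comment and blank lines, and whitespace around fields.
parse_backup_list() {
    tr -d '\r' < "$1" \
    | grep -v '^[[:space:]]*#' \
    | grep -v '^[[:space:]]*$' \
    | awk -F, 'NF >= 2 { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2); print $1, $2 }'
}

# scp source spec for one firewall: user@ip:ns_sys_config
scp_source() {
    printf '%s@%s:ns_sys_config' "$BKUSER" "$1"
}

# Copy one firewall's config. BatchMode=yes makes ssh fail instead of
# prompting for a password or an unknown host key when run from cron.
# $1=name  $2=ip  $3=destination directory
backup_device() {
    "$SCP" -q -o BatchMode=yes -o ConnectTimeout=15 -i "$KEYFILE" \
        "$(scp_source "$2")" "$3/$1.cfg"
}

# Back up every listed firewall into DESTDIR/yyyy.mm.dd/; returns 1 if any failed.
run_backups() {
    outdir="$DESTDIR/$(date +%Y.%m.%d)"
    mkdir -p "$outdir" || return 1
    failed=0
    for pair in $(parse_backup_list "$CFGFILE" | tr ' ' ','); do
        name=${pair%%,*}
        ip=${pair#*,}
        if backup_device "$name" "$ip" "$outdir"; then
            echo "ok    $name ($ip) -> $outdir/$name.cfg"
        else
            echo "FAIL  $name ($ip)" >&2
            failed=1
        fi
    done
    return $failed
}

# Only run the backup when invoked as "backupNS.sh run", so the functions can
# also be sourced or tested without touching any firewall.
if [ "${1:-}" = run ]; then
    run_backups
fi
```

Accept each firewall's host key once interactively (ssh in as the backup user) before scheduling the job, since BatchMode refuses unknown keys. With a current OpenSSH client you may also need legacy options for these old devices, such as scp's -O to use the classic scp protocol rather than SFTP, or re-enabling older key-exchange and host-key algorithms; check the ssh error text, as the exact requirement depends on the ScreenOS build.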
I ran the script with one entry in BackupList.txt, but in C:\Backups it shows a folder with a date and that folder is empty. The username and password are correct.
Hi Mark, are SSHv2 and SCP enabled?
If you login with Putty first, you’ll be prompted to accept the host key. Do that and then it’ll work if everything is setup correctly on the device.
Thanks
That worked thanks, but now this is an issue…
Disconnected: No supported authentication methods available (Server sent:)
When I telnet in and use the get command, both scp and ssh are running...
Calgary_01-> get scp
SCP is enabled
SCP is ready
Calgary_01-> get ssh
SSH V2 is active
SSH is enabled
SSH is ready for connections
Maximum sessions: 6
Active sessions: 0
Also, what is the minimum OS version required for this script? I notice it doesn't support SSHv1.
Hi Mark
Are you able to SSH to it as opposed to telnet? If not, ssh may need to be reset:
delete ssh device all
set ssh version v2
set ssh enable
set scp enable
Awesome work, thanks!