2 Replies Latest reply on Mar 17, 2010 11:27 PM by tessebie

    SG560 - CLI Backup of Config

      Hi,

      Looking at a way of scripting (cron) the config files to a backup location (possible ftp transport).

       

      I know there is the /etc/config folder; is it a matter of getting only these files (dependent on the services we are using, of course)? Are other directories required?

       

      Anybody had any experience/success with a similar project?

       

      Of course the next part is to do a restore from the location of these files.

       

      Kind Regards

        • 1. Re: SG560 - CLI Backup of Config

          only /etc/config/ is needed...all config files are here.

           

          the easiest would be ssh/scp

           

          scp -r root@UTM:/etc/config .

           

          which will be easier with ssh public/private keys, and then you could cron it from a central server, as not all UTM devices have cron

           

          /etc/config/sshd_config

           

          has this field

           

          AuthorizedKeysFile /etc/config/%u_authorized_keys

           

          I will have to find out what the %u will do, but you can populate the file specified here for auto login.

           

          If you are not up to speed with ssh, then a look at the ssh docs will get you going

           

          http://www.openssh.com/manual.html
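Putting that reply's pieces together (key-based scp of /etc/config, cron on a central server rather than on the UTM) as one script. This is an added example written for this page, not code from the thread or from the SG560 vendor: the host name utm.example.net, the backup directory, the retention count and the FETCH override are placeholders and assumptions, and sha256sum is assumed to be GNU or busybox coreutils. Beyond the bare scp line it hashes each snapshot so a tampered or corrupted copy is caught before you ever restore from it, and it keeps the copies private because the config tree carries PSKs and password hashes.

```shell
#!/bin/sh
# Added example (not from the thread): pull /etc/config off an SG560 over scp,
# hash and verify the copy, and keep the newest $KEEP snapshots on a central
# server that has cron. Assumes key-based ssh login as root@UTM is already set
# up as the reply above describes; "utm.example.net" and the local paths are
# placeholders.
set -eu
umask 077   # the config tree holds PSKs and password hashes; keep copies private

UTM_HOST="${UTM_HOST:-root@utm.example.net}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/sg560}"
KEEP="${KEEP:-14}"
# Command that copies "$UTM_HOST:/etc/config" into a local directory.
# Overridable so the script can be exercised without a real UTM.
FETCH="${FETCH:-scp -q -r}"

# UTC timestamp used as the snapshot directory name (sorts chronologically).
stamp() { date -u +%Y%m%dT%H%M%SZ; }

# Fetch the remote /etc/config tree into "$1/config".
fetch_config() {
    dest="$1"
    mkdir -p "$dest"
    $FETCH "$UTM_HOST:/etc/config" "$dest/"
}

# Record a SHA-256 of every file in the snapshot so later tampering or bit-rot
# is detectable before you restore from it.
write_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
        | LC_ALL=C sort -k 2 ) > "$dir/SHA256SUMS"
}

# Non-zero exit if any file no longer matches the manifest.
verify_backup() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null )
}

# Remove all but the newest $KEEP snapshot directories under "$1".
prune_old() {
    ls -1d "$1"/[0-9]*T[0-9]*Z 2>/dev/null | LC_ALL=C sort \
        | awk -v keep="$KEEP" '{ a[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print a[i] }' \
        | while read -r old; do rm -rf -- "$old"; done
}

# One full backup run; prints the snapshot path on success.
run_backup() {
    dest="$BACKUP_ROOT/$(stamp)"
    fetch_config "$dest"
    write_manifest "$dest"
    verify_backup "$dest"
    prune_old "$BACKUP_ROOT"
    echo "$dest"
}

# Only act when invoked as "sg560-backup run", e.g. from the central server's cron:
#   17 2 * * * /usr/local/sbin/sg560-backup run
case "${1:-}" in
    run) run_backup ;;
esac
```

Run it from the central server's crontab, not the UTM's, and give the server a dedicated key whose authorized_keys entry on the UTM is restricted to this job (an OpenSSH `from=` / `command=` option) so a compromised backup host cannot do more than read the config. Restoring is the reverse copy of a verified snapshot into /etc/config followed by the reboot, which the next reply covers from the CLI side.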

          • 2. Re: SG560 - CLI Backup of Config

            This is kinda long... because I can...

             

            Cron Info for SG:

            It may interest you to know the following about cron on the SG.

            10 * * * * root /sbin/reboot
            That means at 10 minutes past the hour, every hour.

             

            We support ranges (5-39) and skips (/10). So you want
            */10 * * * * root /sbin/reboot
            Which means
            0,10,20,30,40,50 * * * * root /sbin/reboot
            in the old parlance.

             

            We don't support @annually/yearly/monthly type short-cut strings.

             

            Ranges and skips can be combined, e.g. every 5 minutes between 20 and 30
            minutes past the hour would be
            20-30/5 * * * *


            The crontab file is automatically checked for mods every minute,
            so NO need to tell /bin/cron that you changed it via SIGHUP or similar.

             

            Version 3+4 cgix CLI examples.

            version3

            /home/httpd/cgi-bin/cgix is the executable you care about.

            Text support report to stdout: cgix supportreport

            Note that the 'supportreport' string is the same string you would find in the URL if you clicked on the relevant support-report link.

            i.e. cgix <something> will work in many instances exactly the way you'd want it to.

             

            Backup configuration (not .sgc format though)
            this is the 'text' version from the gui.
              cgix configfiles

             

              ./cgix storerestore_local 'description=foobar' 'submit=Save'

             

            Version 4

             

            Text support report
              ./cgix supportreportview 'view=View' 2>&1

             

            Backup configuration to /etc/config/.SGsomething.

            i.e. when you save a config locally it saves it to /etc/config. If you 'ls -la /etc/config' you will see the saved configs there.

            They all have a '.' at the front so they don't display during 'normal' listings (it's a Linux 'dot-file' thing).
              ./cgix configfiles

            Save local configuration (into /etc/config/.SGsomething)
              ./cgix storerestore_local '.session=1234567' .form=store .page=storerestore description=foobar submit=Save
              except session-id doesn't work.

             


            Restore local configuration from /etc/config/.SGsomething
            shtcl
            config restore file
            sync -f
            reboot

             

            HTTP based reboot
            3.x:  cgi-bin/cgix/rebootnow
            4.x:  requires a post.

             

            TSR Support Report Emulator
            bring up an x86 vm which has the emulator built-in (not all do).
            http://ip/cgi-bin/cgix-load

             

            Execute tcl commands via the ui
               cgi-bin/cgix/debugexec

             

            Enter CGI debug mode
               cgi-bin/cgix/debug

             

             

            A lot of this stuff can also be done via shtcl/metash. Here are some generally useful examples (IMHO) that I've collected; they might come in handy for those intending to play in the CLI space. Are these relevant to the question? No, not directly, but CLI questions pop up from time to time, so I figured I might as well do a brain-dump. Might help a few of you with 'something'.

             

            All the strings / objects / paths mentioned hereunder can be found in Advanced -> Device-Config. i.e. if you want to do something like below, but to a different subsystem, configure it in the UI, then go to Device Config and 'check it out', and then you can replicate it with shtcl. If you want a slightly bigger example of what shtcl can do, read /bin/highavaild.

             

             

            Add aliases
            set co [config get ethernet<1> conn]
            set al [config new $co.alias ipaddr 1.2.3.4]
            config set $al netmask 32 index 3
            set al [config new $co.alias ipaddr 1.2.3.5]
            config set $al netmask 32 index 4

             


            enable/disable ipsec
            metash -c 'config load -update; config set [config ref vpn.ipsec.tunnel<name=test>] enabled 0; config save'

             

            'config load -update' prepares metash for writing. It'll work without that, but it's faster, as it
            would have to be done behind the scenes later anyway.

             

            'config save -flash' should be used to kick off an immediate flash update.

             


            -------------------
            bulk URL deny adding
            config new access_control.web_lists.web_list_block url first_url.com
            config new access_control.web_lists.web_list_block url second_url.com
            config save

             

            ----------------
            bulk addr range
            config set [config new firewall.fwaddress] desc $name lower $addr1 upper $addr2

             

            bulk DNS range
            config new firewall.fwhostname hostname first.host.com

             

            bulk addr group
            config ref firewall_fwaddress_group<name=mygroup>
            or
            set g [config ref firewall.fwaddress_group<name=mygroup>]
            config new $g.address address [config ref firewall.fwhostname<hostname=first.host.com>]
            config new $g.address address [config ref firewall.fwhostname<hostname=second.host.com>]

             

            ----
            bulk deleting

             

            config delete firewall_fwaddress
            config delete firewall_fwhostname
            deletes all fwaddresses/fwhostname - provided they are not being pointed to.

             

            config delete firewall_fwaddress_group<name=mygroup>
            deletes everything under that group.

             

            -------------------

             

            bulk-addr

             

            #!/bin/bash
            # reads "Name,Addr1,Addr2" lines from stdin and feeds the generated commands to metash

            TMP=/var/tmp.$$
            IFS=","
            while read -r Name Addr1 Addr2
            do
                echo "config set [config new firewall.fwaddress] desc \"$Name\" lower $Addr1 upper $Addr2" >> $TMP
            done
            echo "config save" >> $TMP

            metash $TMP
            rm $TMP

             


            -------------------
            ifconfig shtcl style
            set eth1 [config get ethernet<devname=eth1> conn]
            config set $eth1 ipaddr 10.0.0.1 netmask 24 gateway 10.0.0.255

             

             

             

            --------------------
            re-enable Admin Web Access
            config set adminaccess.wan web 1
            config set adminaccess.wan webssl 1
            config setmodified config.commit
            config save

             

            --------------------
            muck with Firewall Classes on LAN
            shtcl
            set conn [config get ethernet<1> conn]
            config set $conn fwclass wan
            config setmodified config.commit
            config save

             

             

             

            --------------------
            tcpdump via inetd / shtcl
            shtcl
            set inetd [config new inetd port 2001]
            config set $inetd proto tcp command "/bin/tcpdump -n -i eth1 -w -"
            config setmodified config.commit
            config save

             

            or manually edit inetd.conf
            2001 stream tcp nowait root /bin/tcpdump -n -i eth1 -w -

             


            --------------------
            Create a Firewall Address Definition
            config set [config new firewall.fwaddress] desc "A name" lower 1.2.3.4 upper 1.2.3.4
            config save

             

            --------

            If only I could customize the ssh/telnet login shells some, my life in CLI land would be so much nicer.

            # also remember 'bind' can do things to readline
            set -o vi
            PS1="\u@\h # "
            export INPUTRC=/etc/config/inputrc
            alias l='ls -la'

             

            if [ "$SHELL" = "/bin/sh" ]
            then
                export SHELL="/bin/bash"
                exec bash --login
            fi

             

            --------

            I've written some bash scripts, but I need to log things - but how do I get things into syslog from the CLI???

             

             

            logger
              outputs something to syslog, but not on all releases

             

            logd message foobar
              outputs "message foobar" to logd partition

             


            metash -c "syslog -ident thingy debug stuff"
            metash -c "syslog -ident thingy debug \"stuff with spaces\""
              outputs debug level message for program 'thingy' with message 'stuff' to syslog

             

            output a bunch of stuff to syslog from bash
              while stuff
              do
                  blah blah blah
              done | while read -r A; do
                metash -c "syslog -ident thingy debug \"$A\""
              done
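A hardened version of the bulk-addr idea from the reply above, as an added example written for this page (not the poster's script and not vendor code). The metash/shtcl syntax it emits, `config set [config new firewall.fwaddress] desc "..." lower ... upper ...` and `config save`, and the `metash <file>` invocation are taken from the reply; the "description,lower,upper" CSV layout, the `apply` argument, the allow-list and the file names are assumptions of this example. The point it adds: in the original loop `$Name` lands unescaped inside a Tcl double-quoted string, so a description containing `"`, `[` or `$` changes the commands metash executes. Allow-listing the description and parsing the addresses strictly (no leading-zero octets, which parsers read inconsistently as octal or decimal) closes that, and the render step fails closed so a half-valid CSV never results in a partial `config save`.

```shell
#!/bin/sh
# Added example (not from the thread): validate a "description,lower,upper" CSV
# and render it as metash commands. The command syntax comes from the post
# above; the CSV layout, allow-list and "apply" mode are this example's own.
set -eu
export LC_ALL=C

# Description: letters, digits, space, dot, underscore, hyphen only. Anything
# else could alter the Tcl string the description is interpolated into.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._\ -]*) return 1 ;;
    esac
    return 0
}

# Strict dotted-quad IPv4: four decimal octets 0-255, no leading zeros.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0|[1-9]*) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Dotted quad -> integer, for range ordering checks (input already validated).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Render metash commands for the CSV file "$1" to stdout. Fails closed:
# if any row is rejected nothing is printed and the exit status is 1.
render_fwaddress_script() {
    csv="$1"
    tmp=$(mktemp) || return 1
    bad=0
    n=0
    while IFS=, read -r name lower upper; do
        n=$((n + 1))
        case "$name" in ''|'#'*) continue ;; esac     # blank lines and comments
        if ! valid_name "$name"; then
            echo "line $n: description outside the allow-list: $name" >&2
            bad=1; continue
        fi
        if ! valid_ipv4 "$lower" || ! valid_ipv4 "$upper"; then
            echo "line $n: bad IPv4 address: '$lower' / '$upper'" >&2
            bad=1; continue
        fi
        if [ "$(ip2int "$lower")" -gt "$(ip2int "$upper")" ]; then
            echo "line $n: lower > upper: $lower $upper" >&2
            bad=1; continue
        fi
        printf 'config set [config new firewall.fwaddress] desc "%s" lower %s upper %s\n' \
            "$name" "$lower" "$upper" >> "$tmp"
    done < "$csv"
    if [ "$bad" -ne 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    echo 'config save' >> "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}

# Usage on the UTM:  sh bulk-fwaddress.sh apply addresses.csv
# (render only, to eyeball the result first:  sh bulk-fwaddress.sh render addresses.csv)
case "${1:-}" in
    render)
        render_fwaddress_script "$2"
        ;;
    apply)
        script=$(mktemp) || exit 1
        rc=1
        if render_fwaddress_script "$2" > "$script" && metash "$script"; then
            rc=0
        fi
        rm -f "$script"
        exit "$rc"
        ;;
esac
```

The same allow-list-then-render pattern applies to the other generated command lines in this reply (fwhostname entries, URL block lists, the syslog loop at the end): anything read from a file or another program's output should be checked before it is spliced into a metash command string.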