2 Replies Latest reply on Mar 17, 2010 11:27 PM by tessebie

    SG560 - CLI Backup of Config


      Looking at a way of scripting (cron) the config files to a backup location (possible ftp transport).


      I know there is the /etc/config folder, is it a matter of getting only these files (services we are using dependent of course)? Are other directories required?


      Anybody had any experience/success with a similar project?


      Of course the next part is to do a restore from the location of these files.


      Kind Regards

        • 1. Re: SG560 - CLI Backup of Config

          only /etc/config/ is needed...all config files are here.


          the easiest would be ssh/scp


          scp -r root@UTM:/etc/config* .


          which will be easier with ssh public/private keys, and then you could cron it from a central server, as not all UTM devices have cron




          has this field


          AuthorizedKeysFile /etc/config/%u_authorized_keys


          I will have to find out what the %u will do, but you can populate the file specified here for auto login.


          If you are not up to speed with ssh, then a look at the ssh docs will get you going
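
The scp-with-keys approach from the reply above, run from a central server's cron, as an added example that is not part of the thread. The host name `UTM` comes from the post; the key path, backup root and retention count are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pull /etc/config from an SG unit to a
# central backup host. Host name, key path and backup root are assumptions.
# In OpenSSH, %u in AuthorizedKeysFile expands to the login name, so the public
# half of KEY would be installed as /etc/config/root_authorized_keys.
BACKUP_ROOT=${BACKUP_ROOT:-/var/backups/sg}
KEY=${KEY:-$HOME/.ssh/sg_backup_key}
KEEP=${KEEP:-14}                      # snapshots kept per device

# snapshot_dir HOST STAMP -> snapshot path; fails on unsafe host strings
snapshot_dir() {
    case "$1" in
        ""|.*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s/%s/%s\n' "$BACKUP_ROOT" "$1" "$2"
}

# prune_old HOST -> remove all but the newest $KEEP snapshots, print how many
prune_old() {
    dir="$BACKUP_ROOT/$1"; removed=0
    for old in $(ls -1 "$dir" | sort -r | tail -n +$((KEEP + 1))); do
        rm -rf "${dir:?}/$old"; removed=$((removed + 1))
    done
    printf '%s\n' "$removed"
}

backup_host() {
    host=$1
    dest=$(snapshot_dir "$host" "$(date -u +%Y%m%dT%H%M%SZ)") || return 1
    umask 077                         # snapshots hold the full device config
    mkdir -p "$dest" || return 1
    # BatchMode fails instead of prompting under cron; StrictHostKeyChecking=yes
    # refuses a device whose host key is unknown or has changed.
    scp -r -q -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "root@$host:/etc/config" "$dest/" || { rm -rf "$dest"; return 1; }
    # Record hashes so a later restore can be checked against what was pulled
    ( cd "$dest" && find config -type f -exec sha256sum {} + > SHA256SUMS )
    prune_old "$host" > /dev/null
}

# Run only when a host is given, e.g. from cron: 15 2 * * * sg-backup.sh UTM
if [ $# -gt 0 ]; then backup_host "$1"; fi
```
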



          • 2. Re: SG560 - CLI Backup of Config

            This is kinda long... because I can...


            Cron Info for SG:

            It may interest you to know the following about cron on the SG.

            10 * * * * root /sbin/reboot
            That means at 10 minutes past the hour, every hour.


            We support ranges (5-39) and skips (/10). So you want
            */10 * * * * root /sbin/reboot
            Which means
            0,10,20,30,40,50 * * * * root /sbin/reboot
            in the old parlance.


            We don't support @annually/yearly/monthly type short-cut strings.


            Ranges and skips can be combined, e.g. every 5 minutes between 20-30
            minutes past the hour would be
            20-30/5 * * * *

            The crontab file is automatically checked for mods every minute,
            so NO need to tell /bin/cron that you changed it via SIGHUP or similar.


            Version 3+4 cgix CLI examples.


            /home/httpd/cgi-bin/cgix is the executable you care about.

            Text support report to stdout: cgix supportreport

            Note that the 'supportreport' string is the same string you would find in the URL if you clicked on the relevant support-report link.

            ie. cgix <something> will work in many instances exactly the way you'd want to.


            Backup configuration (not .sgc format though)
            this is the 'text' version from the gui.
              cgix configfiles


              ./cgix storerestore_local 'description=foobar' 'submit=Save'


            Version 4


            Text support report
              ./cgix supportreportview 'view=View' 2>&1


            Backup configuration to /etc/config/.SGsomething.

            ie. when you save a config locally it saves it to /etc/config. if you 'ls -la /etc/config' you will see the saved configs there.

            they all have a '.' at the front so they don't display during 'normal' listings (it's a linux 'dot-file' thing).
              ./cgix configfiles


            Save local configuration (into /etc/config/.SGsomething)
              ./cgix storerestore_local '.session=1234567' .form=store .page=storerestore
              description=foobar submit=Save
              except session-id doesn't work.


            Restore local configuration. from /etc/config/.SGsomething
            config restore file
            sync -f


            HTTP based reboot
            3.x:  cgi-bin/cgix/rebootnow
            4.x:  requires a post.


            TSR Support Report Emulator
            bring up an x86 vm which has the emulator built-in (not all do).


            Execute tcl commands via the ui


            Enter CGI debug mode



            A lot of this stuff can also be done via shtcl/metash. Here are some generally useful examples (IMHO) that I've collected. might come in handy for those intending to play in the CLI space. Are these relevant to the question - no not directly. but CLI questions crop up from time to time, so I figured I might as well do a brain-dump. might help a few of you with 'something'


            all the strings / objects / paths mentioned hereunder can be found in Advanced -> Device-Config. ie. if you want to do something like below, but to a different subsystem, configure it in the UI, then go to Device Config and 'check it out', then you can replicate it with shtcl. If you want a slightly bigger example of what shtcl can do, read /bin/highavaild.



            Add aliases
            set co [config get ethernet<1> conn]
            set al [config new $co.alias ipaddr]
            config set $al netmask 32 index 3
            set al [config new $co.alias ipaddr]
            config set $al netmask 32 index 4


            enable disable ipsec
            metash -c 'config load -update;config set [config ref vpn.ipsec.tunnel<name=test>] enabled 0;
            config save'


            'config load -update' prepares metash for writing. it'll work without that, but it's faster as it
            would have to be done behind the scene later anyway.


            'config save -flash' should be used to kick off an immediate flash update.


            bulk URL deny adding
            config new access_control.web_lists.web_list_block url first_url.com
            config new access_control.web_lists.web_list_block url second_url.com
            config save


            bulk addr range
            config set [config new firewall.fwaddress] desc $name lower $addr1 upper $addr2


            bulk DNS range
            config new firewall.fwhostname hostname first.host.com


            bulk addr group
            config ref firewall_fwaddress_group<name=mygroup>
            set g [config ref firewall.fwaddress_group<name=mygroup>]
            config new $g.address address [config ref firewall.fwhostname<hostname=first.host.com>]
            config new $g.address address [config ref firewall.fwhostname<hostname=second.host.com>]


            bulk deleting


            config delete firewall_fwaddress
            config delete firewall_fwhostname
            deletes all fwaddresses/fwhostname - provided they are not being pointed to.


            config delete firewall_fwaddress_group<name=mygroup>
            deletes everything under that group.








            TMP=/tmp/fwaddr.$$    # scratch file for the generated commands (example path)
            : > $TMP
            while read Name Addr1 Addr2
            do
                echo "config set [config new firewall.fwaddress] desc \"$Name\" lower $Addr1 upper $Addr2" >> $TMP
            done
            echo "config save" >> $TMP


            metash $TMP
            rm $TMP


            ifconfig shtcl style
            set eth1 [config get ethernet<devname=eth1> conn]
            config set $eth1 ipaddr netmask 24 gateway




            re-enable Admin Web Access
            config set adminaccess.wan web 1
            config set adminaccess.wan webssl 1
            config setmodified config.commit
            config save


            muck with Firewall Classes on LAN
            set conn [config get ethernet<1> conn]
            config set $conn fwclass wan
            config setmodified config.commit
            config save




            tcpdump via inetd / shtcl
            set inetd [config new inetd port 2001]
            config set $inetd proto tcp command "/bin/tcpdump -n -i eth1 -w -"
            config setmodified config.commit
            config save


            or manually edit inetd.conf
            2001 stream tcp nowait root /bin/tcpdump -n -i eth1 -w -


            Create a Firewall Address Definition
            config set [config new firewall.fwaddress] desc "A name" lower upper
            config save



            If only I could customize the ssh/telnet login shells some, my life in CLI land would be so much nicer.

            # also remember 'bind' can do things to readline
            set -o vi
            PS1="\u@\h # "
            export INPUTRC=/etc/config/inputrc
            alias l='ls -la'


            if [ "$SHELL" = "/bin/sh" ]
            then
                export SHELL="/bin/bash"
                exec bash --login
            fi



            I've written some bash scripts, but I need to log things - but how do I get things into syslog from the CLI???



              outputs something to syslog. but not on all releases


            logd message foobar
              outputs "message foobar" to logd partition


            metash -c "syslog -ident thingy debug stuff"
            metash -c "syslog -ident thingy debug \"stuff with spaces\""
              outputs debug level message for program 'thingy' with message 'stuff' to syslog


            output a bunch of stuff to syslog from bash
              while stuff
              do
                  blah blah blah
              done | while read A; do
                metash -c "syslog -ident thingy debug \"$A\""
              done
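
The bulk address loop and the syslog loop in the reply above both paste shell variables straight into a metash command string, so a name or log line containing `[ ]`, `$` or `"` would be interpreted rather than stored. The following added example (not part of the thread) quotes those values first; it assumes metash follows standard Tcl quoting rules, that addresses are dotted-quad IPv4, and that `mktemp` exists on the box, and the helper names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes metash follows standard Tcl
# quoting, where [..] and $name are substituted inside double quotes.

# tcl_quote STRING -> STRING as a double-quoted Tcl word with \ " $ [ ] escaped
tcl_quote() {
    q=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/["$]/\\&/g' \
                               -e 's/\[/\\[/g' -e 's/]/\\]/g')
    printf '"%s"' "$q"
}

# valid_ipv4 ADDR -> success only for dotted-quad IPv4 (assumed address format)
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# gen_fwaddress < list -> metash script on stdout; rejected lines go to stderr
gen_fwaddress() {
    while read -r Name Addr1 Addr2; do
        if valid_ipv4 "$Addr1" && valid_ipv4 "$Addr2"; then
            printf '%s\n' "config set [config new firewall.fwaddress] desc $(tcl_quote "$Name") lower $Addr1 upper $Addr2"
        else
            printf 'skipped: %s\n' "$Name" >&2
        fi
    done
    printf '%s\n' "config save"
}

# syslog_cmd IDENT LINE -> argument for: metash -c "$(syslog_cmd thingy "$A")"
syslog_cmd() {
    printf '%s\n' "syslog -ident $1 debug $(tcl_quote "$2")"
}

# Run only when a list file is given: each line is "Name Addr1 Addr2"
if [ $# -gt 0 ]; then
    umask 077
    TMP=$(mktemp) || exit 1        # mktemp availability on the device is assumed
    gen_fwaddress < "$1" > "$TMP" && metash "$TMP"
    rm -f "$TMP"
fi
```
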