Checkpoint – back up centrally for recovery.


Backing up firewall configs for disaster recovery is a tedious and mundane task, and once you have enough firewalls, doing it manually becomes impractical. To address this I set up a hardened server that periodically runs a script backing up the clients' firewalls.

I use a poll model here: the central server connects to each remote firewall over SSH, issues the upgrade_export command, downloads the resulting backup with SCP and finally deletes the backup from the firewall itself.
The advantages of this scheme over the push model, where the firewalls push their backups to the central server, are:
 - I can secure this server much more tightly, as no remotely accessible services run on it (so there is no listening service to exploit remotely)
 - I can have a rule in the firewall in front of this server: Inbound -> Deny Any Any
 - I manage the backup script centrally; if something changes, I fix just one script.
Disadvantage: the password used to log in to the firewalls is stored in clear text in the script.
Now to the script. I wrote it in Expect to make life easier. In short, it emulates an interactive SSH login, runs the upgrade_export command, creates a file with the md5sum of the backup, downloads both the backup and the md5sum file with SCP, and finally logs back in over SSH and removes the backup file from the firewall.
It names the file by prepending the current date to the IP of the firewall. No error checking is done. Files used by the script:
hosts - a file containing the IPs of the firewalls to back up, one per line.

The script follows (at the end you can download the script as a file, to avoid problems with line wrapping):

#!/usr/local/bin/expect
# Set the timeout high enough for the largest backup file to download
set timeout 3000

# Credentials used to log in to the firewalls (stored in clear text, see above)
set password password
set username admin
# Date prefix used for naming the backup files
set timeand_date [clock format [clock seconds] -format %B-%Y-%m-%d]
# Directory created on the firewall to hold the backup
set backupdir /var/Upgrade_export_backups

# Open the hosts file containing the IPs of the firewalls and process it line by line
set ff [open "hosts" r]
while {[gets $ff hostName] >= 0} {
    # Skip empty lines
    if {[string trim $hostName] eq ""} { continue }

    puts "Entering $hostName"
    # Log in over SSH; accept the host key on first connection if asked
    spawn ssh -l $username $hostName
    expect {
        "(yes*no)"     { send "yes\r"; exp_continue }
        {[Pp]assword:} { send "$password\r" }
    }

    # Increase the idle timeout of the SSH session so the export is not cut off
    expect {*#} { send "TMOUT=900\r" }
    expect {*#} { send "export TMOUT\r" }
    # Create the backup directory (-p: no error if it already exists from a previous run)
    expect {*#} { send "mkdir -p $backupdir\r" }
    expect {*#} { send "cd $backupdir\r" }
    # Issue the upgrade_export command; it appends .tgz to the given file name
    expect {*#} { send "\$FWDIR/bin/upgrade_tools/upgrade_export $timeand_date$hostName\r" }
    # Answer the prompt; the brackets are escaped so the glob pattern matches the
    # literal "[n]" rather than the single character n
    expect {
        {ready}       { send "\r" }
        {(y/n) \[n\]} { send "yes\r" }
    }
    # Save the md5sum of the newly created backup file next to it
    expect {*#} { send "md5sum $timeand_date$hostName.tgz > $timeand_date$hostName.md5sum\r" }
    expect {*#} { send "exit\r" }
    expect eof

    # Download the backup and its md5sum file into the current directory
    spawn scp $username@$hostName:$backupdir/\{$timeand_date$hostName.md5sum,$timeand_date$hostName.tgz\} .
    expect {[Pp]assword:} { send "$password\r" }
    # scp exits on its own, there is no prompt to wait for
    expect eof

    # Log in again and remove the backup file from the firewall
    spawn ssh -l $username $hostName
    expect {
        "(yes*no)"     { send "yes\r"; exp_continue }
        {[Pp]assword:} { send "$password\r" }
    }
    expect {*#} { send "cd $backupdir\r" }
    expect {*#} { send "rm -f $timeand_date$hostName.tgz\r" }
    expect {*#} { send "exit\r" }
    expect eof
}
close $ff

Script as a file
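The script stores an md5sum next to each backup, but nothing above ever checks it. As an added example (not part of the original post or its script), here is a POSIX shell check for the central server that verifies every downloaded .tgz against its .md5sum sidecar, using the script's own naming scheme; the backup directory and the sample files it builds are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify the backups the Expect
# script pulls down against the .md5sum sidecar it creates on the firewall.
# Naming follows the script, <Month-YYYY-MM-DD><IP>.tgz plus <same>.md5sum,
# e.g. March-2010-03-15192.168.1.1.tgz; the backup directory is an assumption.

# MD5 of a local file via md5sum (GNU) or md5 (BSD/macOS); prints only the hash.
local_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# verify_backup <dir/backup.tgz>
# Returns 0 = hash matches, 1 = mismatch, 2 = archive or sidecar missing.
verify_backup() {
    tgz=$1; sidecar=${tgz%.tgz}.md5sum
    [ -f "$tgz" ]     || { echo "MISSING archive  $tgz" >&2; return 2; }
    [ -f "$sidecar" ] || { echo "MISSING checksum $sidecar" >&2; return 2; }
    # The sidecar is md5sum(1) output "<hash>  <name>"; compare the hash only,
    # so the name recorded on the firewall need not match the local path.
    expected=$(cut -d' ' -f1 "$sidecar"); actual=$(local_md5 "$tgz")
    [ "$expected" = "$actual" ] && { echo "OK   $tgz"; return 0; }
    echo "FAIL $tgz: recorded $expected, computed $actual" >&2
    return 1
}

# verify_dir <dir>: check every archive in the backup directory; 1 if any fails.
verify_dir() {
    rc=0
    for f in "$1"/*.tgz; do [ -e "$f" ] && { verify_backup "$f" || rc=1; }; done
    return $rc
}

# Constructed demo data: one intact backup and one altered after its checksum
# was written (what a corrupted transfer or a tampered file looks like).
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
good=$demo_dir/March-2010-03-15192.168.1.1.tgz
bad=$demo_dir/March-2010-03-1510.0.0.2.tgz
for f in "$good" "$bad"; do
    printf 'constructed backup payload for %s\n' "$f" > "$f"
    printf '%s  %s\n' "$(local_md5 "$f")" "$(basename "$f")" > "${f%.tgz}.md5sum"
done
printf 'tampered\n' >> "$bad"

verify_dir "$demo_dir" || echo "At least one backup failed verification" >&2
```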

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.