Introduction
This document describes the basic concepts involved in writing scripts on an external host that trigger and retrieve configuration backups from a Cisco Email Security Appliance (ESA).
Note: This article is a proof-of-concept and provided as an example basis. While these steps have been successfully tested, this article is primarily for demonstration and illustration purposes. Custom scripts are outside of the scope and supportability of Cisco. Cisco Technical Assistance will not write, update, or troubleshoot custom external scripts at any time.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- OS scripting and task scheduling
- SSH keypair configuration and procedures
How Can I Automate or Script Configuration File Backups?
The configuration file is generated on demand when you run saveconfig or mailconfig from the CLI, or use the equivalent backup options in the GUI (System Administration > Configuration File). For a backup that can later be loaded back onto an ESA, the passwords should be "unmasked": the appliance then writes a hashed form of the local administrative account passwords into the file instead of leaving them out. Because the file is built on request rather than kept on the device as a flat "running configuration", it cannot simply be copied off. The approach here is to connect to the appliance over SSH, issue the command that builds the current configuration, and then either copy the resulting file or have the appliance mail it, all without user intervention. Once that works, the task can be repeated or scheduled to run on a regular basis. Because the file contains password hashes, treat it as sensitive: store it with restrictive permissions and limit who can read the backup location and any mailbox it is sent to.
To quickly and automatically back up configuration files with passwords unmasked:
- Generate an SSH key pair, install the public key on the appliance for the account you will use, and verify that you can log in over SSH without being prompted for a password. The private key grants administrative access to the ESA, so protect it like the admin password (owner-only file permissions on a host that is itself locked down).
- Create a script that logs in to the appliance, saves the configuration, and copies it (or mails it).
Note: Similar logic can be applied in any OS scripting language, such as VBScript or batch files on Windows.
Saving the Configuration to a Specified Host Using saveconfig
#!/bin/bash
#
# Simple script to save the ESA config, then copy it locally via SCP.
#
# $HOSTNAME can be either an FQDN or an IP address.
HOSTNAME="[FQDN OR IP ADDRESS]"
# $USERNAME assumes that you have preconfigured an SSH key from this host to your ESA.
USERNAME=admin
# saveconfig prints the name of the file it wrote. Strip the /configuration/ path,
# the trailing period and any quotes so that only the bare file name remains.
FILENAME=$(ssh "$USERNAME@$HOSTNAME" "saveconfig yes" | grep xml | sed -e 's/\/configuration\///g' | sed 's/\.$//g' | tr -d '"')
scp "$USERNAME@$HOSTNAME:/configuration/$FILENAME" .
Once you make the script executable and run it, you should see output similar to the following:
jsmith@linux_server:~$ ./esa_backup
C000V-564D1A718795ACFED603-1A77BAD60A5A-20140902T222913.xml 100% 158KB 157.9KB/s 00:00
jsmith@linux_server:~$ ls -la
total 1196
drwx------ 10 jsmith jsmith 40960 Sep 2 22:29 .
drwxr-xr-x 13 root root 4096 Aug 13 22:22 ..
-rw-rw---- 1 jsmith jsmith 161642 Sep 2 22:29 C000V-564D1A718795ACFED603-1A77BAD60A5A-20140902T222913.xml
Running ls -la lists the contents of the directory on your local system. Verify the file name, timestamp, and overall XML file size. The copy contains the appliance's password hashes, so it should not be group- or world-readable: the -rw-rw---- mode shown above still lets group members read it, and chmod 600 (or a umask of 077 in the script) tightens that to the owner only.
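As an added example that is not part of the original article, the saveconfig approach above carried a step further into a script that is safe to run unattended from cron: it fails instead of hanging if the key is not accepted, extracts the file name without depending on the exact wording of the saveconfig message, downloads with owner-only permissions, checks that the copy is non-empty XML, records a SHA-256 hash, and prunes old copies. The host name, backup directory, retention count and the saveconfig message shown in the comments are assumptions or placeholders, not values from the article or the ESA.

```bash
#!/bin/bash
# esa_backup_hardened: added example, not code from the Cisco article.
# Assumes key-based SSH access from this host to the ESA, as in the article.
set -eu

# Placeholders; override from the environment or edit before use.
ESA_HOST="${ESA_HOST:-esa.example.com}"      # assumed FQDN or IP of the ESA
ESA_USER="${ESA_USER:-admin}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/esa-backups}"
KEEP="${KEEP:-30}"                           # number of .xml copies to retain

# Read saveconfig output on stdin and print the bare .xml file name it mentions.
# The article's pipeline strips "/configuration/", a trailing period and quotes;
# matching the basename directly works for any wording that contains the name,
# e.g. the constructed line:
#   File written to "/configuration/C000V-...-20140902T222913.xml".
extract_config_filename() {
    grep -o '[A-Za-z0-9._-]*\.xml' | head -n 1
}

# Minimal checks on a downloaded copy: non-empty and starting with "<?xml".
# Returns 0 when the file passes, 1 otherwise.
verify_config_file() {
    local f="$1"
    [ -s "$f" ] || return 1
    head -c 5 "$f" | grep -q '^<?xml' || return 1
}

backup_esa() {
    local out name dest
    umask 077                # the file holds password hashes: owner-only access
    mkdir -p "$BACKUP_DIR"

    # BatchMode=yes makes ssh/scp fail outright instead of waiting on a
    # password prompt that nobody will answer under cron.
    out=$(ssh -o BatchMode=yes "$ESA_USER@$ESA_HOST" "saveconfig yes")
    name=$(printf '%s\n' "$out" | extract_config_filename)
    if [ -z "$name" ]; then
        echo "esa_backup: no .xml file name in saveconfig output: $out" >&2
        return 1
    fi

    dest="$BACKUP_DIR/$name"
    scp -q -o BatchMode=yes "$ESA_USER@$ESA_HOST:/configuration/$name" "$dest"
    if ! verify_config_file "$dest"; then
        echo "esa_backup: $dest is empty or not XML; removing it" >&2
        rm -f "$dest"
        return 1
    fi

    # Record a hash so later corruption or tampering of the backup is detectable.
    (cd "$BACKUP_DIR" && sha256sum "$name" >> SHA256SUMS)

    # Keep only the newest $KEEP copies (ls -t sorts newest first).
    ls -1t "$BACKUP_DIR"/*.xml | tail -n +"$((KEEP + 1))" | xargs -r rm -f --
    echo "$dest"
}

# Run the backup only when invoked as "esa_backup_hardened run", so the
# functions above can also be sourced or checked on their own.
if [ "${1:-}" = "run" ]; then
    backup_esa
fi
```

Schedule it the same way as the simpler script (for example `/home/jsmith/esa_backup_hardened run` in the crontab). Because the file name check and the XML check are separate functions, a failed run leaves no half-written or empty file behind and exits non-zero, which is what cron's mail or a wrapper that alerts on failure needs to see.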
Emailing the Configuration to an Email Address Using mailconfig
#!/bin/bash
#
# Simple script to email the ESA config to a pre-specified email address.
#
# $HOSTNAME can be either an FQDN or an IP address.
HOSTNAME="[FQDN OR IP ADDRESS]"
# $USERNAME assumes that you have preconfigured an SSH key from this host to your ESA.
USERNAME=admin
# $MAILDEST is the preconfigured destination email address.
MAILDEST=backups@example.com
# Double quotes are required here: inside single quotes $MAILDEST is not expanded,
# and the literal text "$MAILDEST" would be sent to the ESA as the address.
ssh "$USERNAME@$HOSTNAME" "mailconfig $MAILDEST yes"
Schedule Your Task to Run on a Regular Basis (UNIX/Linux)
Use cron (UNIX/Linux) to run the job regularly. Cron is driven by a crontab (cron table) file, which lists shell commands to run periodically at given times. Each user has their own crontab, edited with crontab -e, and the cron daemon reads the jobs and schedules from those files.
UNIX/Linux cron config file typically follows this format:
minute (0-59), hour (0-23, 0 = midnight), day (1-31), month (1-12), weekday (0-6, 0 = Sunday), command
So a good example entry to run this script every day at 2:00 AM would look like:
00 02 * * * /home/jsmith/esa_backup
Cron runs jobs with a minimal environment and no terminal, so use absolute paths in the script and make sure the SSH key it uses can be read without a passphrase prompt (either a key with no passphrase, protected by owner-only file permissions, or an agent that is available to the cron job). Restrict read access to the key and to the backup directory to the account that runs the job.
How Can I Automate or Script Configuration File Backups from a Windows System?
With the following procedure, you can back up the configuration file regularly from a Windows system.
- Install the terminal emulator PuTTY.
- Create a text file named send_config.txt containing the mailconfig command and a valid email address. (For simplicity, place it under C:\)
mailconfig example@example.com
- Create a batch file named send_config_batch.bat containing the following PuTTY command. (For simplicity, also place it under C:\)
C:\putty.exe -ssh hostname -l admin -pw password -m C:\send_config.txt
exit
Note: Be sure to change hostname to the FQDN or IP address of your ESA, and password to the actual password for the admin account. Be aware that -pw stores the admin password in clear text in the batch file and passes it on the command line, where other users of the system may be able to read it. Prefer key-based authentication: generate a key pair with PuTTYgen, install the public key on the ESA as in the UNIX/Linux procedure, and replace -pw password with -i C:\path\to\key.ppk, keeping the .ppk file readable only by the account that runs the task.
Schedule Your Task to Run on a Regular Basis (Windows)
Using Task Scheduler, or a similar scheduling tool in Windows, add send_config_batch.bat as a scheduled task.
The ESA configuration file will be mailed to the address specified in send_config.txt.
Related Information