自动执行或编写集群中ESA的配置文件备份脚本

下载选项

  • PDF     (352.9 KB)
    在各种设备上使用 Adobe Reader 查看
  • ePub     (80.0 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
  • Mobi (Kindle)     (67.5 KB)
    在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看
已更新: 2016 年 4 月 6 日
文档 ID:118403

非歧视性语言

此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

简介

本文档介绍如何使用批处理命令从思科邮件安全设备(ESA)集群中的设备保存配置。这可在所有版本的AsyncOS for ESA上使用。

在AsyncOS版本8.5之前,集群设备无法保存可用配置以用于将配置恢复到Cisco ESA。要从设备获取可用配置,必须从集群中删除设备并将配置另存为独立设备。

先决条件

注意:本文是概念验证,并提供了示例基础。虽然这些步骤已经过成功测试,但本文主要用于演示和说明目的。自定义脚本不属于思科的范围和受支持范围。思科技术支持中心不会随时编写、更新自定义外部脚本或对其进行故障排除。 在尝试和构建任何脚本之前,请确保您在构建最终脚本时具备脚本知识。

从集群中的ESA收集以下信息:

  • IP地址和/或主机名
  • 群集名称
  • 群集组名称(如果适用)

有关适用于邮件安全的AsyncOS版本,请参阅CLI参考指南,因为CLI的批次更改取决于ESA运行的版本。

阅读并理解以下TechNotes:

自动执行或编写集群中设备的配置文件备份的脚本

对于早于版本8.5的AsyncOS版本,当您在集群中尝试使用saveconfigmailconfig命令保存配置时,ESA会生成以下警告:

WARNING: Clustered machines do not support loadconfig. Your configuration file has
 complete  data for the entire cluster, but cannot be used to restore a configuration.
[an error occurred while processing this directive]

在AsyncOS版本8.5及更高版本中,保存的配置现在包含计算机级配置和集群配置。8.5版及更高版本的用户指南对此进行了详细介绍。有关完整详细信息,请参阅最终用户指南

无需备份集群中每台设备的配置。但是,网络中可以有多个集群,每个集群可以配置多个组。从集群中删除每个设备,然后手动保存配置并重新加入集群是非常困难的。

如果登录ESA,从集群中删除ESA,保存或通过邮件发送配置,然后再次加入集群,则可以使用以下命令

首先,必须知道集群中ESA的计算机名称和序列号以及组名称。如果在CLI上输入clusterconfig list,可以获取此信息:

(Cluster ESA1_ESA2)> clusterconfig list

Cluster esaA_esaB
=====================
 Group Main_Group:
 Machine ESA1.local (Serial #: 0000E878109A-G091111) 
 Machine ESA2.local (Serial #: 0000E878525D-9091111)
[an error occurred while processing this directive]

要从集群中删除设备,请使用clusterconfig removemachine <appliance name>命令:

(Cluster ESA1_ESA2)> clusterconfig removemachine ESA1.local

Please wait, this operation may take a minute...
Machine ESA1.local removed from the cluster.
[an error occurred while processing this directive]

使用saveconfig命令将配置保存到设备上,并设置密码。如前所述,“不能使用loadconfig命令加载带屏蔽密码的文件。” 因此,请确保在出现提示时输入N

ESA1.local> saveconfig

Do you want to mask the password? Files with masked passwords cannot be loaded
using loadconfig command. [Y]> n

File written on machine "esaA.local" to the location
"/configuration/C100V-0000E878109A-G091111-20140909T184724.xml".
Configuration saved. 
[an error occurred while processing this directive]

或者,使用mailconfig将配置通过电子邮件发送给有效的电子邮件收件人。如前所述,“不能使用loadconfig命令加载带屏蔽密码的文件。” 因此,请确保在出现提示时输入N

ESA1.local> mailconfig

Please enter the email address to which you want to send the configuration file.
Separate multiple addresses with commas.
[]> joe@example.com

Do you want to mask the password? Files with masked passwords cannot be loaded
using loadconfig command. [Y]> n

The configuration file has been sent to joe@example.com.
[an error occurred while processing this directive]

最后,使用clusterconfig batch命令将设备重新加入集群:

clusterconfig join [--port=xx] <ip_of_remote_cluster> <admin_username>
<admin_password> <groupname>
[an error occurred while processing this directive]

为了继续上一个示例,将在以下命令中执行此命令:

esaA.local> clusterconfig join --port=22 172.16.6.161 admin ironport Main_Group

Joining a cluster takes effect immediately, there is no need to commit.
(Cluster ESA1_ESA2)>
[an error occurred while processing this directive]

您将看到命令提示符自动更改为集群级别名称,如上一个示例中记为“集群ESA1_ESA2)”。

高级自动或脚本化配置文件备份

从外部主机(UNIX/Linux/OSX)上,您可以使用以上命令对进程编写脚本。

以下是将整个过程写入脚本的示例,假设集群通过安全外壳(SSH)端口22运行:

#! /bin/bash
#
# Script to save the ESA config, then copy locally via SCP. This is assuming you 
wish to
# have the cluster in SSH via port 22. This script has been written and tested against
# AsyncOS 9.0.0-390 (01/15/2014).
#
# *NOTE* This script is a proof-of-concept and provided as an example basis. While
these steps have 
# been successfully tested, this script is for demonstration and illustration purposes. 
Custom 
# scripts are outside of the scope and supportability of Cisco. Cisco Technical 
Assistance will 
# not write, update, or troubleshoot custom external scripts at any time.
#
# <SCRIPT>
#
# $HOSTNAME & $HOSTNAME2 can be either the FQDN or IP address of the ESAs in cluster.
#
HOSTNAME= [IP/HOSTNAME ESA1]
HOSTNAME2= [IP/HOSTNAME ESA2]
#
# $MACHINENAME is the local name for ESA1.
# 
MACHINENAME= [MACHINENAME AS LISTED FROM 'clusterconfig list']
#
# $USERNAME assumes that you have preconfigured SSH key from this host to your ESA.
# http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/
118305-technote-esa-00.html
#
USERNAME=admin
#
# $BACKUP_PATH is the directory location on the local system.
#
BACKUP_PATH= [/local/path/as/desired]
#
# Following will remove ESA1 from cluster in order to backup standalone config.
# "2> /dev/null" at the end of string will quiet any additional output of the 
clustermode command.
#
echo "|=== PHASE 1 ===| REMOVING $MACHINENAME FROM CLUSTER"
ssh $USERNAME@$HOSTNAME "clustermode cluster; clusterconfig removemachine 
$MACHINENAME" 2> /dev/null
#
# $FILENAME contains the actual script that calls the ESA, issues the 'saveconfig' 
command.
# The rest of the string is the cleanup action to reflect only the <model>-
<serial number>-<timestamp>.xml.
#
echo "|=== PHASE 2 ===| BACKUP CONFIGURATION ON ESA"
FILENAME=`ssh -q $USERNAME@$HOSTNAME "saveconfig y 1" | grep xml | sed -e 
's/\/configuration\///g' | sed 's/\.$//g' | tr -d "\""`
#
# The 'scp' command will secure copy the $FILENAME from the ESA to specified 
backup path, as entered above.
# The -q option for 'scp' will disable the copy meter/progress bar.
#
echo "|=== PHASE 3 ===| COPY XML FROM ESA TO LOCAL"
scp -q $USERNAME@$HOSTNAME:/configuration/$FILENAME $BACKUP_PATH
#
# Following will re-add ESA1 back into cluster.
#
echo "|=== PHASE 4 ===| ADDING $MACHINENAME BACK TO CLUSTER"
ssh $USERNAME@$HOSTNAME "clusterconfig join $HOSTNAME2 admin ironport 
Main_Group" 2> /dev/null
#
echo "|=== COMPLETE ===| $FILENAME successfully saved to $BACKUP_PATH"
#
# </SCRIPT>
#
[an error occurred while processing this directive]

下面是脚本中嵌入的主要命令的检查:

  • 从集群中删除ESA1:

    ssh $USERNAME@$HOSTNAME "clustermode cluster; clusterconfig removemachine 
    $MACHINENAME" 2> /dev/null
    [an error occurred while processing this directive]

  • 下载独立配置文件:

    FILENAME=`ssh -q $USERNAME@$HOSTNAME "saveconfig y 1" | grep xml | sed -e 's/
    \/configuration\///g' | sed 's/\.$//g' | tr -d "\""`
    [an error occurred while processing this directive]

  • 将XML从ESA1复制到本地主机:

    scp -q $USERNAME@$HOSTNAME:/configuration/$FILENAME $BACKUP_PATH
    [an error occurred while processing this directive]

  • 将ESA1放回集群中。

    ssh $USERNAME@$HOSTNAME "clusterconfig join $HOSTNAME2 admin ironport 
    Main_Group" 2> /dev/null
    [an error occurred while processing this directive]

操作中脚本的完整示例应会得出以下结果:

my_host$ ./cluster_backup 
|=== PHASE 1 ===| REMOVING ESA1.local FROM CLUSTER
Please wait, this operation may take a minute...
Machine ESA1.local removed from the cluster.
|=== PHASE 2 ===| BACKUP CONFIGURATION ON ESA
|=== PHASE 3 ===| COPY XML FROM ESA TO LOCAL
|=== PHASE 4 ===| ADDING ESA1.local BACK TO CLUSTER
Joining a cluster takes effect immediately, there is no need to commit.
|=== COMPLETE ===| C100V-0000E878109A-G091111-20150116T192955.xml successfully 
saved to /Users/saved_esa_configurations/
[an error occurred while processing this directive]

相关信息

修订历史记录

版本 发布日期 备注
1.0
13-Oct-2014
初始版本
TAC Authored

由思科工程师提供

  • 雷汉·拉蒂夫
    思科TAC工程师
  • 罗伯特·舍温
    思科TAC工程师

此文档是否有帮助?

Feedback反馈

联系我们

本文档适用于以下产品