Introduction: How to Backup a Netscreen Firewall

About: I like to tinker with just about anything, sometimes it works out in the end. Have fun looking at the projects, try tearing something open and let me know how it goes. cheers, -Joe

This instructable shows a script that can be used to automate backups of a netscreen firewall running ScreenOS.

Step 1: Requirements

This script is written in Expect and assumes SSH is enabled on your NetScreen and that you are running it from a Linux environment.

If you have never checked out Expect, O'Reilly has a great book, "Exploring Expect":
http://oreilly.com/catalog/9781565920903/

Step 2: Variables

We will start with setting some variables.

You will want to set the port/username/password/netscreen/prompt variables to match your environment.

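#!/usr/bin/expect
#Expect script to backup config of netscreen firewalls
#Joe


#Set some vars
# Seconds every expect block waits before taking its timeout branch.
set timeout 60
set user "root"
# The password is read from the NETSCREEN_PASSWORD environment variable (a
# name chosen for this script) when it is set, so the secret does not have to
# live in a file that anyone able to read the script can also read. The
# literal below is only a fallback for the old behaviour.
if { [info exists env(NETSCREEN_PASSWORD)] } {
  set password $env(NETSCREEN_PASSWORD)
} else {
  set password "password"
}
set port "2022"
set netscreen "foo.bar.com"
set basedir "/mnt/netapp/backups/foo.bar.com"
# Compute the date once so the file name and the mail subject always agree
# (two separate timestamp calls could straddle midnight).
set today [timestamp -format %Y-%m-%d]
set log "$today-config.txt"
set mailto "joe@foo.com"
set mailsubject "Error: netscreen backup failed $today "
# Set to a non-empty message by any failing step; checked before mailing.
set mailfail ""
# Must match the firewall's CLI prompt exactly, including the trailing space.
set prompt "foo-> "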

Step 3: Connect

Next in the script we will try and connect.

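send_user "NetScren Backup Script\n"

send_user "Connecting to $netscreen\n"

# StrictHostKeyChecking=yes makes ssh refuse an unknown or changed host key
# instead of asking "Are you sure you want to continue connecting?", a
# question this script never answers and would only time out on. The
# firewall's key must therefore already be in known_hosts of the user
# running the backup. -p is given before the destination so it is parsed as
# an option on every ssh build, not only on glibc systems.
spawn ssh -o StrictHostKeyChecking=yes -p $port $user@$netscreen
expect {
  "password:" {
    send "$password\r"
    expect {
      "$prompt" {
        send_user "Connected"
      } "Permission denied" {
        send_user "Invalid password, exiting"
        set mailfail "Invalid password, exiting"
        close
      } timeout {
        send_user "No prompt returned"
        set mailfail "No prompt returned"
        close
      }
    }
  } "Host key verification failed" {
    # Key not in known_hosts, or it changed: fail rather than accept it.
    send_user "Host key of $netscreen is unknown or changed, exiting\n"
    set mailfail "Host key of $netscreen is unknown or changed, exiting\n"
  } "No route to host" {
    send_user "Unable to connect to $netscreen\n"
    set mailfail "Unable to connect to $netscreen\n"
  } "Name or service not known" {
    send_user "Unable to connect to $netscreen\n"
    set mailfail "Unable to connect to $netscreen\n"
  } eof {
    # ssh exited with a message none of the patterns above matched; without
    # this branch the script would carry on and send commands to a dead pty.
    send_user "Connection to $netscreen closed before login\n"
    set mailfail "Connection to $netscreen closed before login\n"
  } timeout {
    # The original read "timeout{" (no space), which Tcl parses as a literal
    # pattern named "timeout{" and silently breaks the whole expect list.
    send_user "Timeout conncting to $netscreen"
    set mailfail "Timeout conncting to $netscreen"
    close
  }
}

if { $mailfail != "" } {
  exec /bin/mail -s$mailsubject $mailto << "
$mailfail"
  # Non-zero status so cron or a wrapper can tell the backup failed.
  exit 1
}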

Step 4: Turn Off Paging

You need to turn off paging - that is, the "more" prompt - on the NetScreen.

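#Disable the "more" prompt

send "set console page 0\r"
expect {
  "$prompt" {
    send_user "\nPaging Disabled\n"
  } default {
    # default matches both timeout and eof, so the separate timeout branch the
    # original listed after it could never run and has been dropped.
    # Report to the operator with send_user: the original used send, which
    # typed this sentence into the firewall CLI as if it were a command.
    send_user "ScreenOS did not except paging option\n"
    set mailfail "ScreenOS did not except paging option."
    close
  }
}
if { $mailfail != "" } {
  exec /bin/mail -s$mailsubject $mailto << "
$mailfail"
  # Non-zero status so cron or a wrapper can tell the backup failed.
  exit 1
}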

Step 5: Get Config

We will now get the config.

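send_user "Downloading Configuration\n"
# Make sure the target directory exists, then create the dump file with
# mode 0600 before logging starts: the file holds the firewall's complete
# configuration, so it must never be world-readable even briefly. Without
# TRUNC an existing file for today is left intact and log_file appends to it,
# as the original did.
file mkdir $basedir
close [open $basedir/$log {WRONLY CREAT} 0600]
log_file $basedir/$log
send "get config\r"
expect {
  "$prompt" {
    log_file
    send_user "\nConfiguration Downloaded\n"
  }
  timeout {
    # Stop logging here too so the partial file is flushed and closed.
    log_file
    send_user "\nError during configuration download."
    set mailfail "Error during configuration download."
  }
}
close
# Reap the ssh process; close alone leaves it as a zombie.
wait
if { $mailfail != "" } {
  exec /bin/mail -s$mailsubject $mailto << "
$mailfail"
  # Non-zero status so cron or a wrapper can tell the backup failed.
  exit 1
}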

Step 6: Check to See If the Config Is the Right Size

We will now check to see if the config is at least 1 KB.

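# A missing file is treated as size 0 so it is reported like a truncated one
# instead of making file size raise an error.
if { [file exists $basedir/$log] } {
  set filesize [file size $basedir/$log]
} else {
  set filesize 0
}
# Anything at or under 1 KB cannot be a real ScreenOS configuration.
if { $filesize <= 1024 } {
  send_user "Netscreen config is too small, please investigate\n"
  set mailfail "Netscreen config is too small, please investigate\n"
  exec /bin/mail -s$mailsubject $mailto << "
$mailfail"
  # Non-zero status so cron or a wrapper can tell the backup failed.
  exit 1
}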

Step 7: Cleanup

Let's run a little cleanup to remove configs older than two weeks.
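#Remove config older than 2 weeks
# Tcl does not strip single quotes, so the original passed the pattern
# '*config.txt*' (quotes included) to find, and it had no action at all, so
# nothing was ever removed. -type f keeps find from touching directories.
if { $basedir != "" } {
  exec find $basedir -type f -name "*config.txt*" -mtime +14 -delete
}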

Step 8: All Together

Put it all together now. It is attached as a text file. It will send emails on any failures.

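#!/usr/bin/expect
#Expect script to backup config of netscreen firewalls
#Joe

#Set some vars
# Seconds every expect block waits before taking its timeout branch.
set timeout 60
set user "root"
# The password is read from the NETSCREEN_PASSWORD environment variable (a
# name chosen for this script) when it is set, so the secret does not have to
# live in a file that anyone able to read the script can also read. The
# literal below is only a fallback for the old behaviour.
if { [info exists env(NETSCREEN_PASSWORD)] } {
  set password $env(NETSCREEN_PASSWORD)
} else {
  set password "password"
}
set port "2022"
set netscreen "foo.bar.com"
set basedir "/mnt/netapp/backups/foo.bar.com"
# Compute the date once so the file name and the mail subject always agree
# (two separate timestamp calls could straddle midnight).
set today [timestamp -format %Y-%m-%d]
set log "$today-config.txt"
set mailto "joe@foo.com"
set mailsubject "Error: netscreen backup failed $today "
# Set to a non-empty message by any failing step; checked before mailing.
set mailfail ""
# Must match the firewall's CLI prompt exactly, including the trailing space.
set prompt "foo-> "

send_user "NetScren Backup Script\n"

send_user "Connecting to $netscreen\n"

# StrictHostKeyChecking=yes makes ssh refuse an unknown or changed host key
# instead of asking "Are you sure you want to continue connecting?", a
# question this script never answers and would only time out on. The
# firewall's key must therefore already be in known_hosts of the user
# running the backup. -p is given before the destination so it is parsed as
# an option on every ssh build, not only on glibc systems.
spawn ssh -o StrictHostKeyChecking=yes -p $port $user@$netscreen
expect {
  "password:" {
    send "$password\r"
    expect {
      "$prompt" {
        send_user "Connected"
      } "Permission denied" {
        send_user "Invalid password, exiting"
        set mailfail "Invalid password, exiting"
        close
      } timeout {
        send_user "No prompt returned"
        set mailfail "No prompt returned"
        close
      }
    }
  } "Host key verification failed" {
    # Key not in known_hosts, or it changed: fail rather than accept it.
    send_user "Host key of $netscreen is unknown or changed, exiting\n"
    set mailfail "Host key of $netscreen is unknown or changed, exiting\n"
  } "No route to host" {
    send_user "Unable to connect to $netscreen\n"
    set mailfail "Unable to connect to $netscreen\n"
  } "Name or service not known" {
    send_user "Unable to connect to $netscreen\n"
    set mailfail "Unable to connect to $netscreen\n"
  } eof {
    # ssh exited with a message none of the patterns above matched; without
    # this branch the script would carry on and send commands to a dead pty.
    send_user "Connection to $netscreen closed before login\n"
    set mailfail "Connection to $netscreen closed before login\n"
  } timeout {
    # The original read "timeout{" (no space), which Tcl parses as a literal
    # pattern named "timeout{" and silently breaks the whole expect list.
    send_user "Timeout conncting to $netscreen"
    set mailfail "Timeout conncting to $netscreen"
    close
  }
}

if { $mailfail != "" } {
  exec /bin/mail -s$mailsubject $mailto << "
$mailfail"
  # Non-zero status so cron or a wrapper can tell the backup failed.
  exit 1
}

#Now that that is over, continue

#Disable the "more" prompt

send "set console page 0\r"
expect {
  "$prompt" {
    send_user "\nPaging Disabled\n"
  } default {
    # default matches both timeout and eof, so the separate timeout branch the
    # original listed after it could never run and has been dropped.
    # Report to the operator with send_user: the original used send, which
    # typed this sentence into the firewall CLI as if it were a command.
    send_user "ScreenOS did not except paging option\n"
    set mailfail "ScreenOS did not except paging option."
    close
  }
}
if { $mailfail != "" } {
  exec /bin/mail -s$mailsubject $mailto << "
$mailfail"
  exit 1
}

send_user "Downloading Configuration\n"
# Make sure the target directory exists, then create the dump file with
# mode 0600 before logging starts: the file holds the firewall's complete
# configuration, so it must never be world-readable even briefly. Without
# TRUNC an existing file for today is left intact and log_file appends to it,
# as the original did.
file mkdir $basedir
close [open $basedir/$log {WRONLY CREAT} 0600]
log_file $basedir/$log
send "get config\r"
expect {
  "$prompt" {
    log_file
    send_user "\nConfiguration Downloaded\n"
  }
  timeout {
    # Stop logging here too so the partial file is flushed and closed.
    log_file
    send_user "\nError during configuration download."
    set mailfail "Error during configuration download."
  }
}
close
# Reap the ssh process; close alone leaves it as a zombie.
wait
if { $mailfail != "" } {
  exec /bin/mail -s$mailsubject $mailto << "
$mailfail"
  exit 1
}

# A missing file is treated as size 0 so it is reported like a truncated one
# instead of making file size raise an error.
if { [file exists $basedir/$log] } {
  set filesize [file size $basedir/$log]
} else {
  set filesize 0
}
# Anything at or under 1 KB cannot be a real ScreenOS configuration.
if { $filesize <= 1024 } {
  send_user "Netscreen config is too small, please investigate\n"
  set mailfail "Netscreen config is too small, please investigate\n"
  exec /bin/mail -s$mailsubject $mailto << "
$mailfail"
  exit 1
}

#Remove config older than 2 weeks
# Tcl does not strip single quotes, so the original passed the pattern
# '*config.txt*' (quotes included) to find, and it had no action at all, so
# nothing was ever removed. -type f keeps find from touching directories.
if { $basedir != "" } {
  exec find $basedir -type f -name "*config.txt*" -mtime +14 -delete
}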