Backing up Sonicwall firewalls when you have more than, say, four of them can be quite a task.
Sure, Dell/Sonicwall offers you the option of buying their automatic GM-something-or-other, but that's rather expensive if you just want a central backup of all your config files.
With that being said, below is a quick script that will go out and collect the files for you and keep them on an FTP server.
Again, like many other machines I have built, I started with a CentOS minimal install.
Step 1) Install all the required packages and service accounts.
yum install ftp cronie sendmail expect vsftpd bash
## create the vsftpd user (the exported configs land in its home, /home/sonicwall)
useradd sonicwall
passwd sonicwall
ThePassword
Step 2) Auto start the required services.
chkconfig vsftpd on
chkconfig sendmail on
Step 3) Optional: change sendmail to use a smarthost <you may have some other black-magic mail setup>
vi /etc/mail/sendmail.cf
Look for the line:
# "Smart" relay host (may be null)
and change the value below it to:
DSrelayserver.domain.com ## no space between DS and the hostname ##
Step 4) Create the two scripts.
Script 1) This script is written in Expect, which waits (60 sec) for certain text markers before supplying commands.
Name = sonicwallbackup.exp
#!/usr/bin/expect
set timeout 60

## COLLECT INPUT DATA (argument order matches the call in sonicwallbackup.sh)
set ip [lindex $argv 0]
set user [lindex $argv 1]
set password [lindex $argv 2]
set cc [lindex $argv 3]
set type [lindex $argv 4]
set ftpserv [lindex $argv 5]
set ftpusr [lindex $argv 6]
set ftppas [lindex $argv 7]
set ftpfile [lindex $argv 8]

## SSH OPTIONS
## StrictHostKeyChecking=no means the firewall's host key is never verified;
## pre-seed ~/.ssh/known_hosts and drop that option if you want that check.
set sshoptions "-o ConnectTimeout=5 -o StrictHostKeyChecking=no"

## Give up (non-zero exit) instead of sending commands blindly when a prompt never shows up
expect_after {
    timeout { send_user "timed out waiting for $ip\n"; exit 1 }
    eof { send_user "connection to $ip closed unexpectedly\n"; exit 1 }
}

## START FILE COLLECTION
eval spawn ssh $sshoptions $ip
expect -re ".*?ser:"
send "$user\n"
expect -re ".*?assword:"
send "$password\n"
expect -re ">"
send "export preferences ftp $ftpserv $ftpusr $ftppas $ftpfile\n"
expect -re ">"
send "exit\n"
expect eof
Script 2) This script builds the command line for the expect script, then counts the files at the end and reports back on them.
Name = sonicwallbackup.sh
#!/bin/bash
#
############################################################
#### This script will be used to backup all the sonicwall devices ###
#### All files will be located at /home/$ftpusr ###
#### Created by: Randy Coburn ###
#### Date Last Updated: 11/03/2013 ###
############################################################
############################################################
#### Scripts Requirements ###
#### Sendmail,ftp,expect,partner sonicwallbackup.exp script,cron ###
#### crontab (0 1 1 * * root /etc/scripts/sonicwallbackup.sh) ###
############################################################
### LINE TO CREATE ###
## ./sonicwallbackup.exp $ip $user $password $cc $type $ftpserv $ftpusr $ftppas $ftpfile ##
############################################################

## run from the directory the scripts live in so ./sonicwallbackup.exp is found under cron as well
cd "$(dirname "$0")" || exit 1

## default values
declare -a sonicfile

## GENERIC VALUES
user=admin
password=XXSonicwallPasswordXX
ftpserv=192.168.100.100
ftpusr=sonicwall
ftppas=FtPpAssWoRd

## THESE VALUES HAVE TO BE SET PER CASE
ip=""
type=""
cc=""

#############################################################
## CHANGE THE BELOW VALUES ###
## ARRAY TO CYCLE THROUGH ###
## ADD THE SONIC WALL TO THE BOTTOM OF THE LIST AND THE NEXT IN LINE NUMBER ###
#############################################################
soniclist[0]=lon
soniclist[1]=dcr
soniclist[2]=fra
soniclist[3]=par
soniclist[4]=mad
soniclist[5]=jhb

for i in "${soniclist[@]}"
do
    case $i in
    "lon")
        ip=192.168.100.1
        type=NSA3500
        cc=$i
        ftpfile=$cc-$type-$(date +%Y-%m-%d).exp
        sonicfile+=("$ftpfile")
        ./sonicwallbackup.exp $ip $user $password $cc $type $ftpserv $ftpusr $ftppas $ftpfile
        ;;
    "dcr")
        ip=192.168.101.1
        type=NSA2400
        cc=$i
        ftpfile=$cc-$type-$(date +%Y-%m-%d).exp
        sonicfile+=("$ftpfile")
        ./sonicwallbackup.exp $ip $user $password $cc $type $ftpserv $ftpusr $ftppas $ftpfile
        ;;
    "fra")
        ip=192.168.103.1
        type=TZ215
        cc=$i
        ftpfile=$cc-$type-$(date +%Y-%m-%d).exp
        sonicfile+=("$ftpfile")
        ./sonicwallbackup.exp $ip $user $password $cc $type $ftpserv $ftpusr $ftppas $ftpfile
        ;;
    "par")
        ip=192.168.104.1
        type=TZ215
        cc=$i
        ftpfile=$cc-$type-$(date +%Y-%m-%d).exp
        sonicfile+=("$ftpfile")
        ./sonicwallbackup.exp $ip $user $password $cc $type $ftpserv $ftpusr $ftppas $ftpfile
        ;;
    "mad")
        ip=192.168.105.1
        type=NSA2400
        cc=$i
        ftpfile=$cc-$type-$(date +%Y-%m-%d).exp
        sonicfile+=("$ftpfile")
        ./sonicwallbackup.exp $ip $user $password $cc $type $ftpserv $ftpusr $ftppas $ftpfile
        ;;
    "jhb")
        ip=192.168.106.1
        type=TZ200
        cc=$i
        ftpfile=$cc-$type-$(date +%Y-%m-%d).exp
        sonicfile+=("$ftpfile")
        ./sonicwallbackup.exp $ip $user $password $cc $type $ftpserv $ftpusr $ftppas $ftpfile
        ;;
    esac
done

##############################################################
### Create Email for report and check for files that didnt arrive ####
##############################################################
function fappend {
    echo "$2" >> "$1"
}

# CHANGE THESE TO SUIT YOUR NEEDS
TOEMAIL=itsupport@someone.com
FREMAIL=sonicbackup@someone.com
SUBJECT="Sonicwall backup report"
MSGBODY="Sonicwall Backup files"

###############################
# DON'T CHANGE ANYTHING BELOW #
###############################
## mktemp creates a private file with an unpredictable name instead of a guessable /tmp path
TMP=$(mktemp /tmp/sonicbackup.XXXXXX) || exit 1
fappend "$TMP" "From: $FREMAIL"
fappend "$TMP" "To: $TOEMAIL"
fappend "$TMP" "Reply-To: $FREMAIL"
fappend "$TMP" "Subject: $SUBJECT"
fappend "$TMP" ""
fappend "$TMP" "$MSGBODY"
fappend "$TMP" ""

## cycle through the array to check for the created files
for i in "${sonicfile[@]}"
do
    if [ -f "/home/$ftpusr/$i" ]
    then
        fappend "$TMP" "PASS - $i"
    else
        fappend "$TMP" "FAILED - $i"
    fi
done

sendmail -t < "$TMP"
rm -f "$TMP"
#####################################################
####### END ########
#####################################################
To add sonicwalls, copy and paste the following lines and make the needed changes.
Remember to add them to the correct sections as shown above.
soniclist[<Next Number>]=code
***********************************************************
"code")
    ip=<IP OF SONICWALL>
    type=<TYPE OF SONICWALL>
    cc=$i
    ftpfile=$cc-$type-$(date +%Y-%m-%d).exp
    sonicfile+=("$ftpfile")
    ./sonicwallbackup.exp $ip $user $password $cc $type $ftpserv $ftpusr $ftppas $ftpfile
    ;;
I have split the script into two parts for many reasons that I won't go into, but mainly to allow one session to fail without stopping the rest from working.
I'm no expert at bash scripting, so I'm sure there may be better ways, but this works 100% for me.
I have 17 sonicwalls running on this script.
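The same run as a data-driven device table rather than one case arm per firewall, keeping the post's file-naming convention and its rule that one failed session must not stop the rest. This is an added example, not the original post's script; it assumes the sonicwallbackup.exp script and argument order shown above, and takes credentials from environment variables (SW_USER, SW_PASS, FTP_SERV, FTP_USER, FTP_PASS) instead of the script body.

```shell
#!/bin/sh
# Added example (not from the original post): table-driven version of the
# backup loop and the arrival check. Assumes sonicwallbackup.exp as shown above.
# Device table: code, management IP, model (the six firewalls from the post).
DEVICES='
lon 192.168.100.1 NSA3500
dcr 192.168.101.1 NSA2400
fra 192.168.103.1 TZ215
par 192.168.104.1 TZ215
mad 192.168.105.1 NSA2400
jhb 192.168.106.1 TZ200
'

# Same naming convention as the post: <code>-<model>-<YYYY-MM-DD>.exp
backup_filename() {   # $1=code $2=model $3=date
    printf '%s-%s-%s.exp\n' "$1" "$2" "$3"
}

# One expect session per device. BACKUP_CMD (hypothetical knob) lets a stub
# stand in for the expect script so the loop can be exercised without firewalls.
run_backups() {       # $1=date; reads SW_USER SW_PASS FTP_SERV FTP_USER FTP_PASS
    while read -r cc ip model; do
        [ -n "$cc" ] || continue
        file=$(backup_filename "$cc" "$model" "$1")
        # a failed session must not stop the remaining firewalls
        "${BACKUP_CMD:-./sonicwallbackup.exp}" "$ip" "$SW_USER" "$SW_PASS" "$cc" \
            "$model" "$FTP_SERV" "$FTP_USER" "$FTP_PASS" "$file" || true
    done <<EOF
$DEVICES
EOF
}

# Report what reached the FTP home: one PASS/FAILED line per device, and a
# non-zero return if any export is missing or zero bytes (a half-finished upload).
check_backups() {     # $1=ftp home dir $2=date
    rc=0
    while read -r cc ip model; do
        [ -n "$cc" ] || continue
        file=$(backup_filename "$cc" "$model" "$2")
        if [ -s "$1/$file" ]; then
            echo "PASS - $file"
        else
            echo "FAILED - $file"; rc=1
        fi
    done <<EOF
$DEVICES
EOF
    return $rc
}
```

From cron, call run_backups with today's date and then pipe the output of check_backups into the mail body in place of the post's fixed PASS/FAILED loop.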
Step 5) Add execute rights.
chmod +x sonicwallbackup.exp
chmod +x sonicwallbackup.sh
Step 6) Create a cron job for the script.
crontab -e
# a per-user crontab has no user column; the "0 1 1 * * root ..." form belongs in /etc/crontab only
0 1 1 * * /etc/scripts/sonicwallbackup.sh
Step 7) Enable SSH access on the sonicwall.
You will need to allow SSH access on your sonicwall. This may be on your interface or through the VPN if you have one.
A simple gotcha is that if you are going over a VPN tunnel to reach an interface, you need to allow SSH management over the VPN tunnel. These options are presented to you when you create the VPN, or when editing it under Advanced.
Step 8) TEST TEST TEST!
cd $scriptLocations/
./sonicwallbackup.sh
You will see the SSH sessions happen on screen and you can make sure they are all working.
Thereafter you will get an email telling you which files were located on the server and which failed to come down.
I have found that your sonicwall needs to be on about firmware 5.1.x or later for this to work correctly.
Now that you have your config files all nice and centralized, you can look "forward" to your next sonicwall failure!
This post was extremely helpful, but it doesn’t seem to work for me. I have the .sh file configured correctly, but it isn’t starting the ssh connections to the sonicwalls. What could be wrong?
I had an issue with one of the sonicwalls not allowing SSH connections to it. It boiled down to the sonicwall having zombied ssh sessions. You could try a reboot.
Other than that, you could try to do the steps one by one manually and see if it all works.
Thanks for the reply. I’ve been testing with the .exp file using static values instead of variables and found a new issue where the ssh goes through and it tries to run the export command, but it comes up with an error “FTP Failure!”. I can ftp to that server with the same credentials from another PC, so I’m not sure what the problem could be.
Check the firmware version on the Sonicwall. Another issue I had was that the export to FTP wasn't considered a valid command because it had not been implemented yet. Since this was quite an old version I just pushed an update to it and carried on.
See this line in the blog.
####
I have found that your sonicwall needs to be about firmware 5.1.x + in order for this to work correctly.
###
Maybe this could be your issue?
The way I found this was doing the commands manually on this sonicwall and making sure it all worked.
I was quite surprised when I found the CLI telling me I was putting in the incorrect command.
Good luck getting this information out of sonicwall themselves 🙂
Hope this gets you going.
We are running firmware 5.8.x, so that doesn’t seem to be the issue. I appreciate your feedback. I’ll keep troubleshooting the issue.
Last thing I would suggest then is using the FileZilla FTP server. Its logging is really good. Another option is Wireshark. That would tell you if the packets are even getting sent to the server.
Maybe it is something as simple as a firewall or Anti-Virus blocking the traffic.
I feel really stupid right now. Turns out the problem was that vsftpd wasn't started. Not sure why I could ftp in from another machine, but once I started the service it worked.
😀 IT Black Magic! Glad to hear it's working.
Well, sort of working. The ssh bit works, but the script as a whole isn’t. I’m back to my initial issue where the script runs but doesn’t run the cases for some reason. I’m combing through the script to find out what is missing.
Got it sorted out. The case names needed double quotes, not single. Thanks for your script. It is a great help!
This script proved to be even more useful, as I was able to modify it to pull configurations from our ProCurve switches as well!
While I am pleased that you have found another use for this script 🙂 can I suggest rather looking at something like RANCID for configuration backups of your switches.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid
It will allow you to do side by side configuration comparison.