[rancid] Update configs by an external means
Alex DEKKER
rancid at ale.cx
Thu Oct 5 09:08:41 UTC 2017
On 04/10/17 21:50, Dan Anderson wrote:
> Rather than using a file that's been transferred onto the system, you
> may be able to have RANCID log in via SSH and run "config\rshow
> current-config" to dump the config. I'm guessing that there's some
> other commands that may be useful, but "show current-config" from
> config mode is how I typically get config copies from Sonicwall
> firewalls when I'm doing firewall migrations for my customers.
I have started a snwlrancid based on the Mikrotik config fetcher. I
guess I should just throw it up somewhere for others to have a look at.
One thing I've noticed is that the obscured encryption keys in VPN
tunnels change *every time* the config is polled:
< shared-secret
4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff041f4941cfaca1a3f3371511611bef8ee56affb2e091204a7c93f8c0d976d2cb3d251b4b940b0fafdb0d8f6812b8c067e1d1d3683db2f6d1247cf5c670171ba6f72e6bc1b62de89b79d23512ee6abf58b5f6ed6dcfb492a4a9d1800f9234e12899b2bc7f7eb4ccf865b478244f0b1a80ffd91035
---
> shared-secret
4,aa138a1f3e053d8fe0efbc3089e2be854a1a9d31fc6e3c26165674b26823f2e32c2e2ecf57fd16e74af093c9e6d35923be216133728061756144089c6ef3cfefc4f1f7bd270e41010e765b1afaed41f2d3e07950c3a3bf9a96264bbf7d9e17ad4280062cbdf2fa1f8b1071423186d5bb232e4424f50493c3ef64b34c7645305a56669a379d5abbba
So long as it works when it's pasted back into the firewall then great,
but obviously this is going to be absurdly noisy unless it's replaced
with a placeholder with some post-processing. If it's replaced with a
placeholder then the resulting config cannot be put back into the
firewall without some tweaking. Personally, working in a team of people
who manage Sonicwalls, partial RANCID is better than no RANCID at all.
The main roadblock I hit was that the word "exit" just seems to move
around at random, and it's not the same "exit" that does this, there are
loads of exits in the config and any one of them can apparently do it:
Index: configs/barkminisonic.rancid
===================================================================
retrieving revision 1.21
diff -u -4 -r1.21 minisonic.rancid
@@ -5,8 +5,9 @@
rom-version 5.0.5.6
model "NSA 220"
serial-number C0EA-E42D-XXXX
last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10 16:07:22"
+ exit
administration
firewall-name MiniSonic
no auto-append-suffix
admin-name admin
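Review bot: the `+ exit` at the top of this hunk sits between `last-modified-by ...` and `administration` at the same one-space indent as the settings around it, so it reads as a block terminator that revision 1.21 simply did not have; before treating it as a real change on the device, check whether it is the same `exit` token that appears fused onto `goto-non-config` in the second hunk of this diff, since a terminator present in one capture and absent in the other points at the collector's output handling rather than at the configuration.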
@@ -20,9 +21,9 @@
password constraints-apply-to limited-admins
password constraints-apply-to local-users
idle-logout-time 25
no user-lockout
- admin-preempt-action goto-non-configexit
+ admin-preempt-action goto-non-config
admin-preempt-inactivity-timeout 10
no inter-admin-messaging
no web-management allow-http
web-management https-port 443
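Review bot: the removed line `admin-preempt-action goto-non-configexit` is the value `goto-non-config` with the token `exit` appended and no separator at all, which is not a plausible value of that setting; together with the same token turning up on its own line elsewhere in the other revision, this is consistent with `exit` being injected into the output stream asynchronously (for example the echo of a command the collector sends before the dump has finished) rather than with the device moving it. Suggest checking the raw session log for what precedes that `exit` and making the fetcher wait for the prompt before sending anything further; any filter-side repair should at least split a trailing `exit` back onto its own line so the setting's value diffs cleanly.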
I don't have time to work on this at the moment but I will try and make
some time to put what I've done so far on Github or similar.
alexd
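An added example of the kind of post-processing discussed above, written for this page and not part of Alex's snwlrancid or of RANCID itself. It assumes the obscured VPN key appears as `shared-secret 4,<hex>` (the blob possibly wrapped onto the next line, as in the quoted diff) and treats the `exit` glued onto `goto-non-config` as a collector artefact that can be split back onto its own line; both are assumptions. The two sample polls are constructed, with shortened invented hex values, to reproduce the shape of the diff in the post.

```python
"""Normalise a SonicWall 'show current-config' dump before RANCID diffs it.

Added example (not snwlrancid / RANCID code).  Two normalisations:
  1. the obscured VPN shared-secret ('4,<hex>') is replaced by a fixed
     placeholder, because the device re-obscures it on every poll and every
     diff would otherwise churn;
  2. an 'exit' keyword glued onto the end of a preceding value (as in
     'goto-non-configexit') is split back onto its own line.  That the glueing
     is a collector line-handling artefact is an assumption made here.
The resulting text is for change tracking only; the placeholder makes it
unsuitable for pasting straight back into a firewall.
"""
import difflib
import re

PLACEHOLDER = "<obscured-key-redacted>"

# 'shared-secret' followed by the type-4 obscured blob.  \s+ also matches a
# newline, so a blob wrapped onto the following line is handled too.
_SECRET_RE = re.compile(r"(shared-secret)\s+4,[0-9a-fA-F]+")

# A line whose last word ends in 'exit' with no separator before it.  Lines
# that are just 'exit', or that end in ' exit', do not match (the character
# right before 'exit' must be non-blank).  Caveat: a legitimate value that
# happens to end in 'exit' would be split as well.
_GLUED_EXIT_RE = re.compile(r"^(\s*)(\S.*?\S)exit\s*$")


def redact_obscured_secrets(text):
    """Replace every obscured shared-secret with PLACEHOLDER."""
    return _SECRET_RE.sub(rf"\1 {PLACEHOLDER}", text)


def unglue_exit(text):
    """Move a glued trailing 'exit' onto its own line, keeping the indent."""
    out = []
    for line in text.splitlines():
        m = _GLUED_EXIT_RE.match(line)
        if m:
            indent, head = m.group(1), m.group(2)
            out.append(indent + head)
            out.append(indent + "exit")
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def normalise(text):
    """Full pipeline: unglue stray 'exit' tokens, then redact secrets."""
    return redact_obscured_secrets(unglue_exit(text))


def residual_changes(before, after):
    """Added/removed lines that still differ after normalisation."""
    a = normalise(before).splitlines()
    b = normalise(after).splitlines()
    return [
        line
        for line in difflib.unified_diff(a, b, lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


# Constructed samples: two polls of an unchanged device.  The only differences
# are the re-obscured secret (invented, shortened hex) and where the collector
# left the 'exit' token: glued onto a value in POLL_1, on its own line earlier
# in POLL_2, mirroring the two hunks in the post.
POLL_1 = """\
last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10 16:07:22"
administration
 admin-preempt-action goto-non-configexit
 admin-preempt-inactivity-timeout 10
vpn
 shared-secret 4,c99c5ca7b2d0907883e8c6eacb251bfc
"""

POLL_2 = """\
last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10 16:07:22"
 exit
administration
 admin-preempt-action goto-non-config
 admin-preempt-inactivity-timeout 10
vpn
 shared-secret 4,aa138a1f3e053d8fe0efbc3089e2be85
"""

if __name__ == "__main__":
    print(normalise(POLL_2))
    # After normalisation the secret no longer churns; what is left is the
    # one 'exit' that landed in a different place, which only the collector
    # (waiting for the prompt before sending the next command) can fix.
    for line in residual_changes(POLL_1, POLL_2):
        print(line)
```

Running it shows that the placeholder removes the per-poll churn of the shared secret entirely, and that ungluing repairs the merged `goto-non-configexit` line, but an `exit` that arrives at a different point in the stream still shows up as one moved line in the residual diff. That last part cannot be normalised away safely and belongs in the fetcher, not the filter.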