[rancid] Update configs by an external means

Alex DEKKER rancid at ale.cx
Thu Oct 5 09:08:41 UTC 2017


On 04/10/17 21:50, Dan Anderson wrote:
> Rather than using a file that's been transferred onto the system, you 
> may be able to have RANCID log in via SSH and run "config\rshow 
> current-config" to dump the config. I'm guessing that there's some 
> other commands that may be useful, but "show current-config" from 
> config mode is how I typically get config copies from Sonicwall 
> firewalls when I'm doing firewall migrations for my customers.

I have started a snwlrancid based on the Mikrotik config fetcher. I 
guess I should just throw it up somewhere for others to have a look at. 
One thing I've noticed is that the obscured encryption keys in VPN 
tunnels change *every time* the config is polled:


<         shared-secret 4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff041f4941cfaca1a3f3371511611bef8ee56affb2e091204a7c93f8c0d976d2cb3d251b4b940b0fafdb0d8f6812b8c067e1d1d3683db2f6d1247cf5c670171ba6f72e6bc1b62de89b79d23512ee6abf58b5f6ed6dcfb492a4a9d1800f9234e12899b2bc7f7eb4ccf865b478244f0b1a80ffd91035
---
>         shared-secret 4,aa138a1f3e053d8fe0efbc3089e2be854a1a9d31fc6e3c26165674b26823f2e32c2e2ecf57fd16e74af093c9e6d35923be216133728061756144089c6ef3cfefc4f1f7bd270e41010e765b1afaed41f2d3e07950c3a3bf9a96264bbf7d9e17ad4280062cbdf2fa1f8b1071423186d5bb232e4424f50493c3ef64b34c7645305a56669a379d5abbba

So long as it works when it's pasted back into the firewall then great, 
but obviously this is going to be absurdly noisy unless it's replaced 
with a placeholder with some post-processing. If it's replaced with a 
placeholder then the resulting config cannot be put back into the 
firewall without some tweaking. Personally, working in a team of people 
who manage Sonicwalls, partial-RANCID is better than no RANCID at all.

The main roadblock I hit was that the word "exit" just seems to move 
around at random, and it's not the same "exit" that does this; there are 
loads of exits in the config and any one of them can apparently do it:

Index: configs/barkminisonic.rancid
===================================================================
retrieving revision 1.21
diff -u -4 -r1.21 minisonic.rancid
@@ -5,8 +5,9 @@
   rom-version 5.0.5.6
   model "NSA 220"
   serial-number C0EA-E42D-XXXX
   last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10 16:07:22"
+ exit
   administration
       firewall-name MiniSonic
       no auto-append-suffix
       admin-name admin
@@ -20,9 +21,9 @@
       password constraints-apply-to limited-admins
       password constraints-apply-to local-users
       idle-logout-time 25
       no user-lockout
-     admin-preempt-action goto-non-configexit
+     admin-preempt-action goto-non-config
       admin-preempt-inactivity-timeout 10
       no inter-admin-messaging
       no web-management allow-http
       web-management https-port 443
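Review bot: the `+ exit` that appears on its own line after `last-modified-by` in the first hunk and the `-     admin-preempt-action goto-non-configexit` / `+     admin-preempt-action goto-non-config` pair here look like one and the same token: in revision 1.21 it was fused onto the end of an unrelated line, and in the new revision it stands alone. That points at how the fetcher's output is captured (a line being joined before its terminator arrives, or an echo landing mid-dump) rather than at a change on the device, so it is better handled in the collector, for example by waiting for the complete prompt or line ending before sending the next command, than left to wander between revisions and pollute every diff.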


I don't have time to work on this at the moment but I will try and make 
some time to put what I've done so far on Github or similar.

alexd
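The post-processing step the message above describes, replacing the re-obscured shared-secret with a placeholder so that two polls of an unchanged config no longer diff, as an added example. This is not code from the post or from the snwlrancid module it mentions; it is written in Python rather than RANCID's Perl, and it assumes that the `4,` prefix seen in both samples is constant and that the `<removed>` marker is acceptable as the placeholder. The sample polls are constructed, with shortened invented hex values.

```python
import difflib
import re

# Obscured SonicOS secret as it appears in the dump: "4," followed by a hex
# blob. The "4," prefix is taken from the two samples in the post and is
# assumed to be constant across polls.
OBSCURED_SECRET = re.compile(
    r"^(?P<indent>\s*)(?P<key>shared-secret)\s+4,[0-9A-Fa-f]+\s*$"
)
# Marker written in place of the value; <removed> is what RANCID's other
# device filters emit when filter_pwds is enabled (assumption for SonicOS).
PLACEHOLDER = "<removed>"


def filter_secrets(config: str) -> str:
    """Replace every obscured shared-secret value with PLACEHOLDER.

    The blob is re-encrypted on each poll even when the key has not changed,
    so this is the step that stops consecutive polls from diffing. The
    filtered text can no longer be pasted straight back into the firewall.
    """
    out = []
    for line in config.splitlines():
        m = OBSCURED_SECRET.match(line)
        if m:
            line = f"{m['indent']}{m['key']} {PLACEHOLDER}"
        out.append(line)
    return "\n".join(out) + "\n"


def config_diff(old: str, new: str) -> list:
    """Unified diff of two polls after filtering; an empty list means the
    only differences were re-obscured secrets."""
    return list(difflib.unified_diff(
        filter_secrets(old).splitlines(),
        filter_secrets(new).splitlines(),
        fromfile="previous", tofile="current", lineterm="",
    ))


# Constructed sample: one VPN policy as dumped on the first poll.
POLL_1 = """\
    vpn
        policy site-to-site "to-branch"
            gateway 203.0.113.10
            shared-secret 4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff
            proposal ike dh-group 2
            exit
    exit
"""
# Next poll of the same policy: nothing changed except the obscured blob.
POLL_2 = POLL_1.replace(
    "4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff",
    "4,aa138a1f3e053d8fe0efbc3089e2be854a1a9d31",
)
# A genuine change (DH group) that must still show up after filtering.
POLL_3 = POLL_2.replace("dh-group 2", "dh-group 14")


if __name__ == "__main__":
    print("poll 1 vs 2 (secret re-obscured only):", config_diff(POLL_1, POLL_2))
    print("poll 2 vs 3 (real change):")
    print("\n".join(config_diff(POLL_2, POLL_3)))
```

The filter only touches lines whose entire value is the `4,<hex>` form, so a secret that is stored some other way passes through untouched and will still show up as noise; the wandering `exit` token is a separate problem and is left alone here.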


