[rancid] Update configs by an external means
rancid at ale.cx
Thu Oct 5 09:08:41 UTC 2017
On 04/10/17 21:50, Dan Anderson wrote:
> Rather than using a file that's been transferred onto the system, you
> may be able to have RANCID log in via SSH and run "config", then "show
> current-config" to dump the config. I'm guessing that there's some
> other commands that may be useful, but "show current-config" from
> config mode is how I typically get config copies from Sonicwall
> firewalls when I'm doing firewall migrations for my customers.
I have started a snwlrancid based on the Mikrotik config fetcher. I
guess I should just throw it up somewhere for others to have a look at.
One thing I've noticed is that the obscured encryption keys in VPN
tunnels change *every time* the config is polled:
So long as it works when it's pasted back into the firewall then great,
but obviously this is going to be absurdly noisy unless it's replaced
with a placeholder with some post-processing. If it's replaced with a
placeholder then the resulting config cannot be put back into the
firewall without some tweaking. Personally, working in a team of people
who manage Sonicwalls, partial RANCID is better than no RANCID at all.
The main roadblock I hit was that the word "exit" just seems to move
around at random, and it's not the same "exit" that does this; there are
loads of exits in the config and any one of them can apparently do it:
retrieving revision 1.21
diff -u -4 -r1.21 minisonic.rancid
@@ -5,8 +5,9 @@
model "NSA 220"
last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10 16:07:22"
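Review bot: the hunk header `@@ -5,8 +5,9 @@` says one line was added in this region, but only the two context lines `model "NSA 220"` and `last-modified-by ...` are shown, so the added line (presumably where the stray `exit` reappeared) is not visible in the excerpt. Include the full hunk, with its `+` line, so the reader can see where the `exit` landed rather than only where it disappeared from.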
@@ -20,9 +21,9 @@
password constraints-apply-to limited-admins
password constraints-apply-to local-users
- admin-preempt-action goto-non-configexit
+ admin-preempt-action goto-non-config
no web-management allow-http
web-management https-port 443
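Review bot: the `-`/`+` pair `admin-preempt-action goto-non-configexit` vs `admin-preempt-action goto-non-config` is not a configuration change; the only difference is the literal token `exit` fused onto the end of the value with no line break, i.e. a newline was lost in the captured output on one poll. Treat this as a line-boundary problem in the collector rather than a diff worth storing: at minimum the filter should detach a trailing `exit` glued onto a value into its own line before the revision is committed, so the stored config does not flip between the two forms from poll to poll.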
I don't have time to work on this at the moment but I will try and make
some time to put what I've done so far on Github or similar.
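The two sources of diff noise described above (obscured VPN keys that are re-obscured on every poll, and an `exit` keyword that arrives glued onto the preceding value) can both be dealt with in a post-processing pass before RANCID commits the revision. The filter below is an added example written for this thread, not code from the rancid project or from the snwlrancid script mentioned in the post. It assumes the obscured keys appear as `<keyword> <blob>` on one line; the keyword names in `SECRET_KEYWORDS`, the placeholder string and the sample polls are all constructed, since the thread does not show the real SonicOS key lines.

```python
"""Post-processing filter for SonicWall config dumps pulled by a RANCID-style collector.

Two normalisations, so that consecutive polls diff cleanly:
  1. obscured VPN keys, which change on every poll, are replaced by a fixed
     placeholder;
  2. a CLI "exit" keyword that arrived glued onto the previous value
     ("goto-non-configexit") is moved onto its own line.
"""
import difflib
import re

# ASSUMPTION: the obscured keys appear as "<keyword> <blob>" on a single line.
# The real SonicOS keyword names are not given in the thread; edit this tuple
# to match an actual dump.
SECRET_KEYWORDS = ("shared-secret", "pre-shared-key")
PLACEHOLDER = "<obscured-key-removed-by-rancid-filter>"

_SECRET_RE = re.compile(
    r"^(?P<indent>\s*)(?P<key>" + "|".join(map(re.escape, SECRET_KEYWORDS))
    + r")\s+(?P<val>\S+)\s*$")
# A value with "exit" fused to its end. The regex requires a non-space
# character immediately before "exit", so "... exit" as a separate word and a
# stand-alone "exit" line are left alone.
_FUSED_EXIT_RE = re.compile(r"^(?P<body>\s*\S.*?\S)exit\s*$")


def mask_secret(line):
    """Return (line, True) with the key blob replaced, or (line, False)."""
    m = _SECRET_RE.match(line)
    if m is None:
        return line, False
    return "%s%s %s" % (m.group("indent"), m.group("key"), PLACEHOLDER), True


def split_fused_exit(line, keep_fused=()):
    """Return [line], or [value_line, indented 'exit'] when 'exit' was glued on.

    Heuristic: a line whose last token ends in "exit" is taken to be a value
    plus the fused keyword. A value that legitimately ends in "exit" (say an
    object named "noexit") would be mis-split, so list such tokens in keep_fused.
    """
    if line.strip() == "exit":
        return [line]
    m = _FUSED_EXIT_RE.match(line)
    if m is None or line.split()[-1] in keep_fused:
        return [line]
    body = m.group("body")
    indent = body[: len(body) - len(body.lstrip())]
    return [body, indent + "exit"]


def normalise(text, keep_fused=()):
    """Apply both fixes to a whole dump; returns the canonical text."""
    out = []
    for line in text.splitlines():
        line, _ = mask_secret(line)
        out.extend(split_fused_exit(line, keep_fused))
    return "\n".join(out) + "\n"


def residual_diff(before, after):
    """Changed lines that would still land in the RANCID diff after normalising."""
    diff = difflib.unified_diff(normalise(before).splitlines(),
                                normalise(after).splitlines(), lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def safe_to_paste_back(text):
    """False if the dump still carries placeholders and needs real keys restored first."""
    return PLACEHOLDER not in text


# Constructed sample polls: identical device state, one key re-obscured and
# one "exit" fused onto the preceding value.
POLL_1 = """\
admin-preempt-action goto-non-configexit
no web-management allow-http
vpn policy tunnel-to-hq
  shared-secret 0a1b2c3d4e5f6677
exit
"""
POLL_2 = """\
admin-preempt-action goto-non-config
exit
no web-management allow-http
vpn policy tunnel-to-hq
  shared-secret 99887766aabbccdd
exit
"""

if __name__ == "__main__":
    print(normalise(POLL_1))
    print("residual diff:", residual_diff(POLL_1, POLL_2))
    print("safe to paste back:", safe_to_paste_back(normalise(POLL_1)))
```

Two caveats. The `exit` fix only covers the case where the keyword is fused onto the end of the previous line; when an `exit` shows up somewhere else entirely, as the post describes, that is a line-boundary problem in how the collector reads the device output and no line-level filter can put it back. And, as the post already notes, a dump with placeholders in it is not a dump you can paste back: `safe_to_paste_back` is the check to run before anyone tries, because the placeholder is a distinctive string that is easy to grep for and impossible to mistake for a real key.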