[rancid] Update configs by an external means
rancid at ale.cx
Fri Oct 6 12:40:44 UTC 2017
I was starting from a base of 3.6.2.
On 06/10/17 13:32, Piegorsch, Weylin William wrote:
> I had the same problem with rancid v1.x using a custom script (written by my predecessor for NX-OS). It cleared up when we migrated to v3.4.1, which had native NX-OS so it’s not clear to me if dumping the custom config fixed the issue or if it were a rancid version issue.
> Are you using a current version?
> -----Original Message-----
> From: Alex DEKKER <rancid at ale.cx>
> Date: Thursday, October 5, 2017 at 05:08
> To: <rancid-discuss at shrubbery.net>
> Subject: Re: [rancid] Update configs by an external means
> On 04/10/17 21:50, Dan Anderson wrote:
> > Rather than using a file that's been transferred onto the system, you
> > may be able to have RANCID log in via SSH and run "config\rshow
> > current-config" to dump the config. I'm guessing that there's some
> > other commands that may be useful, but "show current-config" from
> > config mode is how I typically get config copies from Sonicwall
> > firewalls when I'm doing firewall migrations for my customers.
> I have started a snwlrancid based on the Mikrotik config fetcher. I
> guess I should just throw it up somewhere for others to have a look at.
> One thing I've noticed is that the obscured encryption keys in VPN
> tunnels change *every time* the config is polled:
> < shared-secret
> > shared-secret
> So long as it works when it's pasted back in to the firewall then great,
> but obviously this is going to be absurdly noisy unless it's replaced
> with a placeholder with some post-processing. If it's replaced with a
> placeholder then the resulting config cannot be put back in to the
> firewall without some tweaking. Personally, working in a team of people
> who manage Sonicwalls, partial-RANCID is better than no RANCID at all.
> The main roadblock I hit was that the word "exit" just seems to move
> around at random, and it's not the same "exit" that does this, there are
> loads of exits in the config and any one of them can apparently do it:
> Index: configs/barkminisonic.rancid
> retrieving revision 1.21
> diff -u -4 -r1.21 minisonic.rancid
> @@ -5,8 +5,9 @@
> rom-version 188.8.131.52
> model "NSA 220"
> serial-number C0EA-E42D-XXXX
> last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10 16:07:22"
> + exit
> firewall-name MiniSonic
> no auto-append-suffix
> admin-name admin
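Review bot: the added ` exit` line lands between `last-modified-by` and `firewall-name`, in a run of plain settings lines, and nothing in the visible context looks like a block it would close. Keeping the raw session output next to a revision like this would let the stray line be traced to either the device output or the fetcher's parsing.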
> @@ -20,9 +21,9 @@
> password constraints-apply-to limited-admins
> password constraints-apply-to local-users
> idle-logout-time 25
> no user-lockout
> - admin-preempt-action goto-non-configexit
> + admin-preempt-action goto-non-config
> admin-preempt-inactivity-timeout 10
> no inter-admin-messaging
> no web-management allow-http
> web-management https-port 443
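Review bot: on the removed line, `exit` is fused onto the end of `admin-preempt-action goto-non-config` with no space or newline, so the old revision stored `goto-non-configexit` and the only change in this pair is that suffix going away. Flagging settings lines that end in `exit` without a preceding space before the commit would make revisions like this easy to spot and hold back.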
> I don't have time to work on this at the moment but I will try and make
> some time to put what I've done so far on Github or similar.
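The placeholder post-processing described in the quoted message, as an added example that is not part of the thread or of RANCID: it normalizes two polls before diffing so that a changed obscured key produces no diff while a real setting change still does. The line format `shared-secret <value>`, the `<removed>` placeholder, the function names and the sample polls are all assumptions constructed for illustration.

```python
import difflib
import re

# Assumption: the obscured key follows the keyword on the same line.
SECRET_RE = re.compile(r"^([ \t]*shared-secret)[ \t]+\S.*$", re.MULTILINE)
PLACEHOLDER = "<removed>"  # hypothetical marker; the firewall will not accept it


def normalize(config: str) -> str:
    """Replace every shared-secret value with a fixed placeholder."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)} {PLACEHOLDER}", config)


def needs_secrets_restored(config: str) -> bool:
    """True if the text holds placeholders and cannot be pasted back as-is."""
    marker = f"shared-secret {PLACEHOLDER}"
    return any(line.strip() == marker for line in config.splitlines())


def poll_diff(old: str, new: str, filtered: bool = True) -> list:
    """Unified diff between two polls, optionally after normalization."""
    if filtered:
        old, new = normalize(old), normalize(new)
    return list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     "previous", "current", lineterm=""))


# Constructed sample polls; only the shared-secret keyword comes from the thread.
POLL_1 = """\
example-tunnel "branch"
    shared-secret AAAA1111
    example-setting 1
    exit
"""
POLL_2 = POLL_1.replace("AAAA1111", "BBBB2222")            # same key, re-obscured
POLL_3 = POLL_2.replace("example-setting 1", "example-setting 2")  # real change

if __name__ == "__main__":
    print("raw diff lines, poll 1 -> 2:", len(poll_diff(POLL_1, POLL_2, False)))
    print("filtered diff lines, poll 1 -> 2:", len(poll_diff(POLL_1, POLL_2)))
    print("\n".join(poll_diff(POLL_2, POLL_3)))
```

The stored copy then carries the placeholder rather than the obscured key, so `needs_secrets_restored` marks it as one that needs the tweaking mentioned above before it goes back into a firewall.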