
Automate or Script Configuration File Backups of an ESA in a Cluster

August 28, 2015 - Machine translation
Other versions: English (April 23, 2015)

Introduction

Prior to AsyncOS version 8.5, a clustered appliance could not save a configuration that could be used to restore the configuration to a Cisco Email Security Appliance (ESA). In order to obtain a usable configuration from an appliance, you had to remove the appliance from the cluster and save the configuration as a standalone appliance. This document describes how to use batch commands in order to save a configuration from one appliance in an ESA cluster. This can still be used with all versions of AsyncOS for ESA.

Contributed by 里恩 Latif and Robert Sherwin, Cisco TAC Engineers.

Prerequisites

Gather this information from the ESAs in the cluster:

  • IP addresses and host names
  • Cluster name
  • Cluster group name (if applicable)

Also, you should read and understand these technotes:

Automate or Script Configuration File Backups of an Appliance in a Cluster

In AsyncOS versions prior to 8.5, when you attempt to save the configuration while in a cluster with the saveconfig or mailconfig command, the ESA generates this warning:

WARNING: Clustered machines do not support loadconfig.  Your configuration file has
complete data for the entire cluster, but cannot be used to restore a configuration.

In AsyncOS version 8.5 and later, the saved configuration now contains both the machine-level configuration and the cluster configuration. This is covered in detail in the user guides for version 8.5 and later. Refer to the End User Guide for comprehensive details.

There is no need to back up the configuration of every appliance in the cluster. However, a network can contain multiple clusters, with multiple groups configured per cluster. Removing each appliance from the cluster, saving the configuration, and then manually rejoining the cluster is quite tedious.

These commands can be used to log in to the ESA, remove the ESA from the cluster, save or mail the configuration, and then rejoin the cluster.

To start, it is important to know the machine names and serial numbers of the ESAs in the cluster, as well as the group name. These can be obtained by entering clusterconfig list at the CLI:

(Cluster ESA1_ESA2)> clusterconfig list

Cluster esaA_esaB
=====================
Group Main_Group:
Machine ESA1.local (Serial #: 0000E878109A-G091111)
Machine ESA2.local (Serial #: 0000E878525D-9091111)

To remove an appliance from the cluster, use the clusterconfig removemachine <appliance name> command:

(Cluster ESA1_ESA2)> clusterconfig removemachine ESA1.local

Please wait, this operation may take a minute...
Machine ESA1.local removed from the cluster.

Use the saveconfig command to save the configuration on the appliance with the passwords included (unmasked). As noted, "Files with masked passwords cannot be loaded using loadconfig command." Therefore, be sure to enter N when prompted:

ESA1.local> saveconfig

Do you want to mask the password? Files with masked passwords cannot be loaded
using loadconfig command. [Y]> n

File written on machine "esaA.local" to the location
"/configuration/C100V-0000E878109A-G091111-20140909T184724.xml".
Configuration saved. 

Alternatively, use mailconfig to email the configuration to a valid email recipient. As noted, "Files with masked passwords cannot be loaded using loadconfig command." Therefore, be sure to enter N when prompted:

ESA1.local> mailconfig

Please enter the email address to which you want to send the configuration file.
Separate multiple addresses with commas.
[]> joe@example.com

Do you want to mask the password? Files with masked passwords cannot be loaded
using loadconfig command. [Y]> n

The configuration file has been sent to joe@example.com.

Finally, use the clusterconfig batch command to join the appliance back into the cluster:

clusterconfig join [--port=xx] <ip_of_remote_cluster> <admin_username>
<admin_password> <groupname>

Continuing the previous example, this command would be executed:

esaA.local> clusterconfig join --port=22 172.16.6.161 admin ironport Main_Group

Joining a cluster takes effect immediately, there is no need to commit.
(Cluster ESA1_ESA2)>

You will note in the previous example that the command prompt automatically changes to the cluster-level name, shown as "(Cluster ESA1_ESA2)>".

Advanced Automated or Scripted Configuration File Backup

Note: This section of the article is a proof of concept and is provided as an example. While these steps have been tested successfully, this article is primarily for demonstration and illustration purposes. Custom scripts are outside the scope and supportability of Cisco. The Cisco Technical Assistance Center will not write, update, or troubleshoot custom external scripts at any time.

From an external host (UNIX/Linux/OS X), you can use the previous commands to script the process.

Here is an example of the entire process written into a script, assuming the cluster is reachable over SSH on port 22:

#! /bin/bash
#
# Script to save the ESA config, then copy locally via SCP. This is assuming you wish to
# have the cluster in SSH via port 22. This script has been written and tested against
# AsyncOS 9.0.0-390 (01/15/2014).
#
# *NOTE* This script is a proof-of-concept and provided as an example basis. While these steps have
# been successfully tested, this script is for demonstration and illustration purposes. Custom
# scripts are outside of the scope and supportability of Cisco. Cisco Technical Assistance will
# not write, update, or troubleshoot custom external scripts at any time.
#
# <SCRIPT>
#
# $HOSTNAME & $HOSTNAME2 can be either the FQDN or IP address of the ESAs in cluster.
# (No space is allowed after the "=" in a shell assignment; the bracketed values are placeholders.)
#
HOSTNAME="[IP/HOSTNAME ESA1]"
HOSTNAME2="[IP/HOSTNAME ESA2]"
#
# $MACHINENAME is the local name for ESA1.
#
MACHINENAME="[MACHINENAME AS LISTED FROM 'clusterconfig list']"
#
# $USERNAME assumes that you have preconfigured SSH key from this host to your ESA.
# http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118305-technote-esa-00.html
#
USERNAME=admin
#
# $BACKUP_PATH is the directory location on the local system.
#
BACKUP_PATH="[/local/path/as/desired]"
#
# Following will remove ESA1 from cluster in order to backup standalone config.
# "2> /dev/null" at the end of string will quiet any additional output of the clustermode command.
#
echo "|=== PHASE 1 ===| REMOVING $MACHINENAME FROM CLUSTER"
ssh $USERNAME@$HOSTNAME "clustermode cluster; clusterconfig removemachine $MACHINENAME" 2> /dev/null
#
# $FILENAME contains the actual script that calls the ESA, issues the 'saveconfig' command.
# The rest of the string is the cleanup action to reflect only the <model>-<serial number>-<timestamp>.xml.
#
echo "|=== PHASE 2 ===| BACKUP CONFIGURATION ON ESA"
FILENAME=`ssh -q $USERNAME@$HOSTNAME "saveconfig y 1" | grep xml | sed -e 's/\/configuration\///g' | sed 's/\.$//g' | tr -d "\""`
#
# The 'scp' command will secure copy the $FILENAME from the ESA to specified backup path, as entered above.
# The -q option for 'scp' will disable the copy meter/progress bar.
#
echo "|=== PHASE 3 ===| COPY XML FROM ESA TO LOCAL"
scp -q $USERNAME@$HOSTNAME:/configuration/$FILENAME $BACKUP_PATH
#
# Following will re-add ESA1 back into cluster.
#
echo "|=== PHASE 4 ===| ADDING $MACHINENAME BACK TO CLUSTER"
ssh $USERNAME@$HOSTNAME "clusterconfig join $HOSTNAME2 admin ironport Main_Group" 2> /dev/null
#
echo "|=== COMPLETE ===| $FILENAME successfully saved to $BACKUP_PATH"
#
# </SCRIPT>
#

Here is an examination of the main commands embedded in the script:

  • Remove ESA1 from the cluster:

    ssh $USERNAME@$HOSTNAME "clustermode cluster; clusterconfig removemachine $MACHINENAME" 2> /dev/null


  • Save the standalone configuration file and capture its name:

    FILENAME=`ssh -q $USERNAME@$HOSTNAME "saveconfig y 1" | grep xml | sed -e 's/\/configuration\///g' | sed 's/\.$//g' | tr -d "\""`


  • Copy the XML from ESA1 to the local host:

    scp -q $USERNAME@$HOSTNAME:/configuration/$FILENAME $BACKUP_PATH


  • Put ESA1 back into the cluster:

    ssh $USERNAME@$HOSTNAME "clusterconfig join $HOSTNAME2 admin ironport Main_Group" 2> /dev/null

A complete run of the script should produce output like this:

my_host$ ./cluster_backup 
|=== PHASE 1 ===| REMOVING ESA1.local FROM CLUSTER
Please wait, this operation may take a minute...
Machine ESA1.local removed from the cluster.
|=== PHASE 2 ===| BACKUP CONFIGURATION ON ESA
|=== PHASE 3 ===| COPY XML FROM ESA TO LOCAL
|=== PHASE 4 ===| ADDING ESA1.local BACK TO CLUSTER
Joining a cluster takes effect immediately, there is no need to commit.
|=== COMPLETE ===| C100V-0000E878109A-G091111-20150116T192955.xml successfully saved to /Users/saved_esa_configurations/
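The script above leaves two things to chance: if saveconfig or scp fails part-way, ESA1 stays out of the cluster, and an empty or truncated XML file is reported as a success. The following is an added example written for this technote, not Cisco's script and not supported by Cisco TAC; it follows the same remove / saveconfig / scp / join sequence and the same ESA CLI commands, but rejoins the cluster from an EXIT trap whether or not the backup succeeded, parses the saveconfig output with a function that fails when no file name is present, and checks the downloaded file before declaring success. Everything else is an assumption made for this example: the variable names (ESA1_HOST, ESA2_HOST, MACHINENAME, BACKUP_PATH, ESA_USER, ESA_PASSWORD_FILE), the mode-0600 password file, the "--run" guard, the constructed SAMPLE_SAVECONFIG_OUTPUT, and the check that an AsyncOS export begins with an XML declaration.

```shell
#!/bin/sh
# Added example, not Cisco's script: a hardened variant of the backup flow
# from this article. Only the ESA CLI commands are taken from the article
# (clustermode cluster, clusterconfig removemachine, saveconfig y 1,
# scp from /configuration/, clusterconfig join); variable names, the
# password file and the checks below are assumptions made for this example.
set -e

# Constructed sample of 'saveconfig' output, modelled on the output shown
# earlier in the article. Used only for the self-test; a real run parses
# the text returned over SSH instead.
SAMPLE_SAVECONFIG_OUTPUT='File written on machine "esaA.local" to the location
"/configuration/C100V-0000E878109A-G091111-20140909T184724.xml".
Configuration saved.'

# Return the bare <model>-<serial>-<timestamp>.xml name from saveconfig
# output. Same result as the article's grep/sed/tr pipeline, but it fails
# (non-zero exit, no output) instead of yielding an empty name when the
# appliance printed an error rather than a file location.
extract_config_filename() {
    line=$(printf '%s\n' "$1" | grep '/configuration/' | head -n 1 || true)
    [ -n "$line" ] || return 1
    name=${line##*/configuration/}   # keep what follows the directory
    name=${name%%\"*}                # drop the closing quote and anything after it
    name=${name%.}                   # drop a trailing period if the path was unquoted
    case "$name" in
        *.xml) printf '%s\n' "$name" ;;
        *)     return 1 ;;
    esac
}

# Reject an empty or truncated download: the file must be non-empty and its
# first line must be an XML declaration (assumed layout of an AsyncOS export).
verify_backup_file() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^<?xml' || return 1
}

# Put ESA1 back into the cluster. Installed as an EXIT trap so the appliance
# is not left standalone when saveconfig, scp or the verification fails.
# clusterconfig join takes the password as an argument, so it is still part
# of the ssh command line; reading it from a mode-0600 file keeps it out of
# the script text and the shell history.
rejoin_cluster() {
    echo "|=== REJOIN ===| ADDING $MACHINENAME BACK TO CLUSTER"
    ssh "$ESA_USER@$ESA1_HOST" \
        "clusterconfig join $ESA2_HOST admin $(cat "$ESA_PASSWORD_FILE") Main_Group" \
        2>/dev/null
}

run_backup() {
    # Required settings (assumed names); export them before calling with --run.
    : "${ESA1_HOST:?IP or FQDN of the appliance to back up}"
    : "${ESA2_HOST:?IP or FQDN of the other cluster member}"
    : "${MACHINENAME:?machine name as listed by 'clusterconfig list'}"
    : "${BACKUP_PATH:?local directory for the XML file}"
    : "${ESA_PASSWORD_FILE:?mode-0600 file holding the admin password}"
    ESA_USER=${ESA_USER:-admin}      # SSH key for this user is assumed, as in the article

    echo "|=== PHASE 1 ===| REMOVING $MACHINENAME FROM CLUSTER"
    ssh "$ESA_USER@$ESA1_HOST" \
        "clustermode cluster; clusterconfig removemachine $MACHINENAME" 2>/dev/null
    trap rejoin_cluster EXIT         # from here on, always rejoin on the way out

    echo "|=== PHASE 2 ===| BACKUP CONFIGURATION ON ESA"
    out=$(ssh -q "$ESA_USER@$ESA1_HOST" "saveconfig y 1")
    filename=$(extract_config_filename "$out")

    echo "|=== PHASE 3 ===| COPY XML FROM ESA TO LOCAL"
    scp -q "$ESA_USER@$ESA1_HOST:/configuration/$filename" "$BACKUP_PATH/"
    verify_backup_file "$BACKUP_PATH/$filename"

    echo "|=== COMPLETE ===| $filename saved to $BACKUP_PATH"
}

# Only contact the appliances when explicitly asked; sourcing the file or
# running it without '--run' just defines the functions above.
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

Run it as `ESA1_HOST=... ESA2_HOST=... MACHINENAME=ESA1.local BACKUP_PATH=/var/backups/esa ESA_PASSWORD_FILE=/root/.esa_admin_pw ./esa_backup.sh --run`. Because the trap is installed only after removemachine has run, a failure before that point exits without attempting a join on an appliance that was never removed; a failure after it still rejoins ESA1 before the script exits, which is the state you want a scheduled job to leave behind.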

Related Information



Document ID: 118403