自动化或写脚本ESA的配置文件备份在团星的

简介

本文描述如何使用批命令为了保存从一个设备的一配置在思科电子邮件安全工具(ESA)的集群。这在AsyncOS所有版本可以使用ESA。

在AsyncOS版本8.5之前，集群设备不能保存将使用的一可用的配置恢复配置到Cisco ESA。为了从设备获得一可用的配置，您必须从集群删除设备和保存配置作为独立设备。

先决条件

注意：此条款是proof-of-concept和，假设为例基本类型。当这些步骤成功测试时，此条款主要为演示和说明目的打算。自定义脚本是在思科的范围和支持能力外面。Cisco技术支持中心不会写，更新或者在任何时间排除故障自定义外部脚本。 在您尝试并且修建所有脚本前，请保证您有执行脚本知识，当您修建最终脚本时。

收集从ESAs的此信息在集群：

• IP地址和主机名
• 集群名称
• 团星组名(如果适用)

参见AsyncOS您的版本的CLI参考指南电子邮件安全的，尽管有CLI取决于版本您的ESA运行的批更改。

读并且了解这些TechNotes ：

• 自动化或如何能写脚本配置文件备份？
• 如何配置SSH登录的公共密钥验证到ESA，不用密码

自动化或写脚本设备的配置文件备份在团星的

AsyncOS版本早于版本8.5，当您尝试保存配置，当在集群用saveconfig或mailconfig命令， ESA生成此警告时：

WARNING: Clustered machines do not support loadconfig. Your configuration file has
 complete  data for the entire cluster, but cannot be used to restore a configuration.

[an error occurred while processing this directive]

在AsyncOS版本8.5和以上，已保存的配置当前包含计算机级别配置和集群配置。这从版本8.5和以上用户指南详细被覆盖。参考全面的详细信息的最终用户指南。

没有需要备份每个设备的配置在集群。然而，能有在网络的多集群，当多个组配置为每集群。从集群删除每个设备，然后保存配置并且手工再再结合集群是相当难的。

这些命令，如果登录ESA，从集群删除ESA，保存或者邮寄配置，再，然后再结合集群可以使用。

为了开始，认识ESAs的机器名字和序列号在集群和组名的是重要的。如果进入在CLI的clusterconfig列表这可以获取：

(Cluster ESA1_ESA2)> clusterconfig list

Cluster esaA_esaB
=====================
 Group Main_Group:
 Machine ESA1.local (Serial #: 0000E878109A-G091111) 
 Machine ESA2.local (Serial #: 0000E878525D-9091111)

[an error occurred while processing this directive]

为了从集群删除设备，请使用clusterconfig removemachine <appliance name>命令：

(Cluster ESA1_ESA2)> clusterconfig removemachine ESA1.local

Please wait, this operation may take a minute...
Machine ESA1.local removed from the cluster.

[an error occurred while processing this directive]

用saveconfig命令，请保存在设备上的配置用密码。如注释， “文件用被屏蔽的密码不可能装载使用loadconfig命令”。因此，请务必输入N，当提示：

ESA1.local> saveconfig

Do you want to mask the password? Files with masked passwords cannot be loaded
using loadconfig command. [Y]> n

File written on machine "esaA.local" to the location
"/configuration/C100V-0000E878109A-G091111-20140909T184724.xml".
Configuration saved. 

[an error occurred while processing this directive]

或者，使用mailconfig为了给配置发电子邮件到一个有效电子邮件接收方。如注释， “文件用被屏蔽的密码不可能装载使用loadconfig命令”。因此，请务必输入N，当提示：

ESA1.local> mailconfig

Please enter the email address to which you want to send the configuration file.
Separate multiple addresses with commas.
[]> joe@example.com

Do you want to mask the password? Files with masked passwords cannot be loaded
using loadconfig command. [Y]> n

The configuration file has been sent to joe@example.com.

[an error occurred while processing this directive]

最后，请使用clusterconfig批命令为了加入设备回到集群：

clusterconfig join [--port=xx] <ip_of_remote_cluster> <admin_username>
<admin_password> <groupname>

[an error occurred while processing this directive]

为了继续前一个示例，这在此命令将被执行：

esaA.local> clusterconfig join --port=22 172.16.6.161 admin ironport Main_Group

Joining a cluster takes effect immediately, there is no need to commit.
(Cluster ESA1_ESA2)>

[an error occurred while processing this directive]

您在前一个示例中注明将注意prompt命令的自动更改对团星级别名称，作为“集群ESA1_ESA2)"。

先进的自动化的或写脚本的配置文件备份

从一台外部主机(UNIX/Linux/OSX)，您能使用上一个命令为了写脚本进程。

这是整个过程的示例写入到脚本，假设集群运行安全壳SSH，端口22 ：

#! /bin/bash
#
# Script to save the ESA config, then copy locally via SCP. This is assuming you 
wish to
# have the cluster in SSH via port 22. This script has been written and tested against
# AsyncOS 9.0.0-390 (01/15/2014).
#
# *NOTE* This script is a proof-of-concept and provided as an example basis. While
these steps have 
# been successfully tested, this script is for demonstration and illustration purposes. 
Custom 
# scripts are outside of the scope and supportability of Cisco. Cisco Technical 
Assistance will 
# not write, update, or troubleshoot custom external scripts at any time.
#
# <SCRIPT>
#
# $HOSTNAME & $HOSTNAME2 can be either the FQDN or IP address of the ESAs in cluster.
#
HOSTNAME= [IP/HOSTNAME ESA1]
HOSTNAME2= [IP/HOSTNAME ESA2]
#
# $MACHINENAME is the local name for ESA1.
# 
MACHINENAME= [MACHINENAME AS LISTED FROM 'clusterconfig list']
#
# $USERNAME assumes that you have preconfigured SSH key from this host to your ESA.
# http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/
118305-technote-esa-00.html
#
USERNAME=admin
#
# $BACKUP_PATH is the directory location on the local system.
#
BACKUP_PATH= [/local/path/as/?desired]
#
# Following will remove ESA1 from cluster in order to backup standalone config.
# "2> /dev/null" at the end of string will quiet any additional output of the 
clustermode command.
#
echo "|=== PHASE 1 ===| REMOVING $MACHINENAME FROM CLUSTER"
ssh $USERNAME@$HOSTNAME "clustermode cluster; clusterconfig removemachine 
$MACHINENAME" 2> /dev/null
#
# $FILENAME contains the actual script that calls the ESA, issues the 'saveconfig' 
command.
# The rest of the string is the cleanup action to reflect only the <model>-
<serial number>-<timestamp>.xml.
#
echo "|=== PHASE 2 ===| BACKUP CONFIGURATION ON ESA"
FILENAME=`ssh -q $USERNAME@$HOSTNAME "saveconfig y 1" | grep xml | sed -e 
's/\/configuration\///g' | sed 's/\.$//g' | tr -d "\""`
#
# The 'scp' command will secure copy the $FILENAME from the ESA to specified 
backup path, as entered above.
# The -q option for 'scp' will disable the copy meter/progress bar.
#
echo "|=== PHASE 3 ===| COPY XML FROM ESA TO LOCAL"
scp -q $USERNAME@$HOSTNAME:/configuration/$FILENAME $BACKUP_PATH
#
# Following will re-add ESA1 back into cluster.
#
echo "|=== PHASE 4 ===| ADDING $MACHINENAME BACK TO CLUSTER"
ssh $USERNAME@$HOSTNAME "clusterconfig join $HOSTNAME2 admin ironport 
Main_Group" 2> /dev/null
#
echo "|=== COMPLETE ===| $FILENAME successfully saved to $BACKUP_PATH"
#
# </SCRIPT>
#

[an error occurred while processing this directive]

这是在脚本嵌入的主要命令的考试：

• 从集群的删除ESA1 ：
  
  

  ssh $USERNAME@$HOSTNAME "clustermode cluster; clusterconfig removemachine 
  $MACHINENAME" 2> /dev/null

  [an error occurred while processing this directive]
  
  
• 下载独立配置文件：
  
  

  FILENAME=`ssh -q $USERNAME@$HOSTNAME "saveconfig y 1" | grep xml | sed -e 's/
  \/configuration\///g' | sed 's/\.$//g' | tr -d "\""`

  [an error occurred while processing this directive]
  
  
• 复制XML从ESA1到本地主机：
  
  

  scp -q $USERNAME@$HOSTNAME:/configuration/$FILENAME $BACKUP_PATH

  [an error occurred while processing this directive]
  
  
• 放置ESA1回到集群。
  
  

  ssh $USERNAME@$HOSTNAME "clusterconfig join $HOSTNAME2 admin ironport 
  Main_Group" 2> /dev/null

  [an error occurred while processing this directive]

脚本的一完整示例在操作的应该导致此：

my_host$ ./cluster_backup 
|=== PHASE 1 ===| REMOVING ESA1.local FROM CLUSTER
Please wait, this operation may take a minute...
Machine ESA1.local removed from the cluster.
|=== PHASE 2 ===| BACKUP CONFIGURATION ON ESA
|=== PHASE 3 ===| COPY XML FROM ESA TO LOCAL
|=== PHASE 4 ===| ADDING ESA1.local BACK TO CLUSTER
Joining a cluster takes effect immediately, there is no need to commit.
|=== COMPLETE ===| C100V-0000E878109A-G091111-20150116T192955.xml successfully 
saved to /Users/saved_esa_configurations/

[an error occurred while processing this directive]

相关信息

• 思科电子邮件安全工具-最终用户指南
• 技术支持和文档 - Cisco Systems