Automate Configuration Backups

While there are dedicated solutions that hook into network appliances to perform regular backups of their state, namely their configurations, I devised a method using PowerShell and the built-in FTP service included with Internet Information Services (IIS) for Windows. The requirements are light and this can be set up on either a dedicated Windows Server or even a Windows client jump box.

The script below was tested on Windows 7 some time ago, retrieving a configuration from a Juniper vSRX; with a bit of tweaking, you can modify the Invoke-SSHStreamExpectAction commands to interact with other network appliances over SSH.

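To keep the password out of the script in plain text, the script uses a password blob. The blob is the output of ConvertFrom-SecureString, which encrypts the password with the Windows Data Protection API (this is encryption, not hashing). The blob only works under the user account and on the computer where it was created; if you move the script onto another computer, you will need to recreate the password blob.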

The script essentially does the following:

  • Goes to the working directory and starts the FTP service
  • Logs onto the network appliance
  • Uploads the config to the FTP server
  • Logs out of the network appliance
  • Stops the FTP service
  • Renames the config as hostname_yyyyMMdd.conf

To start, install IIS with the FTP role on the destination Windows system and ensure the Posh-SSH PowerShell module is installed:

Install-WindowsFeature Web-FTP-Server
Install-Module Posh-SSH

#Create the password blob file on a new host
###Read-Host "Enter Password" -AsSecureString |  ConvertFrom-SecureString | Out-File .\blob.txt
# Change to working directory
cd C:\Files\ConfigBackup
#Start FTP Server - ensure FTP service is set to Manual
Get-Service ftpsvc | Where {$_.status -eq 'Stopped'} |  Start-Service
sleep 5
#Specify the password blob file (it is decrypted when the credential is built below)
$blob = "blob.txt"
#Declare variables, req. Install-Module Posh-SSH
#Prepare credentials
$hostname = ""
$username = "root"
$password = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, (Get-Content $blob | ConvertTo-SecureString)
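#Log onto the vSRX
#Note: -AcceptKey trusts an unknown host key automatically and -Force skips the fingerprint check, so the appliance's identity is not verified
New-SSHSession -ComputerName $hostname -AcceptKey -Force -Credential $password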
#Invoke-SSHCommand -Index 0 -Command "ls -lash"
$session = Get-SSHSession
$stream = $session.Session.CreateShellStream("PS-SSH", 0, 0, 0, 0, 100)
Invoke-SSHStreamExpectAction -ShellStream $stream -Command "cli" -ExpectRegex '[\$%#>] $' -Action 'configure' -Verbose
Invoke-SSHStreamExpectAction -ShellStream $stream -Command "run" -ExpectRegex '[\$%#>] $' -Action 'save ftp://ftpuser:ftppassword@' -Verbose
sleep 3
Remove-SSHSession -Index 0 -Verbose
#Stop FTP Server
Get-Service ftpsvc | Where {$_.status -eq 'Running'} |  Stop-Service
sleep 5
#Rename the config
$ftplocalpath = "C:\inetpub\ftproot"
$renameconfig = "vsrx" + "_" + (Get-Date -Format "yyyyMMdd")
Remove-Item -Path "$ftplocalpath\$renameconfig.conf" -ErrorAction SilentlyContinue
Rename-Item -Path "$ftplocalpath\vsrx" -NewName "$renameconfig.conf" -ErrorAction SilentlyContinue
Remove-Item -Path "$ftplocalpath\vsrx" -ErrorAction SilentlyContinue
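
Because the rename step runs with -ErrorAction SilentlyContinue, a failed login or upload leaves no trace. The check below is an added example, not part of the original script: it confirms that today's file exists, is non-empty and fresh, then records its SHA-256. It assumes PowerShell 4.0 or later (for Get-FileHash) and reuses the script's paths and vsrx prefix; Test-ConfigBackup, hashes.csv and the 15-minute freshness window are hypothetical.

```powershell
# Added example: run after the rename step of the backup script.
# Assumptions: Test-ConfigBackup, hashes.csv and the 15-minute window are
# hypothetical; the paths and "vsrx" prefix mirror the script above.
function Test-ConfigBackup {
    param(
        [string]$FtpLocalPath = "C:\inetpub\ftproot",
        [string]$Prefix       = "vsrx",
        [string]$HashLog      = "C:\Files\ConfigBackup\hashes.csv",
        [int]$MaxAgeMinutes   = 15
    )
    $name = "{0}_{1}.conf" -f $Prefix, (Get-Date -Format "yyyyMMdd")
    $path = Join-Path $FtpLocalPath $name

    # Fail loudly instead of silently continuing
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Backup missing: $path"
    }
    $file = Get-Item -LiteralPath $path
    if ($file.Length -eq 0) { throw "Backup is empty: $path" }
    if ($file.LastWriteTime -lt (Get-Date).AddMinutes(-$MaxAgeMinutes)) {
        throw "Backup is stale (written $($file.LastWriteTime)): $path"
    }

    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    # Most recent record for a different file, to flag configuration changes
    $previous = $null
    if (Test-Path -LiteralPath $HashLog) {
        $previous = Import-Csv -LiteralPath $HashLog |
            Where-Object { $_.File -ne $file.Name } | Select-Object -Last 1
    }
    $result = [pscustomobject]@{
        Date    = Get-Date -Format "s"
        File    = $file.Name
        Bytes   = $file.Length
        SHA256  = $hash
        Changed = (-not $previous) -or ($previous.SHA256 -ne $hash)
    }
    $result | Export-Csv -LiteralPath $HashLog -Append -NoTypeInformation
    $result
}

try {
    Test-ConfigBackup | Format-List
} catch {
    Write-Error $_
    exit 1   # non-zero exit code so a scheduled task records the failure
}
```

Keep hashes.csv outside the FTP root so that the FTP account cannot alter the recorded hashes.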