Automate Configuration Backups

While there are dedicated solutions that hook into network appliances to perform regularly backup of their state, namely their configurations, I devised a method using PowerShell and the built-in FTP service included with Internet Information Services (IIS) for Windows. The requirements are light and this can be set up on either a dedicated Windows Server or even a Windows client jump box.

The script below was tested on Windows 7 sometime ago, retrieving a configuration from a Juniper vSRX; with a bit of tweaking, you can modify the Invoke-SSHStreamExpectAction commands to interact with other network appliances over SSH.

To mask the password from plain text, the script uses password blob, hashing the password. This blob can only work on the computer in which it was created from; if you move the script onto another computer, you will need to recreate the password blob.

The script essentially does the following:

Goes to the working directory and starts the FTP service
Logs onto the network appliance
Uploads the config to the FTP server
Logs out of the network appliance
Stops the FTP service
Renames the config as hostname_yyyyMMdd.conf

To start, install IIS with the FTP role on the destined Windows system and ensure the Post-SSH PowerShell Module is installed:

Install-WindowsFeature Web-FTP-Server
Install-Module Posh-SSH

#Create the password blob file on a new host

###Read-Host "Enter Password" -AsSecureString | ConvertFrom-SecureString | Out-File .\blob.txt

# Change to working directory

cd C:\Files\ConfigBackup

#Start FTP Server - ensure FTP service is set to Manual

Clear-Host

Get-Service ftpsvc | Where {$_.status –eq 'Stopped'} | Start-Service

sleep 5

#Specify the password blob file

Get-Content "blob.txt" | ConvertTo-SecureString

$blob = "blob.txt"

#Declare variables, req. Install-Module Posh-SSH

#Prepare credentials

$hostname = "172.17.17.1"

$username = "root"

$password = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, (Get-Content $blob | ConvertTo-SecureString)

#Log onto the vSRX

New-SSHSession -ComputerName $hostname -Acceptkey -Force -Credential $password

#Invoke-SSHCommand -Index 0 -Command "ls -lash"

$session = Get-SSHSession

$session.SessionId

$stream = $session.Session.CreateShellStream("PS-SSH", 0, 0, 0, 0, 100)

Invoke-SSHStreamExpectAction -ShellStream $stream -Command "cli" -ExpectRegex '[\$%#>] $' -Action 'configure' -Verbose

Invoke-SSHStreamExpectAction -ShellStream $stream -Command "run" -ExpectRegex '[\$%#>] $' -Action 'save ftp://ftpuser:ftppassword@172.17.17.7/vsrx' -Verbose

sleep 3

Remove-SSHSession -Index 0 -Verbose

#Stop FTP Server

Get-Service ftpsvc | Where {$_.status –eq 'Running'} | Stop-Service

sleep 5

#Rename the config

$ftplocalpath = "C:\inetpub\ftproot"

$renameconfig = "vsrx" + "_" + (Get-Date -Format "yyyyMMdd")

Remove-Item -Path "$ftplocalpath\$renameconfig.conf" -ErrorAction SilentlyContinue

Rename-Item -Path "$ftplocalpath\vsrx" -NewName "$renameconfig.conf" -ErrorAction SilentlyContinue

Remove-Item -Path "$ftplocalpath\vsrx" -ErrorAction SilentlyContinue