Grabbing Devices Configuration Using Expect

Just a small post about an Expect script I quickly wrote to solve a backup issue. I already blogged about the "Expect" tool one year ago. I won't explain the basics of Expect again; just read my previous post.

This time, Expect is used to perform an automatic backup of a PaloAlto firewall. Why Expect? The target device is only reachable remotely via SSH (the standard backup procedure cannot be used). More annoyingly, the command line interface displays the configuration through a local pager (the space bar must be pressed to show the next screen).

Why use this procedure to back up the firewall, you may ask? For several reasons:

  • Backup automation (the script can be run from a crontab)
  • SSH increases security by encrypting all the data in transit
  • The configuration in a flat file can easily be re-used to define a baseline and check for changes between two backups (audit & change management)
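The baseline check from the last bullet, as an added shell example that is not part of the original post: it normalizes two configuration dumps, fingerprints them with SHA-256 and prints a unified diff when they differ. The sample configuration lines and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example: compare a new configuration dump against the previous
# baseline, as a crontab wrapper around backup.expect would. Not part of
# the original post; file names and the sample config lines are constructed.

# sha256_stdin: hash standard input (sha256sum on Linux, shasum elsewhere)
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# normalize_config FILE: drop trailing whitespace and blank lines so that
# cosmetic differences between two dumps do not trigger an alert
normalize_config() {
    sed -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# config_fingerprint FILE: SHA-256 of the normalized configuration,
# a single value that can be logged or stored next to the backup
config_fingerprint() {
    normalize_config "$1" | sha256_stdin | cut -d' ' -f1
}

# config_changed BASELINE NEW: returns 0 (and prints a unified diff of the
# normalized files) when the two configurations differ, 1 when identical
config_changed() {
    if [ "$(config_fingerprint "$1")" = "$(config_fingerprint "$2")" ]; then
        return 1
    fi
    tmp=$(mktemp -d)
    normalize_config "$1" > "$tmp/baseline"
    normalize_config "$2" > "$tmp/new"
    diff -u "$tmp/baseline" "$tmp/new" || true   # diff exits 1 on differences
    rm -rf "$tmp"
    return 0
}

# write_samples: constructed baseline and new dump (one rule added, plus a
# trailing-space and blank-line change that normalization must ignore);
# prints the directory holding the two files
write_samples() {
    dir=$(mktemp -d)
    printf 'set deviceconfig system hostname PA-FW1\nset rulebase security rules allow-web action allow\n' > "$dir/baseline.conf"
    printf 'set deviceconfig system hostname PA-FW1   \nset rulebase security rules allow-web action allow\nset rulebase security rules allow-any action allow\n\n' > "$dir/new.conf"
    echo "$dir"
}
```

From a crontab, run backup.expect to produce the new dump, then call config_changed against the stored baseline and log or mail the diff it prints.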

Basically, the script opens an SSH session to the device, sends the command required to dump the running configuration ("show config running"), simulates a key press at every pager pause and saves the result to a local file.

#!/usr/bin/expect -f
#
# backup.expect
#
# Expect script to backup a PaloAlto firewall via an SSH admin session
#
# Usage: backup.expect <host|ip> <login> <password> <prompt> <output>
#
# Note: the arguments (password included) are visible to other local users
# in the process list while the script runs.

if { [llength $argv] != 5 } {
	send_user "Usage: backup.expect <host|ip> <login> <password> <prompt> <output>\n"
	exit 1
}

# lindex returns the bare string; lrange would return a one-element list,
# which Tcl braces when the value contains spaces or special characters.
set firewall	[lindex $argv 0]
set username	[lindex $argv 1]
set password	[lindex $argv 2]
set prompt	[lindex $argv 3]
set filename	[lindex $argv 4]

# Allow a large screen of output to be buffered before a pattern matches
match_max 50000

spawn ssh -l $username $firewall
# Accept an unknown host key if asked, then answer the password prompt
expect {
	"yes/no"	{ send "yes\r"; exp_continue }
	"assword:"	{ send "$password\r" }
}
# -ex matches the prompt literally, so glob characters in it are harmless
expect -timeout 10 -ex "$prompt>"
set output [open "$filename" "w"]
set running 1
send "show config running\r"
# Skip the echoed command line and the terminal escape sequence after it
expect "\n"
expect "\[K"
# Write every complete line to the file; a "lines x-y" pager prompt gets a
# space-bar press; the CLI prompt, EOF or a timeout ends the loop
while { $running > 0 } {
	expect {
		"\n"		{ puts -nonewline $output "$expect_out(buffer)" }
		"lines *-* "	{ send " " }
		-ex "$prompt>"	{ set running 0 }
		eof		{ set running 0 }
		timeout		{ set running 0 }
	}
}
close $output
send "exit\r"
expect eof

The script is available: backup.expect (of course provided "as is" without any warranty).

10 comments

  1. Just one question: what are you trying to achieve? If you’re working with PaloAlto firewalls, they provide a very nice REST API that can be used to automate almost everything…

  2. Hi Xavier,

    My script is like this:

    set usernamenya [lindex $argv 0]
    set passwordnya [lindex $argv 1]
    set hostnamenya [lindex $argv 2]

    send_user "\n==\n===\n====StartOFExpectSession\n===\n==\n"

    spawn ssh "$usernamenya@$hostnamenya"
    expect "Pass" {send "$passwordnya\r"}
    send "show clock\r"
    expect "EHS>"
    send "exit\r"
    send_user "\n==\n===\n====EndOFExpectSession\n===\n==\n"

    There is no quote (") on send "show clock\r"

  3. Could anybody help me with this problem?
    please wait…
    send: spawn id exp6 not open
    while executing
    "send "show clock\r""
    (file "/usr/script/expectTemplate_PaloAlto" line 27)
    Job finished
    Result Filename: /home/ade/PaloAltoCloudciti_20170420.141543.tar.gz
    Log added in : /usr/script/getConfig.log

    I just tested it with the command send "show clock\r, but it shows an error like that.
    What’s wrong with my cronjob?
    Thanks before

  4. CRONTAB

    Hi, I found an issue with this great script and crontab; this is how I solved it. Including a sleep inside the while loop and without output to a file, just with …/Palo.sh > …/PaloAlto1.conf inside crontab.

    while { $running > 0 } {
        expect {
            "\n" { send " " }
            "lines *-* " { send " " }
            "admin@PA-3050_HIBU1(active)>" { set running 0 }
            eof { set running 0 }
            timeout { set running 0 }
        }
        sleep 1   ;# <<<<<<<<<<<<<<<<<< added delay
    }

  5. To properly back up a PA firewall **managed by Panorama** you have to download the "device state" using the API ( type=export category=configuration ).

  6. log_file $device-$filesave.cfg
    send "show running-config\r"
    expect -ex "--More--" {send " ";exp_continue}
    log_file
    interact

    I have the following code for looping between the pages, but it finally ends with the # prompt and hangs. I have to stop it using Ctrl Z. Any solution to exit the code properly?

  7. You can also send the command "set cli pager off" to the Palo Alto to disable paging in the shell

  8. You’re right, I already heard good things about this product a few years ago! Completely forgot it.
    Thanks for the feedback!

  9. I advise you to check the open-source tool RANCID [http://www.shrubbery.net/rancid/] which does precisely that: back up every network config regularly and keep a history with cvs/svn. It can also alert if there are changes, to check whether they were correctly approved.
    It’s more appropriate if you have many systems but could be used on a small infrastructure too. It could probably be adapted to save some unix /etc in cvs/svn.

    Else, thanks for all your interesting posts.
