
Automated configuration backup - SRX345

  • 1.  Automated configuration backup - SRX345

    Posted 05-22-2019 11:11
    I would like to automate the backup of the active configuration file for an SRX345 to be sent to a remote FTP server. This should be done every 6 months (i.e. every 1st of June and every 1st of Dec) and be repeatable every year.
    Manually getting the backup (i.e. by doing a commit) isn't desirable.
    Any suggestions please? Thank you.


  • 2.  RE: Automated configuration backup - SRX345

    Posted 05-22-2019 11:26


  • 3.  RE: Automated configuration backup - SRX345

    Posted 05-22-2019 11:37
    Thanks for your reply. However, transfer-on-commit isn't what I'm looking for. Could event-options help in this case? If yes, can you provide me a sample configuration?


  • 4.  RE: Automated configuration backup - SRX345

     
    Posted 05-22-2019 11:48

    Instead of transfer-on-commit, there is transfer-interval - but maximum interval is every 48 hours so not 100% what you are looking for. Would backup every second day and then a cleanup job, deleting files older than X days on the archival server be a feasible solution?



  • 5.  RE: Automated configuration backup - SRX345

    Posted 05-22-2019 12:00
    I would consider that option. Can you provide me a sample configuration please?


  • 6.  RE: Automated configuration backup - SRX345

     
    Posted 05-22-2019 12:05

    Something like this. There can be several archive-sites defined if needed:

     

    user@fw# show system archival
    configuration {
        transfer-interval 2880;
        archive-sites {
            "ftp://user:pass@192.168.1.10:";
            "scp://user:pass@192.168.1.11:/some/folder/";
        }
    }
    


  • 7.  RE: Automated configuration backup - SRX345

    Posted 05-22-2019 16:23

    Hi dimkatsar,

     

    You could use the following event-options script:

     

    • Generate an event every week
    set event-options generate-event EVENT_NAME time-interval [SECONDS]
    

     

    • Create event-policy for the above event to upload /config/juniper.conf.gz to ftp
    set event-options policy POLICY_NAME events EVENT_NAME
    set event-options policy POLICY_NAME then upload filename /config/juniper.conf.gz destination DESTINATION_NAME

     

    • Specify the FTP/SCP server where you want to copy the file.
    set event-options destinations DESTINATION_NAME archive-sites "ftp://USER@SERVER_ADDRESS/config" password PASSWORD

     

    It was shared over the following post for a weekly configuration backup:

     

    https://forums.juniper.net/t5/SRX-Services-Gateway/Weekly-Schedule-configuration-backup-auto/m-p/316188#M47905

     

    Because the time-interval value has to be specified in seconds, they used 604800 seconds, which is equivalent to 7 days. I know you are looking for this to happen every 6 months; however, the maximum value you can configure is 2,592,000 seconds, which is 30 days:

     

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/time-interval-edit-event-options.html

     

    This way if you have to try a workaround on the server side at least you will only have 6 configuration files.

     

    I checked for an option that will let you specify a date for the event to be generated, but that option doesn't exist:

     

    root@a13-17# set event-options generate-event TEST ?
    Possible completions:
      no-drift             Avoid event generation delay propagating to next event
      time-interval        Frequency for generating the event (60..2592000 seconds)
      time-of-day          Time of day at which to generate event (hh:mm:ss)
    

    I hope this helps.

     

    Please mark this post as Solution if it applies.
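
The server-side workaround mentioned in posts 4 and 7, as an added example that is not part of the original thread: a dry-run retention planner for the archive server that keeps the first backup of each half-year starting 1 June or 1 December and marks the rest for deletion. The function names and the 7-day recent window are assumptions; the file name pattern is the one visible in the transfer logs later in this thread.

```python
import re
from datetime import date, timedelta

# Archive names as they appear in the transfer logs in this thread:
#   AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
NAME_RE = re.compile(r"^(?P<host>.+)_(?P<ymd>\d{8})_(?P<hms>\d{6})_juniper\.conf\.gz$")

def parse_archive(name):
    """Return (host, date, 'HHMMSS'), or None if name is not a config archive."""
    m = NAME_RE.match(name)
    if not m:
        return None
    ymd = m.group("ymd")
    try:
        day = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
    except ValueError:  # impossible date such as month 13: treat as a foreign file
        return None
    return m.group("host"), day, m.group("hms")

def period_start(day):
    """Most recent 1 June or 1 December on or before day."""
    if day >= date(day.year, 12, 1):
        return date(day.year, 12, 1)
    if day >= date(day.year, 6, 1):
        return date(day.year, 6, 1)
    return date(day.year - 1, 12, 1)

def plan_retention(names, today, keep_recent_days=7):
    """Dry run: return (keep, delete) as sorted lists; nothing is removed here."""
    cutoff = today - timedelta(days=keep_recent_days)
    keep, archives, first = set(), [], {}
    for name in names:
        info = parse_archive(name)
        if info is None:          # never delete files we do not recognise
            keep.add(name)
            continue
        host, day, hms = info
        archives.append(name)
        if day >= cutoff:         # short window of recent backups
            keep.add(name)
        key = (host, period_start(day))
        if key not in first or (day, hms) < first[key][0]:
            first[key] = ((day, hms), name)   # earliest archive of the period
    keep.update(name for _, name in first.values())
    return sorted(keep), sorted(n for n in archives if n not in keep)
```

Because the device uploads every two days at most, the kept file is the first one on or after the anchor date rather than one stamped exactly 1 June or 1 December.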

     



  • 8.  RE: Automated configuration backup - SRX345

    Posted 05-22-2019 20:31
    This solution also looks great to me. Would like to thank the community for being so supportive.


  • 9.  RE: Automated configuration backup - SRX345

    Posted 05-22-2019 23:25

    dimkatsar,

     

    I'm glad we were able to help. If you consider any of the comments a valid solution, please mark it as such so that future users can see it right from the beginning.

     



  • 10.  RE: Automated configuration backup - SRX345

    Posted 05-26-2019 07:35
    Greetings,
    I applied the configuration you proposed, however it seems it doesn't work at all. I have set a time interval of 60 mins. I also did it with a "transfer on commit" but still nothing happens. Am I missing something?


  • 11.  RE: Automated configuration backup - SRX345

     
    Posted 05-26-2019 23:38
    Are you able to manually copy the files to the configured destinations from the SRX?


  • 12.  RE: Automated configuration backup - SRX345

    Posted 05-27-2019 19:14

    Hi,

     

    Can you share the configuration you used? Also please confirm if you are seeing any error messages related to the file transfer in the messages log file (if it's configured):

     

    > show log messages

     

    You could also configure a new log file that will save any logs matching the "transfer" word:

     

    # set system syslog file [new_file_name] any any
    # set system syslog file [new_file_name] match transfer
    # commit

    ****try the test****

    > show log [new_file_name]

     

    Please try to manually copy the configuration file to your FTP server:

     

    root@host> file copy /config/juniper.conf ftp://user@hostname/juniper.conf
    Password for user@hostname: ******
    Receiving ftp: //user@hostname/juniper.conf (2198 bytes): 100%
    2198 bytes transferred in 0.0 seconds (2.69 MBps)

     

    Reference: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/file-copy.html

     



  • 13.  RE: Automated configuration backup - SRX345

    Posted 05-28-2019 08:03
    I will try this test and I will let you know about the result. For your info, whenever I do a commit then I can see all files saved to /var/transfer/config but not saved to the root folder of my TFTP server.
    When I manually copy a file using the "file copy" command then an error message occurs saying that hostname cannot be resolved.
    Can the destination url be assigned with the IP address of the TFTP server or only hostname is acceptable? In case of hostname only, do I have to enable DNS lookup?
    Please advise.


  • 14.  RE: Automated configuration backup - SRX345

    Posted 05-28-2019 08:39
    Yes you can use the IP address instead of the hostname. Also if you decide to use the hostname you need to configure a DNS server on the SRX so the firewall can resolve hostnames to IPs.
    Example:
    # set system name-server 8.8.8.8



  • 15.  RE: Automated configuration backup - SRX345

    Posted 05-29-2019 01:27

    Here is the configuration I set on the device. Also, below you can see the logs collected from the file I created as you told me to do. Manually copying a file with the file copy command is also failing. I'm wondering if that would be related to any TFTP process used by the device; is there such a process? As I previously mentioned, whenever I do a commit, I can see the new file created on the /var/config/transfer but for some reason that file cannot be copied to the server through TFTP.

     

    configuration {
        transfer-on-commit;
        archive-sites {
            tftp://172.30.200.193/ab5-dmz-fw001.cfg;
        }
    }

     

    OUTPUT - LOGS

    May 29 08:50:14.048 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 08:51:02.990 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 08:51:14.129 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 08:52:03.071 2019 AB5-DMZ-FW001 last message repeated 2 times
    May 29 08:52:14.267 2019 AB5-DMZ-FW001 last message repeated 2 times
    May 29 08:53:03.241 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 08:54:03.361 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 08:54:03.404 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 08:55:03.517 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:03:10.393 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:04:10.482 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:04:10.531 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:06:10.722 2019 AB5-DMZ-FW001 last message repeated 3 times
    May 29 09:06:10.770 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:07:00.819 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:07:00.923 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:07:10.868 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:07:10.884 2019 AB5-DMZ-FW001 pfed: Error <256> uploading file '/var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz'. Remaining retry attempts = 1, retry in 595 seconds...
    May 29 09:08:01.032 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:08:42.721 2019 AB5-DMZ-FW001 mgd[3280]: UI_CMDLINE_READ_LINE: User 'butacms', command 'file list /var/transfer/config/ '
    May 29 09:09:01.129 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:09:01.174 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:09:43.433 2019 AB5-DMZ-FW001 mgd[3280]: UI_CMDLINE_READ_LINE: User 'butacms', command 'file list /var/transfer/config/ '
    May 29 09:10:02.905 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:10:02.935 2019 AB5-DMZ-FW001 pfed: Error <256> uploading file '/var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz'. Remaining retry attempts = 1, retry in 595 seconds...
    May 29 09:11:03.051 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:11:03.650 2019 AB5-DMZ-FW001 mgd[3280]: UI_CMDLINE_READ_LINE: User 'butacms', command 'file list /var/transfer/config/ '
    May 29 09:12:03.167 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:12:03.216 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:13:03.320 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:14:03.414 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:14:03.458 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:15:03.548 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz
    May 29 09:17:05.961 2019 AB5-DMZ-FW001 pfed: Error <256> uploading file '/var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz'
    May 29 09:18:32.118 2019 AB5-DMZ-FW001 mgd[3280]: UI_CMDLINE_READ_LINE: User 'butacms', command 'file list /var/transfer/config/ '
    May 29 09:19:57.937 2019 AB5-DMZ-FW001 pfed: Error <256> uploading file '/var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz'
    May 29 09:20:02.934 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_070910_juniper.conf.gz
    May 29 09:20:29.070 2019 AB5-DMZ-FW001 mgd[3280]: UI_CMDLINE_READ_LINE: User 'butacms', command 'file list /var/transfer/config/ '
    May 29 09:21:03.029 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_070910_juniper.conf.gz
    May 29 09:21:03.074 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_070910_juniper.conf.gz
    May 29 09:21:29.387 2019 AB5-DMZ-FW001 mgd[3280]: UI_CMDLINE_READ_LINE: User 'butacms', command 'file list /var/transfer/config/ '
    May 29 09:22:03.162 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_070910_juniper.conf.gz
    May 29 09:23:03.256 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_070910_juniper.conf.gz
    May 29 09:23:03.303 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_070910_juniper.conf.gz
    May 29 09:24:03.436 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_070910_juniper.conf.gz
    May 29 09:24:59.692 2019 AB5-DMZ-FW001 logger: transfer-file: file /var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz not found
    May 29 09:25:00.666 2019 AB5-DMZ-FW001 pfed: Error <256> uploading file '/var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz'. Remaining retry attempts = 1, retry in 595 seconds...
    May 29 09:25:32.754 2019 AB5-DMZ-FW001 mgd[3280]: UI_CMDLINE_READ_LINE: User 'butacms', command 'file list /var/transfer/config/ '
    May 29 09:26:20.637 2019 AB5-DMZ-FW001 mgd[3280]: UI_CMDLINE_READ_LINE: User 'butacms', command 'file list /var/transfer/config/ '
    May 29 09:27:02.987 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_070910_juniper.conf.gz
    May 29 09:34:55.777 2019 AB5-DMZ-FW001 pfed: Error <256> uploading file '/var/transfer/config/AB5-DMZ-FW001_20190528_065232_juniper.conf.gz'
    May 29 09:35:00.952 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_070910_juniper.conf.gz
    May 29 09:35:01.940 2019 AB5-DMZ-FW001 logger: transfer-file failed to transfer /var/transfer/config/AB5-DMZ-FW001_20190528_070910_juniper.conf.gz



  • 16.  RE: Automated configuration backup - SRX345

    Posted 05-29-2019 15:00

    Hello Dimkatsar,

     

    As far as I know, the commit-transfer commands ONLY support the following options: -

     

    file:// transfer on a path to a named file
    ftp:// transfer using active FTP server
    pasvftp:// transfer to a device that only accepts passive FTP services
    scp:// transfer to a known host using background SCP file transfers
     
     
     


  • 17.  RE: Automated configuration backup - SRX345

    Posted 05-29-2019 16:40

    Please note that you were looking in the problem description for a FTP transfer and that the commands provided by lpaniagua make reference to FTP as well.

     

    configuration {
        transfer-on-commit;
        archive-sites {
            tftp://172.30.200.193/ab5-dmz-fw001.cfg;
        }
    }

     

    TFTP is not supported by the SRX as a transfer protocol, try with ftp and let us know.
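
A pre-commit check for the mistake diagnosed above, as an added example that is not part of the original thread: it pulls the URLs out of an `archive-sites` block, flags any scheme outside the list given in post 16 (taken as stated there), and also flags destinations where FTP would carry the login and the configuration unencrypted or where a password sits in the URL. The function names are assumptions; the two sample configurations are the ones posted in this thread.

```python
import re

SUPPORTED = {"file", "ftp", "pasvftp", "scp"}  # schemes listed in post 16
CLEARTEXT = {"ftp", "pasvftp"}                 # login and config cross the wire unencrypted

URL_RE = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
                    r"(?:(?P<user>[^:@/]+)(?::(?P<pw>[^@/]*))?@)?(?P<rest>.*)$")

POST6 = '''configuration {
    transfer-interval 2880;
    archive-sites {
        "ftp://user:pass@192.168.1.10:";
        "scp://user:pass@192.168.1.11:/some/folder/";
    }
}'''
POST15 = '''configuration {
transfer-on-commit;
archive-sites {
tftp://172.30.200.193/ab5-dmz-fw001.cfg;'''   # pasted without closing braces

def archive_urls(config_text):
    """Return the URLs inside archive-sites { ... }, tolerating a missing '}'."""
    m = re.search(r"archive-sites\s*\{([^}]*)", config_text)
    if not m:
        return []
    urls = []
    for stmt in m.group(1).split(";"):
        fields = stmt.split()          # a 'password ...' suffix is ignored
        if fields:
            urls.append(fields[0].strip('"'))
    return urls

def lint(config_text):
    """Return [(url_with_password_masked, [issues])] for each archive site."""
    report = []
    for url in archive_urls(config_text):
        m = URL_RE.match(url)
        if not m:
            report.append((url, ["not a URL"]))
            continue
        scheme, issues = m.group("scheme").lower(), []
        if scheme not in SUPPORTED:
            issues.append("unsupported scheme")
        if scheme in CLEARTEXT:
            issues.append("cleartext transport")
        if m.group("pw") is not None:
            issues.append("password embedded in URL")
            url = f"{m.group('scheme')}://{m.group('user')}:***@{m.group('rest')}"
        report.append((url, issues))
    return report
```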

     



  • 18.  RE: Automated configuration backup - SRX345

    Posted 06-02-2019 00:57
    I try again and again but no success. It says connection refused and put-file failed. Couldn't send local copy of file.
    FTP is allowed to pass from the Juniper device to the NMS FTP server. The image version of the device is 15.1X49-D150.2. Do you believe it might be some kind of software bug perhaps? I have tried with different FTP servers but it is still unsuccessful.


  • 19.  RE: Automated configuration backup - SRX345

    Posted 06-02-2019 08:18
    This is definitely not a software issue. By any chance, are you putting the "~" sign in the command? If yes, then instead of "~" put the actual path, like "/home/user":

    root>file copy backup.conf scp://user@1.1.1.1:~/

    Apparently "~" isn't interpreted as the "HOME" directory in Junos the way it works in Linux. Let's try this.