■Automate Fortigate-80C backups with scp and cron.
The syslog setup used to verify the backups is described below.
If you use FortiAnalyzer, a "warning" is raised at backup time.
Because it is warning level, an e-mail notification is also sent.
Forwarding Fortigate-80C logs to rsyslog on Debian Wheezy:
http://labunix.hateblo.jp/entry/20150226/1424960541
■By default, scp is disabled.
admin-scp : disable
■In an environment where only ssh has been enabled, scp fails with a "501".
$ scp admin@172.31.31.251:sys_config .
admin@172.31.31.251's password:
501-Permission Denied
$ echo 'show system interface internal' | ssh -T admin@172.31.31.251 | \
sed s/".*# "//g | grep -v "^\$"
config system interface
edit "internal"
set vdom "root"
set ip 172.31.31.251 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set description "Internal"
set snmp-index 1
next
end
■Enable scp.
$ echo 'show system global
config system global
set admin-scp enable
end
show system global' | ssh -T admin@172.31.31.251 | \
sed s/".*# "//g | grep -v "^\$"
config system global
set fgd-alert-subscription advisory latest-threat
set gui-application-control disable
set gui-central-nat-table enable
set gui-dlp disable
set gui-endpoint-control disable
set gui-explicit-proxy disable
set gui-local-in-policy enable
set gui-vpn disable
set gui-vulnerability-scan disable
set gui-webfilter disable
set gui-wireless-controller disable
set hostname "FGT-UTM"
set language japanese
set timezone 60
end
config system global
set admin-scp enable
set fgd-alert-subscription advisory latest-threat
set gui-application-control disable
set gui-central-nat-table enable
set gui-dlp disable
set gui-endpoint-control disable
set gui-explicit-proxy disable
set gui-local-in-policy enable
set gui-vpn disable
set gui-vulnerability-scan disable
set gui-webfilter disable
set gui-wireless-controller disable
set hostname "FGT-UTM"
set language japanese
set timezone 60
end
■scp succeeds.
$ scp admin@172.31.31.251:sys_config .
admin@172.31.31.251's password:
sys_config 100% 82KB 82.4KB/s 00:01
$ head -4 sys_config
■Disable scp.
$ echo 'show system global
config system global
set admin-scp disable
end
show system global' | ssh -T admin@172.31.31.251 | \
sed s/".*# "//g | grep -v "^\$"
admin@172.31.31.251's password:
config system global
set admin-scp enable
set fgd-alert-subscription advisory latest-threat
set gui-application-control disable
set gui-central-nat-table enable
set gui-dlp disable
set gui-endpoint-control disable
set gui-explicit-proxy disable
set gui-local-in-policy enable
set gui-vpn disable
set gui-vulnerability-scan disable
set gui-webfilter disable
set gui-wireless-controller disable
set hostname "FGT-UTM"
set language japanese
set timezone 60
end
config system global
set fgd-alert-subscription advisory latest-threat
set gui-application-control disable
set gui-central-nat-table enable
set gui-dlp disable
set gui-endpoint-control disable
set gui-explicit-proxy disable
set gui-local-in-policy enable
set gui-vpn disable
set gui-vulnerability-scan disable
set gui-webfilter disable
set gui-wireless-controller disable
set hostname "FGT-UTM"
set language japanese
set timezone 60
end
■scp fails.
$ scp admin@172.31.31.251:sys_config .
admin@172.31.31.251's password:
501-Permission Denied
■Register the ssh public key on the Fortigate.
$ echo 'config system admin
edit labunix
set accprofile prof_admin
set ssh-public-key1 "'`cat .ssh/id_rsa.pub | awk '{print $1,$2}'`'"
end' | ssh -T admin@172.31.31.251
■Re-enable scp and back up without a password
$ scp labunix@172.31.31.251:sys_config .
sys_config 100% 83KB 41.4KB/s 00:02
■Turning it into a script...
$ cat fortigate_backup.sh
#!/bin/bash
FUSER=labunix
FGTIP=172.31.31.251
scp ${FUSER}@${FGTIP}:sys_config \
/home/${FUSER}/fortigate80c_`date '+%Y%m%d'`.log
$ chmod +x fortigate_backup.sh
$ ./fortigate_backup.sh
sys_config 100% 83KB 41.4KB/s 00:02
■Check the syslog.
The event is logged with "level=warning".
$ sudo tail -n 1000 /var/log/Fortigate-80C.log | grep backup | \
sed s/"devid=[A-Z0-9]* "/"devid=FGT80CXXXXXXXXX "/g | \
sed s/" action=\| logid="/"\n&"/g
Feb 28 23:25:02 172.31.31.251 date=2015-02-28 time=23:25:02 devname=FGT-UTM devid=FGT80CXXXXXXXXX
logid=0100032142 type=event subtype=system level=warning vd="root" user="admin" ui="sshd"
action=backup msg="User admin backed up the configuration by SCP"
■Switching to a read-only profile...
$ echo 'show system accprofile' | \
ssh -T admin@172.31.31.251 | \
sed s/".* # \|-write"//g | \
sed s/"prof_admin"/"read_backup"/
admin@172.31.31.251's password:
config system accprofile
edit "read_backup"
set admingrp read
set authgrp read
set endpoint-control-grp read
set fwgrp read
set loggrp read
set mntgrp read
set netgrp read
set routegrp read
set sysgrp read
set updategrp read
set utmgrp read
set vpngrp read
set wanoptgrp read
set wifi read
next
end
■Create the profile and apply it
$ echo 'config system accprofile
edit "read_backup"
set admingrp read
set authgrp read
set endpoint-control-grp read
set fwgrp read
set loggrp read
set mntgrp read
set netgrp read
set routegrp read
set sysgrp read
set updategrp read
set utmgrp read
set vpngrp read
set wanoptgrp read
set wifi read
next
end
config system admin
edit labunix
set accprofile "read_backup"
next
end' | ssh -T admin@172.31.31.251
■Register it in cron...
※Do not send mail notifications from cron.
$ crontab -l | grep "fortigate\|MAILTO"
MAILTO=""
28 0 * * * /bin/bash /home/labunix/myscripts/fortigate_backup.sh
■Verify that cron ran
$ sudo grep CRON /var/log/syslog | tail -1 | awk -F\( '{print $NF}' | tr -d ')'
/bin/bash /home/labunix/myscripts/fortigate_backup.sh
$ sudo tail -3 /var/log/Fortigate-80C.log | grep backup | \
sed s/"devid=[A-Z0-9]* "/"devid=FGT80CXXXXXXXXX "/g | \
sed s/" action=\| logid="/"\n&"/g
Mar 1 00:28:03 172.31.31.251 date=2015-03-01 time=00:28:03 devname=FGT-UTM devid=FGT80CXXXXXXXXX
logid=0100032142 type=event subtype=system level=warning vd="root" user="labunix" ui="sshd"
action=backup msg="User labunix backed up the configuration by SCP"
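A hardened variant of the backup script, the syslog check and the cron job above, written here as an added example (it is not the author's fortigate_backup.sh). It assumes a dedicated key ~/.ssh/fgt_backup is the one registered as ssh-public-key1 for the read-only "labunix" admin, that the Fortigate host key was added to ~/.ssh/known_hosts beforehand, and the /var/log/Fortigate-80C.log file the page tails.

```shell
#!/bin/sh
# Hardened version of the page's fortigate_backup.sh (added example, not the author's script).
# Assumptions not taken from the page: ~/.ssh/fgt_backup is the key registered for the
# read-only "labunix" admin, and the Fortigate's host key is already in known_hosts so
# StrictHostKeyChecking=yes can never prompt from cron.
FUSER=${FUSER:-labunix}
FGTIP=${FGTIP:-172.31.31.251}
BACKUP_DIR=${BACKUP_DIR:-/home/$FUSER/fgt-backups}
FGT_LOG=${FGT_LOG:-/var/log/Fortigate-80C.log}   # rsyslog file used on the page
KEEP_DAYS=${KEEP_DAYS:-30}

# Returns 0 when log file $1 holds the Fortigate "action=backup" event (level=warning)
# for user $2 on date $3 (YYYY-MM-DD), i.e. the line the page greps for after each run.
backup_logged() {
  grep -q "date=$3 .*level=warning .*user=\"$2\" .*action=backup" "$1"
}

# Fetch sys_config without any interactive prompt: a missing key, a wrong passphrase
# or an unknown/changed host key makes scp fail instead of hanging the cron job.
fetch_config() {
  scp -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
      -i "$HOME/.ssh/fgt_backup" "${FUSER}@${FGTIP}:sys_config" "$1"
}

# Delete backups in directory $1 older than KEEP_DAYS and print how many were removed.
prune_old() {
  find "$1" -maxdepth 1 -name 'fortigate80c_*.conf' -mtime +"$KEEP_DAYS" \
       -print -delete | wc -l | tr -d ' '
}

main() {
  umask 077                       # sys_config contains credentials: owner-only files
  mkdir -p "$BACKUP_DIR"
  out="$BACKUP_DIR/fortigate80c_$(date '+%Y%m%d').conf"
  if ! fetch_config "$out"; then
    logger -t fgt-backup -p user.err "scp from $FGTIP failed"
    exit 1
  fi
  # Cross-check with the device's own log line (it may lag a second behind the scp).
  if ! backup_logged "$FGT_LOG" "$FUSER" "$(date '+%Y-%m-%d')"; then
    logger -t fgt-backup -p user.warning "no backup event from $FGTIP in $FGT_LOG"
  fi
  prune_old "$BACKUP_DIR" >/dev/null
}

# Run main only when invoked as the script itself, so the functions can also be sourced.
case "$0" in *fortigate_backup.sh) main "$@" ;; esac
```

Failures now reach /var/log/syslog through logger, which matters because the crontab above sets MAILTO="" and would otherwise hide a silently failing job.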