labunix's blog

labunixのラボUnix

Fortigate-80Cのバックアップをscpとcronで自動化する。

■Fortigate-80Cのバックアップをscpとcronで自動化する。
 確認するためのsyslogについては以下。
 FortiAnalyzerを使用しているなら、バックアップ時に「警告」が出る。
 警告レベルなので、メール通知も来る。

 Fortigate-80CのログをDebian Wheezyのrsyslogに転送してみる。
 http://labunix.hateblo.jp/entry/20150226/1424960541

■デフォルトではscpは無効。

# get system global | grep scp
admin-scp           : disable 

■単純にsshを有効にした環境では「501」で出来ない。

$ scp admin@172.31.31.251:sys_config .
admin@172.31.31.251s password: 
501-Permission Denied

$ echo 'show system interface internal' | ssh -T admin@172.31.31.251 \
  sed s/".*# "//g | grep -v "^\$"
config system interface
    edit "internal"
        set vdom "root"
        set ip 172.31.31.251 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set description "Internal"
        set snmp-index 1
    next
end

■scpを有効にする。

$ echo 'show system global
config system global
  set admin-scp enable
  end
show system global' | ssh -T admin@172.31.31.251 | \
  sed s/".*# "//g | grep -v "^\$"
config system global
    set fgd-alert-subscription advisory latest-threat
    set gui-application-control disable
    set gui-central-nat-table enable
    set gui-dlp disable
    set gui-endpoint-control disable
    set gui-explicit-proxy disable
    set gui-local-in-policy enable
    set gui-vpn disable
    set gui-vulnerability-scan disable
    set gui-webfilter disable
    set gui-wireless-controller disable
    set hostname "FGT-UTM"
    set language japanese
    set timezone 60
end
config system global
    set admin-scp enable
    set fgd-alert-subscription advisory latest-threat
    set gui-application-control disable
    set gui-central-nat-table enable
    set gui-dlp disable
    set gui-endpoint-control disable
    set gui-explicit-proxy disable
    set gui-local-in-policy enable
    set gui-vpn disable
    set gui-vulnerability-scan disable
    set gui-webfilter disable
    set gui-wireless-controller disable
    set hostname "FGT-UTM"
    set language japanese
    set timezone 60
end

■scpが成功。

$ scp admin@172.31.31.251:sys_config .
admin@172.31.31.251s password: 
sys_config                                    100%   82KB  82.4KB/s   00:01    

$ head -4 sys_config 
#config-version=FGT80C-5.00-FW-build252-131031:opmode=0:vdom=0:user=admin
#conf_file_ver=12384294209920742553
#buildno=0252
#global_vdom=1

■scpを無効にする。

$ echo 'show system global
config system global
  set admin-scp disable
  end
show system global' | ssh -T admin@172.31.31.251 | \
  sed s/".*# "//g | grep -v "^\$"
admin@172.31.31.251s password: 
config system global
    set admin-scp enable
    set fgd-alert-subscription advisory latest-threat
    set gui-application-control disable
    set gui-central-nat-table enable
    set gui-dlp disable
    set gui-endpoint-control disable
    set gui-explicit-proxy disable
    set gui-local-in-policy enable
    set gui-vpn disable
    set gui-vulnerability-scan disable
    set gui-webfilter disable
    set gui-wireless-controller disable
    set hostname "FGT-UTM"
    set language japanese
    set timezone 60
end
config system global
    set fgd-alert-subscription advisory latest-threat
    set gui-application-control disable
    set gui-central-nat-table enable
    set gui-dlp disable
    set gui-endpoint-control disable
    set gui-explicit-proxy disable
    set gui-local-in-policy enable
    set gui-vpn disable
    set gui-vulnerability-scan disable
    set gui-webfilter disable
    set gui-wireless-controller disable
    set hostname "FGT-UTM"
    set language japanese
    set timezone 60
end

■scpが失敗する。

$ scp admin@172.31.31.251:sys_config .
admin@172.31.31.251s password: 
501-Permission Denied

■sshの公開鍵をFortigateに登録する。

$ echo 'config system admin
edit labunix
set accprofile prof_admin
set ssh-public-key1 "'`cat .ssh/id_rsa.pub | awk '{print $1,$2}'`'"
end' | ssh -T admin@172.31.31.251

■再度scpを有効にして、パスワード無しでバックアップ

$ scp labunix@172.31.31.251:sys_config .
sys_config                                    100%   83KB  41.4KB/s   00:02    

■スクリプトにして。。。

$ cat fortigate_backup.sh 
#!/bin/bash

FUSER=labunix
FGTIP=172.31.31.251

scp ${FUSER}@${FGTIP}:sys_config \
  /home/${FUSER}/fortigate80c_`date '+%Y%m%d'`.log

$ chmod +x fortigate_backup.sh 
$ ./fortigate_backup.sh 
sys_config                                    100%   83KB  41.4KB/s   00:02

■syslogを確認。
 「level=warning」で出力される。

$ sudo tail -n 1000 /var/log/Fortigate-80C.log | grep backup | \
    sed s/"devid=[A-Z0-9]* "/"devid=FGT80CXXXXXXXXX "/g  | \
    sed s/" action=\| logid="/"\n&"/g
Feb 28 23:25:02 172.31.31.251 date=2015-02-28 time=23:25:02 devname=FGT-UTM devid=FGT80CXXXXXXXXX
 logid=0100032142 type=event subtype=system level=warning vd="root" user="admin" ui="sshd"
 action=backup msg="User admin backed up the configuration by SCP"

■リードオンリー権限に切り替えて。。。

$ echo 'show system accprofile' | \
    ssh -T admin@172.31.31.251 | \
    sed s/".* # \|-write"//g | \
    sed s/"prof_admin"/"read_bakup"/
admin@172.31.31.251s password: 
config system accprofile
    edit "read_backup"
        set admingrp read
        set authgrp read
        set endpoint-control-grp read
        set fwgrp read
        set loggrp read
        set mntgrp read
        set netgrp read
        set routegrp read
        set sysgrp read
        set updategrp read
        set utmgrp read
        set vpngrp read
        set wanoptgrp read
        set wifi read
    next
end

■プロファイルを作成して適用

$ echo 'config system accprofile
    edit "read_backup"
        set admingrp read
        set authgrp read 
        set endpoint-control-grp read
        set fwgrp read
        set loggrp read
        set mntgrp read
        set netgrp read
        set routegrp read
        set sysgrp read
        set updategrp read
        set utmgrp read
        set vpngrp read
        set wanoptgrp read
        set wifi read
    next
end
config system admin
     edit labunix
        set accprofile "read_backup"
    next
end' | ssh -T admin@172.31.31.251

■cronに登録して。。。
 ※CRONからはメール通知しない。

$ crontab -l | grep "fortigate\|MAILTO"
MAILTO=""
28 0 * * * /bin/bash /home/labunix/myscripts/fortigate_backup.sh

■CRON動作を確認

$ sudo grep CRON /var/log/syslog | tail -1 | awk -F\( '{print $NF}' | tr -d ')'
/bin/bash /home/labunix/myscripts/fortigate_backup.sh

$ sudo tail -3 /var/log/Fortigate-80C.log | grep backup | \
    sed s/"devid=[A-Z0-9]* "/"devid=FGT80CXXXXXXXXX "/g  | \
    sed s/" action=\| logid="/"\n&"/g
Mar  1 00:28:03 172.31.31.251 date=2015-03-01 time=00:28:03 devname=FGT-UTM devid=FGT80CXXXXXXXXX
 logid=0100032142 type=event subtype=system level=warning vd="root" user="labunix" ui="sshd"
 action=backup msg="User labunix backed up the configuration by SCP"