Cisco PIX Config Backup Utility

**** UPDATE (12/30/07)****
For the past year or more I’ve been using RANCID (Really Awesome New Cisco confIg Differ). I found this tool and discovered it was much more complex than what I wrote. It allows the ability to view the latest configs via a web portal (after removing the passwords of course). And it also allows me to integrate with my implementation of Syslog-NG and SEC so that if someone make a configuration change, once I see the syslog entry, I execute a script to call RANCID.

I highly recommend the use of RANCID.

This perl script will connect to a Cisco PIX via SSH and backup the configuration to a common server. After receiving the new configuration file, there is an option to create and MD5 hash of the config file. The backup user account will not be able to do anything except show the configuration.

The perl script itself has documentation on how to properly configure the PIX in order to ensure that the PIX backup account can only show the running-config. This should only be run from a secured server where the account cannot not compromised. As shown in the script, the backup account will pull the whole config, except for the lines containing the enable passwords. I believe the “exclude” statement will only work with PIX version 6.3 and above. Note that if the script is modified, a user could retrieve the lines containing the passwords.

The script reads through a return delimited file for hosts in which to connect. If the host is commented out with a pound sign (#), it is ignored. An example firewall host file can be seen here. The perl script can be viewed here.

If you have any suggestions for improvements to the code or security, please let me know. I feel that this script is important in helping maintain backups of firewall configurations, but I do not want to lose the security of maintaining a safe, uncompromised configuration.

If you have questions, you can email me at {sawall -[at]- gmail -[dot]- com}.

Version Information

Version 1.3**Update*
Because of the my use of RANCID now, I have stopped working on this.
Coming soon. With the introduction of PIX 7.0.1 code, the current version does not work properly unless you set the pager length to zero ahead of time. I am debating on whether to rewrite the code to accommodate both versions (6.x and 7.x) or just make another version that only handles version 7.x.

Version 1.2Changed method of checking for existence of the PIX configuration. Because of the way the Expect module is getting the config, it does not reliably return the same information every time. Sometimes it has an extra line or space at the beginning or end of the file. This made checking the MD5 hash very hard because even if the config did not change, the MD5 hash did. So now the script compares the PIX Crytpochecksum that is at the end of the PIX configuration. This checksum only changes when the config is modified and a “write memory” is performed. So far this has been very reliable.

Version 1.1Added functionality to recheck/connect to PIX to pull down config. The Expect module seems to prematurely exit every now and then. Also added ability to for existing PIX config with matching MD5 hashes. If hash is the same, then the config must be the same, so don’t create another copy of the config. Added function to delete PIX configs older than X number of days.

Version 1.0Created script to connect to a Cisco PIX via SSH, pull down config and store in a flat file. A MD5 hash is then created for each PIX config.

Last updated 12/30/07.