Cisco PIX Config Backup Utility
**** UPDATE (12/30/07)****
For the past year or more I’ve been using RANCID (Really Awesome New Cisco confIg Differ). I found this tool and discovered it was much more complex than what I wrote. It allows the ability to view the latest configs via a web portal (after removing the passwords of course). And it also allows me to integrate with my implementation of Syslog-NG and SEC so that if someone makes a configuration change, once I see the syslog entry, I execute a script to call RANCID.
I highly recommend the use of RANCID.
*************************
This perl script will connect to a Cisco PIX via SSH and back up the configuration to a common server. After receiving the new configuration file, there is an option to create an MD5 hash of the config file. The backup user account will not be able to do anything except show the configuration.
The perl script itself has documentation on how to properly configure the PIX in order to ensure that the PIX backup account can only show the running-config. This should only be run from a secured server where the account cannot be compromised. As shown in the script, the backup account will pull the whole config, except for the lines containing the enable passwords. I believe the “exclude” statement will only work with PIX version 6.3 and above. Note that if the script is modified, a user could retrieve the lines containing the passwords.
The script reads through a newline-delimited file for hosts to connect to. If a host line is commented out with a pound sign (#), it is ignored. An example firewall host file can be seen here. The perl script can be viewed here.
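The server-side half of the workflow described above (host-list parsing, keeping password lines out of the saved file, and the MD5 hash used to notice changes between runs), as an added example in Python. This is not the perl script from this page; the SSH session that retrieves the configuration is left out, and `raw_config` stands for whatever text that session returned. The password-line keywords (`enable password ... encrypted` and `passwd ... encrypted`), the host names and the configuration text are constructed assumptions, not real devices or credentials.

```python
"""
Server-side helpers for a PIX config backup job:
  - read a newline-delimited host list, ignoring '#' comment lines,
  - scrub any password lines from the retrieved running-config before it
    is written to disk (defence in depth behind the device-side filter),
  - record an MD5 hash of the saved text so later runs can detect changes.
"""
import hashlib
import re

# Assumed PIX 6.x password-line syntax.  The device-side "| exclude" filter
# is the first control; this keeps a secret out of the backup file if that
# filter was bypassed (e.g. by a modified script).
PASSWORD_LINE = re.compile(r"^\s*(enable\s+password|passwd)\b", re.IGNORECASE)


def parse_hosts(text):
    """Return the firewall hosts from a newline-delimited list.

    Blank lines and lines whose first non-blank character is '#' are
    skipped; anything after an inline '#' is treated as a comment.
    """
    hosts = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            hosts.append(entry)
    return hosts


def scrub_config(raw_config):
    """Drop password lines; return (clean_text, number_of_lines_removed)."""
    kept, removed = [], 0
    for line in raw_config.splitlines():
        if PASSWORD_LINE.match(line):
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept), removed


def hash_config(text):
    """MD5 hex digest of the config text.

    Good enough for noticing that a file changed between runs; it is not a
    tamper-evidence control, so store the digest where the backup account
    cannot write.
    """
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def backup_record(host, raw_config, previous_hash=None):
    """Build the record one backup run would store for a single firewall."""
    clean, removed = scrub_config(raw_config)
    digest = hash_config(clean)
    return {
        "host": host,
        "config": clean,
        "md5": digest,
        # > 0 means the device returned secrets the "exclude" filter should
        # have dropped: worth alerting on, not just scrubbing silently.
        "password_lines_removed": removed,
        "changed": previous_hash is not None and previous_hash != digest,
    }


# Constructed sample input (not real devices, hashes or credentials).
SAMPLE_HOSTS = """\
# firewalls to back up, one per line
pix-edge.example.net
#pix-lab.example.net   # decommissioned
pix-dmz.example.net    # DMZ pair, primary
"""

SAMPLE_CONFIG = """\
: Saved
PIX Version 6.3(5)
hostname pix-edge
enable password PLACEHOLDER_HASH encrypted
passwd PLACEHOLDER_HASH encrypted
names
access-list outside_in deny ip any any
"""

if __name__ == "__main__":
    for host in parse_hosts(SAMPLE_HOSTS):
        rec = backup_record(host, SAMPLE_CONFIG)
        print(host, rec["md5"], "password lines removed:",
              rec["password_lines_removed"])
```

On a real run, `previous_hash` would be read from the record stored by the last backup; a non-zero `password_lines_removed` is the signal that the device-side account restriction described above is no longer holding and should be treated as an alert rather than a cosmetic fix.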
If you have any suggestions for improvements to the code or security, please let me know. I feel that this script is important in helping maintain backups of firewall configurations, but I do not want to lose the security of maintaining a safe, uncompromised configuration.
If you have questions, you can email me at {sawall -[at]- gmail -[dot]- com}.
Version Information
Last updated 12/30/07.