Introduction
This document describes how to use batch commands in order to save the configuration from an appliance in a Cisco Email Security Appliance (ESA) cluster. This can be used on all versions of AsyncOS for ESA.
Prior to AsyncOS version 8.5, a clustered appliance could not save a configuration usable for restoring the configuration to a Cisco ESA. In order to obtain a usable configuration from the appliance, you had to remove the appliance from the cluster and save the configuration as a standalone appliance.
Prerequisites
Note: This document is a proof of concept and is provided as an example basis. While these steps have been tested successfully, this document is primarily for demonstration and illustration purposes. Custom scripts are outside the scope and supportability of Cisco. The Cisco Technical Assistance Center will not write, update, or troubleshoot custom external scripts at any time. Before you attempt to build any script, make sure you have the scripting knowledge required to build the final script.
Gather the following information from the ESAs in the cluster:
- IP address and/or hostname
- Cluster name
- Cluster group name (if applicable)
Refer to the CLI Reference Guide for your version of Email Security AsyncOS, because there are CLI batch command changes that depend on the revision the ESA runs.
Read and understand the following technote:
Automate or Script Configuration File Backups of Appliances in a Cluster
For AsyncOS versions earlier than 8.5, when you attempt to save the configuration in a cluster with the saveconfig or mailconfig command, the ESA generates this warning:
WARNING: Clustered machines do not support loadconfig. Your configuration file has
complete data for the entire cluster, but cannot be used to restore a configuration.
In AsyncOS version 8.5 and later, the saved configuration contains both the machine-level configuration and the cluster configuration. This is described in detail in the User Guide for version 8.5 and later; refer to the End User Guide for complete details.
It is not necessary to back up the configuration of every appliance in a cluster. However, there might be multiple clusters in the network, with multiple groups configured for each cluster. Removing each appliance from the cluster, saving the configuration manually, and then rejoining the cluster is very tedious.
The following commands can be used in order to log in to the ESA, remove the ESA from the cluster, save or mail the configuration, and then rejoin the cluster.
To begin, you must know the machine name and serial number of the ESAs in the cluster, as well as the group name. Enter clusterconfig list in the CLI in order to obtain this information:
(Cluster ESA1_ESA2)> clusterconfig list
Cluster esaA_esaB
=====================
Group Main_Group:
Machine ESA1.local (Serial #: 0000E878109A-G091111)
Machine ESA2.local (Serial #: 0000E878525D-9091111)
To remove an appliance from the cluster, use the clusterconfig removemachine <machine name> command:
(Cluster ESA1_ESA2)> clusterconfig removemachine ESA1.local
Please wait, this operation may take a minute...
Machine ESA1.local removed from the cluster.
Use the saveconfig command in order to save the configuration on the appliance with the password unmasked. As noted previously, "Files with masked passwords cannot be loaded using loadconfig command." Therefore, be sure to enter N when prompted:
ESA1.local> saveconfig
Do you want to mask the password? Files with masked passwords cannot be loaded
using loadconfig command. [Y]> n
File written on machine "esaA.local" to the location
"/configuration/C100V-0000E878109A-G091111-20140909T184724.xml".
Configuration saved.
Alternatively, use mailconfig in order to send the configuration by email to a valid email recipient. As noted previously, "Files with masked passwords cannot be loaded using loadconfig command." Therefore, be sure to enter N when prompted:
ESA1.local> mailconfig
Please enter the email address to which you want to send the configuration file.
Separate multiple addresses with commas.
[]> joe@example.com
Do you want to mask the password? Files with masked passwords cannot be loaded
using loadconfig command. [Y]> n
The configuration file has been sent to joe@example.com.
Finally, use the clusterconfig batch command in order to join the appliance back into the cluster:
clusterconfig join [--port=xx] <ip_of_remote_cluster> <admin_username> <admin_password> <groupname>
Continuing with the previous example, this is run with the following command:
esaA.local> clusterconfig join --port=22 172.16.6.161 admin ironport Main_Group
Joining a cluster takes effect immediately, there is no need to commit.
(Cluster ESA1_ESA2)>
You will see the command prompt automatically change to the cluster-level name, as shown in the previous example as "(Cluster ESA1_ESA2)>".
Advanced Automated or Scripted Configuration File Backup
From an external host (UNIX/Linux/OS X), you can script the previous commands.
The following example shows the complete scripted process, which assumes the cluster is reachable via Secure Shell (SSH) on port 22:
#! /bin/bash
#
# Script to save the ESA config, then copy locally via SCP. This is assuming you wish to
# have the cluster in SSH via port 22. This script has been written and tested against
# AsyncOS 9.0.0-390 (01/15/2014).
#
# *NOTE* This script is a proof-of-concept and provided as an example basis. While these steps have
# been successfully tested, this script is for demonstration and illustration purposes. Custom
# scripts are outside of the scope and supportability of Cisco. Cisco Technical Assistance will
# not write, update, or troubleshoot custom external scripts at any time.
#
# <SCRIPT>
#
# $HOSTNAME & $HOSTNAME2 can be either the FQDN or IP address of the ESAs in cluster.
# Replace every bracketed placeholder below with your own value before running.
#
HOSTNAME="[IP/HOSTNAME ESA1]"
HOSTNAME2="[IP/HOSTNAME ESA2]"
#
# $MACHINENAME is the local name for ESA1.
#
MACHINENAME="[MACHINENAME AS LISTED FROM 'clusterconfig list']"
#
# $USERNAME assumes that you have preconfigured SSH key from this host to your ESA.
# http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118305-technote-esa-00.html
#
USERNAME=admin
#
# $BACKUP_PATH is the directory location on the local system.
#
BACKUP_PATH="[/local/path/as/desired]"
#
# Following will remove ESA1 from cluster in order to backup standalone config.
# "2> /dev/null" at the end of string will quiet any additional output of the clustermode command.
#
echo "|=== PHASE 1 ===| REMOVING $MACHINENAME FROM CLUSTER"
ssh $USERNAME@$HOSTNAME "clustermode cluster; clusterconfig removemachine $MACHINENAME" 2> /dev/null
#
# $FILENAME contains the actual script that calls the ESA, issues the 'saveconfig' command.
# The rest of the string is the cleanup action to reflect only the <model>-<serial number>-<timestamp>.xml.
#
echo "|=== PHASE 2 ===| BACKUP CONFIGURATION ON ESA"
FILENAME=`ssh -q $USERNAME@$HOSTNAME "saveconfig y 1" | grep xml | sed -e 's/\/configuration\///g' | sed 's/\.$//g' | tr -d "\""`
#
# The 'scp' command will secure copy the $FILENAME from the ESA to specified backup path, as entered above.
# The -q option for 'scp' will disable the copy meter/progress bar.
#
echo "|=== PHASE 3 ===| COPY XML FROM ESA TO LOCAL"
scp -q $USERNAME@$HOSTNAME:/configuration/$FILENAME $BACKUP_PATH
#
# Following will re-add ESA1 back into cluster.
# Note that the admin password used for the join ("ironport" here) is stored in clear text in this script.
#
echo "|=== PHASE 4 ===| ADDING $MACHINENAME BACK TO CLUSTER"
ssh $USERNAME@$HOSTNAME "clusterconfig join $HOSTNAME2 admin ironport Main_Group" 2> /dev/null
#
echo "|=== COMPLETE ===| $FILENAME successfully saved to $BACKUP_PATH"
#
# </SCRIPT>
#
The following is a breakdown of the key commands embedded in the script:
- Remove ESA1 from the cluster:
ssh $USERNAME@$HOSTNAME "clustermode cluster; clusterconfig removemachine $MACHINENAME" 2> /dev/null
- Save the standalone configuration file and capture its name:
FILENAME=`ssh -q $USERNAME@$HOSTNAME "saveconfig y 1" | grep xml | sed -e 's/\/configuration\///g' | sed 's/\.$//g' | tr -d "\""`
- Copy the XML from ESA1 to the local host:
scp -q $USERNAME@$HOSTNAME:/configuration/$FILENAME $BACKUP_PATH
- Join ESA1 back into the cluster:
ssh $USERNAME@$HOSTNAME "clusterconfig join $HOSTNAME2 admin ironport Main_Group" 2> /dev/null
A complete run of the script should produce the following result:
my_host$ ./cluster_backup
|=== PHASE 1 ===| REMOVING ESA1.local FROM CLUSTER
Please wait, this operation may take a minute...
Machine ESA1.local removed from the cluster.
|=== PHASE 2 ===| BACKUP CONFIGURATION ON ESA
|=== PHASE 3 ===| COPY XML FROM ESA TO LOCAL
|=== PHASE 4 ===| ADDING ESA1.local BACK TO CLUSTER
Joining a cluster takes effect immediately, there is no need to commit.
|=== COMPLETE ===| C100V-0000E878109A-G091111-20150116T192955.xml successfully saved to /Users/saved_esa_configurations/
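A hardened variant of the same remove/save/copy/rejoin flow, added here as an example and not part of Cisco's technote: the join password is read from an environment variable instead of being written into the script, the rejoin runs from an EXIT trap so a failed scp cannot leave the ESA standalone, and the rejoin is verified against clusterconfig list. It assumes SSH key authentication to the ESA is already configured; the hostnames, machine name, group and backup directory are placeholders, while the 'saveconfig y 1' batch form and the output formats of saveconfig and clusterconfig list are taken from this page.

```shell
#!/bin/bash
# Added example, not Cisco's script: hardened variant of the backup flow above.
# Assumes SSH key auth to the ESA; ESA_JOIN_PASSWORD must be set in the environment.
set -u

# Pull the config filename out of saveconfig's output, which contains a line like
#   "/configuration/C100V-0000E878109A-G091111-20140909T184724.xml".
# Prints the bare filename; exits non-zero if no .xml path was found.
extract_config_filename() {
    sed -n 's#.*"/configuration/\([^"]*\.xml\)".*#\1#p' | head -n 1 | grep .
}

# Rejoin the cluster and confirm the machine is listed again; warn loudly if not.
rejoin_cluster() {   # <user@esa1> <machine name> <peer ESA> <group>
    ssh "$1" "clusterconfig join $3 admin $ESA_JOIN_PASSWORD $4" 2>/dev/null
    if ssh "$1" "clusterconfig list" 2>/dev/null | grep -q "Machine $2"; then
        echo "$2 is back in the cluster"
    else
        echo "WARNING: $2 not listed after rejoin; check the cluster manually" >&2
    fi
}

backup_cluster_member() {   # <user@esa1> <machine name> <peer ESA> <group> <local dir>
    local target=$1 machine=$2 peer=$3 group=$4 dest=$5 filename
    : "${ESA_JOIN_PASSWORD:?set ESA_JOIN_PASSWORD in the environment, not in the script}"
    ssh "$target" "clustermode cluster; clusterconfig removemachine $machine" 2>/dev/null \
        || { echo "could not remove $machine from the cluster" >&2; return 1; }
    # From here on the ESA is standalone: guarantee the rejoin however the script exits.
    # (Arguments are expanded now, since the locals are gone by the time the trap runs.)
    trap "rejoin_cluster '$target' '$machine' '$peer' '$group'" EXIT
    filename=$(ssh -q "$target" "saveconfig y 1" | extract_config_filename) \
        || { echo "saveconfig output contained no .xml filename" >&2; return 1; }
    scp -q "$target:/configuration/$filename" "$dest/" \
        || { echo "scp of $filename failed" >&2; return 1; }
    echo "$filename saved to $dest"
}

# Run the flow only when invoked with all five arguments (placeholder values shown), e.g.
#   ESA_JOIN_PASSWORD=... ./cluster_backup admin@esa1.example.com ESA1.local esa2.example.com Main_Group /backups
if [ "$#" -eq 5 ]; then
    backup_cluster_member "$@"
fi
```

The join password still travels inside the remote command string, exactly as in the page's script; keeping it out of the script body only stops it from being committed or backed up alongside the code.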
Related Information