Hi,
Recently we faced the need to do a fully automatic, scheduled backup of the configuration of several BlueCoat SG appliances as part of the Managed Security Services being provided to one of our customers.
Right now it is working OK and we have a daily backup with all the configuration.
As I think this approach could be helpful for you, I will write down all the required steps.
###############################################
STEP 1.- Unattended execution of BlueCoat SG commands.
###############################################
As the backup procedure is based on the execution of a BC command inside the CLI, we need a method for the unattended execution of this kind of command.
I've seen that some users of this forum recommend the use of plink (part of PuTTY). While this works, we found a cleaner solution: use the standard "ssh" command from a remote box. If you make the BlueCoat SG appliance trust the remote box's RSA public key, no keyboard input will be necessary.
You will need to complete 2 steps:
1) Create an ACL allowing the remote box to access the BlueCoat SG:
root@remote-box ~
$ ssh admin@10.10.191.70
admin@10.10.191.70's password:
BlueCoat>enable
Enable Password:
BlueCoat#config t
Enter configuration commands, one per line. End with CTRL-Z.
BlueCoat#(config)security allowed-access add 10.11.0.50 255.255.255.255
ok
BlueCoat#(config)exit
2) Import the RSA public key that the remote box will be using. This establishes an SSH trust relationship:
BlueCoat#config t
Enter configuration commands, one per line. End with CTRL-Z.
BlueCoat#(config)services
BlueCoat#(config services)ssh-console
BlueCoat#(config services ssh-console)view
Port: 22 IP: 0.0.0.0 Type: ssh-console
Properties: enabled
BlueCoat#(config services ssh-console)import client-key admin
Paste client key here, end with "..." (three periods)
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtzUP6xklmwNJtpx26fF/ ...
admin...
ok
BlueCoat#(config services ssh-console)exit
BlueCoat#(config services)exit
At this point the RSA key is associated with the "admin" user login and you are able to execute remote commands from the remote box:
remote-box# ssh -i $PRIVATE_IDENTITY admin@BlueCoat command
###############################################
STEP 2.- Entering enable mode and executing more commands
###############################################
Although we are now able to SSH in remotely and execute BlueCoat commands, the backup requires enable mode, so we would be blocked again.
Combining the SSH trust relationship with "here documents" (heredocs) in shell programming, we can log in to the BlueCoat, enter enable mode by supplying the password, and continue to run one command after another without user intervention. The problem is security, as the script contains a clear-text password.
Following the directions from forum user RedTrousers (viewtopic.php?t=905), here is the recommended backup command sequence (the same one BlueCoat Director uses):
# enable
# (yourpassword)
# configure t
# line-vty
# length 0
# show version
# show status
# show configuration with-keyrings unencrypted
# length 80
# exit
# exit
# exit
###############################################
STEP 3.- Scheduling the backup
###############################################
On the remote box, schedule a periodic task (via crontab, /etc/cron.daily/, etc.) and you will have periodic backups without any intervention. All the work is done only once, and then you can stop worrying about backing up your BlueCoat configuration data, as it will be in a known external location, ready for restoration.
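Putting the three steps together, here is an added example of the cron-driven backup script (my own code, not part of the original post or of any BlueCoat tooling). It feeds the Step 2 command sequence to the appliance over the key-based SSH session from Step 1 via a here document. To address the clear-text password problem, the enable password is read from a root-only file (mode 0600) instead of being written into the script, and the script refuses to run if that file is readable by others. The host address 10.10.191.70 and user "admin" come from the post; the identity file path, the password file path and the backup directory are placeholders, and the transport command is a parameter of run_backup so the function can be exercised with a stand-in such as cat. Because "show configuration with-keyrings unencrypted" dumps private keys, the output file is created owner-only, and StrictHostKeyChecking=yes is set so the appliance's host key must already be in known_hosts.

```shell
#!/bin/sh
# Unattended BlueCoat SG configuration backup over key-based SSH.
# Added example; the paths below are placeholders, not values from the post.
set -eu

BC_HOST="${BC_HOST:-10.10.191.70}"                          # appliance (from the post)
BC_USER="${BC_USER:-admin}"                                  # user the imported RSA key maps to
BC_IDENTITY="${BC_IDENTITY:-/root/.ssh/bluecoat_rsa}"        # placeholder private key path
BC_ENABLE_FILE="${BC_ENABLE_FILE:-/etc/bluecoat/enable.pw}"  # placeholder, must be mode 0600
BACKUP_DIR="${BACKUP_DIR:-/var/backups/bluecoat}"            # placeholder backup location

# Emit the Step 2 command sequence. The enable password is passed in from a
# root-only file, so it never appears in the script or in the process list.
bc_commands() {
    enable_pw="$1"
    cat <<EOF
enable
$enable_pw
configure t
line-vty
length 0
show version
show status
show configuration with-keyrings unencrypted
length 80
exit
exit
exit
EOF
}

# Refuse to run if the password file is readable by anyone but its owner.
check_secret_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Run one backup. $1 is the transport command (ssh in production); it is a
# parameter so the function can be tested with a stand-in command.
run_backup() {
    transport="$1"
    enable_pw="$2"
    out="$3"
    umask 077   # the output contains unencrypted keyrings: owner-only file
    bc_commands "$enable_pw" | $transport > "$out"
    [ -s "$out" ]   # fail the cron job if nothing came back
}

main() {
    check_secret_perms "$BC_ENABLE_FILE"
    enable_pw=$(cat "$BC_ENABLE_FILE")
    mkdir -p "$BACKUP_DIR"
    out="$BACKUP_DIR/$BC_HOST-$(date +%Y%m%d).cfg"
    # BatchMode=yes: never prompt; StrictHostKeyChecking=yes: host key must be in known_hosts
    run_backup "ssh -i $BC_IDENTITY -o BatchMode=yes -o StrictHostKeyChecking=yes $BC_USER@$BC_HOST" \
        "$enable_pw" "$out"
    echo "backup written to $out"
}

case "${1:-}" in run) main ;; esac
```

Install the script as root with mode 0700 and add a crontab entry such as `0 2 * * * /usr/local/sbin/bluecoat-backup.sh run` (the path is a placeholder). The appliance's host key has to be accepted once interactively (as in the Step 1 session) before the strict setting will let the cron job connect.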
