Retrieval of configs via http #1287
Comments
|
Absolutely. You only need to create http.rb in the input directory and then have Unsure how to model, but one way would be same as tftp/ftp where I'm kinda surprised this hasn't come up. |
|
This has come up in a slightly different shape and was attempted in a limited fashion in #1110 and previously in #1103 (originally from #440). An HTTP input would allow elegantly closing those as well, although PanOS specifically also seems to require the ability to deal with some XML. HTTP authentication rituals vary wildly across devices (static tokens, cookies, OAuth, basic auth, ...) and some consideration may be required on what belongs in the input vs. in the model to make this particular input most flexible. |
|
I doubt that the generic use case/support will support the PanOS case. The PanOS case won't be satisfied with model doing HTTP GET for |
|
If someone gives me access to device with HTTP, I can write the model. |
|
It's hard to give access to a device like that with all the security implication. On my side, I'm backing the Palo Alto devices with a bash script using this method: curl -s --insecure --request POST 'https://<HOSTNAME>/api/?type=export' --data 'key=<APIKEY>=&category=configuration' | xmllint -format -> $BACKUPDIR/latest_firewall.xmlI don't know if it can help... |
|
You don't have spare Cambium you can put online without any sensitive information? It's either that or produce the model yourself. :) |
|
@ytti I had originally planned on doing it myself but time never seems to allow. Usually I do that kind of thing at night but my little one has been staying up later. I believe that we have a lab unit...unless someone decided to "borrow" it for production use. I will ask around today and see if management is OK with putting it online then factory-defaulting it afterwards. Paranoia. How long do you think that you would need it for? Any chance that you will be coming from a specific IP or set of IPs so we could restrict access(shouldn't really matter, but might make some people here happier)? |
|
I would need it for day, but I can't tell which day. Two weeks should be safe. With good luck next weekend will work. I'd come from 91.198.120.0/24. |
|
They opted to throw this off of an ONT in one of our public subnets for subscribers. Password protection. Is there a way to send you the IP, username, and password since GitHub removed its messenger functionality? |
|
To retrieve a config via http, the URL is http://DEVICE_IP/canopy_config.cgi |
|
You can use email to saku@ytti.fi, if you want encryption keybase has my key. |
|
@ytti First, many thanks for working on this. It works, which is awesome. Because I had issues installing mechanize on the usual box with the CentOS-approved version of ruby installed, I created a new VM where I installed 2.4.2 with mechanize 2.7.5. That meant:
had to become:
Perhaps a bit off topic, but which version of Ruby and Mechanize should I use? |
|
I'm going to bump this because i'd like to pull config's from HTTP on all types of Cambium devices, they all handle things a bit differently. ePMP series do not have a fixed URL for the config file (as far as i'm aware). The process with those is to login with username/password, then go to backup/restore section and click on download. This will store a JSON file The stupid thing with these devices is you can pull the config through SSH but it's in a totally different format, so you can't then just upload that to the web UI. Nor can you easily import those settings Am happy to provide a lab device to help with the config retrieval |
|
@ytti I can't get the included cambium.rb example to work either. I don't know what i'm missing or doing wrong I'm running CentOS7 and have run the following to install the latest version of Python, PIP and Mechanize I added the device in router.db as type cambium along with username and password. I just get 3 failures then it gives up. I've tried this on a number of Cambium PMP devices and they all fail. What else do I need to do? Here's the full output from Oxidized -d
|
|
Just chiming in as another Palo Alto user. Currently doing a curl GET (G) against the following firewall API with a generated API key, then running it through xmllint and dumping it into the Oxidized configs directory. curl -skG "https://palofirewall1.foobar.com/api/?type=export&category=configuration&key=<>" | xmllint -format -> /root/.config/oxidized/configs/palofirewall1config.xml |
Would http as a method of config retrieval be a valid addition to Oxidized?
This came up recently for us with a Cambium PMP 450i AP. These are master radios for fixed wireless service. There are only two ways to pull their configs: via http or by first signing in via telnet to generate the config file and then signing in by ftp to download it. http seems the simpler option.
The text was updated successfully, but these errors were encountered: