Backing-up PIX config to TFTP

My first post to the world of Security gurus.

Guys i have this pix 535 sec appliance and duno how to backup its configuration to the TFTP. The version of the firewall is 6.3(4). I'm using Solarwinds as my TFTP application.

TFTP is already prepared.

Here is the command i used in pix.

pix535FW(config)#tftp-server 10.1.1.1 /tftp/cisco/fw_config

To start copying to tftp i type this:

pix535FW(config)#write net :

The error is:

Building configuration...
TFTP write '/tftp/cisco/fw_config' at 10.1.1.1 on interface 1
TFTP error: File Open Error 3
[FAILED]

I'm not good in pix

, im new to it and im starting to learn its features. I need to backup the configuration before purging any policies in the near future. I also heard that my company is planning to migrate to fortinet box. Is there a program that can translate pix commands to fortinet commands?

Thanks.

Find more posts tagged with

Comments

sprkymrk

I don't see Fortinet listed as supported right now, but you might drop these guys an email asking if it will soon. I am not sure if this tool will do what you want, but it's worth a look-see.
http://www.kiwisyslog.com/cattools-info.php

GodHand

Hi sprkymrk,

Thanks for the post, this tool is nice. I emailed their tech support and see if they can help me.

I have two pix 535 and contains a lot of policies, may be 20-25 pages and this next quarter we're planning to migrate to Fortigate 1000. If i will configure this policies line by line in Fortigate, it will consume time. I worry about downtime because im on a mission critical environment.

If you have any suggestions...

sprkymrk

I ran into the same type of situation almost 3 years ago when I started my current job here. There was an existing (but unstable and poorly configured) Symantec Enterprise Firewall in place with no documentation that had been touched at times by 3-4 different admins who knew little about firewalls. We decided to migrate to an SGS 5440 appliance, but there was no way to import existing rules/config. I spent about 6 weeks combing over the existing firewall with a fine tooth comb making notes as I went and dumping half the config as it was wide open and conflicting rules existed. After that I configured the new firewall offline as much as possible, (about 2 weeks of configuring and testing) then brought it online on a weekend to test live. I had to repeat this process a couple of weekends in a row before bringing it online during production hours. Fortunately the planning paid off and there was no disruption to any critical operations.

GodHand

wow amazing... that was a real challenge. 6 weeks of combing is great.

may be this is also my time to comb with a fine tooth comb of notes

. i think i need to start now familiarizing rules and policies. this is a no joke project

. We are on a 24x7 operation and my boss wants me to do the trick in just a day.

amazing...

sprkymrk

Wow, good luck!

GodHand

Thanks bro.

forbesl

GodHand wrote:

Here is the command i used in pix.

pix535FW(config)#tftp-server 10.1.1.1 /tftp/cisco/fw_config

Open up your Solarwinds TFTP server:

Click on "File", then "Configure" and select the directory you want your files placed in under the "TFTP Root Directory" tab. Click OK.

Leave the TFTP server up.

Go to your pix and type in "tftp-server <IP address where your TFTP server software resides> /(specify name you want to use for file)"

Then type in "write net <IP address where your TFTP server software resides>:"

It should look something like this:

firewall(config)# tftp-server 10.0.1.251 /pix
firewall(config)# write net 10.0.1.251:
Building configuration...
TFTP write '/pix' at 10.0.1.251 on interface 1
[OK]

GodHand

You make it work buddy.

. thanks a lot. now i have no worry purging and editing pix policies.

have you tried to restore saved config from tftp back to the pix? just in case i encounter a serious problem, my only option is to restore the previous config. how long will it take to make it operational again? is there an additional command that i need to execute after copying from tftp?

Thanks forbesl... saves my night

GodHand

Hi guys.

Anyone who tried to restore pix config from tftp server?
how long is the downtime?
do i need to type other commands after copying from tftp?

im on a live network that's why i can't test.

thanks...

netteaser

Instead of using third tftp software I backup my pix's and ASA devices by connecting directly to the device thorugh a web browser and works exactly the same way as getting it from a tftp server