Backing-up PIX config to TFTP

GodHand Member Posts: 46
My first post to the world of Security gurus. :)

Guys, I have this PIX 535 security appliance and don't know how to back up its configuration to TFTP. The version of the firewall is 6.3(4). I'm using Solarwinds as my TFTP application.

TFTP is already prepared.

Here is the command I used in the PIX.

pix535FW(config)#tftp-server 10.1.1.1 /tftp/cisco/fw_config

To start copying to TFTP I type this:

pix535FW(config)#write net :

The error is:

Building configuration...
TFTP write '/tftp/cisco/fw_config' at 10.1.1.1 on interface 1
TFTP error: File Open Error 3
[FAILED]


I'm not good with PIX, I'm new to it and I'm starting to learn its features. I need to back up the configuration before purging any policies in the near future. I also heard that my company is planning to migrate to a Fortinet box. Is there a program that can translate PIX commands to Fortinet commands?

Thanks. :)
Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.

Comments

  • sprkymrk Member Posts: 4,884
    I don't see Fortinet listed as supported right now, but you might drop these guys an email asking if it will soon. I am not sure if this tool will do what you want, but it's worth a look-see.
    http://www.kiwisyslog.com/cattools-info.php
    All things are possible, only believe.
  • GodHand Member Posts: 46
    Hi sprkymrk,

    Thanks for the post, this tool is nice. I emailed their tech support to see if they can help me.

    I have two PIX 535s and they contain a lot of policies, maybe 20-25 pages, and this next quarter we're planning to migrate to Fortigate 1000. If I configure these policies line by line in Fortigate, it will consume time. I worry about downtime because I'm in a mission-critical environment.

    If you have any suggestions...
  • sprkymrk Member Posts: 4,884
    I ran into the same type of situation almost 3 years ago when I started my current job here. There was an existing (but unstable and poorly configured) Symantec Enterprise Firewall in place with no documentation that had been touched at times by 3-4 different admins who knew little about firewalls. We decided to migrate to an SGS 5440 appliance, but there was no way to import existing rules/config. I spent about 6 weeks combing over the existing firewall with a fine tooth comb making notes as I went and dumping half the config as it was wide open and conflicting rules existed. After that I configured the new firewall offline as much as possible, (about 2 weeks of configuring and testing) then brought it online on a weekend to test live. I had to repeat this process a couple of weekends in a row before bringing it online during production hours. Fortunately the planning paid off and there was no disruption to any critical operations.
  • GodHand Member Posts: 46
    Wow, amazing... that was a real challenge. 6 weeks of combing is great.

    Maybe this is also my time to comb with a fine-tooth comb of notes. I think I need to start familiarizing myself with the rules and policies now. This is a no-joke project. We are on a 24x7 operation and my boss wants me to do the trick in just a day. Amazing...
  • sprkymrk Member Posts: 4,884
    Wow, good luck!
  • GodHand Member Posts: 46
    Thanks bro.
  • forbesl Member Posts: 454
    GodHand wrote:
    Here is the command I used in the PIX.

    pix535FW(config)#tftp-server 10.1.1.1 /tftp/cisco/fw_config

    Open up your Solarwinds TFTP server:

    Click on "File", then "Configure" and select the directory you want your files placed in under the "TFTP Root Directory" tab. Click OK.

    Leave the TFTP server up.

    Go to your pix and type in "tftp-server <IP address where your TFTP server software resides> /(specify name you want to use for file)"

    Then type in "write net <IP address where your TFTP server software resides>:"

    It should look something like this:

    firewall(config)# tftp-server 10.0.1.251 /pix
    firewall(config)# write net 10.0.1.251:
    Building configuration...
    TFTP write '/pix' at 10.0.1.251 on interface 1
    [OK]
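
Added example, not part of forbesl's post or the thread: a Python check, run on the TFTP host, that reads the `write net` output and confirms the saved file exists before any policy is changed. The function names are hypothetical, and it assumes the TFTP server stores the requested path relative to its configured root directory; the two transcripts are the ones quoted in this thread.

```python
import hashlib
import re
from pathlib import Path

# Transcripts copied from this thread: the failed attempt and the working one.
FAILED = """Building configuration...
TFTP write '/tftp/cisco/fw_config' at 10.1.1.1 on interface 1
TFTP error: File Open Error 3
[FAILED]"""
OK = """Building configuration...
TFTP write '/pix' at 10.0.1.251 on interface 1
[OK]"""

WRITE_RE = re.compile(r"TFTP write '(?P<path>[^']+)' at (?P<server>\S+) on interface \d+")

def parse_write_net(transcript):
    """Extract the target path, server, status and error text from 'write net' output."""
    result = {"path": None, "server": None, "ok": False, "error": None}
    for line in transcript.splitlines():
        line = line.strip()
        match = WRITE_RE.search(line)
        if match:
            result["path"], result["server"] = match["path"], match["server"]
        elif line.startswith("TFTP error:"):
            result["error"] = line.split(":", 1)[1].strip()
        elif line == "[OK]":
            result["ok"] = True
        elif line == "[FAILED]":
            result["ok"] = False
    # An [OK] without the preceding write line is not treated as a backup.
    result["ok"] = result["ok"] and result["path"] is not None
    return result

def verify_backup(transcript, tftp_root):
    """Return the SHA-256 of the saved config, or raise if the backup is not usable."""
    parsed = parse_write_net(transcript)
    if not parsed["ok"]:
        raise RuntimeError(f"backup failed: {parsed['error'] or 'no [OK] in output'}")
    root = Path(tftp_root).resolve()
    # Assumption: the server maps '/pix' to <root>/pix.
    target = (root / parsed["path"].lstrip("/")).resolve()
    if root not in target.parents:
        raise RuntimeError("requested path resolves outside the TFTP root")
    if not target.is_file() or target.stat().st_size == 0:
        raise RuntimeError(f"{target} is missing or empty")
    return hashlib.sha256(target.read_bytes()).hexdigest()
```

Recording the returned hash alongside the change ticket lets you confirm later that the file you restore from is the one captured before the change.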
  • GodHand Member Posts: 46
    You made it work, buddy. :D Thanks a lot. Now I have no worry purging and editing PIX policies.

    Have you tried to restore a saved config from TFTP back to the PIX? Just in case I encounter a serious problem, my only option is to restore the previous config. How long will it take to make it operational again? Is there an additional command that I need to execute after copying from TFTP?

    Thanks forbesl... saves my night
  • GodHand Member Posts: 46
    Hi guys.

    Has anyone tried to restore a PIX config from a TFTP server?
    How long is the downtime?
    Do I need to type other commands after copying from TFTP?

    I'm on a live network, that's why I can't test.

    Thanks...
  • netteaser Member Posts: 198
    Instead of using third-party TFTP software, I back up my PIXes and ASA devices by connecting directly to the device through a web browser, and it works exactly the same way as getting it from a TFTP server.