Does anyone know of a way to grab the configs from a Juniper SA or MAG series SSL VPN? There seem to be ways to do it but I don't think NCM supports them. Does anyone have it working and, if not, please add this as a feature request! Thanks!
John
John,
Have you succeeded here with NCM? From your other conversation with SolarWinds it seems that these devices should be able to dump the config to a file and transfer it via SCP. If that's the case then NCM should be able to handle it.
Regards,
Jiri
I really never had the time to explore this. Perhaps in the next few months. The longer I wait the more I hope the next release of NCM will solve the problem for us.
You know NCM 7.1 is in RC phase now, i.e. GA in a few weeks' time. Improved Juniper device support is planned for the longer term...
Well - we are at 7.2 and this still does not work!! Any ideas?
We are running 7.3 and it still does not work.
Is increased support for these boxes still in the plan?
So I've had many a conversation with SolarWinds about this since my original post here. Juniper supports NETCONF, which is an industry-sanctioned way of doing things, but surprise, one of the bigger guys has been slow to get on board. Anyhow, it can all be done via the CLI using the NETCONF standard.
NETCONF - Wikipedia, the free encyclopedia
Packetpushers article on using it http://packetpushers.net/using-netconf-yang-to-configure-network-devices-and-why-it-does-not-replace-snmp/
And even Cisco finally getting into the action - This documentation has been moved - Network Configuration Protocol [Support] - Cisco
Juniper Support - NETCONF XML Management Protocol Developer Guide - Technical Documentation - Support - Juniper Networks
Specifically on the MAG / SSL VPN the settings are here:
This may be helpful; came across this looking for the same thing.
jspanitz, your article works just fine to run NETCONF... even on 8.2R5.1. I'm just not sure if you can use NETCONF in any way with NCM to grab the config.
Things to note:
So you need these things configured to make it work under Configuration | DMI Agent:
Test by running ssh -l username a.b.c.d -s netconf
Enter password
Response should be:
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:2.0</capability>
<capability>http://xml.juniper.net/dmi/software/1.0</capability>
<capability>http://xml.juniper.net/dmi/software/2.0</capability>
<capability>http://xml.juniper.net/dmi/system/1.0</capability>
<capability>http://xml.juniper.net/dmi/ive-sa/8.2R5</capability>
<capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
</capabilities>
<session-id>28905</session-id>
</hello>
I was able to grab the configuration properly with Tufin's firewall analyzer after making these adjustments to the MAG DMI settings.
Here is the Expect script that Tufin uses. If this could help anyone make an NCM script, please, please let me know!!
#!/usr/local/st/expect --
# Tufin's juniper_sa_login script. The copy pasted into the thread had lost its
# closing braces and the echo/reply split; reconstructed here so it runs.
# Usage: the password is read from stdin; the config goes to stdout, progress
# and errors to stderr. Exit codes 6 and 8 are added here for the branches that
# had none in the pasted copy.
if {[llength $argv] < 4} {
    puts "usage: juniper_sa_login ssh host user timeout port"
    exit 1
}
log_user 0
set prompt "\]\]>\]\]>"            ;# NETCONF end-of-message marker ]]>]]>
set cmd [lindex $argv 0]
set host [lindex $argv 1]
set username [lindex $argv 2]
set timeout [lindex $argv 3]
set port [lindex $argv 4]
if {$cmd == "ssh" && $port != ""} {
    set port "-p $port"
}

proc read_config {prompt} {
    send -- "<rpc message-id='10'><get-config><source><running/></source></get-config></rpc>\r"
    # first swallow the echo of our own request
    expect {
        -ex "<rpc message-id='10'><get-config><source><running/></source></get-config></rpc>\r\n" {}
        timeout {
            send_error "\nConnection timed out\n"
            send_error "\nbuffer: $expect_out(buffer)\n"
            exit 4
        }
    }
    # then read the reply line by line until the ]]>]]> prompt
    expect {
        -re "^($prompt)\r\n" {
            # prompt: we are done
            send_error "Config finished got prompt: $expect_out(1,string)\r\n"
        }
        -re "(\[^\r]*)\r\n" {
            # regular output line
            set line $expect_out(1,string)
            # Juniper SA may send a huge embedded binary file in xml element <logo-image>
            if {[regexp -- "</logo-image>" $line]} {
                set line "<logo-image>--REMOVED--</logo-image>"
            }
            # Juniper SA may send a huge embedded binary file in xml element <header-logo>
            if {[regexp -- "</header-logo>" $line]} {
                set line "<header-logo>--REMOVED--</header-logo>"
            }
            # Juniper SA may send a huge embedded binary file in xml element <html-file>
            if {[regexp -- "</html-file>" $line]} {
                set line "<html-file>--REMOVED--</html-file>"
            }
            # This value seems to change with every revision: <last-update-time>Wed 15 Dec 2010 08:50:17 EST</last-update-time>
            if {[regexp -- "</last-update-time>" $line]} {
                set line "<last-update-time>--REMOVED--</last-update-time>"
            }
            # This value seems to change with every revision: <updatefile>md5=6ccbb49aee6e6795d272684f8006b261,size=468045</updatefile>
            if {[regexp -- "</updatefile>" $line]} {
                set line "<updatefile>--REMOVED--</updatefile>"
            }
            # This value seems to change with every revision: <code>s5gPUHsoBAABAAAAJ6ZCav+juPEE7K9YI/WYzkmPiV58dPvmVfetvyS0v.....</code>
            if {[regexp -- "</code>" $line]} {
                set line "<code>--REMOVED--</code>"
            }
            send_user -- "$line\n"
            exp_continue
        }
        timeout {
            send_error "\nConnection timed out when trying to get configuration\n"
            exit 7
        }
        default {
            # eof (or anything else) before the prompt
            send_error "\nUnknown error:\n$expect_out(buffer)\n"
            exit 8
        }
    }
}

# enable this line for verbose debugging
#exp_internal 1
# we read the password from stdin, since it is insecure to pass it as an argument
expect_user -re "(.*)\n" {
    set password $expect_out(1,string)
}
set env(TERM) xterm
# {*} splits "-p NNNN" into two arguments; as one string ssh would reject it
if {[catch {spawn $cmd -l $username {*}$port $host -s netconf} error]} {
    send_error "\nError: $cmd failed: $error\n"
    exit 2
}
sleep 2
set got_prompt 0
expect {
    "login: " {
        send "$username\r"
        send_error "\nsent username\n"
        exp_continue
    }
    "assword: " {
        send "$password\r"
        send_error "\nsent password\n"
    }
    -re {The authenticity of host .* be established.*\(yes/no.*\)\?} {
        # Blindly accepts an unknown host key (trust on first use). Pre-seed
        # known_hosts if a MITM on the management path is a concern.
        send "yes\r"
        send_error "\nHost $host added to the list of known hosts.\n"
        exp_continue
    }
    -re {Host key not found.*\(yes/no.*\)\?} {
        send "yes\r"
        exp_continue
    }
    -re "Host key verification failed.*" {
        send_error "\nHost key verification failed\n"
        exit 3
    }
    timeout {
        send_error "\nConnection timed out 1\n"
        send_error "\n$expect_out(buffer)\n"
        exit 6
    }
    -re $prompt {
        # prompt already (key-based login, no password asked): we are done
        send_error "got prompt !! \n"
        set got_prompt 1
    }
}
# after sending the password, wait for the hello (ends in the prompt);
# a second password prompt means the password was wrong
if {!$got_prompt} {
    expect {
        -re $prompt {
            # we are done
            send_error "got prompt !! \n"
        }
        "assword: " {
            send_error "\nPassword error!\n"
            exit 5
        }
        timeout {
            send_error "\nConnection timed out here 2\n"
            exit 6
        }
        default {
            send_error "\nUnknown error, should have prompt:\n$expect_out(buffer)\n"
            exit 8
        }
    }
}
send_user "=====config begin=====\n"
read_config $prompt
send_user "=====config end=====\n"
set timeout 1
send "<rpc message-id='999'><close-session/></rpc>\r"
send_error "\nsent exit\n"
expect
exit 0
cvachovecj So you can grab the XML of the config using <rpc message-id='10'><get-config><source><running/></source></get-config></rpc>\r
However, it is just dumped into the CLI of the SSH session. How can you take a CLI response and use that as the beginning and end of the running configuration file vs. exporting it via FTP, etc.???
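The question above (where does the config start and end in the SSH stream) is answered by NETCONF's own framing: every message on a NETCONF 1.0 session, the server hello posted earlier included, ends with the `]]>]]>` marker (RFC 4742), which is exactly what Tufin's script uses as its "prompt". The following Python script is an added example for this thread, not Tufin's, Juniper's or SolarWinds' code. It splits the stream on that marker, reads the hello and checks the capabilities, sends the same get-config RPC the thread uses (with the xmlns and `]]>]]>` terminator the Expect script leaves out), validates the reply, and redacts the same volatile elements the Expect script blanks, but over the whole document instead of line by line so a multi-line `<logo-image>` is still caught. The sample hello and reply are constructed (the hello is a trimmed copy of the one posted above; the reply is made up), not captured from a device. The `fetch_running_config` function assumes paramiko is installed and a reachable DMI agent; it is the only part not exercised offline.

```python
"""NETCONF-over-SSH helpers for pulling the running config off a Juniper SA/MAG
(IVE) DMI agent. Added example for this thread, not Tufin's, Juniper's or
SolarWinds' code. Sample messages are constructed, not captured from a device."""
import re
import xml.etree.ElementTree as ET

EOM = "]]>]]>"   # NETCONF 1.0 end-of-message marker (RFC 4742); the Expect script's "prompt"
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
# Elements the Expect script blanks out: embedded binaries, or values that change every poll.
VOLATILE = ("logo-image", "header-logo", "html-file", "last-update-time", "updatefile", "code")
_VOLATILE_RE = re.compile(r"<(%s)(?=[\s>])[^>]*>.*?</\1\s*>" % "|".join(VOLATILE), re.S)


def local(tag):
    """'{urn:...}rpc-reply' -> 'rpc-reply'; tolerates replies with or without the xmlns."""
    return tag.rsplit("}", 1)[-1]


def split_messages(stream):
    """Cut a NETCONF 1.0 stream at ]]>]]>; returns (complete messages, unfinished tail)."""
    *done, tail = stream.split(EOM)
    return [m.strip() for m in done], tail


def parse_hello(msg):
    """(capabilities, session-id) from the server <hello>."""
    root = ET.fromstring(msg)
    caps = [c.text.strip() for c in root.iter() if local(c.tag) == "capability" and c.text]
    sid = next((int(e.text) for e in root.iter() if local(e.tag) == "session-id"), None)
    return caps, sid


def client_hello():
    return ('<hello xmlns="%s"><capabilities><capability>urn:ietf:params:netconf:base:1.0'
            '</capability></capabilities></hello>' % NC_NS) + EOM


def get_config_rpc(message_id, source="running"):
    """The RPC the thread sends by hand, plus the xmlns and ]]>]]> framing the script omits."""
    return ('<rpc message-id="%s" xmlns="%s"><get-config><source><%s/></source>'
            '</get-config></rpc>' % (message_id, NC_NS, source)) + EOM


def extract_data(reply, message_id):
    """Check the <rpc-reply> (id match, no <rpc-error>) and return <data>, namespaces stripped."""
    root = ET.fromstring(reply)
    if local(root.tag) != "rpc-reply" or root.get("message-id") != str(message_id):
        raise ValueError("unexpected reply %s message-id=%s" % (root.tag, root.get("message-id")))
    errors = [e for e in root.iter() if local(e.tag) == "rpc-error"]
    if errors:
        msgs = [m.text for e in errors for m in e.iter() if local(m.tag) == "error-message" and m.text]
        raise RuntimeError("rpc-error: %s" % "; ".join(msgs))
    data = next((e for e in root if local(e.tag) == "data"), None)
    if data is None:
        raise ValueError("rpc-reply carries no <data>")
    for el in data.iter():
        el.tag = local(el.tag)
    return data


def normalize_config(data):
    """Serialize <data> and redact the volatile elements so successive polls diff cleanly.
    Whole-document regex, so an element spanning several lines is caught too."""
    return _VOLATILE_RE.sub(r"<\1>--REMOVED--</\1>", ET.tostring(data, encoding="unicode"))


def fetch_running_config(host, username, password, port=22, timeout=60):
    """Live equivalent of 'ssh -l user host -s netconf'. Assumption: paramiko is
    installed and the DMI agent is enabled; this path is not exercised offline."""
    import paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())   # no blind "yes" to unknown keys
    client.connect(host, port=port, username=username, password=password,
                   timeout=timeout, look_for_keys=False, allow_agent=False)
    chan = client.get_transport().open_session()
    chan.settimeout(timeout)
    chan.invoke_subsystem("netconf")
    buf = ""

    def read_message():
        nonlocal buf
        while EOM not in buf:
            chunk = chan.recv(65536)
            if not chunk:
                raise ConnectionError("session closed mid-message: %r" % buf[-200:])
            buf += chunk.decode("utf-8", "replace")
        msg, _, buf = buf.partition(EOM)
        return msg.strip()

    try:
        parse_hello(read_message())                       # server hello first, then ours
        chan.sendall(client_hello().encode())
        chan.sendall(get_config_rpc(10).encode())
        config = normalize_config(extract_data(read_message(), 10))
        chan.sendall(('<rpc message-id="999" xmlns="%s"><close-session/></rpc>%s' % (NC_NS, EOM)).encode())
    finally:
        client.close()
    return config


# Constructed samples: the hello is a trimmed copy of the one posted above, the reply is made up.
SAMPLE_HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>http://xml.juniper.net/dmi/ive-sa/8.2R5</capability>
</capabilities><session-id>28905</session-id></hello>"""
SAMPLE_REPLY = """<rpc-reply message-id="10" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><data>
<configuration><system><hostname>sa-lab</hostname></system>
<ui><logo-image>iVBORw0KGgoAAAANSUhEUgAAAAUA
AAAFCAYAAACNbyblAAAAHElEQVQI12P4</logo-image></ui>
<last-update-time>Wed 15 Dec 2010 08:50:17 EST</last-update-time></configuration>
</data></rpc-reply>"""
```

Run offline with `msgs, _ = split_messages(SAMPLE_HELLO + EOM + SAMPLE_REPLY + EOM)` followed by `normalize_config(extract_data(msgs[1], 10))`; the result is the `<data>` element with the logo and timestamp replaced by `--REMOVED--`, which is the text a config tool should store and diff. Unlike the Expect script, `fetch_running_config` rejects an unknown host key rather than answering "yes", so seed `known_hosts` with the SA's key before pointing it at production.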
I uploaded "not-quite-yet-PulseSecure" template to Thwack for your review.