I'm looking to see the full running configuration when logged in using SSH - something like an equivelant to Cisco's 'show running-config' or Juniper's 'show config'.
I'm looking to see the full running configuration when logged in using SSH - something like an equivelant to Cisco's 'show running-config' or Juniper's 'show config'.
Can this be done with the UTM?
No.
There are some shell commands (See here) but there is no full-featured CLI built-in.
This would be by the way a feature, I would expect from Copernicus, but so far, I couldn't find it on their Roadmap or Featurelist.
Please send me Spam gueselkuebel@sg-utm.also-solutions.ch
WebAdmin manipulates a database of objects. When one of these objects is changed, WebAdmin calls confd to rewrite all of the lines of iptables, etc. where the object is involved.
Once you're more familiar with the UTM, you will realize that there's no practical use for the level of detail you've requested. Also, while your Cisco knowledge will be an asset down the road, it is, at present, a hindrance to learning how to do things quickly and elegantly with WebAdmin.
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
WebAdmin manipulates a database of objects. When one of these objects is changed, WebAdmin calls confd to rewrite all of the lines of iptables, etc. where the object is involved.
Once you're more familiar with the UTM, you will realize that there's no practical use for the level of detail you've requested. Also, while your Cisco knowledge will be an asset down the road, it is, at present, a hindrance to learning how to do things quickly and elegantly with WebAdmin.
Cheers - Bob
The point of what I'm trying to do here is automate a system using scripted SSH sessions that will alert me when the UTM config has changed. It's a system I'm already using with out Cisco and Juniper devices, so I'd like to use it with the UTM too. I'd say that's a practical use for the detail I'm looking for [:D]
What you don't seem to understand is what I have been trying to impress upon Sophos NSG product managers for years. To show compliance (especially in today's financial vertical) when facing IT audits and examinations today, a security manager must provide a complete configuration file and change log. It is imperative. It would be great if a security manager only had responsibility for a few UTM(s), but if you're managing hundreds, you need a way to provide full textual configuration files and a change log for the life of the appliance in an automated fashion. It's a differentiator and if Sophos can't provide the mechanism they will always lose market share to the vendors that can.
With the UTM, it's much simpler to copy off the Configuration Daemon log, using syslog or remote log file archive (Logging & Reporting > Log Settings), then you can review or manipulate as you wish.
Unlike Cisco or Juniper, command line (shell) changes on the UTM are not allowed without permission from Support. Doing so can lead to voiding of your support agreement for paid license customers. I realize that you just want to read information, but if something goes terribly wrong, you could be put in a very bad situation if you have to open up a case and support tells you to pound sand.
__________________ ACE v8/SCA v9.3
...still have a v5 install disk in a box somewhere.
What do you consider a config change? Only changes made by a user logged into WebAdmin? Look at the 'Management' tab to see, in detail, what each recent change has been. Look at the top of the Executive Report to see if there have been any logins to the console or WebAdmin.
Cheers - Bob PS Be aware that changes made at the command line can void your support, and that they are not a part of the config backup. That said, just taking the output from teched's command, comparing it with a prior copy and sending an alert via SSH should be permitted. Also, crontab is dynamically rewritten by WebAdmin, so also add your cron job to crontab-static.
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
What do you consider a config change? Only changes made by a user logged into WebAdmin? Look at the 'Management' tab to see, in detail, what each recent change has been. Look at the top of the Executive Report to see if there have been any logins to the console or WebAdmin.
I'm looking for any configuration changes at all, but my aim is to automate it using the same system I use for other network devices and appliances.
My suggestion was that a single change in WebAdmin can result in lots of changes to the configuration. If Prefetch is enabled to sync new users, the configuration will change when they're added automatically.
If you can't get the information out of the PostgreSQL database of recent changes, then the best you'll probably be able to do is get a message that says there's been a change so that you know to check the recent changes in WebAdmin.
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
Quote