02-16-2011 01:37 AM - edited 02-16-2011 01:37 AM
I looked across the forums as well as techpubs, but couldn’t find any clear answer, so starting a new thread.
There is a „system archival” feature within JunOS and „archive” in Cisco IOS, which allow you to more or less automate configuration saves to a TFTP server.
Is there any feature within ScreenOS to automatically back up the config to a TFTP server once the „save” command is issued on the device, or is the only way to use the “save config to tftp” command?
02-16-2011 11:52 PM
I didn't find anything in the admin GUI on my NS-50, but I can't speak to the newer code running on SSGs.
One alternative would be to use the procedure described in the following:
to use ssh to download the configuration.
Or you could use a Juniper NSM (or successor).
02-17-2011 12:24 AM
Thanks for the tips.
We already do have a script which gathers device configurations once per 24 hours. However, there are devices where configurations are changed several times a day by various technicians; therefore the archival feature is implemented together with websvn, where we can track the latest configs.
02-17-2011 04:56 AM
One (not foolproof) way to do it is to force the techs to use a checklist where step one is to save the config to the TFTP server. Then you can move/timestamp the files as they arrive.
Another way to do it would be to assume that the device has been backed up. Then, when the device issues a trap/syslog indicating a user logs out, launch a job to grab the new config. If it's changed, save it; otherwise discard it.
02-17-2011 10:56 AM - edited 02-17-2011 10:58 AM
One method I've used in the past is to leverage syslog and/or SNMP traps. I don't think ScreenOS will send traps for configuration changes, but it will send syslog notices.
You can easily set up a syslog server and point your devices to send their logs there. Many syslog servers (I like syslog-ng on Linux) can be configured to watch for a particular pattern, and then take an action when they see it. You could set up a rule to watch for the log message from your ScreenOS devices that the configuration has been changed, and then you could fire off a script to go download the configuration immediately.
 I see that Theodore mentioned this in his reply as well.
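The syslog-triggered approach from the replies above, as an added sketch that is not code from any poster or from Juniper: a handler a syslog server can pipe matching lines into, which fetches the config and archives it only when its hash differs from the last copy. Assumptions: lines arrive as `<host> <message>` (for example via a syslog-ng template), the `CHANGE_RE` pattern is a placeholder to be replaced with the message your devices actually log, and `fetch` is a hypothetical callable wrapping your existing ssh or TFTP download.

```python
import hashlib
import re
import sys
import time
from pathlib import Path

# Assumption: replace with the exact text your ScreenOS devices log on a config
# change; the first field is taken to be the sending host.
CHANGE_RE = re.compile(r"^(?P<host>\S+) .*configuration.*(?:saved|changed)", re.I)
SAFE_HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")

class ConfigArchiver:
    def __init__(self, fetch, archive_dir, quiet_secs=60):
        self.fetch = fetch          # hypothetical callable: host -> config text
        self.root = Path(archive_dir)
        self.quiet_secs = quiet_secs
        self.last_fetch = {}        # host -> time of last triggered fetch

    def handle_line(self, line, now=None):
        """Return the path of a newly archived config, or None."""
        now = time.time() if now is None else now
        m = CHANGE_RE.match(line)
        host = m.group("host") if m else ""
        # UDP syslog is spoofable: never let the host field shape a path freely.
        if not SAFE_HOST.fullmatch(host):
            return None
        # Rate-limit per host so a burst of messages causes one fetch.
        if now - self.last_fetch.get(host, float("-inf")) < self.quiet_secs:
            return None
        self.last_fetch[host] = now
        data = self.fetch(host).encode()
        digest = hashlib.sha256(data).hexdigest()
        host_dir = self.root / host
        host_dir.mkdir(parents=True, exist_ok=True)
        marker = host_dir / "latest.sha256"
        if marker.exists() and marker.read_text() == digest:
            return None             # unchanged since last archive: discard
        stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
        out = host_dir / f"{stamp}.cfg"
        out.write_bytes(data)
        marker.write_text(digest)
        return out

if __name__ == "__main__":
    # Constructed stand-in for the real download step (ssh or TFTP pull).
    archiver = ConfigArchiver(lambda h: f"set hostname {h}\n", "config-archive")
    for line in sys.stdin:          # e.g. fed by a syslog-ng program() destination
        print(archiver.handle_line(line.strip()) or "no change archived")
```

A change made inside the quiet window is not fetched until the next trigger, so the existing daily collection job remains the backstop.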