Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] How to back up a configuration to an archive site using SCP

0

0

Article ID: KB36783 KB Last Updated: 05 May 2021Version: 1.0
Summary:

This article explains how to backup a configuration from a Juniper device to an archive site within the defined interval.  

Solution:

There are two methods to transfer a configuration backup from a Juniper device to an archive site. 

  • System archival configuration method 
  • The event-options method 

Before proceeding with either of the above methods, establish an SSH trust between the SRX and the archive site. This way, the SRX can perform SSH login to the archive site without a password. This procedure is known as SSH public key authentication or SSH password-less authentication

To backup the configuration to a remote server while executing a commit, refer to KB15399 - Back up/archive a configuration file to a remote server while executing commit

To backup the configuration to a remote server using time-interval without any authentication, refer to KB27993 - Archiving configuration using "transfer-interval" statement 

 

Topology:

Steps to perform SSH password-less authentication:

  1. Here, Linux Server is our Archive site. Create a user in the Linux Server. E.g., admin

  2. Create a Directory in the Linux Server. Make the “admin” as the owner of the directory and give relevant file permissions to receive the configuration backup from the SRX.

  3. In the SRX, generate the SSH key under the shell mode using the below command.

    Example: user@host% ssh-keygen

    Note: By using the above command, the SSH key will be generated with RSA algorithm with a key length of 2048. You can also generate the key with a stronger key-length or using a different algorithm.

  4. Locate the generated SSH key in the SRX (/root/.ssh/id_rsa.pub) and transfer it to the Linux Server in the following location: /var/home/<USERNAME>/.ssh/authorized_keys.

    Example: user@host% scp /root/.ssh/id_rsa.pub root@1.1.1.2:/var/home/admin/.ssh/authorized_keys​

  5. Try to SSH your Linux Server from the SRX.  You should be able to login without prompting for a password. Once this procedure is completed, use either transfer-on-commit or event-options to backup your configuration periodically to your archive site without login. 
     

System archival configuration method: 

This method uses transfer-interval of 15 minutes. For example, for every 15 minutes, the configuration will be transferred to the archive site. If you intend to transfer the configuration upon every commit, then use the statement "set system archival configuration transfer-on-commit".

set system archival configuration transfer-interval 15
set system archival configuration archive-sites "scp://admin@1.1.1.2:/var/tmp/config-archival"

If the archival is successful, the log below will be in the messages file with the device's hostname appended to it.

Apr  4 09:05:10  SRX logger: transfer-file: Transferred /var/transfer/config/SRX_20210404_090448_juniper.conf.gz
 

Event-Options method: 

The maximum transfer-interval using the above system archival configuration method is 2880 minutes, which is 48 hours. If the customer has a requirement where he/she would like to backup the configuration every week, then it is not possible to do so with the above method. For this purpose, we are using event-options with the time-interval of 604800 seconds which is 1 week. 

set event-options generate-event CONFIG-ARCHIVAL time-interval 604800
set event-options policy CONFIG-ARCHIVAL-POLICY events CONFIG-ARCHIVAL
set event-options policy CONFIG-ARCHIVAL-POLICY then upload filename /config/juniper.conf.gz destination MY-DESTINATION
set event-options destinations MY-DESTINATION archive-sites "scp://admin@1.1.1.2:/var/tmp/config-archival/"

If the archival is successful via event-options, the log below will be in the messages file:

Apr  4 09:14:06  SRX root: transfer-file: Transferred /config/juniper.conf.gz

Note: With both methods, the "set security ssh-known-hosts host <x.x.x.x> . . ." line will be added automatically once the SCP archive-site is configured.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search