sonrancid: A [very] basic RANCID module for SonicWall

I know, I know, I’m always saying that you don’t need a firewall. That’s mostly to get your attention to push my agenda of sane security architecture. I do actually believe that firewalls are appropriate in a great many use cases, and I’ve managed them big and small, ranging from Juniper SRX 5800 clusters to tiny purpose-built BSD distros on custom hardware. I even managed Check Point and Gauntlet firewalls back in the 1990s. And Novell BorderManager... good gravy... BorderManager. I just had a chill, that thing is still around. They work well when spec’d, designed, and maintained correctly and placed in an appropriate location in a network architecture. That said, I have a few SonicWall devices that I work on occasionally, and it has always irritated me that there was not a usable RANCID module for them. To that end, I hacked up the Cisco RANCID script to support very rudimentary config backups.

<Insert comment about having some DevOps skills is useful, even if they are very basic like mine.>

The script will log in and pull the config and version using the following commands:

show current-config
show version

I am really hoping that someone else will pick it up and massage it a bit, because it is very chatty and will produce a diff every time due to the way SonicOS presents some of its configuration parameters. It also needs to be tested against larger SonicWall devices, as I only have smaller boxes to run against. I know it works against a TZ210; YMMV. Please post comments on GitHub if you use it with anything else. The password hash is particularly annoying: it always changes when the configuration is displayed. Some of the framework is there to remove it, so I may hack at it a bit more, but it’s usable in the loosest sense for the short term. It’s available on my GitHub site.
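One way to stop the changing password hash from producing a diff on every run is to mask it before the capture is compared or committed. The following is an added example, not code from sonrancid or RANCID; the keyword names in the rule and the sample captures are assumptions constructed for illustration, so adjust the pattern to the lines that actually churn in your device's output.

```python
import difflib
import re

# ASSUMPTION: the keywords below are hypothetical. Edit them to match the lines
# that change between runs in your device's `show current-config` output.
MASK_RULES = [
    re.compile(r"^(?P<key>\s*(?:password|secret)\s+)(?P<val>\S.*)$", re.IGNORECASE),
]
PLACEHOLDER = "<removed>"


def normalize(capture):
    """Return (lines, masked_count) with volatile values replaced by a placeholder."""
    lines, masked = [], 0
    for raw in capture.splitlines():
        line = raw.rstrip()  # drop trailing whitespace left by the terminal session
        for rule in MASK_RULES:
            m = rule.match(line)
            if m:
                line = m.group("key") + PLACEHOLDER
                masked += 1
                break
        lines.append(line)
    return lines, masked


def stable_diff(old, new):
    """Unified diff of two captures after masking; an empty list means no real change."""
    a, _ = normalize(old)
    b, _ = normalize(new)
    return list(difflib.unified_diff(a, b, "previous", "current", lineterm="", n=0))


# Constructed sample captures (not real SonicOS output).
RUN_1 = "administration\n    admin-name admin\n    password 4,aaaa1111\n    idle-logout-time 5\n"
RUN_2 = RUN_1.replace("4,aaaa1111", "4,bbbb2222")                    # only the hash changed
RUN_3 = RUN_2.replace("idle-logout-time 5", "idle-logout-time 60")   # a real config edit

if __name__ == "__main__":
    print("hash-only change:", stable_diff(RUN_1, RUN_2))
    print("real change:")
    print("\n".join(stable_diff(RUN_2, RUN_3)))
```

Masking also keeps credential hashes out of the version-control repository, at the cost that the stored copy cannot restore the password on its own.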


  1. Les Begnaud says:

    Hi there, I just implemented your set of scripts and had a couple comments:
    1) seems to work just fine on an NSA 3600
    2) have you attempted to rebuild a SonicWall based on the output of ‘show current-config’?
    3) any luck with getting the ever-changing passwords to behave themselves? I am not a fan of constant diffs… defeats the purpose of diffs
    4) your GitHub sonrancid script references clogin, and not sonlogin
    5) Thanks so much for doing this!

    Let me know if I can help

    • I never got the password diffs to work and my TZ210 has died, so I no longer have a good way to test. I also never got an opportunity to restore from the backup due to the failure of the device.

      Use clogin; the sonlogin piece was unnecessary. In addition, don’t upgrade to RANCID 3; it completely breaks this script due to the massive changes made.

      I’m working on a RANCID replacement as well that should, if we do it right, work on pretty much any gear.

      It’s pretty raw and not all in GitHub yet, but we do have working proof of concept code that I hope to get up there this week.

© 2019 The Forwarding Plane. All rights reserved.

Copyright 2016 Nick Buraglio, ForwardingPlane, LLC