How to backup the configuration using FTP with read-only account over CLI to another subnet?

Our managing partner is using Auvik for monitoring and backup of Firebox configuration.

The Auvik agent is running on a server on different subnet at AWS VPC, and our Firebox M270 has VPN Interface with static route to that subnet at AWS. This VPN Interface works fine.

Auvik agent is using CLI to connect to Firebox and backup its configuration:
"export config to ftp://'user':'password'@'serverIP':21/'timebakup.cfg".

It appears that:
1. A local IP address must be assigned to VPN Interface for the backup via CLI to work.
2. CLI does not work with read-only accounts and requires an admin account.

Both these requirements create issues, so the question is can the configuration be backed up via CLI using read-only account, and what other options besides assigning local IP address to VPN Interface can be used to allow FTP traffic to different subnet?

Answers

  • So, this route was added automatically when VPN Interface was created (picture below)

    But the Firebox seems to use 0.0.0.0 as source IP when sending the FTP traffic to the server on 172.31.0.0/16 subnet and that is not working.

  • edited July 2022

    I think about adding FTP packet filter with policy based routing from Firebox to the Auvik server on 172.31.0.0/16 subnet and route outbound traffic via that VPN Interface. Will then Firebox use its local IP address as source IP?

  • james.carsonjames.carson Moderator, WatchGuard Representative
    edited July 2022

    Hi @maestro
    If it's going externally (as in not to a destination on a subnet the firebox owns,) the firebox will source via its lowest numbered interface's external IP.

    The firewall itself should be able to produce a config file via the CLI by using the "export" command.

    Your options via that command are to the SSH console, FTP, or TFTP,

    "export config to "

    <ftp>    FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
    <tftp>   TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
    console  Console terminal
    

    Doing this via Auvik isn't specifically supported, but if all it's doing is running an FTP, it should work provided the firewall has the correct credentials and the FTP is accessible.

    The export command works via status or admin type users, so you should be able to use it without escalation. I would suggest making a specific account for this if you try to do it so that your status password changing does not break it, and you can revoke access if need be.

    -James Carson
    WatchGuard Customer Support

  • edited July 2022

    Thank you for your response, James.

    Good to know that status type users can use the CLI and export config command too.

    I suppose the Firebox is using its external IP, as FTP server at AWS is on a different subnet.
    Like I mentioned earlier the VPN Interface on the firewall tunnels the traffic between the local Firebox subnet and the subnet at AWS.

    So, is there a way to route the "export config to ftp" traffic via tunnel as well?
    I guess if the Firebox could use its internal IP for this FTP traffic to pass through the tunnel, then we would have the problem solved.

    One option is to assign a local IP address to VPN Interface, but I do not want to do that, as it breaks other things.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @maestro
    You can potentially make a rule for that specific traffic and use the "set source IP" in the advanced NAT options.

    -You'd need to expose the "any from firebox" rule in the firebox's gobal settings.
    -Once the any from firebox rule is exposed, make a new rule with that NAT option, and place it above the any from firebox rule.

    If you decide to do this, make sure your rule is very specific so that it doesn't accidentally catch other traffic from the firebox.

    -James Carson
    WatchGuard Customer Support

  • Thank you, James. I will try that and post back.

Sign In to comment.