Securing your config backups with BackBox and Paessler PRTG

Backing up is not only for user data; it's also critical for security and network device configuration data. Although these kinds of backups can be complex and time-consuming, there are tools that help automate the process. Let's look at how BackBox and Paessler PRTG monitoring software can be used to do this. 

Backups are not just for user data

If I were to ask you, “When did you last backup your user data?”, I’m guessing the replies would range from “continuously” through to “last night” or “last weekend” (hopefully, no longer than that!). This isn’t surprising, as whether you’re part of a global IT department with a dedicated team of backup techs or one person taking care of “everything with a plug on it”, ensuring user data is securely backed up is likely one of your key responsibilities.

But what if I asked, “When did you last backup the config of your core switch?” How about your WLAN controllers, firewalls, phone system or load balancers? I can pretty much guarantee the replies would vary by weeks, months or even years (gulp!).

Network and security device backups simplified

Of course, any Sysadmin worthy of the title will take a backup before making any config changes to a device. But despite what your users (should) think, you are only human and are therefore likely to forget things and make occasional mistakes. Also, backing up network kit can be a pain in the posterior – every vendor has different management tooling and many only rely on CLI interfaces, requiring you to create, maintain and schedule scripts to backup the configs. If only there was a tool that could automate the whole process…

Fortunately, there is. BackBox's eponymous automation platform supports thousands of physical and virtual devices from over 180 of the world’s leading vendors and provides almost 5000 pre-defined automations to help control and administer the devices that comprise your network.

Implementation

Available as on-prem, private cloud or as-a-service variants, the system provides easy automated management of both physical and virtual equipment. It’s also inherently designed to be multitenant, making it an ideal tool for MSPs, with all the security and segmentation controls required by such teams.

BackBox can connect to your devices either directly, or via an easy-to-deploy agent that simplifies the management of remote sites (in much the same way as PRTG’s Remote Probes do).

BackBox includes an easily customizable dashboard to visualize the status of its various operations.

Backups

There’s more to backups than just “grabbing the configuration file”. BackBox provides a complete solution, including some key capabilities.

Restoring from backup is a single click operation, simplifying the ability to get devices back up and running when under pressure from a failure.

Besides just backing up an appliance’s configuration, BackBox can also collect licence keys and other meta data, making “bare metal” restores very simple.

BackBox validates the integrity of each backup, both when created and before any restore operation.

Backup histories can also be analysed and compared, providing an invaluable tool for “what’s changed” troubleshooting tasks.

BackBox is also more than just backups.

OS Updates

The robust and flexible automation features greatly simplify the installation of OS upgrades. Advanced automations included in the Automation Library provide for multi-step updates helping administrators get to the most recent OS versions simply.

BackBox NVM even provides a network vulnerability assessment based on device inventory to help administrators keep their networks secure and prioritize OS updates.

Compliance

For those working in regulated industries, BackBox can also validate device configurations against various compliance frameworks, including HIPAA and PCI, as well as inhouse defined policies, all with full auditing and reporting facilities.

Monitoring BackBox with PRTG

The BackBox system includes a rich and powerful API, which allows PRTG to retrieve status information for backup jobs, configuration tasks and config changes, using our new REST Custom V2 sensor. This new sensor type is still in “Beta” status. You must enable “experimental features” in PRTG to access them. As with any pre-release feature, use your own judgement before using them in a production environment. The manual link above will provide more details about the sensor and its status.

To retrieve data using the BackBox API, you’ll need to create an Authentication Token, which you can do from the Administrative menu:

Add your BackBox instance as a device in PRTG and turn off the “Inherit From” option for REST API Credentials. Next, select “Bearer Token” as the authentication type and copy & paste the API key into the Token field:

Then, when you start building out your REST Custom V2 sensors, you can just use the placeholder variable (%restbearertoken) in the Custom HTTP Headers field of the sensor config (see below).

You’ll need to specify the Request URL, which you can find from the API link in the BackBox GUI. The link will take you to the Swagger-based documentation for the API, where you can explore the various endpoints and test queries to see the data they return.

One of the nice features of the REST Custom V2 sensors is that a “template” file is no longer needed to parse the returned data and map it to sensor channels. Instead, you just need to specify the JSONPath for the value you’re interested in. There are several online tools available that will make this easy, such as JSON Path Finder – simply paste the Response Body from a successful Swagger query into the left side panel and it will let you explore the resulting JSON object and show the path to the metric you’re interested in:

Paste that value into the PRTG sensor config (replacing the leading “x” with “$”)

The API provides a huge selection of interesting endpoints and is still under active development. The metrics available under the \api\dashboard branch are particularly useful to PRTG as they provide API access to the data used for the summary reports shown on the BackBox dashboard.

Once you have some sensors built, you can then add them to a map (dashboard) to summarize the status of your environment:

Backing up your user data may be part of your daily routine, but the most rigorous and carefully tested data backup plan in the world will be useless if there’s no network connecting your backup data to the right hosts. BackBox provides a quick and easy way for administrators to collect, validate and store the configs of all their networking equipment, and rapidly restore them, should things go wrong.