Traceability of configuration changes using Git — OPNsense documentation (2024)

When seeking a solution to keep full traceability of configuration changes made by (various) users on your firewall,the git-backup plugin might be a useful addition to your setup.

In order to use this feature, one has to install the git-backup plugin first (in System->Firmware->Plugins search for os-git-backup).

Concept

Since git backup is a little bit different than the standard backup options available, we will explain briefly how it works usingthe diagram below.

When config.xml changes happen due to user or api interaction, an event is triggered to which handlers can subscribe(using syshook).Our git-backup plugin subscribes to these events in order to add the received backups and commits these withinformation extracted from the received xml file. To prevent the system to lock during backups,we choose this loosely coupled method. Events which are yet unprocessed are being left in the (existing) backup directory.

Note

Events are processed from the moment the initial backup is configured, when disabling backups, the (local) changelog itselfremains active.

Git backup will push collected commits to the upstream repository nightly.To shorten this default interval, a custom cronjob (see Settings) can beset up, selecting Remote Backup as the Command. The regular backup procedure (which is also being triggered using the testbutton in the user interface) is responsible for initialising the empty local repository and configuring the upstream target.

Note

One can always change the upstream target, as long as the newly configured one is either “bare” (empty) or containing theexact same content (/change history) as the one used on this firewall.

Initial setup

The configuration part of this plugin is quite basic and offers two types of transport modes, https using a username andpassword combination or ssh using public key infrastructure.

Enable

Enable backup to the upstream target

URL

Target location, which defined transport protocol,options as ssh://server/project.git or https://server/project.git are allowed here.

Branch

The branch to push your commits to on the configured url

SSH private key

When using ssh, make sure to add a private key here

User Name

Username, when using gitlab and ssh, the default is git here(most of these providers use a single user and identify the user by it’s key)

password

When using https authentication, choose a password here.

Make sure to push to a “bare” upstream repository, when pressing “Setup/Test Git” the initial commits should be send toyour git server.

SSH Setup

If you use GitHub, then your only option for git-backup, is to configure it for SSH access since GitHub has removed the ability for external applications to log into your account via your username and password.

The fields in OPNSense under System / Configuration / Backups / Git should contain the following:

  • URL absolutely MUST follow this format when using GitHub and GitLab: ssh://github.com/user_name/repo_name.git. Any URL string that does not follow this pattern will not work.

  • SSH Private key (discussed below)

  • User Name should ONLY contain the word git

  • password: leave this field empty

You need to create your repository BEFORE enabling git-backup. Do not add any files or READMEs to the repository. In other words, create a BLANK repository.

Next, create a new SSH key specifically for git-backup (only generate the private / public keys per that document and skip the rest). It is imperative that you do not add a password to your key, or your backups will fail with authentication errors.

You should set up SSH access to just your repository by assigning your SSH public key to the repository instead of assigning it to your GitHub / GitLab account. Doing this ensures that you don’t arbitrarily expose more of your git resources to OPNSense than is absolutely necessary for git-backup to work properly.

If you use GitHub, you can add your SSH public key by going to your repository, then click on settings, then Deploy keys. Or you can go straight to the URL using this format: https://github.com/USER_NAME/REPOSITORY_NAME/settings/keys/new.

  • Check the box Allow write Access.

Make sure the fields are populated as stated above and that the Enable box is checked, then click on Setup / Test Git and you should see a message come back at the top of the page indicating that the first backup was successful.

Tip

When choosing an non-existing remote branch one will be created automatically. An existing one needs to be empty (blank) on orderto use it, which in practice is only possible when creating the repository for the first time.

Conflict resolution

From the user interface no conflict resolution is offered, you need to configure an upstream repository and stickto it for the lifetime of the firewall. When for some reason a backup needs to be restored and one would like tostick to the same git repository, manual conflict resolution might be an option. Support on these scenario’s isnot offered.

The repository is available on the OPNsense machine in the following directory /conf/backup/git.

Note

Conflict resolution can complicate the solution a lot (merging, fast-forward, ….), for this reason we will notaccept feature requests trying to push to existing (used) repositories.

Error handling

When errors occur these will be written to the normal system logging, search for git-backup in the generalsystem logging (System -> Log Files -> General).

Some standard errors might be returned via the test button, which should provide a clear direction, known ones are:

  • authentication failure -> username/password combination is not valid or the provided ssh key doesn’t match the expected one

  • ssh hostkey changed -> it looks like a man-in-the-middle attack is happening, if that’s not the case and the remote identificationchanged for valid reasons, manual intervention is required (remove the offensive key from /root/.ssh/known_hosts)

  • git out of sync -> unable to synchronize, see “Conflict resolution” for additional info.

Cleanup

The repository is saved locally on the firewall in /conf/backup/git, if for some reason one would like to remove thecollected history and start over from scratch, one can safetly remove this directory.

Login using a (ssh) console and remove the git directory in that case (rm -rf /conf/backup/git)

Note

As long as the plugin is installed and /conf/backup/git contains a git repository, the changes will be captured(also without an upstream). One could use this knowledge as well to keep a local (only) repository by creatinga repository without assigning an upstream and leave the backup option disabled.

Tip

The firewall contains a local backup of the most recent changes (configured in System -> Configuration -> History)which the config changed event handler uses to feed to the consumers. If after a cleanup one would like to flushthe collected changes again to the upstream provider, the /conf/event_config_changed.json could be removedto “forget” about the already handled config events (in which case all backups will be signaled again to all config syshook handlers)

Traceability of configuration changes using Git — OPNsense  documentation (2024)

FAQs

How to save OPNsense configuration? ›

Log into your OPNsense firewall and go to the backup feature. It is located at System ‣ Configuration ‣ Backups.

What is the default backup count for OPNsense? ›

If theres no number set, the code defaults to 100 kept backups.

What does save configuration mean? ›

2) "save configuration" means saving the configuration file (script) only. But the configuration information won't be sync to the database. Using the command "display saved configuration" you may see the information of the configuration file.

What is the default WAN interface in Opnsense? ›

By default, LAN is assigned to port 0 and WAN is assigned to port 1. Assignments can be changed by going to Interfaces ‣ Assignments. This lists existing interfaces, with the interface name on the left and the physical port selected in the dropdown.

What files are excluded by default from the backup? ›

Types of files excluded

Some of the excluded file types and folders are: Browser caches, cookies, and temporary files. System working files. System logs.

What is the default Web interface of Opnsense? ›

The GUI is accessible at https://192.168.1.1/ using Username: root Password: opnsense by default (unless a previous configuration was imported). Using SSH we can access the firewall at IP 192.168.1.1 . Both the root and installer users are available with the password specified above.

How do I save WLC configuration? ›

Step 1: Log into the Web GUI of the controller using Username "admin" and Password "Enable password" of the WLC controller.
  1. Step 2: Click on the Maintain tab, and then click on Start from Manage Configurations .
  2. Step 3: Choose Operation and select Save current configuration from the drop-down list and click on Next .
Nov 28, 2018

How to save the running configuration to the startup configuration file Cisco? ›

A startup configuration is stored in the nonvolatile memory of a device, which means that all configuration changes are saved even if the device loses power. To copy your running configuration into the startup configuration you need to type the command copy running-configuration startup-configuration.

How to save configuration in ASDM? ›

In CISCO's Adaptive Security Device Manager (ASDM) interface, to save the running configuration to the startup configuration, you need to click on the 'File' menu, then select 'Save Running Configuration to...'. On the next screen, you would select 'Startup Configuration'.

Where do you backup your Pfsense configuration from? ›

Backing up the configuration file
  1. Browse to Diagnostics | Backup/restore.
  2. Select the Backup/Restore tab.
  3. Set the Backup area to ALL. ...
  4. Leave Do not backup package information unchecked.
  5. Leave Do not backup RRD data checked.
  6. Click Download configuration.
  7. Save the file to a secure ...

Top Articles
Latest Posts
Article information

Author: Dan Stracke

Last Updated:

Views: 5711

Rating: 4.2 / 5 (43 voted)

Reviews: 82% of readers found this page helpful

Author information

Name: Dan Stracke

Birthday: 1992-08-25

Address: 2253 Brown Springs, East Alla, OH 38634-0309

Phone: +398735162064

Job: Investor Government Associate

Hobby: Shopping, LARPing, Scrapbooking, Surfing, Slacklining, Dance, Glassblowing

Introduction: My name is Dan Stracke, I am a homely, gleaming, glamorous, inquisitive, homely, gorgeous, light person who loves writing and wants to share my knowledge and understanding with you.