It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure Revision Control System Monitoring (RCS)

  • Last updated on

The Revision Control System (RCS) provides information on all configuration changes to your system and is available on both the box and CC levels. On a Control Center, you can configure and run the RCS separately both on the box and/or the CC level for the configuration of the managed appliances.

Once activated, the RCS puts a copy of every configuration set into its own storage. Because the number of created copies increases with each configuration change, the RCS provides the option to restore an earlier version of stored configurations upon request. The RCS can also generate reports to help monitor configuration changes.

Note that operating the RCS on the CC level can take a lot of memory and storage if the Control Center manages a large number of appliances. This can also slow down your Control Center accordingly.

In the case of a Control Center, it is recommended to check the log file for progress.

Functioning and Limitations of the RCS System

The RCS system is disabled by default. If you want to use the RCS system, you first must enable and configure it to match your requirements. After disconnecting and reconnecting to your appliance via Firewall Admin, you can then create RCS reports selectively for any configuration node. When activated, RCS logs all configuration changes on a configuration tree node or service with the exception of:

  • DNS Service
  • VPN > VPN Settings
  • VPN > Client-to-site VPN
  • VPN > Site-to-Site VPN

How to Configure and Use the Revision Control System

The Revision Control System provides the following options:

  1. Activating and configuring the RCS.
  2. Viewing RCS content versions.
  3. How to create a report based on the changes.
  4. Reverting a configuration to a specific version.

1. Activating and Configuring the RCS

  1. Log into your firewall / Control Center.
  2. (On the box level): Go to CONFIGURATION > Box > Administrative Settings.
  3. (On the CC level): Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > CC Parameters.
  4. In the left menu, select RCS Setup.
  5. Click Lock.
  6. From the Version Control System list, select Enable.

  7. Define the following RCS settings:
    • Log Change Differences – Enables or disables the RCS log (file name: servicename_changes) of all configuration changes.
    • Log Creation Differences – Specifies how configuration changes are logged. You can select one of the following settings:
      • Disable – Log change differences will be ignored.
      • Difference-to-Default – Only differences to the default settings are listed.
      • Full-Info – Every configuration option is listed.
      • None – Only changes are listed.
    • Log Removal Differences – Specifies how to log file removals. You can select one of the following settings:
      • Difference-to-Default – Only differences to the default settings are listed.
      • Full-Info – Every action is listed.
      • None – The removal of files is not listed.
    • Report Processing Script – You can enter a script to automate the transmission of change reports to other destinations. The shell script can invoke Secure Copy (scp) or email delivery. See the table in the following paragraph for some scripting examples.
    • Force RCS Change Message – To enter a comment for every RCS check-in, select yes.
  8. Click Send Changes and Activate.
    rcs_improvements_rcs_setup.png
Report Processing Script Examples

The following table displays examples of scripts that you can enter in the Report Processing Script table for transmitting your change reports via scp or mailclt. In your script, use the $REPORT variable. The name of the report file is stored in $REPORT.

Scripts are triggered for execution each time a change is made to a configuration setting.
MethodExample Script
scpscp "$REPORT" root@recipient.com

mailclt
Note that the SMTP server must be entered as an IP address. Entering host names is not allowed.

/opt/phion/bin/mailclt
-f
sender@sender.com
-r
recipient@recipient.com
-s
"change"
-m 192.168.0.1 -a
"$REPORT"

Activate the RCS by disconnecting and then reconnecting to the Barracuda CloudGen Firewall. Click Disconnect and then click Connect. After configuring and activating RCS, you can view change reports for each configuration tree node.

2. Viewing RCS Content Versions

After a change has been made to a specific node, the new configuration set will replace its preceding version. After a change to a configuration node, you can inspect all revisions that the RCS has stored.

This example assumes that you have made changes to the Network node.

  1. Log into your firewall.
  2. (On the box level): Go to CONFIGURATION > Configuration Tree > Box > Network.
  3. (On the CC level): Go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > Boxes > your box > Network.
  4. Right-click the Network node.
  5. A pop-up menu list is displayed that shows all valid options associated with the node.
  6. Click Show RCS Versions... in the list.
    rcs_improvement_menu_list_show_rcs_versions.png
  7. The RCS Versions window is displayed.
    rcs_improvements_rcs_versions_selected.png

     

    Note that the last two versions are always preselected for your convenience.
    However, if you want to compare other versions, you can always modify your selection by clicking on the preferred two versions in the list.

  8. The RCS Versions window displays a list of all versions of a configuration page. It displays the following information:

    ColumnDescription
    VersionThe version numbers of activated (by clicking Activate) changes.
    If a configuration has only been sent (by clicking Send Changes), this column displays, "session."
    If a linked file is edited, the file version and complete path to the link target are also displayed.
    DateThe date when the configuration version was activated. Dates are formatted as follows: yyyy/mm/dd
    TimeThe time when the configuration version was activated. Unless you have changed the time settings for the system, the UTC time format is used.
    AdminThe login name of the administrator who made changes to the configuration version.
    PeerThe IP address of the administrator who made changes for the configuration version.
    Operation

    Displays the type of change made by the administrator:

    • CHANGE – Indicates a modification.
    • ADD – Indicates an added configuration entry (for example a newly introduced firewall rule).
    • REMOVE – Indicates a removed configuration entry (for example removing a CloudGen F rule).
    • LINK – Indicates a link to a repository entry.
    • UNLINK – Indicates that a link to a repository entry was removed.
    Link VersionIf the configuration page is linked to a repository, the version of the link target is displayed.
    Link PathIf the configuration page is linked to a repository, the complete path of the link target is displayed.
    ReleaseThe product release number.
    MessageDisplays a message if configured.
  9. If you want to close the window, click Done.
  10. Alternatively, if you want to create a report, perform the following next steps.

3. How to Create a Report Based on the Changes

In the RCS Versions window, you can generate an RCS report to compare and view information for specific configuration versions. For configuration objects that contain at least one sub-node, you can also filter RCS reports for specific time periods and administrator IP addresses.

  1. Open the RCS versions page.
  2. Select the versions that you want to include in the report. To select a range of versions, click the first version and last version in the range of interest. Then select the Full History check box. To select all versions, click Select All.
  3. Click the button Show Differences... .
  4. The RCS Report window is displayed.
    rcs_improvements_rcs_report_list.png
  5. The RCS Report window displays the following information:

    OptionsDescription
    NodeDisplays change in a tree structure. The first level specifies the name of the configuration entity, the second level specifies the name of the data set, the third level specifies the position in the configuration dialog, and the fourth level specifies the object of editing.
    Operation

    The type of change made:

    Move - The position of the configuration entry was moved in the hierarchy (for example moving a rule up or down in a rule set).
    * - Indicates that multiple changes were made to the configuration entry.

    NewThe new value of the configuration entity.
    OldThe old value of the configuration entity. The New and Old columns may contain multiple lines. To view all the lines, expand the nodes in the Node column or right-click the Details… from the context menu.
    VersionDisplays the version number when editing is displayed. If there are multiple version numbers within this node, the column displays: *
    StampThe date and time when the configuration was modified. Unless you have changed the time settings for the system, the UTC time format is used. The date and time are formatted as follows: yyyy/mm/dd hh:mm:ss
    AdminThe name of the administrator who made changes to the configuration version.
    PeerThe IP address of the administrator who made changes for the configuration version. If the same IP address is entered multiple times within a firewall rule, the RCS Report window may display incorrect change history even if the change was correctly deployed.
    Querying Details from the Report
  1. At this point, you have the option to get more detailed information from the report:
    1. You can right-click the RCS Report columns and select any of the following options to modify the column view or print the report:

      • Details – Opens the RCS Report Detail window, which displays the column information in a more readable format (recommended for multi-line entries).
        rcs_improvement_show_details_from_report.png
      • Expand and Expand All – Expands a selected node or all nodes.
      • Collapse and Collapse (All) – Collapses a selected node or all nodes.
      • Print (Visible Only, Landscape/Portrait) – Prints the display as it is displayed. You can print the report in landscape or portrait orientation. The landscape orientation is recommended.
      • Print (All, Landscape/Portrait) – Prints all the information in the report. You can print the report in landscape or portrait orientation. The landscape orientation is recommended.

      The toolbar at the bottom of the RCS Report window offers the following functionalities:

      • Search String – In this empty field, you can enter the string you want to search for. Wildcards are not supported.
      • << Find / Find >> – Navigate up and down the report to find the specified search string.
      • Import … / Export … – Export the report into a *.prp file for archiving purposes or import an archived prp file.
      • << Prev / Next >> – Navigate between the selected configuration versions.
  2. If you want to export the list of changes, click Export.
  3. Enter a file name in the file creation window and click Save.
  4. If you want to close the window, click Done.

4. Reverting a Configuration to a Specific Version

With the exception of the nodes and services mentioned at the beginning of this article, you can revert any specific configuration to an earlier stored configuration.

This example assumes that you want to revert the Network node.

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. Click Lock.
  3. Click RCS in the blue ribbon bar.
  4. A drop-down menu list is displayed.
  5. In the list, click Retrieve versions... .
  6. The RCS Versions window is displayed.
    rcs_improvements_RCS_window_for_selecting_version_to_revert.png
  7. Select the required line of the version you want to restore the configuration for.
  8. Click Choose.
  9. The configuration page now displays all values that were stored under the selected version.
  10. Click RCS.
  11. The drop-down menu is displayed and now shows the entry Accept Version.
    rcs_improvement_accept_version.png
  12. Select Accept Version.
  13. A dialog window opens and asks if you want to accept using an old version of the configuration.
    rcs_improvements_dialog_accept_old_version.png
  14. Click the Yes button to accept your selected old version.
  15. Click Send Changes.
  16. Click Activate.