Policy Configuration File for Offline Analysis

You can use these commands to get policy configuration files for offline analysis.

Fortinet

To get an offline configuration from Fortigate firewalls:

  1. Open a command line to the device.

    For a virtual device, make sure to connect directly to the virtual device (not through the parent device).

  2. Run these commands:

    • For a VDOM-enabled Fortigate device:

      1. Run these commands:

        config global
        config system console
        set output standard
        end
        end
        config global config system console set output standard end end
      2. Print the configuration:

        config vdom
        edit VDOM_NAME
        show
        get system status
        show full-configuration firewall service custom
        show full-configuration firewall service group
        show full-configuration firewall address
        show full-configuration firewall addrgrp
        show full-configuration firewall schedule onetime
        show full-configuration firewall schedule recurring
        show full-configuration firewall vip
        show full-configuration firewall vipgrp
        show full-configuration firewall policy
        show full-configuration router static
        show full-configuration system interface
        show full-configuration system zone
        config vdom edit VDOM_NAME show get system status show full-configuration firewall service custom show full-configuration firewall service group show full-configuration firewall address show full-configuration firewall addrgrp show full-configuration firewall schedule onetime show full-configuration firewall schedule recurring show full-configuration firewall vip show full-configuration firewall vipgrp show full-configuration firewall policy show full-configuration router static show full-configuration system interface show full-configuration system zone
      3. (where VDOM_NAME is the name of the desired VDOM)

      4. Copy the configuration output to a text file.

      In a Fortinet Virtual Domain, you may receive some error messages, which can be safely ignored. The configuration output may be provided one page at a time.

      Each virtual domain collected should be imported as a standalone Fortigate Firewall.

      The license required is for a Firewall (and not a Virtual Firewall).

      Shared router configurations will not be imported.

    • For other Fortigate devices:

      1. Run these commands:

        config system console
        set output standard
        end
        config system console set output standard end
      2. Print the configuration:

        show
        show
        get system status
        show full-configuration firewall service custom
        show full-configuration firewall service group
        show full-configuration firewall address
        show full-configuration firewall addrgrp
        show full-configuration firewall schedule onetime
        show full-configuration firewall schedule recurring
        show full-configuration firewall vip
        show full-configuration firewall vipgrp
        show full-configuration firewall policy
        show full-configuration router static
        show full-configuration system interface
        show full-configuration system zone
        show get system status show full-configuration firewall service custom show full-configuration firewall service group show full-configuration firewall address show full-configuration firewall addrgrp show full-configuration firewall schedule onetime show full-configuration firewall schedule recurring show full-configuration firewall vip show full-configuration firewall vipgrp show full-configuration firewall policy show full-configuration router static show full-configuration system interface show full-configuration system zone
      3. Copy the configuration output to a text file.

Palo Alto

To get an offline configuration from Palo Alto firewalls:

  1. Make sure you have network connectivity between SecureTrack and the Palo Alto firewall.

  2. Run the following commands on the primary data node.

  3. Run the command:

    kubectl get pods | grep tss
    kubectl get pods | grep tss

    The output will be a string similar to the example below:

    tss-9cd5cd823-z6mma
  4. Copy the output string to the clipboard.

  5. Run the command:

    kubectl exec -it <COPIED TEXT> -c tss bash
    kubectl exec -it <COPIED TEXT> -c tss bash

    Where:

    <COPIED TEXT> - output string copied previously to the clipboard

  6. Run the commands:

    cd /usr/local/st
    ./st_paloalto_fw_login.pl ssl <ip> <user> <timeout> 443 <vsys> offline > <offline_file>
    cd /usr/local/st ./st_paloalto_fw_login.pl ssl <ip> <user> <timeout> 443 <vsys> offline > <offline_file>

    Where:

    <ip> – IP address of the firewall

    <user> – a user with the superuser Admin Role for the firewall

    <timeout> – seconds to wait for a response from the device (recommended: at least 120)

    <vsys> – the ID of the vsys, such as vsys1; you can find the vsys ID in the device web interface in Device > Virtual Systems

    For devices that do not support vsys or for devices that do not yet contain vsys, we recommend that you change the run script from <vsys> to vsys1.
    Note that certain versions of Palo Alto do not have Virtual Systems listed under Devices.

  7. When prompted, enter the password of the user account.

Other Devices

To get a policy configuration file from other devices:

  1. Open a command line to the device.

    For a virtual device, make sure to connect directly to the virtual device (not through the parent device).

  2. Run these commands:

    • On Cisco devices:

      show running-config
      show running-config

      If you need dynamic topology data, contact Tufin Support for assistance.

    • On Netscreen firewalls:

      get config
      get zone all
      get config get zone all

      For each zone run: get zone id <zone id> | include "(Zone name)|(interface)"

    • On JunOS devices:

      show configuration | display set | no-more
      show configuration | display inheritance defaults | display xml | no-more
      show configuration | display detail | display xml | display omit | no-more
      show configuration policy-options | display inheritance | no-more
      show configuration | display set | no-more show configuration | display inheritance defaults | display xml | no-more show configuration | display detail | display xml | display omit | no-more show configuration policy-options | display inheritance | no-more
    • On IPtables firewalls:

      iptables-save
      iptables-save

      Copy the output except for the first line (# Generated by...) and last line (# Completed on...).

    • On F5 devices: (For the Common partition only)

      show running config
      show running config
  3. Copy the configuration output to a text file.