On This Page
From January 01, 2023, TOS R21-3 Classic is EOL. Technical support will be available for a limited period to customers with Extended Support agreements.
Running the APG CLI
After you prepare the log files (Getting Logs for APG, Collecting Log Files), you can generate an actual firewall policy from the log files with the command:
st_apg_gen <parameters>
where <parameters> is a list of any of the below parameters, each parameter name followed by =<value> . For example:
st_apg_gen --conf=/usr/local/st/conf/apg_conf.xml --input=logs.txt --output=policy --output-format=html --min-net-coverage=10 --min-net-size=28 --include-broadcast=0 --any-threshold=100Available parameters and values are:
Input/output parameters:
--conf: The APG configuration file. The default is located in:/usr/local/st/conf/apg_conf.xml--input:A prepared log file (Getting Logs for APG, Collecting Log Files).--output: A prefix for the output filename. The APG output phase (default: 5) and an extension will be appended to the filename.-
--output-format: The format for the generated firewall policy. The value must be one of the following:txtxmlhtml
Parameters for rule consolidation:
--min-net-coverage: An integer between 1 and 100, indicating the minimum percentage that logged traffic needs to be of a network for network consolidation.--min-net-size: An integer between 1 and 32, indicating the minimal subnet length (in CIDR notation) that is allowed to be created by network consolidation.--include-broadcast: 0 or 1, determining whether or not to include the broadcast address in network consolidation.--any-threshold: An integer indicating the minimum number of traffic logs for Any consolidation.
