Getting a Policy Configuration File for Offline Analysis

You can use these commands to get policy configuration files for offline analysis.

Check Point

Offline configuration is not supported for Check Point R80 and above.

To get a Check Point policy configuration file:

  1. Download the R70 tool archive, and extract the contents to any location on the SmartDashboard host.

  2. On the SmartDashboard host, open a Windows command line, navigate to the tool's saved location, and run:

    st_cpmi_pull_win.exe <file> <ip>

    Where:

    <file> - a name for the output file

    <ip> - the IP address of the relevant offline Check Point management server

  3. When prompted, type the username and password of a user authorized for the Check Point management server (can be read-only).

Fortinet

To get an offline configuration from Fortigate firewalls:

  1. Open a command line to the device.

    For a virtual device, make sure to connect directly to the virtual device (not through the parent device).

  2. Run these commands:

    • For a VDOM-enabled Fortigate device:

      1. Run these commands:

        config global
        config system console
        set output standard
        end
        end
      2. Print the configuration:

        config vdom
        edit VDOM_NAME
        show
        get system status
        show full-configuration firewall service custom
        show full-configuration firewall service group
        show full-configuration firewall address
        show full-configuration firewall addrgrp
        show full-configuration firewall schedule onetime
        show full-configuration firewall schedule recurring
        show full-configuration firewall vip
        show full-configuration firewall vipgrp
        show full-configuration firewall policy
        show full-configuration router static
        show full-configuration system interface
        show full-configuration system zone
        (where VDOM_NAME is the name of the desired VDOM)

      3. Copy the configuration output to a text file.

      In a Fortinet Virtual Domain, you may receive some error messages, which can be safely ignored. The configuration output may be provided one page at a time.

      Each virtual domain collected should be imported as a standalone Fortigate Firewall.

      The license required is for a Firewall (and not a Virtual Firewall).

      Shared router configurations will not be imported.

    • For other Fortigate devices:

      1. Run these commands:

        config system console
        set output standard
        end
      2. Print the configuration:

        show
        get system status
        show full-configuration firewall service custom
        show full-configuration firewall service group
        show full-configuration firewall address
        show full-configuration firewall addrgrp
        show full-configuration firewall schedule onetime
        show full-configuration firewall schedule recurring
        show full-configuration firewall vip
        show full-configuration firewall vipgrp
        show full-configuration firewall policy
        show full-configuration router static
        show full-configuration system interface
        show full-configuration system zone
      3. Copy the configuration output to a text file.
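Once the Fortigate output is saved to a text file, it can be read offline. The following is an added example (not SecureTrack or Fortinet code) that parses the config/edit/set/next/end block syntax of the show full-configuration output into nested dicts and flags policies that accept any source, any destination and any service; the sample text is constructed.

```python
"""Parse FortiGate 'show full-configuration' output for offline analysis.
Added example, not SecureTrack or Fortinet code; the sample is constructed."""
import shlex

# Constructed sample in the CLI's config/edit/set/next/end syntax.
SAMPLE = """\
config firewall policy
    edit 1
        set name "allow-web"
        set srcaddr "all"
        set dstaddr "web-servers"
        set service "HTTP" "HTTPS"
        set action accept
    next
    edit 2
        set name "temp-any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
    next
end
"""

def parse_fortigate(text):
    """Return nested dicts: {section: {entry: {key: [values]}}}."""
    stack = [{}]                               # stack[0] is the root
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())      # honours "quoted values"
        if not tokens or tokens[0].startswith("#"):
            continue                           # blank or #config-version line
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):          # open a nested block
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set" and args:            # attribute with one or more values
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()                        # close block (never pop the root)
    return stack[0]

def permissive_policies(cfg):
    """IDs of policies accepting any source, any destination, any service."""
    return [pid for pid, rule in cfg.get("firewall policy", {}).items()
            if rule.get("action") == ["accept"]
            and rule.get("srcaddr") == ["all"]
            and rule.get("dstaddr") == ["all"]
            and rule.get("service") == ["ALL"]]

if __name__ == "__main__":
    print(permissive_policies(parse_fortigate(SAMPLE)))   # ['2']
```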

Forcepoint

  1. Open a command line to the device.

  2. Run these commands:

    srole
    cf -J interface query
    cf -J subnet query
    cf -J netgroup query
    cf -J iprange query
    cf -J ipaddr query
    cf -J domain query
    cf -JK name,description,download_path geolocation query | grep -v download_path
    cf -JK name,description host query
    cf -JK name,description netmap query
    cf appdb version
    cf -J externalgroup query
    cf -J application query
    cf -J appgroup query
    cf appdb list verbose=on
    cf -J zone query
    cf -J zonegroup query
    cf -J route query
    cf -J udb query
    cf -J externalgroup query
    cf -J usergroup query
    cf -JK table,name,action,disable,source_zones,dest_zones,source,dest,application,ssl_ports,tcp_ports,udp_ports,authgroups,description policy query
    exit
    exit
  3. Copy the configuration output to a text file.

Palo Alto

To get an offline configuration from Palo Alto firewalls:

  1. Make sure you have network connectivity between SecureTrack and the Palo Alto firewall.

  2. Run the commands:

    cd /usr/local/st
    ./st_paloalto_fw_login.pl ssl <ip> <user> <timeout> 443 <vsys> offline > <offline_file>

    Where:

    <ip> – IP address of the firewall

    <user> – a user with the superuser Admin Role for the firewall

    <timeout> – seconds to wait for a response from the device (recommended: at least 120)

    <vsys> – the ID of the vsys, such as vsys1; you can find the vsys ID in the device web interface in Device > Virtual Systems

    For devices that do not support vsys, or that do not yet contain any vsys, we recommend replacing <vsys> with vsys1 when you run the script.
    Note that certain versions of Palo Alto do not list Virtual Systems under Device.

  3. When prompted, enter the password of the user account.

Other Devices

To get a policy configuration file from other devices:

  1. Open a command line to the device.

    For a virtual device, make sure to connect directly to the virtual device (not through the parent device).

  2. Run these commands:

    • On Cisco firewalls:

      show running-config
    • On Netscreen firewalls:

      get config
      get zone all

      For each zone run: get zone id <zone id> | include "(Zone name)|(interface)"

    • On JunOS devices:

      show configuration | display set | no-more
      show configuration | display inheritance defaults | display xml | no-more
      show configuration | display detail | display xml | display omit | no-more
      show configuration policy-options | display inheritance | no-more
    • On IPtables firewalls:

      iptables-save

      Copy the output except for the first line (# Generated by...) and last line (# Completed on...).

    • On F5 devices: (For the Common partition only)

      show running config
  3. Copy the configuration output to a text file.