Getting a Policy Configuration File for Offline Analysis

You can use these commands to get policy configuration files for offline analysis.

Check Point

Offline configuration is not supported for Check Point R80 and above.

To get a Check Point policy configuration file:

Download the R70 tool archive, and extract the contents to any location on the SmartDashboard host.
On the SmartDashboard host, open a Windows command line, navigate to the tool's saved location, and run:
```
st_cpmi_pull_win.exe <file> <ip>
```
st_cpmi_pull_win.exe <file> <ip>
Where:

<file> - a name for the output file

<ip> - the IP address of the relevant offline Check Point management server
When prompted, type the username and password of a user authorized for the Check Point management server (can be read-only).

Fortinet

To get an offline configuration from Fortigate firewalls:

Open a command line to the device.

For a virtual device, make sure to connect directly to the virtual device (not through the parent device).
Run these commands:
- For a VDOM-enabled Fortigate device:
  1. Run these commands:
    config global config system console set output standard end end
    config global config system console set output standard end end
  2. Print the configuration:
    config vdom edit VDOM_NAME show get system status show full-configuration firewall service custom show full-configuration firewall service group show full-configuration firewall address show full-configuration firewall addrgrp show full-configuration firewall schedule onetime show full-configuration firewall schedule recurring show full-configuration firewall vip show full-configuration firewall vipgrp show full-configuration firewall policy show full-configuration router static show full-configuration system interface show full-configuration system zone
    config vdom edit VDOM_NAME show get system status show full-configuration firewall service custom show full-configuration firewall service group show full-configuration firewall address show full-configuration firewall addrgrp show full-configuration firewall schedule onetime show full-configuration firewall schedule recurring show full-configuration firewall vip show full-configuration firewall vipgrp show full-configuration firewall policy show full-configuration router static show full-configuration system interface show full-configuration system zone
  3. Copy the configuration output to a text file.
  In a Fortinet Virtual Domain, you may receive some error messages, which can be safely ignored. The configuration output may be provided one page at a time.
  
  Each virtual domain collected should be imported as a standalone Fortigate Firewall.
  
  The license required is for a Firewall (and not a Virtual Firewall).
  
  Shared router configurations will not be imported.
- For other Fortigate devices:
  1. Run these commands:
    config system console set output standard end
    config system console set output standard end
  2. Print the configuration:
    show
    show get system status show full-configuration firewall service custom show full-configuration firewall service group show full-configuration firewall address show full-configuration firewall addrgrp show full-configuration firewall schedule onetime show full-configuration firewall schedule recurring show full-configuration firewall vip show full-configuration firewall vipgrp show full-configuration firewall policy show full-configuration router static show full-configuration system interface show full-configuration system zone
    show get system status show full-configuration firewall service custom show full-configuration firewall service group show full-configuration firewall address show full-configuration firewall addrgrp show full-configuration firewall schedule onetime show full-configuration firewall schedule recurring show full-configuration firewall vip show full-configuration firewall vipgrp show full-configuration firewall policy show full-configuration router static show full-configuration system interface show full-configuration system zone
  3. Copy the configuration output to a text file.

Forcepoint

Open a command line to the device.
Run these commands:
```
srole
cf -J interface query
cf -J subnet query
cf -J netgroup query
cf -J iprange query
cf -J ipaddr query
cf -J domain query
cf -JK name,description,download_path geolocation query | grep -v download_path
cf -JK name,description host query
cf -JK name,description netmap query
cf appdb version
cf -J externalgroup query
cf -J application query
cf -J appgroup query
cf appdb list verbose=on
cf -J zone query
cf -J zonegroup query
cf -J route query
cf -J udb query
cf -J externalgroup query
cf -J usergroup query
cf -JK table,name,action,disable,source_zones,dest_zones,source,dest,application,ssl_ports,tcp_ports,udp_ports,authgroups,description  policy query
exit
exit
```
srole cf -J interface query cf -J subnet query cf -J netgroup query cf -J iprange query cf -J ipaddr query cf -J domain query cf -JK name,description,download_path geolocation query | grep -v download_path cf -JK name,description host query cf -JK name,description netmap query cf appdb version cf -J externalgroup query cf -J application query cf -J appgroup query cf appdb list verbose=on cf -J zone query cf -J zonegroup query cf -J route query cf -J udb query cf -J externalgroup query cf -J usergroup query cf -JK table,name,action,disable,source_zones,dest_zones,source,dest,application,ssl_ports,tcp_ports,udp_ports,authgroups,description policy query exit exit
Copy the configuration output to a text file.

Palo Alto

To get an offline configuration from Palo Alto firewalls:

Make sure you have network connectivity between SecureTrack and the Palo Alto firewall.
Run the commands:
```
cd /usr/local/st
./st_paloalto_fw_login.pl ssl <ip> <user> <timeout> 443 <vsys> offline > <offline_file>
```
cd /usr/local/st ./st_paloalto_fw_login.pl ssl <ip> <user> <timeout> 443 <vsys> offline > <offline_file>
Where:

<ip> – IP address of the firewall

<user> – a user with the superuser Admin Role for the firewall

<timeout> – seconds to wait for a response from the device (recommended: at least 120)

<vsys> – the ID of the vsys, such as vsys1; you can find the vsys ID in the device web interface in Device > Virtual Systems

For devices that do not support vsys or for devices that do not yet contain vsys, we recommend that you change the run script from <vsys> to vsys1.
Note that certain versions of Palo Alto do not have Virtual Systems listed under Devices.
When prompted, enter the password of the user account.

Other Devices

To get a policy configuration file from other devices:

Open a command line to the device.

For a virtual device, make sure to connect directly to the virtual device (not through the parent device).
Run these commands:
- On Cisco firewalls:
```
show running-config
```
  show running-config
- On Netscreen firewalls:
```
get config
get zone all
```
  get config get zone all
  For each zone run: get zone id <zone id> | include "(Zone name)|(interface)"
- On JunOS devices:
```
show configuration | display set | no-more
show configuration | display inheritance defaults | display xml | no-more
show configuration | display detail | display xml | display omit | no-more
show configuration policy-options | display inheritance | no-more
```
  show configuration | display set | no-more show configuration | display inheritance defaults | display xml | no-more show configuration | display detail | display xml | display omit | no-more show configuration policy-options | display inheritance | no-more
- On IPtables firewalls:
```
iptables-save
```
  iptables-save
  Copy the output except for the first line (# Generated by...) and last line (# Completed on...).
- On F5 devices: (For the Common partition only)
```
show running config
```
  show running config
Copy the configuration output to a text file.