Getting a Policy Configuration File for Offline Analysis
You can use these commands to get policy configuration files for offline analysis.
Check Point
To get a Check Point policy configuration file:
-
Download the R70 tool archive, and extract the contents to any location on the SmartDashboard host.
-
On the SmartDashboard host, open a Windows command line, navigate to the tool's saved location, and run:
Where:
<file> - a name for the output file
<ip> - the IP address of the relevant offline Check Point management server
-
When prompted, type the username and password of a user authorized for the Check Point management server (can be read-only).
Fortinet
To get an offline configuration from Fortigate firewalls:
-
Open a command line to the device.
For a virtual device, make sure to connect directly to the virtual device (not through the parent device).
-
Run these commands to print the configuration:
-
For a VDOM-enabled Fortigate device (where VDOM_NAME is the name of the desired VDOM):
config vdom
edit VDOM_NAME
show
get system status
show full-configuration firewall service custom
show full-configuration firewall service group
show full-configuration firewall address
show full-configuration firewall addrgrp
show full-configuration firewall schedule onetime
show full-configuration firewall schedule recurring
show full-configuration firewall vip
show full-configuration firewall vipgrp
show full-configuration firewall policy
show full-configuration router static
show full-configuration system interface
show full-configuration system zone
In a Fortinet Virtual Domain, you may receive some error messages, which can be safely ignored. The configuration output may be provided one page at a time.
Each virtual domain collected should be imported as a standalone Fortigate Firewall.
The license required is for a Firewall (and not a Virtual Firewall).
Shared router configurations will not be imported.
-
For other Fortigate devices:
show
get system status
show full-configuration firewall service custom
show full-configuration firewall service group
show full-configuration firewall address
show full-configuration firewall addrgrp
show full-configuration firewall schedule onetime
show full-configuration firewall schedule recurring
show full-configuration firewall vip
show full-configuration firewall vipgrp
show full-configuration firewall policy
show full-configuration router static
show full-configuration system interface
show full-configuration system zone
-
Copy the configuration output to a text file.
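The Fortigate steps above are the same command list typed by hand for every device, with an extra wrapper when a VDOM is involved. The script below is an added example (not from the page, and not a Fortinet or SecureTrack tool) that emits that command script for one device so it can be fed to the CLI in one go and captured straight to the text file the final step asks for. The host address and admin name in the usage comment are placeholders. The pager-disable lines at the top are an assumption not mentioned on the page: FortiOS's "config system console / set output standard" stops the output being delivered one page at a time, and on a VDOM-enabled device that setting sits under "config global".

```shell
#!/bin/sh
# Added example (not the page's own code): print the Fortigate command
# script from the steps above.
#   fortigate_cmds            -> script for a device without VDOMs
#   fortigate_cmds VDOM_NAME  -> script wrapped in "config vdom / edit VDOM_NAME"

fortigate_cmds() {
    vdom="$1"
    # Assumption (not on the page): turn off the CLI pager so the capture is
    # not split into pages. On a VDOM-enabled device this is a global setting.
    if [ -n "$vdom" ]; then
        printf '%s\n' 'config global'
    fi
    printf '%s\n' 'config system console' 'set output standard' 'end'
    if [ -n "$vdom" ]; then
        # leave the global context, then enter the requested VDOM
        printf '%s\n' 'end' 'config vdom' "edit $vdom"
    fi
    # The commands the page lists, in the same order.
    printf '%s\n' \
        'show' \
        'get system status' \
        'show full-configuration firewall service custom' \
        'show full-configuration firewall service group' \
        'show full-configuration firewall address' \
        'show full-configuration firewall addrgrp' \
        'show full-configuration firewall schedule onetime' \
        'show full-configuration firewall schedule recurring' \
        'show full-configuration firewall vip' \
        'show full-configuration firewall vipgrp' \
        'show full-configuration firewall policy' \
        'show full-configuration router static' \
        'show full-configuration system interface' \
        'show full-configuration system zone'
    if [ -n "$vdom" ]; then
        printf '%s\n' 'end'
    fi
    printf '%s\n' 'exit'
}

# Usage (placeholder host and admin account). One file per VDOM, because
# each VDOM is imported as a standalone Fortigate firewall:
#   fortigate_cmds VDOM_NAME | ssh admin@192.0.2.1 > fortigate_VDOM_NAME.txt
#   fortigate_cmds           | ssh admin@192.0.2.1 > fortigate.txt
```

If the device refuses to read commands from standard input, paste the printed script into an interactive session instead; the order of the commands is what matters, and the error messages the page mentions for VDOM captures can still be ignored.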
Forcepoint
To get an offline configuration from a Forcepoint device:
-
Open a command line to the device.
-
Run these commands:
srole
cf -J interface query
cf -J subnet query
cf -J netgroup query
cf -J iprange query
cf -J ipaddr query
cf -J domain query
cf -JK name,description,download_path geolocation query | grep -v download_path
cf -JK name,description host query
cf -JK name,description netmap query
cf appdb version
cf -J externalgroup query
cf -J application query
cf -J appgroup query
cf appdb list verbose=on
cf -J zone query
cf -J zonegroup query
cf -J route query
cf -J udb query
cf -J externalgroup query
cf -J usergroup query
cf -JK table,name,action,disable,source_zones,dest_zones,source,dest,application,ssl_ports,tcp_ports,udp_ports,authgroups,description policy query
exit
-
Copy the configuration output to a text file.
Palo Alto
To get an offline configuration from Palo Alto firewalls:
-
Make sure you have network connectivity between SecureTrack and the Palo Alto firewall.
-
Run the commands:
cd /usr/local/st
./st_paloalto_fw_login.pl ssl <ip> <user> <timeout> 443 <vsys> offline > <offline_file>
Where:
<ip> – IP address of the firewall
<user> – a user with the superuser Admin Role for the firewall
<timeout> – seconds to wait for a response from the device (recommended: at least 120)
<vsys> – the ID of the vsys, such as vsys1; you can find the vsys ID in the device web interface in Device > Virtual Systems
<offline_file> – a name for the output file
For devices that do not support vsys, or that do not yet contain any vsys, replace <vsys> with vsys1.
Note that certain versions of Palo Alto do not list Virtual Systems under Device.
-
When prompted, enter the password of the user account.
Other Devices
To get a policy configuration file from other devices:
-
Open a command line to the device.
For a virtual device, make sure to connect directly to the virtual device (not through the parent device).
-
Run these commands:
-
On Cisco firewalls:
-
On Netscreen firewalls:
For each zone run:
get zone id <zone id> | include "(Zone name)|(interface)"
-
On JunOS devices:
show configuration | display set | no-more
show configuration | display inheritance defaults | display xml | no-more
show configuration | display detail | display xml | display omit | no-more
show configuration policy-options | display inheritance | no-more
-
On IPtables firewalls:
Copy the output except for the first line (# Generated by...) and the last line (# Completed on...).
-
On F5 devices: (For the Common partition only)
-
-
Copy the configuration output to a text file.
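For the IPtables step above, the lines to leave out are the comment markers that iptables-save writes around the rules; the page does not name the source command, so treating the capture as iptables-save output is an assumption here. The filter below is an added example (not from the page) that drops every such marker line instead of only the first and last. That also covers captures with more than one table, where iptables-save repeats the "# Generated by" / "# Completed on" pair around each table and the first-and-last rule would leave the inner markers in. The sample input is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not the page's own code): remove the iptables-save comment
# markers from a captured rule dump, leaving only the tables, chains and rules.

strip_iptables_wrapper() {
    grep -v -e '^# Generated by ' -e '^# Completed on '
}

# Constructed two-table sample in iptables-save format (assumption: this is
# the format of the capture; not taken from a real system).
SAMPLE_IPTABLES='# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Jan  1 00:00:00 2024
# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 00:00:00 2024'

# Usage on the sample, or on a real dump:
#   printf '%s\n' "$SAMPLE_IPTABLES" | strip_iptables_wrapper > iptables.txt
#   iptables-save | strip_iptables_wrapper > iptables.txt
```

The filter matches on the fixed prefix of each marker rather than on line position, so it is safe to run over a dump from a host with several tables loaded, and it leaves the "*table", chain policy and "COMMIT" lines intact because the import needs them.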