Getting a Policy Configuration File for Offline Analysis

You can use these commands to get policy configuration files for offline analysis.

Check Point

Offline configuration is not supported for Check Point R80 and above.

To get a Check Point policy configuration file:

  1. Download the R70 tool archive, and extract the contents to any location on the SmartDashboard host.

  2. On the SmartDashboard host, open a Windows command line, navigate to the tool's saved location, and run:

    st_cpmi_pull_win.exe <file> <ip>

    Where:

    <file> - a name for the output file

    <ip> - the IP address of the relevant offline Check Point management server

  3. When prompted, type the username and password of a user authorized for the Check Point management server (can be read-only).

Fortinet

To get an offline configuration from Fortigate firewalls:

  1. Open a command line to the device.

    For a virtual device, make sure to connect directly to the virtual device (not through the parent device).

  2. Run these commands:

    • For a VDOM-enabled Fortigate device:

      1. Run these commands:

        config global
        config system console
        set output standard
        end
        end

      2. Print the configuration:

        config vdom
        edit VDOM_NAME
        show
        get system status
        show full-configuration firewall service custom
        show full-configuration firewall service group
        show full-configuration firewall address
        show full-configuration firewall addrgrp
        show full-configuration firewall schedule onetime
        show full-configuration firewall schedule recurring
        show full-configuration firewall vip
        show full-configuration firewall vipgrp
        show full-configuration firewall policy
        show full-configuration router static
        show full-configuration system interface
        show full-configuration system zone

        (where VDOM_NAME is the name of the desired VDOM)

      3. Copy the configuration output to a text file.

      In a Fortinet Virtual Domain, you may receive some error messages, which can be safely ignored. The configuration output may be provided one page at a time.

      Each virtual domain collected should be imported as a standalone Fortigate Firewall.

      The license required is for a Firewall (and not a Virtual Firewall).

      Shared router configurations will not be imported.

    • For other Fortigate devices:

      1. Run these commands:

        config system console
        set output standard
        end

      2. Print the configuration:

        show
        get system status
        show full-configuration firewall service custom
        show full-configuration firewall service group
        show full-configuration firewall address
        show full-configuration firewall addrgrp
        show full-configuration firewall schedule onetime
        show full-configuration firewall schedule recurring
        show full-configuration firewall vip
        show full-configuration firewall vipgrp
        show full-configuration firewall policy
        show full-configuration router static
        show full-configuration system interface
        show full-configuration system zone

      3. Copy the configuration output to a text file.

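As an added example (not Tufin's documentation or tooling), the following POSIX shell script builds the command sequence above for a given VDOM, or the non-VDOM sequence when no name is given, and captures each VDOM into its own file because every VDOM is imported as a standalone firewall. It assumes SSH access with an administrative account and that the FortiGate CLI accepts the commands on standard input; the `admin` user name and the output file naming are placeholders.

```shell
#!/bin/sh
# Added example, not part of Tufin's documentation or tooling.
# Print the collection command sequence for one VDOM, or the sequence for
# a non-VDOM device when called without an argument.
fortigate_commands() {
    vdom="$1"
    if [ -n "$vdom" ]; then
        # VDOM-enabled device: disable paging globally, then enter the VDOM
        printf '%s\n' 'config global' 'config system console' \
            'set output standard' 'end' 'end' 'config vdom' "edit $vdom"
    else
        printf '%s\n' 'config system console' 'set output standard' 'end'
    fi
    printf '%s\n' 'show' 'get system status'
    for obj in 'firewall service custom' 'firewall service group' \
               'firewall address' 'firewall addrgrp' \
               'firewall schedule onetime' 'firewall schedule recurring' \
               'firewall vip' 'firewall vipgrp' 'firewall policy' \
               'router static' 'system interface' 'system zone'; do
        printf 'show full-configuration %s\n' "$obj"
    done
}

# Collect every named VDOM of one device into its own text file so each can
# be imported as a standalone firewall. Assumes (not from the page) that an
# SSH admin login exists and that the CLI reads commands from stdin.
collect_vdoms() {
    host="$1"; shift
    for vdom in "$@"; do
        fortigate_commands "$vdom" | ssh "admin@$host" \
            > "fortigate_${host}_${vdom}.txt" || return 1
    done
}
```

Usage: `collect_vdoms 192.0.2.10 root DMZ Guest` writes one file per VDOM; `fortigate_commands` alone prints the non-VDOM sequence for piping into a single-VDOM device.
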
Palo Alto

To get an offline configuration from Palo Alto firewalls:

  1. Make sure you have network connectivity between SecureTrack and the Palo Alto firewall.

  2. Run the following commands on the primary data node.

  3. Run the command:

    kubectl get pods | grep device-collector

    The output will be a string similar to the example below:

    device-collector-9cd5cd823-z6mma

  4. Copy the output string to the clipboard.

  5. Run the command:

    kubectl exec -it <COPIED TEXT> -c device-collector bash

    Where:

    <COPIED TEXT> - output string copied previously to the clipboard

  6. Run the commands:

    cd /usr/local/st
    ./st_paloalto_fw_login.pl ssl <ip> <user> <timeout> 443 <vsys> offline > <offline_file>

    Where:

    <ip> – IP address of the firewall

    <user> – a user with the superuser Admin Role for the firewall

    <timeout> – seconds to wait for a response from the device (recommended: at least 120)

    <vsys> – the ID of the vsys, such as vsys1; you can find the vsys ID in the device web interface in Device > Virtual Systems

    For devices that do not support vsys, or that do not yet contain any vsys, replace <vsys> in the command with vsys1.
    Note that certain Palo Alto versions do not list Virtual Systems under Device.

  7. When prompted, enter the password of the user account.

Other Devices

To get a policy configuration file from other devices:

  1. Open a command line to the device.

    For a virtual device, make sure to connect directly to the virtual device (not through the parent device).

  2. Run these commands:

    • On Cisco devices:

      show running-config

      If you need dynamic topology data, contact Tufin Support for assistance.

    • On Netscreen firewalls:

      get config
      get zone all

      For each zone run: get zone id <zone id> | include "(Zone name)|(interface)"

    • On JunOS devices:

      show configuration | display set | no-more
      show configuration | display inheritance defaults | display xml | no-more
      show configuration | display detail | display xml | display omit | no-more
      show configuration policy-options | display inheritance | no-more

    • On IPtables firewalls:

      iptables-save

      Copy the output except for the first line (# Generated by...) and last line (# Completed on...).

    • On F5 devices (Common partition only):

      show running config

  3. Copy the configuration output to a text file.
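The IPtables step above asks for the output minus its first and last comment lines. As an added example (not from the page), this POSIX shell function does that trim on a saved `iptables-save` dump and refuses input that lacks either marker, which catches a wrong file, a truncated capture, or a dump that was already trimmed.

```shell
#!/bin/sh
# Added example, not from the page: remove the "# Generated by ..." first
# line and "# Completed on ..." last line from a saved iptables-save dump,
# and refuse input that does not carry both markers.
trim_iptables_save() {
    infile="$1"
    first=$(head -n 1 "$infile")
    last=$(tail -n 1 "$infile")
    case "$first" in
        '# Generated by'*) ;;
        *) echo "not an iptables-save dump (first line: $first)" >&2; return 1 ;;
    esac
    case "$last" in
        '# Completed on'*) ;;
        *) echo "dump looks truncated (last line: $last)" >&2; return 1 ;;
    esac
    # Both markers present: drop exactly the first and last lines
    sed '1d;$d' "$infile"
}
```

Usage: `trim_iptables_save saved-rules.txt > firewall-policy.txt`, where the input is the file you captured from `iptables-save`.
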