Configuring APG CLI
You can edit the APG configuration file (apg_conf.xml) to:
- Customize when and how the APG consolidates multiple connections into whole networks or into 'Any' rules
- Exclude connections from the APG analysis
- Specify the input file, and the output file and file format
You can define all of these options in the XML configuration file and specify that the APG command use this configuration file. If you define any of these options directly as arguments in the APG command, the CLI parameters override the definitions from the configuration file.
The default path of the configuration file is /usr/local/st/conf/apg_conf.xml. If you save the configuration file under a different name or location, you must pass that filename to the APG command.
The default APG configuration file is:
<conf>
  <!--ports_to_any>
    <port>80/6</port>
    <port>443/6</port>
    <port>21/6</port>
  </ports_to_any-->
  <log_filter>
    <!--rule>
      <source>
        <subnet>192.168.0.0/16</subnet>
        <negate>0</negate>
      </source>
      <destination>
      </destination>
      <!--service>
        <port>80/6</port>
        <port>443/6</port>
      </service>
    </rule-->
  </log_filter>
  <network_consolidation>
    <min_net_coverage>50</min_net_coverage>
    <min_net_size>24</min_net_size>
    <include_broadcast>1</include_broadcast>
    <any_threshold>500</any_threshold>
  </network_consolidation>
  <io>
    <input>logfile.log</input>
    <output>policy</output>
    <output_format>html</output_format>
    <out_phases>final</out_phases>
  </io>
</conf>
Some sections of the default configuration file are commented out (the <ports_to_any> section and the example <rule> in <log_filter>). To enable a section, remove the !-- from its opening tag and the -- from its closing tag, so that <!--ports_to_any> becomes <ports_to_any> and </ports_to_any--> becomes </ports_to_any>.
The APG configuration file is delimited by the <conf> tag and contains these optional sections:
- <ports_to_any> – Ports defined in this section, when found in logs, produce output rules with an 'Any' destination. This is intended for services that users need to reach anywhere on the internet (web browsing, for example). Because every rule generated for such a port permits any destination, list only ports for which that breadth is acceptable. Each <port> tag contains a value in the format Port#/IP-protocol# (for example, 80/6 is TCP port 80).
- <log_filter> – Each <rule> contains a traffic pattern; a log that matches the pattern is analyzed by the APG, and logs that match no rule are excluded. When no rules are defined, all logs are analyzed. Each <rule> contains <source>, <destination>, and <service>. <source> and <destination> each contain any number of <subnet> tags; none is equivalent to Any. <service> contains any number of <port> tags (in the same Port#/IP-protocol# format); none is equivalent to Any. <source>, <destination>, and <service> can each contain a <negate> value; when set to 1, the defined subnets or ports are excluded from the match and only logs that do not fall within them are analyzed.
- <network_consolidation> – Parameters for rule consolidation. Lower coverage and threshold values produce broader rules (larger networks and more 'Any' destinations), so review the generated policy against the access you actually intend to permit.
  - <min_net_coverage>: An integer between 1 and 100, the minimum percentage of a network that the logged traffic must cover before the individual hosts are consolidated into that network.
  - <min_net_size>: An integer between 1 and 32, the shortest prefix length (in CIDR notation) that consolidation is allowed to create. With the default of 24, hosts can be consolidated into a /24 but not into a larger network such as a /16.
  - <include_broadcast>: 0 or 1, whether the broadcast address is counted in network consolidation.
  - <any_threshold>: An integer, the minimum number of traffic logs required before a destination is consolidated into Any.
- <io> – Input/output parameters:
  - <input> – A prepared log file (see Getting Logs for APG).
  - <output> – A prefix for the output filename. The APG output phase (default: 5) and an extension are appended to this prefix.
  - <output_format> – The format for the generated firewall policy. The value must be one of: txt, xml, html.
  - <out_phases> – The level of analysis to output. 1 shows the rules with hit counts on the flows; 5 or final shows the complete APG analysis.
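The following Python script is an added example, not part of this page or of the APG tool itself. It models the <log_filter> and <ports_to_any> semantics described above (no <subnet> or <port> means Any; <negate>1</negate> inverts the match; a log is analyzed when it matches at least one rule, and every log is analyzed when no rule exists; a service listed in <ports_to_any> yields a rule with an 'Any' destination) and runs them over a constructed config and a handful of constructed log records. The record layout, the sample addresses and the function names are assumptions made for the illustration; the real APG log format is not shown on this page.

```python
"""Added example (not Check Point APG code): a model of the apg_conf.xml
<log_filter> and <ports_to_any> semantics documented on this page, run over
constructed input. Everything below the page's stated rules is an assumption."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config: the page's example rule with its comment markers removed,
# plus an enabled <ports_to_any> section.
SAMPLE_CONF = """<conf>
<ports_to_any>
<port>80/6</port>
<port>443/6</port>
</ports_to_any>
<log_filter>
<rule>
<source>
<subnet>192.168.0.0/16</subnet>
<negate>0</negate>
</source>
<destination>
</destination>
<service>
<port>80/6</port>
<port>443/6</port>
</service>
</rule>
</log_filter>
</conf>
"""

# Constructed log records (assumed layout, not the APG log format).
SAMPLE_LOGS = [
    {"src": "192.168.10.5",  "dst": "203.0.113.7",  "dport": 443, "proto": 6},
    {"src": "192.168.10.5",  "dst": "203.0.113.7",  "dport": 22,  "proto": 6},
    {"src": "10.1.1.9",      "dst": "203.0.113.7",  "dport": 80,  "proto": 6},
    {"src": "192.168.200.1", "dst": "198.51.100.3", "dport": 80,  "proto": 17},
]


def parse_port(text):
    """'80/6' -> (80, 6): the page's Port#/IP-protocol# format."""
    port, proto = text.strip().split("/")
    return int(port), int(proto)


def _negated(elem):
    return elem.findtext("negate", "0").strip() == "1"


def parse_endpoint(elem):
    """<source> or <destination> -> ([networks], negate). No <subnet> means Any."""
    if elem is None:
        return [], False
    nets = [ipaddress.ip_network(s.text.strip()) for s in elem.findall("subnet")]
    return nets, _negated(elem)


def parse_service(elem):
    """<service> -> ([(port, proto)], negate). No <port> means Any."""
    if elem is None:
        return [], False
    return [parse_port(p.text) for p in elem.findall("port")], _negated(elem)


def parse_conf(conf_xml):
    """Return (rules, any_ports). ElementTree drops XML comments, so a section
    left commented out, as in the shipped default file, yields nothing."""
    root = ET.fromstring(conf_xml)
    pta = root.find("ports_to_any")
    any_ports = set() if pta is None else {parse_port(p.text) for p in pta.findall("port")}
    lf = root.find("log_filter")
    rules = [{"source": parse_endpoint(r.find("source")),
              "destination": parse_endpoint(r.find("destination")),
              "service": parse_service(r.find("service"))}
             for r in ([] if lf is None else lf.findall("rule"))]
    return rules, any_ports


def _in_nets(ip, nets):
    return any(ip in n for n in nets)


def rule_matches(rule, log):
    src, dst = ipaddress.ip_address(log["src"]), ipaddress.ip_address(log["dst"])
    svc = (log["dport"], log["proto"])
    s_nets, s_neg = rule["source"]
    d_nets, d_neg = rule["destination"]
    ports, p_neg = rule["service"]
    # An empty list is Any and matches every log; negate=1 inverts the test.
    # Assumption: an empty list with negate=1 is simply inverted too; the page
    # does not define that corner.
    return ((not s_nets or _in_nets(src, s_nets)) != s_neg
            and (not d_nets or _in_nets(dst, d_nets)) != d_neg
            and (not ports or svc in ports) != p_neg)


def logs_to_analyze(rules, logs):
    """All logs when no rule is defined, otherwise those matching some rule."""
    if not rules:
        return list(logs)
    return [l for l in logs if any(rule_matches(r, l) for r in rules)]


def rule_destination(log, any_ports):
    """'Any' when the logged service is listed in <ports_to_any>, else the
    logged destination, as the page describes for generated rules."""
    return "Any" if (log["dport"], log["proto"]) in any_ports else log["dst"]


if __name__ == "__main__":
    rules, any_ports = parse_conf(SAMPLE_CONF)
    for log in logs_to_analyze(rules, SAMPLE_LOGS):
        print(log["src"], "->", rule_destination(log, any_ports), log["dport"], log["proto"])
    # Flip the source <negate> to 1: only logs from outside 192.168.0.0/16 remain.
    neg_rules, _ = parse_conf(SAMPLE_CONF.replace("<negate>0<", "<negate>1<"))
    print([l["src"] for l in logs_to_analyze(neg_rules, SAMPLE_LOGS)])
```

With the sample config, only the first record (192.168.10.5 to 443/6) passes the filter, and because 443/6 is listed in <ports_to_any> the rule it produces would carry an 'Any' destination rather than 203.0.113.7. Flipping <negate> on <source> to 1 keeps only the 10.1.1.9 record, which is the behaviour the page describes: the defined subnet is ignored and everything else is analyzed.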