Running APG CLI
Overview
After you prepare the log files (Getting Logs for APG), you can generate an actual firewall policy from the log files with the command:
st_apg_gen <parameters>
where <parameters> is a list of any of the following parameters. Each parameter name is followed by =<value>, for example:
[<ADMIN> ~]# kubectl exec -it deployment/device-collector -c device-collector -- bash
[<ADMIN> ~]# st_apg_gen --conf=/usr/local/st/conf/apg_conf.xml --input=logs.txt --output=policy --output-format=html --min-net-coverage=10 --min-net-size=28 --include-broadcast=0 --any-threshold=100
Input/Output Parameters
Parameter | Description |
---|---|
--conf | The APG configuration file. By default, the file is located in /usr/local/st/conf/apg_conf.xml. |
--input | A prepared log file. See Getting Logs for APG. |
--output | A prefix for the output filename. The APG output phase (default: 5) and an extension will be appended to the filename. |
--output-format | The format for the generated firewall policy. It can be one of the following: |
Parameters for rule consolidation
Parameter | Description |
---|---|
--min-net-coverage | The minimum percentage of traffic, from 1 to 100, that must be logged within a network for it to qualify for network consolidation. |
--min-net-size | The minimum allowed prefix length in CIDR notation (between 1 and 32) for subnets created by network consolidation. |
--include-broadcast | Determines whether to include the broadcast address in network consolidation: 0 = no, 1 = yes. |
--any-threshold | The minimum number of traffic log entries needed to generalize the source or destination to Any during consolidation. |
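The consolidation parameters interact, so a small model helps when choosing values. The following Python sketch is an added example, not Tufin's code or APG's actual algorithm: it assumes coverage means logged addresses divided by countable addresses in a candidate subnet and that each list item is one log entry, and the `consolidate` function and sample addresses are constructed for illustration.

```python
import ipaddress

def consolidate(entries, min_net_coverage, min_net_size, include_broadcast, any_threshold):
    """Simplified model: collapse logged IPv4 addresses into subnets or Any."""
    if not 1 <= min_net_coverage <= 100 or not 1 <= min_net_size <= 32:
        raise ValueError("value outside the documented range")
    if len(entries) >= any_threshold:        # assumption: one list item = one log entry
        return ["Any"]
    observed = {ipaddress.ip_address(e) for e in entries}
    remaining, result = set(observed), []

    def members(net):
        # Addresses that count toward coverage: hosts, plus broadcast if enabled.
        skip = {net.network_address}
        if not include_broadcast:
            skip.add(net.broadcast_address)
        return {a for a in observed if a in net and a not in skip}

    while remaining:
        addr = min(remaining)
        for prefix in range(min_net_size, 31):   # widest permitted subnet first
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            size = net.num_addresses - (1 if include_broadcast else 2)
            seen = members(net)
            if addr in seen and 100 * len(seen) / size >= min_net_coverage:
                result.append(str(net))
                remaining -= seen
                break
        else:                                    # no subnet qualified: keep the host
            result.append(f"{addr}/32")
            remaining.discard(addr)
    return result

# Constructed sample: six neighbouring hosts and one isolated host.
SAMPLE = [f"10.1.1.{i}" for i in range(1, 7)] + ["192.168.5.77"]

if __name__ == "__main__":
    for cov in (10, 60):
        print(cov, consolidate(SAMPLE, cov, 28, 0, 100))
```

In this model, a coverage threshold of 10 widens the single isolated host to a /29, while 60 keeps it as a /32, so compare generated subnets against what was actually logged before deploying the policy.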