Is there CLI - Enable and Commit Policy

SeanDeHarris — Fri, 20 Aug 2021 12:38:43 GMT

Dear all,

Since my WebUI is not responding even with a system reboot and management restart by CLI, SSH works fine,

Is there a way by CLI to enable and commit Policy?

Any help would be greatful.

Thanks,

Sean

Re: Is there CLI - Enable and Commit Policy

SebRupik — Fri, 20 Aug 2021 15:43:52 GMT

Hi there,

If I understand you correctly, once on the cli enter the commands:

configure

commit

Any policy you want to create will be done once in configuration mode via set commands, although it is a bit of a minefield if you've not used it before!

Once you've logged onto the CLI run the command: set cli config-output-format set

The go into configure, and issue the command show .... this will display the entire config in set format and give you a good idea how to create/ update policy on the firewall. You can search the configuration with the command show | match foo where foo should be replaced with the string you are looking for.

cheers,

Seb.

Re: Is there CLI - Enable and Commit Policy

BPry — Fri, 20 Aug 2021 20:07:37 GMT

@SeanDeHarris,

Absolutely. Anything you can configure in the GUI can also be configured in the CLI. Just log into the CLI and you can easily modify anything in any of the rulebases that you would need. I'm assuming that you need help with the security rulebase in particular, but if you give an exact example of what you need we can provide more syntax help.

Using the security rulebase entry as an example it would look something like this:

configure set rulebase security rules "Example Entry" from trust source 192.168.1.5 source-user DOMAIN\USER to Mgmt destination 10.10.10.10 application [ ssl ssh ] service application-default action allow log-end yes log-setting Alert-NetOps description "Allows Traffic to Firewall" profile-setting group Default-Protection-Group

The syntax follows exactly what you would normally configure in the GUI, and this example includes how you would group things with [] if you need to specify more than one member. Then you can simply do your validate and commit operations to make the new rule active. "?" is your friend in the CLI, as everything has a very good description of what it is.

Just to clarify on @SebRupik, you absolutely don't need to set your output format to set. Some people simply find it easier to read set format then XML. The firewall supports XML (default), JSON, or set output.

Default/XML output simply displays the configuration as the firewall actually reads it (the entire configuration is just an XML file):

Allow any Web-App" { from trust; source 10.191.0.0/16; to untrust; destination any; application any; service [ service-http service-https]; log-end yes; action allow; description "Allows connections to be made to any Web-Application"; log-setting "Email Alerts"; group-tag trust; tag [ trust untrust ]; profile-setting { group LTSB-Protection-Profile; } }

JSON displays output like this, which is more machine readable and I'm not sure why anyone would actually want to set their CLI output for this, as it's not very human optimized:

{ "@name":"Allow any Web-App", "@uuid":"9cd38668-d9e4-48e1-85d0-4e4a941aa0b6", "from": { "member":["trust"] } , "source": { "member":["10.191.0.0/16"] } , "to": { "member":["untrust"] } , "destination": { "member":["any"] } , "application": { "member":["any"] } , "service": { "member":["service-http", "service-https"] } , "log-end": "yes", "action": "allow", "description": "Allows connections to be made to any Web-Application", "log-setting": "Email Alerts", "group-tag": "trust", "tag": { "member":["trust", "untrust"] } , "profile-setting": { "group": { "member":["LTSB-Protection-Profile"] } } } [edit]

Set format is how you actually issue the commands, which is why some people prefer it:

set rulebase security rules "Allow any Web-App" from trust set rulebase security rules "Allow any Web-App" source 10.191.0.0/16 set rulebase security rules "Allow any Web-App" to untrust set rulebase security rules "Allow any Web-App" destination any set rulebase security rules "Allow any Web-App" application any set rulebase security rules "Allow any Web-App" service [ service-http service-https ] set rulebase security rules "Allow any Web-App" log-end yes set rulebase security rules "Allow any Web-App" action allow set rulebase security rules "Allow any Web-App" description "Allows connections to be made to any Web-Application" set rulebase security rules "Allow any Web-App" log-setting "Email Alerts" set rulebase security rules "Allow any Web-App" group-tag trust set rulebase security rules "Allow any Web-App" tag [ trust untrust ] set rulebase security rules "Allow any Web-App" profile-setting group LTSB-Protection-Profile

You may notice that this example while in set breaks out everything into it's own command. When you are configuring a new entry you can simply lump everything together instead of separating it out like this like I did in my first example.

Re: Is there CLI - Enable and Commit Policy

TomYoung — Sat, 21 Aug 2021 13:03:24 GMT

Excellent responses!

I think @SebRupik's point was that if you set the output format to set, then you can see the proper syntax for configuration. Another excellent CLI option is to use the context sensitive help "?" to see what options are available. You can view sections of the config such as "show network dhcp".

myfirewall# show ?
address address
address-group address-group
application application
application-filter application-filter
application-group application-group
application-tag application-tag
authentication-object authentication-object
captive-portal captive-portal
cloud-identity-engine cloud-identity-engine
device-object device-object

...

topic Is there CLI - Enable and Commit Policy in General Topics

Is there CLI - Enable and Commit Policy

Re: Is there CLI - Enable and Commit Policy

Re: Is there CLI - Enable and Commit Policy

Re: Is there CLI - Enable and Commit Policy