Assigning security profile to multiple security rules

tirexxerit
L2 Linker

Hi,

When you have 100-200 security rules and need to assign a threat security profile to all of them, what do you do?

Does anyone know an easy way of doing it? I could script it via the XML API, but there should be an easier way, I think.

 

thanks.

OtakarKlier
Cyber Elite

Hello,

If they already have a Group or Profile assigned, you can just modify it; that way it will get applied. If you currently do not have any applied and need to apply one, you can either do it by the XML method you mentioned, or I think there could be a way to script it via the API, but that's an area where I don't delve into. But I'm sure others may have another method.

 

Regards,

tirexxerit
L2 Linker

No profile is attached actually, and I need to assign a group profile to multiple firewalls.

There is a nice feature on the URL filtering profile, for example: you choose the action and say apply the action to all categories,

which is quite handy, but I couldn't see such a feature for security rules yet. Maybe it is on the roadmap.

If there is no built-in method, then I need to look into API.

 

thanks.

OtakarKlier
Cyber Elite

Or Panorama if you have it.

tirexxerit
L2 Linker

I don't recall that Panorama has such a feature, unless you mean assigning to a device group and pushing it to multiple devices.

 

OtakarKlier
Cyber Elite

Sorry, I didn't specify. If you have Panorama, you could make all the changes there and push those changes out to the different managed firewalls. However, you would still need to assign the profiles to the different policies.

JoeAndreini
L4 Transporter

I've done this two ways, depending on how many times it will need to be done.

 

The way I've done it when there are many firewalls or device groups to update is via scripting and the XML API: I pull the policies with PowerShell, iterate through the policies adding the profiles or profile group, then push them back to the firewall or Panorama. It's pretty quick.

 

If there is only one or two to do:

log into the CLI

issue the command "set cli config-output-format set" so that when you view the configuration it gives set commands

enter edit mode

"show vsys vsys1 rulebase security | match 'action allow'" - this should give you a "list" of your rules; copy that to a text editor so you can replace "action allow" with 'profile-setting group "<your profile group>"' or the appropriate command to set the profile(s) you want.

paste the commands back into the firewall - be aware the buffer is relatively small, take 10-15 lines at a time

BPry
Cyber Elite

@tirexxerit,

In addition to the method already specified by @JoeAndreini:

1) You could use Expedition (the migration tool) and do this easily. Depending on experience with the API or modifying the XML, this would actually be my preferred method.

2) You could modify the XML directly and simply look in every entry within <security> and ensure that it has a <profile-setting> element. If you're comfortable with XML, this is my preferred method.

 

API scripts are great, but you have to be very careful that it doesn't actually give a bad result on the rules. Making a script that accounts for these exceptions with the API can be a bit of a pain.
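An added example, not code from any poster in this thread, of the direct XML approach @BPry describes, with the "allow rules only" filter from @JoeAndreini's CLI method built in: it walks every rule entry under the security rulebase and adds a profile-setting group only where none exists, so rules that already carry a group or individual profiles are not overwritten. The config fragment is constructed, and the rulebase path and profile-setting element layout are assumed to match what the firewall exports.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (PAN-OS rulebase layout assumed): two allow rules
# without any profile, one allow rule with a group, one with individual
# profiles, and one deny rule. Only the first two should be changed.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
  <entry name="allow-web"><action>allow</action></entry>
  <entry name="allow-dns"><action>allow</action>
    <profile-setting><group><member>existing-group</member></group></profile-setting></entry>
  <entry name="allow-smtp"><action>allow</action>
    <profile-setting><profiles><virus><member>default</member></virus></profiles></profile-setting></entry>
  <entry name="allow-ftp"><action>allow</action></entry>
  <entry name="block-telnet"><action>deny</action></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

RULES_XPATH = ".//rulebase/security/rules/entry"


def assign_profile_group(config_xml, group_name):
    """Add <profile-setting><group><member>NAME</member></group></profile-setting>
    to every allow rule that has no <profile-setting> at all.
    Returns (modified XML string, names of the rules that were changed).
    """
    root = ET.fromstring(config_xml)
    changed = []
    for rule in root.iterfind(RULES_XPATH):
        if rule.findtext("action") != "allow":
            continue  # deny/drop rules do not take threat profiles
        if rule.find("profile-setting") is not None:
            continue  # existing group or profiles: keep the admin's choice
        setting = ET.SubElement(rule, "profile-setting")
        ET.SubElement(ET.SubElement(setting, "group"), "member").text = group_name
        changed.append(rule.get("name"))
    return ET.tostring(root, encoding="unicode"), changed


def profile_group_of(config_xml, rule_name):
    """Return the profile group a named rule carries, or None (to check the result)."""
    root = ET.fromstring(config_xml)
    for rule in root.iterfind(RULES_XPATH):
        if rule.get("name") == rule_name:
            return rule.findtext("profile-setting/group/member")
    return None


if __name__ == "__main__":
    new_xml, changed = assign_profile_group(SAMPLE_CONFIG, "threat-group")
    print("Rules updated:", changed)
```

The modified document can then be loaded back through the XML API or Panorama, which still requires a commit; review the diff of changed rule names before doing so.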

vsys_remo
Cyber Elite


@JoeAndreini wrote:

be aware the buffer is relatively small, take 10-15 lines at a time


... or if you're using an SSH client that has this feature, set a delay of 150ms between the commands

JoeAndreini
L4 Transporter

or use scripting-mode: set cli scripting-mode on

 

I never remember this exact command and often just paste 20 lines at a time rather than google it.
