08-22-2018 05:28 AM
Hi,
when you have 100-200 security rule and need to assign a threat security profile to all the rules, what do you do?
Does anyone know an easy way of doing it? I can either script it via XML API but there should be an easier way I think.
thanks.
08-22-2018 06:24 AM
Hello,
If they already have assigned a Group or Profile, you can just modify it, that way it will get applied. If you currently do not have any applied and need to apply one you can either do it by the XML method you mentioned, or I think there could be a way to script it via the API, but thats an area where I dont delve into. But I'm sure others may have another method.
Regards,
08-22-2018 06:42 AM
No profile is attached actually and need to assign group profile to multiple firewalls.
There is a nice feature on URL filtering profile for example. You choose the action and say apply the action to all categories
which is quite handy but couldn't see such for security rules yet. Maybe on the roadmap.
If there is no built-in method, then I need to look into API.
thanks.
08-22-2018 07:09 AM
Or Panorama if you have it.
08-22-2018 07:24 AM
I don't recall that panorama has such feature. If you don't mean assigning to device group and pushing it to multiple devices.
08-22-2018 07:26 AM
Sorry I didnt specify. If you have Panorama, you could make all the changes there and push those changes out to the different managed firewalls. However you would still need to assign the profiles to the different policies.
08-22-2018 07:59 AM
I've done this two ways, depending on how many times it will need to be done.
The way i've done it when tehre are many firewalls or device groups to update is via scripting and teh XML API - I pull the policies with powershell, iterate through the policies adding the profiles or profile group, then push them back to teh firewall or panorama. it's pretty quick.
If there is only one or two to do:
log into the CLI
issue the command "set cli config-output-format set" so that when you view the configuration it give set commands
enter edit mode
"show vsys vsys1 rulebase security | match 'action allow'" - this should give you a "list" of your rules, copy that to a text editor, so you can repalce "action allow" with 'profile-setting group "<your profile group>"' or the appropriate command to set the profile(s) you want.
paste the commands back into the firewall - be aware the buffer is relatively small, take 10-15 lines at a time
08-22-2018 09:47 AM
In addition to the method already specified by @JoeAndreini:
1) You could use Expedition (The migration tool) and do this easily. Depending on experiance with the API or modifying the XML this would actually be my preffered method.
2) You could modify the XML directly and simply look in every entry within <security> and ensure that it has a <profile-setting> element. If you're comfortable with XML this is my preffered method.
API scripts are great but you have to be very careful that it doesn't actually give a bad result on the rules. Making a script that accounts for these expections with the API can be a bit of a pain.
08-22-2018 03:07 PM
@JoeAndreini wrote:be aware the buffer is relatively small, take 10-15 lines at a time
... or if you're using a SSH client that has this feature, set a delay of 150ms between the commands
08-22-2018 03:39 PM
or use scripting-mode : set cli scripting-mode on
I never remember this exact command and often just paste 20 lines at a time rather than google it..
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
