Is there CLI - Enable and Commit Policy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is there CLI - Enable and Commit Policy

L3 Networker

Dear all, 

 

Since my WebUI is not responding even with a system reboot and management restart by CLI,  SSH works fine, 

 

Is there a way by CLI to enable and commit Policy?

 

Any help would be greatful.

 

Thanks, 

Sean

Life is full of surprise,
Just embrace it!
3 REPLIES 3

L3 Networker

Hi there,

If I understand you correctly, once on the cli enter the commands:

configure

commit

 

Any policy you want to create will be done once in configuration mode via set commands, although it is a bit of a minefield if you've not used it before!

 

Once you've logged onto the CLI run the command: set cli config-output-format set

The go into configure, and issue the command show .... this will display the entire config in set format and give you a good idea how to create/ update policy on the firewall. You can search the configuration with the command show | match foo where foo should be replaced with the string you are looking for.

 

cheers,

Seb.

Cyber Elite
Cyber Elite

@SeanDeHarris,

Absolutely. Anything you can configure in the GUI can also be configured in the CLI. Just log into the CLI and you can easily modify anything in any of the rulebases that you would need. I'm assuming that you need help with the security rulebase in particular, but if you give an exact example of what you need we can provide more syntax help.

 

Using the security rulebase entry as an example it would look something like this:

configure
set rulebase security rules "Example Entry" from trust source 192.168.1.5 source-user DOMAIN\USER to Mgmt destination 10.10.10.10 application [ ssl ssh ] service application-default action allow log-end yes log-setting Alert-NetOps description "Allows Traffic to Firewall" profile-setting group Default-Protection-Group

The syntax follows exactly what you would normally configure in the GUI, and this example includes how you would group things with [] if you need to specify more than one member. Then you can simply do your validate and commit operations to make the new rule active. "?" is your friend in the CLI, as everything has a very good description of what it is. 

 

 

 

Just to clarify on @SebRupik, you absolutely don't need to set your output format to set. Some people simply find it easier to read set format then XML. The firewall supports XML (default), JSON, or set output. 

 

Default/XML output simply displays the configuration as the firewall actually reads it (the entire configuration is just an XML file):

Allow any Web-App" {
  from trust;
  source 10.191.0.0/16;
  to untrust;
  destination any;
  application any;
  service [ service-http service-https];
  log-end yes;
  action allow;
  description "Allows connections to be made to any Web-Application";
  log-setting "Email Alerts";
  group-tag trust;
  tag [ trust untrust ];
  profile-setting {
    group LTSB-Protection-Profile;
  }
}

 

JSON displays output like this, which is more machine readable and I'm not sure why anyone would actually want to set their CLI output for this, as it's not very human optimized:

{
"@name":"Allow any Web-App",
"@uuid":"9cd38668-d9e4-48e1-85d0-4e4a941aa0b6",
"from":
{
"member":["trust"]
}
,
"source":
{
"member":["10.191.0.0/16"]
}
,
"to":
{
"member":["untrust"]
}
,
"destination":
{
"member":["any"]
}
,
"application":
{
"member":["any"]
}
,
"service":
{
"member":["service-http",
"service-https"]
}
,
"log-end":
"yes",
"action":
"allow",
"description":
"Allows connections to be made to any Web-Application",
"log-setting":
"Email Alerts",
"group-tag":
"trust",
"tag":
{
"member":["trust",
"untrust"]
}
,
"profile-setting":
{
"group":
{
"member":["LTSB-Protection-Profile"]
}
}
}
[edit]

 

Set format is how you actually issue the commands, which is why some people prefer it:

set rulebase security rules "Allow any Web-App" from trust
set rulebase security rules "Allow any Web-App" source 10.191.0.0/16
set rulebase security rules "Allow any Web-App" to untrust
set rulebase security rules "Allow any Web-App" destination any
set rulebase security rules "Allow any Web-App" application any
set rulebase security rules "Allow any Web-App" service [ service-http service-https ]
set rulebase security rules "Allow any Web-App" log-end yes
set rulebase security rules "Allow any Web-App" action allow
set rulebase security rules "Allow any Web-App" description "Allows connections to be made to any Web-Application"
set rulebase security rules "Allow any Web-App" log-setting "Email Alerts"
set rulebase security rules "Allow any Web-App" group-tag trust
set rulebase security rules "Allow any Web-App" tag [ trust untrust ]
set rulebase security rules "Allow any Web-App" profile-setting group LTSB-Protection-Profile

You may notice that this example while in set breaks out everything into it's own command. When you are configuring a new entry you can simply lump everything together instead of separating it out like this like I did in my first example. 

Excellent responses!

 

I think @SebRupik's point was that if you set the output format to set, then you can see the proper syntax for configuration.  Another excellent CLI option is to use the context sensitive help "?" to see what options are available.  You can view sections of the config such as "show network dhcp".

 

myfirewall# show ?
address address
address-group address-group
application application
application-filter application-filter
application-group application-group
application-tag application-tag
authentication-object authentication-object
captive-portal captive-portal
cloud-identity-engine cloud-identity-engine
device-object device-object

...

Help the community: Like helpful comments and mark solutions.
  • 3382 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!