Mar 18

Fast object creation in StoneGate


I want to share a quick yet powerful way to create objects in StoneGate, taking advantage of the flexibility of the bundled commands to export and import elements.

For a test I was doing a few days ago, I needed to quickly create quite a large number of objects. With that done, I needed to reference them in an alias to efficiently manage a rulebase that could be published to many different firewalls simultaneously, with the value of the element changing depending on which firewall it is installed on (that is the beautiful power of StoneGate Aliases).

Here’s what I’ve done (on a Linux-based SMC).

  • create a Host element, giving it a name and an IP address
  • export the element to have a sample XML (unzipped default filename is exported_data.xml):
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <!DOCTYPE generic_import_export SYSTEM "generic_import_export_v4.3.dtd">
    <generic_import_export>
       <host comment="DMZ Web Server NAT 55" name="Web Server – 192.168.55.200">
          <mvia_address address="192.168.55.200"/>
       </host>
    </generic_import_export>

    Easy enough? I think so… Now let’s “build” the import file we will need to create many similar objects (the IP changes from 56 to 104).
  • at the prompt, issue these commands:
    • head -3 exported_data.xml > ManyWebServerElements.xml (creates a new file with the proper header)
    • for i in `seq 56 104`; do tail -4 exported_data.xml | head -3 | sed "s/55/$i/g" >> ManyWebServerElements.xml; done (appends the content for all elements to the existing header)
    • tail -1 exported_data.xml >> ManyWebServerElements.xml (closes the file with the proper footer)
    • zip ManyWebServerElements.zip ManyWebServerElements.xml (creates the zip file for re-importing)
  • once you’re done with the steps above, you can proceed to import your file in StoneGate and… voilà, all elements will magically appear in the GUI!

Next comes the alias generation: each firewall needs its own value (we have 50 firewalls, each needing a different value for Web Server in "$NAT Web Server Alias"), and the goal is to fill in the alias without manually editing it.

Proceed as follows.

  • create an Alias element, giving it a name and setting the translation value for one firewall
  • now I will proceed as before to fill in the rest of the alias with the needed data, starting from the exported XML file:
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <!DOCTYPE generic_import_export SYSTEM "generic_import_export_v4.3.dtd">
    <generic_import_export>
       <alias comment="Alias for NAT Web Server" name="$ NAT Web Server" type="other">
          <alias_value fw_ref="Virtual Appliance Firewall 55">
             <ne_list ref="Web Server – 192.168.55.200"/>
          </alias_value>
       </alias>
    </generic_import_export>
  • at the prompt, issue these commands:
    • head -4 exported_data.xml > NatWebServerAlias.xml (creates a new file with the proper header)
    • for i in `seq 56 104`; do tail -5 exported_data.xml | head -3 | sed "s/55/$i/g" >> NatWebServerAlias.xml ; done (appends the content for all elements to the existing header)
    • tail -2 exported_data.xml >> NatWebServerAlias.xml (closes the file with the proper footer)
    • zip NatWebServerAlias.zip NatWebServerAlias.xml (creates the zip file for re-importing)
  • import the zip file to update the defined element

The alias you just created is then usable in policy and traffic rules, taking advantage of one of the most time-saving features of StoneGate.
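
The sed step in both procedures rewrites every "55" on a line, so it only works while 55 appears nowhere else in the exported template. As an added example (not part of the original post), the script below builds the Host and Alias import files from explicit templates and rejects values that cannot be an IPv4 octet. Element names and addresses are copied from the exports shown above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: generate both import files from explicit templates instead
# of line-slicing an export. Function names here are hypothetical.

valid_octet() {                       # accept only 0..255, no leading zeros
    case $1 in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$1" -le 255 ]
}
check_range() {
    if valid_octet "$1" && valid_octet "$2" && [ "$1" -le "$2" ]; then return 0; fi
    echo "range must be ascending and within 0-255: $1 $2" >&2
    return 1
}
xml_header() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8" standalone="no"?>' \
        '<!DOCTYPE generic_import_export SYSTEM "generic_import_export_v4.3.dtd">' \
        '<generic_import_export>'
}
# Host name exactly as it appears in the export on the page; the alias
# references hosts by this name, so both generators share it.
host_name() { printf 'Web Server – 192.168.%s.200' "$1"; }

gen_hosts() {                         # gen_hosts FIRST LAST
    check_range "$1" "$2" || return 1
    xml_header
    i=$1
    while [ "$i" -le "$2" ]; do
        printf '   <host comment="DMZ Web Server NAT %s" name="%s">\n' "$i" "$(host_name "$i")"
        printf '      <mvia_address address="192.168.%s.200"/>\n' "$i"
        printf '   </host>\n'
        i=$((i + 1))
    done
    printf '</generic_import_export>\n'
}

gen_alias() {                         # gen_alias FIRST LAST
    check_range "$1" "$2" || return 1
    xml_header
    printf '   <alias comment="Alias for NAT Web Server" name="$ NAT Web Server" type="other">\n'
    i=$1
    while [ "$i" -le "$2" ]; do
        printf '      <alias_value fw_ref="Virtual Appliance Firewall %s">\n' "$i"
        printf '         <ne_list ref="%s"/>\n' "$(host_name "$i")"
        printf '      </alias_value>\n'
        i=$((i + 1))
    done
    printf '   </alias>\n</generic_import_export>\n'
}
```

After sourcing the script, `gen_hosts 56 104 > ManyWebServerElements.xml` and `gen_alias 55 104 > NatWebServerAlias.xml` produce the files to zip and import; starting the alias range at 55 is a choice made here so that the value for the first firewall is also present in the generated file.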

written by RoarinPenguin
