Jul 07

SMC Batch Interaction – Checking Element Status


This post adds another bit to the series of articles about SMC interaction through batch scripts.

Today's scenario is similar to the following.
Suppose you have an installed base composed of several StoneGate engines (IPS, firewalls) plus a few 3rd-party devices that you monitor thanks to the cool new feature of SMC 5.0.

You would like to monitor such devices from batch scripts, so that data from SMC can populate other processes or software you might use.


written by RoarinPenguin - 1,517 views

Jul 02

Following the SMC scripting galore trend ;) here’s another tool for you, hoping you find it useful.

The scenario is when you need to verify from the command line whether a given policy would have issues if installed on a particular engine (but naturally without installing it).

The command sgPolicyCheck.[bat|sh] can be issued with the following parameters and options.

Parameters:
host=<Mgtserver address> (default: 127.0.0.1)
login=<loginname> (default: root)
pass=<password> (default: password)
cluster=<cluster name> (default: "")
policy=<policy name> (default: "")
all_clusters=<use all clusters> (default: false)

Options:
-help (Show help)

An example could be:

C:\Stonesoft\StoneGate\bin>sgPolicyCheck.bat host=192.168.1.101 login=root pass=mypass cluster=FW-5000 policy="verify-this-policy"
…and the output is similar to the one reported below:

Connect to Management Server: root@191.168.1.101
Validation of Firewall Policy verify-this-policy on Single Firewall FW-5000:

6 issues found.
  6 warnings found:
    2 Missing Definitions found.
      Rule @2.0
      Rule @3.0
    2 Unreachable Rules found.
      Rule @1006.0
      Rule @981.0
    2 NAT and Routing Definitions found.
      Rule @1274.5
      Rule @1157.0

As usual, the Files area of the StoneBlog Community contains the script for Windows and for Linux.
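
The following Python code is an added example, not part of the sgPolicyCheck script or of the original post: it parses the report format quoted above so that a wrapper can decide whether to go on to a policy upload. The function names, the verdict labels and the rule that category counts add up to the total are assumptions inferred only from that one sample.

```python
import re

# Constructed sample input: the report body quoted in the post above.
SAMPLE = """\
Validation of Firewall Policy verify-this-policy on Single Firewall FW-5000:

6 issues found.
  6 warnings found:
    2 Missing Definitions found.
      Rule @2.0
      Rule @3.0
    2 Unreachable Rules found.
      Rule @1006.0
      Rule @981.0
    2 NAT and Routing Definitions found.
      Rule @1274.5
      Rule @1157.0
"""

COUNT = re.compile(r"^\s*(\d+) (.+?) found([.:])\s*$")
RULE = re.compile(r"^\s*Rule (@[\d.]+)\s*$")

def parse_policy_check(text):
    """Parse the report into total, per-severity counts and per-category rule tags."""
    rep = {"total": None, "severities": {}, "categories": {}}
    current = None
    for line in text.splitlines():
        if m := COUNT.match(line):
            n, label, end = int(m[1]), m[2], m[3]
            if label == "issues":            # "6 issues found."
                rep["total"] = n
            elif end == ":":                 # "6 warnings found:"
                rep["severities"][label] = n
            else:                            # "2 Unreachable Rules found."
                current = rep["categories"][label] = {"declared": n, "rules": []}
        elif (m := RULE.match(line)) and current is not None:
            current["rules"].append(m[1])
    return rep

def verdict(text, tolerated=frozenset()):
    """Return 'unparsed', 'inconsistent', 'blocked' or 'ok'; only 'ok' allows an upload."""
    rep = parse_policy_check(text)
    if rep["total"] is None:                 # fail closed: login error, changed format
        return "unparsed"
    cats = rep["categories"].values()
    if any(c["declared"] != len(c["rules"]) for c in cats) or \
       sum(c["declared"] for c in cats) != rep["total"]:   # assumed from the sample
        return "inconsistent"                # truncated or partially captured output
    return "blocked" if set(rep["categories"]) - set(tolerated) else "ok"
```

The post does not show what a clean run prints, so any output without a recognisable total line is reported as "unparsed" rather than treated as a pass.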

written by RoarinPenguin - 1,172 views

Jun 30

Here we go with a second article to enable batch interaction with a StoneGate Management Center: this one is about publishing a ready-made policy to a StoneGate Firewall/VPN Engine.

The scenario could be, for instance, that you receive an alert raising the DefCon level and you want to react by activating a more restrictive policy.

The script for you today is called sgUploadFw.[sh|bat] and the syntax is:

sgUploadFw.[bat|sh] [host=hostname] [login=loginname] [pass=password] cluster=clustername [cluster=otherclustername] policy=policyname

host ==> SMC host where you want this script to be executed.
login ==> login of an Administrator Profile, who has rights to operate on given elements
pass ==> password (yes, in cleartext. It’s up to you to decide about the security level you want to implement ;) )
cluster ==> could be a single node or a cluster of engines
policy ==> the name of the policy you want to upload

Example and output:

C:\Stonesoft\StoneGate\bin>sgUploadFw.bat host=192.168.1.101 login=root pass=mypassword cluster="FW-5000" policy="DefCon 1"
Finding cluster(s)
Found FW-5000
Found policy: DefCon 1
Accepted a compatible cluster: FW-5000
Starting upload
Waiting 900 seconds…

Contacting nodes of FW-5000
Connection ok on firewall FW-5000
Preparing configuration for FW-5000
Policy snapshot started
Policy snapshot created.
Uploading configuration on FW-5000
New configuration generated for firewall FW-5000
New configuration uploaded to firewall FW-5000
Rule @1279.6 has Source NAT translated to ipaddresses that corresponds to an interface address
Applying configuration on FW-5000
New configuration activated on firewall FW-5000
Checking connectivity on FW-5000
Contact with firewall FW-5000 confirmed
Policy installation successful for FW-5000

upload finished

To download the script for Windows click here, while the version for Linux is available here.

Both scripts will remain available in StoneBlog Community, Files area.

written by RoarinPenguin - 1,228 views