Firewalls, Routers, Switches

BSD Firewalls

BSD has three firewalls built into the base system: PF, IPFW, and IPFILTER, also known as IPF

• • FreeBSD – (who focus on covering as many purposes as possible)

    • • PF. Rules located in file /etc/pf.conf

      • IPFW. Default rules are found in /etc/rc.firewall. Custom firewall rules in any file provided through # sysrc firewall_script=”/etc/ipfw.rules”
      • IPFILTER also known as IPF, is a cross-platform, open source firewall which has been ported to several operating systems, including FreeBSD, NetBSD, OpenBSD, and Solaris™. Name of the ruleset file given via command ipf -Fa -f /etc/ipf.rules
• OpenBSD – (who focus on security, sometimes at the expense of performance)
  • • • PF. Rules located in file /etc/pf.conf
• NetBSD – (who focus on portability, running on pretty much any hardware)
  • • • NPF for PF. Rules located in file /etc/npf.conf
      • IPF – Use /etc/ipf.conf to allow the IPFilter firewall

Linux and similar systems will use the same names for interfaces (eth1, eth2, em1, em2, carp1, carp2, etc.). The parser might be confused if the user imports interface files and pf configs of different systems at the same time. Instead of creating separate devices, they might all be combined into one. To prevent this, the user should group all files by host, making sure to name the ifconfig file after the hostname (i.e. host1_interfaces.txt). In the example of 2 hosts host1 and host2, the user would import these 2 directories together:

host1

• host1_interfaces.txt (note that the parser keys on the “_interfaces” string”.  Text before “_interfaces” will be used to name the device.
• pf.conf
• hostname.em1
• hostname.carp1

host2

• host2_interfaces.txt (note that the parser keys on the “_interfaces” string”.  Text before “_interfaces” will be used to name the device.
• pf.conf
• table1
• table2

fw1

• hostname.carp1
• hostname.carp2
• hostname.hvm2
• hostname.hvm3
• hostname.hvm4
• obsd_fw1_interfaces.txt
• pf.conf
• table1
• table2

The only required files are the config file (can be named something other than pf.conf) and the ifconfig file. hostname files are optional (unless they contain description of interfaces not in the ifconfig file).

Table files contain a list of IP addresses that can be manipulated without reloading the entire rule set. Table files are only needed if tables are used inside the config file. For example,

table persist { 198.51.100.0/27, !198.51.100.5 }

We provide support for the following CISCO devices:

• ASA 55xx IOS 9.1.x+
• ASAv IOS 9.15
• FTD/vFTD FXOS 6.7+
• Catalyst IOS 3750

For Cisco devices running FirePower, please run show running-config on the command line terminal of each device you’d like to import.

Panorama

If Panorama is used to centrally manage policies, the access rules and object groups can be retrieved from the running configuration XML file (we do not support the import unstructured text files). The Panorama file will only contain centrally managed access rules and object groups.  Locally defined access rules and object groups cannot be retrieved from Panorama and must be retrieved from each NGFW.

To download the .XML from the panorama UI:

1. Connect to the Web user interface of your Panorama device
2. Go to Panorama > Setup > Operations, and select “Export Panorama and devices config bundle” it may take a few minutes to generate the file.
3. Once ready, the .XML file will automatically download to your local workstation.
4. Import the .XML file using the import function.

If your system contains .VSYS, an additional "mapping_config" file is require which can only be retrieved through the CLI using the “show devices connected” command.  The name of the file is “mapped_config_.xml”. and should be imported at the same time as the panorama config.xml

Examples of Panorama CLI commands are as follows:

Get API Key
https://{host}/api/?type=keygen&user={username}&password={password}
(use the key found inside element in the response for subsequent calls)

Get Panorama and device bundle Configuration, saving the XML response to file named _running_config.xml:
https://{host}/api?type=config&action=show&key={key}&xpath=/config
(save the content of element in the XML response to a file named _running_config.xml)

Get device mapping:
https://{host}/api?type=op&key={key}&cmd=
(save the whole XML response to a file named _mapping_config.xml)

Next Gen Firewall (NGFW)

The configuration information from the NGFW is contained in several .xml files, _merged_config.xml and .vsys(n)_pushed_policy.xml.  There will be one vsys file per virtual interface. The naming of these files is important for the parser to merge them during import.  All files from a single firewall must be imported at the same time and in .xml format (we do not support the import plain text files).  If the files are improperly named or formatted, an error message will show that the files have parsed but are empty meaning they could not be linked to the other associated files.

An example of properly named files is below:

• • Chicago-IL-100-FW1_merged_config.xml
  • Chicago-IL-100-FW1.vsys1_pushed_policy.xml
  • Chicago-IL-100-FW1.vsys2_pushed_policy.xml

To download the .XML:

1. Connect to the Web user interface of your NGFW device
2. Go to Device > Setup > Operations and select “Export Configuration Version” it may take a few minutes to generate the file.
3. Once ready, the .XML file will automatically download to your local workstation.
4. Import the .XML file using the import function.

Examples of Palo Alto NGFW CLI commands are as follows:

Get API Key:
https://{host}/api/?type=keygen&user={username}&password={password}
(use the key found inside element in the response for subsequent calls)

Get PANos Firewall full configuration (including Panorama pushed configuration if Panorama managed) :
https://{host}/api/?type=op&cmd=&key={key}
(save the whole XML response to file named _merged_config.xml)

For a managed firewall - Get device policies pushed by Panorama

For multi-vsys firewall, call the following for each
https://{host}/api/?type=op&cmd={vsys_name}&key={key}

For single vsys firewall, saving the XML response to file named _pushed_policy.xml:
https://{host}/api/?type=op&cmd=&key={key}
(save the XML response to file named _pushed_policy.xml)

Support for Check Point R77.30 ended in May of 2019. Please note that no upgrades to this parser will be supported if it fails to operate as expected. Below are the instruction for manually exporting R77 files.

Check Point R7x version store configuration information in flat files on the management server's filesystem. The file location is different when using a multi-domain environment.

When using Checkpoint R77 management server, the required files can be found here:

• /etc/fw/conf/objects_5_0.C
• /etc/fw/conf/rulebases_5_0.fws
• /etc/fw/conf/identity_roles.C (optional)

Load all of the retrieved files at the same time into NP-View.

When using a Multi Domain environment, the required pairs of objects and rule base files are typically stored in: $MDSDIR/customers/

If you have trouble locating the files, you can use the command: find / -name "rulebases_5_0.fws" -ls to locate the files.

All configs in these 3 locations are required (not just one)

• One Global Database, located in directory: /var/opt/CPmds-R77/conf
• One Multi-domain Server (MDS) database, located in directory: /var/opt/CPmds-R77/conf/mdsdb
• The contents of the Domain Management Server databases (DMS), located in directory: /var/opt/CPmds-R77//CPsuite-R77/fw1/conf/ which include:
  • object
  • rulebase
  • /object...

Load all of the retrieved files at the same time into NP-View.