
Firewalls, Routers, Switches

The following table is a comprehensive list of supported devices. The instructions provided in the table can be used to manually extract data from the device for import. While we do our best to support the below devices, it is impossible for us to test the parsers with every possible device configuration combination. If errors occur during device import, Network Perception is committed to working with our customers to resolve their specific parsing issues.

| Manufacturer | Type/Model/OS | Configuration files needed |
|---|---|---|
| Alcatel-Lucent / Nokia | Service Router (SR7755; TiMOS-C-12.0.Rx); Service Aggregation Router (SAR7705; TiMOS-B-8.0.R10) | `save [filename]` |
| Amazon Web Service | Security Groups & Network Access Control Lists | `aws ec2 describe-security-groups`; `aws ec2 describe-instances` |
| Azure Cloud | Resource Groups (e.g., VM, VNets, Subnets, NICs, NSGs, etc.) | Azure Cloud Shell (PowerShell 2.1.0): `Export-AzResourceGroup` |
| BSD (PF) | Firewall (Open, Free and Net; 3 series) | `ifconfig -a > hostname_interfaces.txt`; see additional instructions below |
| Check Point | Security Management Server (R77) | `/etc/fw/conf/objects_5_0.C`; `/etc/fw/conf/rulebases_5_0.fws`; see additional instructions below |
| Check Point | Cyber Security Platform (R80/R81) (Gaia OS) | Use the NP Check Point R80 Exporter; see additional instructions below |
| Cisco | ASA (9.8, 9.10, 9.16), FTD Firepower (6.7, 7.0.1), Catalyst (3750 G/M) | `show running-config`; see additional information below |
| Dell | PowerConnect Switch (6200) | `console#copy running-config startup-config` (instructions) |
| Extreme | Switch (x400, x600; XOC 22.6) | `save configuration [primary, secondary, existing-config, new-config]` (check which config is running with `use configuration`) |
| Fortinet | FortiGate NGFW (6.0.6, 6.4.8, 6.2.10, 7.0.5) | `show full-configuration` |
| Google Cloud Platform | Firewall rules, Instances, Subnets, Routes, VPN Gateways, VPN Tunnels | Firewall rules: `gcloud compute firewall-rules list --format=json`; Instances: `gcloud compute instances list --format=json`; Subnets: `gcloud compute networks subnets list --format=json`; Routes: `gcloud compute routes list --format=json`; VPN Gateways: `gcloud compute vpn-gateways list --format=json`; VPN Tunnels: `gcloud compute vpn-tunnels list --format=json` |
| Hirschmann | Eagle One Firewall (One-05.3.02) | `copy config running-config nv [profile_name]` |
| HP / Aruba | ProCurve Switch (2600, 2800, 4100, 6108) | `show running-config` |
| Juniper | Junos OS Firewall (SRX-V) | `show configuration` |
| Juniper | NetScreen Firewall (ISG, SSG) | `get config all` |
| Linux | IP Tables Firewall | `iptables-save`; see additional instructions below |
| NETGEAR | Smart Managed Pro Switch (FS/GS-Series; 6.x) | CLI: `show running-config all`; Web UI: Maintenance > Download Configuration |
| Nokia | Service Aggregation Router (SAR) | `save [filename]` |
| Palo Alto | Next Gen Firewall (9.x, 10.x); SD-WAN is not supported | See additional instructions below |
| pfSense | Firewall (2.4; BSD 11.1) | Diagnostics > Backup & Restore > Download configuration as XML |
| Siemens / RuggedCom / Scalance | ROS Switch (RSG2-300; 4.2) | `config.csv` |
| Siemens / RuggedCom / Scalance | ROX Firewall (RX1000-RX5000; 1.16-2.9) | `admin > save-fullconfiguration`; choose format "cli" and indicate the file name |
| Siemens / RuggedCom / Scalance | X300-400 Switch | `cfgsave` |
| SEL | SEL-3620 Firewall | From "Diagnostics", click "Update Diagnostics" and copy the text |
| SonicWall / Dell | Firewall (SonicOS 6.2) | Export Settings, then Export (default file name: sonicwall.exp) |
| Sophos | Firewall v16 | Admin console: System > Backup & Firmware > Import Export |
| Stormshield | Industrial Firewall, SN, SNi (4.2.4) | `autobackup.sh`, or set up auto backup via the console: Configuration > System > Maintenance |
| VMware | NSX Firewall | `GET https://{nsxmgr-ip}/api/4.0/edges/` (XML format); learn more about vCenter and VSX |
| WatchGuard | Firewall (XTM 3300, XTM 850) | Select Manage System > Import/Export Configuration |

Additional Instructions

BSD Firewalls

BSD has three firewalls built into the base system: PF, IPFW, and IPFILTER, also known as IPF.

  • FreeBSD (who focus on covering as many purposes as possible)
      • PF. Rules are located in the file /etc/pf.conf
      • IPFW. Default rules are found in /etc/rc.firewall. Custom firewall rules can live in any file provided through sysrc firewall_script="/etc/ipfw.rules"
      • IPFILTER, also known as IPF, is a cross-platform, open source firewall which has been ported to several operating systems, including FreeBSD, NetBSD, OpenBSD, and Solaris™. The name of the ruleset file is given via the command ipf -Fa -f /etc/ipf.rules
  • OpenBSD (who focus on security, sometimes at the expense of performance)
      • PF. Rules are located in the file /etc/pf.conf
  • NetBSD (who focus on portability, running on pretty much any hardware)
      • NPF for PF. Rules are located in the file /etc/npf.conf
      • IPF. Use /etc/ipf.conf to allow the IPFilter firewall

Linux and similar systems reuse the same interface names (eth1, eth2, em1, em2, carp1, carp2, etc.), so the parser can be confused if the user imports interface files and pf configs of different systems at the same time: instead of creating separate devices, it may combine them all into one. To prevent this, the user should group all files by host, making sure to name the ifconfig file after the hostname (e.g. host1_interfaces.txt). In the example of 2 hosts, host1 and host2, the user would import these 2 directories together:

host1

  • host1_interfaces.txt (note that the parser keys on the "_interfaces" string; the text before "_interfaces" is used to name the device)
  • pf.conf
  • hostname.em1
  • hostname.carp1

host2

  • host2_interfaces.txt (note that the parser keys on the "_interfaces" string; the text before "_interfaces" is used to name the device)
  • pf.conf
  • table1
  • table2

fw1

  • hostname.carp1
  • hostname.carp2
  • hostname.hvm2
  • hostname.hvm3
  • hostname.hvm4
  • obsd_fw1_interfaces.txt
  • pf.conf
  • table1
  • table2

The only required files are the config file (which can be named something other than pf.conf) and the ifconfig file. The hostname files are optional (unless they contain descriptions of interfaces not present in the ifconfig file).

Table files contain a list of IP addresses that can be manipulated without reloading the entire rule set. Table files are only needed if tables are used inside the config file, for example through a definition such as (pf requires the table name in angle brackets; name stands for whatever name the config uses):

table <name> persist { 198.51.100.0/27, !198.51.100.5 }
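The grouping and naming rules above, as an added example that is not part of this documentation: a small Python checker that, given the contents of each per-host directory, derives the device name from the `*_interfaces.txt` file, finds the pf config whatever it is called, and lists every pf table the config references whose file is missing. It assumes a table file is named after the table it feeds (`table1` for `<table1>`), which this page implies but does not state.

```python
import re
# Added example (not Network Perception's code); table-file naming is assumed.
IFCONFIG_RE = re.compile(r"^(?P<device>.+)_interfaces\.txt$")
# pf table definition, e.g.:  table <table1> persist file "/etc/table1"
TABLE_RE = re.compile(r"^\s*table\s+<(?P<name>[^>]+)>", re.MULTILINE)
# pf rule keywords, used to find the config when it is not named pf.conf
PF_HINT_RE = re.compile(r"^\s*(pass|block|match|table|set\s+skip)\b", re.MULTILINE)

def find_pf_config(host_files):
    """Return the file name of the pf config in one host directory, or None."""
    for name, text in host_files.items():
        if IFCONFIG_RE.match(name) or name.startswith("hostname."):
            continue
        if PF_HINT_RE.search(text):
            return name
    return None

def check_host(host_files):
    """host_files: file name -> contents. Returns (device_name, problems)."""
    problems, devices = [], []
    for name in host_files:
        m = IFCONFIG_RE.match(name)
        if m:  # text before "_interfaces" becomes the device name
            devices.append(m.group("device"))
    if not devices:
        problems.append("no *_interfaces.txt: the device cannot be named")
    elif len(devices) > 1:
        problems.append("several *_interfaces.txt files: hosts would be merged into one device")
    device = devices[0] if len(devices) == 1 else None
    pf_name = find_pf_config(host_files)
    if pf_name is None:
        problems.append("no pf config found")
        return device, problems
    for table in sorted(set(TABLE_RE.findall(host_files[pf_name]))):
        if table not in host_files:  # assumption: table file is named after the table
            problems.append(f"table <{table}> used in {pf_name} but file {table} is missing")
    return device, problems

# Constructed sample input mirroring the host1/host2 layout described above.
SAMPLE_HOSTS = {
    "host1": {
        "host1_interfaces.txt": "em1: flags=8843<UP,BROADCAST,RUNNING> mtu 1500\n",
        "pf.conf": 'set skip on lo\ntable <table1> persist file "/etc/table1"\npass in on em1\n',
        "table1": "198.51.100.0/27\n!198.51.100.5\n",
    },
    "host2": {
        "host2_interfaces.txt": "em1: flags=8843<UP,BROADCAST,RUNNING> mtu 1500\n",
        "rules.conf": 'table <table1> persist file "/etc/table1"\ntable <table2> { 203.0.113.0/24 }\nblock all\n',
    },
}
```

Running `check_host` over each entry of `SAMPLE_HOSTS` reports host1 as clean and host2 as missing both of its table files.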

Check Point R80 or later

Starting with version R80, Check Point replaces the flat files with a database. We support loading the database using the NP Check Point R80 Exporter (PDF documentation, video).

Check Point R77 or earlier

With version R77 or earlier, Check Point stores the required information in two flat files named objects_5_0.C and rulebases_5_0.fws. Those two files can usually be found in the folder /etc/fw/conf of the Check Point Management Server. In a multi-domain environment, the following command can help locate the correct set of files: find / -name "rulebases_5_0.fws" -ls. Usually each domain is a subdirectory under $MDSDIR/customers/ on the Check Point Multi-Domain Management Server (MDS) management station.

Once the files have been identified, they can be transferred to your workstation using scp or WinSCP.

Optionally, from each Check Point host, one can extract firewall specific route information using netstat:

 netstat -rn > /root/`hostname`.txt

The following files should be imported together:

  • objects_5_0.C
  • rulebases_5_0.fws or multiple .W policy files
  • (optional) hostname.txt
  • (optional) identity_roles.C

We provide support for the following Cisco devices:

  • ASA 55xx IOS 9.1.x+
  • ASAv IOS 9.15
  • FTD/vFTD FXOS 6.7+
  • Catalyst IOS 3750

For Cisco devices running Firepower, run show running-config on the command line terminal of each device you'd like to import.

Panorama

If Panorama is used to centrally manage policies, the access rules and object groups can be retrieved from the running configuration XML file. The Panorama file will only contain centrally managed access rules and object groups. Locally defined access rules and object groups cannot be retrieved from Panorama and must be retrieved from each NGFW.

To download the .XML from the Panorama UI:

  1. Connect to the Web user interface of your Panorama device
  2. Go to Panorama > Setup > Operations and select "Export Configuration Version"; it may take a few minutes to generate the file.
  3. Once ready, the .XML file will automatically download to your local workstation.
  4. Import the .XML file using the import function.

If your system contains .VSYS, an additional "mapping_config" file is required, which can only be retrieved through the CLI using the "show devices connected" command. The name of the file is "mapped_config_.xml", and it should be imported at the same time as the Panorama config.xml.

Next Gen Firewall (NGFW)

The configuration information from the NGFW is contained in several files: _merged_config.xml and .vsys(n)_pushed_policy.xml. There will be one vsys file per virtual interface. The naming of these files is important for the parser to merge them during import, and all files from a single firewall must be imported at the same time. If the files are improperly named, an error message will show that the files have parsed but are empty, meaning they could not be linked to the other associated files.

An example of properly named files is below:

    • Chicago-IL-100-FW1_merged_config.xml
    • Chicago-IL-100-FW1.vsys1_pushed_policy.xml
    • Chicago-IL-100-FW1.vsys2_pushed_policy.xml

To download the .XML:

  1. Connect to the Web user interface of your NGFW device
  2. Go to Device > Setup > Operations and select "Export Configuration Version"; it may take a few minutes to generate the file.
  3. Once ready, the .XML file will automatically download to your local workstation.
  4. Import the .XML file using the import function.
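The naming requirement above, as an added example that is neither Palo Alto's nor Network Perception's code: a Python function that groups exported files by firewall name using the `_merged_config.xml` / `.vsysN_pushed_policy.xml` pattern and reports the files that could not be linked to a partner, which is the case that imports as parsed but empty. The second firewall name in the sample is constructed.

```python
import re

# Added example (not Network Perception's parser): link NGFW export files by name.
MERGED_RE = re.compile(r"^(?P<fw>.+)_merged_config\.xml$")
VSYS_RE = re.compile(r"^(?P<fw>.+)\.vsys(?P<n>\d+)_pushed_policy\.xml$")


def link_ngfw_files(filenames):
    """Return (groups, problems).

    groups maps firewall name -> {"merged": file or None, "vsys": {n: file}};
    problems lists files that would be ignored or import as empty."""
    groups, problems = {}, []
    for name in filenames:
        m = MERGED_RE.match(name)
        if m:
            groups.setdefault(m.group("fw"), {"merged": None, "vsys": {}})["merged"] = name
            continue
        m = VSYS_RE.match(name)
        if m:
            fw, n = m.group("fw"), int(m.group("n"))
            groups.setdefault(fw, {"merged": None, "vsys": {}})["vsys"][n] = name
            continue
        problems.append(f"{name}: does not match *_merged_config.xml or *.vsysN_pushed_policy.xml")
    for fw, g in sorted(groups.items()):
        if g["merged"] is None:
            problems.append(f"{fw}: vsys policy file(s) without a {fw}_merged_config.xml (would import empty)")
        if not g["vsys"]:
            problems.append(f"{fw}: merged config without any {fw}.vsysN_pushed_policy.xml")
    return groups, problems


# Constructed sample: the three well-named files from the page plus two
# exports from a second (made-up) firewall, one of them misnamed.
SAMPLE_FILES = [
    "Chicago-IL-100-FW1_merged_config.xml",
    "Chicago-IL-100-FW1.vsys1_pushed_policy.xml",
    "Chicago-IL-100-FW1.vsys2_pushed_policy.xml",
    "Denver-CO-200-FW2_merged_config.xml",
    "Denver-CO-200-FW2-vsys1_pushed_policy.xml",  # "-vsys1" instead of ".vsys1": not linked
]
```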

Requesting Support for New Devices

The above list of supported hardware has been lab and field tested. Newer versions generally work unless there is a major platform or API upgrade. Please contact support@network-perception.com if you wish to get more information on parsers, request support for a particular device, or are interested in co-developing a solution.
