CLI question..


Is it possible to create a rulegroup via the CLI? I am having trouble accessing a remote firewall via the Admin Console.

I have created the ruleset I need via SSH, but I need to create a rule group; can I do that via the command line?

'cf policy help' does not indicate whether this can be done.


Accepted Solution

sliedl (Message 2 of 5)

Re: CLI question..

You can run this command to create a 'Login Console' rule (for logging in locally using a keyboard/monitor) and an 'Admin Console' rule (for the GUI) at the very top of your policy:

$> cf policy restore_console_access

-- The Admin Console rule will be created with a Source and Destination zone of 'internal' when you run this command. You can change that zone using 'cf policy modify'.

Do a 'man cf_policy' to read the whole manual page for the cf_policy command.  There is no need to ever create a rulegroup, but here is the syntax:

policy add table=rulegroup name=Administration pos=3 rulegroup='' disable=no \
    description='Allow access for firewall administration.'

policy add table=rule name='Login Console' rulegroup=Administration pos=1 \
    action=allow appdefense=defaultgroup:defaultgroup \
    application='custom:Login Console' audit=standard \
    authenticator=authenticator:Password authgroups='*' dest=all:v4 \
    dest_zones=zone:Firewall disable=no exclude_capability='' ipsresponse='' \
    nat_addr='' nat_mode=none redir='' redir_port='' sign_category_grp='' \
    source=all:v4 source_zones=zone:Firewall ssl_ports='' tcp_ports='' \
    timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
    udp_ports='' description='Allow login from system console.'

policy add table=rule name='Admin Console' rulegroup=Administration pos=2 \
    action=allow appdefense=defaultgroup:defaultgroup \
    application='custom:Admin Console' audit=verbose \
    authenticator=authenticator:Password authgroups='*' dest=all:v4 \
    dest_zones=zone:internal disable=no exclude_capability='' ipsresponse='' \
    nat_addr=virtual_host:localhost nat_mode=normal \
    redir=virtual_ipaddr:Firewall redir_port=9002 sign_category_grp='' \
    source=all:v4 source_zones=zone:internal ssl_ports='' tcp_ports='' \
    timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
    udp_ports='' \
    description='Allow Admin Console access from the internal zone'

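The rulegroup-plus-rules batch from the answer, as an added shell example that is not part of the original post or of the cf_policy tool: it emits the three 'policy add' commands one per line with the Admin Console zone passed in instead of hard-coded 'internal' (the caveat the answer raises), and lints the batch for a stray trailing backslash and for rules that reference the rulegroup before it is defined. The zone-name character rule and the 'cf policy <line>' invocation form are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the cf_policy tool.
# Builds the 'Administration' rulegroup and its two console rules from the
# answer as a batch of 'policy add' lines, one command per line.

# A zone name is interpolated into a command line, so accept only plain
# object-name characters (assumed naming rule; adjust to your site policy).
valid_zone() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the rulegroup first, then the two rules that reference it.
# $1 is the zone allowed to reach the Admin Console (the answer's 'internal').
gen_admin_policy() {
    zone="$1"
    valid_zone "$zone" || return 1
    printf '%s\n' \
        "policy add table=rulegroup name=Administration pos=3 rulegroup='' disable=no description='Allow access for firewall administration.'" \
        "policy add table=rule name='Login Console' rulegroup=Administration pos=1 action=allow appdefense=defaultgroup:defaultgroup application='custom:Login Console' audit=standard authenticator=authenticator:Password authgroups='*' dest=all:v4 dest_zones=zone:Firewall disable=no exclude_capability='' ipsresponse='' nat_addr='' nat_mode=none redir='' redir_port='' sign_category_grp='' source=all:v4 source_zones=zone:Firewall ssl_ports='' tcp_ports='' timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold udp_ports='' description='Allow login from system console.'" \
        "policy add table=rule name='Admin Console' rulegroup=Administration pos=2 action=allow appdefense=defaultgroup:defaultgroup application='custom:Admin Console' audit=verbose authenticator=authenticator:Password authgroups='*' dest=all:v4 dest_zones=zone:$zone disable=no exclude_capability='' ipsresponse='' nat_addr=virtual_host:localhost nat_mode=normal redir=virtual_ipaddr:Firewall redir_port=9002 sign_category_grp='' source=all:v4 source_zones=zone:$zone ssl_ports='' tcp_ports='' timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold udp_ports='' description='Allow Admin Console access from the $zone zone'"
}

# Lint a batch read on stdin before feeding it to the firewall: a line that
# ends in '\' would glue the next 'policy add' onto this one, and a rule must
# not reference the rulegroup before the rulegroup line has been seen.
check_batch() {
    seen_group=0
    while IFS= read -r line; do
        case "$line" in
            *\\) return 1 ;;
            *table=rulegroup*) seen_group=1 ;;
            *rulegroup=Administration*) [ "$seen_group" -eq 1 ] || return 1 ;;
        esac
    done
    return 0
}

# Usage (assumed invocation form, taken from the answer's 'cf policy modify';
# confirm against 'man cf_policy' first):
#   gen_admin_policy mgmt | check_batch && gen_admin_policy mgmt > admin_policy.txt
#   then run each line of admin_policy.txt as:  cf <line>
```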

Re: CLI question..


Thank you, I was able to create the rulegroup and make it match our other firewall configurations.

sliedl (Message 4 of 5)

Re: CLI question..

Good to hear! May I close the support ticket you opened for this issue?

Re: CLI question..


Yes

Thank You...
