Is it possible to create a rulegroup via the CLI? I am having trouble accessing a remote firewall via the Admin Console.
I have created the ruleset I need via SSH, but I need to create a rule group; can I do that via the command line?
'cf policy help' does not indicate whether this can be done.
You can run this command to create a 'Login Console' rule (for logging-in locally using a keyboard/monitor) and an 'Admin Console' rule (for the GUI) at the very top of your policy:
$> cf policy restore_console_access
-- The Admin Console rule will be created with a Source and Destination zone of 'internal' when you run this command. You can change that zone using 'cf policy modify.'
Do a 'man cf_policy' to read the whole manual page for the cf_policy command. There is no need to ever create a rulegroup, but here is the syntax:
policy add table=rulegroup name=Administration pos=3 rulegroup='' disable=no \
description='Allow access for firewall administration.'

policy add table=rule name='Login Console' rulegroup=Administration pos=1 \
action=allow appdefense=defaultgroup:defaultgroup \
application='custom:Login Console' audit=standard \
authenticator=authenticator:Password authgroups='*' dest=all:v4 \
dest_zones=zone:Firewall disable=no exclude_capability='' ipsresponse='' \
nat_addr='' nat_mode=none redir='' redir_port='' sign_category_grp='' \
source=all:v4 source_zones=zone:Firewall ssl_ports='' tcp_ports='' \
timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
udp_ports='' description='Allow login from system console.'

policy add table=rule name='Admin Console' rulegroup=Administration pos=2 \
action=allow appdefense=defaultgroup:defaultgroup \
application='custom:Admin Console' audit=verbose \
authenticator=authenticator:Password authgroups='*' dest=all:v4 \
dest_zones=zone:internal disable=no exclude_capability='' ipsresponse='' \
nat_addr=virtual_host:localhost nat_mode=normal \
redir=virtual_ipaddr:Firewall redir_port=9002 sign_category_grp='' \
source=all:v4 source_zones=zone:internal ssl_ports='' tcp_ports='' \
timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
udp_ports='' \
description='Allow Admin Console access from the internal zone'
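Added example, not part of the original thread and not vendor code: a POSIX shell script that takes a policy dump in the 'policy add ...' form shown in the answer, pulls out one rule group together with every rule assigned to it, renames the zone on those rules to fit the target firewall, and emits the result as commands that can be pasted into an SSH session. The sample dump embedded in the script is constructed for the example, and it assumes that 'cf policy add ...' is accepted from the shell in the same way as the 'cf policy restore_console_access' command above; the zone name 'mgmt' is a placeholder for whatever the remote firewall uses.

```shell
#!/bin/sh
# Added example (not from the original post, not the firewall vendor's code).
# Prepares one rule group from a 'policy add ...' style policy dump for replay
# on another firewall. Assumptions: the dump uses the form shown in the answer,
# and 'cf policy add ...' is accepted from the shell like
# 'cf policy restore_console_access'.

# Constructed sample dump (not captured from a real firewall). Lines end in ' \'
# exactly as in the answer, so the continuation handling is exercised. Two rule
# groups and one ungrouped rule are included so extraction is selective.
SAMPLE_DUMP=$(cat <<'EOF'
policy add table=rulegroup name=Administration pos=3 rulegroup='' disable=no \
description='Allow access for firewall administration.'
policy add table=rule name='Login Console' rulegroup=Administration pos=1 \
action=allow application='custom:Login Console' audit=standard dest=all:v4 \
dest_zones=zone:Firewall source=all:v4 source_zones=zone:Firewall \
description='Allow login from system console.'
policy add table=rule name='Admin Console' rulegroup=Administration pos=2 \
action=allow application='custom:Admin Console' audit=verbose dest=all:v4 \
dest_zones=zone:internal redir=virtual_ipaddr:Firewall redir_port=9002 \
source=all:v4 source_zones=zone:internal \
description='Allow Admin Console access from the internal zone'
policy add table=rulegroup name=Outbound pos=4 rulegroup='' disable=no \
description='Outbound user traffic.'
policy add table=rule name='HTTP Out' rulegroup=Outbound pos=1 action=allow \
application=HTTP dest_zones=zone:external source_zones=zone:internal
policy add table=rule name='Deny All' rulegroup='' pos=99 action=deny \
source_zones=zone:internal dest_zones=zone:external
EOF
)

# Fold backslash-continued lines into one logical 'policy add' line per object,
# so every object can be matched and rewritten as a single record.
join_continuations() {
    awk '
        sub(/[ \t]*\\$/, "") { buf = buf $0 " "; next }
        { print buf $0; buf = "" }
        END { if (buf != "") print buf }
    '
}

# Print the rulegroup object itself and every rule assigned to it, in dump
# order (the group definition comes first, so it exists before rules refer to
# it). Both quoted and unquoted names are handled (\047 is a single quote).
extract_rulegroup() {
    awk -v name="$1" '
        index($0, "table=rulegroup name=" name " ") ||
        index($0, "table=rulegroup name=\047" name "\047 ") ||
        index($0, " rulegroup=" name " ") ||
        index($0, " rulegroup=\047" name "\047 ")
    '
}

# Rewrite source_zones/dest_zones values from zone:OLD to zone:NEW, comparing
# whole fields so a zone name that is a prefix of another is not mangled.
rezone() {
    awk -F'[ ]' -v OFS=' ' -v old="$1" -v new="$2" '{
        for (i = 1; i <= NF; i++)
            if ($i == "source_zones=zone:" old || $i == "dest_zones=zone:" old)
                sub("zone:" old "$", "zone:" new, $i)
        print
    }'
}

# Turn each logical line into a shell command for an SSH session (assumption:
# 'cf policy add ...' is accepted like 'cf policy restore_console_access').
to_cf_commands() {
    sed 's/^policy add /cf policy add /'
}

# Whole pipeline: group name, zone as used on the reference firewall, zone to
# use on the target firewall.
replay_commands() {
    printf '%s\n' "$SAMPLE_DUMP" | join_continuations | extract_rulegroup "$1" \
        | rezone "$2" "$3" | to_cf_commands
}

replay_commands Administration internal mgmt
```

Running the script prints three 'cf policy add' lines (the group, then its two rules) with the Admin Console rule's zones renamed and the Login Console rule untouched, while the Outbound group and the ungrouped deny rule are left out. Against a real firewall, replace SAMPLE_DUMP with the dump taken from the reference firewall and review the output before pasting it, since the group is added at the position recorded in the dump.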
Thank you, I was able to create the rulegroup and make it match our other firewall configurations.
Good to hear! May I close the support ticket you opened for this issue?
Yes
Thank You...