CLI question..

Is it possible to create a rulegroup via the CLI? I am having trouble accessing a remote firewall via the admin console.

I have created the ruleset I need via SSH, but I need to create a rule group. Can I do that via the command line?

'cf policy help' does not indicate whether this can be done.



Accepted Solutions
sliedl
Level 14
Message 2 of 5

Re: CLI question..


You can run this command to create a 'Login Console' rule (for logging-in locally using a keyboard/monitor) and an 'Admin Console' rule (for the GUI) at the very top of your policy:

$> cf policy restore_console_access

-- The Admin Console rule will be created with a Source and Destination zone of 'internal' when you run this command. You can change that zone using 'cf policy modify'.

Do a 'man cf_policy' to read the whole manual page for the cf_policy command. There is no need to ever create a rulegroup, but here is the syntax:

policy add table=rulegroup name=Administration pos=3 rulegroup='' disable=no \
    description='Allow access for firewall administration.'

policy add table=rule name='Login Console' rulegroup=Administration pos=1 \
    action=allow appdefense=defaultgroup:defaultgroup \
    application='custom:Login Console' audit=standard \
    authenticator=authenticator:Password authgroups='*' dest=all:v4 \
    dest_zones=zone:Firewall disable=no exclude_capability='' ipsresponse='' \
    nat_addr='' nat_mode=none redir='' redir_port='' sign_category_grp='' \
    source=all:v4 source_zones=zone:Firewall ssl_ports='' tcp_ports='' \
    timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
    udp_ports='' description='Allow login from system console.'

policy add table=rule name='Admin Console' rulegroup=Administration pos=2 \
    action=allow appdefense=defaultgroup:defaultgroup \
    application='custom:Admin Console' audit=verbose \
    authenticator=authenticator:Password authgroups='*' dest=all:v4 \
    dest_zones=zone:internal disable=no exclude_capability='' ipsresponse='' \
    nat_addr=virtual_host:localhost nat_mode=normal \
    redir=virtual_ipaddr:Firewall redir_port=9002 sign_category_grp='' \
    source=all:v4 source_zones=zone:internal ssl_ports='' tcp_ports='' \
    timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
    udp_ports='' \
    description='Allow Admin Console access from the internal zone'
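As an added example (not code from this thread, nor from McAfee or the cf_policy tool), the helper below builds a correctly quoted 'cf policy add' line for a rulegroup or rule, parses the key=value, backslash-continued form shown in the answer back into dictionaries, audits the parsed rules for enabled admin-access rules whose zones differ from the baseline the answer describes ('internal' for the Admin Console, 'Firewall' for the Login Console), and diffs two parsed policies by table and rule name, which is what matching a second firewall's configuration comes down to. It assumes the command/export syntax is exactly the form printed above and that a finished line is entered as 'cf policy add ...'; the fourth sample entry is constructed purely to show what the audit flags.

```python
"""Build, parse, audit and diff Sidewinder-style 'policy add' commands.

Added example; not code from the forum thread or from McAfee. Assumes the
key=value, backslash-continued syntax shown in the accepted answer and that
a built line is run as 'cf policy add ...'.
"""
import shlex

# Constructed sample export: the rulegroup and two rules from the answer
# (trimmed to the attributes that matter here) plus one CONSTRUCTED rule that
# exposes the Admin Console from the external zone, the kind of drift an
# audit should catch when matching configurations across firewalls.
SAMPLE_EXPORT = r"""
policy add table=rulegroup name=Administration pos=3 rulegroup='' disable=no \
    description='Allow access for firewall administration.'
policy add table=rule name='Login Console' rulegroup=Administration pos=1 \
    action=allow application='custom:Login Console' audit=standard \
    dest_zones=zone:Firewall disable=no source=all:v4 source_zones=zone:Firewall \
    description='Allow login from system console.'
policy add table=rule name='Admin Console' rulegroup=Administration pos=2 \
    action=allow application='custom:Admin Console' audit=verbose \
    dest_zones=zone:internal disable=no nat_addr=virtual_host:localhost \
    nat_mode=normal redir=virtual_ipaddr:Firewall redir_port=9002 \
    source=all:v4 source_zones=zone:internal \
    description='Allow Admin Console access from the internal zone'
policy add table=rule name='Admin Console ext' rulegroup=Administration pos=3 \
    action=allow application='custom:Admin Console' audit=verbose \
    dest_zones=zone:external disable=no source=all:v4 source_zones=zone:external \
    description='CONSTRUCTED: over-broad admin rule'
"""

# Baseline zones from the answer; a policy choice, so kept in one place.
EXPECTED_ZONES = {"custom:Admin Console": "zone:internal",
                  "custom:Login Console": "zone:Firewall"}


def build_policy_add(table, **attrs):
    """Return one 'cf policy add' command, quoting values with shlex.quote so
    spaces, quotes and empty strings survive being pasted into an SSH session."""
    parts = ["cf", "policy", "add", f"table={shlex.quote(table)}"]
    for key, value in attrs.items():
        parts.append(f"{key}={shlex.quote(str(value))}")
    return " ".join(parts)


def parse_policy_export(text):
    """Parse backslash-continued 'policy add' lines (with or without a leading
    'cf') into one dict per command; non-'policy add' lines are skipped."""
    commands, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        tokens = shlex.split(buf + line)  # honours the single-quoted values
        buf = ""
        if tokens and tokens[0] == "cf":
            tokens = tokens[1:]
        if tokens[:2] != ["policy", "add"]:
            continue
        entry = {}
        for tok in tokens[2:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        commands.append(entry)
    return commands


def audit_admin_access(commands, expected=EXPECTED_ZONES):
    """Return (rule name, reason) for every enabled admin-access rule whose
    source or destination zone differs from the expected baseline."""
    findings = []
    for cmd in commands:
        if cmd.get("table") != "rule" or cmd.get("disable") == "yes":
            continue
        want = expected.get(cmd.get("application", ""))
        if want is None:
            continue
        for field in ("source_zones", "dest_zones"):
            if cmd.get(field) != want:
                findings.append((cmd.get("name"),
                                 f"{field}={cmd.get(field)} (expected {want})"))
    return findings


def diff_policies(reference, candidate):
    """Compare two parsed exports keyed by (table, name). Returns a dict whose
    values are 'missing on reference'/'missing on candidate' or a dict of
    attribute -> (reference value, candidate value) for changed attributes."""
    ref = {(c.get("table"), c.get("name")): c for c in reference}
    cand = {(c.get("table"), c.get("name")): c for c in candidate}
    report = {}
    for key in sorted(set(ref) | set(cand)):
        if key not in cand:
            report[key] = "missing on candidate"
        elif key not in ref:
            report[key] = "missing on reference"
        else:
            changed = {k: (ref[key].get(k), cand[key].get(k))
                       for k in sorted(set(ref[key]) | set(cand[key]))
                       if ref[key].get(k) != cand[key].get(k)}
            if changed:
                report[key] = changed
    return report


if __name__ == "__main__":
    rules = parse_policy_export(SAMPLE_EXPORT)
    print(build_policy_add("rulegroup", name="Administration", pos=3,
                           rulegroup="", disable="no",
                           description="Allow access for firewall administration."))
    for name, reason in audit_admin_access(rules):
        print(f"AUDIT: {name}: {reason}")
    print(diff_policies(rules[:3], rules))
```

Run the script against a saved export to get the audit findings and, with two exports, a per-rule diff; the expected zones are an argument because the answer itself notes the Admin Console zone may legitimately be changed with 'cf policy modify'.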

4 Replies

Re: CLI question..


Thank you, I was able to create the rulegroup and make it match our other firewall configurations.

sliedl
Level 14
Message 4 of 5

Re: CLI question..


Good to hear! May I close the support ticket you opened for this issue?

Re: CLI question..

Yes

Thank You...
