3 Replies Latest reply: May 23, 2013 12:54 AM by sliedl RSS

    multiple configuration management




      We need to create and manage around 240 different sidewinder configurations. The only differences between each configuration are the interface IP addresses and the OSPF configuration.


      I was hoping to use a template approach with variable substitution, but unfortunately the configurations are binary encoded.


      Does anybody have any ideas how I could do this, without having to generate and manage 240 individual configurations ?


      thanks in advance



        • 1. Re: multiple configuration management



          I imagine this is exactly what the Firewall Control Center is supposed to do:-


          Taken directly from - http://www.mcafee.com/us/products/firewall-enterprise.aspx


          "McAfee Firewall Enterprise Control Center (sold separately) — Offers centralized, enterprise-class network firewall policy management for global-scale deployments."




          Message was edited by: PhilM on 17/05/13 16:51:33 IST
          • 2. Re: multiple configuration management



            thanks for the reply. unfortunately we would have to buy 240 of these as our "network units" are portable and can be dynamically connected to other "network units" at any time, then torn down at any time. We have to give our customer an easy way of configuring the sidewinder based on a unique ID. We cannot give them access to the standard GUI as they could then foul up the configuration. Unfortunately its complicated. I was hoping the configuration could be downloaded over a serial port like a cisco, but no such luck



            • 3. Re: multiple configuration management

              You could do something like this:

              • Create a configuration with all the rules you need.
              • Configure OSPF and get it working.
              • Figure out exactly what you will need to change for each new configuration (hostname, interface IPs, SSH keys, routes...)
              • Create a simple shell script to run 'cf' commands to change the hostname, interfaces, copy commands (to copy OSPF config files to the config directory let's say, or SSH keys), up/down the interfaces, et cetera.
              • Put this shell script and any files (OSPF configs, SSH keys, Readmes) into the home directory of a default user.  All user directories are backed-up in the config backups (which is why you don't want to keep large files in the /home directories).
              • Restore this config onto the firewalls, login as that user, edit the script for the correct values for this firewall (or make it interactive), run it, reboot.


              You can basically configure everything using the 'cf' command and standard bsd/linux commands.  The GUI will be needed sometimes though, and you could create a rule for that for future issues (a rule only you can use, locked down by source/IP let's say).


              Also, Phil is right, Control Center can do this.  The OSPF (all routing configuration actually) and interface configurations are separate for each firewall.  You can push the same rules to all firewalls and they would all have different OSPF configs, IPs, and hostnames.  You can register firewalls to Control Center using the 'cf' command also (in a script).


              I'm sure if we discuss this we can find something suitable, or at least give you ideas.