4 Replies Latest reply on Sep 14, 2015 6:41 PM by cod6208

    CLI question..


      Is it possible to create a rulegroup via the CLI?  I am having trouble accessing a remote firewall via the admin console.


      I have created the ruleset I need via SSH, but I need to create a rule group. Can I do that via the command line?


      cf policy help does not indicate if this can be done.

        • 1. Re: CLI question..

          You can run this command to create a 'Login Console' rule (for logging-in locally using a keyboard/monitor) and an 'Admin Console' rule (for the GUI) at the very top of your policy:


          $> cf policy restore_console_access

          -- The Admin Console rule will be created with a Source and Destination zone of 'internal' when you run this command.  You can change that zone using 'cf policy modify'.


          Do a 'man cf_policy' to read the whole manual page for the cf_policy command.  There is no need to ever create a rulegroup, but here is the syntax:


          policy add table=rulegroup name=Administration pos=3 rulegroup='' disable=no \
              description='Allow access for firewall administration.'

          policy add table=rule name='Login Console' rulegroup=Administration pos=1 \
              action=allow appdefense=defaultgroup:defaultgroup \
              application='custom:Login Console' audit=standard \
              authenticator=authenticator:Password authgroups='*' dest=all:v4 \
              dest_zones=zone:Firewall disable=no exclude_capability='' ipsresponse='' \
              nat_addr='' nat_mode=none redir='' redir_port='' sign_category_grp='' \
              source=all:v4 source_zones=zone:Firewall ssl_ports='' tcp_ports='' \
              timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
              udp_ports='' description='Allow login from system console.'

          policy add table=rule name='Admin Console' rulegroup=Administration pos=2 \
              action=allow appdefense=defaultgroup:defaultgroup \
              application='custom:Admin Console' audit=verbose \
              authenticator=authenticator:Password authgroups='*' dest=all:v4 \
              dest_zones=zone:internal disable=no exclude_capability='' ipsresponse='' \
              nat_addr=virtual_host:localhost nat_mode=normal \
              redir=virtual_ipaddr:Firewall redir_port=9002 sign_category_grp='' \
              source=all:v4 source_zones=zone:internal ssl_ports='' tcp_ports='' \
              timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
              udp_ports='' \
              description='Allow Admin Console access from the internal zone'

          • 2. Re: CLI question..

            Thank you, I was able to create the rulegroup and make it match our other firewall configurations.

            • 3. Re: CLI question..

              Good to hear!  May I close the support ticket you opened for this issue?

              • 4. Re: CLI question..

                Thank You...