seadave
New Member
March 7, 2016
Question

Importing Firewall Addresses


I'm testing a migration to 5.4.  I have two 500Ds.  One is in production right now running 5.2.3 and is stable.  I decided I want to do a clean config for 5.4 because doing so exposes old settings you no longer need and forces you to rethink how you have rules set up, etc.  It isn't easy, BUT it would be SO much easier if I could export or at least import a CSV list of my over 500 firewall addresses.

 

I did a select copy from the Firewall Address Screen and copied those to Excel.  This makes it very easy to sort and spot anomalies.  I noticed that in 5.4 you have both "FQDN" and "Wildcard FQDN" so you need to make sure addresses are identified as such and have their "Type" converted.  It is really unfortunate that color and tags are no longer in the 5.4 GUI as those were very useful for Addresses.

 

Anyway, being able to build a clean list of addresses and types, then importing as a CSV via the GUI would be awesome.  I may be able to figure out how to transpose my values using a script, but why create all the extra work when it could be built into the firewall and made easy?  I'm sure there is a perl/regex wizard who has done this, but not my specialty unfortunately.

    1 reply

    Dave_Hall
    New Member
    March 8, 2016

    This may work for you - save an unencrypted backup of the old config and load that into a text editor, edit/trim the firewall address section, and enter/merge that into the new config (live or via text editor), perform a diagnose debug config-error-log read after merging/loading the changes.

     

    config firewall address
        edit "update.microsoft.com"
            set associated-interface "port16"
            set type fqdn
            set fqdn "update.microsoft.com"
        next
        edit "download.windowsupdate.com"
            set associated-interface "port16"
            set type fqdn
            set fqdn "download.windowsupdate.com"
        next
        edit "windowsupdate.microsoft.com"
            set associated-interface "port16"
            set type fqdn
            set fqdn "windowsupdate.microsoft.com"
        next
        edit "msftncsi"
            set associated-interface "port16"
            set type fqdn
            set fqdn "www.msftncsi.com"
        next
        edit "download.microsoft.com"
            set associated-interface "port16"
            set type fqdn
            set fqdn "download.microsoft.com"
        next
        edit "wustat.windows.com"
            set associated-interface "port16"
            set type fqdn
            set fqdn "wustat.windows.com"
        next
        edit "ntservicepack.microsoft.com"
            set associated-interface "port16"
            set type fqdn
            set fqdn "ntservicepack.microsoft.com"
        next
    end

     

    ede_pfau
    SuperUser
    March 8, 2016

    ...never associate an address object with a port...next time, the port is renamed, other hardware or whatever, poof...

     

    And yes, I've ported addresses, address groups and other mass definitions from the config file into a *.bcmd text file to bulk import it. Runs smoothly.

    seadave
    Author
    New Member
    March 8, 2016

    ede_pfau wrote:

    And yes, I've ported addresses, address groups and other mass definitions from the config file into a *.bcmd text file to bulk import it. Runs smoothly.

    Funny, was just thanking you for your script.  Can you elaborate on the above?
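
Added example, not part of the thread and not any poster's or Fortinet's script: one way to turn a CSV address list into the `config firewall address` block shown in Dave_Hall's reply, ready to paste or bulk import. The column names, the sample rows and the name allow-list are assumptions; `associated-interface` is left out, following ede_pfau's advice, and the `wildcard-fqdn` and `ipmask` keywords should be checked against the CLI reference for the target build.

```python
import csv, io, ipaddress, re

# Constructed sample export; the columns name,type,value are an assumption.
SAMPLE_CSV = '''name,type,value
update.microsoft.com,fqdn,update.microsoft.com
all-windowsupdate,wildcard-fqdn,*.windowsupdate.com
lan-servers,ipmask,10.20.30.0/24
bad-row,fqdn,"host.example"" extra"
'''

# Conservative allow-lists (assumption): nothing that could close a quoted CLI value.
NAME_RE = re.compile(r'[A-Za-z0-9._ -]{1,63}')
FQDN_RE = re.compile(r'([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}')

def render_row(name, typ, value):
    """Return CLI lines for one address (no associated-interface) or raise ValueError."""
    if not NAME_RE.fullmatch(name):
        raise ValueError('name has characters unsafe to quote')
    if typ == 'fqdn':
        if not FQDN_RE.fullmatch(value):
            raise ValueError('not a plain FQDN')
        body = ['set type fqdn', f'set fqdn "{value}"']
    elif typ == 'wildcard-fqdn':
        if not (value.startswith('*.') and FQDN_RE.fullmatch(value[2:])):
            raise ValueError('wildcard must look like *.example.com')
        body = ['set type wildcard-fqdn', f'set wildcard-fqdn "{value}"']
    elif typ == 'ipmask':
        net = ipaddress.IPv4Network(value, strict=True)  # rejects host bits
        body = ['set type ipmask', f'set subnet {net.network_address} {net.netmask}']
    else:
        raise ValueError(f'unknown type {typ!r}')
    return [f'    edit "{name}"'] + ['        ' + b for b in body] + ['    next']

def csv_to_cli(text):
    """Convert CSV text to (cli_script, [(csv_line_number, reason), ...])."""
    out, rejected = ['config firewall address'], []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            out += render_row(row['name'].strip(), row['type'].strip().lower(), row['value'].strip())
        except (ValueError, KeyError, AttributeError) as exc:
            rejected.append((n, str(exc)))
    return '\n'.join(out + ['end']) + '\n', rejected

if __name__ == '__main__':
    script, bad = csv_to_cli(SAMPLE_CSV)
    print(script)
    for line_no, why in bad:
        print(f'# skipped CSV line {line_no}: {why}')
```

Rows that fail validation are reported instead of being written, so a stray quote or line break in a spreadsheet cell cannot add extra commands to the text that gets loaded into the firewall.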