FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
mbenvenuti
Staff
Article Id 357129
Description This article describes how to export all customized rules.
Scope FortiSIEM.
Solution

When moving configuration from one FortiSIEM to another, it can be necessary to export all the customized rules in one go, either for backup purposes or to import them into another FortiSIEM.

Run the following steps from the Supervisor CLI as root:

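# Open the wrapper element that will hold every exported rule
echo "<Rules>" > /tmp/rules-tmp.xml
# Dump the XML of all customized rules (creation_type=1); sed strips only the
# trailing "+" that psql appends to wrapped lines, so "+" inside a rule is kept
psql -U phoenix phoenixdb -t -c "select rule_xml from ph_drq_rule where creation_type=1;" | sed 's# *+ *$##' >> /tmp/rules-tmp.xml
echo "</Rules>" >> /tmp/rules-tmp.xml
# Pretty-print the result; xmllint reports an error if the XML is not well-formed
xmllint --format /tmp/rules-tmp.xml > /tmp/rules.xml
rm -f /tmp/rules-tmp.xml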

 

Download /tmp/rules.xml to the local desktop with scp or WinSCP. This file can then be reused for import into other FortiSIEMs.
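To confirm that an export is intact before importing it elsewhere, the following added example (not part of the original article) strips psql's trailing "+" continuation markers without touching "+" characters inside rule content, then checks the number of exported rules. The sample psql output, the <Rule> element name and all function names are constructed assumptions.

```shell
# Constructed sample of "psql -t" aligned output for two rule_xml rows.
# A trailing "+" marks a value that continues on the next line.
# Assumption: each row is one <Rule> element (contents are made up).
sample_psql_output() {
cat <<'EOF'
 <Rule id="demo-1">                   +
   <Name>Constructed rule A</Name>    +
   <Pattern>fail(ed)+ login</Pattern> +
 </Rule>
 <Rule id="demo-2">                   +
   <Name>Constructed rule B</Name>    +
 </Rule>
EOF
}

# Remove only the marker at the end of a line, so "+" characters that
# belong to rule content (regexes, expressions) survive the export.
strip_wrap_markers() {
    sed 's/ *+ *$//'
}

# Count opening <Rule> elements on stdin (does not match <Rules> or </Rule>).
count_rules() {
    grep -c '<Rule[ >]' || true
}

# Wrap the cleaned rows in <Rules> and print the path of the result.
build_export() {
    out=$(mktemp) || return 1
    { echo "<Rules>"; sample_psql_output | strip_wrap_markers; echo "</Rules>"; } > "$out"
    echo "$out"
}

# Succeeds only if the file holds the expected number of rules. On a live
# system the expected value would come from a count(*) query that uses the
# same WHERE clause as the export.
verify_export() {
    expected=$1
    file=$2
    actual=$(count_rules < "$file")
    [ "$actual" -eq "$expected" ]
}

# Demo: build, verify against the expected count of 2, then clean up.
f=$(build_export) && verify_export 2 "$f" && echo "export verified: 2 rules"
rm -f "$f"
```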
