| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hello gentlemen (and gentlewomen),

I am currently running NGX R60. I'd like to duplicate policies to have the latest installed renamed with a new naming convention. The thing is we have many modules (over 600 CMA, thus making over 1200 fw modules), so I cannot afford to use the cpstat command to query each of my modules to know which policy package is installed on them. Indeed, I have a limited time and this command sometimes fails due to network latency or some other reasons.

On each CMA (i.e. like a smartcenter), we have several policy packages. But only one or two may be installed on the firewall (FW) modules managed by the CMA. I would like to retrieve the names of the policy packages that are currently installed on my modules.

With the dashboard, there is an option "File > Installed policies" that displays the policies that are installed on each FW module in this form:

FW Module | Name of the policy package | installed date

So I guess the dashboard retrieves this information from a file or built-in command! Do you, by chance, know a command (CLI) that would give me a similar output? Namely, for each module, the name of the policy that is installed (again, I cannot afford to query my fw modules with cpstat). Else, do you know if there is a file that has this information? I need to write a script to get the list of installed policy packages...

Should you have any hint, please feel free to share it with me!

PS: For your information, I know the audit log can give me an answer, but it is not really practical to handle (it can take quite long to get the answer - 5 seconds per module are too much).
| |||
Duplication can be done from SmartDashboard. Select File -> Copy Policy Package and then give a new name for the duplicated policy.

To check the installed policies you can run the command fw stat from the enforcement module.

__________________
Nandu Shankar
CCSA,CCSE,CCSE+,CCMSE,RHCE,CCNA,MCP
| |||
The thing is this action must be automated. So manual action via the dashboard is not an option. Actually, to duplicate policies, the trick is to use the cp_merge built-in command to export a policy package and then import it with a new name.

But the question was to list policy packages that were installed on the FW modules. As I mentioned, "fw stat" is not an option due to:

1) the very high number of modules we have.
2) the time it takes (between 5 and 10 seconds per fw module!)
3) the fact that it sometimes fails

The key points are:

- it must be quick
- it must be scriptable
- it must be remotely doable (from the Management center)

So for now, the only option I have found is to parse the audit logs... which is still faster than querying the fw modules with "fw stat" and then parsing the results.

Since the Dashboard gives the opportunity to see which policy is installed on each module, I would have thought it had this information hidden somewhere in a file/database. Unless it queries the modules each time we launch the application.

So any idea?
| |||
If you're talking about a constant monitoring type of situation on that many boxes I would look into using Nagios and building a plugin that goes on each box that runs the fw stat command. The data is then collected back on the Nagios server and displays on a web page and can generate email alerts. We currently do this to monitor the number of connections in our state tables and haven't had a problem yet.
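
The plugin idea from the post above, as an added example that is not part of the thread or any poster's code: a Nagios-style check that reads `fw stat` output and reports the installed policy. The function names, the expected policy name `Standard`, the HOST/POLICY/DATE column layout and the `-` marker for a missing policy are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: Nagios-style check of the policy reported by `fw stat`.
# Assumed layout of `fw stat` output (constructed sample, not a real capture):
#   HOST      POLICY     DATE
#   localhost Standard   12Mar2008 10:15:42 :  [>eth0] [<eth0]

# parse_fw_stat: read `fw stat` output on stdin and print one
# "host|policy|date time" record per data row, the same three fields the
# dashboard shows. A "-" policy (assumed marker for no policy) gives "host|-|".
parse_fw_stat() {
    awk '$1 != "HOST" && NF >= 2 {
        if ($2 == "-") { print $1 "|-|"; next }
        print $1 "|" $2 "|" $3 " " $4
    }'
}

# check_policy EXPECTED: read `fw stat` output on stdin, print a status line
# and return a Nagios code: 0 OK, 2 CRITICAL, 3 UNKNOWN.
check_policy() {
    expected=$1
    row=$(parse_fw_stat | head -n 1)
    if [ -z "$row" ]; then
        # Empty output: fw stat failed or timed out, so report UNKNOWN
        # instead of guessing a policy name.
        echo "UNKNOWN - no policy row in fw stat output"
        return 3
    fi
    policy=$(echo "$row" | cut -d'|' -f2)
    installed=$(echo "$row" | cut -d'|' -f3)
    if [ "$policy" = "-" ]; then
        echo "CRITICAL - no policy installed"
        return 2
    elif [ "$policy" != "$expected" ]; then
        echo "CRITICAL - policy $policy installed, expected $expected"
        return 2
    fi
    echo "OK - policy $policy installed $installed"
    return 0
}

# Demo on the constructed sample. On a module the input would come from
# the real command instead: fw stat 2>/dev/null | check_policy Standard
SAMPLE='HOST      POLICY     DATE
localhost Standard   12Mar2008 10:15:42 :  [>eth0] [<eth0]'
printf '%s\n' "$SAMPLE" | check_policy Standard
```

Because the check runs locally on each module and only the one-line status travels back, a slow or failed `fw stat` shows up as UNKNOWN for that module rather than stalling a central polling loop.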
| |||
Hi rugby.

I was not thinking of monitoring that kind of information. I "just" need it once before a migration and I need the migration to be as quick as possible so as to minimize the service interruption. But maybe a kind of snmpwalk on a correct OID could do the job, yes...

For your information, fw stat sometimes takes up to 40 seconds on certain slow networks... Although this is quite an exception :)
| |||
I too am searching for an answer to this question, but for R55.

R62 and later now have an install_statuses.C file that is a map of the policies installed on each destination. rulebases_5_0.fws lists all of the policies.

I noticed that the R55 objects_5_0.C file has a :policies_collections() that appears to list the policies installed on each destination, but nothing listed by name is in the rulebases file.

Best regards,
Jerald