CSV import file format
This topic lists the headers and values supported for CSV files used to import or update device data in AFA.
Note: Header values are case sensitive. Using header values with different cases from those listed below will cause unexpected results in your file upload.
For more details, see Add/update multiple devices in bulk and the How to Import and Manage Devices in Bulk from a .CSV File AlgoPedia article.
Tip: You can also use a CSV file to assign additional device identifiers for primary/parent devices or device sub-systems, such as VSYS or VDOM. In such cases, you only need to include the name and additional_fw_ips values.
Basic device description headers
Header name | Description |
---|---|
brand | The device brand. For more details, see Supported device brand values. Required for all devices except for the following: Specify these brand types in the Bulk Add/Update Device dialog instead. |
name | The device ID (tree name). Required for all device types. This is an internal name, usually the name displayed in the tree, without non-alphanumeric characters or spaces. If you're specifying a sub-system, this is the name of the sub-system. |
display_name | The name as it appears in the device tree, including spaces and other special or numeric characters. Optional for all devices. Default: If this column is missing or empty, the device is added using the device's host name. |
Enter the following values to indicate device brands:
Analysis and monitoring devices |
|
Monitoring-only devices |
|
Access information headers
Header name | Description |
---|---|
host_name | The device host name or IP address. Required for all device types. |
user_name | The username used to access the device. Required for all device types. |
passwd | The password used to access the device. Required for all device types unless CyberArk authentication is used. Note: For Cisco IOS or ASA devices enabled for CyberArk, the Password and Enable User Password must be the same. |
enable_user_name | The enable user name. Relevant and required only for Cisco IOS devices. |
epasswd | The enable password. Relevant and required only for the following devices, unless CyberArk authentication is used on these devices: For more details, see CyberArk-related headers. Note: For Cisco IOS or ASA devices enabled for CyberArk, the Password and Enable User Password must be the same. |
Cisco-related headers
Header name | Description |
---|---|
rules_view | Determines how rules are displayed in device reports, as one of the following: Relevant for Cisco ASA devices only. |
CyberArk-related headers
Header name | Description |
---|---|
use_cyberark | Determines whether to use CyberArk authentication: Required for CyberArk devices. |
cyberark_platform | Defines the CyberArk platform name. Required for CyberArk devices. |
cyberark_safe | Defines the CyberArk safe. Required for CyberArk devices. |
cyberark_folder | Defines the CyberArk folder. Required for CyberArk devices. |
cyberark_object | Defines the CyberArk object. Required for CyberArk devices. |
cyberark_enable_platform | Defines the CyberArk platform for the enable password. Optional, and relevant only for CyberArk devices. |
cyberark_enable_safe | Defines the CyberArk safe for the enable password. Optional, and relevant only for CyberArk devices. |
cyberark_enable_folder | Defines the CyberArk folder for the enable password. Optional, and relevant only for CyberArk devices. |
cyberark_enable_object | Defines the CyberArk object for the enable password. Optional, and relevant only for CyberArk devices. |
Advanced headers
Header name | Description |
---|---|
separate_vrfs | Determines whether to split the device into VRFs: Relevant only for the following devices: |
full_analysis | Determines whether to include risk analysis and policy optimization details in the device reports: Relevant for Cisco IOS and Cisco Nexus devices only. |
Remote management headers
Header name | Description |
---|---|
con | Determines the connection type as one of the following: Required for all devices except the following: These devices connect to AFA via REST. |
number_of_allowed_encryption_keys | Determines the permitted number of different RSA keys that AFA can receive from the device's IP address, as follows: Note: Relevant only when using SSH. This might be required in cases of cluster fail-over, device operating system upgrades, and so on. |
ssh_port | Defines the port to use for an SSH connection. Relevant only when using SSH. Defaults: |
Log and monitoring headers
Note:
Header name | Description |
---|---|
collect_log | Determines whether AFA collects logs for the device: Relevant for the following device types: Note: For Cisco ASA and FWSM devices, set to no to enable logging with only hit-counter data. |
log_collection_mode | Determines the method for collecting logs for the device: Relevant when log collection is enabled. |
collect_log_from | Determines whether AFA collects logs from the NSM or a syslog-ng server: Relevant for Juniper Netscreen when log collection is enabled. Note: If traffic logs and audit logs are not on the same server, specify the audit log server using additional headers listed below. In such cases, this value defines a value for the traffic log server. |
log_host_name | Defines the host name or IP address of the server/device sending logs to AFA. Relevant when log collection is enabled. |
log_user_name | Defines the user name used to connect to the server/device sending logs to AFA. Relevant when log collection is enabled. Note: To collect logs from a remote syslog-ng server using a user other than root, you must configure the server separately. For details, see Configure an external Syslog server for AFA messages. |
log_passwd | Defines a password for connecting to the server/device sending logs to AFA. Relevant when log collection is enabled. |
collect_log_from_adt | Determines whether AFA collects audit logs from the NSM or a syslog-ng server: Relevant for Juniper Netscreen when log collection is enabled. Note: By default, the audit log server is the same as the traffic log server. |
log_host_name_adt | Defines the host name or IP address of the server/device sending audit logs to AFA. Relevant for Juniper Netscreen when: |
log_user_name_adt | Defines the user name for connecting to the server/device sending audit logs to AFA. Relevant for Juniper Netscreen when: |
log_passwd_adt | Defines the password for connecting to the server/device sending audit logs to AFA. |
log_collection_frequency | Defines how often AFA collects logs for the device, in minutes. Relevant for Juniper Netscreen when: |
additional_fw_ips | Defines any additional IP addresses or host names that identify the device, with colon-separated values. Relevant when log collection is enabled. |
Additional headers
Header name | Description |
---|---|
collector | Defines a server to manage the device's data: Relevant only when AFA is configured for geographic distribution. |
baseline_profile | Defines the baseline compliance profile to use when generating reports for the device. Optional for all devices. |
root_psw | Defines a password to increase permissions on the device to root user permissions. Relevant only for Linux Netfilter IPTables. Tip: Devices usually block the ability to access the device as user root. Enable root access to the device to improve AFA support. |
monitoring | Determines whether to enable real-time alerts for configuration changes: Optional for all devices. For more details, see Configure real-time monitoring. |
set_user_permissions | Determines whether you can set user permissions for the device: Optional for all devices. |
firewall_users | Defines the users with access to the reports produced for the device. Separate multiple usernames with slashes (/). Relevant when setting user permissions is enabled for the device. |
SNMP polling headers
Header name | Description |
---|---|
snmp_version | Determines the SNMP version: Relevant only for the following devices: |
snmp_community | Defines the SNMP community string. Required and relevant only when using SNMPv2c. |
snmp_username | Defines the SNMP Security Name (username). Required and relevant only when using SNMPv2c. |
snmp_auth_password | Defines the authentication password. Required and relevant only when: |
snmp_auth_protocol | Determines the authentication protocol: Required and relevant only when using SNMPv2c. |
snmp_priv_password | Defines the authentication password. Required and relevant only when: |
snmp_priv_protocol | Determines the privacy protocol: Required and relevant only when using SNMPv2c. |
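The following pre-upload check is an added example, not part of the AlgoSec documentation or of AFA. It tests a CSV against the case-sensitive header names above and the required access and CyberArk columns, and reports which rows carry inline credentials so the file can be stored and transferred as a secret. The `yes` value for `use_cyberark` is an assumption (the value list is not shown on this page), and the function name and sample rows are constructed for illustration.

```python
import csv
import io

# Header names exactly as listed in the tables on this page (case sensitive).
KNOWN = set("""
brand name display_name host_name user_name passwd enable_user_name epasswd
rules_view use_cyberark cyberark_platform cyberark_safe cyberark_folder
cyberark_object cyberark_enable_platform cyberark_enable_safe
cyberark_enable_folder cyberark_enable_object separate_vrfs full_analysis con
number_of_allowed_encryption_keys ssh_port collect_log log_collection_mode
collect_log_from log_host_name log_user_name log_passwd collect_log_from_adt
log_host_name_adt log_user_name_adt log_passwd_adt log_collection_frequency
additional_fw_ips collector baseline_profile root_psw monitoring
set_user_permissions firewall_users snmp_version snmp_community snmp_username
snmp_auth_password snmp_auth_protocol snmp_priv_password snmp_priv_protocol
""".split())
SECRETS = ("passwd", "epasswd", "log_passwd", "log_passwd_adt", "root_psw",
           "snmp_community", "snmp_auth_password", "snmp_priv_password")
CYBERARK = ("cyberark_platform", "cyberark_safe", "cyberark_folder", "cyberark_object")
CYBERARK_ON = "yes"  # ASSUMPTION: the page does not list the use_cyberark values


def check_import(text):
    """Return (errors, secrets): problems found, and (line, column) of inline secrets."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    errors, secrets = [], []
    for h in headers:
        if h not in KNOWN:
            kind = "wrong case" if h.lower() in KNOWN else "unknown"
            errors.append(f"header {h!r}: {kind}")
    ids_only = set(headers) == {"name", "additional_fw_ips"}  # identifier-only update (Tip)
    for line, row in enumerate(reader, start=2):  # line 1 is the header row
        def missing(col):
            return not (row.get(col) or "").strip()
        need = ["name"] if ids_only else ["name", "host_name", "user_name"]
        if not ids_only:
            use_ca = (row.get("use_cyberark") or "").strip() == CYBERARK_ON
            need += CYBERARK if use_ca else ["passwd"]
        errors += [f"line {line}: {c} is required" for c in need if missing(c)]
        secrets += [(line, c) for c in SECRETS if not missing(c)]
    return errors, secrets


# Constructed sample: line 2 is complete, line 3 uses CyberArk but has no safe.
SAMPLE = """name,host_name,user_name,passwd,use_cyberark,cyberark_platform,cyberark_safe,cyberark_folder,cyberark_object
fw_edge_1,192.0.2.10,afa_ro,EXAMPLE-ONLY,,,,,
fw_core_2,192.0.2.20,afa_ro,,yes,PlatformA,,Root,fw_core_2_obj
"""
```

Headers whose requirement depends on a device list not shown on this page, such as `brand` and `con`, are deliberately not enforced.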