Static support for generic devices

You can enable Analysis and Monitoring support for generic devices with a JSON file that represents the device's configuration at a single point in time.

Supported device types

The ability to enable AFA support for a generic device is only supported for devices whose policy's conform to one of the following models:

  • Policy-Based. One set of rules per device across all of its interfaces. For example, Check Point devices.
  • Interface-based. One set of rules per interface. For example, Cisco devices.
  • Zone-Based. Each policy rule is defined using a source zone and destination zone. For example, Fortinet devices managed by FortiManager.

Note: Static support is available only for traditional security devices and is not relevant for other sources, such as SDN and cloud.

Back to top

Adding Support for a File Device

To add and analyze a generic device using a static configuration file, complete the following workflow:

  1. Create a JSON file which contains the necessary device configuration items. For details, see Creating the JSON File.
  2. Upload the JSON file to AlgoSec Firewall Analyzer as a file device. See Add other devices and routing elements

Note: Updating the device's policy requires manually updating and replacing the file in AFA. If desired, you can write your own script to automatically update the file in the /home/afa/algosec/fwfiles directory.

Back to top

Creating the JSON File

The following procedure describes how to create the JSON file that represents the device configuration.

To create the JSON file:

  1. Review the example file located in /usr/share/fa/data/plugins/config_parser_template.json
  2. Create your own configuration file according to the template. See Tag list and Tag Reference .

    Note: If the device is a layer 2 device, you must specify this in the device (see device) tag. For zone based devices, AFA automatically converts the device's topology into layer 3 terminology using a heuristic based on the device's policy. For all other device types, you must provide the device's topology in layer 3 terminology by manually editing the device's URT file. For more details, see Specify routing data manually.

    Note: Any rules with NAT must be defined separately from non-NAT rules in the configuration.

  3. Rename the file with the suffix ".algosec".
  4. As user afa, run the JSON validator to verify the JSON file is valid:

    su - afa
    curl --si ‘127.0.0.1:8080/afa/configParser/validateFile?path=<full path to JSON file>

Tag list

Tag

Description

config_type

The policy model.

device

The definition of the device.

hosts

The host name.

hosts_groups

The host group name.

interfaces

The interface name.

services

The service name.

services_groups

The service group name.

policies

The rule name.

rules_groups

The rules group name. (optional)

nat_rules

The rule name.

global_nat_rules

The global NAT rule name

nat_objects

The NAT object name.

nat_objects_groups

The NAT object group name.

nat_pools

The NAT pool name.

zones

The zone name. (optional)

routes

The route's ID.

schedules

The schedule name. (optional)

Back to top

 

â See also: