Static support for generic devices
You can enable Analysis and Monitoring support for generic devices with a JSON file that represents the device's configuration at a single point in time.
Supported device types
- Policy-Based. One set of rules per device across all of its interfaces. For example, Check Point devices.
- Interface-based. One set of rules per interface. For example, Cisco devices.
- Zone-Based. Each policy rule is defined using a source zone and destination zone. For example, Fortinet devices managed by FortiManager.
Note: Static support is available only for traditional security devices and is not relevant for other sources, such as SDN and cloud.
Adding Support for a File Device
To add and analyze a generic device using a static configuration file, complete the following workflow:
- Create a JSON file which contains the necessary device configuration items. For details, see Creating the JSON File.
- Upload the JSON file to AlgoSec Firewall Analyzer as a file device. See Add other devices and routing elements.
Note: Updating the device's policy requires manually updating and replacing the file in AFA. If desired, you can write your own script to automatically update the file in the /home/afa/algosec/fwfiles directory.
Creating the JSON File
The following procedure describes how to create the JSON file that represents the device configuration.
To create the JSON file:
- Review the example file located in /usr/share/fa/data/plugins/config_parser_template.json
- Create your own configuration file according to the template. See Tag list and Tag Reference.
Note: If the device is a layer 2 device, you must specify this in the device (see device) tag. For zone based devices, AFA automatically converts the device's topology into layer 3 terminology using a heuristic based on the device's policy. For all other device types, you must provide the device's topology in layer 3 terminology by manually editing the device's URT file. For more details, see Specify routing data manually.
Note: Any rules with NAT must be defined separately from non-NAT rules in the configuration.
- Rename the file with the suffix ".algosec".
- As user afa, run the JSON validator to verify the JSON file is valid:
    su - afa
    curl --si '127.0.0.1:8080/afa/configParser/validateFile?path=<full path to JSON file>'
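A pre-check and update script for the workflow above, as an added example that is not AlgoSec's code: it rejects malformed JSON, repeated keys and tags that are not in the tag list on this page, then replaces the file in /home/afa/algosec/fwfiles atomically. The function names, the `device_name` parameter and the assumption that the tags are top-level keys of one JSON object are illustrative, and the check does not replace the AFA validator call.

```python
import json
import os
import tempfile

KNOWN_TAGS = {  # top-level tags taken from the tag list on this page
    "config_type", "device", "hosts", "hosts_groups", "interfaces", "services",
    "services_groups", "policies", "rules_groups", "nat_rules", "global_nat_rules",
    "nat_objects", "nat_objects_groups", "nat_pools", "zones", "routes", "schedules",
}


def precheck(text):
    """Return a list of problems found in the JSON text (empty means none found)."""
    problems = []
    def no_duplicates(pairs):
        # json.loads keeps only the last value of a repeated key; report repeats instead.
        keys = [key for key, _ in pairs]
        problems.extend(f"duplicate key: {k}" for k in sorted(set(keys)) if keys.count(k) > 1)
        return dict(pairs)
    try:
        config = json.loads(text, object_pairs_hook=no_duplicates)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(config, dict):
        return ["top level is not a JSON object"]  # assumption: tags are top-level keys
    problems.extend(f"unknown tag: {t}" for t in sorted(set(config) - KNOWN_TAGS))
    return problems


def install(text, device_name, dest_dir="/home/afa/algosec/fwfiles"):
    """Pre-check text, then atomically replace <device_name>.algosec in dest_dir."""
    problems = precheck(text)
    if problems:
        raise ValueError("; ".join(problems))
    if not device_name or os.path.basename(device_name) != device_name or device_name.startswith("."):
        raise ValueError("device_name must be a plain file name")
    target = os.path.join(dest_dir, device_name + ".algosec")
    # Temp file in the same directory, then rename: readers never see a partial file.
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp, target)
    except BaseException:
        os.unlink(tmp)
        raise
    return target
```

The temporary file is created with mode 0600, so run the script as user afa, the same account used for the validator step.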
| Tag | Description |
|---|---|
| config_type | The policy model. |
| device | The definition of the device. |
| hosts | The host name. |
| hosts_groups | The host group name. |
| interfaces | The interface name. |
| services | The service name. |
| services_groups | The service group name. |
| policies | The rule name. |
| rules_groups | The rules group name. (optional) |
| nat_rules | The rule name. |
| global_nat_rules | The global NAT rule name. |
| nat_objects | The NAT object name. |
| nat_objects_groups | The NAT object group name. |
| nat_pools | The NAT pool name. |
| zones | The zone name. (optional) |
| routes | The route's ID. |
| schedules | The schedule name. (optional) |