Monitoring support tag reference

This reference describes the use of each tag in the configuration file. The tags are listed in the same order as they appear in the configuration file.

Tag syntax

Tag syntax is presented as follows:

  • All parameters are presented in italics.
  • All optional elements of the tag appear in square brackets [ ].

For a comprehensive example, see Configuration file example, or refer to other examples under /usr/share/fa/data/plugins/.

DEVICE

Syntax

DEVICE [id="id"] [name="name"] [title="title"]

Description

This is the main tag for the device, and it identifies the device.

Parameters

id

String. The ID of the device brand.

name

String. The name of the device brand.

The name will appear throughout the Web interface (for example, in the Overview and Changes tabs).

title

String. The full name of the device brand.

The title represents the device in the list of device types in the Devices tab of the Administration pages.

Subtags

Example

In the following example, the device name FortiGate will appear throughout the Web interface, while the title Fortinet - FortiGate will appear in the list of device types only.

DEVICE id="fortigate" name="FortiGate" title="Fortinet - FortiGate"

FORM_FIELD

Syntax

FORM_FIELD id="id" title="title" [type="type"]

Description

By default, when adding or modifying a device in the Web interface, AFA provides fields for host name, username, and password. This tag specifies additional fields that should appear for the new device.

This tag is optional.

Parameters

id

String. The ID of the field.

It can include only the following characters: a-z, _, -

The ID is used as a tag in the file firewall_data.xml.

title

String. The label representing the field in the Web interface.

type

String. The field's type. This can have the following values:

  • text. The user must input free text in this field.
  • password. The user must input a password in this field.

The default value is text.

Subtags

None.

Example

In the following example, a field called "Virtual Domain" was added for the device. The field type was not specified and is therefore "text".

FORM_FIELD id="vdom" title="Virtual Domain"

CONNECTION_CMD

Syntax

CONNECTION_CMD id="id" command="command" title="title"

Description

By default, when adding or modifying a device in the Web interface, the Remote Management Capabilities area includes the following connection options: SSH and Telnet. You can use this tag to add additional options.

This tag is optional.

Parameters

id

String. The ID of the connection option.

It can include only the following characters: a-z, A-Z, 0-9, @, _, !, +, ., :, -, ), (

The ID is used as a tag in the file firewall_data.xml.

command

String. The connection command.

This may include the following parameters from the file firewall_data.xml:

  • %attribute%. An attribute, where attribute represents the name of any attribute defined in the FORM_FIELD tag.
  • %password%
  • %user_name%
  • %host_name%

title

String. The label representing the connection option in the Web interface.

Subtags

None.

Example

In the following example, the connection option SSH is defined.

CONNECTION_CMD id="ssh" command="ssh %user_name%@%host_name%" title="SSH"

DATA_COLLECTION

Syntax

DATA_COLLECTION prompt="prompt" [more_prompt="more_prompt"]

Description

This tag specifies device prompts that AFA will encounter when connecting to the device.

Parameters

prompt

String. The basic device prompt that appears when the AFA automatic data collection client connects to the device. This is a regular expression.

more_prompt

String. The device prompt that appears when there is additional data that is not currently displayed. This is a regular expression.

This parameter is optional.

Subtags

Example

DATA_COLLECTION prompt="#\s*$" more_prompt="^\s*-+\s*[Mm]ore\s*-+\s*$"

LOGIN_PROMPT

Syntax

LOGIN_PROMPT prompt="prompt" response="response" try_again="try_again"

Description

This tag specifies the device prompt that AFA will encounter after successfully connecting to the device. Usually, this prompt relates to logging in to the device, for example a request for a password.

This tag is optional.

Parameters

prompt

String. A regular expression that describes the device prompt that appears after the AFA automatic data collection client has connected to the device.

This regular expression should match the device prompt (e.g. "user1@device1 #") as tightly as possible.

response

String. The command or string that the AFA automatic data collection client should send after receiving the prompt.

try_again

String. Indicates whether, after receiving the device prompt specified by the prompt parameter, the AFA automatic data collection client should attempt to log in again or continue to wait for the basic login prompt. This can have the following values:

  • yes. Attempt to log in again.
  • no. Do not attempt to log in again. Instead, wait for the device prompt specified by the prompt parameter.

Subtags

None.

Example

In the following example, upon receiving the "yes/no?" prompt, the AFA automatic data collection client will send the response "yes" and then attempt to log in again.

LOGIN_PROMPT prompt="(yes/no)?\s+$" response="yes" try_again="yes"
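
The prompt parameters are regular expressions, so characters such as ( ) and ? act as operators unless they are escaped. The following added example (not part of the AlgoSec documentation) tests a prompt pattern against constructed device output and compares the pattern from the example above with a hypothetical escaped variant; it assumes Python's re module treats these patterns the same way as the AFA client's regex engine.

```python
import re

# Constructed sample device output lines (not captured from a real device).
SAMPLES = {
    "host_key": "Are you sure you want to continue connecting (yes/no)? ",
    "banner": "Last login: Mon Jan  1 00:00:00 from 192.0.2.5 ",
    "password": "admin@192.0.2.10's password: ",
}

# Pattern exactly as written in the LOGIN_PROMPT example on this page.
PAGE_PATTERN = r"(yes/no)?\s+$"
# Hypothetical tighter variant: the parentheses and the question mark are
# escaped so that they are matched literally.
ESCAPED_PATTERN = r"\(yes/no\)\?\s+$"


def matching_samples(pattern, samples=SAMPLES):
    """Return the sorted names of the sample lines that the pattern matches."""
    rx = re.compile(pattern)
    return sorted(name for name, line in samples.items() if rx.search(line))


def unintended_matches(pattern, intended, samples=SAMPLES):
    """Names of samples that match although they are not the intended prompt."""
    return [n for n in matching_samples(pattern, samples) if n not in intended]


if __name__ == "__main__":
    for label, pat in (("page", PAGE_PATTERN), ("escaped", ESCAPED_PATTERN)):
        print(label, pat, "->", matching_samples(pat),
              "unintended:", unintended_matches(pat, {"host_key"}))
```

Unescaped, the group (yes/no) is optional, so the pattern matches any output that ends in whitespace, including a password prompt, and the configured response would be sent there as well.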

POST_LOGIN_PROMPT

Syntax

POST_LOGIN_PROMPT prompt="prompt" response="response"

Description

This tag specifies device prompts that AFA will encounter after successfully logging in to the device.

This tag is optional.

Parameters

prompt

String. The device prompt that appears after the AFA automatic data collection client has logged in to the device. This is a regular expression.

response

String. The command or string that the AFA automatic data collection client should send after receiving the prompt.

Subtags

None.

Example

POST_LOGIN_PROMPT prompt="Terminal type\?.*$" response="xterm"

COMMANDS_SEQUENCE

Syntax

COMMANDS_SEQUENCE

Description

This tag specifies the sequence of commands that AFA should use during data collection.

Parameters

None.

Subtags

CMD

Syntax

CMD id="id" command="command" save_output="save_output" [condition="condition"] [prompt="prompt"]

Description

This tag specifies a command that AFA should use during data collection.

Parameters

id

Integer. The command's ID and order number.

Commands are implemented in numerical order.

command

String. The connection command that the AFA automatic data collection client should send to the device.

This may include the following parameters from the file firewall_data.xml:

  • %attribute%. An attribute, where attribute represents the attribute's name.
  • %password%
  • %user_name%
  • %host_name%

save_output

String. Indicates whether the result of the command should be added to the output device configuration file. This can have the following values:

  • yes. Add the result of the command to the output device configuration file.
  • no. Do not add the result of the command to the output device configuration file.

condition

String. The name of an attribute defined in the FORM_FIELD tag, which if assigned a value (i.e., the parameter is not empty), should cause the AFA automatic data collection client to send this command. This can have the following values:

  • The name of any attribute added in the FORM_FIELD tag
  • FW_VIRT. Run the command only if the device has a virtual system.

prompt

String. The device prompt that will appear after the AFA automatic data collection client has sent this command.

This is a regular expression and may include the following parameters from the file firewall_data.xml:

  • %attribute%. An attribute, where attribute represents the attribute's name.
  • %password%
  • %user_name%
  • %host_name%

Note: By default, the AFA automatic data collection client will expect to receive the last defined prompt (which was specified in the preceding DEVICE, CMD or LOGIN tag).

Subtags

None.

Example

In the following example, the enable command will run only if the device configuration file includes an enable attribute that is not empty. The result of the command will not be saved.

CMD id="1" command="enable" save_output="no" condition="enable" prompt="sword:\s*$"
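
The following added example (not AlgoSec code) resolves a set of CMD entries into the commands that would actually be sent: it orders them by numeric id, applies the condition rule, and substitutes %attribute% parameters. The dict representation, the has_virtual_system flag, the error on undefined parameters and the redacted log-safe text are assumptions made for illustration, and the commands and attribute values are constructed.

```python
import re

# FORM_FIELD ids may contain a-z, _ and -, which also covers the built-in
# %password%, %user_name% and %host_name% parameters.
PLACEHOLDER = re.compile(r"%([a-z_-]+)%")

def expand(template, attrs, redact=()):
    """Substitute %name% from attrs; names listed in redact become ***."""
    def repl(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"undefined parameter %{name}%")
        return "***" if name in redact else attrs[name]
    return PLACEHOLDER.sub(repl, template)

def plan(cmds, attrs, has_virtual_system=False, secrets=("password",)):
    """Return (id, text_to_send, log_safe_text, save_output) per CMD to run."""
    steps = []
    # Sort on the integer value: a string sort would put "10" before "2".
    for cmd in sorted(cmds, key=lambda c: int(c["id"])):
        cond = cmd.get("condition")
        if cond == "FW_VIRT" and not has_virtual_system:
            continue
        if cond and cond != "FW_VIRT" and not attrs.get(cond):
            continue  # attribute missing or empty, so the command is skipped
        steps.append((int(cmd["id"]),
                      expand(cmd["command"], attrs),
                      expand(cmd["command"], attrs, redact=secrets),
                      cmd["save_output"] == "yes"))
    return steps

# Constructed CMD entries (as parsed attribute dicts) and device attributes.
CMDS = [
    {"id": "10", "command": "show running-config", "save_output": "yes"},
    {"id": "2", "command": "%enable%", "save_output": "no", "condition": "enable"},
    {"id": "1", "command": "enable", "save_output": "no", "condition": "enable",
     "prompt": r"sword:\s*$"},
    {"id": "3", "command": "show context", "save_output": "no", "condition": "FW_VIRT"},
]
ATTRS = {"host_name": "192.0.2.10", "user_name": "afa", "enable": "constructed-secret"}

if __name__ == "__main__":
    for step in plan(CMDS, ATTRS, secrets=("password", "enable")):
        print(step)
```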

CMD_VIRT

Syntax

CMD_VIRT id="id" command="command" save_output="save_output" [condition="condition"] [prompt="prompt"]

Description

This tag specifies a command that AFA should use during data collection on a virtual system.

This tag is optional.

Parameters

id

Integer. The command's ID and order number.

Commands are implemented in numerical order.

command

String. The connection command that the AFA automatic data collection client should send to the device.

This may include the following parameters from the file firewall_data.xml:

  • %attribute%. An attribute, where attribute represents the attribute's name.
  • %password%
  • %user_name%
  • %host_name%

save_output

String. Indicates whether the result of the command should be added to the output device configuration file. This can have the following values:

  • yes. Add the result of the command to the output device configuration file.
  • no. Do not add the result of the command to the output device configuration file.

condition

String. The name of an attribute defined in the FORM_FIELD tag, which if assigned a value (i.e., the parameter is not empty), should cause the AFA automatic data collection client to send this command. This can have the following values:

  • The name of any attribute added in the FORM_FIELD tag.
  • FW_VIRT. Run the command only if the device has a virtual system.

prompt

String. The device prompt that will appear after the AFA automatic data collection client has sent this command.

This is a regular expression and may include the following parameters from the file firewall_data.xml:

  • %attribute%. An attribute, where attribute represents the attribute's name.
  • %password%
  • %user_name%
  • %host_name%

Note: By default, the AFA automatic data collection client will expect to receive the last defined prompt (which was specified in the preceding DEVICE, CMD or LOGIN tag).

Subtags

None.

Example

In the following example, the end command will run only if the device configuration file includes a vdom attribute that is not empty. The result of the command will not be saved.

CMD_VIRT id="4" command="end" save_output="no" prompt="#\s*$" condition="vdom"

EXIT_COMMAND

Syntax

EXIT_COMMAND command="command"

Description

This tag specifies the command that AFA should use to end the connection to the device.

Parameters

command

String. The command that the AFA automatic data collection client should send, in order to end the connection.

Subtags

None.

Example

In the following example, the command is "exit".

EXIT_COMMAND command="exit"

DIFF

Syntax

DIFF context_lines="contextLines"

Description

When real-time monitoring and alerting is enabled, specified users receive e-mails upon changes to monitored devices, and the changes are displayed in the Web interface's Changes tab. This tag specifies the number of lines before and after a change to display in e-mails and in the Web interface's Changes tab. The lines surrounding a change represent the change's context.

This tag is optional.

Parameters

contextLines

Integer. The number of lines to show before and after a change.

The default value is 3.

Subtags

None.

Example

In the following example, 5 lines before and after a change will be displayed.

DIFF context_lines="5"

EXCLUDE

Syntax

EXCLUDE regex="regex" [lines_before="lines_before"] [lines_after="lines_after"] [inline="inline"]

Description

When real-time monitoring is enabled, AFA periodically checks whether the device configuration has changed. You can use this tag to exclude certain lines in the device configuration from monitoring.

For example, the current date and other counters change frequently, yet do not represent an actual change to the device configuration. To prevent changes to such lines from repeatedly being interpreted as device configuration changes and reported via e-mail and the Web interface's Changes tab, you can exclude these lines from monitoring.

This tag is optional.

Parameters

regex

String. A regular expression, describing a string in the device configuration file that should be ignored by AFA when checking for changes to the device configuration.

lines_before

Integer. The number of lines preceding the string specified in regex, including the line in which the string appears, that should be excluded from monitoring.

lines_after

Integer. The number of lines following the string specified in regex, including the line in which the string appears, that should be excluded from monitoring.

inline

String. Indicates whether the whole line (or any whole lines before or after) or only the part of the line that matches the regular expression is excluded. This can have the following values:

  • yes. Exclude only the part of the line that matches the regular expression.
  • no. Exclude the whole line (or any lines before or after).

Subtags

None.

Example

In the following example, when checking the device configuration for changes, AFA will exclude 30 lines starting from the string "set private-key".

EXCLUDE regex="set private-key" lines_after="30"
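
Every excluded line is a line whose changes are never reported, so the window sizes matter. The following added example (not AlgoSec code) models the EXCLUDE parameters as described above and shows, on a constructed FortiGate-style snapshot, how a lines_after value larger than the key block also hides a policy change further down; treating inline="yes" as removing only the matched text, and an EXCLUDE without line counts as removing just the matching line, are assumptions.

```python
import re

def apply_exclude(lines, regex, lines_before=0, lines_after=0, inline="no"):
    """Apply one EXCLUDE rule and return the lines that stay monitored."""
    rx = re.compile(regex)
    if inline == "yes":
        # Assumption: inline="yes" drops only the matched text on each line.
        return [rx.sub("", ln) for ln in lines]
    excluded = set()
    for i, ln in enumerate(lines):
        if rx.search(ln):
            # Both counts include the matching line itself, as the page states.
            first = i - max(lines_before - 1, 0)
            last = i + max(lines_after - 1, 0)
            excluded.update(range(max(first, 0), last + 1))
    return [ln for i, ln in enumerate(lines) if i not in excluded]

def change_is_reported(old, new, **rule):
    """True if two snapshots still differ after the EXCLUDE rule is applied."""
    return apply_exclude(old, **rule) != apply_exclude(new, **rule)

# Constructed FortiGate-style snapshot, not taken from a real device.
OLD = [
    "config vpn certificate local",
    '    edit "site-cert"',
    '        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----',
    "CONSTRUCTED-PLACEHOLDER-KEY-MATERIAL",
    '-----END ENCRYPTED PRIVATE KEY-----"',
    "    next",
    "end",
    "config firewall policy",
    "    edit 1",
    "        set action deny",
    "    next",
    "end",
]
# Same snapshot with one policy line changed below the key block.
NEW = [ln.replace("set action deny", "set action accept") for ln in OLD]

if __name__ == "__main__":
    for n in (3, 30):
        rule = {"regex": "set private-key", "lines_after": n}
        print(f"lines_after={n}: policy change reported =",
              change_is_reported(OLD, NEW, **rule))
```

Sizing lines_after to the length of the excluded block, and checking the rule against a saved configuration before deploying it, keeps unrelated configuration inside the monitored view.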

ROUTING

Syntax

ROUTING script="script"

Description

This tag specifies a script that should be used to analyze the device's routing table.

This tag is optional.

Parameters

script

String. The name of the script to use for creating a routing table.

Subtags

None.

Example

In the following example, the script forti2urt.pl is specified.

ROUTING script="forti2urt.pl"

FEATURES

Syntax

FEATURES

Description

This tag specifies features that are supported for the device.

Note: By default, only real-time monitoring is supported for the device. To add more features, contact AlgoSec.

This tag is optional.

Parameters

None.

Subtags

FEATURE

Syntax

FEATURE name="name" [script="script"]

Description

This tag specifies a feature that is supported for the device.

Parameters

name

String. The name of the feature.

script

String. The name of the script to use to run the feature.

Subtags

None.

Example

In the following example, the topology feature is supported for the device.

FEATURE name="topology" script="snmp2urt"