Run CLI batch processes

The following AFA CLI batch processes enable you to integrate AFA with other systems, such as with an existing backup device procedure or an existing change management system.

Run batch device analysis and comparisons

The AFA multi-run utility allows you to analyze several devices from the command line. With additional Unix shell scripts (not provided by AlgoSec), the AFA multi-run utility gives you the ability to integrate AFA into your automatic device backup system.

The AFA multi-run utility also supports bulk comparisons, and can create zip files of the resulting comparison reports.

Do the following:

  1. Collect your device data from all the devices you wish to analyze. For details, see Alternate data collection methods.

  2. On the AFA machine, create a sub-directory for the collected files. For example, type:
    mkdir ~/myfirewalls

  3. Place the archives you collected in the directory you created (e.g. ~/myfirewalls)

  4. Type the following command, adding any desired parameters.

    fa_multi_run -d ~/myfirewalls

    AFA will analyze all the files in that directory.

    For more details, see AFA Multi-Run Parameters.

  5. Once the analysis of the files is completed, you can view the AFA reports by typing fa to open the AFA main application window.

Note: AFA multi-run produces a log file at $HOME/algosec/firewalls/fa_multi_run.log.

AFA Multi-Run Parameters

Parameter

Description

-a <after_dir>

Optional. Indicates that fa_multi_run should work in comparison mode, and specifies the directory to which fa_multi_run should write post-migration files.

Note: The -d parameter must still be used, to specify the directory of pre-migration files.

When the -a parameter is used, fa_multi_run will perform the following actions:

  • Run an analysis on each file in the pre-migration directory (specified by -d)
  • Run an analysis on each matching file in the post-migration directory (specified by -a)
    Note: It is assumed that the before and after file names in both directories are the same (except, optionally, the extension). If one is missing, no comparison is performed.
  • Run a comparison report between the two files, which then is attached to the second file.
  • Create a zip file named title-filename-comparison.zip under $HOME/algosec/firewalls/
    The zip file will include all the necessary files (from both reports), including an index.html home page that will lead to the comparison report's main page.

-t <title>

Optional. A string that will be added to the comparison report title and the beginning of all the created zip file names.

-l <log_file>

Optional. The log file name to which fa_multi_run should write the log summary.

The default value is $HOME/algosec/firewalls/fa_multi_run.log.

-p <risk_profile>

Optional. The risk profile to use.

The default value is the risk profile specified in the AFA administration area. For details, see Set a default risk profile.
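
Because comparison mode performs no comparison when a pre-migration or post-migration file is missing, it is worth checking the two directories before running fa_multi_run with -d and -a. The following is an added example, not AlgoSec code; the function names are hypothetical, and it assumes that "same name except the extension" means the file name with its final extension removed.

```sh
#!/bin/sh
# Added example (not AlgoSec code): pre-flight check for comparison mode.
# Assumption: "same name except the extension" means the file name with its
# final ".ext" removed; confirm against how your archives are actually named.

# Print the extension-stripped names of the regular files in directory $1.
stems() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        b=${f##*/}
        printf '%s\n' "${b%.*}"
    done | sort -u
}

# Print every name present in only one directory; exit status 1 if any.
unmatched() {
    tmp_b=$(mktemp) tmp_a=$(mktemp)
    stems "$1" > "$tmp_b"
    stems "$2" > "$tmp_a"
    report=$( { comm -23 "$tmp_b" "$tmp_a" | sed 's/^/no post-migration file: /'
                comm -13 "$tmp_b" "$tmp_a" | sed 's/^/no pre-migration file: /'; } )
    rm -f "$tmp_b" "$tmp_a"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: fw2 was not collected again after the migration.
work=$(mktemp -d)
mkdir "$work/before" "$work/after"
touch "$work/before/fw1.zip" "$work/before/fw2.zip" "$work/after/fw1.tgz"
unmatched "$work/before" "$work/after" ||
    echo "comparison mode would produce no report for the names listed above"
rm -rf "$work"
```

Run the check against the real -d and -a directories and resolve every listed name first, so that no device silently drops out of the before/after review.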

Run batch traffic simulation queries

AFA provides a script for running batch traffic simulation queries. The script runs each query in both directions.

Do the following:

  1. Create a text file containing the desired queries in the following format:

    source1,source2,...;destination1,destination2,...;service

    For example:

    0.0.0.0-255.255.255.255;*;*
    192.168.2.0/24;200.0.0.0/24;tcp
    *;*;*

  2. Open a terminal and log in using the username "afa" and the related password.

  3. Enter the following command:

    bulk_query -i inputFile -o outputFile

    For more details, see Batch Traffic Simulation Query Flags.

    The bulk_query script runs the traffic simulation queries in the input file and writes the results to the output file.
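
A query file is easy to get wrong when it is generated or pasted from another system, so it can be linted before the batch is run. The following is an added example, not AlgoSec code; the function name is hypothetical, and it assumes address tokens take only the forms shown in the examples above (`*`, an IPv4 address, an IPv4 range, or CIDR), so any other form AFA may accept is reported as well.

```sh
#!/bin/sh
# Added example (not AlgoSec code): lint a bulk_query input file.
# Assumption: address tokens are "*", an IPv4 address, a range (a-b) or CIDR,
# as in the examples above; any other form AFA may accept is reported.

# Print "line N: reason" per malformed line; exit status 1 if any were found.
lint_queries() {
    awk -F';' '
    function ip_ok(s,   o, i) {
        if (split(s, o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    function addr_ok(s,   p) {
        if (s == "*") return 1
        if (split(s, p, "/") == 2)
            return ip_ok(p[1]) && p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32
        if (split(s, p, "-") == 2) return ip_ok(p[1]) && ip_ok(p[2])
        return ip_ok(s)
    }
    function list_ok(s,   t, n, i) {
        n = split(s, t, ",")
        for (i = 1; i <= n; i++) if (!addr_ok(t[i])) return 0
        return n > 0
    }
    NF != 3      { print "line " NR ": expected 3 fields, got " NF; bad = 1; next }
    !list_ok($1) { print "line " NR ": bad source list"; bad = 1 }
    !list_ok($2) { print "line " NR ": bad destination list"; bad = 1 }
    $3 == ""     { print "line " NR ": empty service"; bad = 1 }
    END          { exit bad + 0 }
    ' "$1"
}

# Constructed sample: line 2 has an octet above 255, line 3 lacks the service.
sample=$(mktemp)
cat > "$sample" <<'EOF'
192.168.2.0/24,10.0.0.5;200.0.0.0/24;tcp
10.0.0.300;*;*
10.0.0.1;10.0.0.2
EOF
lint_queries "$sample" || echo "fix the lines above before running bulk_query"
rm -f "$sample"
```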

Batch Traffic Simulation Query Flags

Flag

Description

-i inputFile

The name of the query file.

Note: The file must be located in the current directory.

-o outputFile

The name of the XML file that will be created, into which the script should write the query results.

This file can be converted to CSV format. For more details, see Convert batch process results to CSV.

Run batch IP address searches

AFA provides a script for executing batch IP address searches on rules. This script can be used when performing such tasks as handling shutdown or migrating a large number of servers.

Do the following:

  1. Create a text file containing the desired IP addresses or ranges.

    The IP addresses and ranges must each appear in a separate line.

    For example:

    10.0.0.0-10.0.255.255
    192.168.2.24

    Note: Comment lines are ignored.

  2. Open a terminal and log in using the username "afa" and the related password.

  3. Enter the following command:

    bulk_locate -i input_ips_file -o output_xml_file [-g target_name]

    For more details, see Batch IP Address Search Flags.

The bulk_locate script runs and writes a list of objects containing the specified IP addresses to the output file.

Batch IP Address Search Flags

Flag

Description

-i input_ips_file

The name of the input file containing the IP addresses and ranges.

Note: The file must be located in the current directory.

-o output_xml_file

The name of the XML file that will be created, into which the script should write the search results.

This file can be converted to CSV format. For more details, see Convert batch process results to CSV.

-g target_name

The name of the group or report you want to search, for example: afa-245.

This flag is optional. If it is not included, the search operation will be performed on ALL_FIREWALLS.

Note: Specifying a device's name is not supported.

Convert batch process results to CSV

AFA provides an XSLT transformation file for converting the results of batch traffic simulation queries or batch IP address operations from XML to CSV format, for easy import into Microsoft Excel or other table-based applications.

Note: The output CSV file will include only those columns that exist in the input XML file.

Do the following:

  1. Open a terminal and log in using the username "afa" and the related password.
  2. (Optional) Edit configuration parameters as desired, by doing the following:

    1. Open the file /usr/share/fa/bin/bulk_results_to_csv.xslt in a text or XML editor.
    2. Modify the parameters as desired. For details, see XSLT Transformation File Parameters.

    3. Save the file.

  3. Enter the following command:

    xsltproc xslt_file_name input_xml > output_csv

    Where

    • xslt_file_name is the name of the XSLT transformation file.
    • input_xml is the name of the input file.
    • output_csv is the name of the output file.

The script runs, converts the contents of the batch results file from XML format to CSV format, and writes them to the output file.

XSLT Transformation File Parameters

Parameter

Description

major_delimiter

The delimiter to use between fields of rules.

The default value is a comma (,).

minor_delimiter

The delimiter to use between values in a field, for example between destination addresses.

The default value is a semi-colon (;).

rule_types

The types of rules to include in the output file. They can be one or more of the following:

  • Any. Rules that contain the searched IP address as part of an "Any" clause.
  • NAT. NAT rules that contain the searched IP address.
  • Explicit. Rules that explicitly contain the searched IP address as part of their source or destination.

Values must be surrounded by a "|" on both sides.

For example, to create a CSV file that contains only "Any" and "Explicit" rules, set this parameter's value to |Any|Explicit|.

The default value is |Any|Explicit|NAT|, meaning that all rule types will be included in the output file.

This parameter is only supported for batch IP address operation output.