Configure Firewall Credential Profiles to Fetch Configuration and Rules


    A firewall device can have a large number of rules/access-lists defined to protect the network from external attacks. Of the rules/access-lists configured, some are used heavily and some are used rarely or never. Firewall Analyzer identifies the most used rules in the Top Used Rules view, because those rules appear in the logs generated by the firewall. A rule that never matches traffic never appears in the logs, so to get the Unused Rules view you must configure Firewall Analyzer to fetch the complete rule set from the device. Once Firewall Analyzer has fetched the complete set of rules configured on the firewall, it can compare them against the rules seen in the logs and provide the Unused Rules view.
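    The comparison described above, as an added example that is not Firewall Analyzer's own code: a constructed rule list standing in for the fetched configuration, a few constructed log lines in a hypothetical key=value format, and the derivation of the Top Used and Unused views from them. The rule names, log format and helper names are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed stand-in for the complete rule set fetched from the device,
# in device order. A real fetch would parse the vendor's config dump.
FETCHED_RULES = [
    "allow-web", "allow-dns", "allow-vpn",
    "deny-telnet", "allow-legacy-ftp", "deny-all",
]

# Constructed firewall log lines (hypothetical key=value format).
SAMPLE_LOGS = """\
2024-05-01T10:00:01 action=allow rule=allow-web src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:00:02 action=allow rule=allow-dns src=10.0.0.5 dst=10.0.0.53 dport=53
2024-05-01T10:00:03 action=allow rule=allow-web src=10.0.0.9 dst=203.0.113.8 dport=443
2024-05-01T10:00:04 action=deny rule=deny-all src=198.51.100.3 dst=10.0.0.5 dport=22
2024-05-01T10:00:05 action=allow rule=allow-web src=10.0.0.5 dst=203.0.113.7 dport=80
2024-05-01T10:00:06 action=allow rule=allow-smtp src=10.0.0.7 dst=203.0.113.25 dport=25
"""

RULE_RE = re.compile(r"\brule=(\S+)")


def rule_hit_counts(log_text):
    """Count log hits per rule name; this is all the logs alone can tell you."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def top_used_rules(log_text, n=3):
    """The 'Top Used Rules' view: derived purely from the logs."""
    return [rule for rule, _ in rule_hit_counts(log_text).most_common(n)]


def unused_rules(fetched_rules, log_text):
    """The 'Unused Rules' view: needs the fetched rule set, because a rule
    that never matched traffic has no log line to reveal its existence.
    Output keeps the device's rule order so it reads like the rulebase."""
    used = set(rule_hit_counts(log_text))
    return [rule for rule in fetched_rules if rule not in used]


def rules_in_logs_but_not_in_config(fetched_rules, log_text):
    """Sanity check a practitioner should run after every fetch: a rule name
    that appears in the logs but not in the fetched config means the fetch is
    stale or was taken from the wrong device or virtual domain, and the
    Unused Rules view cannot be trusted until it is re-fetched."""
    return sorted(set(rule_hit_counts(log_text)) - set(fetched_rules))


if __name__ == "__main__":
    print("top used:", top_used_rules(SAMPLE_LOGS))
    print("unused:  ", unused_rules(FETCHED_RULES, SAMPLE_LOGS))
    print("stale?   ", rules_in_logs_but_not_in_config(FETCHED_RULES, SAMPLE_LOGS))
```

    Note that the log window matters as much as the fetch: a rule for a quarterly batch job looks unused against one week of logs, so judge Unused Rules against a log period long enough to cover the traffic the rule exists for.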

    List Profile

    Credential Profile

    At the top of the table there are buttons to add device credential profiles (used to fetch rules), to assign profiles to devices, and to delete profiles. Each is described below.

    After you create and save a device profile through the Firewall Analyzer GUI, it is listed in the Credential Profile table, with an option to edit it and a link to view the profile or associate it with devices to fetch rules. The columns of the Credential Profile table are:

    • Profile Name
    • Description
    • Edit

    Delete Profile

     To delete a device profile, select the check boxes of the respective entries in the Device Profile Details table and click the Delete Profile icon.

    Add Profile

     Click the Add button to create a device credential profile, which is used to fetch rule information from a set of devices that share the same login details. The Add Profile screen pops up.

    You can configure individual device credentials to fetch rules from a single device, or you can create a common credential profile that is used for a group of devices.

    1. Enter the name of the new profile in the Profile Name field. Enter the description of the profile in the Profile Description text area.
    2. Select the protocol in the Protocol drop-down list. The protocols available are Telnet, SSH, Telnet - TFTP, SSH - TFTP, and SCP. Telnet and TFTP carry the login credentials and the fetched configuration in cleartext over the network; use SSH or SCP wherever the device supports it.
    3. Select the type of device in the Device Type drop-down list.
    4. Enter the Device Profile Info. The Device Profile Info is split into two sections:
      • Primary Info - the parameters necessary to establish communication with a common set of devices. Login Name, Password, Admin Privilege, Prompt, Enable UserName, Enable Password and Enable Prompt are classified as basic details.
      • Secondary Info - parameters that usually take standard values. Port, Login Prompt, Password Prompt, Enable User Prompt, Enable Password Prompt, and Command are pre-filled with their standard values by default. Most devices work with these values, and you need not edit them unless your device uses different ones.

    Primary Info

    Device Info and Description:

    • Login Name: While establishing a connection with a device, if the device asks for a Login Name, set a value for this parameter. This parameter is optional.
    • Password: The password for accessing the device.
    • Admin Privilege: Whether administrator privilege is required for device access. Select Yes or No.
    • Banner Prompt: The prompt that appears for the banner.
    • Banner Input: The banner message.
    • Prompt: The prompt that appears after successful login.
    • Enable Command: The command to fetch the rules and configurations.
    • Enable UserName: When entering privileged mode, some devices require a UserName to be entered. Provide the username if prompted; otherwise leave this field empty.
    • Enable Password: The password for entering privileged mode to perform configuration operations like backup/upload. This parameter is mandatory.
    • Enable Prompt: The prompt that appears after going into enable mode.

     

    Note:

    Both Primary and Secondary credentials (Login Name and Password) of the Firewalls are encrypted and stored in the Firewall Analyzer.

    Secondary Info

    Click the Secondary Info link to view or enter values for these parameters. They are pre-filled with their standard values by default. Most devices work with these values, and you need not edit them unless your device uses different ones.

    Device Info and Description:

    • Port (Telnet/SSH): Port number for Telnet/SSH; 23 (for Telnet) and 22 (for SSH) by default.
    • Login Prompt: The text/symbol that appears on the console to request the login name. For example, Login:
    • Password Prompt: The text displayed on the console when asking for the password. For example, Password:
    • Enable User Prompt: The text displayed on the console when asking for the Enable UserName. For example, UserName:
    • Enable Password Prompt: The text displayed on the console when asking for the Enable Password. For example, Password:
    • Command: The command to be executed to fetch the firewall rules is displayed in the Command field.

    5. Click the Save button to apply the values to the device profile. Click Cancel to abandon the new profile.
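    The Primary and Secondary Info fields together describe an expect-style login: wait for each prompt, send the matching value, then run the command and read until the final prompt. The block below is an added illustration of that flow, not Firewall Analyzer's own fetch code: a hypothetical profile dictionary mirroring the fields above, a constructed FakeFirewall that stands in for a real device's CLI (no vendor's actual behaviour), and a driver that derives the prompt/response sequence from the profile. It also shows the two failure modes a practitioner hits most often, a cleartext protocol choice and an unexpected prompt after a wrong credential.

```python
# Hypothetical profile; constructed credential values for the illustration.
PROFILE = {
    "protocol": "SSH", "port": 22,
    "login_name": "auditor", "password": "s3cret",
    "admin_privilege": True,
    "enable_username": "",            # empty: this device does not prompt for it
    "enable_password": "en4ble",
    "login_prompt": "Login:", "password_prompt": "Password:",
    "enable_user_prompt": "UserName:", "enable_password_prompt": "Password:",
    "prompt": "fw>", "enable_prompt": "fw#",
    "command": "show running-config",
}


def profile_warnings(p):
    """Checks worth running before saving a profile."""
    warnings = []
    if p["protocol"].upper().startswith("TELNET"):
        warnings.append("Telnet sends credentials and configuration in cleartext; use SSH or SCP")
    if p["admin_privilege"] and not p["enable_password"]:
        warnings.append("Admin Privilege is Yes but Enable Password is empty")
    return warnings


class FakeFirewall:
    """Constructed stand-in for a firewall CLI (not a real vendor's behaviour)."""
    def __init__(self, login, password, enable_password, config):
        self._creds, self._config = (login, password, enable_password), config
        self._state, self._buf, self._pending = "login", "Login:", None

    def read(self):
        out, self._buf = self._buf, ""
        return out

    def write(self, line):
        login, pw, enpw = self._creds
        if self._state == "login":
            self._pending, self._buf, self._state = line, "Password:", "password"
        elif self._state == "password":
            ok = (self._pending, line) == (login, pw)
            self._buf, self._state = ("fw>", "user") if ok else ("Login incorrect\nLogin:", "login")
        elif self._state == "user":
            if line == "enable":
                self._buf, self._state = "Password:", "enable_password"
            else:
                self._buf = "% Not permitted in user mode\nfw>"
        elif self._state == "enable_password":
            ok = line == enpw
            self._buf, self._state = ("fw#", "enable") if ok else ("Access denied\nfw>", "user")
        elif self._state == "enable":
            self._buf = (self._config if line == "show running-config" else "% Unknown command") + "\nfw#"


def expect_script(p):
    """Translate the profile fields into (prompt to wait for, line to send) pairs."""
    steps = []
    if p["login_name"]:
        steps.append((p["login_prompt"], p["login_name"]))
    steps.append((p["password_prompt"], p["password"]))
    if p["admin_privilege"]:
        steps.append((p["prompt"], "enable"))
        if p["enable_username"]:
            steps.append((p["enable_user_prompt"], p["enable_username"]))
        steps.append((p["enable_password_prompt"], p["enable_password"]))
        final_prompt = p["enable_prompt"]
    else:
        final_prompt = p["prompt"]
    steps.append((final_prompt, p["command"]))
    return steps, final_prompt


def _read_until(dev, prompt, buf=""):
    # Plain suffix match on the prompt string; a real implementation would use
    # a regex and a timeout. An empty read means the device stopped talking
    # or showed a prompt the profile did not anticipate (e.g. after a wrong password).
    while not buf.rstrip().endswith(prompt):
        chunk = dev.read()
        if not chunk:
            raise RuntimeError(f"expected prompt {prompt!r}, device showed {buf.strip()!r}")
        buf += chunk
    return buf


def fetch_rules(p, dev):
    """Drive the session from the profile and return the command output."""
    steps, final_prompt = expect_script(p)
    for prompt, line in steps:
        _read_until(dev, prompt)
        dev.write(line)
    out = _read_until(dev, final_prompt).rstrip()
    return out[: -len(final_prompt)].rstrip()


if __name__ == "__main__":
    dev = FakeFirewall("auditor", "s3cret", "en4ble", "access-list outside permit tcp any host 203.0.113.7 eq 443")
    print(fetch_rules(PROFILE, dev))
```

    The point of the Secondary Info prompts is visible in _read_until: if a device prints "Username:" where the profile says "Login:", the fetch stalls on that prompt rather than logging in, which is why a failed fetch is usually a prompt mismatch rather than a wrong password.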

    Assign Profile

     Click the Assign Profile button to associate devices with device profiles in order to fetch rule information from the devices. The Associate Profiles to Devices screen opens.

    1. In the Profile Name combo box, select the profile to be associated with the devices. If no profile is available, or you want to create and use a new one, you can create a new profile here.
    2. If you want to fetch the rules/configurations from the individual virtual firewalls (virtual domains) separately, select the option 'Display Virtual Domains in the below resources list.' It lists both the virtual firewalls (virtual domains) and the physical devices in the Available Devices and Selected Devices lists.
    3. Select the devices you want to assign or re-assign to the selected profile. All available devices are listed in the Available Device(s) list. Select the devices and click the right arrow; the selected devices move to the Selected Device(s) list. To remove a device from the Selected Device(s) list, select it and click the left arrow; it moves back to the Available Device(s) list.
    4. Select the Schedule > Fetch Rules check box to fetch the rules from the firewall device.
      If no commands are available to fetch rules from the device, a Choose File button appears beside the item so you can upload the rules file manually. Until a file is selected, the message 'No file chosen' appears beside the button. If rule fetching is not supported for the particular device, the message [Not Supported] appears beside the item.
    5. Select the Schedule > Generate Security Audit report check box to generate the Firewall Security Audit report. If no commands are available to fetch configurations from the device, a Choose File button appears beside the item. Until a file is selected, the message 'No file chosen' appears beside the button. If it is not supported for the particular device, the message [Not Supported] appears beside the item.
    6. Select Want to Schedule the Rules/Config fetching to schedule the rules and/or configuration fetching as Every <1 to 31> day(s) @ <0 to 23> Hrs <0 to 50> Min. (For example, if you configure Every 10 day(s) @ 2 Hrs 30 Min, the rules and/or configuration will be fetched from the device every 10 days at 02:30 AM.)
    Note:

    In the Fetch Rules from the device section, if the following message appears: 'Unable to generate compliance report. Reason: Failed to locate Nipper. Click here to enable it'. Carry out the procedure given at the end of the document.

    7. Select the Report > Generate Change Management Report check box to generate the configuration change management report. In this section, Notification Options and Scheduling Options for the configuration changes of the device are available. If no commands are available to fetch configurations from the device, there will be no Change Management report.
    8. Under Notification Options, enter in the Mail To: text box the email address of the user(s) who need to be informed by email when a configuration change happens. If the mail server is not configured in Firewall Analyzer, a Click here to configure link appears; click it to configure the mail server. Enter in the SMS: text box the cellular phone number of the user(s) who need to be informed by SMS when a configuration change happens. If the SMS server is not configured in Firewall Analyzer, a Click here to configure link appears; click it to configure the SMS server.
    9. Under Scheduling Options, enter in the Email: text box the email address of the user(s) to whom the report is to be sent when a scheduled configuration change report is generated. If the mail server is not configured in Firewall Analyzer, a Click here to configure link appears; click it to configure the mail server. Select the schedule for report generation using Get Report for Every <1 to 31> day(s) @ <0 to 23> Hrs <0 to 50> Min (for example, Every 10 day(s) @ 2 Hrs 30 Min generates the report for the device every 10 days at 02:30 AM), and the reporting period using For the <Previous Week, Last 7 Days, Previous Month, Last 30 Days>. Select the report format to be sent by email using the PDF / CSV radio buttons.
    10. Click the Save button to apply the values.

    After the devices are associated with device profiles, the profiles and their associated devices are listed in the Device Profile Details table.

    Note:

    Getting Rules/ Configuration Information from the individual virtual Firewalls (virtual domain)

    If you want to fetch the rules/configurations from the individual virtual firewalls (virtual domains) separately, select the option 'Display Virtual Domains in the below resources list.' on the Associate Profiles to Devices page. It lists both the virtual firewalls (virtual domains) and the physical devices in the device selection list.

     

    Note:

    Troubleshooting: If the following message appears in the Compliance Reports field, enable Nipper.

    'Unable to generate compliance report. Reason: failed to locate nipper. Click here to enable it'

     

    Procedure to enable Nipper

     In the Compliance Report field, the following message appears: 'Unable to generate compliance report. Reason: Failed to locate Nipper. Click here to enable it'. What should I do?

    Supported Platform:

    • Ubuntu 9.1.10
    • Fedora 12
    • OpenSuSE 11.2
    • CentOS 5.5

     Prerequisite:

    The GNU/Linux platform requires Qt 4.5 to be installed. Your package manager system should automatically install this for you.

    Steps:

    1. Download the Nipper libraries for your platform from https://www.manageengine.com/products/firewall/download-third-party-utilities.html
    2. Install the rpm or deb package appropriate to your operating system
    3. Connect to the Firewall Analyzer web client and open the following URL: 'http://<host name>:8500/fw/userConfig.do'
    4. On that page there is an option to provide the path where you installed Nipper. For example: '/usr/bin/nipper'
    5. Click the Save link

    After performing the above steps, go to Settings > Device Profile > Add; the option to generate the compliance report for the device is now enabled.