Newbie question: How to create multi-line IP4GROUPs in CLI

Hi,
I'm currently assigned to evaluating the Clavister W-series (through a V-series demo license) and one of the items on my agenda is to take one of our live Cisco configs and "port" it to the Clavister. One really basic problem I'm facing is how to add items to an IP4GROUP from the CLI after putting a line's worth of members in the initial add/set command (which normally is only a fraction of the group size). Further "set" commands seem to overwrite the initial one. The firewall config I'm porting protects around 1000 servers on 200 VLANs and the object groups (the Cisco equivalent of IP4GROUPs) range from 2 to 250 items. I've been through every reference to IP4GROUP and MEMBERS in the documentation as well as looking at the interactive help, but no luck.
all the best,
-- Inge
Re: Newbie question: How to create multi-line IP4GROUPs in CLI

Hello.
There is a function in the CLI that you can use to make it print out the current members of e.g. an IP4Group object.
Let's say you used the following command to create a group:

    add Address IP4Group TestGrp Members=Vlan10-IP,gw-world

Now you want to add another object in this group, so you use:

    set Address IP4Group TestGrp Members=if1net

BUT, as you have pointed out, the above command will overwrite the existing members in this group, so this is not an alternative, so we need to first make it list the existing members of the group so we can add a new object to it. To do that we type the following:

    set Address IP4Group TestGrp Members=.<tab>

So by typing a dot + pressing TAB, it will list all the current members of the group, so you can then add the extra network in it:

    set Address IP4Group TestGrp Members=Vlan10-IP,gw-world, if1net

I will send a notice to our technical writer to make sure that this is mentioned in the manual as well. Thank you for informing us about it.
Best regards
/Peter
Re: Newbie question: How to create multi-line IP4GROUPs in CLI

Hi Peter,
Thank you for your reply. It is indeed documented that you can use the "."+TAB in order to expand the current elements of an IP4GROUP. This is a convenient feature for interactive use, but I can't see how this is supposed to help me when doing a batch upload of a group definition from a central configuration server. My problem is entering more than a "normal" line's worth of members to an IP4GROUP: Assume that you have 190 CIDR values (networks and host addresses) I need to put into a group. Each CIDR has an average length of e.g. 12 characters and between each CIDR there must be a comma. My configuration upload tool has a max line length of 160 characters. This means that a single configuration line can hold about 12 CIDRs. Assume that I have entered a line with 12 CIDRs, how do I add the remaining 178 (which would imply a total line length of around 2500 characters, which is hard to support on any configuration tool)?
An example of what I mean is to be found on Cisco switches when setting up a trunk on a switchport. Cisco sees that fitting a complete list of VLANs onto a single line of configuration would be quite hard, like:

    switchport trunk allowed vlan 1,3,7,10,118,113,129,328....... 1024,2021,2030-2040...

So in order to create a list with more than 80 characters, you specify extra lines with the "add" keyword and you are able to upload the complete list without hitting the max line length of your terminal or configuration tool:

    switchport trunk allowed vlan 1,3,7,10,118,113,129,328,445,447,449
    switchport trunk allowed vlan add 569,652,666,671,829,299,955,957,960-970

This way, there is no hard limit on the number of VLANs you can specify.
I can try to make the configuration tool type "."+TAB as a replacement for Cisco's "add" keyword, but as the Clavister appliance will try to expand this interactively, I doubt if this will work very well. If it was possible to do something like the command below (making the TAB expansion optional), it would solve my problem:

    add address ip4group testgrp members=1.2.3.4,1.2.3.5,1.2.3.6
    set address ip4group testgrp members=.,1.2.3.7

Having to use TAB after the "." will cause the list to expand and go beyond the maximum line length.
All the best, -- Inge
Re: Newbie question: How to create multi-line IP4GROUPs in CLI

Hello.
I have configured a group named test that consists of 25 objects with long names in my test. I wanted to test to add another object into this group by using .TAB and push it out through a script.
I used a tool called plink.exe (available online for free) that allows me to send in CLI commands from my text file where I have specified the object that I want to add. The tab character is represented in the text file.
To do this, run this command in the command prompt:

    plink.exe admin@IP_to_gateway -m add.txt

I have attached the text file, please use it as a reference. A limitation on the Windows command prompt is that the TAB character cannot be represented, and this is the reason I have to use a text file to insert the TAB character to the security gateway. Is this something that could be of use in your scenario?
Best regards
/Peter

Attachment: add.zip (160 Bytes)
Re: Newbie question: How to create multi-line IP4GROUPs in CLI

Hi Peter,
I've rewritten the configuration uploader to support lines up to 8K in length as well as transmission of "TAB" to create multi-line objects. Trying to create an ip4object larger than abt. 2000 characters fails as the Clavister does not accept lines longer than this. Try typing:

    set Address IP4Group norway-ranges Members=2.150.0.0/17,46.9.0.0/16,46.66.0.0/17,62.13.48.0/24,62.13.50.0/28,62.16.128.0/17,62.50.160.0/19,62.63.0.0/16,62.65.0.0/16,62.70.0.0/16,62.73.192.0/18,62.89.32.0/19,62.92.0.0/16,62.97.128.0/17,62.101.192.0/18,62.109.0.0/16,62.113.128.0/19,62.119.44.0/26,62.128.224.0/19,62.141.128.0/19,62.148.32.0/19,62.176.192.0/19,62.184.247.0/24,62.185.228.0/24,62.186.0.0/16,62.187.0.0/16,62.200.128.0/17,62.209.64.0/18,62.249.160.0/19,63.149.27.64/27,64.14.62.112/28,64.28.0.0/16,64.106.218.64/26,64.210.208.0/24,65.110.0.0/16,66.111.0.0/16,66.216.103.96/29,67.192.16.8/29,69.13.0.0/16,72.3.137.160/27,72.32.45.0/24,74.86.118.112/29,74.205.37.88/29,75.126.81.96/29,77.16.0.0/14,77.40.128.0/17,77.70.128.0/17,77.73.0.0/21,77.74.160.0/21,77.74.216.0/21,77.75.208.0/21,77.88.64.0/18,77.94.232.0/21,77.95.72.0/21,77.106.128.0/18,77.110.192.0/18,77.222.128.0/17,77.223.160.0/19,77.241.96.0/20,77.247.144.0/20,78.24.0.0/16,78.26.0.0/18,78.31.80.0/21,78.41.136.0/21,78.91.0.0/16,78.111.112.0/20,78.156.0.0/19,78.158.224.0/22,78.158.240.0/20,79.135.0.0/19,79.136.12.0/23,79.141.96.0/20,79.160.0.0/15,79.170.80.0/21,79.171.80.0/21,80.64.192.0/20,80.65.48.0/20,80.77.106.0/24,80.80.0.0/16,80.86.128.0/20,80.86.208.0/20,80.89.32.0/19,80.90.240.0/20,80.91.32.0/20,80.91.224.0/20,80.202.0.0/15,80.212.0.0/15,80.231.89.0/24,80.231.90.0/24,80.232.0.0/16,80.239.0.0/16,80.241.80.0/20,80.254.32.0/20,81.0.128.0/18,81.26.32.0/19,81.27.32.0/20,81.29.32.0/20,81.31.195.72/29,81.31.224.0/19,81.93.96.0/20,81.93.160.0/20,81.94.176.0/20,81.166.0.0/15,81.175.0.0/18,81.191.0.0/16,82.96.47.160/28,82.99.0.0/16,82.116.64.0/19,82.117.32.0/19,82.134.0.0/17,82.146.64.0/19,82.147.32.0/19,82.148.128.0/18,82.164.0.0/16,82.194.192.0/19,82.196.192.0/19,82.199.0.0/19,82.206.156.0/25,83.108.0.0/15,83.137.0.0/16,83.140.3.0/24,83.140.245.0/28,83.142.96.0/21,83.143.80.0/21,83.143.112.0/21,83.178.38.0/23,83.178.48.0/22,83.191.144.0/21,83.233.248.0/26,83.241.144.80/29,83.242.0.0/19,83.243.128.0/17

and add another item after this, e.g. ", 84.234.16.0/24", and see that the firewall stops echoing characters and does not accept further input on that line. There is not only a limitation on line length, but on configuration input in general: At around 10K of uploaded ip4group configuration (where no line is longer than 120 characters), the same thing happens independently of the lengths of the lines entered: The firewall no longer supports configuration input and stalls.
To me it seems like you have some problems here.
One more point: The "activate" command lacks an option for waiting until the command completes before returning to the prompt. This is bad, since a script has to wait an undefined period of time before entering "commit". I suggest adding a "-wait" option to facilitate this.
all the best,
-- Inge
Re: Newbie question: How to create multi-line IP4GROUPs in CLI
Please, what is the way to show an already configured IP4group from the CLI?
Re: Newbie question: How to create multi-line IP4GROUPs in CLI

Hello.
Regarding the IPv4 group limit, there is a limit to the amount of objects that can exist in a group. That limit is 256; there exists an RFE about extending the limit, developer ID is COP-9818.
But in your case you only seem to have about 130'ish objects in this group. I tested your command and added 5+ additional networks in addition to the ones you used in your example and I did not encounter any problems.
I did however use just a normal PuTTY session; I tried Plink but it seems the latest version of Plink does not like me as it crashed when I attempted to make it run even one command.

The activate command is a tricky one as there is no exact time on how long a configuration activation/deployment could take. It can be anything from 2 seconds to 60+ seconds depending on the hardware, size of configuration, what changes are made etc. There is a hidden command you can use to check how long the previous reconfigure took:

    reconfigure -timings

Then maybe base that time in your script. Please note that if/when the system performs an update on some of the larger databases such as Anti-virus or IDP the time can increase quite a lot. So it's best to base the time on whenever the system does this to have a maximum value.
@wahiba: Your question about how to show an already configured IP4group, the trick is the following:

    set Address IP4Group test Members=.

As you can see I added a dot "." at the start of the members; if you do that and press "TAB" it will print out all the existing members of the group and you can just keep building / adding / removing members based on that output.
Best regards
/Peter
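The two hard limits that surface in this thread are a per-line length (Inge's uploader stops being accepted somewhere around 2000 characters on one "set ... Members=" line) and Peter's figure of 256 members per IP4Group. The script below is an added example, not code from the thread or from Clavister: it takes a plain list of CIDRs, validates them offline before anything is sent to the gateway, and packs them into numbered IP4Groups ("norway-ranges-1", "norway-ranges-2", ...) so that every group is created by a single "add" command that fits under both limits, with no "set" ever having to repeat the whole list. The limit values, the group naming scheme and the assumption that the resulting sub-groups are then referenced separately in rules are all choices made here, not Clavister behaviour documented on the page.

```python
"""Constructed example: chunk an IPv4 member list into Clavister-style CLI
'add Address IP4Group' commands that stay within a line-length limit and a
per-group member limit.  Not Clavister's code; the limits are assumptions
taken from the thread (lines of ~2000 chars rejected; 256 members/group)."""
import ipaddress
from typing import Iterable, List, Tuple

MAX_LINE_LEN = 2000   # assumed upper bound for one CLI line (Inge's observation)
MAX_MEMBERS = 256     # per-group member limit quoted by Peter


def validate_members(members: Iterable[str]) -> List[str]:
    """Normalise and sanity-check members before anything reaches the gateway.

    strict=True rejects entries whose host bits are set (e.g. 10.0.1.5/24),
    which in a firewall address list is almost always a typo.  Duplicates are
    dropped so a group does not silently carry the same range twice.
    """
    seen, clean = set(), []
    for raw in members:
        net = ipaddress.ip_network(raw.strip(), strict=True)  # ValueError on junk
        if net.version != 4:
            raise ValueError(f"IP4Group takes IPv4 members only: {raw!r}")
        # Hosts are written bare (1.2.3.4), as in the thread; networks keep /len.
        text = str(net.network_address) if net.prefixlen == 32 else str(net)
        if text not in seen:
            seen.add(text)
            clean.append(text)
    return clean


def _command(name: str, members: List[str]) -> str:
    return f"add Address IP4Group {name} Members={','.join(members)}"


def build_group_commands(base_name: str, members: Iterable[str],
                         max_line_len: int = MAX_LINE_LEN,
                         max_members: int = MAX_MEMBERS) -> List[Tuple[str, List[str]]]:
    """Greedily pack members into numbered groups base-1, base-2, ...

    A new group is started whenever adding the next member would push the
    group past max_members or its 'add' line past max_line_len.  Each group
    is created with one 'add', so no 'set' has to re-send the growing list.
    """
    groups: List[Tuple[str, List[str]]] = []
    current: List[str] = []
    idx = 1
    for m in validate_members(members):
        name = f"{base_name}-{idx}"          # hypothetical naming scheme
        candidate = current + [m]
        if current and (len(candidate) > max_members
                        or len(_command(name, candidate)) > max_line_len):
            groups.append((name, current))
            idx += 1
            current = [m]
        else:
            current = candidate
    if current:
        groups.append((f"{base_name}-{idx}", current))
    return groups


def render_script(groups: List[Tuple[str, List[str]]]) -> List[str]:
    """CLI lines in upload order.  The uploader must still pause between
    'activate' and 'commit' itself; the thread notes there is no -wait option."""
    return [_command(n, ms) for n, ms in groups] + ["activate", "commit"]


def parse_members(line: str) -> List[str]:
    """Read the member list back out of an emitted command (used to verify)."""
    return line.split("Members=", 1)[1].split(",")


if __name__ == "__main__":
    # Constructed sample: 190 /24 networks, the count Inge uses in his question,
    # packed for an uploader whose line limit is 160 characters.
    sample = [f"10.{i // 256}.{i % 256}.0/24" for i in range(190)]
    for line in render_script(build_group_commands("norway-ranges", sample,
                                                   max_line_len=160)):
        print(line)
```

Running it with max_line_len=160 (Inge's original tool limit) yields a couple of dozen short "add" lines instead of one 2500-character line; with the 2000-character bound the same 190 members still need more than one group, and the 256-member cap splits a 300-entry list into 256 + 44 regardless of line length. The validation step is the part worth keeping even if the chunking is not: a malformed or duplicated range is far cheaper to catch in the generator than after it has been committed to a perimeter firewall.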