Hi,
Is there a way to create an advanced scheduled job to export all rulesets to a file? Similar to using the REST API and doing
POST "$REST/rulesets/export"
It can also be done through the GUI by going to policy > rulesets and highlighting them all and exporting them to a file, however I cannot figure out if I can create an advanced scheduled job through configuration > central management > advanced scheduled jobs.
Hello @Zach
I suggest using the KISS principle.
All policy/ruleset files are on MWG already, so do a local diff using a cron job.
# go to the conf folder
cd /opt/mwg/storage/default
# get the latest conf file:
ls -rt 2*/gwrs.xml|tail -1
# get the second to last modified conf file:
ls -rt 2*/gwrs.xml|tail -2 | head -1
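# or you can find yesterday's last modified conf file
# (-mtime 1 = modified 24 to 48 hours ago; "+1" combined with "-2" matches nothing, because find counts whole days):
ls -rt $(find . -name gwrs.xml -mtime 1) | tail -1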
# compare conf files:
diff $(ls -rt 2*/gwrs.xml|tail -2 | head -1) $(ls -rt 2*/gwrs.xml|tail -1)
# then you can store or send the results via email
Other alternatives? Use git. Send audit.log (or better all logs) to your SIEM. Don't forget to monitor /opt/mwg/plugin/data/Auth/ and your Kerberos keytab because auth data is stored outside of the config. What about lists? What about external lists? The list of things can go on ...
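A cron-friendly form of the local diff from the answer above, as an added example that is not part of the original post. It handles the cases the one-liners do not: fewer than two snapshots, or an empty snapshot file. The storage path and the `2*/gwrs.xml` layout are taken from the answer; the `STORAGE_DIR` override, the exit codes, the `--run` switch and the script path in the cron comment are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. The storage path and the 2*/gwrs.xml
# layout come from the answer above; STORAGE_DIR, the exit codes and the
# --run switch are assumptions made for this sketch.
STORAGE_DIR="${STORAGE_DIR:-/opt/mwg/storage/default}"

# Print the N-th newest gwrs.xml under DIR (1 = newest).
# Fails if fewer than N snapshots exist (fresh install, pruned history).
# Snapshot directory names are assumed to contain no whitespace.
nth_newest_ruleset() {
    local dir="$1" n="$2" file
    file=$(ls -t "$dir"/2*/gwrs.xml 2>/dev/null | sed -n "${n}p")
    [ -n "$file" ] && printf '%s\n' "$file"
}

# Diff the two newest snapshots.
# Returns 0 = unchanged, 1 = changed (unified diff on stdout),
#         2 = nothing to compare (missing or empty snapshot).
ruleset_changes() {
    local dir="${1:-$STORAGE_DIR}" new old
    new=$(nth_newest_ruleset "$dir" 1) || return 2
    old=$(nth_newest_ruleset "$dir" 2) || return 2
    # Treat an empty file as unusable rather than as "all rules deleted".
    [ -s "$new" ] && [ -s "$old" ] || return 2
    diff -u "$old" "$new"
}

# Cron entry point, e.g.:  0 6 * * * /usr/local/bin/ruleset-diff.sh --run
# (script path is a placeholder). Cron mails any output, so print only
# when there is something to review.
if [ "${1:-}" = "--run" ]; then
    report=$(ruleset_changes) && rc=0 || rc=$?
    case "$rc" in
        1) printf 'Ruleset changed on %s:\n%s\n' "$(hostname)" "$report" ;;
        2) printf 'Ruleset diff on %s: fewer than two usable snapshots\n' "$(hostname)" >&2 ;;
    esac
    exit "$rc"
fi
```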
Hi @Zach ,
Can you describe the use case? If you are wanting to preserve the policy for backup/restore purposes, I suggest you use the Central Management settings to do automatic backups, rather than try and only grab the rule sets. The backup file can then be used to restore only the policy, or just for viewing with the Policy Viewer if you would like.
If you must only export the rule sets, the only way to do that would be through the REST API, which could be automated via cron. There's no way to do that as a scheduled job in the GUI.
We'd like to get a copy each day to see what functional changes were made to our rulesets. We had tried using the REST API but were experiencing some issues when trying to connect to proxy devices that were physically far away. We would sometimes get the full XML file returned, and other times only a partial XML, leaving many tags unclosed.