1. Firewalls, Routers, Switches


Supported Devices

The following table is a comprehensive list of supported devices. The instructions in the table can be used to manually extract data from the device for import into NP-Live or NP-View. While we do our best to support the devices listed below, it is impossible for us to test the parsers against every possible combination of device and configuration. If errors occur during device import, Network Perception is committed to working with our customers to resolve their specific parsing issues.

| Manufacturer | Type/Model | Configuration files needed |
| --- | --- | --- |
| Alcatel-Lucent / Nokia | Service Router (SR), Service Aggregation Router (SAR) | save [filename] |
| Amazon Web Service | Security Groups & Network Access Control Lists | aws ec2 describe-security-groups; aws ec2 describe-instances |
| Azure | Cloud Resource Groups (e.g., VM, VNets, Subnets, NICs, NSGs, etc.) | Azure Cloud Shell (PowerShell 2.1.0): Export-AzResourceGroup |
| BSD (PF) | Firewall (Open, Free and Net) | ifconfig -a > hostname_interfaces.txt. See additional instructions below |
| Check Point | R77 Security Management Server | /etc/fw/conf/objects_5_0.C and /etc/fw/conf/rulebases_5_0.fws. See additional instructions below |
| Check Point | R80 Security Management Server | Use the NP CheckPoint R80 Exporter (PDF documentation, video). See additional instructions below |
| Cisco | ASA, FTD, Catalyst | show running-config. See additional information below |
| Dell | PowerConnect Switch | console#copy running-config startup-config (instructions) |
| Enterasys | Switch | save config |
| Extreme | Switch | save configuration [primary, secondary, existing-config, new-config] (check which config is running with use configuration) |
| Fortinet | Firewall and NGFW | show full-configuration |
| Hirschmann | Eagle One Firewall | copy config running-config nv [profile_name] |
| HP / Aruba | Switch | show running-config |
| Juniper | JunOS Firewall | show configuration |
| Juniper | NetScreen Firewall | get config all |
| Linux | IP Tables Firewall | iptables-save. See additional instructions below |
| NETGEAR | Switch | CLI: show running-config all. Web UI: Maintenance > Download Configuration |
| Nokia | Service Aggregation Router (SAR) | save [filename] |
| Palo Alto | Next Gen Firewall | Device > Setup > Operations > Export named config. snapshot, or Device > Support > Generate Tech Support File. See additional instructions below |
| pfSense | Firewall | Diagnostics > Backup & Restore > Download configuration as XML |
| RuggedCom / Siemens | ROS Switch | config.csv |
| RuggedCom / Siemens | ROX Firewall | admin > save-fullconfiguration. Choose format "cli" and indicate file name |
| Scalance / Siemens | X300-400 Switch | cfgsave |
| SEL-3620 | Firewall | From "Diagnostics", click on "Update Diagnostics" and copy the text |
| SonicWall / Dell | Firewall | Export Settings, then Export (default file name: sonicwall.exp) |
| Sophos | Firewall v16 | Admin console: System > Backup & Firmware > Import Export |
| VMware NSX | Firewall | GET https://{nsxmgr-ip}/api/4.0/edges/ (XML format). Learn more about vCenter and VSX |
| WatchGuard | Firewall | Select Manage System > Import/Export Configuration |

Additional Instructions

BSD and Linux IP Tables

*BSD Firewalls

BSD has three firewalls built into the base system: PF, IPFW, and IPFILTER (also known as IPF).

  • FreeBSD (which focuses on covering as many purposes as possible)
    • PF. Rules are located in the file /etc/pf.conf
    • IPFW. Default rules are found in /etc/rc.firewall. Custom firewall rules live in any file provided through # sysrc firewall_script="/etc/ipfw.rules"
    • IPFILTER, also known as IPF, is a cross-platform, open source firewall which has been ported to several operating systems, including FreeBSD, NetBSD, OpenBSD, and Solaris. The name of the ruleset file is given via the command ipf -Fa -f /etc/ipf.rules
  • OpenBSD (which focuses on security, sometimes at the expense of performance)
    • PF. Rules are located in the file /etc/pf.conf
  • NetBSD (which focuses on portability, running on pretty much any hardware)
    • NPF (in place of PF). Rules are located in the file /etc/npf.conf
    • IPF. Rules for the IPFilter firewall are located in the file /etc/ipf.conf

Linux and similar systems use the same names for interfaces (eth1, eth2, em1, em2, carp1, carp2, etc.). The parser may therefore be confused if interface files and pf configs from different systems are imported at the same time: instead of creating separate devices, it might combine them all into one. To prevent this, group all files by host and name the ifconfig file after the hostname (e.g. host1_interfaces.txt). In the example of two hosts, host1 and host2, the user would import these two directories together:

host1

  • host1_interfaces.txt (note that the parser keys on the "_interfaces" string; the text before "_interfaces" is used to name the device)
  • pf.conf
  • hostname.em1
  • hostname.carp1

host2

  • host2_interfaces.txt (note that the parser keys on the "_interfaces" string; the text before "_interfaces" is used to name the device)
  • pf.conf
  • table1
  • table2

fw1

  • hostname.carp1
  • hostname.carp2
  • hostname.hvm2
  • hostname.hvm3
  • hostname.hvm4
  • obsd_fw1_interfaces.txt
  • pf.conf
  • table1
  • table2

The only required files are the config file (which can be named something other than pf.conf) and the ifconfig file. The hostname.* files are optional (unless they contain descriptions of interfaces that are not in the ifconfig file).

Table files contain a list of IP addresses that can be manipulated without reloading the entire rule set. Table files are only needed if tables are used inside the config file, for example:

table <clients> persist { 198.51.100.0/27, !198.51.100.5 }
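A pre-import check for the host directories described above, as an added example (not Network Perception's own tooling): it derives each device name from the text before "_interfaces", flags directories with zero or several ifconfig files (the merging risk described above), checks that a PF config is present, and lists the tables the config references. The assumption that a table file is named after its table (table <clients> → a file named clients) is this example's, not the page's; the sample host directories are constructed.

```shell
# Pre-import check for BSD PF host directories (added example, not Network
# Perception's tooling): device name = text before "_interfaces", exactly one
# ifconfig file per directory, a PF config present, table files when needed.

# Print the device name derived from the single *_interfaces.txt in $1; return 1
# if there are zero or several such files, either of which misnames or merges devices.
np_device_name() {
    dir=$1
    set -- "$dir"/*_interfaces.txt
    [ -e "$1" ] || { echo "$dir: no *_interfaces.txt" >&2; return 1; }
    [ $# -eq 1 ] || { echo "$dir: several *_interfaces.txt files" >&2; return 1; }
    name=$(basename "$1")
    printf '%s\n' "${name%_interfaces.txt}"
}

# Print the table names referenced by "table <name>" lines in PF config $1.
np_pf_tables() {
    sed -n 's/^[[:space:]]*table[[:space:]]*<\([^>]*\)>.*/\1/p' "$1" | sort -u
}

# Check host directory $1 (PF config name $2, default pf.conf): print one line
# per problem and return the number of problems found.
np_check_host_dir() {
    dir=$1; cfg=${2:-pf.conf}; n=0
    np_device_name "$dir" >/dev/null || n=$((n + 1))
    [ -f "$dir/$cfg" ] || { echo "$dir: missing PF config $cfg" >&2; return $((n + 1)); }
    for t in $(np_pf_tables "$dir/$cfg"); do
        # Assumption: a table file carries the table's name (table <clients> -> clients).
        [ -f "$dir/$t" ] || { echo "$dir: table <$t> used but no file $dir/$t" >&2; n=$((n + 1)); }
    done
    return $n
}

# Constructed sample: host1 is complete, host2 lacks its table file.
np_make_sample() {
    root=$(mktemp -d)
    for h in host1 host2; do
        mkdir "$root/$h"
        echo 'em1: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500' > "$root/$h/${h}_interfaces.txt"
        printf '%s\n' 'table <clients> persist { 198.51.100.0/27, !198.51.100.5 }' \
            'block in quick on em1 from <clients>' > "$root/$h/pf.conf"
    done
    echo '198.51.100.0/27' > "$root/host1/clients"
    printf '%s\n' "$root"
}

for d in "$(np_make_sample)"/*; do
    np_check_host_dir "$d" && echo "$d: OK, device $(np_device_name "$d")" || echo "$d: problems found"
done
```

Run it against your real host directories instead of the constructed sample; a nonzero return from np_check_host_dir means the import is likely to misname or merge devices.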

Check Point

Check Point R77 or earlier

With version R77 or earlier, Check Point stores the information needed by NP-View in two flat files named objects_5_0.C and rulebases_5_0.fws. Those two files can usually be found in the folder /etc/fw/conf of the Check Point Management Server. In a multi-domain environment, the following command can help locate the correct set of files: find / -name "rulebases_5_0.fws" -ls. Usually each domain is a subdirectory under $MDSDIR/customers/ on the Check Point Multi-Domain Management Server (MDS) management station.
Once the files have been identified, they can be transferred to the NP-View workstation using scp or WinSCP.

Optionally, from each Check Point host, one can extract firewall-specific route information using netstat:

 netstat -rn > /root/`hostname`.txt

To create an NP-View project, import:

  • objects_5_0.C
  • rulebases_5_0.fws or multiple .W policy files
  • (optional) hostname.txt
  • (optional) identity_roles.C

Check Point R80 or later

Starting with version R80, Check Point replaces the flat files with a database. We support loading from the database using the NP CheckPoint R80 Exporter (PDF documentation, video).

Cisco
We provide support for the following Cisco devices:

  • ASA 55xx IOS 9.1.x+
  • ASAv IOS 9.15
  • FTD/vFTD FXOS 6.7+
  • Catalyst IOS 3750

For Cisco devices running Firepower, run show running-config on the command line terminal of each device you'd like to import into NP-View or NP-Live.

Palo Alto & Panorama

Panorama

If Panorama is used to centrally manage policies, the security rules may not be stored in the running configuration snapshot file. Instead, one has to import the merged running configuration file from each managed device. The steps to do so are:

  1. Connect to the Web user interface of your managed Palo Alto device
  2. Go to Device > Support > Generate Tech Support File
  3. It may take a few minutes to generate the Tech Support file. Once ready, select Download Tech Support File and save the tarball file on your local workstation where NP-View is running
  4. Import the tarball (.tgz extension) directly into NP-View

For versions of NP-View older than 6.1.4, or if you don't see the full ruleset being imported, expand the tarball and import the following file after manually extracting the archive: opt/pancfg/mgmt/saved-configs/.merged-running-config.xml. It is a hidden (dot) file, so it may not show up in your file explorer, but you can find it via the terminal or by changing the file explorer or Finder settings.

Please note that exporting the Tech Support File directly from Panorama will not include a merged running configuration, only a running-config.xml file that may not have all the rulesets assigned to individual devices.
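Locating and extracting the hidden merged running configuration from a Tech Support tarball, as an added example (not Network Perception's tooling): it looks up the archive member at the path given above, extracts it, and gives a rough count of security rules so a Panorama-generated tarball or an export without the device's rulesets is noticed before import. The sample tarball and its XML are constructed; tar with gzip support is assumed.

```shell
# Pull the merged running configuration out of a Palo Alto Tech Support
# tarball. Added example, not Network Perception's tooling: the member path
# is the one given above, the sample tarball and its XML are constructed.
MERGED=opt/pancfg/mgmt/saved-configs/.merged-running-config.xml

# Print the archive member holding the merged config in tarball $1 (with or
# without a leading "./"), or nothing if the archive lacks it.
np_find_merged_config() {
    tar -tzf "$1" | grep -F -x -e "$MERGED" -e "./$MERGED" | head -n 1
}

# Extract the merged config from tarball $1 into directory $2 and print its
# path. Returns 1 when it is absent, as with a tarball generated on Panorama.
np_extract_merged_config() {
    tgz=$1; out=$2
    member=$(np_find_merged_config "$tgz")
    [ -n "$member" ] || { echo "$tgz: no .merged-running-config.xml (Panorama export?)" >&2; return 1; }
    mkdir -p "$out" && tar -xzf "$tgz" -C "$out" "$member" || return 1
    printf '%s\n' "$out/${member#./}"
}

# Rough rule count: <entry name=...> lines inside <security>...</security>.
# A merged config should show the device's full ruleset here.
np_count_security_rules() {
    sed -n '/<security>/,/<\/security>/p' "$1" | grep -c '<entry name='
}

# Constructed sample tarball with a two-rule merged config, members "./"-prefixed.
np_make_sample_tarball() {
    root=$(mktemp -d)
    mkdir -p "$root/src/${MERGED%/*}"
    cat > "$root/src/$MERGED" <<'EOF'
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
<entry name="allow-dns"><action>allow</action></entry>
<entry name="deny-all"><action>deny</action></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>
EOF
    (cd "$root/src" && tar -czf ../techsupport.tgz .)
    printf '%s\n' "$root/techsupport.tgz"
}

xml=$(np_extract_merged_config "$(np_make_sample_tarball)" "$(mktemp -d)") \
    && echo "$xml: $(np_count_security_rules "$xml") security rules"
```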

Requesting Support for New Devices

We are continuously developing parsers and adding support for new devices. Our current to-do list includes the following devices, in no specific order:

  • Foundry/Brocade/Ruckus
  • F5 – BigIP, Network Appliances
  • IPFire Firewall
  • IPCOP
  • Foundry switches
  • Allied Telesis switch
  • Raptor switch
  • IS5
  • OpnSense Firewall
  • Firepower Management Center (FMC)

If you require one of these parsers or have a firewall, router, or switch that is not listed, please let us know by contacting support@network-perception.com.

The easiest way for us to develop a new parser is to have access to a sample configuration file. You can securely send configuration files to the support team using the Portal File Vault. The File Vault includes a config sanitizer that automatically removes sensitive information and replaces confidential IP addresses with random values.
