<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Generic firewall route and interface reporting in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/generic-firewall-route-and-interface-reporting/m-p/3315554#M995790</link>
    <description>1000 commands is a bit exaggerated.&lt;BR /&gt;With show route you'll get all routes the firewall knows (static and dynamic), like netstat -rn on Linux. Show int ip brief gives you the interface name and the IP address. If this is the only thing you're interested in, then those 2 commands are enough. &lt;BR /&gt;&lt;BR /&gt;If you want to go deeper into the routing, then you'll have a set of commands for each protocol. The same applies to interfaces, if you want to see the name zone of the interface or check interface counters.&lt;BR /&gt;</description>
    <pubDate>Mon, 22 Jan 2018 00:24:53 GMT</pubDate>
    <dc:creator>Francesco Molino</dc:creator>
    <dc:date>2018-01-22T00:24:53Z</dc:date>
    <item>
      <title>Generic firewall route and interface reporting</title>
      <link>https://community.cisco.com/t5/network-security/generic-firewall-route-and-interface-reporting/m-p/3315524#M995768</link>
      <description>&lt;P&gt;&lt;EM&gt;The forum is not displaying my replies and after editing the original post, the thread has disappeared so I am reposting this without any potential characters in the code snippet that may cause a problem.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have several Cisco based firewalls, all with different firmware versions, for which I am asked to develop an application to report on all the interfaces and the firewall routes. A technician has stated that each device requires 1000's of commands to enumerate this information. The question I have is whether the technician is correct in that assertion. I can imagine it may vary from device to device, and even by firmware version (though not frequently, I am sure); however, I am skeptical of the magnitude of commands suggested.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;For example, in FreeBSD, I can obtain all the interfaces with &lt;STRONG&gt;ifconfig&lt;/STRONG&gt; and known routes with &lt;STRONG&gt;netstat&lt;/STRONG&gt;&amp;nbsp;producing information such as:&lt;/P&gt;
&lt;PRE&gt;vmx0: inet x.y.z.255 netmask 0xfffffc00 broadcast 255.255.255.255
vmx1: inet 172.18.0.1 netmask 0xffffff00 broadcast 172.18.0.255
vmx2: inet 172.17.0.1 netmask 0xffffff00 broadcast 172.17.0.255
vmx3: inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
vmx4: inet 172.15.0.1 netmask 0xffffff00 broadcast 172.15.0.255
vmx5: inet a.b.c.165 netmask 0xfffffc00 broadcast 255.255.255.255
lo0: inet 127.0.0.1 netmask 0xff000000

Internet:
Destination        Gateway            Flags     Netif Expire
default            x.y.z.1            UGS        vmx0
a.b.c.0/22         link#6             U          vmx5
a.b.c.165          link#6             UHS         lo0
x.y.z.0/22         link#1             U          vmx0
x.y.z.255          link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
172.15.0.0/24      link#5             U          vmx4
172.15.0.1         link#5             UHS         lo0
172.16.0.0/24      link#4             U          vmx3
172.16.0.1         link#4             UHS         lo0
172.17.0.0/24      link#3             U          vmx2
172.17.0.1         link#3             UHS         lo0
172.18.0.0/24      link#2             U          vmx1
172.18.0.1         link#2             UHS         lo0&lt;/PRE&gt;
&lt;P&gt;Does a similar convention of reasonable command length exist for Cisco based firewalls?&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 15:10:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/generic-firewall-route-and-interface-reporting/m-p/3315524#M995768</guid>
      <dc:creator>erik.morillo</dc:creator>
      <dc:date>2020-02-21T15:10:50Z</dc:date>
    </item>
    <item>
      <title>Re: Generic firewall route and interface reporting</title>
      <link>https://community.cisco.com/t5/network-security/generic-firewall-route-and-interface-reporting/m-p/3315535#M995774</link>
      <description>Hi&lt;BR /&gt;&lt;BR /&gt;What command are you looking for?&lt;BR /&gt;&lt;BR /&gt;For getting all interfaces and their IPs, you can use "show int ip brief" and for routes use "show route"&lt;BR /&gt;</description>
      <pubDate>Sun, 21 Jan 2018 23:03:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/generic-firewall-route-and-interface-reporting/m-p/3315535#M995774</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2018-01-21T23:03:21Z</dc:date>
    </item>
    <item>
      <title>Re: Generic firewall route and interface reporting</title>
      <link>https://community.cisco.com/t5/network-security/generic-firewall-route-and-interface-reporting/m-p/3315548#M995779</link>
      <description>&lt;P&gt;Hi&amp;nbsp;Francesco,&lt;BR /&gt;So if I was to extrapolate the technician's reaction, it may take a combined total of 1000 or more commands to create and manage all the potential route types on a given firewall, but in the case where I need to simply enumerate the interfaces and all known routes at a given point in time on the device, the commands you provided are sufficient. To be honest, those look pretty basic and&amp;nbsp;likely to be present on most firewall OS's and firmware versions. I'll revisit the concern with the guy but it looks like I can accomplish what I need.&lt;BR /&gt;&lt;BR /&gt;Thanks a lot.&lt;/P&gt;</description>
      <pubDate>Sun, 21 Jan 2018 23:55:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/generic-firewall-route-and-interface-reporting/m-p/3315548#M995779</guid>
      <dc:creator>erik.morillo</dc:creator>
      <dc:date>2018-01-21T23:55:55Z</dc:date>
    </item>
    <item>
      <title>Re: Generic firewall route and interface reporting</title>
      <link>https://community.cisco.com/t5/network-security/generic-firewall-route-and-interface-reporting/m-p/3315554#M995790</link>
      <description>1000 commands is a bit exaggerated.&lt;BR /&gt;With show route you'll get all routes the firewall knows (static and dynamic), like netstat -rn on Linux. Show int ip brief gives you the interface name and the IP address. If this is the only thing you're interested in, then those 2 commands are enough. &lt;BR /&gt;&lt;BR /&gt;If you want to go deeper into the routing, then you'll have a set of commands for each protocol. The same applies to interfaces, if you want to see the name zone of the interface or check interface counters.&lt;BR /&gt;</description>
      <pubDate>Mon, 22 Jan 2018 00:24:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/generic-firewall-route-and-interface-reporting/m-p/3315554#M995790</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2018-01-22T00:24:53Z</dc:date>
    </item>
  </channel>
</rss>

