Common groups across multiple firewalls

mahesh18 · ‎04-19-2013

Hi Everyone,

I need to review network objects groups in the firewalls for some project work.

Then i need to find common group across all the firewalls

as well as objects in those common groups.

Need to undertsand how can i start this work?

What commands should i run on the firewalls?

Thanks

Mahesh

Jouni Forss · ‎04-19-2013

Hi,

I am not sure if there is an easy way to do this.

You can use the following command to view all "object-group" on the firewall (both service and network type object-groups)

show run object-group

You can use the following commands to show all the certain types of "object-group"

show run object-group network

show run object-group service

show run object-group protocol

If you know a name of an "object-group" you can view its configuration with the command

show run object-group id

Rest of the commands to my understanding would be using some search string to filter the search results

For example to just get the names names of the "object-group" configured on the firewall you could use

show run object-group | inc object-group

Though this would also show the ACLs where the "object-group" are used too

And naturally there is multitude of different versions of the above according to what search string you use after the "| inc" parf of the above commands.

If you are just trying to find same named "object-group" on the firewalls then you can just filter the configurations with the name

sh run object-group | inc

Searching for object-groups which contain the same objects under them would be a bit harder. Especially if we are talking about "object-group" which contain multiple objects under them

- Jouni

patrick.preuss · ‎04-20-2013

Hi

You can use rancid to grap the configs and then some perl, Python magic Tod compare the object groups .

Hth

Sent from Cisco Technical Support Android App