01-20-2018 09:12 AM - edited 02-21-2020 07:10 AM
I am developing a custom reporting and calculation application for a team of users. While I am awaiting access to a mock lab, I know I will need to manually define a list of applicable firewall devices of various models (and firmware versions) and determine the interfaces and their associated routes. It's been suggested that, given the variance of device models in scope, there is no reasonable generic approach applicable within the time constraints. A technician has indicated the variance in route types and their commands across all device and firmware combinations is too large.
My question is, does a software- and device-specific command exist that can enumerate all active routes and their associated interfaces? If 30 devices are in scope and each device has 3 software versions, for example, I am content developing an interface that supports that many potential variations if only a short few commands are needed, but if the technician is correct and it's 30 devices, each with several potential firmware versions, each with 1000's of commands, then the feat is not likely possible.
Can I obtain the info I need in a simplified approach, regardless of whether it's unique to a device and firmware version?
Reply in message edit as forum is not revealing my reply attempts:
All I know as of yet is the devices will be Cisco-based firewalls, all with different firmware versions. The question I have is whether the technician is correct in asserting that, in order to enumerate a device's interfaces and route table, it involves 1000's of commands. I can imagine it may vary from device to device, and even by firmware version (though not frequently, I am sure); however, I am skeptical of the magnitude suggested.
For example, in FreeBSD, I can obtain all the interfaces and known routes as follows:
# ifconfig -a |egrep -e '^[a-z]|inet '
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet x.y.z.255 netmask 0xfffffc00 broadcast 255.255.255.255
vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.18.0.1 netmask 0xffffff00 broadcast 172.18.0.255
vmx2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.17.0.1 netmask 0xffffff00 broadcast 172.17.0.255
vmx3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
vmx4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.15.0.1 netmask 0xffffff00 broadcast 172.15.0.255
vmx5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet a.b.c.165 netmask 0xfffffc00 broadcast 255.255.255.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
enc0: flags=0<> metric 0 mtu 1536
# netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            x.y.z.1            UGS        vmx0
a.b.c.0/22         link#6             U          vmx5
a.b.c.165          link#6             UHS         lo0
x.y.z.0/22         link#1             U          vmx0
x.y.z.255          link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
172.15.0.0/24      link#5             U          vmx4
172.15.0.1         link#5             UHS         lo0
172.16.0.0/24      link#4             U          vmx3
172.16.0.1         link#4             UHS         lo0
172.17.0.0/24      link#3             U          vmx2
172.17.0.1         link#3             UHS         lo0
172.18.0.0/24      link#2             U          vmx1
172.18.0.1         link#2             UHS         lo0
Does a similar convention of reasonable command length exist for Cisco based firewalls?
01-24-2018 03:07 AM
show ip route will give you the complete routing table of a layer 3 switch, router and/or FW. show ip int brief (or show addresses on an ASA) will give you the interfaces and their respective IP addresses.
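As an added example (not code from this thread or from Cisco), the two commands in the answer above and the FreeBSD output in the question can each feed one small per-platform parser that emits the same route record, which is the normalisation the reporting application needs. The Python below parses the quoted FreeBSD `netstat -rn4` lines and a constructed Cisco IOS `show ip route` sample (not captured from a real device) into one record type, and resolves the egress interface itself when IOS prints only a next hop; ASA output formats differ and are not handled here.

```python
import ipaddress
import re
from collections import namedtuple
# One normalised record per route: CIDR destination, next hop ("direct" if connected), egress interface
Route = namedtuple("Route", "destination gateway interface")

# `netstat -rn4` lines taken from the FreeBSD output quoted in the thread
FREEBSD_NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            x.y.z.1            UGS        vmx0
172.18.0.0/24      link#2             U          vmx1
172.18.0.1         link#2             UHS         lo0
"""
# Constructed sample of Cisco IOS `show ip route` output (not captured from a real device)
IOS_SHOW_IP_ROUTE = """\
S*    0.0.0.0/0 [1/0] via 10.0.0.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet0/0
L        10.0.0.2/32 is directly connected, GigabitEthernet0/0
S     192.168.1.0/24 [1/0] via 10.0.0.1, GigabitEthernet0/0
"""
# Route code(s), prefix, then "[AD/metric] via HOP[, IFACE]" or "is directly connected, IFACE"
IOS_ROUTE = re.compile(
    r"^(?P<code>[A-Z][A-Z*]?(?: [A-Z0-9]{1,2})?)\s+(?P<dest>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\] via (?P<gw>\d+(?:\.\d+){3})(?:, (?P<via_if>\S+))?"
    r"|is directly connected, (?P<conn_if>\S+))")

def parse_freebsd_netstat(text):
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":  # header or blank line
            continue
        dest, gw, _flags, netif = parts[:4]
        dest = "0.0.0.0/0" if dest == "default" else dest if "/" in dest else dest + "/32"
        routes.append(Route(dest, "direct" if gw.startswith("link#") else gw, netif))
    return routes

def parse_ios_show_ip_route(text):
    routes = [Route(m["dest"], "direct" if m["conn_if"] else m["gw"], m["conn_if"] or m["via_if"] or "")
              for m in map(IOS_ROUTE.match, text.splitlines()) if m]
    # IOS may omit the egress interface on a static route; resolve it by longest-prefix match of the hop
    connected = sorted((r for r in routes if r.gateway == "direct"),
                       key=lambda r: ipaddress.ip_network(r.destination).prefixlen, reverse=True)
    for i, r in enumerate(routes):
        if r.gateway != "direct" and not r.interface:
            hop = ipaddress.ip_address(r.gateway)
            hit = next((c for c in connected if hop in ipaddress.ip_network(c.destination)), None)
            routes[i] = r._replace(interface=hit.interface if hit else "unknown")
    return routes
```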
01-21-2018 05:11 AM
I have no idea what you are talking about; could you give an example? What Cisco products are in scope for this?
01-21-2018 08:24 AM
Hi Dennis,
I don't have a list yet, but I can assume it's a decent-sized collection of Cisco firewall products. I will have to accommodate the subset when I begin developing.
I guess what I am after is a confirmation of whether getting route and interface data is an enormous task or not. For example, in FreeBSD I can enumerate the info as follows:
# ifconfig -a |egrep -e '^[a-z]|inet '
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet x.x.x.255 netmask 0xfffffc00 broadcast 255.255.255.255
vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.18.0.1 netmask 0xffffff00 broadcast 172.18.0.255
vmx2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.17.0.1 netmask 0xffffff00 broadcast 172.17.0.255
vmx3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
vmx4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.15.0.1 netmask 0xffffff00 broadcast 172.15.0.255
vmx5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet y.y.y.165 netmask 0xfffffc00 broadcast 255.255.255.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
# netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            x.x.x.1            UGS        vmx0
y.y.y.0/22         link#6             U          vmx5
y.y.y.165          link#6             UHS         lo0
x.x.x.0/22         link#1             U          vmx0
x.x.x.255          link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
172.15.0.0/24      link#5             U          vmx4
172.15.0.1         link#5             UHS         lo0
172.16.0.0/24      link#4             U          vmx3
172.16.0.1         link#4             UHS         lo0
172.17.0.0/24      link#3             U          vmx2
172.17.0.1         link#3             UHS         lo0
172.18.0.0/24      link#2             U          vmx1
172.18.0.1         link#2             UHS         lo0
172.21.2.0/24      172.21.2.2         UGS      ovpns2
172.21.2.1         link#11            UHS         lo0
172.21.2.2         link#11            UH       ovpns2
This is what I am after: a complete enumeration of all interfaces and the routes known at a given point in time. I can accept that a given device and firmware may require a different command, but what I want to know is whether it takes 1000's of commands, as indicated by a technician, and is therefore not feasible.