How to export All the rules from a 8350 FirePower Policy

subrun.jamil
Level 1

Hello, 

 

How do I export all the rules in a FirePower policy? The reason I am asking this question is that searching for items in SourceFire is not very user friendly. For example, if I want to search with an AD group name, it really does not look at the User field. That's why I am wondering how to search for an AD group in a firewall policy. It would also be good to know how to view a firewall policy after exporting it.

 

4 Replies

Francesco Molino
VIP Alumni
Hi

You will need to use API calls to export the ACP, and in the returned results you'll see all role details, which means you will have the AD group condition.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Marvin Rhoads
Hall of Fame

The deployed access control policy should be located in:

/var/sf/detection_engines/UUID/ngfw.rules 

The UUID (Universally Unique Identifier) will vary - look in /var/sf/detection_engines folder for your UUIDs and, if there are multiple, choose the one with the latest timestamp.

You can export and/or search that file (e.g. with grep utility) to examine the ACP in more detail.

 

Hello Marvin,

 

How can I get rid of the below message while trying to scp?

 

root@HH-HHH-HH1:/var/sf/detection_engines/302e2fca-7a77-11e6-870d-af9f5b863148# sudo scp ngfw.rules admin@10.7.XX.XX:/var/tmp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:4raWthjsdjfhsdjhfkjsdhfiwryeiuweryVgdqAQLwraTy3L0NJk.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:2
ECDSA host key for 10.7.XX.XX has changed and you have requested strict checking.
Host key verification failed.
lost connection

Do like the message says and:

"Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:2"
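
The warning above means the key stored on line 2 of known_hosts no longer matches what the remote host presents, so the stored entry should be replaced only after the offered key's fingerprint has been compared with one read from the remote host out-of-band. The Python below is an added example, not code from anyone in this thread; it shows that check followed by the replacement. The host address, key blobs and function names are constructed for illustration.

```python
import base64, hashlib, hmac

def _blob(label):  # constructed stand-in for a public key blob, not a real key
    return base64.b64encode(label.encode()).decode()

HOST = "192.0.2.10"  # constructed address (the thread masks the real one)
OLD_BLOB, NEW_BLOB = _blob("constructed-old-key"), _blob("constructed-new-key")
SAMPLE_KNOWN_HOSTS = (
    f"other.example ssh-ed25519 {_blob('constructed-other-key')}\n"
    f"{HOST} ecdsa-sha2-nistp256 {OLD_BLOB}\n"  # line 2: the "offending" entry
)

def fingerprint(key_b64):
    """SHA256 fingerprint as ssh prints it: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: hashed (|1|salt|hmac) or a plain comma list.
    Wildcard patterns are not handled here."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")

def replace_host_key(known_hosts, host, offered, trusted_fp):
    """Return known_hosts text with host's key of that type replaced by `offered`
    ("keytype blob"), but only if it matches the out-of-band fingerprint."""
    keytype, blob = offered.split()[:2]
    if fingerprint(blob) != trusted_fp:
        raise ValueError("offered key does not match the trusted fingerprint")
    kept = []
    for line in known_hosts.splitlines():
        f = line.split()
        stale = (len(f) >= 3 and not line.startswith(("#", "@"))
                 and f[1] == keytype and host_matches(f[0], host))
        if not stale:
            kept.append(line)
    return "\n".join(kept + [f"{host} {keytype} {blob}"]) + "\n"

if __name__ == "__main__":
    offered = f"ecdsa-sha2-nistp256 {NEW_BLOB}"
    trusted = fingerprint(NEW_BLOB)  # in practice: read from the remote host's console
    print(replace_host_key(SAMPLE_KNOWN_HOSTS, HOST, offered, trusted))
```

On a live system, `ssh-keygen -R <host>` removes the stale entry once the new fingerprint has been confirmed.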
