Importing SN firewalls from a CSV file
To quickly import a large number of firewalls into SMC and generate their connecting packages, you can create a CSV file and import it on the server from the web interface or from the command line interface.
A sample CSV file "example-firewalls-and-packages.csv" is available on the server, in the folder /opt/stormshield/examples/csv/.
The file may contain the following parameters organized in columns and separated by commas. The order in which columns appear does not matter. Only the value of the first column #fwname is mandatory, the others may be left blank:
- #fwname: firewall's name,
- #fwversion: version of the firewall used for determining the version of the generated connecting package. If this field is empty, version 4.0.0 will be used.
- #fwdesc: firewall's description,
- #fwplace: location of the firewall,
- #fwfolder: the destination folder of the firewall. A path in the form of <folder1>/<folder2>/... can be specified to indicate the destination folder in the hierarchy of folders. If the specified folders do not yet exist, the SMC server will create them. If this field is empty, the default folder will be the root folder.
- #vpn_fw_public_ip_address: firewall contact IP address manually specified in its settings and used in VPN topologies,
- #vpn_fw_local_address: firewall output interface used as source in VPN tunnels.
- #pkg_fw_address: contact address of the firewall detected by SMC,
- #pkg_fw_netmask: subnet mask,
- #pkg_fw_gateway: the firewall's default gateway,
- #pkg_smc_addresses (IP1:PORT1:BINDADDR1,IP2:PORT2): the IP address, port and outgoing interface of the SMC server. This information is needed for the connecting package. The outgoing port and interface are optional. On SN firewalls in version 3.9 and upwards, you can specify an outgoing interface for each IP address. On firewalls from versions 3.3.X to 3.8.X, only the first outgoing interface will be taken into account.
- vpn_fw_subject_dn: for certificates obtained via SCEP or EST, the Distinguished Name of the subject of the firewall's default certificate,
- vpn_fw_issuer_dn: for certificates obtained via SCEP or EST, the Distinguished Name of the issuer of the firewall's default certificate.
Check that the CSV file editor has not modified the "," separator character. If it has, the file may fail to import on the SMC server. For more information on the separator character, refer to the section Choosing the separator character in CSV files.
- Select Monitoring > Firewalls and click on Import firewalls.
- Select the CSV file.
- Select all the necessary options.
- The following window will show a summary of the operations and enable connecting packages to be downloaded if you have selected this option.
If some of the firewalls in the file already exist on SMC, their properties will be updated with the new values found in the file. If any cell in the file is empty, the value will be considered empty and the older value will be overwritten.
If you wish to keep an existing value, delete the relevant column in the CSV file.
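A pre-import check for the rules above, as an added example (not Stormshield's code): it flags a changed separator, an empty #fwname, empty cells that would replace existing values on update, and malformed #pkg_smc_addresses entries. It assumes IPv4 SMC addresses and that a #pkg_smc_addresses cell holding several addresses is quoted; the function names and sample rows are constructed for illustration.

```python
import csv, io, ipaddress

# Constructed sample file; names and addresses are illustrative only.
SAMPLE = '''#fwname,#fwversion,#fwfolder,#pkg_smc_addresses
fw-paris,4.0.0,Europe/France,"203.0.113.10:1754"
fw-lyon,3.7.2,,"203.0.113.10:1754:192.0.2.1,203.0.113.11:1754:192.0.2.2"
,4.0.0,Europe,"203.0.113.300:99999"
'''

def lint_firewall_csv(text):
    """Return (row, column, message) findings for an SMC import file."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header = [h.strip() for h in rows[0]] if rows else []
    if "#fwname" not in header:
        hint = " (separator changed to ';'?)" if any(";" in h for h in header) else ""
        return [(1, "#fwname", "mandatory column missing" + hint)]
    findings = []
    for n, cells in enumerate(rows[1:], start=2):
        row = dict(zip(header, (c.strip() for c in cells)))
        if not row.get("#fwname"):
            findings.append((n, "#fwname", "mandatory value is empty"))
        for col, val in row.items():
            if col != "#fwname" and not val:
                findings.append((n, col, "empty cell replaces the existing value on update"))
        findings += check_smc_addresses(n, row)
    return findings

def check_smc_addresses(n, row):
    """Check the IP[:PORT[:BINDADDR]] entries; BINDADDR itself is not validated."""
    out, col = [], "#pkg_smc_addresses"
    entries = [e.strip().split(":") for e in row.get(col, "").split(",") if e.strip()]
    for parts in entries:
        ip, port = parts[0], parts[1] if len(parts) > 1 else ""
        try:
            ipaddress.IPv4Address(ip)  # assumption: IPv4, since ':' is the separator
        except ValueError:
            out.append((n, col, f"bad SMC IP address: {ip!r}"))
        if port and not (port.isdecimal() and 1 <= int(port) <= 65535):
            out.append((n, col, f"bad port: {port!r}"))
    binds = sum(1 for parts in entries if len(parts) > 2 and parts[2])
    version = tuple(int(p) for p in row.get("#fwversion", "").split(".")[:2] if p.isdecimal())
    if binds > 1 and (3, 3) <= version <= (3, 8):
        out.append((n, col, "3.3.X to 3.8.X: only the first outgoing interface is used"))
    return out

if __name__ == "__main__":
    for finding in lint_firewall_csv(SAMPLE):
        print(finding)
```

Running the check before an import makes an unintended overwrite visible: any row reported with an empty cell needs either a value or the column removed from the file.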
When several administrators are connected at the same time, we recommend that you import firewalls from the web interface rather than from the command line, so that each administrator will be informed when changes are applied.
- Start by copying the CSV file to the SMC server over SSH, for example into the /tmp folder. This example is used in the procedure below.
- Connect to the SMC server via the console port or SSH connection with the “root” account.
- Enter the command:
  smc-firewalls-and-packages /tmp/filename.csv
Generated connecting packages are available in the folder /tmp/packages.
The status of an import will be indicated for each firewall, as well as a summary when the import is complete.
You can also:
- Import firewalls without generating connecting packages, using the --firewall-only option:
  smc-firewalls-and-packages /tmp/filename.csv --firewall-only
- Generate only connecting packages, using the --package-only option:
  smc-firewalls-and-packages /tmp/filename.csv --package-only
If an imported firewall already existed in SMC, an error will appear. You may use the --force-update option to overwrite the existing firewall with the one indicated in the CSV file.