Importing SNS firewalls from a CSV file

To quickly import a large number of firewalls in SMC and generate their connecting package, you can create a CSV file and import it on the server from the web interface or from the command line interface.

You have to be a general administrator to perform this operation, i.e., you hold write privileges on all folders in the SMC web interface. For more information, refer to the section Restricting folder administrators' access privileges.

An example of a CSV file "example-import-firewalls.csv" is available on the server, in the folder /opt/stormshield/examples/csv/.

The file may contain the following parameters organized in columns and separated by commas. The order in which columns appear does not matter. Only the value of the first column #fwname is mandatory, the others may be left blank:

  • #fwname: firewall's name,
  • #fwversion: version of the firewall used for determining the version of the generated connecting package. If this field is empty, version 4.0.0 will be used.
  • #fwdesc: firewall's description,
  • #fwplace: location of the firewall,
  • #folder: the destination folder of the firewall. A path in the form of <folder1>/<folder2>/... can be specified to indicate the destination folder in the hierarchy of folders. If the specified folders do not yet exist, the SMC server will create them. If this field is empty, the default folder will be the root folder.

  • #vpn_fw_public_ip_address: firewall contact IP address manually specified in its settings and used in VPN topologies,

  • #vpn_fw_local_address: firewall output interface used as source in VPN tunnels,
  • #network_cfg_deploy: determines whether network interfaces and routing can be managed via the SMC server. If nothing is entered in this field, the option will be disabled by default.

  • #pkg_fw_address: contact address of the firewall detected by SMC,

  • #pkg_fw_netmask: subnet mask,

  • #pkg_fw_gateway: the firewall's default gateway,

  • #pkg_smc_addresses (IP1:PORT1:BINDADDR1,IP2:PORT2): the IP address, port and outgoing interface of the SMC server. This information is needed for the connecting package. The outgoing port and interface are optional. On SNS firewalls in version 3.9 and upwards, you can specify an outgoing interface for each IP address. On firewalls from versions 3.7.X to 3.8.X, only the first outgoing interface will be taken into account.
  • vpn_fw_subject_dn: for certificates obtained via SCEP or EST, the Distinguished Name of the subject of the firewall's default certificate,
  • vpn_fw_issuer_dn: for certificates obtained via SCEP or EST, the Distinguished Name of the issuer of the firewall's default certificate.

IMPORTANT
Ensure that the CSV file editor has not changed the "," separator character, in which case the file may not be imported on the SMC server. For more information on the separator character, refer to the section Choosing the separator character in CSV files.

  1. Select Monitoring > Firewalls and click on Import firewalls.
    Import firewalls button
  2. Select the CSV file.
  3. Select all the necessary options.
  4. The following window will show a summary of the operations and enable connecting packages to be downloaded if you have selected this option.

If some of the firewalls in the file already exist on SMC, their properties will be updated with the new values found in the file. If any cell in the file is empty, the value will be considered empty and the older value will be overwritten.

If you wish to keep an existing value, delete the relevant column in the CSV file.

IMPORTANT
When several administrators are connected at the same time, we recommend that you import firewalls from the web interface instead of in command line, so that each administrator will be informed when changes are applied.

  1. Start by copying the CSV file on the SMC server using the SSH protocol in the /data/tmp folder for example. This example is used in the procedure below.
  2. Log in to the SMC server via the console of your hypervisor or in SSH.
  3. Enter the command:
    smc-import-firewalls /data/tmp/filename.csv.

To change the value of the delimiter character, use the environment variable SMC_CSV_DELIMITER. For more information, refer to the section Choosing the separator character in CSV files.

Generated connecting packages are available in the folder /tmp/import-firewalls-[date of import].

The status of an import will be indicated for each firewall, as well as a summary when the import is complete.

Executing a firewall import in command line

You can also:

  • Import firewalls without generating connecting packages, using the option --firewall-only:

smc-import-firewalls /data/tmp/filename.csv --firewall-only

  • Generate only connecting packages, by using the option --package-only:

smc-import-firewalls /data/tmp/filename.csv --package-only

If an imported firewall already existed in SMC, it will be automatically updated after the script is run.