Importing rules from a CSV file
This feature makes it possible to import rules from a CSV file that was created manually or exported from a SNS firewall. Files can contain both filter and NAT rules.
An example of a CSV file "example-import-rules.csv" is available on the server, in the folder /opt/stormshield/examples/csv/.
You can either export existing rules from a firewall or create a new CSV file.
To export the CSV file from a firewall:
- Connect to the firewall.
- Go to the menu Security policy ⇒ Filtering and NAT.
- At the top of the panel, choose whether to display the global or local policy that you wish to export. Only rules from the active slot will be exported.
- Click on Export.
IMPORTANT
Ensure that the CSV file editor has not changed the "," separator character, in which case the file may not be imported on the SMC server. For more information on the separator character, refer to the section Choosing the separator character in CSV files.
To create a new CSV file, and to find out details about header lines, you may:
- Choose to export rules from a firewall,
- Look up the example given on the SMC server as indicated above.
Note that you need one CSV file per rule folder, and one CSV file per firewall for that firewall's specific rules.
You need read/write privileges to import rules.
If the rules reference objects from your SNS configuration that are not already in the SMC configuration, you must import them beforehand on the server. For more information on importing objects, refer to the section Importing objects.
- In Configuration > Firewalls and Folders, browse until you reach the level of the folder or the firewall on which you want to import the rules.
- Open the Filtering and translation tab and select Filter rules or NAT rules tab. Both types of rules can be imported from either tab and from the same CSV file.
- Click on Import in the toolbar.
- Select the CSV file to import.
- Choose whether to add the rules to the existing rules or to replace them with the newly imported rules. With the first option, the new rules are added after the existing rules, under a separator that indicates the date on which they were imported.
Rules are imported to the high-priority rules of a folder by default. To import rules to low-priority rules, indicate the value "low" in the column #smc_folder_prio in the CSV file (last column). If the file was exported from a firewall, there is no such column; add it manually.
NOTE
If you wish to import a security policy that contains rule sets, you must create them first on the SMC server. For more information, refer to the section Creating rule sets.
In case of error, refer to the import summary.
No other actions can be performed on the server while rules are being imported.
The command for importing rules is: smc-import-rules
Various options can be added to this command.
During import, we recommend that you log on to the administration session exclusively with read/write access.
Rule sets cannot be imported from the command line.
In both of the following cases, for each rule imported, the status of the import will be displayed. If there is a failure while importing a rule, the reason will be given and no rules or objects will be imported. However, the entire CSV file will be scanned so that the SMC server can detect potential errors. Correct any errors before attempting a new import.
Rules imported from the command line are added after the existing rules.
If the rules reference objects from your SNS configuration that are not already in the SMC configuration, you can also import them on the server together with the rules.
If you are importing rules and objects referenced in rules:
- Export the list of objects in CSV format from an SNS firewall by following the procedure in the section Creating the CSV file.
- Copy both CSV files (rules and objects) to the SMC server over SSH, to the /tmp folder for example.
- Log in to the SMC server via the console of your hypervisor or over SSH.
- Depending on the rule destination, type the command:
smc-import-rules /tmp/rules-file.csv --objects /tmp/objects-file.csv --firewall destination-firewall
if the destination of these rules is a firewall, or
smc-import-rules /tmp/rules-file.csv --objects /tmp/objects-file.csv --folder destination-folder
if the destination of these rules is a folder.
Rules are imported to the high-priority rules of a folder by default. To import rules to low-priority rules, add --low-priority at the end of the command or indicate the value "low" in the column #smc_folder_prio in the CSV file (last column). If the file was exported from a firewall, there is no such column; add it manually.
The CSV file containing the list of objects includes the full list of objects found in the configuration of the SNS firewall, but at this stage, the SMC server will only import objects that were referenced in rules. If objects referenced in rules are already on the server, they will not be imported a second time.
However, if necessary, you can force the update of these objects using the option --update:
smc-import-rules /tmp/fichier-de-regles.csv --update --objects /tmp/fichier-d-objets.csv --folder dossier-de-destination --low-priority
If you are importing rules only (without objects):
- Start by copying the CSV file to the SMC server over SSH, to the /tmp folder for example.
- Log in to the SMC server via the console of your hypervisor or over SSH.
- Depending on the rule destination, type the command:
smc-import-rules /tmp/rules-file.csv --firewall destination-firewall
if the destination of these rules is a firewall, or
smc-import-rules /tmp/rules-file.csv --folder destination-folder
if the destination of these rules is a folder.
Rules are imported to the high-priority rules of a folder by default. To import rules to low-priority rules, add --low-priority at the end of the command or indicate the value "low" in the column #smc_folder_prio in the CSV file (last column). If the file was exported from a firewall, there is no such column; add it manually.
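Added example, not Stormshield's code and not part of this page: a small pre-flight script for a rules CSV that checks the "," separator has survived the editor (the IMPORTANT note above) and appends the #smc_folder_prio column with the value "low" when a firewall export lacks it, as both the GUI and command-line procedures above require. Column names other than #smc_folder_prio are constructed placeholders; the real header is in example-import-rules.csv on the server.

```python
import csv
import io

# Column SMC reads for folder priority (documented); a firewall export lacks it.
PRIO_COLUMN = "#smc_folder_prio"
EXPECTED_DELIMITER = ","


def detect_delimiter(csv_text: str) -> str:
    """Guess the separator from the header line: ',' ';' or tab.
    Spreadsheet editors in some locales silently save with ';'."""
    header = csv_text.splitlines()[0]
    counts = {d: header.count(d) for d in (",", ";", "\t")}
    return max(counts, key=counts.get)


def separator_ok(csv_text: str) -> bool:
    """True only if the file still uses the ',' separator SMC expects."""
    return detect_delimiter(csv_text) == EXPECTED_DELIMITER


def add_priority_column(csv_text: str, priority: str = "low") -> str:
    """Return the CSV with #smc_folder_prio appended as the LAST column.
    Existing values are left untouched if the column is already present."""
    if not separator_ok(csv_text):
        raise ValueError("separator is not ',': fix the file before importing")
    rows = [row for row in csv.reader(io.StringIO(csv_text)) if row]
    header = rows[0]
    if PRIO_COLUMN in header:
        return csv_text
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header + [PRIO_COLUMN])
    for row in rows[1:]:
        writer.writerow(row + [priority])
    return out.getvalue()


# Constructed samples: placeholder column names, not the real SNS export header.
SAMPLE_EXPORT = (
    "#col_a,#col_b,#col_c\n"
    "filter,pass,any\n"
    'nat,map,"a, b"\n'
)
SAMPLE_SEMICOLON = "#col_a;#col_b;#col_c\nfilter;pass;any\n"

if __name__ == "__main__":
    print(add_priority_column(SAMPLE_EXPORT), end="")
```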