Firewall Scripting Question
-
Some times we will get requests that require us to add 100 or more new IP’s into a firewall. To add them from a CLI it would look something like this:
Example list the user sends us in the request:
1.1.1.1
1.1.1.2
1.1.1.3
1.1.1.4Firewall format for CLI:
config firewall address
edit 1.1.1.1/32
set associated-interface “port16”
set subnet 1.1.1.1/32
next
edit 1.1.1.2/32
set associated-interface “port16”
set subnet 1.1.1.2/32
next
edit 1.1.1.3/32
set associated-interface “port16”
set subnet 1.1.1.3/32
next
edit 1.1.1.4/32
set associated-interface “port16”
set subnet 1.1.1.4/32From a list of IP’s I have figured out all of the scripting to get the following done:
config firewall address
edit 1.1.1.1/32
set associated-interface “port16”
set subnet
next
edit 1.1.1.2/32
set associated-interface “port16”
set subnet
next
edit 1.1.1.3/32
set associated-interface “port16”
set subnet
next
edit 1.1.1.4/32
set associated-interface “port16”
set subnetFrom the initial IP list at the top of this post I will go thru and add a “/32” to the end of each line. Then I use the following
find what: “32”
replace with: “/32\n set associated-interface “port16”\n set subnet\nnext”IS there a way to copy the IP address from the edit line of each entry and enter it after the “set subnet” command? Right now I can copy/paste from each line which is not too bad when you are doing a list of 50 but when it may be 300 that is another story.
Thanx!
Mike
-
What you want is a capturing group, and then a way to put the captured text into the replacement in multiple places.
I would be tempted to try the following:
Open the Replace dialog by pressing Ctrl+h and then set up the following search parameters:
Find what box:^(\d+\.\d+.\d+.\d+)(\R)
Replace with box:config firewall address\2edit \1/32\2set associated-interface "port16"\2set subnet \1/32\2next\2
Search mode radiobutton: Regular expression
Wrap around checkbox: ticked
Option checkboxes not mentioned are typically not important to the operation, but should in general be unticked.
Then press the Replace All button.From your original list of simply the 4 IP addresses, that generated the following for me:
config firewall address edit 1.1.1.1/32 set associated-interface "port16" set subnet 1.1.1.1/32 next config firewall address edit 1.1.1.2/32 set associated-interface "port16" set subnet 1.1.1.2/32 next config firewall address edit 1.1.1.3/32 set associated-interface "port16" set subnet 1.1.1.3/32 next config firewall address edit 1.1.1.4/32 set associated-interface "port16" set subnet 1.1.1.4/32 nextNote: I also captured the line-ending via
(\R)into the second group and replayed it out into multiple spots in the replacement with\2. -
Yes, there is. Assuming you have already added the /32 and the set/set/next lines, then the following should work for you:
- FIND =
(?s)edit (\d+\.\d+\.\d+\.\d+)/32.*?set subnet$ - REPLACE =
${0} $1 - Search Mode = Regular Expression
This will add a space, plus the IP (
1.1.1.4, etc) after the closestset subnetIf you want the /32 included, change the FIND to
- FIND =
(?s)edit (\d+\.\d+\.\d+\.\d+/32).*?set subnet$
Note: using regular expressions is not generally considered “scripting”. It’s just fancy search-and-replace.
edit: while I was typing, @Alan-Kilborn beat me to the punch, though his assumed just the list of IP addresses, and mine assumed you’d already done the described portion of the search/replace. Both are good solutions, depending where in the process you are.
- FIND =
-
THANK YOU BOTH @Alan-Kilborn and @PeterJones for answering this question!!! My SINCEREST apologies for not looking at this and thanking you sooner but I got sidetracked with other projects/endeavors.
@PeterJones, Yes I would be using a list of IP’s that I pulled out of a spreadsheet and just pasted them into another file.
-
@Alan-Kilborn Is there a way to do it without the “config firewall address” being added to each line? I made a mistake in adding it to the ask. You type that in to get into the mode to add IP’s to the firewall and it is not needed on each line, you only have to enter it once so it would not be needed in the script.
-
Is there a way to do it without the “config firewall address” being added to each line?
Presume you would just remove this part from the Replace with ? :
config firewall address\2 -
@Alan-Kilborn That works but for some reason it leaves the last IP without any text added (the original did the same when I tried). So from this list:
1.1.1.1
1.1.1.2
1.1.1.3
1.1.1.4When I apply:
FIND:^(\d+.\d+.\d+.\d+)(\R)
REPLACE:edit \1/32\2set associated-interface “port16”\2set subnet \1/32\2next\2
I get the following:
edit 1.1.1.1/32
set associated-interface “port16”
set subnet 1.1.1.1/32
next
edit 1.1.1.2/32
set associated-interface “port16”
set subnet 1.1.1.2/32
next
edit 1.1.1.3/32
set associated-interface “port16”
set subnet 1.1.1.3/32
next
1.1.1.4Did I miss copying something above?
Let me just say THANK YOU SOOOOOOO MUCH!! This can save me HOURS of TEDIOUS config doing it all by hand or doing thru the firewall GUI (which is a PAIN). Having to add a NULL IP at the end of the list with the current formula is NOT a big deal by any means… :-)
I
-
@Mike-Gill said in Firewall Scripting Question:
That works but for some reason it leaves the last IP without any text added
Well, probably your last line is different from the others.
It probably doesn’t have a line-ending on it.
The “pattern” for matching requires a line-ending.
Move the caret to after the4and press Enter to get that line-ending – hopefully that is an obvious thing, but I don’t know your “noob” status. :-) -
@Alan-Kilborn Noob to Notepad++ I have ALWAYS used Textpad until recently. I was not looking at the BIG picture and trying to do 5 things at the same time… In my original script I was doing it the long and hard way and yours blew it out of the water…LOL!
I REALLY do appreciate your help and patience with answering my questions. Once again THANK YOU for your help on this!