    Firewall Scripting Question

    9 Posts 3 Posters 772 Views
    Mike Gill

      Sometimes we will get requests that require us to add 100 or more new IPs into a firewall. To add them from a CLI it would look something like this:

      Example list the user sends us in the request:

      1.1.1.1
      1.1.1.2
      1.1.1.3
      1.1.1.4

      Firewall format for CLI:

      config firewall address
      edit 1.1.1.1/32
      set associated-interface "port16"
      set subnet 1.1.1.1/32
      next
      edit 1.1.1.2/32
      set associated-interface "port16"
      set subnet 1.1.1.2/32
      next
      edit 1.1.1.3/32
      set associated-interface "port16"
      set subnet 1.1.1.3/32
      next
      edit 1.1.1.4/32
      set associated-interface "port16"
      set subnet 1.1.1.4/32

      From a list of IPs I have figured out all of the scripting to get the following done:

      config firewall address
      edit 1.1.1.1/32
      set associated-interface "port16"
      set subnet
      next
      edit 1.1.1.2/32
      set associated-interface "port16"
      set subnet
      next
      edit 1.1.1.3/32
      set associated-interface "port16"
      set subnet
      next
      edit 1.1.1.4/32
      set associated-interface "port16"
      set subnet

      From the initial IP list at the top of this post I will go through and add a "/32" to the end of each line. Then I use the following:

      find what: "32"
      replace with: "/32\n set associated-interface "port16"\n set subnet\nnext"

      Is there a way to copy the IP address from the edit line of each entry and enter it after the "set subnet" command? Right now I can copy/paste from each line, which is not too bad when you are doing a list of 50, but when it may be 300 that is another story.

      Thanx!

      Mike

      Alan Kilborn @Mike Gill

        @Mike-Gill

        What you want is a capturing group, and then a way to put the captured text into the replacement in multiple places.

        I would be tempted to try the following:

        Open the Replace dialog by pressing Ctrl+h and then set up the following search parameters:
        Find what box: ^(\d+\.\d+\.\d+\.\d+)(\R)
        Replace with box: config firewall address\2edit \1/32\2set associated-interface "port16"\2set subnet \1/32\2next\2
        Search mode radiobutton: Regular expression
        Wrap around checkbox: ticked
        Option checkboxes not mentioned are typically not important to the operation, but should in general be unticked.
        Then press the Replace All button.

        From your original list of simply the 4 IP addresses, that generated the following for me:

        config firewall address
        edit 1.1.1.1/32
        set associated-interface "port16"
        set subnet 1.1.1.1/32
        next
        config firewall address
        edit 1.1.1.2/32
        set associated-interface "port16"
        set subnet 1.1.1.2/32
        next
        config firewall address
        edit 1.1.1.3/32
        set associated-interface "port16"
        set subnet 1.1.1.3/32
        next
        config firewall address
        edit 1.1.1.4/32
        set associated-interface "port16"
        set subnet 1.1.1.4/32
        next

        Note: I also captured the line-ending via (\R) into the second group and replayed it out into multiple spots in the replacement with \2.

        PeterJones @Mike Gill

          @Mike-Gill ,

          Yes, there is. Assuming you have already added the /32 and the set/set/next lines, then the following should work for you:

          • FIND = (?s)edit (\d+\.\d+\.\d+\.\d+)/32.*?set subnet$
          • REPLACE = ${0} $1
          • Search Mode = Regular Expression

          This will add a space, plus the IP (1.1.1.4, etc.) after the closest "set subnet".

          If you want the /32 included, change the FIND to

          • FIND = (?s)edit (\d+\.\d+\.\d+\.\d+/32).*?set subnet$

          Note: using regular expressions is not generally considered “scripting”. It’s just fancy search-and-replace.

          edit: while I was typing, @Alan-Kilborn beat me to the punch, though his assumed just the list of IP addresses, and mine assumed you’d already done the described portion of the search/replace. Both are good solutions, depending where in the process you are.

          Mike Gill

            THANK YOU BOTH @Alan-Kilborn and @PeterJones for answering this question!!! My SINCEREST apologies for not looking at this and thanking you sooner but I got sidetracked with other projects/endeavors.

            @PeterJones, yes, I would be using a list of IPs that I pulled out of a spreadsheet and just pasted into another file.

            Mike Gill @Alan Kilborn

              @Alan-Kilborn Is there a way to do it without the "config firewall address" being added to each entry? I made a mistake in adding it to the ask. You type that in to get into the mode to add IPs to the firewall and it is not needed for each entry; you only have to enter it once, so it would not be needed in the script.

              Alan Kilborn @Mike Gill

                @Mike-Gill

                Is there a way to do it without the "config firewall address" being added to each entry?

                Presumably you would just remove this part from the Replace with box:

                config firewall address\2

                Mike Gill @Alan Kilborn

                  @Alan-Kilborn That works, but for some reason it leaves the last IP without any text added (the original did the same when I tried). So from this list:

                  1.1.1.1
                  1.1.1.2
                  1.1.1.3
                  1.1.1.4

                  When I apply:

                  FIND: ^(\d+\.\d+\.\d+\.\d+)(\R)

                  REPLACE: edit \1/32\2set associated-interface "port16"\2set subnet \1/32\2next\2

                  I get the following:

                  edit 1.1.1.1/32
                  set associated-interface "port16"
                  set subnet 1.1.1.1/32
                  next
                  edit 1.1.1.2/32
                  set associated-interface "port16"
                  set subnet 1.1.1.2/32
                  next
                  edit 1.1.1.3/32
                  set associated-interface "port16"
                  set subnet 1.1.1.3/32
                  next
                  1.1.1.4

                  Did I miss copying something above?

                  Let me just say THANK YOU SOOOOOOO MUCH!! This can save me HOURS of TEDIOUS config doing it all by hand or doing it through the firewall GUI (which is a PAIN). Having to add a NULL IP at the end of the list with the current formula is NOT a big deal by any means… :-)

                  I

                  Alan Kilborn @Mike Gill

                    @Mike-Gill said in Firewall Scripting Question:

                    That works but for some reason it leaves the last IP without any text added

                    Well, probably your last line is different from the others.
                    It probably doesn't have a line-ending on it.
                    The "pattern" for matching requires a line-ending.
                    Move the caret to after the 4 and press Enter to get that line-ending. Hopefully that is an obvious thing, but I don't know your "noob" status. :-)

                    Mike Gill @Alan Kilborn

                      @Alan-Kilborn Noob to Notepad++; I have ALWAYS used TextPad until recently. I was not looking at the BIG picture and trying to do 5 things at the same time… In my original script I was doing it the long and hard way and yours blew it out of the water… LOL!

                      I REALLY do appreciate your help and patience with answering my questions. Once again THANK YOU for your help on this!

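The recipe in this thread, and the trailing-newline edge case it ran into, as an added example (not code from any poster): a small Python script that does the same capturing-group expansion as the Replace dialog, but with the line ending made optional so a final line with no newline is still expanded, plus a second function that validates each line as an IPv4 address before emitting anything. Function names, the constructed sample list and the interface-name check are this example's own assumptions; the `edit` / `set associated-interface` / `set subnet` / `next` layout and the `port16` interface name come from the thread, and the single `config firewall address` ... `end` wrapper follows the FortiOS CLI convention that `config` is entered once and closed with `end`.

```python
"""Build FortiGate-style 'config firewall address' entries from a plain
list of IPv4 addresses (added example; not from the forum thread)."""
import ipaddress
import re

# Constructed sample input.  The last line deliberately has NO trailing
# newline: that is the case that left "1.1.1.4" unexpanded in the thread.
SAMPLE_LIST = "1.1.1.1\n1.1.1.2\n1.1.1.3\n1.1.1.4"

# One dotted quad per line, with the line ending captured so it can be
# replayed, as in the Notepad++ recipe.  The dots are escaped: an unescaped
# '.' would also match '1a1b1c1'.
_STRICT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(\r?\n)", re.MULTILINE)
# Same pattern, but the line ending is optional so a final line without one
# still matches (an empty group 2 is then replaced by "\n").
_LENIENT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(\r?\n|$)", re.MULTILINE)


def regex_expand(text: str, interface: str = "port16",
                 require_newline: bool = False) -> str:
    """Pure search-and-replace, like the Replace dialog.  With
    require_newline=True it reproduces the thread's behaviour (last line
    left alone); the default also expands a final line with no newline."""
    pattern = _STRICT if require_newline else _LENIENT

    def repl(m: re.Match) -> str:
        ip, eol = m.group(1), m.group(2) or "\n"
        return (f"edit {ip}/32{eol}"
                f'set associated-interface "{interface}"{eol}'
                f"set subnet {ip}/32{eol}"
                f"next{eol}")

    return pattern.sub(repl, text)


def build_address_config(text: str, interface: str = "port16") -> str:
    """Validated version for lists pasted out of a spreadsheet: every
    non-blank line must parse as an IPv4 address (the regex above would
    happily accept 999.999.999.999), duplicates are dropped, and the
    entries are wrapped in a single 'config firewall address' ... 'end'
    block, since 'config' is only entered once."""
    # Assumption: interface names are plain tokens; anything else could
    # break out of the quoted string in 'set associated-interface "..."'.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", interface):
        raise ValueError(f"refusing unusual interface name {interface!r}")
    seen = set()
    out = ["config firewall address"]
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                      # blank lines are harmless
        try:
            ip = ipaddress.IPv4Address(line)
        except ipaddress.AddressValueError as exc:
            raise ValueError(
                f"line {lineno}: {line!r} is not an IPv4 address") from exc
        if ip in seen:
            continue                      # no duplicate address objects
        seen.add(ip)
        out += [f"edit {ip}/32",
                f'set associated-interface "{interface}"',
                f"set subnet {ip}/32",
                "next"]
    out.append("end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(regex_expand(SAMPLE_LIST), end="")
    print(build_address_config(SAMPLE_LIST), end="")
```

`regex_expand` is the Replace-dialog recipe transcribed; `build_address_config` is what you would actually paste into a production firewall, because a stray cell value such as `1.1.1` or `1.1.1.256` is rejected with the offending line number instead of turning into a half-formed address object.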
                      The Community of users of the Notepad++ text editor.