Hi,
I've created a script which can check if you have firewall(s) configured as the installation target of multiple policy packages (based on a real story ...).
It uses dbedit and should be useful if you are dealing with many firewalls and some/many policy packages.
#!/bin/bash
# bash is required: the script relies on arrays, [[ ]] and "echo -e"
echo "###############"
echo "##"
echo "# dbedit script"
echo "# To find : if a firewall is the installation target of multiple Policy Packages"
echo "#"
echo "# Usage :"
echo "# [Expert@mySMS:0]# ./dbedit_extractNotUniqueTargetForPolicies.sh"
echo "#"
#
# Changelog:
# YYYY-MM-DD AUTHOR DESCRIPTION
# ---------- --------------------------- ---------------------------------------------
# 2018-02-09 Xavier Bensemhoun (Victrix) Initial version
# 2018-02-11 Xavier Bensemhoun (Victrix) Adding comments and publishing
#
#
echo "#"
# Temporary file that will receive the list of installation targets (one name per line)
files="dbedit_extractNotUniqueTargetForPolicies.log"
# Command is:
# echo -e "query policies_collections, name='*'\n-q\n" | dbedit -local
# in order to retrieve all policy packages details
#
# From the result, we will filter as:
# 1) grep installable_targets
# > in order to retrieve only lines with targets (firewalls)
# 2) sed 's/Name\://g; ...'
# > delete some words (the "installable_targets:", "Name:" and "(Table: network_objects)"
#   decorations around each target; this pattern is assumed, the original was cut off)
# 3) sed -e 's/[[:blank:]]\+/\n/g'
# > replace spaces with new lines (firewall names cannot contain spaces)
echo -e "query policies_collections, name='*'\n-q\n" | dbedit -local \
  | grep installable_targets \
  | sed 's/installable_targets\://g; s/Name\://g; s/(Table\: network_objects)//g' \
  | sed -e 's/[[:blank:]]\+/\n/g' > "$files"
# Then we will copy non-empty lines into a new file
for i in $files
do
  sed '/^$/d' "$i" > "$i.out"
  #mv $i.out $i
done
# Then we will count unique firewall names; from this list, we will copy the non-unique names into a new file
# (uniq -c prints the count first, so we drop every line whose count is exactly 1)
sort "$files.out" | uniq -c | sed '/^ *1 /d' > "$files.out.unique"
# Then, for each non-unique target, we will find the policy packages for which it is the target using the whereused dbedit command
if [ -s "$files.out.unique" ]
then
  echo "Ouch ! The following firewall(s) are installation target for multiple policy packages:"
  # we will open this last file and then execute the following commands line-by-line
  while IFS='' read -r line || [[ -n "$line" ]]; do
    # Explode each line into an array (unquoted on purpose, so the count and the name are split):
    # ${arrIN[0]} is the number of policy packages for which the firewall is the installation target
    # ${arrIN[1]} is the name of the firewall
    arrIN=(${line})
    echo "${arrIN[1]}, ${arrIN[0]} times"
    # Command is:
    # echo -e "whereused network_objects ${arrIN[1]}\n-q\n" | dbedit -local
    # in order to execute the whereused search for a specific firewall network object
    #
    # From the result, we will filter as:
    # 1) grep "policies_collections"
    # > in order to retrieve only the list of policy packages for which it is the installation target
    # 2) sed 's/referral_obj\: Name/Policy/g;' | sed 's/ (Table\: policies_collections)//g'
    # > delete some words
    echo -e "whereused network_objects ${arrIN[1]}\n-q\n" | dbedit -local \
      | grep policies_collections \
      | sed 's/referral_obj\: Name/Policy/g;' \
      | sed 's/ (Table\: policies_collections)//g'
  done < "$files.out.unique"
else
  echo "Perfect: there is no firewall as installation target of multiple policy packages"
fi
# You can delete or keep temporary files if you need
rm "$files"*
You'll be able to launch this script without arguments.
Something like:
[Expert@mySMS:0]# ./dbedit_extractNotUniqueTargetForPolicies.sh
Enjoy
Information Security enthusiast, CISSP, CCSP