BrianT
Comet
2 months ago

Cloning Firewall rules

Ever notice how Cato defaults are not Cato best practices?

I have a preferred layout for Internet Firewall and WAN Firewall rules. I have them in multiple sections for business rules and best practice rules.

I am wanting to create a pristine template that I can apply to a new tenant that sets up all of my preferences.

I am pretty fluent with Postman and Python.

Any breadcrumbs or ideas on how to back up the Internet Rules from one tenant and push them into a net new tenant?

Any ideas are greatly appreciated.

Thanks,

Brian

5 Replies

  • Hi BrianT,
    We are working on publishing bulk management of Internet Firewall and WAN Firewall rules through Terraform very soon. Would you be open to setting up a workshop to walk through how we can help manage in this way using Terraform?

  • peter
    Cato Employee

    Hello BrianT,

    I think there are two questions here:

    1. How do I port an IFW rulebase from one account to another?
    2. How do I set up a template for IFW rules I can use to provision new accounts with my preferred best practice set of rules?

    For the first requirement, you would use the policy.internetFirewall.policy query to read the existing rules from the first account, then you'd need to transform those into the right inputs for the policy.internetFirewall.addSection, policy.internetFirewall.addRule and policy.internetFirewall.publishPolicyRevision mutations to load the IFW policy into the second account.

    The second requirement is similar but instead of reading the policy from an existing account you would be starting with an IFW policy defined in something like JSON or YAML.

    If I was doing either of these, I'm most comfortable with Python, so I'd just script it. The second use case in particular though sounds like a good candidate for something like Terraform, so if this is interesting to you, it might be worth checking out the resources in our GitHub repo: https://github.com/catonetworks/terraform-provider-cato

    • BrianT
      Comet

      Thank you, Peter,

      Can you perhaps help me with the GraphQL query for "policy.internetFirewall.policy"? I am having a hard time understanding the documentation @ InternetFirewallPolicy. Any working example I could test at the GraphQL Playground would be super helpful.

      • BrianT
        Comet

        I spoke too soon. I figured out how I was getting lost in the documentation. Once I found the right section, I was able to get a working query.

        Now on to Terraform, wish me luck. :)
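
Added example (not from the thread or from Cato): the transform step described in peter's reply, in Python, turning an exported IFW rulebase into an ordered list of addSection, addRule and publishPolicyRevision steps for a new tenant. The JSON shape of the export and of the plan entries is an assumption, not Cato's schema, and the sample data is constructed.

```python
import json

# Constructed sample export; the field names are assumptions, not Cato's schema.
SAMPLE_EXPORT = json.loads("""
{"sections": [{"id": "s-1", "name": "Best Practice"}, {"id": "s-2", "name": "Business"}],
 "rules": [
  {"id": "r-1", "index": 2, "section": "s-1", "name": "Block risky categories",
   "action": "BLOCK", "enabled": true, "source": {"group": []}},
  {"id": "r-2", "index": 1, "section": "s-1", "name": "Block anonymizers",
   "action": "BLOCK", "enabled": true, "source": {"group": []}},
  {"id": "r-3", "index": 3, "section": "s-2", "name": "Allow finance app",
   "action": "ALLOW", "enabled": true,
   "source": {"group": [{"id": "g-77", "name": "Finance"}]}}
 ]}
""")

def find_id_refs(node, path=""):
    """Return paths of nested objects that carry a tenant-local 'id'."""
    refs = []
    if isinstance(node, dict):
        if "id" in node and path:
            refs.append(path)
        for key, value in node.items():
            refs += find_id_refs(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            refs += find_id_refs(value, f"{path}[{i}]")
    return refs

def build_plan(export):
    """Turn an exported rulebase into ordered steps for a new tenant."""
    section_names = {s["id"]: s["name"] for s in export["sections"]}
    # Sections first, in their exported order, so rules have somewhere to land.
    plan = [{"op": "addSection", "name": s["name"]} for s in export["sections"]]
    warnings = []
    # Keep the original rule order: position decides which rule matches first.
    for rule in sorted(export["rules"], key=lambda r: r["index"]):
        # Drop identifiers that only mean something in the source tenant.
        body = {k: v for k, v in rule.items() if k not in ("id", "index", "section")}
        for ref in find_id_refs(body):
            warnings.append(f"{rule['name']}: {ref} points at a source-tenant object")
        plan.append({"op": "addRule", "section": section_names[rule["section"]],
                     "rule": body})
    # Nothing takes effect until the draft revision is published.
    plan.append({"op": "publishPolicyRevision"})
    return plan, warnings
```

Each warning marks an object reference (here a group) that has to be created or re-mapped in the target tenant before that rule is added; review the warnings before the publish step is sent.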