Hello BrianT,
I think there are two questions here:
- How do I port an IFW rulebase from one account to another?
- How do I set up a template for IFW rules I can use to provision new accounts with my preferred best practice set of rules?
For the first requirement, you would use the policy.internetFirewall.policy query to read the existing rules from the first account, then you'd need to transform those into the right inputs for the policy.internetFirewall.addSection, policy.internetFirewall.addRule and policy.internetFirewall.publishPolicyRevision mutations to load the IFW policy into the second account.
The second requirement is similar but instead of reading the policy from an existing account you would be starting with an IFW policy defined in something like JSON or YAML.
If I were doing either of these, I'm most comfortable with Python, so I'd just script it. The second use case in particular, though, sounds like a good candidate for something like Terraform, so if this is interesting to you, it might be worth checking out the resources in our GitHub repo: https://github.com/catonetworks/terraform-provider-cato
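
The transform step that both cases in the reply above share, sketched as an added example (not part of the original reply and not Cato's code): it turns a policy document, whether exported from a first account or written as a JSON template, into an ordered list of mutation calls. The document's field names, the `sectionName` key and the `build_plan` helper are assumptions for illustration, not the Cato API schema; only the three mutation names come from the reply.

```python
import json

# Constructed sample policy document. Field names are assumed for this
# example; map them to the real API schema before use.
SAMPLE_POLICY = json.loads("""
{
  "sections": [{"id": "s-1", "name": "Baseline"},
               {"id": "s-2", "name": "Exceptions"}],
  "rules": [
    {"id": "r-9", "section": "s-2", "index": 2, "name": "Allow SaaS",
     "action": "ALLOW", "enabled": true},
    {"id": "r-3", "section": "s-1", "index": 1, "name": "Block malware categories",
     "action": "BLOCK", "enabled": true},
    {"id": "r-7", "section": "s-1", "index": 3, "name": "Legacy test",
     "action": "ALLOW", "enabled": false}
  ]
}
""")

# Fields that only make sense inside the source document (assumption):
# they are re-derived for the target account, never copied.
SOURCE_ONLY = {"id", "index", "section"}


def build_plan(policy):
    """Return ordered (mutation, input) steps to replay on the target account."""
    names = [s["name"] for s in policy["sections"]]
    if len(set(names)) != len(names):
        raise ValueError("section names must be unique to re-link rules by name")
    by_id = {s["id"]: s["name"] for s in policy["sections"]}
    plan = [("policy.internetFirewall.addSection", {"name": n}) for n in names]
    # Firewall rules are order-dependent, so replay them in their original order.
    for rule in sorted(policy["rules"], key=lambda r: r["index"]):
        if rule["section"] not in by_id:
            raise ValueError(f"rule {rule['name']!r} references an unknown section")
        body = {k: v for k, v in rule.items() if k not in SOURCE_ONLY}
        body["sectionName"] = by_id[rule["section"]]  # hypothetical key
        plan.append(("policy.internetFirewall.addRule", body))
    # Publish once, as the final step, after every section and rule is added.
    plan.append(("policy.internetFirewall.publishPolicyRevision", {}))
    return plan
```

Diffing the plan against the source document before sending anything lets you confirm that disabled rules stay disabled and that no rule changed position.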