Alternate data collection methods

Relevant for: AFA Administrators

This section describes offline device data collection methods that can be used as alternates to on-boarding the device into AFA from the Administration area and collecting data automatically.

Note: Since these are static files and not live devices, configuration changes such as dynamic route updates only appear in AFA when you update the file again.

Additionally, AFA cannot track changes in real-time, or track who may have made each change on the device. Updates are represented only in reports generated after the update.

ActiveChange is not supported for file devices.

When to use these procedures

While we recommend that you generally collect data from live devices automatically, this requires that the AFA machine be connected to the device's network.

This may not always be possible, and you may want to analyze devices in a different location, or on a network that you are not able to connect to directly.

Additionally, you may have L3 devices where this data is already collected by an existing toolset.

Note: We recommend that customers ensure that AFA has the most recent device data possible, which helps to provide network map completeness and traffic simulation accuracy.

Complete device data typically involves analyzing your core and distribution layer routing infrastructure as well as firewalls.

Back to top

Recommended device data collection per device type

Collect data from your devices semi-automatically or manually using scripts provided by AlgoSec.

Each device type has a recommended method, described in the table below.

Note: These procedures are documented in our Alternate data collection method documentation, on the AlgoSec portal. Use your portal credentials to access them.

Check Point

For details, see:

  • Check Point FireWall-1 devices (semi-automatic). For Check Point FireWall-1 devices running on specific platforms, device data collected includes components of the Check Point file structure and the filter module's routing table.

    Relevant platforms include Windows, Sun, Nokia, SecurePlatform, Alteon, and Linux.

  • Check Point devices (manual). Semi-automatic and manual data collection is supported only for Check Point device versions R77.X and below.

Cisco

For details, see Cisco routers and devices.
Juniper

For details, see Juniper devices.
Fortinet Fortigate

For details, see Fortinet Fortigate (manual).
Palo Alto Networks

For details, see Palo Alto Networks (manual).
McAfee Firewall Enterprise (Forcepoint Sidewinder)

For details, see McAfee Firewall Enterprise (Sidewinder) (manual).

Note:  

Support for the Forcepoint brands (Sidewinder, StoneGate) and Hillstone was deprecated in ASMS version A30.00.

If you had defined these devices in an earlier version of ASMS, these devices are still available to you, with all the existing capabilities, but you cannot add new ones after upgrading.

We recommend backing up device data before or after upgrading and then removing these devices from AFA. Make sure to download any report zip files for the device before deleting.

For more details, see View an earlier report for a specific device and the relevant AlgoPedia KB article.
Symantec BlueCoat

For details, see Symantec Blue Coat (manual).

Access semi-automatic data collection scripts from the AlgoSec portal. For details, see Semi-automatic data collection scripts.

Depending on your system configuration, device files can also be obtained as follows:

Use a recent AFA report
  • If you have a live device on another ASMS system, retrieve the full device configuration file from the latest AFA report.
  • For example, you may want to do this when adding a device that already exists in a production system to a testing system as well.
  • For more details, see Access log and configuration files.

    • Tip: If your device is supported only as EA, make sure that the device support is enabled as needed in both your production and testing environments. For details, see Extend device support.
    Create a JSON file manually

    If you do not have another device to collect the data from, create the file manually.

    For details, see Static support for generic devices.

    Note: AFA does not currently support manual data collection from monitoring devices.

    Back to top

    Add a static file device to AFA (UI)

    This procedure describes how to add a file device to AFA from the AFAAdministration area.

    Note: Alternately, see Add a static file device to AFA (CLI).

    Do the following:

    1. In AFA, access the Devices Setup page. For details, see Access the DEVICES SETUP page.

    2. In the vendor and device selection page, click Device from File on the right.

    3. In the Name field, enter a name for your file device.

    4. Select the file you want to analyze by selecting one of the following:

      Upload new

      Upload a file from your computer. Browse to and select your file.

      File size must not exceed 20 MB.

      For larger files, copy the file to the /home/afa/algosec/fwfiles directory, and use the Existing on server option.

      For more details, see Recommended device data collection per device type.
      Existing on server

      Select a file already saved on the AFA server, in the /home/afa/algosec/fwfiles directory.

      Select the file you want to analyze from the dropdown list.

    5. Define how AFA should acquire the device's routing information. Select one of the following:

      Automatic
      • Automatic. Automatically generate the device's routing information upon analysis or monitoring.
      • Static Routing Table (URT). Take the device's routing information from a static file you provide. For more details, see Specify routing data manually.
      Static Routing Table (URT).

      Take the device's routing information from a static file you provide.

      For more details, see Specify routing data manually.

    6. Select Real-time change monitoring option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring.

    7. Select Set user permissions to set user permissions for this device.
    8. Click Finish. The new device is added to the device tree.

    9. If you selected Set user permissions, the Edit users dialog box appears.

      In the list of users displayed, select one or more users to provide access to reports for this account.

      To select multiple users, press the CTRL button while selecting.

      Click OK to close the dialog.

    A success message appears to confirm that the device is added. The device is now shown in the device tree in AFA, and will be included in the ALL_FIREWALLS analysis reports.

    Back to top

    Add a static file device to AFA (CLI)

    This procedure describes how to add a file device to AFA using CLI commands.

    Note: Alternately, see Add a static file device to AFA (UI).

    Do the following:

    1. Place any collected device data files, such as in the following directory on the AFA server: home/afa/algosec/fwfiles/

      For more details, see Recommended device data collection per device type.

    2. Summarize the files in a single CSV file with the following columns:

      name

      The device's display name, used in the device tree and all other locations around ASMS.
      path_name

      The location of the device file on the AFA machine, in the /home/afa/algosec/fwfiles directory.
      full_analysis

      Determines whether to perform full analysis.

      To optimize performance during device analysis, enter no.

      For example:

      name path_name full_analysis
      MYROUTER /home/afa/algosec/fwfiles/MyRouter.rd no
      MYNEXUS /home/afa/algosec/fwfiles/MyNexus.nexus no

      Save the CSV file in the home/afa/algosec/fwfiles/ directory on the AFA server.

    3. Log in to the AFA server as user afa.

    4. Run import_devices -f <CSV filename> -t FILE

      where <CSV filename> is the name of the CSV file you saved in the previous step.

      For example: import_devices -f BulkL3Devices.csv -t FILE

    When complete, all devices listed in the CSV file are shown in the device tree in AFA, and will be included in the ALL_FIREWALLS analysis reports.

    Back to top

    Semi-automatic data collection scripts

    The following scripts use the same commands for copying files and creating directories as are listed in the manual data collection procedures.

    Firewall-1 Windows NT batch file Downloadckp_collect.bat version: 1.23 (within a .zip archive)
    Firewall-1 Sun Solaris, Linux, SecurePlatform, Nortel Alteon or Nokia IPSO Downloadckp_collect.tar version: 1.80 (within a .tar archive)
    Cisco router access-control list (IOS) collection scripts Downloadrouterdump.pl utility version: 1.12 (within a .tar archive)
    Juniper Netscreen Downloadnsm_log_collect.tar version: 1.3 (within a .tar archive)

    If you copy the Firewall-1 Unix data collection script (ckp_collect) from a Windows PC to a Sun, Nokia, SecurePlatform, Alteon, or Linux platform, ensure that any carriage returns (^M) added by the Windows system are removed on the target platform.

    If you have a compressed ckp_collect.z file, expand the file as follows:

    Copy the ckp_collect.z to a Check Point SmartCenter server running on Sun Solaris, SecurePlatform, or Linux.

    Run one of the following commands:

    Sun platforms

    uncompress ckp_collect.Z

    SecurePlatform or Linux platforms

    gunzip ckp_collect.Z

    The ckp_collect and ckp_log_collect files are created, and the compressed ckp_collect.z file is deleted.

    These scripts are ready for you to run as needed.

    Back to top