The following command-line tools are available to automate configuration tasks during deployment of your NextGen Firewall.
Retrieving PAR files from a NextGen Control Center
Use this command to retrieve PAR files from a Control Center during provisioning. For PAYG firewalls, the licenses are pushed to the Control Center before fetching the configuration.
Usage: getpar -a [CC IP address] -c [clustername] -r [range id number] -b [firewall name]
- -a|--address [address] – Control Center IP address.
- -u|--username [username] – CC admin user used to connect to the Control Center.
- -c|--cluster [cluster] – Cluster name.
- -r|--range [range] – Range number.
- -b|--boxname [boxname] – Firewall name.
- -d|--destination [dest] – Destination directory and filename for the par file. E.g., /opt/phion/update/box.par
- -s|–spoe – Use Single Point of Entry to connect to the Control Center.
- -l|--pushlic auto|always|never – Configures if the licenses should be pushed to the Control Center before retrieving the PAR file. For PAYG firewalls, the license must be pushed to the Control Center.
For more information, see How to Modify CloudFormation Templates to Retrieve the PAR File from a Control Center.
Create a High Availability Cluster
Execute this command on the primary firewall to create a high availability cluster via command line. You are prompted for the password for the other firewall. If the secondary firewall is running in the public cloud, you must disable enforcing a password change on the secondary firewall by adding the following editconf commands to the provisioning / user data scripts:
Usage: /opt/phion/bin/create-dha -s [virtual server name] -c -o [IP address of other firewall] -n [netmask of other firewall] -g [IP address for default gateway used by the other firewall]
/opt/phion/bin/editconf -f /opt/phion/config/active/boxadm.conf -p RPASSWDENFORCE -v 0 /opt/phion/bin/editconf -f /opt/phion/config/configroot/boxadm.conf -p RPASSWDENFORCE -v 0
- -u|--username [username] – Specify username for connecting to the secondary firewall (default: root).
- -o|--other-ip [address] – IP address of the secondary firewall.
- -g|--other-gw [address] – IP address of the default gateway for the subnet in which the secondary firewall is running.
- -n|--other-netmask [CIDR netmask] – CIDR mask of the subnet in which the secondary firewall is running.
- -s|--server [server name] – (Optional) Specify the virtual server name used for the high availability cluster.
- -c|–cleardirty – Clear the dirty download flag after setting up the high availability cluster.
- --verbosity [verbosity] – Enable command-line logging and set verbosity to the specified level.
- --fullcolortrace – Enable colored command-line logging.
For more information on high availability, see High Availability.
Insert or Edit Configuration Parameter
In some cases, you may be required to edit a configuration parameter. For example, you need to disable enforcing a password change on first log in when pairing a high availability cluster via create-dha.
Usage: editconf -f [/absolutepath/file.conf] -p [parameter to set] -v [value for the parameter]
- -f|--file [input config file, absolute path] – Absolute path to the configuration file.
- -p|--put [key to set in the config file] – Set a configuration parameter. Requires value to also be set.
- -d|--delete [key to delete] – Delete a configuration parameter.
- -D|--delete-section – Remove the entire section from the configuration file.
- -v|–value [value content] – Value to add to the configuration file.
Change Dynamic to a Static IP Management IP Address
Convert the management IP address on a dynamic interface to a static configuration. If no gateway or subnet is entered, these values are derived from the management IP address. In this case, the gateway is set to the first IP address in the subnet.
usage: cloud-setmip [management IP] [subnet in CIDR format] [default gateway IP address]