I've built a working template for downloading Sidewinder Firewall configurations with NCM, and have been happy (so far) with the results showing in NCM's Daily Configuration Comparison Reports. There are some important caveats for you to be aware of if you apply this template:
Do NOT enable NCM's option to use this template for auto-discovery. The OID is one recommended by SolarWinds Technical Support, and I'd previously used 1.3.6.1.4.1.1573.2.1. I found that when I used the suggested OID, AND when I enabled this template for auto-discovery, some of my Cisco switches began using this template and no longer were accessible by NCM. I disabled auto-discovery for this template and the Cisco problem was resolved. It might be appropriate to use a more granular OID for this template (such as 1.3.6.1.4.1.1573.2.1)--please feel free to share that if you find a better one.
This config backup cannot be used to restore a Sidewinder. It’s only for config comparison and for daily configuration management. Use the McAfee Configuration Backup and Restore processes, preferably by generating an Emergency Config Backup & Restore USB drive.
This template WILL NOT back up a Sidewinder's Startup-Config. Don't expect to be able to back up the Startup-config of a Sidewinder with this. You may be able to create such a script by working with McAfee and modifying this template, but this template isn't for startup-config backups. The startup solution on a Sidewinder relies on hardened FreeBSD structure and files. This template does not address those needs.
There is no section for executing command scripts in this template. I recommend you use the Cobra GUI for the Firewall Enterprise (a.k.a.: "Sidewinder firewall"), or perform your commands manually at the CLI.
<Configuration-Management Device="Device Name" SystemOID="1.3.6.1.4.1.9">
<Commands>
<Command Name="RESET" Value="srole${CRLF}uname -r" />
<Command Name="DownloadConfig" Value="cf policy query${CRLF}cf policy export${CRLF}cf service q${CRLF}cf burb q${CRLF}cf config q${CRLF}cf license q${CRLF}cf adminuser 1${CRLF}cf agent q${CRLF}cf appfilter q${CRLF}cf audit q${CRLF}cf auth q${CRLF}cf burbgroup q${CRLF}cf cert q${CRLF}cf cluster q${CRLF}cf cmd q${CRLF}cf crontab q${CRLF}cf daemond q${CRLF}cf dns q${CRLF}cf domain q${CRLF}cf export q${CRLF}cf failover q${CRLF}cf fips q${CRLF}cf fwregistered q${CRLF}cf geolocation q${CRLF}cf host q${CRLF}cf hostname q${CRLF}cf ids q${CRLF}cf ikmpd q${CRLF}cf interface q${CRLF}cf ipaddr q${CRLF}cf iprange q${CRLF}cf ipsec q${CRLF}cf lca q${CRLF}cf netgroup q${CRLF}cf ntp q${CRLF}cf package q${CRLF}cf pool q${CRLF}cf reports q${CRLF}cf server q${CRLF}cf servicegroup 1${CRLF}cf snmp q${CRLF}cf ssl q${CRLF}cf subnet q${CRLF}cf timeperiod q${CRLF}cf timezone q${CRLF}cf udb q${CRLF}cf ups 1${CRLF}cf usergroup q"/>
<Command Name="Version" Value="uname -r"/>
<Command Name="Disconnect" Value="exit${CRLF}exit"/>
<Command Name="VirtualPrompt" Value="%"/>
<Command Name="MenuBased" Value="false"/>
<Command Name="UseVirtualPromptForCommands" Value="True"/>
<Command Name="UseMultipleDownloadCommands" Value="True"/>
</Commands>
</Configuration-Management>
My thanks to SolarWinds Technical Support for assisting on the basics for helping me determine the appropriate syntax for the various Values, and also to Secure Computing (now McAfee) for helping with the many "cf" commands. Note that the list I provided in the "DownloadConfig" Value is from data I received from Secure Computing back in 2009. It works perfectly for my Sidewinders, but may not be complete, given they've been upgraded several times since 2009. You can access your Sidewinder's "man" page from an SSH CLI session and search for the various options using the "man cf" command. And you can remove or add sections to this section as needed, since you may not want to see all of the data.
You might consider ONLY using just this line:
<Command Name="DownloadConfig" Value="cf policy query"/>
and omit all the rest in the "DownloadConfig" section.
One thing I've observed is that Sidewinders automatically make certain changes to themselves when specific trigger conditions are met. Those conditions can be attacks, environment changes, hardware errors, etc. When the Sidewinder makes those changes they will show up in your Daily Configuration Change Report. You might spend some cycles trying to discover who made those changes and why; that could be a waste of your time--particularly when attacks are common. Folks frequently try to scan addresses or ports on the outside of the firewall, or do SYN Floods, etc. As the Strikeback features of the Sidewinder engage and automatically set higher logging or send off alerts, the Sidewinder temporarily reconfigures lines that are downloaded in the set of "cf" commands above, and consequently they show up in the Config Change Report. It's your call whether to include all the items above, or narrow the template down to specific sections in the interest of simplifying and shortening your Daily Configuration Change Report output.
Swift Packets!
Rick Schroeder
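
The auto-discovery caveat in the post can be checked before a template is enabled. The following is an added example, not part of the original post or of NCM: it assumes a template is selected when its SystemOID is an OID prefix of a node's sysObjectID, and that every DownloadConfig entry has the form "cf <area> <argument>"; the inventory, node names and shortened template are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, shortened template. The stray space in SystemOID, the doubled "cf"
# and the repeated command are planted to exercise the checks below.
TEMPLATE = """<Configuration-Management Device="Device Name" SystemOID=" 1.3.6.1.4.1.9">
<Commands>
<Command Name="DownloadConfig" Value="cf policy query${CRLF}cf burb q${CRLF}cf cf iprange q${CRLF}cf burb q"/>
</Commands>
</Configuration-Management>"""

# Constructed inventory: node name -> sysObjectID (hypothetical names and values).
# 1.3.6.1.4.1.9 is the root of Cisco's enterprise OID subtree.
INVENTORY = {
    "core-sw-01": "1.3.6.1.4.1.9.1.1111",
    "edge-sw-02": "1.3.6.1.4.1.9.1.2222",
    "fw-sidewinder-01": "1.3.6.1.4.1.1573.2.1",
}

def oid_arcs(oid):
    """Split a dotted OID into integer arcs, ignoring stray whitespace and a leading dot."""
    return [int(arc) for arc in oid.strip().strip(".").split(".")]

def oid_matches(template_oid, sys_object_id):
    """Arc-wise prefix match (assumed rule): ...9 matches ...9.1.x but not ...90.x."""
    t, s = oid_arcs(template_oid), oid_arcs(sys_object_id)
    return s[:len(t)] == t

def nodes_claimed(template_xml, inventory, oid=None):
    """Nodes the template would be applied to; 'oid' overrides the template's SystemOID."""
    oid = oid or ET.fromstring(template_xml).get("SystemOID")
    return sorted(n for n, s in inventory.items() if oid_matches(oid, s))

def lint_download_config(template_xml):
    """Flag DownloadConfig entries that are not 'cf <area> <arg>' or that repeat."""
    cmd = ET.fromstring(template_xml).find("./Commands/Command[@Name='DownloadConfig']")
    findings, seen = [], set()
    for line in cmd.get("Value").split("${CRLF}"):
        if not re.fullmatch(r"cf [a-z]+ \S+", line):
            findings.append(("malformed", line))
        elif line in seen:
            findings.append(("duplicate", line))
        seen.add(line)
    return findings

if __name__ == "__main__":
    print("broad OID:   ", nodes_claimed(TEMPLATE, INVENTORY))
    print("narrower OID:", nodes_claimed(TEMPLATE, INVENTORY, "1.3.6.1.4.1.1573.2.1"))
    print("lint:        ", lint_download_config(TEMPLATE))
```

Any node listed for a template that does not belong to that device family is one that would be handed the wrong login and command sequence if the template were enabled for auto-discovery.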