asg_policy

This command is supported only on these:

  • ElasticXL Cluster

  • Maestro Security Group

  • Scalable Chassis Security Group

Notes:

  • You must run the "asg_policy" command in the Expert mode.

  • You can run the "asg policy" command in Gaia gClish or in the Expert mode.

Description

Shows the security policy status.

Controls the installed security policy.

Syntax in the Security Gateway / VSNext mode

asg_policy -h

asg policy -h

asg policy [-a] [--print_sig_diff]

      verify

      verify_amw

      unload [{--ip_forward | --disable_pnotes}]

Syntax in the Traditional VSX mode

asg_policy -h

asg policy -h

asg policy [-vs <VS ID>] [-a] [-v]

      verify

      verify_amw

      unload [--disable_pnotes]

Parameters

Parameter

Description

-h

Shows the built-in help.

-vs <VS ID>

Applies only to the Traditional VSX mode.

Specifies the IDs of the relevant Virtual Systems.

  • If you do not enter the IDs, then the command applies to the current virtual context.

  • To specify one Virtual System ID, just enter its ID value.

    Example: -vs 2

  • To specify two or more Virtual System IDs, separate the ID values with a comma (a list), or join two ID values with a minus character (a range). Both forms can be combined.

    Example: -vs 2,3

    Example: -vs 2-3

    Example: -vs 2,4-6

-a

Applies the command also to the Security Group Members that are in the "DOWN" state.

-v

Applies only to the Traditional VSX mode.

Verbose mode - shows the output for each Security Group Member.

verify

Verifies that the same Access Control policy is installed on all Security Group Members.

verify_amw

Verifies that the same Threat Prevention policy is installed on all Security Group Members.

unload

Warning - Do not use this command.

For security reasons, your Security Group must always have a policy installed.

Unloads the current security policy from all Security Group Members.

  • --ip_forward

    Enables the IP Forwarding in the Linux kernel.

    Does not apply to the Traditional VSX mode.

    Warning - This allows all traffic to pass through the Security Group without any inspection.

  • --disable_pnotes

    Configures the corresponding Critical Devices not to report their state as "problem".
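The "-vs" expression syntax and the two mode-specific syntax tables above, as an added POSIX shell example that is not part of Check Point's documentation or tooling: expand_vs_ids and policy_check_cmd (both assumed helper names) validate an "asg policy" check command line before it is run in the Expert shell of a Security Group, so that a malformed ID list, an option that does not exist in the current mode, or an accidental "unload" is caught first.

```shell
# Added example (not Check Point's code); function names are assumptions.
# expand_vs_ids EXPR: expand the "-vs" syntax shown above ("2", "2,3",
# "2-3", "2,4-6") into a space-separated list of Virtual System IDs.
# Returns 1 on malformed input (empty field, non-numeric ID, reversed range).
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

expand_vs_ids() {
    out=""
    old_ifs="$IFS"; IFS=','
    for part in $1; do
        case "$part" in
            *-*) lo="${part%%-*}"; hi="${part#*-}" ;;   # range "lo-hi"
            *)   lo="$part";       hi="$part" ;;        # single ID
        esac
        if ! is_uint "$lo" || ! is_uint "$hi" || [ "$lo" -gt "$hi" ]; then
            IFS="$old_ifs"; return 1
        fi
        i="$lo"
        while [ "$i" -le "$hi" ]; do out="$out $i"; i=$((i + 1)); done
    done
    IFS="$old_ifs"
    [ -n "$out" ] || return 1        # an empty expression is not valid
    printf '%s\n' "${out# }"
}

# policy_check_cmd MODE ACTION [VS_EXPR] [VERBOSE]: print the "asg policy"
# command line for a policy *check*, after validating the options against
# the two syntax tables above. MODE is "sg" (Security Gateway / VSNext) or
# "vsx" (Traditional VSX); ACTION is verify or verify_amw; VS_EXPR and
# VERBOSE=yes are accepted only in Traditional VSX mode. "unload" is refused
# because a Security Group must always have a policy installed.
policy_check_cmd() {
    mode="$1"; action="$2"; vs_expr="$3"; verbose="$4"
    case "$action" in verify|verify_amw) ;; *) return 1 ;; esac
    cmd="asg policy"
    case "$mode" in
        sg)  # neither -vs nor -v exists in this mode
            [ -z "$vs_expr" ] && [ "$verbose" != yes ] || return 1 ;;
        vsx)
            if [ -n "$vs_expr" ]; then
                expand_vs_ids "$vs_expr" >/dev/null || return 1
                cmd="$cmd -vs $vs_expr"
            fi
            if [ "$verbose" = yes ]; then cmd="$cmd -v"; fi ;;
        *)   return 1 ;;
    esac
    printf '%s\n' "$cmd $action"
}
```

Run the printed command line only after reviewing it; the "-a" option can be appended by hand when members in the "DOWN" state must be included.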

Examples