Twice a year the security analyst needs to do a firewall review for PCI or other compliance, so yes, we need something that can automatically grab the latest firewall configuration to analyze it. In this blog I will describe one simple Python script that grabs the configuration, with explanations.

I am using two modules in this script, pexpect and sys. The first one lets us connect as if we were doing it from the console itself. The script will ask you for the firewall's IP address.

The script begins (copy from below):

 

import pexpect
import sys

# Written for Python 2 (raw_input, file(), print statement).
asa_ip = raw_input('Please Enter ASA IP: ')
user = "your-username-on-the-device"
# The credentials are stored in clear text in this file; restrict its
# permissions or prompt for them (getpass) if you keep this script around.
password = "P@ssw0rd"
password_enable = "P@ssw0rd"

# Establish the SSH connection
child = pexpect.spawn('ssh %s@%s' % (user, asa_ip))

# Log file that will receive the configuration
fout = file('firewall.%s.txt' % asa_ip, 'w')

# Expect the device to ask for the password, then send it
child.expect('password:')
child.sendline(password)

# Expect the '>' prompt and type enable
child.expect('>')
child.sendline('enable')

# Expect the enable password prompt and send the enable password
child.expect('Password:')
child.sendline(password_enable)
child.expect('#')

# Send 'terminal pager 0' so the device does not wait for Enter between
# pages; without it the session will time out
child.sendline('terminal pager 0')

# Send the sh running-config command
child.expect('#')
child.sendline('sh running-config')

# Max read size and timeout, sized for a large configuration
child.maxread = 999999999
child.timeout = 360

# Everything read from here on is written to the log file
child.logfile_read = fout

# Expect ': end', which marks the end of the configuration
child.expect(': end')
print child.before

# Leave the device and close the log so buffered output reaches the file
# before it is reopened below
child.sendline('exit')
child.logfile_read = None
fout.close()
child.close()

# Clean the file, removing the echoed Cisco command on the first line
with open('firewall.%s.txt' % asa_ip, 'r') as fin:
    data = fin.read().splitlines(True)
with open('firewall.%s.txt' % asa_ip, 'w') as fout:
    fout.writelines(data[1:])

#Finish script
 
At the end the script will create a txt file containing the firewall configuration. You can use this script to back up your configuration or just to begin your firewall review.
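As an added example that is not part of the original post, the cleanup step can be made more robust than dropping the first line of the file. This Python 3 function runs against a constructed sample of what pexpect's logfile_read captures: it removes the echoed command, the CR characters and the trailing prompt, and refuses to produce a file when the ': end' marker is missing, which is the sign that the session timed out or the pager was still on. The sample capture, hostname and version are made up.

```python
# Constructed sample of what pexpect's logfile_read captures once the
# 'sh running-config' line has been sent: the echoed command (after the
# space left behind the '#' prompt), CRLF line endings, the config body,
# the ': end' marker and the next prompt. Hostname and version are made up.
SAMPLE_CAPTURE = (
    " sh running-config\r\n"
    ": Saved\r\n"
    ":\r\n"
    "ASA Version 9.1(2)\r\n"
    "!\r\n"
    "hostname fw-edge\r\n"
    "interface GigabitEthernet0/0\r\n"
    " nameif outside\r\n"
    " security-level 0\r\n"
    "access-list outside_in extended permit tcp any host 10.0.0.5 eq 443\r\n"
    "!\r\n"
    ": end\r\n"
    "fw-edge# "
)

END_MARKER = ": end"


def capture_is_complete(raw):
    """True if the ': end' marker is present. If it is not, the session
    timed out or 'terminal pager 0' was not applied and the file is partial."""
    return any(line.rstrip("\r") == END_MARKER for line in raw.split("\n"))


def clean_capture(raw, command="sh running-config"):
    """Turn a raw capture into clean config lines (no CRs, no echoed
    command, nothing after ': end') instead of blindly dropping line 1."""
    if not capture_is_complete(raw):
        raise ValueError("capture incomplete: ': end' marker not found")
    lines = [line.rstrip("\r") for line in raw.split("\n")]
    if command in lines[0]:      # echoed command, possibly after a prompt
        lines = lines[1:]
    return lines[:lines.index(END_MARKER) + 1]


if __name__ == "__main__":
    print("\n".join(clean_capture(SAMPLE_CAPTURE)))
```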