Simplifying OCI Network Firewall Policy Management with a Python Tool — Part II

Karthik Mani
5 min read · Apr 5, 2024


Introduction:

In our previous blog post, we addressed the complexities of managing network security policies within Oracle Cloud Infrastructure (OCI) and introduced the OCI Network Firewall Policy Configuration Tool — a Python script designed to simplify the bulk creation and management of OCI Network Firewall policies. Expanding on this, this post explores additional functionality: exporting an existing firewall policy and converting it into the Excel sheet template.

Where Could These Scripts Be Used? Let’s explore two primary use cases where these scripts can be helpful:

Use Case 1: Migration Across OCI Regions: Imagine you need to migrate your rules from OCI’s primary region to a disaster recovery (DR) region. However, the IP addresses of the primary region (DC) and the DR region are different, so the IP addresses within the firewall rules must change. By exporting the rules into an Excel sheet, you gain the flexibility to adjust the addresses and security rules as needed. The modified Excel sheet can then serve as input for generating new JSON files tailored to the DR region’s requirements.
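The DC-to-DR address rewrite that this use case calls for is easy to get wrong by hand when an address list holds both CIDR blocks and single hosts. The following is an added example, not code from the tool’s repository: it assumes the exported addresslist_output.json follows the OCI CLI list shape ({"data": {"items": [{"name", "type", "addresses"}]}}), and the sample address lists and the DC-to-DR prefix mapping are constructed. Every address that falls inside a mapped DC prefix is moved to the DR prefix of the same length with its host bits preserved; anything without a mapping is left unchanged and reported, so it can be reviewed in the Excel sheet rather than silently carried over.

```python
"""Rewrite exported OCI address lists for a DR region (added example).

Assumed input shape: {"data": {"items": [{"name": ..., "type": "IP"|"FQDN",
"addresses": [...]}]}}. Sample data and prefix mapping below are constructed.
"""
import ipaddress
import json

# Constructed sample resembling addresslist_output.json
SAMPLE_ADDRESS_LISTS = json.dumps({
    "data": {
        "items": [
            {"name": "web-tier", "type": "IP",
             "addresses": ["10.0.1.0/24", "10.0.1.15"]},
            {"name": "db-tier", "type": "IP",
             "addresses": ["10.0.2.0/24", "10.0.9.7"]},
            {"name": "partner-fqdn", "type": "FQDN",
             "addresses": ["partner.example.com"]},
        ]
    }
})

# Constructed DC -> DR prefix mapping. Each DC prefix is replaced by a DR
# prefix of the same length so host bits can be carried over unchanged.
PREFIX_MAP = {
    "10.0.1.0/24": "10.1.1.0/24",
    "10.0.2.0/24": "10.1.2.0/24",
}


def _remap_one(addr, prefix_map):
    """Return the DR equivalent of one address or CIDR, or None if unmapped."""
    net = ipaddress.ip_network(addr, strict=False)   # a host becomes a /32 (/128)
    for dc_prefix, dr_prefix in prefix_map.items():
        dc_net = ipaddress.ip_network(dc_prefix)
        dr_net = ipaddress.ip_network(dr_prefix)
        if dc_net.prefixlen != dr_net.prefixlen:
            raise ValueError(f"prefix length mismatch: {dc_prefix} -> {dr_prefix}")
        if net.version != dc_net.version or not net.subnet_of(dc_net):
            continue
        # keep the host bits, swap the network bits
        host_bits = int(net.network_address) - int(dc_net.network_address)
        new_addr = dr_net.network_address + host_bits
        return f"{new_addr}/{net.prefixlen}" if "/" in addr else str(new_addr)
    return None


def remap_address_lists(exported_json, prefix_map):
    """Rewrite IP address lists; return (new document, list of unmapped entries).

    FQDN lists are copied unchanged. Entries with no DR mapping are kept as-is
    and reported as (list name, address) so they can be fixed in the Excel sheet.
    """
    doc = json.loads(exported_json)
    unmapped = []
    for item in doc["data"]["items"]:
        if item.get("type") != "IP":
            continue
        new_addresses = []
        for addr in item["addresses"]:
            new = _remap_one(addr, prefix_map)
            if new is None:
                unmapped.append((item["name"], addr))
                new = addr
            new_addresses.append(new)
        item["addresses"] = new_addresses
    return doc, unmapped


if __name__ == "__main__":
    dr_doc, missing = remap_address_lists(SAMPLE_ADDRESS_LISTS, PREFIX_MAP)
    print(json.dumps(dr_doc, indent=2))
    for name, addr in missing:
        print(f"no DR mapping for {addr} in address list '{name}'")
```

The unmapped list is the part worth keeping: an address that is not covered by the mapping usually means a rule still points at a DC-only host, which is exactly the kind of leftover that turns into an unintended allow or a silent outage after cutover.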

Use Case 2: Management Review and Reporting: At the moment, OCI Network Firewall does not natively support bulk export. Exporting the firewall rules into an Excel format simplifies the process, enabling management to review and analyze the data more effectively. Moreover, the data in the Excel sheet can be modified to suit specific reporting requirements, providing greater flexibility in presenting and interpreting the firewall policy data.

By leveraging these Python scripts, users can streamline the process of exporting, modifying, and managing OCI Network Firewall policies, improving efficiency and supporting better decision-making in network security management.

Exploring Python Scripts: In response to these requirements, we’ve added the following Python scripts to the same GitHub repository under the firewall-export directory. In this blog post, we’ll walk you through the code and demonstrate how these scripts operate.

  1. Export.py: This script provides a user-friendly command-line interface for selecting between exporting policies to JSON format or converting policies from JSON to Excel format.
  2. Export-Policies.py: This script automates the export of OCI network firewall policy items to JSON files.
  3. Convert-Policies.py: Designed to extract data from JSON files and export it into an Excel template.

How to run them?

Pre-requisites:

Before running the scripts, ensure that you have the following pre-requisites in place:

  1. Clone the repository (or download the files from GitHub)

Cloning the repository gives you a local copy of the OCI Network Firewall Policy Configuration Tool. Navigate to the project directory to export an existing firewall policy:

  • cd OCI-Network-Firewall-Policy-Configuration-Tool\Firewall-Export

Change into the directory of the cloned repository.

2. Python Environment:

Required Python Libraries:

  • pandas: Used for data manipulation and Excel file handling.
  • json: Used for JSON file parsing.
  • os: Used for operating system related functionalities.

Install pandas with pip (json and os are part of the Python standard library and need no installation):

pip install pandas

3. OCI CLI (optional):

  • Oracle Cloud Infrastructure Command Line Interface (OCI CLI) installed and configured on your system.
  • Refer to the OCI CLI installation documentation for instructions on installation and configuration.
  • The OCI CLI version must be at least 3.38.1 for these scripts to work.

METHOD 1 (with OCI CLI installation): STEPS

1. Verify that you have installed and configured the required prerequisites mentioned above.

2. Run Export.py and follow the prompt to choose an option:

[Screenshot: Export.py]

3. If you select option 1, then:

The Export-Policies.py script will run and prompt you to provide a valid Network Firewall Policy ID (OCID).

[Screenshot: Option 1, Export-Policies.py]

Note: The OCID will be in the format ocid1.networkfirewallpolicy.oc1.xxxx; the script will return an error if the value entered is not a valid OCID.

Once the script has run successfully, you should see confirmation messages in your terminal.

4. If you choose option 2, Convert-Policies.py will be executed, which converts the JSON files created in the previous step to output.xlsx.

[Screenshot: Option 2, Convert-Policies.py]

Make sure you have the necessary JSON files containing data (security_rule_output.json, addresslist_output.json, service_output.json, servicelist_output.json, application_output.json, applicationlist_output.json) in the script's directory. The output.xlsx file will be generated in the same location where this script is executed.

METHOD 2 (without OCI CLI installation): STEPS

Step 1: Upload Export-Policies.py to OCI Cloud Shell; refer to the “Transferring files” section in “Getting Started with Cloud Shell”.

Step 2: Run the command below from Cloud Shell; it will prompt you to enter the policy OCID (as in step 3 of Method 1).

python3 Export-Policies.py

After successful execution, all necessary JSON files will be generated. Make sure to download the generated files (security_rule_output.json, addresslist_output.json, service_output.json, servicelist_output.json, application_output.json, applicationlist_output.json) from the script directory.

Step 3: Move the files to the directory where you downloaded the Convert-Policies.py script, then run the command below in your terminal.

python3 Convert-Policies.py

After successful execution, the output.xlsx file will be generated in the same path where the script was run.

Key points:

Ensure you provide valid inputs when prompted, such as Network Firewall Policy IDs.

Before running the scripts, confirm that the necessary JSON files are present in the same directory.

Output files generated will be stored in the current working directory.

In case of any issues or errors during execution, please consult the documentation of the respective script.
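The key points above (a valid policy OCID, all six JSON files present before converting, output in the working directory) are the checks a practitioner would want to run before the convert step rather than discover halfway through. The following is an added example and not code from the tool’s repository. The six file names are the ones listed in this post; the security-rule JSON shape ({"data": {"items": [...]}} with name, action, condition and inspection fields) and the sample rules are assumed and constructed; the OCID pattern checks only the shape described in the post, not that the policy exists. The project writes output.xlsx with pandas; this example stops at the flattened rows and writes them as CSV so it runs with the standard library alone.

```python
"""Pre-flight checks and row flattening for the convert step (added example).

Assumed input shape for security_rule_output.json:
{"data": {"items": [{"name", "action", "condition": {...}, "inspection"}]}}.
The sample rules below are constructed.
"""
import csv
import json
import os
import re

# The six files the post says Convert-Policies.py expects in its directory.
REQUIRED_JSON_FILES = (
    "security_rule_output.json",
    "addresslist_output.json",
    "service_output.json",
    "servicelist_output.json",
    "application_output.json",
    "applicationlist_output.json",
)

# Shape check only: ocid1.networkfirewallpolicy.oc1.<region>.<unique id>
POLICY_OCID_RE = re.compile(
    r"^ocid1\.networkfirewallpolicy\.oc1\.[a-z0-9-]+\.[a-z0-9]+$"
)

# Condition fields that hold lists of names; each is joined into one cell.
CONDITION_KEYS = ("source-address", "destination-address",
                  "application", "service", "url")
COLUMNS = ("name", "action") + CONDITION_KEYS + ("inspection",)

# Constructed sample resembling security_rule_output.json
SAMPLE_RULES = json.dumps({
    "data": {
        "items": [
            {"name": "allow-web-to-db", "action": "ALLOW",
             "condition": {"source-address": ["web-tier", "mgmt"],
                           "destination-address": ["db-tier"],
                           "application": [], "service": ["tcp-1521"],
                           "url": []},
             "inspection": None},
            {"name": "deny-all", "action": "DROP", "condition": {}},
        ]
    }
})


def is_policy_ocid(value):
    """True if value has the shape of a network firewall policy OCID."""
    return bool(POLICY_OCID_RE.match(value.strip()))


def missing_json_files(directory):
    """Return the required export files that are absent from `directory`."""
    return [name for name in REQUIRED_JSON_FILES
            if not os.path.isfile(os.path.join(directory, name))]


def flatten_security_rules(rules_json):
    """Turn exported security rules into one flat dict per rule.

    List-valued condition fields are joined with ';' so each lands in a single
    spreadsheet cell; absent fields become empty strings so every row has the
    same columns and the sheet stays consistent for review.
    """
    doc = json.loads(rules_json)
    rows = []
    for rule in doc["data"]["items"]:
        cond = rule.get("condition") or {}
        row = {"name": rule.get("name", ""),
               "action": rule.get("action", ""),
               "inspection": rule.get("inspection") or ""}
        for key in CONDITION_KEYS:
            row[key] = ";".join(cond.get(key) or [])
        rows.append({column: row[column] for column in COLUMNS})
    return rows


def write_rows(rows, path):
    """Write the flattened rows as CSV (the tool itself writes output.xlsx)."""
    with open(path, "w", newline="") as handle:
        writer = csv.DictWriter(handle, fieldnames=COLUMNS)
        writer.writeheader()
        writer.writerows(rows)


if __name__ == "__main__":
    absent = missing_json_files(os.getcwd())
    if absent:
        print("missing export files:", ", ".join(absent))
    rows = flatten_security_rules(SAMPLE_RULES)
    write_rows(rows, os.path.join(os.getcwd(), "security_rules_sample.csv"))
    print(f"wrote {len(rows)} rule rows")
```

Running the file-presence check first means the conversion fails fast with a list of what is missing, instead of producing a partial workbook that looks complete on review.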

Please refer to the previous blog post for a detailed explanation of the Excel template. The output.xlsx created by the export scripts will be in the same format. Therefore, the data in Excel can be modified, converted into firewall configuration JSON files, and then imported into the OCI firewall using the OCI Network Firewall GUI.

Watch the demo video showcasing the process of exporting OCI firewall policies, making modifications in Excel, and generating new configuration files, which are then uploaded to an updated OCI policy version.

[Video: Demo for export and import of the policies]

I hope this tool helps in simplifying your OCI Network Firewall policy management tasks. Feel free to contribute, provide feedback, or report any issues on GitHub.

Happy firewall policy management!


Karthik Mani

Experienced Principal Cloud Security - Solution Architect with strong skills in information security, risk management, and scalable cloud infrastructure.