Feature #4194

Mass maintenance tools :-)

Added by Hollander Hollander over 4 years ago. Updated 30 days ago.

Rules / NAT

G'day :D

As I wrote here:

If you want, at least in my humble opinion, to greatly add value to the GUI, I'd recommend mass maintenance tools. For your convenience I'd like to quote what I wrote in the above referenced thread:

Even more, Gonzo, if you are planning to do some work on the GUI, I'd love to see some more mass maintenance tools. For example: select 30 firewall rules and click one button 'disable' instead of having to click 30 times. Similar: copy 30 rules to a new interface instead of doing that manually. Or, even nicer (and now we dive into SAP software territory which I seem to know a little about ;D ): a firewall rules template:

1. Define a set of firewall rules in a template, for example, for LANs;
2. Add all LANs to the template-group 'LAN';
3. Assign the firewall template 'LAN' to the firewall-group 'LAN';
4. Click 'apply'.
5. Go home to WIFE, and don't forget to stop on the way to buy her flowers :P

Now, conceptually (I'm not a programmer, although I can read a little ABAP), 'behind the screen' this boils down to:

1. User configures firewall rules for LAN in 'LAN-firewall-template' screen (can be the same screen as the current firewall rules screen);
2. These rules are 'downloaded' somewhere by program logic1;
3. Programlogic2 looks in the table 'firewall group LAN' for other LANs in there;
4. Programlogic3 takes the config file downloaded by logic1 (step2), copies it to a new file, and does a search and replace for $LAN > LAN2, LAN3, and so on (I know I am not typing this right :)).
5. Programlogic4 'uploads' the newly generated config files to the appropriate part of the system where the firewall can use it.

I think this adds GREAT user value to the GUI, my suspicion is many users will want to kiss you :-)

If you have 10 interfaces, this is the difference between a day of work - and errors - or letting the system do it for you in 30 seconds (...).

Bye :D


#1 Updated by Jim Pingle over 4 years ago

The mass disable/enable/copy function is good, but the second bit you describe is essentially already there with Interface Groups.

#2 Updated by Hollander Hollander over 4 years ago

Thank you, Jim: how could I have overlooked that?(?) Even more: as I have used them in the past(!) (But there was something with it, I don't recall anymore). This happens, obviously, when your brain is a little bit damaged (as mine is).

#3 Updated by Hollander Hollander over 4 years ago

In the thread you referred to, Jim, Volker made another good mass maintenance suggestion:

The other really useful feature would be to be able to disable entries in the alias list without having to remove them, like it is possible with rules.

#4 Updated by Hollander Hollander over 4 years ago

Give my damaged brain some time, and it comes back to me (in the shower, this morning :D).


Anyway, the problem I found to bite me with interface groups is: you want to set certain rules on the interface address. But when setting up the rule in the tab for the interface group (for example the VLAN group, containing 40 VLANs), you cannot do anything useful in Destination - Type field; there are 40 individual VLAN addresses there, but no setting 'individual VLAN address for the respective VLAN' (I hope you understand me :-)).

So perhaps you could trick around by creating an alias, but that will very quickly become messy (VLAN10 can go to VLAN 20 but not to 30, 40 can go to etc etc etc): that's a lot of aliases.

Hence my original proposal, it would solve this all elegantly :-)


#5 Updated by Jim Pingle over 4 years ago

On 2.2 there is a macro in the drop-down list for destination that is "This Firewall" which covers all IP addresses on the firewall itself.

#6 Updated by Jim Thompson over 3 years ago

  • Assignee set to Steve Beaver
  • Priority changed from High to Normal
  • Target version set to Future

#7 Updated by Jim Pingle 30 days ago

  • Category changed from Web Interface to Rules / NAT
  • Status changed from New to Duplicate
  • Assignee deleted (Steve Beaver)
  • Target version deleted (Future)

Some of this we already have and the other parts are covered by other more specific (and individual) feature requests like #1937 and #8365
