Offline Rule Bases and Objects
I have been through a couple of exercises in the past few weeks where I had to work after hours preparing a rule base. The problem, though, is that usually one is exporting the rules and network objects from a Cisco PIX or other device so that they can be re-imported into an Enterprise or Standard policy.
The problem in my case, of course, was that the useful tools I discovered did not do exactly what I needed them to.
I needed to import a huge list of IP addresses into a computer set in an Enterprise Firewall Policy in ISA 2006 Enterprise. Now, that may sound easy: go to www.isascripts.org and get the script that imports delimited text files into Computer Sets.
YAY! It works on ISA 2006 Standard, but it does not work on ISA 2006 Enterprise. Here’s how to get around the problem.
First, get your text file correctly formatted for the script; we'll call ours listofmachines.txt:
[screenshot: sample listofmachines.txt]
Now, get the ISA_Fill_Computer_Set_Computers.vbs file from www.isascripts.org and import your text file into your ISA 2006 Standard installation. Easy; here is the command format:
C:\scripts>ISA_Fill_Computer_Set_Computers.vbs [NameOfComputerSet] listofmachines.txt
We will name our computer set List_Of_Machines.
Once you Refresh the console, the new computer set appears:
[screenshot: ISA console showing List_Of_Machines]
So there we have our List_Of_Machines. If we open that computer set, we see the addresses from the file:
[screenshot: List_Of_Machines computer set properties]
So our text file has been added.
Now here's the exciting part: how do we get this list into the Enterprise Firewall Policy? If we right-click the computer set and Export it, we get an .XML file, which in this case we will call Computer_Set_Export.XML.
Once we have our file, we can try to import it into our ISA 2006 Enterprise. The import is rejected, and this is the message you should receive:
[screenshot: ISA 2006 Enterprise import error]
Oops, that’s irritating. Now, how to fix this issue.
If we open the XML file in Notepad, we see something like this:
[screenshot: Computer_Set_Export.XML in Notepad, with the edition value highlighted]
Note the highlighted text. The important thing here is the 16: it marks the export as coming from Standard Edition, and Enterprise Edition expects 32. Change that one value to 32 (and only that value; leave any other 16 in the file, such as part of an address, alone), save the .XML file, and import it again:
We get the following message on import:
[screenshot: successful import message]
So clearly we beat the system.
This also works with exports of entire firewall policies and any other type of .XML export from ISA 2006 Standard to ISA 2006 Enterprise.
It also works in reverse, letting you export from an ISA 2006 Enterprise machine and import into an ISA 2006 Standard environment, provided that the Array Firewall Policy DOES NOT use any objects from the Enterprise Policies in ISA 2006 Enterprise: Standard Edition has no enterprise-level policy for such references to resolve against. So what I am saying is that the export goes from the Array Firewall Policy to your ISA Standard Firewall Policy.
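As an added example (not the original author's script and not part of the page), here is a small Python tool that applies the edit from the steps above in both directions: it changes the edition marker on the root element of an export and leaves everything else untouched, so an address or build number that also happens to contain 16 is not corrupted by a blanket find-and-replace in Notepad. The page only shows a highlighted 16; the attribute name Edition, the sample XML, and the UTF-8 default encoding are assumptions and must be checked against a real export before relying on this.

```python
"""Flip the edition marker on an ISA Server 2006 XML export.

The page shows only a highlighted "16" being changed to "32"; the attribute
name below (EDITION_ATTR) is an ASSUMPTION and must be checked against the
root element of a real export before use.
"""
import re
import sys
from pathlib import Path

EDITION_ATTR = "Edition"                           # assumed attribute name
EDITIONS = {"standard": "16", "enterprise": "32"}  # values stated on the page

# First element start tag, skipping the <?xml ...?> declaration and comments.
_ROOT_TAG = re.compile(r"<(?![?!])[^>]*>")


def swap_edition(xml_text: str, target: str, attr: str = EDITION_ATTR):
    """Return (new_text, old_value) with only the root element's edition changed.

    Everything outside that single attribute is kept byte-for-byte, so other
    occurrences of "16" (addresses, build numbers) are never touched.
    """
    new_value = EDITIONS[target.lower()]
    m = _ROOT_TAG.search(xml_text)
    if m is None:
        raise ValueError("no root element found")
    tag = m.group(0)
    attr_re = re.compile(rf'(\s{re.escape(attr)}\s*=\s*")(\d+)(")')
    hits = attr_re.findall(tag)
    if len(hits) != 1:
        raise ValueError(f"expected one {attr} attribute on the root element, found {len(hits)}")
    old_value = hits[0][1]
    if old_value not in EDITIONS.values():
        raise ValueError(f"unexpected {attr} value {old_value!r}")
    new_tag = attr_re.sub(lambda mm: mm.group(1) + new_value + mm.group(3), tag, count=1)
    return xml_text[: m.start()] + new_tag + xml_text[m.end():], old_value


def _detect_encoding(data: bytes) -> str:
    """Honour a BOM if present; otherwise assume UTF-8 (an assumption)."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "utf-16"
    if data[:3] == b"\xef\xbb\xbf":
        return "utf-8-sig"
    return "utf-8"


def convert_file(src: Path, dst: Path, target: str) -> str:
    """Rewrite src into dst for the target edition; returns the old value.

    The original export is never modified, so it stays available as a backup.
    """
    data = src.read_bytes()
    enc = _detect_encoding(data)
    new_text, old_value = swap_edition(data.decode(enc), target)
    dst.write_bytes(new_text.encode(enc))
    return old_value


# Constructed stand-in for an export (not a real ISA file): note the other "16"s
# that a naive find-and-replace would also hit.
SAMPLE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<Root Build="5.0.5720.16" Edition="16">\n'
    '  <Computer Name="host16" IP="10.0.0.16"/>\n'
    '</Root>\n'
)

if __name__ == "__main__":
    if len(sys.argv) == 4:
        old = convert_file(Path(sys.argv[1]), Path(sys.argv[2]), sys.argv[3])
        print(f"{sys.argv[1]}: edition {old} -> {EDITIONS[sys.argv[3].lower()]} written to {sys.argv[2]}")
    else:
        print("usage: isa_edition.py <export.xml> <out.xml> standard|enterprise")
```

Run it as `isa_edition.py Computer_Set_Export.XML Computer_Set_Enterprise.XML enterprise` (or `standard` for the reverse direction). It refuses to write anything if the root element does not carry exactly one edition attribute with a known value, which is the cue to open the export and check what the real attribute is called; and because it writes a new file, the unedited export survives as a backup if the import still fails.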
This is not a supported option from Microsoft, so use it at your own risk, bearing in mind that it works great for me.