RE:RE:RE: scripts to disable rules and clientAddrSet members

  • From: Daniel <daniel@xxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Sat, 06 Aug 2005 19:15:56 -0300

Thank you very much, Jim!

About ISA schedules:
I know and apply it. But in my case, for example:

1) I have some deny rules that apply in work hours with some permanent exceptions (it is a permanent rule, right!).
Occasionally I need some user (e.g. bob) to be in the exceptions of such rules, ONLY TODAY, to do a specific task (for example: today he can download .zip and .exe files in work hours).
So I will put bob in the exceptions clientAddrSet and schedule a Windows scheduled task, using your script example, to delete bob from the exceptions clientAddrSet at the end of the current working day, e.g. at 6:30 PM. So tomorrow I don't need to remember to delete bob from the exceptions.

2) In other cases I need to allow some user to access some protocol only for one day or for some hours today. I will apply a script to disable the protoRule in the same way, at the end of the day.

Even if ISA had schedules with begin/end dates, my first case would still be better resolved with scripts.

Thanks again!

 

----- Original Message -----
From: Jim Harrison
To: [ISAserver.org Discussion List]
Sent: Saturday, August 06, 2005 6:06 PM
Subject: [isalist] RE: scripts to disable rules and clientAddrSet members

http://www.ISAserver.org
You say you want to run these as a scheduled task - are you aware of ISA schedules that can be applied to any rule?
 
Always start with this:
Dim oISA
Set oISA = CreateObject( "FPC.Root" )
 
Example to toggle a S&C rule:
-- snip --
Dim S_C_Rule
Set S_C_Rule = oISA.Arrays.GetContainingArray.ArrayPolicy.SiteAndContentRules( "NameOfRule" )
S_C_Rule.Enabled = Not( S_C_Rule.Enabled )
S_C_Rule.Save
-- snip --
 
Example to add a CAS element:
-- snip --
Dim CAS
Set CAS = oISA.Arrays.GetContainingArray.ArrayPolicy.PolicyElements.ClientAddressSets( "NameOfSet" )
CAS.Add "1.2.3.4", "1.2.3.4"
CAS.Save
-- snip --
 
Example to delete a CAS element:
-- snip --
Dim CAS
Set CAS = oISA.Arrays.GetContainingArray.ArrayPolicy.PolicyElements.ClientAddressSets( "NameOfSet" )
CAS.Remove "1.2.3.4"
CAS.Save
-- snip --
 
Remember - these are bare-bones examples.
You'll want to add appropriate logging, error handling, etc.
ISATools.org has lots of examples for you to read through.
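
The logging and error handling mentioned above, applied to the end-of-day cleanup case, as an added example that is not part of the original thread. The script name, exit codes and event-log message prefix are assumptions; the ISA object calls are only the ones shown in the snippets above.

```vbscript
' Added example (not from the thread): disable a Site and Content rule when a
' temporary-access window ends. ISA calls are those shown in the thread.
' Hypothetical scheduled-task command: cscript //nologo DisableRule.vbs "NameOfRule"
Option Explicit

Const EVT_ERROR = 1, EVT_INFO = 4   ' WshShell.LogEvent event types

Dim oShell, oISA, oRule, sRule
Set oShell = CreateObject("WScript.Shell")

If WScript.Arguments.Count <> 1 Then
    Report EVT_ERROR, "Usage: DisableRule.vbs <rule name>"
    WScript.Quit 2
End If
sRule = WScript.Arguments(0)

On Error Resume Next
Set oISA = CreateObject("FPC.Root")
If Err.Number <> 0 Then Fail "cannot create FPC.Root", Err.Number, Err.Description
Set oRule = oISA.Arrays.GetContainingArray.ArrayPolicy.SiteAndContentRules(sRule)
If Err.Number <> 0 Then Fail "cannot open rule", Err.Number, Err.Description

' Set the state explicitly instead of toggling, so a second run (or a run after
' someone already disabled the rule by hand) never re-enables it.
If oRule.Enabled Then
    oRule.Enabled = False
    oRule.Save
    If Err.Number <> 0 Then Fail "cannot save rule", Err.Number, Err.Description
    Report EVT_INFO, "Disabled rule '" & sRule & "'"
Else
    Report EVT_INFO, "Rule '" & sRule & "' was already disabled; no change"
End If
WScript.Quit 0

' Write to the Application event log and to the console.
Sub Report(nType, sMsg)
    oShell.LogEvent nType, "ISA temp-access cleanup: " & sMsg
    WScript.Echo sMsg
End Sub

' Log the failure and exit non-zero so the scheduled task shows as failed.
Sub Fail(sWhat, nErr, sDesc)
    Report EVT_ERROR, sWhat & " (rule '" & sRule & "'): 0x" & Hex(nErr) & " " & sDesc
    WScript.Quit 1
End Sub
```

A failed run leaves the temporary access in place, so the non-zero exit code and the error event are what tell you the rule still needs to be disabled by hand.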
 
-----Original Message-----
From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
Sent: Saturday, August 06, 2005 12:15 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: scripts to disable rules and clientAddrSet members
 
http://www.ISAserver.org
Hi Jim!
 
I'm not a VB script programmer; today I make only some .bat routines, but Windows .bat scripts are very limited. I was a programmer in the past (10 years ago); if you have a very simple sample, that is good for me! I know that changing rules or chains on the fly is not easy, even more so if you are not a programmer.
 
I need 2 scripts, one to disable a site&content rule and another to delete some client addrset members. I use such rules to allow temporary access but sometimes forget to disable them.
 
thanks,
 
----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, August 06, 2005 2:48 PM
Subject: [isalist] RE: scripts to disable rules and clientAddrSet members
 
> http://www.ISAserver.org
>
> Again - do you want scripts or help writing them?
> It's actually simpler to move users into/ out of user groups that apply
> to static rules than it is to change ISA rules on the fly.
>
> -----Original Message-----
> From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
> Sent: Saturday, August 06, 2005 10:17 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] scripts to disable rules and clientAddrSet members
>
> http://www.ISAserver.org
>
> I have some rules that allow more privileged access, and I put users
> into them for a temporary time, for example 1 day, because they need to
> do temporary tasks like searches on prohibited sites, downloading
> prohibited files in work hours, etc.
>
> So I need scripts to run by windows task scheduler for:
> 1) disable one or more rules
> 2) delete or add members to client address sets
>
> Could anyone help me?
>
> Thanks,
> Daniel
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------