SunScreen 3.1 Installation Guide

Chapter 8 Converting FireWall-1 to SunScreen 3.1 in Routing Mode

This chapter explains how to convert from FireWall-1 (Release 2.1 or 3.0) to a SunScreen 3.1 system in routing mode.

Before installing, review the SunScreen 3.1 Release Notes for the latest information about this product.

Preparing Your FireWall-1 Configuration

Before you convert your FireWall-1 system, read this section carefully. There are limitations that you must address before running the conversion utility: if you do not first review your existing FireWall-1 configuration and modify the parts that will not convert directly to SunScreen 3.1 rules, the conversion stops with unrecoverable errors. The following tables list the known limitations.

Check your FireWall-1 configuration files and hand edit any object name that contains one of the reserved characters or reserved words listed below. Each such character or word must be removed or replaced before you run the conversion utility.

Reserved Characters

See the following table for a list of known reserved characters.

Table 8-1 Known FireWall-1 Reserved Characters

An object name must not contain any of the following characters:

  ` ' (space)           `+'
  `*'                   `?'
  `('                   `)'
  `{'                   `}'
  `['                   `]'
  `!'                   `#'
  `<'                   `>'
  `='                   `,' (comma)
  `:' (colon)           `;' (semicolon)
  `'' (quote)           ``' (back quote)
  `"' (double quote)    `/' (slash)
  `\' (back slash)      `\t' (tab)

Reserved Words

The following table contains a list of known reserved words which must not appear in the FireWall-1 object names, and must be edited prior to conversion:

Table 8-2 Known FireWall-1 Reserved Words

  "accept"        "and"            "black"              "blue"           "broadcasts"
  "call"          "cyan"           "dark green"         "dark orchid"    "date"
  "day"           "define"         "delete"             "direction"      "do"
  "domains"       "drop"           "dst"                "dynamic"        "expcall"
  "expires"       "firebrick"      "foreground"         "forest"         "forest green"
  "format"        "from"           "fwline"             "fwrule"         "gateways"
  "get"           "gold"           "gray 101"           "green"          "hold"
  "host"          "hosts"          "if"                 "ifaddr"         "ifid"
  "in"            "inbound"        "interface"          "interfaces"     "ipsecdata"
  "ipsecmethods"  "kbuf"           "keep"               "limit"          "log"
  "magenta"       "medium slate"   "medium slate blue"  "modify"         "navy blue"
  "netobj"        "netof"          "nets"               "nexpires"       "not"
  "or"            "orange"         "origdst"            "origsport"      "origsrc"
  "other"         "outbound"       "packet"             "packetid"       "pass"
  "r_arg"         "r_cdir"         "r_cflags"           "r_ckey"         "r_connarg"
  "r_ctype"       "r_entry"        "r_proxy_action"     "r_tab_status"   "r_xlate"
  "record"        "red"            "refresh"            "reject"         "resourceobj"
  "routers"       "servers"        "servobj"            "set"            "sienna"
  "skippeer"      "src"            "static"             "sync"           "targets"
  "to"            "tod"            "tracks"             "ufp"            "vanish"
  "wasskipped"    "xlatedport"     "xlatedst"           "xlatesport"     "xlatesrc"
  "xor"           "yellow"
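As an added example (not part of this guide or of the SunScreen package), the following Python checker applies Table 8-1 and Table 8-2 to a list of FireWall-1 object names, however you extracted them, and proposes a rename for each offending name. The case-insensitive reserved-word match and the sample names are assumptions.

```python
import re

# Table 8-1: characters that must not appear in a FireWall-1 object name.
RESERVED_CHARS = frozenset(" \t+*?(){}[]!#<>=,:;'`\"/\\")

# Table 8-2: words that must not be used as a FireWall-1 object name.
RESERVED_WORDS = frozenset("""
accept and black blue broadcasts call cyan date day define delete direction
do domains drop dst dynamic expcall expires firebrick foreground forest format
from fwline fwrule gateways get gold green hold host hosts if ifaddr ifid in
inbound interface interfaces ipsecdata ipsecmethods kbuf keep limit log
magenta modify netobj netof nets nexpires not or orange origdst origsport
origsrc other outbound packet packetid pass r_arg r_cdir r_cflags r_ckey
r_connarg r_ctype r_entry r_proxy_action r_tab_status r_xlate record red
refresh reject resourceobj routers servers servobj set sienna skippeer src
static sync targets to tod tracks ufp vanish wasskipped xlatedport xlatedst
xlatesport xlatesrc xor yellow
""".split()) | frozenset(["dark green", "dark orchid", "forest green", "gray 101",
                          "medium slate", "medium slate blue", "navy blue"])

def reserved_chars_in(name):
    """Reserved characters present in name, sorted and without duplicates."""
    return sorted(set(name) & RESERVED_CHARS)

def is_reserved_word(name):
    """Case-insensitive match: an assumption on the safe side, since the
    guide lists the words in lowercase only."""
    return name.lower() in RESERVED_WORDS

def suggest_rename(name):
    """Propose a name that passes both checks: reserved characters become
    '_', runs of '_' collapse, and a bare reserved word gets an _obj suffix."""
    clean = "".join("_" if c in RESERVED_CHARS else c for c in name)
    clean = re.sub("_+", "_", clean).strip("_")
    return clean + "_obj" if is_reserved_word(clean) else clean

def check_names(names):
    """Return (name, problems, suggested_name) for every offending name."""
    report = []
    for name in names:
        problems = ["character %r" % c for c in reserved_chars_in(name)]
        if is_reserved_word(name):
            problems.append("reserved word")
        if problems:
            report.append((name, problems, suggest_rename(name)))
    return report

# Constructed sample names (not taken from a real objects.C file).
SAMPLE_NAMES = ["mailhost-INT", "local net", "Host", "web(1)", "talon"]

if __name__ == "__main__":
    for name, problems, fix in check_names(SAMPLE_NAMES):
        print("%-14s %-30s rename to: %s" % (name, "; ".join(problems), fix))
```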

 

What Does and Does Not Convert

The following limitations apply when converting FireWall-1 configurations to SunScreen 3.1. Some object types and rules migrate with no difficulty, while others do not. A FireWall-1 rule that does not migrate contains an operation (on the Source, Destination, or Service) that SunScreen 3.1 does not support. The following table lists what does and does not migrate from FireWall-1 to SunScreen 3.1.

Table 8-3 What Converts From FireWall-1

  Does Convert         Does Not Convert
  Host Objects         Resources
  Group Objects        NAT Mappings
  Network Objects      Gateway Objects
  Most Rules           Encryption and Authentication Information/Rules
                       Domain Objects
                       Router Objects
                       Switch Objects
                       Logical Objects
                       FW-1 Services or User Defined Services
                       Install Objects
                       Rules which contain any Object or Service that cannot migrate
                       Using an Object Type as an Object Name


Note -

NETWORK is not a supported type in SunScreen 3.1. You must modify objects of this type first, before trying to access the configuration (called a Policy in SunScreen) using the SunScreen administration GUI.


SunScreen 3.1 Conversion Utility

The following procedures explain how to install, generate, and run the conversion utility.

To Install the Conversion Utility
  1. Open a terminal window and become root on the FireWall-1 machine.

  2. Insert the SunScreen 3.1 CD-ROM into the CD-ROM drive.

  3. Add the software by typing:


    For SPARC systems:
    # pkgadd -d /cdrom/cdrom0/sparc SUNWfwcnv
     
    For Intel systems:
    # pkgadd -d /cdrom/cdrom0/i386 SUNWfwcnv
    
  4. Continue the installation when prompted by pressing Return.

    The various files in SUNWfwcnv are displayed as they are installed. The installation ends with the following message: Installation of SUNWfwcnv was successful.

The SunScreen 3.1 conversion utility is now installed in /opt/SUNWfwcnv/bin.

Generating Conversion Files

The following procedures explain how to generate conversion files.

The fwconvert utility (located in /opt/SUNWfwcnv/bin) generates files that create the SunScreen 3.1 configuration from the original FireWall-1 configuration. fwconvert examines the rules and objects in your FireWall-1 security policy and generates new configuration files with commands for configuring SunScreen 3.1.

fwconvert uses the following FireWall-1 configuration files: the security policy file (policy.name.pf or policy.name.W) and the objects.C file.

Verify the location of these files and the name of the policy file (indicated by the .pf or .W extension) before you run fwconvert.


Note -

You must run the conversion utility on the FireWall-1 machine, even if you are configuring SunScreen 3.1 on a different machine.


To Run the Conversion Utility

  1. Open a terminal window and become root on the FireWall-1 machine.

  2. Run the conversion utility by typing:


    # /opt/SUNWfwcnv/bin/fwconvert &
    

    fwconvert displays the FW-1 Configuration Converter dialog box with the default values already inserted, as shown in the following figure.

    Figure 8-1 FireWall-1 Configuration Converter Dialog Box


  3. Type the path name where the FireWall-1 conversion files are located, or accept the default, if appropriate.

  4. Type the name of the policy file you want to convert, if different from the default.


    Note -

    Do not type the .pf or .W extension.


  5. Type the name of the directory where you want to store the new configuration files, and make sure the directory actually exists before you proceed. Otherwise, accept the /opt/SUNWfwcnv/output default.

  6. Pull down the Version menu and choose the release number of your FireWall-1 software, or accept the default, if appropriate.

  7. Click Proceed to start the conversion.

    fwconvert reads the policy file policy.name.pf (or policy.name.W) and the objects.C file, and generates the files from which the SunScreen configuration is built.

    When fwconvert completes successfully, the FireWall-1 Configuration Converter dialog box displays a DONE button.

  8. Click DONE to exit fwconvert.

  9. Verify the converted Rules.

    For more information, see "Verifying the Converted Rules."

After the conversion completes, the generated configuration files are located in the directory you specified in the FireWall-1 Configuration Converter dialog box (/opt/SUNWfwcnv/output by default). The policy.name_Objects and policy.name_Rules files must reside in the same directory as policy.name_sscfg before you can run the policy.name_sscfg generation program. Look at these files to confirm that the information was correctly converted.

Troubleshooting the fwconvert Utility

The following section describes how to troubleshoot the fwconvert utility.

Conditions for Failure

The following conditions can cause the conversion to fail: an incorrect path name or file name in the dialog box, insufficient permissions on the directories involved, and FireWall-1 data that fwconvert cannot parse (most often an object name containing a reserved character).

When fwconvert encounters one of these conditions, it displays an error message in the FW-1 Converter dialog box, as shown in the following figure.

Figure 8-2 Error Message From fwconvert



Note -

When data cannot be parsed, this error is displayed on the terminal window and not in the FW-1 Converter dialog box.


To Clear Conversion Errors (Except Parse Errors)

  1. Click the OK bar to clear the error message in the FW-1 Converter dialog box.

  2. Change permissions on the affected directories, if applicable.

  3. Fill in the corrected information in the fwconvert FW-1 Converter dialog box, making sure you specify the correct path names and file names.

  4. Click the Retry button.

    When it completes successfully, the FireWall-1 Configuration Converter displays the DONE button.

  5. Click DONE to exit fwconvert.

    fwconvert creates a set of files that are used to generate the SunScreen configuration.

  6. Verify the converted Rules.

    For more information, see "Verifying the Converted Rules."

After the conversion completes, the generated configuration files are located in the directory you specified in the FireWall-1 Configuration Converter dialog box (/opt/SUNWfwcnv/output by default). The policy.name_Objects and policy.name_Rules files must reside in the same directory as policy.name_sscfg before you can run the policy.name_sscfg generation program. Look at these files to confirm that the information was correctly converted.

To Clear Parse Errors


Note -

The most common parse error is caused by the use of a reserved character (such as a ` ` space) in an object name.


  1. Hand edit the line containing the error.

  2. Restart fwconvert.

    See the procedure "To Run the Conversion Utility," if needed.

Verifying the Converted Rules

fwconvert creates three types of files from the FireWall-1 configuration files: data (command) files, an executable script, and log files. See the following table for a complete list.

Table 8-4 Generated Configuration Files

  File Type          File Name               Description
  Data File          policy.name_Objects     Contains the commands for configuring the SunScreen addresses.
  Data File          policy.name_Rules       Contains the commands for adding SunScreen rules that use the generated objects.
  Executable Script  policy.name_sscfg       Generates a SunScreen configuration from the commands in policy.name_Objects and policy.name_Rules.
  Log File           policy.name_Obj.log     Contains the objects from FireWall-1 that are not supported by SunScreen.
  Log File           policy.name_Rule.log    Contains the rules from FireWall-1 that could not be added. Each rule is shown as a SunScreen rule command with an explanation of why the rule is not supported.
  Log File           policy.name_Unused.log  List of the FireWall-1 objects that cannot be used in SunScreen.

 

Command and Executable Files

When you create the new SunScreen configuration, you run the configuration program, which then executes the command files. You do not need to take further action on the command and executable files.

The following figures show examples of these files.


Example 8-1 policy.name_Objects File


# The address commands may contain other addresses which need to be created.
# These objects are logged in the policyname_Obj.log file

add_nocheck Address "mailhost-INT" HOST 205.167.60.6 COMMENT "Object from FW-1"
add_nocheck Address "mailhost-EXT" HOST 207.82.121.5 COMMENT "Object from FW-1"
add_nocheck Address "localnet" NETWORK 205.167.60.00 255.255.255.00 COMMENT "Object from FW-1, will need to be modified before using the GUI"
add_nocheck Address "talon" HOST 205.167.60.200 COMMENT "Object from FW-1"
add_nocheck Address "exosecure-alc" HOST 207.82.121.254 COMMENT "Object from FW-1"
save


Example 8-2 policy.name_Rules File


add_nocheck Rule "ip all" "*" "*" ALLOW LOG SUMMARY
save


Example 8-3 policy.name_sscfg File (where policy.name is 4complex)


#!/bin/csh
 
 
setenv PATH .:/usr/bin:/usr/sbin:/bin:/opt/SUNWicg/SunScreen/bin
 
 
echo Creating Policy: 4complex
 
ssadm policy -a 4complex
 
echo Adding Policy Addresses
 
/opt/SUNWicg/SunScreen/bin/ssadm edit -P 4complex < 4complex_Objects
 
echo Adding Policy Rules
 
/opt/SUNWicg/SunScreen/bin/ssadm edit -P 4complex < 4complex_Rules
 
echo Finished!
 

Log Files

The log files describe instances where fwconvert could not directly convert your FireWall-1 policy to an equivalent SunScreen policy. After conversion, you should review the contents of the log files to see what else you may need to do to the new SunScreen 3.1 configuration.

policy.name_Obj.log

The policy.name_Obj.log file lists objects found in your FireWall-1 security policy that were not directly supported in SunScreen. The following table lists the FireWall-1 objects and shows whether they were converted to SunScreen 3.1.

Table 8-5 How Conversion to SunScreen Affects FireWall-1 Objects

  FireWall-1 Object   SunScreen Equivalent   Conversion Status
  Host                Host                   Yes.
  Network             None                   Yes. Does not appear in the GUI but will show up on the command line. To make them visible in the GUI, manually change the NETWORK objects to RANGE objects via the command line.
  Router              None                   No. See the policy.name_Obj.log file for details.
  Switch              None                   No. See the policy.name_Obj.log file for details.
  Domain              None                   No. See the policy.name_Obj.log file for details.
  Group               Group                  Yes.
  Gateways            None                   No. However, they are logged in the policy.name_Obj.log file. Gateways require more configuration within SunScreen to assure that the IP addresses of the gateway are correct. See the Administration Guide for more information.
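An added example, not code from this guide or from fwconvert: it parses a policy.name_Objects file in the layout of Example 8-1, tolerates the "00" octets fwconvert emits, and lists every NETWORK object together with the first and last address you need when re-creating it as a RANGE object (the manual step described in the table above). The sample file is constructed; the "dmz" object in it is made up.

```python
import ipaddress
import re

# One add_nocheck Address line as fwconvert writes it (layout of Example 8-1).
ADDR_RE = re.compile(r'^\s*add_nocheck\s+Address\s+"(?P<name>[^"]+)"\s+'
                     r'(?P<type>HOST|NETWORK)\s+(?P<addr>[\d.]+)'
                     r'(?:\s+(?P<mask>[\d.]+))?')

def normalize_ip(text):
    """fwconvert emits octets such as '00' (see Example 8-1); strip the
    leading zeros so the value parses as plain dotted decimal."""
    return ".".join(str(int(octet)) for octet in text.split("."))

def parse_objects_file(text):
    """Return one dict per Address command; comments and 'save' are skipped."""
    objects = []
    for line in text.splitlines():
        match = ADDR_RE.match(line)
        if match is None:
            continue
        fields = match.groupdict()
        objects.append({
            "name": fields["name"],
            "type": fields["type"],
            "addr": normalize_ip(fields["addr"]),
            "mask": normalize_ip(fields["mask"]) if fields["mask"] else None,
        })
    return objects

def network_ranges(objects):
    """For every NETWORK object (invisible in the GUI until re-created as a
    RANGE object, Table 8-5) return (name, first address, last address)."""
    ranges = []
    for obj in objects:
        if obj["type"] != "NETWORK":
            continue
        net = ipaddress.IPv4Network((obj["addr"], obj["mask"]), strict=False)
        ranges.append((obj["name"], str(net.network_address),
                       str(net.broadcast_address)))
    return ranges

# Constructed sample in the layout of Example 8-1; "dmz" is made up.
SAMPLE_OBJECTS = """\
# The address commands may contain other addresses which need to be created.
 add_nocheck Address  "mailhost-INT" HOST 205.167.60.6 COMMENT "Object from FW-1"
 add_nocheck Address  "localnet" NETWORK 205.167.60.00 255.255.255.00  COMMENT "Object from FW-1, will need to be modified before using the GUI"
 add_nocheck Address  "dmz" NETWORK 207.82.121.0 255.255.255.240 COMMENT "constructed"
 save
"""

if __name__ == "__main__":
    for name, first, last in network_ranges(parse_objects_file(SAMPLE_OBJECTS)):
        print("%-12s NETWORK -> RANGE %s to %s" % (name, first, last))
```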

The following figure shows a sample policy.name_Obj.log file, similar to the file that you can generate from your FireWall-1 policy.


Example 8-4 policy.name_Obj.log File


/***** SunScreen: Firewall-1 conversion log *****/
/***** @(#)ObjStore.java	3.7 99/11/09 Sun Microsystems, Inc. *****/
 
Objects of type: gateway, need some user decisions
You had a gateway with name "skil" ipaddr 205.167.60.13
If this is the gateway on which SunScreen is being installed 
please refer to the 'ssadm edit' command to enable the interfaces

policy.name_Rule.log

This file shows rules generated from FireWall-1 rules that cannot be used in the SunScreen 3.1 environment without modification. The policy.name_Rule.log file explains why these rules were not added to the SunScreen firewall, for example:

SunScreen 3.1 does not support FireWall-1 encryption, user authentication, or client authentication. Encryption in SunScreen is accomplished through SKIP, as explained in the SunScreen 3.1 Reference Manual. For more information regarding SKIP, see the SunScreen SKIP 1.5.1 User's Guide.


Caution -

All FireWall-1 rules are generated during the conversion. You must manually remove any rules that you do not need.


The following shows a sample policy.name_Rule.log file such as you might find after a FireWall-1 to SunScreen 3.1 conversion.


Example 8-5 policy.name_Rule.log File


/***** SunScreen: Firewall-1 conversion log *****/
/***** @(#)RuleStore.java	3.6 99/11/09 Sun Microsystems, Inc. *****/

Rule below not added as the action Encrypt is configured differently in SunScreen.
 add_nocheck Rule  "smtp" "aiims" "*" Encrypt

Rule below not added as the action Encrypt is configured differently in SunScreen.
 add_nocheck Rule  "echo" "aiims" "*" Encrypt

Rule below not added as the action User Authentication is not valid in SunScreen.
 add_nocheck Rule  "ftp" "*" "aiims" User

Rule below not added as the action Client Encryption/Authentication is not valid in SunScreen.
 add_nocheck Rule  "dns" """ "*" Client


policy.name_Unused.log

The following figure lists FireWall-1 objects encountered in your policy that are not supported by SunScreen 3.1.


Example 8-6 policy.name_Unused.log File


#Invalid Objects from FW-1
#Wed Mar 31 17:40:23 PST 1999
invalidobj1=gateway skil
 

Creating the SunScreen 3.1 Configuration

The following procedures explain how you prepare for and generate the new SunScreen 3.1 configuration.

Choosing which of the next two procedures to follow depends on whether you plan to run SunScreen 3.1 on the former FireWall-1 machine or on a new machine. Option 1 discusses preparing the FireWall-1 machine to become a SunScreen machine. Option 2 discusses preparing a new machine to run the converted FireWall-1 configurations.


Note -

Choose only one option or the other.


Option 1: To Prepare the FireWall-1 Machine to Run SunScreen 3.1

  1. Open a terminal window and become root.

  2. Save the existing FireWall-1 configuration files located in the /opt/SUNWfw/conf directory as a backup.

  3. Use the pkgrm command to remove the SUNWfw package by typing:


    # pkgrm SUNWfw

  4. Upgrade your operating environment to at least Solaris 2.6 (if not already done).

    See your Solaris documentation for instructions, if necessary.

  5. Install the additional Solaris packages and kernel packages required as listed in "Installation Overview" (if not already done).


    Note -

    Prior to installing the SunScreen software, make sure that the machine is performing properly as a router.


  6. Install the SunScreen 3.1 software as described in "Installing in Routing Mode With Local Administration."

What Is Next?

Continue to the section, "To Generate the New SunScreen Configuration."

Option 2: To Prepare a New SunScreen Machine to Run the Converted FireWall-1 Configuration


Note -

Prior to installing the SunScreen 3.1 software, make sure that the machine is performing properly as a router.


  1. Open a terminal window and become root.

  2. Upgrade your operating environment to at least Solaris 2.6 (if not already done).

    See your Solaris documentation for instructions, if necessary.

  3. Install the additional Solaris packages and kernel packages required as listed in "Installation Overview" (if not already done).

  4. Copy the generated configuration files to a directory on the new SunScreen machine.

  5. Install the SunScreen 3.1 software as described in "Installing in Routing Mode With Local Administration."

What Is Next?

Continue to the section, "To Generate the New SunScreen Configuration."

To Generate the New SunScreen Configuration

  1. Open a terminal window and become root.

  2. Change to the directory where the conversion files were saved and make the policy.name_sscfg file executable by typing:


    # chmod 544 policy.name_sscfg
    

    Verify that the commands in the generated file are accurate. Because the generated script (see Example 8-3) places the current directory first in PATH and runs ssadm as root, run it only from the directory that holds the conversion files, after confirming that no other executable named ssadm is present there.

  3. Run the script by typing:


    # ./policy.name_sscfg
    

policy.name_sscfg creates the new SunScreen configuration from the converted files. The resulting configuration is similar to, but not necessarily identical with, the original FireWall-1 policy, so review it (and the log files described above) before activating it.

See the SunScreen 3.1 Administration Guide for instructions on activating the configuration.