Preparing Your FireWall-1 Configuration
Before you convert your FireWall-1 system, please read this section carefully. There are certain limitations which you must address before running the conversion utility. You will experience unrecoverable errors if you do not first review your existing FireWall-1 configurations and modify those that will not convert directly to SunScreen 3.1 rules. The following tables list these known limitations.
Check your FireWall-1 configuration files and hand edit any that may contain:
If any of the following characters or reserved words are misused, you need to remove or replace them.
Reserved Characters
See the following table for a list of known reserved characters.
Table 8-1 Known FireWall-1 Reserved Characters|
|
Illegal Characters |
Illegal Characters |
|---|---|---|
|
String contains |
` ` (space) |
`+' |
|
|
`*' |
`?' |
|
|
`)` |
`)' |
|
|
`{` |
`}' |
|
|
`[` |
`]' |
|
|
`!' |
`#' |
|
|
`<` |
`>' |
|
|
`=' |
`,' (comma) |
|
|
`:' (colon) |
`:' (semicolon) |
|
|
`'' (quote) |
``' (back quote) |
|
|
`"' (double quote) |
`/' (slash) |
|
|
`\' (back slash) |
`\t' (tab) |
Reserved Words
The following table contains a list of known reserved words which must not appear in the FireWall-1 object names, and must be edited prior to conversion:
Table 8-2 Known FireWall-1 Reserved Words|
"accept" |
"expcall" |
"hosts" |
|
"modify" |
"pass" |
"set" |
|
"and" |
"expires" |
"if" |
|
"navy blue" |
"r_arg" |
"skippeer" |
|
"black" |
"firebrick" |
"ifaddr" |
|
"netof" |
"r_cdir" |
"src" |
|
"blue" |
"foreground" |
"ifid" |
|
"nets" |
"r_cflags" |
"static" |
|
"broadcasts" |
"forest" |
"in" |
|
"nexpires" |
"r_ckey" |
"sync" |
|
"green" |
"call" |
"format" |
|
"inbound" |
"not" |
"r_connarg" |
|
"targets" |
"date" |
"from" |
|
"interface" |
"or" |
"r_ctype" |
|
"day" |
"fwline" |
"interfaces" |
|
"orange" |
"r_entry" |
"tod" |
|
"define" |
"fwrule" |
"ipsecmethods" |
|
"origsport" |
"r_proxy_action" |
"ufp" |
|
"delete" |
"gateways" |
"ipsecdata" |
|
"origdst" |
"r_xlate" |
"wasskipped" |
|
"do" |
"gold" |
"keep" |
|
"origsrc" |
"record" |
"xlatedport" |
|
"domains" |
"gray 101" |
"limit" |
|
"other" |
"red" |
"xlatedst" |
|
"drop" |
"green" |
"log" |
|
"outbound" |
"refresh" |
"xlatesport" |
|
"dst" |
"hold" |
"magenta" |
|
"packet" |
"reject" |
"xlatesrc" |
|
"dynamic" |
"host" |
"medium slate" |
|
"packetid" |
"routers" |
"xor" |
|
"r_tab_status" |
"vanish" |
"direction" |
|
"get" |
"kbuf" |
"gateways" |
|
"netobj" |
"resourceobj" |
"servobj" |
|
"servers" |
"tracks" |
"cyan" |
|
"dark green" |
"dark orchid" |
"forest green" |
|
"medium slate blue" |
"red" |
"sienna" |
|
"yellow" |
"to" |
|
What Does and Does Not Convert
The following limitations apply when converting FireWall-1 configurations to SunScreen 3.1. Some object-types and rules migrate with no difficulty, while others do not. FireWall-1 rules, which do not migrate, contain an operation (on the Source, Destination, or Service) that SunScreen 3.1 does not support. The following table lists what will migrate and will not to migrate from FireWall-1 to SunScreen 3.1.
Table 8-3 What Converts From FireWall-1|
Does Convert |
Does Not Convert |
|---|---|
|
Host Objects |
Resources |
|
Group Objects |
NAT Mappings |
|
Network Objects |
Gateway Objects |
|
Most Rules |
Encryption and Authentication Information/Rules |
|
|
Domain Objects |
|
|
Router Objects |
|
|
Switch Objects |
|
|
Logical Objects |
|
|
FW-1 Services or User Defined Services |
|
|
Install Objects |
|
|
Rules which contain any Object or Service that can not migrate |
|
|
Using an Object Type as an Object Name |
Note -
NETWORK is not a supported type in SunScreen 3.1. You must modify objects of this type first, before trying to access the configuration (called a Policy in SunScreen) using the SunScreen administration GUI.
- © 2010, Oracle Corporation and/or its affiliates