SunScreen 3.1 Installation Guide

Log Files

The log files record the cases in which fwconvert could not directly convert your FireWall-1 policy into an equivalent SunScreen policy. After conversion, review the contents of the log files to see what further changes the new SunScreen 3.1 configuration needs before you rely on it.

policy.name_Obj.log

The policy.name_Obj.log file lists objects found in your FireWall-1 security policy that are not directly supported in SunScreen. The following table lists the FireWall-1 object types and shows whether each was converted to SunScreen 3.1.

Table 8-5 How Conversion to SunScreen Affects FireWall-1 Objects

FireWall-1 Object   SunScreen Equivalent   Conversion Status
-----------------   --------------------   -----------------
Host                Host                   Yes.
Network             None                   Yes. Does not appear in the GUI, but does show up on the
                                           command line. To make network objects visible in the GUI,
                                           manually change them from NETWORK objects to RANGE objects
                                           on the command line.
Router              None                   No. See the policy.name_Obj.log file for details.
Switch              None                   No. See the policy.name_Obj.log file for details.
Domain              None                   No. See the policy.name_Obj.log file for details.
Group               Group                  Yes.
Gateways            None                   No. However, they are logged in the policy.name_Obj.log
                                           file. Gateways require more configuration within SunScreen
                                           to ensure that the IP addresses of the gateway are correct.
                                           See the Administration Guide for more information.

The following example shows a sample policy.name_Obj.log file, similar to the file that fwconvert generates from your FireWall-1 policy.


Example 8-4 policy.name_Obj.log File


/***** SunScreen: Firewall-1 conversion log *****/
/***** @(#)ObjStore.java	3.7 99/11/09 Sun Microsystems, Inc. *****/
 
Objects of type: gateway, need some user decisions
You had a gateway with name "skil" ipaddr 205.167.60.13
If this is the gateway on which SunScreen is being installed 
please refer to the 'ssadm edit' command to enable the interfaces

policy.name_Rule.log

This file lists the rules generated from FireWall-1 rules that cannot be used in the SunScreen 3.1 environment without modification. For each such rule the policy.name_Rule.log file states why it was not added to the SunScreen policy. For example:

SunScreen 3.1 does not support FireWall-1 encryption, user authentication, or client authentication, so rules with the Encrypt, User, or Client action are not added. Encryption in SunScreen is accomplished through SKIP, as explained in the SunScreen 3.1 Reference Manual. For more information regarding SKIP, see the SunScreen SKIP 1.5.1 User's Guide.


Caution -

Every FireWall-1 rule that can be converted is added to the SunScreen policy during the conversion, whether or not you still need it. Review the converted policy and manually remove any rules that you do not need.


The following example shows a sample policy.name_Rule.log file such as you might find after a FireWall-1 to SunScreen 3.1 conversion.


Example 8-5 policy.name_Rule.log File


/***** SunScreen: Firewall-1 conversion log *****/
/***** @(#)RuleStore.java	3.6 99/11/09 Sun Microsystems, Inc. *****/
 
 
Rule below not added as the action Encrypt is configured differently in SunScreen.
 add_nocheck Rule  "smtp" "aiims" "*" Encrypt
 
 
 
Rule below not added as the action Encrypt is configured differently in SunScreen.
 add_nocheck Rule  "echo" "aiims" "*" Encrypt
 
 
 
Rule below not added as the action User Authentication is not valid in SunScreen.
 add_nocheck Rule  "ftp" "*" "aiims" User
 
 
 
Rule below not added as the action Client Encryption/Authentication is not valid in SunScreen.
 add_nocheck Rule  "dns" """ "*" Client
 

policy.name_Unused.log

This file lists the FireWall-1 objects encountered in your policy that are not supported by SunScreen 3.1, one per line, as key=value pairs. The following example shows a sample policy.name_Unused.log file.


Example 8-6 policy.name_Unused.log File


#Invalid Objects from FW-1
#Wed Mar 31 17:40:23 PST 1999
invalidobj1=gateway skil
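The three log files above are the complete record of what fwconvert could not carry over, so the post-conversion review is easiest to do from a summary of them rather than by reading each file by eye. The following script is an added example, not part of SunScreen or fwconvert: its parsers follow the line formats shown in Examples 8-4, 8-5 and 8-6 (a "Rule below not added as ..." line followed by the add_nocheck line it refers to, "You had a <type> with name ..." lines, and key=value lines), and the sample logs embedded in it are constructed for the example, with the empty rule source written as "" rather than the stray quoting in Example 8-5. Field names such as "service", "source" and "destination" are the script's own assumptions about the order of the quoted fields on an add_nocheck line.

```python
"""Summarise the three fwconvert log files so the post-conversion review can
be done systematically.  Added example: the parsers follow the line formats
shown in Examples 8-4, 8-5 and 8-6; they are not part of SunScreen or
fwconvert, and the sample logs below are constructed, not real output."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample logs modelled on Examples 8-4, 8-5 and 8-6.
OBJ_LOG = """\
/***** SunScreen: Firewall-1 conversion log *****/
Objects of type: gateway, need some user decisions
You had a gateway with name "skil" ipaddr 205.167.60.13
"""

RULE_LOG = """\
/***** SunScreen: Firewall-1 conversion log *****/

Rule below not added as the action Encrypt is configured differently in SunScreen.
 add_nocheck Rule  "smtp" "aiims" "*" Encrypt

Rule below not added as the action User Authentication is not valid in SunScreen.
 add_nocheck Rule  "ftp" "*" "aiims" User

Rule below not added as the action Client Encryption/Authentication is not valid in SunScreen.
 add_nocheck Rule  "dns" "" "*" Client
"""

UNUSED_LOG = """\
#Invalid Objects from FW-1
#Wed Mar 31 17:40:23 PST 1999
invalidobj1=gateway skil
"""

_OBJ_LINE = re.compile(r'You had a (\w+) with name "([^"]+)" ipaddr (\S+)')
_REASON_LINE = re.compile(r'^Rule below not added as (.*?)\.?\s*$')
_RULE_LINE = re.compile(r'^\s*add_nocheck Rule\s+(.*?)\s+(\S+)\s*$')
_QUOTED = re.compile(r'"([^"]*)"')


def parse_obj_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (type, name, ipaddr) for every object that needs a user decision."""
    found = []
    for line in text.splitlines():
        m = _OBJ_LINE.search(line)
        if m:
            found.append(m.groups())
    return found


def parse_rule_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Pair each 'Rule below not added ...' reason with the rule under it."""
    rules = []
    reason: Optional[str] = None
    for line in text.splitlines():
        m = _REASON_LINE.match(line)
        if m:
            reason = m.group(1)
            continue
        m = _RULE_LINE.match(line)
        if not m:
            continue
        fields = _QUOTED.findall(m.group(1))
        if len(fields) != 3:  # assumed order: service, source, destination
            raise ValueError("unexpected rule line: %r" % line)
        rules.append({
            "service": fields[0], "source": fields[1], "destination": fields[2],
            "action": m.group(2), "reason": reason,
        })
        reason = None  # a reason applies only to the rule directly under it
    return rules


def parse_unused_log(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {key: (type, name)} from key=value lines, skipping # comments."""
    objs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        obj_type, _, name = value.partition(" ")
        objs[key] = (obj_type, name)
    return objs


def review(obj_text: str, rule_text: str, unused_text: str) -> Dict[str, object]:
    """Collect everything the administrator must act on after fwconvert."""
    decisions = parse_obj_log(obj_text)
    dropped = parse_rule_log(rule_text)
    invalid = parse_unused_log(unused_text)
    by_action: Dict[str, List[str]] = {}
    for r in dropped:
        by_action.setdefault(r["action"], []).append(r["service"])
    # Gateways that need a decision and were also written off as invalid objects.
    unresolved = [name for (_, name, _) in decisions
                  if any(n == name for (_, n) in invalid.values())]
    return {"decisions": decisions, "dropped_rules": dropped,
            "dropped_by_action": by_action, "invalid_objects": invalid,
            "unresolved_gateways": unresolved}


if __name__ == "__main__":
    result = review(OBJ_LOG, RULE_LOG, UNUSED_LOG)
    for r in result["dropped_rules"]:
        print("NOT ADDED %-8s %-6s %-8s %-8s (%s)" % (
            r["action"], r["service"], r["source"] or '""',
            r["destination"], r["reason"]))
    print("gateways still to configure:", result["unresolved_gateways"])
```

Run it against the real files by reading them from the conversion directory instead of the embedded strings; every rule it lists under "dropped_by_action" must be re-created by hand in SunScreen (for Encrypt rules, as a SKIP configuration) or consciously dropped, and every gateway in "unresolved_gateways" still needs its interfaces enabled with ssadm edit.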