SunScreen 3.2 Installation Guide

Preparing Your FireWall-1 Configuration

Before you convert your FireWall-1 system, read this section carefully. There are certain limitations that you must address before running the conversion utility. You can experience unrecoverable errors that require restarting the migration. Your existing FireWall-1 configurations are not modified by this tool. You must first review your existing FireWall-1 configurations and modify those that will not convert directly to SunScreen rules. This section lists these known limitations.

Check your FireWall-1 configuration files and edit any that contain:

Reserved characters in comments and object names
Reserved words used for object names

If any of the following reserved characters or words are used, you need to remove or replace them.

Known FireWall-1 Reserved Characters

` ` (space)
`*'
`)`
`{`
`[`
`!'
`<`
`='
`:' (colon)
`'' (quote)
`"' (double quote)
`\' (back slash)
`+'
`?'
`)'
`}'
`]'
`#'
`>'
`,' (comma)
`:' (semicolon)
``' (back quote)
`/' (slash)
`\t' (tab)

Known FireWall-1 Reserved Words

The following are known reserved words that must not appear in the FireWall-1 object names, and must be edited prior to conversion:

"accept"
"and"
"black"
"blue"
"broadcasts"
"call"
"cyan"
"dark green"
"dark orchid"
"date"
"day"
"define"
"delete"
"direction"
"do"
"domains"
"drop"
"dst"
"dynamic"
"expcall"
"expires"
"firebrick"
"foreground"
"forest"
"forest green"
"format"
"from"
"fwline"
"fwrule"
"gateways"
"get"
"gold"
"gray 101"
"green"
"if"
"ifaddr"
"ifid"
"in"
"inbound"
"interface"
"interfaces"
"ipsecdata"
"ipsecmethods"
"hold"
"host"
"hosts"
"kbuf"
"keep"
"limit"
"log"
"magenta"
"medium slate"
"medium slate blue"
"modify"
"navy blue"
"netobj"
"netof"
"nets"
"nexpires"
"not"
"or"
"orange"
"origdst"
"origsport"
"origsrc"
"other"
"outbound"
"packet"
"packetid"
"pass"
"r_arg"
"r_cdir"
"r_cflags"
"r_ckey"
"r_connarg"
"r_ctype"
"r_entry"
"r_proxy_action"
"r_tab_status"
"r_xlate"
"record"
"red"
"resourceobj"
"refresh"
"reject"
"routers"
"servers"
"servobj"
"set"
"sienna"
"skippeer"
"src"
"static"
"sync"
"targets"
"to"
"tod"
"tracks"
"ufp"
"vanish"
"wasskipped"
"xlatedport"
"xlatedst"
"xlatesport"
"xlatesrc"
"xor"
"yellow"

What Configurations Convert From FireWall-1

The following limitations apply when converting FireWall-1 configurations to SunScreen. Some object-types and rules migrate with no difficulty, while others do not. FireWall-1 rules that do not migrate, contain an operation (on the Source, Destination, or Service) that SunScreen does not support. The following table lists what will and what will not migrate from FireWall-1 to SunScreen.

Table 8-1 What Converts From FireWall-1


Does Convert	Does Not Convert
Host objects	Resources
Group objects	NAT mappings
Network objects	Gateway objects
Most rules	Encryption and authentication information and rules
	Domain objects
	Router objects
	Switch objects
	Logical objects
	FW-1 services or user defined services
	Install objects
	Rules containing any object or service that will not migrate
	Using an object type as an object name