SunScreen 3.2 Installation Guide

Verifying the Converted Rules

fwconvert creates three types of files from the FireWall-1 configuration files: data (command) files, an executable script, and log files. See the following table for a complete list.

Table 8-2 Generated Configuration Files

File Type         | File Name             | Description
Data file         | policyname_Objects    | Contains the commands for configuring the SunScreen objects.
Data file         | policyname_Rules      | Contains the commands for adding SunScreen rules that use the generated objects.
Executable script | policyname_sscfg      | Generates a SunScreen configuration from the commands in policyname_Objects and policyname_Rules.
Log file          | policyname_Obj.log    | Contains the objects from FireWall-1 that are not supported by SunScreen.
Log file          | policyname_Rule.log   | Contains the rules from FireWall-1 that could not be added. Each rule is shown as a SunScreen rule command with an explanation of why the rule is not supported.
Log file          | policyname_Unused.log | Lists the FireWall-1 objects that cannot be used in SunScreen.

Command and Executable Files

When you create the new SunScreen configuration, you run the configuration program, which then executes the command files. You do not need to take further action on the command and executable files.

The following shows examples of these files.


Example 8-1 policyname_Objects File


# The address commands may contain other addresses which need to be created.
# These objects are logged in the policyname_Obj.log file
add_nocheck Address "mailhost-INT" HOST 205.167.60.6 COMMENT "Object from FW-1"
add_nocheck Address "mailhost-EXT" HOST 207.82.121.5 COMMENT "Object from FW-1"
add_nocheck Address "localnet" NETWORK 205.167.60.00 255.255.255.00 COMMENT "Object from FW-1"
add_nocheck Address "talon" HOST 205.167.60.200 COMMENT "Object from FW-1"
add_nocheck Address "exosecure-alc" HOST 207.82.121.254 COMMENT "Object from FW-1"
save


Example 8-2 policyname_Rules File


add_nocheck Rule "ip all" "*" "*" ALLOW LOG SUMMARY
save


Example 8-3 policyname_sscfg File (where policyname is 4complex)


#!/bin/csh
setenv PATH .:/usr/bin:/usr/sbin:/bin:/usr/sbin 
echo Creating Policy: 4complex 
ssadm policy -a 4complex
echo Adding Policy Addresses
/usr/sbin/ssadm edit -P 4complex < 4complex_Objects 
echo Adding Policy Rules
/usr/sbin/ssadm edit -P 4complex < 4complex_Rules
echo Finished!
 

Log Files

The log files describe instances where fwconvert could not directly convert your FireWall-1 policy to an equivalent SunScreen policy. After conversion, you should review the contents of the log files to see what else you may need to do to the new SunScreen configuration.

policyname_Obj.log

The policyname_Obj.log file lists objects found in your FireWall-1 security policy that were not directly supported in SunScreen 3.2. The following table lists the FireWall-1 objects and shows whether they were converted to SunScreen 3.2.

Table 8-3 How Conversion to SunScreen 3.2 Affects FireWall-1 Objects

FireWall-1 Object | SunScreen Equivalent | Conversion Status
Host              | Host                 | Yes.
Network           | Range                | Yes.
Router            | None                 | No. See the policyname_Obj.log file for details.
Switch            | None                 | No. See the policyname_Obj.log file for details.
Domain            | None                 | No. See the policyname_Obj.log file for details.
Group             | Group                | Yes.
Gateways          | None                 | No. However, they are logged in the policyname_Obj.log file. Gateways require more configuration within SunScreen to ensure that the IP addresses of the gateway are correct. See the SunScreen 3.2 Administration Guide for more information.

The following example shows a sample policyname_Obj.log file, similar to the file that you can generate from your FireWall-1 policy.


Example 8-4 policyname_Obj.log File


/***** SunScreen: Firewall-1 conversion log *****/
/***** @(#)ObjStore.java	3.7 99/11/09 Sun Microsystems, Inc. *****/
 
Objects of type: gateway, need some user decisions
You had a gateway with name "skil" ipaddr 205.167.60.13
If this is the gateway on which SunScreen is being installed 
please refer to the 'ssadm edit' command to enable the interfaces

policyname_Rule.log

This file shows rules generated from FireWall-1 rules that cannot be used in the SunScreen environment without modification. The policyname_Rule.log file explains why these rules were not added to the SunScreen firewall.

For example, SunScreen does not support FireWall-1 encryption, user authentication, or client authentication. Encryption in SunScreen is accomplished through SunScreen IKE or SunScreen SKIP, as explained in the SunScreen 3.2 Administrator's Overview. For more information regarding SKIP, see the SunScreen SKIP User's Guide, Release 1.5.1.


Caution -

All FireWall-1 rules are generated during the conversion. You must manually remove any rules that you do not need.


The following shows a sample policyname_Rule.log file that might be generated after the FireWall-1 to SunScreen conversion.


Example 8-5 policyname_Rule.log File


/***** SunScreen: Firewall-1 conversion log *****/
/***** @(#)RuleStore.java	3.6 99/11/09 Sun Microsystems, Inc. *****/
 
Rule below not added as the action Encrypt is configured differently 
in SunScreen.
 add_nocheck Rule  "smtp" "aiims" "*" Encrypt
 
Rule below not added as the action Encrypt is configured differently 
in SunScreen.
 add_nocheck Rule  "echo" "aiims" "*" Encrypt
 
Rule below not added as the action User Authentication is not valid 
in SunScreen.
 add_nocheck Rule  "ftp" "*" "aiims" User
  
Rule below not added as the action Client Encryption/Authentication 
is not valid in SunScreen.
 add_nocheck Rule  "dns" """ "*" Client

 

policyname_Unused.log

The following example lists FireWall-1 objects encountered in your policy that are not supported by SunScreen.


Example 8-6 policyname_Unused.log File


#Invalid Objects from FW-1
#Wed Mar 31 17:40:23 PST 1999
invalidobj1=gateway skil
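As an added example (not SunScreen's own tooling), the following Python script reviews the three generated files in the formats shown in Examples 8-2, 8-5 and 8-6: it flags any-source/any-destination ALLOW rules in policyname_Rules (the Caution above notes that every FireWall-1 rule is carried over and unneeded ones must be removed by hand), pairs each "Rule below not added" entry in policyname_Rule.log with the rule and the unsupported action, and lists the objects in policyname_Unused.log. The sample inputs are constructed from those examples.

```python
# Added example (not SunScreen's own code): review the files fwconvert writes.
import re

# Constructed from Example 8-2: one any/any rule plus a narrower one.
RULES_FILE = '''add_nocheck Rule "ip all" "*" "*" ALLOW LOG SUMMARY
add_nocheck Rule "smtp" "*" "mailhost-INT" ALLOW
save
'''
# Constructed from Example 8-5 (two of the four entries).
RULE_LOG = '''Rule below not added as the action Encrypt is configured differently
in SunScreen.
 add_nocheck Rule  "smtp" "aiims" "*" Encrypt
Rule below not added as the action User Authentication is not valid
in SunScreen.
 add_nocheck Rule  "ftp" "*" "aiims" User
'''
# Constructed from Example 8-6.
UNUSED_LOG = "#Invalid Objects from FW-1\ninvalidobj1=gateway skil\n"

# add_nocheck Rule "service" "source" "destination" ACTION [options]
RULE_RE = re.compile(r'^\s*add_nocheck\s+Rule\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+(\S+)\s*(.*)$')
UNUSED_RE = re.compile(r'^invalidobj\d+=(\S+)\s+(.+)$')
REASON_PREFIX = "Rule below not added as the action "

def parse_rules(text):
    """(service, src, dst, action, options) for every rule command in text."""
    return [m.groups() for m in map(RULE_RE.match, text.splitlines()) if m]

def permissive_rules(text):
    """ALLOW rules from any source to any destination; "ip all" means every
    IP service, so such a rule admits all traffic and needs a human decision."""
    return [r for r in parse_rules(text)
            if r[1] == "*" and r[2] == "*" and r[3] == "ALLOW"]

def dropped_rules(log_text):
    """Pair each 'Rule below not added ...' reason with the rule that follows it.
    The reason is reduced to the FireWall-1 action keyword (Encrypt, User, Client)."""
    dropped, reason = [], None
    for line in log_text.splitlines():
        if line.startswith(REASON_PREFIX):
            reason = line[len(REASON_PREFIX):].split()[0]
        m = RULE_RE.match(line)
        if m and reason is not None:
            dropped.append((m.group(1), m.group(4), reason))
            reason = None
    return dropped

def unused_objects(text):
    """(type, name) pairs from policyname_Unused.log."""
    return [m.groups() for m in map(UNUSED_RE.match, text.splitlines()) if m]
```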