
glennake / directfire_converter

50 stars, 6 watchers, 16 forks, 447 KB

DirectFire Firewall Converter - Network Security, Next-Generation Firewall Configuration Conversion, Firewall Syntax Translation and Firewall Migration Tool - supports Cisco ASA, Fortinet FortiGate (FortiOS), Juniper SRX (JunOS), SSG / Netscreen (ScreenOS) and WatchGuard (support for further devices in development). Similar to FortiConverter, SmartMove, Expedition etc.

License: GNU General Public License v3.0

Language: Python 100%
Topics: firewall, firewall-configuration, firewall-rules, configuration-parser, parser, parser-generator, cisco-asa, fortigate, fortigate-firewall, fortigate-configuration

directfire_converter's Introduction

DirectFire Converter

DirectFire Converter is a firewall configuration conversion tool written in Python. Support for any firewall type will be considered based on request, demand and developer availability.

This tool generates configuration for supported elements only. The output is intended to be entered through the CLI or merged into a full or running configuration; it does not generate complete configuration files.

See the documentation for supported firewall types and details on what configuration elements are converted.

If you encounter problems when using this tool, please search open issues on GitHub and create a new issue if one does not exist.

WARNING: THIS TOOL IS IN VERY EARLY DEVELOPMENT AND MAY BE INACCURATE AND/OR UNRELIABLE, IT IS YOUR RESPONSIBILITY TO VALIDATE ALL CONFIGURATIONS BEFORE USE.
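One mechanical way to act on that warning is to review the generated policy fragment before it is merged. The script below is an added example and is not part of DirectFire Converter: it parses a FortiOS `config firewall policy` fragment of the kind a converter would emit and flags accept policies that are broader than a reviewer would normally pass (interface `any`, `all` to `all`, service `ALL`, logging disabled). The fragment, the policy names PID_1/PID_2, the interfaces port1/port2 and the address object web_servers are constructed for illustration.

```python
"""Sanity-check a FortiOS 'config firewall policy' fragment before merging it.

Added example; it is not part of DirectFire Converter. It parses the CLI
fragment a converter would emit and flags accept policies that are broader
than a reviewer would normally pass. SAMPLE_FRAGMENT and every name in it
are constructed for illustration.
"""
import re
import shlex

SAMPLE_FRAGMENT = """\
config firewall policy
    edit 1
        set name "PID_1"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "web_servers"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set comments "migrated from ASA ACL outside_in"
    next
    edit 2
        set name "PID_2"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
"""


def parse_policies(fragment):
    """Return one dict per 'edit N ... next' block.

    Each 'set KEY V1 V2 ...' line becomes policy[KEY] = [V1, V2, ...];
    shlex handles the quoted values FortiOS uses ("port1", "PID_1").
    """
    policies = []
    current = None
    for raw in fragment.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"edit\s+(\d+)", line)
        if match:
            current = {"id": int(match.group(1))}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            tokens = shlex.split(line)
            current[tokens[1]] = tokens[2:]
    return policies


def find_permissive(policies):
    """Return [(policy_id, [reason, ...])] for accept policies worth a second look."""
    findings = []
    for pol in policies:
        if pol.get("action") != ["accept"]:
            continue  # a deny policy cannot widen access
        reasons = []
        if "any" in pol.get("srcintf", []) or "any" in pol.get("dstintf", []):
            reasons.append("interface any")
        if "all" in pol.get("srcaddr", []) and "all" in pol.get("dstaddr", []):
            reasons.append("srcaddr all and dstaddr all")
        if "ALL" in pol.get("service", []):
            reasons.append("service ALL")
        if pol.get("logtraffic") == ["disable"]:
            reasons.append("logging disabled")
        if reasons:
            findings.append((pol["id"], reasons))
    return findings


if __name__ == "__main__":
    for policy_id, reasons in find_permissive(parse_policies(SAMPLE_FRAGMENT)):
        print(f"policy {policy_id}: {', '.join(reasons)}")
```

Run it against the converter's output file instead of SAMPLE_FRAGMENT; anything it reports should be compared against the corresponding rule in the source firewall before the fragment is merged, since a converter fallback (an empty interface list becoming `any`, for instance) is exactly the kind of widening this catches.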

Disclaimer

This tool will attempt to convert configurations from one firewall type to another by translating directly between the configuration syntax and format. There may be limitations, assumptions or errors made during this process. Any errors in the source configuration may be copied into the translated configuration. There are no guarantees of this tool's accuracy, or of the security effectiveness of any configuration output. Any translated configuration should be validated in full by the person or organisation responsible for any firewall on which it is applied, who also accepts any and all liability for the use of this tool and its output. By using this tool, you agree to this disclaimer. If you provide any output from this tool to any other person or organisation, you must provide them with this disclaimer and they must agree to it.

Getting Started

https://github.com/glennake/DirectFire_Converter/wiki/Getting-Started

Firewall Support

https://github.com/glennake/DirectFire_Converter/wiki/Firewall-Support

Changelog

https://github.com/glennake/DirectFire_Converter/blob/master/CHANGELOG.md

Full Documentation

https://github.com/glennake/DirectFire_Converter/wiki

directfire_converter's People

Contributors

andy-landy, glennake, stefanlindblom


directfire_converter's Issues

Watchguard error

Hi. I started to use the tool to migrate a configuration from watchguard to fortigate, but I get this error:

python3 converter.py -c XTM850-backup-convertido3.xml -s watchguard -d fortigate
Traceback (most recent call last):
  File "converter.py", line 236, in <module>
    main(src_format=args.source, dst_format=args.destination, routing_info=args.routing)
  File "converter.py", line 212, in main
    parsed_data = parse(
  File "converter.py", line 110, in parse
    parsed_data = parse(logger, src_config, routing_info)
  File "/Users/rackbreaker/DirectFire_Converter/DirectFire/Converter/parsers/watchguard.py", line 134, in parse
    if physical_interface.find("ip-node-type").text == "IP4_ONLY":
AttributeError: 'NoneType' object has no attribute 'text'

I'm trying to figure out what's going on. Thank you very much for your work

Cisco Asa parser

Hello, thanks for your work, it helps a lot. A minor issue: in the cisco asa -> data conversion it does not fill in the NAT and does not take into account VPN (access-list crypto-map)?

In the service-object it does not fill in the service member names?

Thanks for your help

builtins.ImportError: cannot import name 'prints_tb'

Hi Glenn,

I installed all requirements and receive this error during a conversion from Watchguard to Fortigate:

  File "watchguard.py", line 7, in <module>
    from traceback_with_variables import prints_tb, LoggerAsFile
    ...skipped... 10 vars
builtins.ImportError: cannot import name 'prints_tb'

Would this be something small (I hope :) ?

Regards

AttributeError: 'NoneType' object has no attribute 'group'

Hello, I'm trying to execute the script via the command: python3.6 converter.py -s fortigate -d ciscoasa -c addresses-out.csv
and I'm getting these errors:

builtins.AttributeError: 'NoneType' object has no attribute 'group'

Traceback (most recent call last):
  File "converter.py", line 254, in <module>
    main(src_format=args.source, dst_format=args.destination, routing_info=args.routing)
  File "/usr/local/lib/python3.6/site-packages/traceback_with_variables/print.py", line 98, in wrapper
    return func(*args, **kwargs)
  File "converter.py", line 231, in main
    src_format=src_format, src_config=src_config, routing_info=routing_info
  File "converter.py", line 127, in parse
    parsed_data = parse(src_config, routing_info)
  File "/root/DirectFire_Converter/DirectFire/Converter/parsers/fortigate.py", line 71, in parse
    data["system"]["hostname"] = re_match.group(1)
AttributeError: 'NoneType' object has no attribute 'group'

What should I do?

ASA to FortiGate

Hi Glen,

I'm sorry, actually I'm not really clear on the source and destination support. Does this tool support ASA to FortiGate? Thanks

Some issues which I needed fixing to get a working result

Thanks for your work, this perfectly suits my needs. Hope you'll finish it ;-)

I had to make a few minor (crude) adjustments for it to process my ASA code:

  • ASA code missed another possibility for a rule object.
  • The Fortigate generator must not start with policy '0', since this will in fact create policy '1' when no policies exist.
  • 'description' should be 'comment' and should be contained in parentheses.
  • There was some bad mapping to certain host types.
  • I gave all policies a name, since this is mandatory anyway when changing them afterwards in the GUI.
    You'll see for yourself below.

Hope this information is of use to you.

diff mod/DirectFire/Converter/parsers/ciscoasa.py original/DirectFire/Converter/parsers/ciscoasa.py
601d600
< elif network_object[1] == "host": # is a host
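Review bot: the new `elif` keys on the literal token `host` but nothing bounds the token list, so a malformed `network-object host` line with no address after it passes this test and then fails with IndexError at `network_object[2]` in the following hunk, aborting the whole parse. Suggest `elif len(network_object) >= 3 and network_object[1] == "host":` so the bad line is skipped (with a logged warning) instead.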
603,622d601
< network_object_name = network_object[2]
<
< if network_object_name not in data["network_objects"]:
<
< data["network_objects"][network_object_name] = {}
< data["network_objects"][network_object_name][
< "type"
< ] = "host"
< data["network_objects"][network_object_name][
< "host"
< ] = network_object[2]
< data["network_objects"][network_object_name][
< "description"
< ] = ""
<
< ## add network object to the group
<
< data["network_groups"][network_group_name]["members"].append(
< network_object_name
< )
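Review bot: the synthesized object is keyed by its address literal (`network_object_name = network_object[2]`, then reused as the `host` value), and the `if network_object_name not in data["network_objects"]` guard silently keeps whatever entry already carries that name, even one whose `type` is not `host`, while the member is still appended to the group, so a name collision changes the group's meaning with nothing in the log. Suggest warning when the existing entry's `type` or `host` differs, and giving the `description` a marker such as `"auto-created from object-group"` rather than `""` so these objects are recognisable in the generated output. The paste has also lost its indentation, so please confirm the `members.append(...)` sits outside the `if` block.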

diff mod/Converter/generators/fortigate.py original/DirectFire/Converter/generators/fortigate.py
403,404c403
< dst_config.append(cfglvl1 + "edit " + str(policy_id + 1)) # must start at 1
< dst_config.append(cfglvl2 + "set name PID_" + str(policy_id + 1)) # must start at 1

    dst_config.append(cfglvl1 + "edit " + str(policy_id))
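Review bot: the `+ 1` is applied on two separate lines that must stay in sync; compute the FortiOS id once (`fgt_id = policy_id + 1`) and use it for both `edit` and `set name`. The reason for the shift, that `edit 0` makes FortiOS allocate the next free id so the emitted numbering would otherwise be off by one from what the operator sees, belongs in the comment rather than just `# must start at 1`, and the name should be quoted (`set name "PID_1"`) like the `set comments "..."` value later in this patch.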

406,413c405,409
< if "".join(list(map(str, attributes["src_interfaces"]))):
< dst_config.append(
< cfglvl2
< + "set srcintf "
< + " ".join(list(map(str, attributes["src_interfaces"])))
< )
< else:
< dst_config.append(cfglvl2 + "set srcintf ANY")

    dst_config.append(
        cfglvl2
        + "set srcintf "
        + " ".join(list(map(str, attributes["src_interfaces"])))
    )
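Review bot: falling back to `set srcintf ANY` when the parsed rule has no source interface widens the policy to every interface, which is a security-relevant change that should at least be logged (`logger.warning(...)`) so the operator reviews it; also the FortiOS pseudo-interface is lowercase `any`, so check that `ANY` is accepted on the target release rather than rejected as an unknown interface. The emptiness test `if "".join(list(map(str, ...))):` is an indirect way of writing `if attributes["src_interfaces"]:`.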

415,422c411,415
< if "".join(list(map(str, attributes["dst_interfaces"]))):
< dst_config.append(
< cfglvl2
< + "set dstintf "
< + " ".join(list(map(str, attributes["dst_interfaces"])))
< )
< else:
< dst_config.append(cfglvl2 + "set dstintf ANY")

    dst_config.append(
        cfglvl2
        + "set dstintf "
        + " ".join(list(map(str, attributes["dst_interfaces"])))
    )
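Review bot: same silent widening and same `ANY` spelling concern as the `srcintf` hunk above; the two blocks are now identical apart from the key, so a small helper such as `emit_intf(dst_config, "dstintf", attributes["dst_interfaces"])` would keep the fallback-and-warn behaviour in one place.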

431c424
< # cfglvl2

    #     cfglvl2
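Review bot: this hunk only changes the indentation of a commented-out line; drop it from the patch so the diff stays focused on the behavioural changes.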

435,479d427
< if attributes["src_addresses"][0]["name"] == "any":
< dst_config.append(cfglvl2 + "set srcaddr all")
< else:
< dst_config.append(
< cfglvl2
< + "set srcaddr "
< + " " + attributes["src_addresses"][0]["name"]
< )
<
< if attributes["dst_addresses"][0]["name"] == "any":
< dst_config.append(cfglvl2 + "set dstaddr all")
< else:
< dst_config.append(
< cfglvl2
< + "set dstaddr "
< + " " + attributes["dst_addresses"][0]["name"]
< )
<
< if attributes["action"] == "allow":
< dst_config.append(cfglvl2 + "set action accept")
< else:
< dst_config.append(cfglvl2 + "set action deny")
<
< dst_config.append(
< cfglvl2
< + "set schedule always "
< )
<
< if attributes["src_services"][0]["name"] == "any":
< dst_config.append(cfglvl2 + "set service ALL")
< else:
< dst_config.append(cfglvl2 + "set service "
< + " " + attributes["src_services"][0]["name"]
< )
<
< dst_config.append(
< cfglvl2
< + "set logtraffic all"
< )
<
< # set action accept
< # set schedule "always"
< # set service "ALL_ICMP"
< # set logtraffic all
< # set comments " (Copy of CUST2BACKUP)"
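Review bot: only element `[0]` of `src_addresses`, `dst_addresses` and `src_services` is emitted, so a rule with several members silently loses all but the first: for a deny rule that drops blocking the source firewall had, for an accept rule it drops access, and neither is visible in the output. Emit the whole list (`" ".join(a["name"] for a in attributes["src_addresses"])`) and fail loudly on an empty list instead of indexing `[0]`. Smaller points: `"set srcaddr " + " " + name` produces a double space; the `else` branch maps every non-`allow` action to `deny`, which is fail-closed but should be logged when the action is something other than the values the parser is known to produce; and the trailing `# set action accept ... # set comments` block is leftover scaffolding that should not land.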
482c430
< dst_config.append(cfglvl2 + 'set comments "' + attributes["description"] + '"')

        dst_config.append(cfglvl2 + "set description " + attributes["description"])
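Review bot: `comments` is the right FortiOS keyword, but the value is interpolated raw, so a description containing a double quote or a newline breaks the generated CLI line; escape or strip `"` before wrapping the value, and truncate it to the field's length limit on the target release.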

Errors when going from Fortigate to Cisco

Traceback (most recent call last):
  File "converter.py", line 254, in <module>
    main(src_format=args.source, dst_format=args.destination, routing_info=args.routing)
  File "/home/user/.local/lib/python3.8/site-packages/traceback_with_variables/print.py", line 98, in wrapper
    return func(*args, **kwargs)
  File "converter.py", line 230, in main
    parsed_data = parse(
  File "converter.py", line 127, in parse
    parsed_data = parse(src_config, routing_info)
  File "/home/user/DirectFire_Converter/DirectFire/Converter/parsers/fortigate.py", line 118, in parse
    route["network"] = re_match.group(1)
AttributeError: 'NoneType' object has no attribute 'group'

Ssg to srx policies

Does it support conversion of firewall policies from Juniper SSG/ISG to SRX?

ASA to SRX

Hi, can this tool convert from ASA to SRX?

Conversion from netscreen not working

Hi,
I'm trying to convert a Juniper SSG config file to Fortigate, but every time I try I get an error.
Same error if I use as input one of the provided config files:
marco@MNB:~/DirectFire_Converter$ python3 converter.py -c /home/marco/DirectFire_Converter/tests/netscreen/netscreen.txt -s netscreen -d fortigate
Traceback (most recent call last):
  File "/home/marco/DirectFire_Converter/converter.py", line 261, in <module>
    main(src_format=args.source, dst_format=args.destination, routing_info=args.routing)
  File "/home/marco/.local/lib/python3.11/site-packages/traceback_with_variables/print.py", line 98, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/marco/DirectFire_Converter/converter.py", line 247, in main
    dst_config = generate(dst_format=dst_format, parsed_data=parsed_data)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/marco/DirectFire_Converter/converter.py", line 177, in generate
    dst_config = generate(parsed_data)
                 ^^^^^^^^^^^^^^^^^^^^^
  File "/home/marco/DirectFire_Converter/DirectFire/Converter/generators/fortigate.py", line 362, in generate
    for ports in attributes["dst_ports"]:
                 ~~~~~~~~~~^^^^^^^^^^^^^
KeyError: 'dst_ports'

I also tried using ciscoasa as destination, same thing.
It works if I use other firewalls as input (i.e. Juniper SRX to Fortigate).

Could you please help me solve this issue?

Thank you,
Marco

NameError: name 'logging' is not defined

Hi Glenn, I am getting an error every time I try to run the script, even if I use the test ciscoasa_pre83.txt config:

python3 converter.py -c /home/ubuntu/DirectFire_Converter/tests/ciscoasa_pre83/ciscoasa_pre83.txt -s "ciscoasa_pre83" -d "fortigate"

Traceback (most recent call last):
  File "converter1.py", line 257, in <module>
    main(src_format=args.source, dst_format=args.destination, routing_info=args.routing)
  File "/home/ubuntu/.local/lib/python3.8/site-packages/traceback_with_variables/print.py", line 98, in wrapper
    return func(*args, **kwargs)
  File "converter1.py", line 233, in main
    parsed_data = parse(
  File "converter1.py", line 107, in parse
    from DirectFire.Converter.parsers.ciscoasa_pre83 import parse
  File "/home/ubuntu/DirectFire_Converter/DirectFire/Converter/parsers/ciscoasa_pre83.py", line 23, in <module>
    logger = logging.getLogger(__name__)
NameError: name 'logging' is not defined

I am trying it from Ubuntu 20.04.2.

pip freeze output:

ubuntu@ubuntu2004:~/DirectFire_Converter$ pip freeze
apturl==0.5.2
bcrypt==3.1.7
blinker==1.4
Brlapi==0.7.0
certifi==2019.11.28
chardet==3.0.4
Click==7.0
colorama==0.4.3
command-not-found==0.3
cryptography==2.8
cupshelpers==1.0
dbus-python==1.2.16
defer==1.0.6
distro==1.4.0
distro-info===0.23ubuntu1
duplicity==0.8.12.0
entrypoints==0.3
fasteners==0.14.1
future==0.18.2
httplib2==0.14.0
idna==2.8
keyring==18.0.1
language-selector==0.1
launchpadlib==1.10.13
lazr.restfulclient==0.14.2
lazr.uri==1.0.3
lockfile==0.12.2
logger==1.4
louis==3.12.0
macaroonbakery==1.3.1
Mako==1.1.0
MarkupSafe==1.1.0
monotonic==1.5
netifaces==0.10.4
oauthlib==3.1.0
olefile==0.46
paramiko==2.6.0
pexpect==4.6.0
Pillow==7.0.0
protobuf==3.6.1
pycairo==1.16.2
pycups==1.9.73
PyGObject==3.36.0
PyJWT==1.7.1
pymacaroons==0.13.0
PyNaCl==1.3.0
pyRFC3339==1.1
python-apt==2.0.0+ubuntu0.20.4.4
python-dateutil==2.7.3
python-debian===0.1.36ubuntu1
pytz==2019.3
pyxdg==0.26
PyYAML==5.3.1
reportlab==3.5.34
requests==2.22.0
requests-unixsocket==0.2.0
SecretStorage==2.3.1
simplejson==3.16.0
six==1.14.0
ssh-import-id==5.10
systemd-python==234
traceback-with-variables==2.0.1
ubuntu-advantage-tools==27.0
ubuntu-drivers-common==0.0.0
ufw==0.36
unattended-upgrades==0.1
Unidecode==1.2.0
urllib3==1.25.8
usb-creator==0.3.7
wadllib==1.3.3
xkit==0.0.0

Thanks.

Output Folder is empty after convert

There is an error in the log; any advice on how to solve this?

2024-04-16 14:31:14 INFO DirectFire.Converter.main: converter starting
2024-04-16 14:31:14 INFO DirectFire.Converter.main: source format is netscreen
2024-04-16 14:31:14 INFO DirectFire.Converter.main: loading source configuration from /home/cvghk/Desktop/cfg.txt
2024-04-16 14:31:14 INFO DirectFire.Converter.main: running configuration parser
2024-04-16 14:31:14 INFO DirectFire.Converter.parse: loading parser module for netscreen
2024-04-16 14:31:14 INFO DirectFire.Converter.parse: loaded parser module for netscreen
2024-04-16 14:31:14 INFO DirectFire.Converter.parse: starting parse of source configuration
2024-04-16 14:31:14 INFO DirectFire.Converter.parsers.netscreen: parser module started
2024-04-16 14:31:14 INFO DirectFire.Converter.parsers.netscreen: parse system
2024-04-16 14:31:14 INFO DirectFire.Converter.parsers.netscreen: parse system - domain
2024-04-16 14:31:14 INFO DirectFire.Converter.parsers.netscreen: parse interfaces
2024-04-16 14:31:14 INFO DirectFire.Converter.parsers.netscreen: parse zones
2024-04-16 14:31:14 ERROR Traceback with variables (most recent call last):
File "/home/cvghk/DirectFire_Converter/converter.py", line 237, in main
.
. # Run configuration parser
.
. logger.info("DirectFire.Converter.main: running configuration parser")
.
> parsed_data = parse(
. src_format=src_format, src_config=src_config, routing_info=routing_info
. )
.
. logger.info("DirectFire.Converter.main: configuration parser finished")
.
src_format = 'netscreen'
dst_format = 'data'
routing_info = None
config_file = <_io.TextIOWrapper name='/home/cvghk/Desktop/cfg.txt' mode='r' encoding='UTF-8'>
src_config =

Regards,
Creighton

Error from cisco ASA to fortigate

Traceback (most recent call last):
  File "converter.py", line 254, in <module>
    main(src_format=args.source, dst_format=args.destination, routing_info=args.routing)
  File "/usr/local/lib/python3.8/dist-packages/traceback_with_variables/print.py", line 98, in wrapper
    return func(*args, **kwargs)
  File "converter.py", line 230, in main
    parsed_data = parse(
  File "converter.py", line 127, in parse
    parsed_data = parse(src_config, routing_info)
  File "/root/DirectFire_Converter/DirectFire/Converter/parsers/ciscoasa.py", line 1585, in parse
    src_interface = interface_lookup(
  File "/root/DirectFire_Converter/DirectFire/Converter/common.py", line 40, in interface_lookup
    ip_address = ipaddress.ip_address(ip_address)
  File "/usr/lib/python3.8/ipaddress.py", line 53, in ip_address
    raise ValueError('%r does not appear to be an IPv4 or IPv6 address' %
ValueError: 'host' does not appear to be an IPv4 or IPv6 address
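The traceback above ends with `ipaddress.ip_address()` being handed the literal token `host`, which in an ASA access-list entry is a keyword announcing that the next token is the address. The script below is an added example, not DirectFire Converter's parser: it walks the positional source/destination part of an ASA extended ACE so that `host`, `object`, `object-group` and `interface` are consumed together with the token that follows them and only genuine addresses reach `ipaddress`, and it collects per-line failures instead of aborting the whole run. Port operators are limited to `eq`/`gt`/`lt`/`neq`/`range`, and the ACEs, ACL name `outside_in` and group name `DMZ_HOSTS` are constructed.

```python
"""Walk the address part of a Cisco ASA extended ACE without feeding keywords
to ipaddress.

Added example, not DirectFire Converter's parser. ASA address specs are
positional ('host A.B.C.D', 'A.B.C.D MASK', 'any', 'object NAME',
'object-group NAME', 'interface NAME'); a keyword must be consumed together
with what follows it. Port operators are limited to eq/gt/lt/neq/range and
the SAMPLE_ACES are constructed for illustration.
"""
import ipaddress

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> argument count


def take_address(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4", "any6"):
        return {"type": "any", "value": tok}, i + 1
    if tok == "host":
        # the keyword is consumed here; only tokens[i + 1] is parsed as an address
        addr = ipaddress.ip_address(tokens[i + 1])
        return {"type": "host", "value": str(addr)}, i + 2
    if tok in ("object", "object-group", "interface"):
        return {"type": tok, "value": tokens[i + 1]}, i + 2
    if "/" in tok:  # IPv6 prefix form
        net = ipaddress.ip_network(tok, strict=False)
        return {"type": "network", "value": str(net)}, i + 1
    # IPv4 'address mask' pair; ipaddress accepts a dotted mask after the slash
    net = ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)
    return {"type": "network", "value": str(net)}, i + 2


def take_port(tokens, i):
    """Consume an optional port operator at tokens[i]; return (spec or None, next index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        count = PORT_OPS[tokens[i]]
        return {"op": tokens[i], "args": tokens[i + 1:i + 1 + count]}, i + 1 + count
    return None, i


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC [SPORT] DST [DPORT] [log]'."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = take_address(tokens, 5)
    src_port, i = take_port(tokens, i)
    dst, i = take_address(tokens, i)
    dst_port, i = take_port(tokens, i)
    return {
        "name": tokens[1],
        "action": tokens[3],
        "protocol": tokens[4],
        "src": src,
        "src_port": src_port,
        "dst": dst,
        "dst_port": dst_port,
        "log": "log" in tokens[i:],
    }


SAMPLE_ACES = [
    "access-list outside_in extended permit tcp any host 192.0.2.10 eq 443",
    "access-list outside_in extended permit tcp object-group DMZ_HOSTS 10.1.0.0 255.255.0.0 range 8000 8010",
    "access-list outside_in extended deny ip any4 any4 log",
]


def parse_all(lines):
    """Parse every ACE, collecting failures instead of aborting the whole run."""
    parsed, errors = [], []
    for line in lines:
        try:
            parsed.append(parse_ace(line))
        except (ValueError, IndexError) as exc:
            errors.append((line, str(exc)))
    return parsed, errors


if __name__ == "__main__":
    ok, bad = parse_all(SAMPLE_ACES)
    for ace in ok:
        print(ace)
    for line, err in bad:
        print("SKIPPED:", line, "->", err)
```

Collecting the failures rather than raising on the first one matters for a migration tool: a single unusual ACE should produce one skipped line that the operator can see and hand-convert, not an empty output folder.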
