
Comments (14)

mattynealo commented on June 2, 2024

Log file:
2021-08-01 07:53:43 INFO DirectFire.Converter.main: converter starting
2021-08-01 07:53:43 INFO DirectFire.Converter.main: source format is fortigate
2021-08-01 07:53:43 INFO DirectFire.Converter.main: loading source configuration from fg.conf
2021-08-01 07:53:43 INFO DirectFire.Converter.main: running configuration parser
2021-08-01 07:53:43 INFO DirectFire.Converter.parse: loading parser module for fortigate
2021-08-01 07:53:43 INFO DirectFire.Converter.parse: loaded parser module for fortigate
2021-08-01 07:53:43 INFO DirectFire.Converter.parse: starting parse of source configuration
2021-08-01 07:53:43 INFO DirectFire.Converter.parsers.fortigate: parser module started
2021-08-01 07:53:43 INFO DirectFire.Converter.parsers.fortigate: parse system
2021-08-01 07:53:43 INFO DirectFire.Converter.parsers.fortigate: parse interfaces - not yet supported
2021-08-01 07:53:43 INFO DirectFire.Converter.parsers.fortigate: parse zones - not yet supported
2021-08-01 07:53:43 INFO DirectFire.Converter.parsers.fortigate: parse static routes
2021-08-01 07:53:43 ERROR Traceback with variables (most recent call last):
File "converter.py", line 230, in main
.
. # Run configuration parser
.
. logger.info("DirectFire.Converter.main: running configuration parser")
.
> parsed_data = parse(
. src_format=src_format, src_config=src_config, routing_info=routing_info
. )
.
. logger.info("DirectFire.Converter.main: configuration parser finished")
.
src_format = 'fortigate'
dst_format = 'ciscoasa'
routing_info = None
config_file = <_io.TextIOWrapper name='fg.conf' mode='r' encoding='UTF-8'>
src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=user\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4>
File "converter.py", line 127, in parse
.
. logger.info("DirectFire.Converter.parse: loaded parser module for " + src_format)
.
. logger.info("DirectFire.Converter.parse: starting parse of source configuration")
.
> parsed_data = parse(src_config, routing_info)
.
. logger.info("DirectFire.Converter.parse: completed parse of source configuration")
.
. return parsed_data
.
src_format = 'fortigate'
src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=user\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4>
routing_info = None
parse = <function parse at 0x7f03f72cc940>
File "/home/user/DirectFire_Converter/DirectFire/Converter/parsers/fortigate.py", line 118, in parse
. + common.common_regex.ipv4_mask
. + ")\n",
. route_config,
. )
.
> route["network"] = re_match.group(1)
. route["mask"] = re_match.group(2)
.
. re_match = re.search(
. "set gateway ([0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3})\n",
. route_config,
src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=user\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4
routing_info = None
data = {'system': {'hostname': 'FG-HOSTNAME'}, 'interfaces': {}, 'zones': {}, 'routes': [], 'routes6': [], 'network_objects': {}, 'network6_objects': {}, 'network_groups': {}, 'network6_groups': {}, 'service_objects': {}, 's>
re_match = None
routes_block = 'config router static\n edit 1\n set gateway X.X.X.XX\n set distance 100\n set device "port15"\n next\n edit 3\n set device "VPNtoLenoir"\n set comment "VPN: VPNto>
route_match = <re.Match object; span=(21, 126), match=' edit 1\n set gateway X.X.X.X\n >
route_config = ' edit 1\n set gateway X.X.X.X\n set distance 100\n set device "port15"\n next'
route = {}
builtins.AttributeError: 'NoneType' object has no attribute 'group'

from directfire_converter.

glennake commented on June 2, 2024

Hi @mattynealo,

Looking through the log, have you changed the IP in your routing to X.X.X.X before running your config through the converter? Or have you just replaced this in the log?

Can you share the full 'config router static' section of the config please? Or output of command 'show router static' on the fortigate.

Thanks,
Glenn

mattynealo commented on June 2, 2024

mattynealo commented on June 2, 2024

See Below:
PUBLIC_IP is a real public address
each X1, X2 is a VPN site
PUBLIC_IP_SECOND_WAN is the real IP for redundant provider

config router static
edit 1
set gateway PUBLIC_IP
set distance 100
set device "port15"
next
edit 3
set device "VPNtoX1"
set comment "VPN: VPNtoX1 (Created by VPN wizard)"
set dstaddr "VPNtoX1_remote"
next
edit 5
set device "VPNX2"
set comment "VPN: VPNX2 (Created by VPN wizard)"
set dstaddr "VPNX2_remote"
next
edit 7
set device "VPNtoX3"
set comment "VPN: VPNtoX3 (Created by VPN wizard)"
set dstaddr "VPNtoX3_remote"
next
edit 11
set gateway PUBLIC_IP_SECOND_WAN
set distance 200
set device "port16"
next
edit 6
set device "X4"
set comment "VPN: X4 (Created by VPN wizard)"
set dstaddr "X4_remote"
next
edit 9
set distance 254
set comment "VPN: X5 (Created by VPN wizard)"
set blackhole enable
set dstaddr "X5_remote"
next
edit 10
set device "VPNtoX6"
set comment "VPN: VPN_ToX6 (Created by VPN wizard)"
set dstaddr "VPN_ToX6_remote"
next
edit 12
set distance 254
set comment "VPN: VPN_ToX6 (Created by VPN wizard)"
set blackhole enable
set dstaddr "VPN_ToX6_remote"
next
edit 13
set device "VPNToX7"
set comment "VPN: VPNX7 (Created by VPN wizard)"
set dstaddr "VPNX7_remote"
next
edit 14
set distance 254
set comment "VPN: VPNX7 (Created by VPN wizard)"
set blackhole enable
set dstaddr "VPNX7_remote"
next
edit 15
set dst 10.56.0.0 255.255.0.0
set gateway 192.168.255.1
set distance 2
set device "port14"
next
edit 18
set dst 10.2.5.0 255.255.255.0
set gateway 10.1.100.1
set distance 1
set device "Internal"
next
edit 21
set status disable
set dst 10.10.200.0 255.255.255.0
set gateway 1.1.1.1
set device "port6"
next
edit 22
set status disable
set dst 10.1.101.0 255.255.255.0
set gateway 1.1.1.1
set device "port6"
set comment "testing with 101 subnet"
next
edit 19
set dst 10.212.134.0 255.255.255.0
set distance 2
set device "ssl.root"
next
end

from directfire_converter.
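
The traceback at the top of this thread stops at `re_match.group(1)` because `re.search` returned `None` for a route entry with no `set dst` line. The following is an added example, not DirectFire's own code, of a static-route parser that treats every `set` line as optional. The function names are hypothetical, the sample config is constructed from the entry shapes posted above, and reading an omitted `set dst` as 0.0.0.0/0 is an assumption about FortiOS leaving default values out of `show` output.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Constructed sample: a default route, a blackhole route, a disabled route.
SAMPLE = """config router static
    edit 1
        set gateway 203.0.113.1
        set device "port15"
    next
    edit 9
        set blackhole enable
        set dstaddr "X5_remote"
    next
    edit 21
        set status disable
        set dst 10.10.200.0 255.255.255.0
        set gateway 1.1.1.1
    next
end
"""

def field(pattern, entry):
    """Group 1 of an optional 'set' line, or None when the line is absent."""
    m = re.search(r"^[ \t]*set " + pattern + r"[ \t]*$", entry, re.M)
    return m.group(1) if m else None

def parse_static_routes(config):
    """Return one dict per 'edit' entry; never call .group() on a failed match."""
    section = re.search(r"^config router static\n(.*?)^end$", config, re.S | re.M)
    body = section.group(1) if section else ""
    routes = []
    for m in re.finditer(r"^[ \t]*edit (\d+)\n(.*?)^[ \t]*next$", body, re.S | re.M):
        entry = m.group(2)
        dst = re.search(rf"^[ \t]*set dst ({IPV4}) ({IPV4})[ \t]*$", entry, re.M)
        dstaddr = field(r'dstaddr "([^"]+)"', entry)
        if dst:            # explicit destination network and mask
            network, mask = dst.groups()
        elif dstaddr:      # destination is a named address object
            network = mask = None
        else:              # assumption: omitted dst means the default route
            network, mask = "0.0.0.0", "0.0.0.0"
        routes.append({
            "id": int(m.group(1)), "network": network, "mask": mask,
            "dstaddr": dstaddr, "gateway": field(rf"gateway ({IPV4})", entry),
            "blackhole": field(r"blackhole (enable)", entry) is not None,
            "enabled": field(r"status (disable)", entry) is None,
        })
    return routes
```

A field that does not parse comes back as `None` instead of raising, so a redacted value such as `set gateway PUBLIC_IP` yields a route with no gateway that can be flagged for manual review before the converted config is used.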

glennake commented on June 2, 2024

Hi @mattynealo,

Thanks for sharing your config.

I have made some updates to the FortiGate parser module which hopefully resolves. Can you pull the latest from git and try again?

Glenn

mattynealo commented on June 2, 2024

Thanks Glenn,

Looks like it still has errors on the GeoBlocks. I removed Moldova, which was in the first log, and then it errored at the next, which was Russia. See log below:
2021-08-04 09:06:53 INFO DirectFire.Converter.main: converter starting
2021-08-04 09:06:53 INFO DirectFire.Converter.main: source format is fortigate
2021-08-04 09:06:53 INFO DirectFire.Converter.main: loading source configuration from fg.conf
2021-08-04 09:06:53 INFO DirectFire.Converter.main: running configuration parser
2021-08-04 09:06:53 INFO DirectFire.Converter.parse: loading parser module for fortigate
2021-08-04 09:06:53 INFO DirectFire.Converter.parse: loaded parser module for fortigate
2021-08-04 09:06:53 INFO DirectFire.Converter.parse: starting parse of source configuration
2021-08-04 09:06:53 INFO DirectFire.Converter.parsers.fortigate: parser module started
2021-08-04 09:06:53 INFO DirectFire.Converter.parsers.fortigate: parse system
2021-08-04 09:06:53 INFO DirectFire.Converter.parsers.fortigate: parse interfaces - not yet supported
2021-08-04 09:06:53 INFO DirectFire.Converter.parsers.fortigate: parse zones - not yet supported
2021-08-04 09:06:53 INFO DirectFire.Converter.parsers.fortigate: parse IPv4 network objects
2021-08-04 09:06:53 ERROR Traceback with variables (most recent call last):
File "converter.py", line 230, in main
.
. # Run configuration parser
.
. logger.info("DirectFire.Converter.main: running configuration parser")
.
> parsed_data = parse(
. src_format=src_format, src_config=src_config, routing_info=routing_info
. )
.
. logger.info("DirectFire.Converter.main: configuration parser finished")
.
src_format = 'fortigate'
dst_format = 'ciscoasa'
routing_info = None
config_file = <_io.TextIOWrapper name='fg.conf' mode='r' encoding='UTF-8'>
src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=ntmneal\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4>
File "converter.py", line 127, in parse
.
. logger.info("DirectFire.Converter.parse: loaded parser module for " + src_format)
.
. logger.info("DirectFire.Converter.parse: starting parse of source configuration")
.
> parsed_data = parse(src_config, routing_info)
.
. logger.info("DirectFire.Converter.parse: completed parse of source configuration")
.
. return parsed_data
.
src_format = 'fortigate'
src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=ntmneal\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4>
routing_info = None
parse = <function parse at 0x7f375cd4c940>
File "/home/ntmneal/DirectFire_Converter/DirectFire/Converter/parsers/fortigate.py", line 136, in parse
. network_object,
. )
.
. data["network_objects"][network_object_name][
. "country_code"
> ] = re_match.group(1)
.
. elif network_object_type == "ipmask":
.
. re_match = re.search(
. "set subnet ("
src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=ntmneal\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4
routing_info = None
data = {'system': {'hostname': 'ACY-FGT400D_1'}, 'interfaces': {}, 'zones': {}, 'routes': [], 'routes6': [], 'network_objects': {'FABRIC_DEVICE': {'type': 'network', 'network': '0.0.0.0', 'mask': '0.0.0.0'}, 'FIREWALL_AUTH_PORT
re_match = None
network_objects_block = 'config firewall address\n edit "FABRIC_DEVICE"\n set uuid 6f9b82ae-bc94-51e9-108c-26a1844c4012\n set comment "IPv4 addresses of Fabric Devices."\n next\n edit "FIREWALL_AUTH_PORT>
network_object_match = <re.Match object; span=(3720, 3852), match=' edit "Russia"\n set uuid 7c9f9252-4553>
network_object = ' edit "Russia"\n set uuid 7c9f9252-4553-51e7-6971-0430e0d72e7d\n set type geography\n set country "RU"\n next'
network_object_name = 'Russia'
network_object_type = 'geography'
network_object_network = '185.129.148.19'
network_object_mask = '255.255.255.255'
builtins.AttributeError: 'NoneType' object has no attribute 'group'

mattynealo commented on June 2, 2024

I have permission to upload the whole config

glennake commented on June 2, 2024

Thanks @mattynealo, will have a look into this.

I've downloaded your config and removed it from your comment as it's potentially sensitive.

Glenn

mattynealo commented on June 2, 2024

@glennake Thank you so much. Is there a way I can contribute to this project?

glennake commented on June 2, 2024

Hi @mattynealo,

I've made a few fixes and additions which mean the tool will process your config without erroring now if you can pull the latest. I have not checked for accuracy so please make sure you do before using any configs from it, and let me know of any issues you find.

Always happy for additional contributors, if you can work in Python feel free to fork and improve any existing modules, or add your own for new vendors. Then raise a pull request for your changes to be reviewed for merge.

Thanks,
Glenn

mattynealo commented on June 2, 2024

@glennake I am not a programmer... I was asking if I could buy you a beer or financially contribute for your time.

mattynealo commented on June 2, 2024

This is great so far. Looks like it stops right after the groups and network objects, but doesn't convert any of the rules.

mattynealo commented on June 2, 2024

Also, is it supposed to output to a file? If so, I can't seem to find it.

glennake commented on June 2, 2024

@mattynealo really appreciate the offer, thank you. It's fine though, you don't have to.

FortiGate parsing support is detailed here, I've just added service objects and service groups. Will add policies as soon as I can.

Glenn
