SunScreen EFS Release 3.0 Installation Guide

Verifying the Converted Rules

fwconvert creates three types of files from the FireWall-1 configuration files: command, executable, and log files. See Table 7-4 for a complete list. These files are described below.

Table 7-4 Generated Configuration Files

File Type         | File Name              | Description
Data File         | policy.name_Objects    | Contains the commands for configuring the SunScreen EFS addresses.
Data File         | policy.name_Rules      | Contains the commands for adding SunScreen EFS rules that use the generated objects.
Executable Script | policy.name_efscfg     | Generates a SunScreen EFS configuration from the commands in policy.name_Objects and policy.name_Rules.
Log File          | policy.name_Obj.log    | Contains the objects from FireWall-1 that are not supported by SunScreen EFS.
Log File          | policy.name_Rule.log   | Contains the rules from FireWall-1 that could not be added. Each rule is shown as a SunScreen EFS rule command with an explanation of why the rule is not supported.
Log File          | policy.name_Unused.log | Lists the FireWall-1 objects that cannot be used in SunScreen EFS.

Command and Executable Files

When you create the new SunScreen EFS 3.0 configuration, you run the configuration program, which then executes the command files. You do not need to take further action on the command and executable files.

Examples of the policy.name_Objects file, the policy.name_Rules file, and the policy.name_efscfg file, respectively, follow.


# The address commands may contain other addresses which need to be created.
# These objects are logged in the policy.name_Obj.log file

 add_nocheck Address  "mailhost-INT" HOST 205.167.60.6 COMMENT "Object from FW-1"
 add_nocheck Address  "mailhost-EXT" HOST 207.82.121.5 COMMENT "Object from FW-1"
 add_nocheck Address  "localnet" NETWORK 205.167.60.00 255.255.255.00  COMMENT "Object from FW-1, will need to be modified before using the GUI"
 add_nocheck Address  "talon" HOST 205.167.60.200 COMMENT "Object from FW-1"
 add_nocheck Address  "exosecure-alc" HOST 207.82.121.254 COMMENT "Object from FW-1"
 save

 add_nocheck Rule  "ip all" "*" "*"  ALLOW  LOG SUMMARY
 save


#!/bin/csh

setenv PATH .:/usr/bin:/usr/sbin:/bin:/opt/SUNWicg/SunScreen/bin

echo Creating Policy: 4complex

ssadm policy -a 4complex

echo Adding Policy Addresses

/opt/SUNWicg/SunScreen/bin/ssadm edit -P 4complex < 4complex_Objects

echo Adding Policy Rules

/opt/SUNWicg/SunScreen/bin/ssadm edit -P 4complex < 4complex_Rules

echo Finished!

Log Files

The log files describe instances where fwconvert could not directly convert your FireWall-1 policy to an equivalent SunScreen EFS 3.0 policy. After conversion, you should review the contents of the log files to determine further actions that might be necessary for the new SunScreen EFS 3.0 configuration.

policy.name_Obj.log

The policy.name_Obj.log file lists objects found in your FireWall-1 security policy that were not directly supported in SunScreen EFS 3.0. Table 7-5 lists the FireWall-1 objects and shows whether they were converted to SunScreen EFS.

Table 7-5 How Conversion to SunScreen EFS Affects FireWall-1 Objects

FireWall-1 Object | EFS Equivalent | Conversion Status
Host              | Host           | Yes.
Network           | None           | Yes. Does not appear in the GUI but shows up on the command line. To make such objects visible in the GUI, manually change the NETWORK objects to RANGE objects via the command line.
Router            | None           | No. See the policy.name_Obj.log file for details.
Switch            | None           | No. See the policy.name_Obj.log file for details.
Domain            | None           | No. See the policy.name_Obj.log file for details.
Group             | Group          | Yes.
Gateways          | None           | No. However, they are logged in the policy.name_Obj.log file. Gateways require more configuration within SunScreen EFS to ensure that the IP addresses of the gateway are correct. See the ss_interfaces man pages for more information.

The following sample shows a policy.name_Obj.log file similar to the one generated from your FireWall-1 policy.


/***** SunScreen EFS 3.0: Firewall-1 conversion log *****/
/***** @(#)ObjStore.java        3.6 99/03/03 Sun Microsystems, Inc. *****/

Objects of type: gateway, need some user decisions
You had a gateway with name "skil" ipaddr 205.167.60.13
If this is the gateway on which SunScreen is being installed please refer to the 'ssadm edit' command to enable the interfaces

policy.name_Rule.log

This file shows rules generated from FireWall-1 rules that cannot be used in the SunScreen EFS environment without modification. The policy.name_Rule.log file explains why these rules were not added to the SunScreen EFS firewall, for example:

SunScreen EFS 3.0 does not support FireWall-1 encryption, user authentication, or client authentication. Encryption in SunScreen EFS 3.0 is accomplished through SKIP, as explained in the SunScreen EFS 3.0 Reference Manual. For more information regarding SKIP, see the SunScreen SKIP 1.5 User's Guide.


Caution -

All FireWall-1 rules are generated during the conversion. You must manually remove any rules that you do not need.


The following shows a sample of a policy.name_Rule.log file such as you might find after FireWall-1 to SunScreen EFS conversion.


/***** SunScreen EFS 3.0: Firewall-1 conversion log *****/
/***** @(#)RuleStore.java       3.5 99/03/03 Sun Microsystems, Inc. *****/

Rule below not added as the action Encrypt is configured differently in SunScreen EFS.
 add_nocheck Rule  "smtp" "aiims" "*" Encrypt

Rule below not added as the action Encrypt is configured differently in SunScreen EFS.
 add_nocheck Rule  "echo" "aiims" "*" Encrypt

Rule below not added as the action User Authentication is not valid in SunScreen EFS.
 add_nocheck Rule  "ftp" "*" "aiims" User

Rule below not added as the action Client Encryption/Authentication is not valid in SunScreen EFS.
 add_nocheck Rule  "dns" """ "*" Client
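A review helper for the generated files, added here as an example that is not part of the guide or of fwconvert. It parses the add_nocheck Address and Rule commands of the command files and the entries of policy.name_Rule.log shown above: it computes the first and last address of each NETWORK object (Table 7-5 says these stay hidden in the GUI until re-entered as RANGE objects; the ssadm syntax for that is not shown on this page), flags ALLOW rules from "*" to "*" that the Caution says you must prune by hand, and pairs each skipped rule with its stated reason. The sample input is constructed, modelled on the page's examples.

```python
import re
from ipaddress import IPv4Network

# Constructed sample, modelled on the policy.name_Objects/_Rules command files
# and the policy.name_Rule.log shown in the guide (not real fwconvert output).
COMMANDS = """\
add_nocheck Address "mailhost-INT" HOST 205.167.60.6 COMMENT "Object from FW-1"
add_nocheck Address "localnet" NETWORK 205.167.60.00 255.255.255.00 COMMENT "Object from FW-1"
add_nocheck Rule "ip all" "*" "*" ALLOW LOG SUMMARY
save
"""
RULE_LOG = """\
Rule below not added as the action Encrypt is configured differently in SunScreen EFS.
 add_nocheck Rule "smtp" "aiims" "*" Encrypt
Rule below not added as the action User Authentication is not valid in SunScreen EFS.
 add_nocheck Rule "ftp" "*" "aiims" User
"""

ADDR_RE = re.compile(r'^\s*add_nocheck\s+Address\s+"([^"]+)"\s+(HOST|NETWORK)\s+(\S+)(?:\s+(\S+))?')
RULE_RE = re.compile(r'^\s*add_nocheck\s+Rule\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+(\w+)')

def network_objects_as_ranges(text):
    """Map each NETWORK object name to its (first, last) address so it can be
    re-entered as a RANGE object; Table 7-5 says NETWORK objects stay hidden in the GUI."""
    ranges = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m and m.group(2) == "NETWORK":
            # fwconvert writes octets such as "00"; strip leading zeros before parsing
            addr = ".".join(str(int(o)) for o in m.group(3).split("."))
            mask = ".".join(str(int(o)) for o in m.group(4).split("."))
            net = IPv4Network(f"{addr}/{mask}", strict=False)
            ranges[m.group(1)] = (str(net.network_address), str(net.broadcast_address))
    return ranges

def permissive_rules(text):
    """Names of ALLOW rules whose source and destination are both "*" (see the Caution)."""
    return [m.group(1) for m in map(RULE_RE.match, text.splitlines())
            if m and m.group(2) == m.group(3) == "*" and m.group(4) == "ALLOW"]

def unconverted_rules(log):
    """Pair each 'Rule below not added ...' reason with the rule command that follows it."""
    pairs, reason = [], None
    for line in log.splitlines():
        if line.startswith("Rule below not added as "):
            reason = line.split(" as ", 1)[1].rstrip(".")
        elif reason and (m := RULE_RE.match(line)):
            pairs.append((m.group(1), m.group(4), reason))
            reason = None
    return pairs
```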

policy.name_Unused.log

The policy.name_Unused.log file lists the FireWall-1 objects encountered in your policy that are not supported by SunScreen EFS. A sample follows.


#Invalid Objects from FW-1
#Wed Mar 31 17:40:23 PST 1999
invalidobj1=gateway skil