SunScreen EFS Release 3.0 Installation Guide

Preparing Your FireWall-1 Configuration for Conversion

Before converting your FireWall-1 configuration to SunScreen EFS 3.0 running in routing mode, read this section carefully. Certain limitations must be addressed before you run the conversion utility. You will experience unrecoverable errors if you do not first review your existing FireWall-1 configurations and modify those that will not convert directly to SunScreen EFS 3.0 rules. The following tables list the known limitations.

Before converting your FireWall-1 configuration to SunScreen EFS 3.0, check your FireWall-1 configuration files and hand-edit any that contain reserved characters in comments or object names, or reserved words used as object names. If any of the following characters or reserved words are misused, you must first hand-edit the files to remove or replace them. See Table 7-1 for a list of known reserved characters.

Table 7-1 Known FireWall-1 Reserved Characters

 

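|                 | Illegal Characters   | Illegal Characters |
|-----------------|----------------------|--------------------|
| String contains | ` ' (space)          | `+'                |
|                 | `*'                  | `?'                |
|                 | `('                  | `)'                |
|                 | `{'                  | `}'                |
|                 | `['                  | `]'                |
|                 | `!'                  | `#'                |
|                 | `<'                  | `>'                |
|                 | `='                  | `,' (comma)        |
|                 | `:' (colon)          | `;' (semicolon)    |
|                 | `'' (quote)          | ``' (back quote)   |
|                 | `"' (double quote)   | `/' (slash)        |
|                 | `\' (back slash)     | `\t' (tab)         |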

Table 7-2 contains a list of known reserved words which must not appear in the FireWall-1 object names, and must be edited prior to conversion:

Table 7-2 Known FireWall-1 Reserved Words

| "accept" | "expcall" | "hosts" | "modify" | "pass" | "set" |
| "and" | "expires" | "if" | "navy blue" | "r_arg" | "skippeer" |
| "black" | "firebrick" | "ifaddr" | "netof" | "r_cdir" | "src" |
| "blue" | "foreground" | "ifid" | "nets" | "r_cflags" | "static" |
| "broadcasts" | "forest" | "in" | "nexpires" | "r_ckey" | "sync" |
| "green" | "call" | "format" | "inbound" | "not" | "r_connarg" |
| "targets" | "date" | "from" | "interface" | "or" | "r_ctype" |
| "day" | "fwline" | "interfaces" | "orange" | "r_entry" | "tod" |
| "define" | "fwrule" | "ipsecmethods" | "origsport" | "r_proxy_action" | "ufp" |
| "delete" | "gateways" | "ipsecdata" | "origdst" | "r_xlate" | "wasskipped" |
| "do" | "gold" | "keep" | "origsrc" | "record" | "xlatedport" |
| "domains" | "gray 101" | "limit" | "other" | "red" | "xlatedst" |
| "drop" | "green" | "log" | "outbound" | "refresh" | "xlatesport" |
| "dst" | "hold" | "magenta" | "packet" | "reject" | "xlatesrc" |
| "dynamic" | "host" | "medium slate" | "packetid" | "routers" | "xor" |
| "r_tab_status" | "vanish" | "direction" | "get" | "kbuf" | "gateways" |
| "netobj" | "resourceobj" | "servobj" | "servers" | "tracks" | "cyan" |
| "dark green" | "dark orchid" | "forest green" | "medium slate blue" | "red" | "sienna" |
| "yellow" | "to" |
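
A pre-conversion check built from Tables 7-1 and 7-2, as an added example (not part of the Sun guide or of either product): it flags object names and comments that contain a reserved character, and names that are a reserved word. The function names, the sample objects and the case-insensitive word match are assumptions; the FireWall-1 file format itself is not parsed here.

```python
# Added example: lint FireWall-1 object names/comments before conversion.
# Characters and words are transcribed from Tables 7-1 and 7-2 on this page;
# '(' and ';' are read from the table's bracket pairing and "(semicolon)" label.
RESERVED_CHARS = frozenset(" +*?(){}[]!#<>=,:;'`\"/\\\t")

RESERVED_WORDS = frozenset(w.strip() for w in """
accept, and, black, blue, broadcasts, call, cyan, dark green, dark orchid,
date, day, define, delete, direction, do, domains, drop, dst, dynamic,
expcall, expires, firebrick, foreground, forest, forest green, format, from,
fwline, fwrule, gateways, get, gold, gray 101, green, hold, host, hosts, if,
ifaddr, ifid, in, inbound, interface, interfaces, ipsecdata, ipsecmethods,
kbuf, keep, limit, log, magenta, medium slate, medium slate blue, modify,
navy blue, netobj, netof, nets, nexpires, not, or, orange, origdst, origsport,
origsrc, other, outbound, packet, packetid, pass, r_arg, r_cdir, r_cflags,
r_ckey, r_connarg, r_ctype, r_entry, r_proxy_action, r_tab_status, r_xlate,
record, red, refresh, reject, resourceobj, routers, servers, servobj, set,
sienna, skippeer, src, static, sync, targets, to, tod, tracks, ufp, vanish,
wasskipped, xlatedport, xlatedst, xlatesport, xlatesrc, xor, yellow
""".replace("\n", " ").split(","))

def reserved_chars_in(text):
    """Reserved characters (Table 7-1) present in a name or comment, sorted."""
    return sorted(set(text) & RESERVED_CHARS)

def lint_object(name, comment=""):
    """Return readable findings for one object; an empty list means clean."""
    findings = [f"name contains {c!r}" for c in reserved_chars_in(name)]
    # Assumption: words are matched case-insensitively so near-misses get reviewed.
    if name.lower() in RESERVED_WORDS:
        findings.append("name is a reserved word")
    findings += [f"comment contains {c!r}" for c in reserved_chars_in(comment)]
    return findings

# Constructed sample objects (name, comment); not taken from a real rule base.
SAMPLE = [("web-srv1", "DMZ_web"), ("mail server", ""), ("hosts", ""),
          ("dmz[1]", "owner=ops"), ("Log", "")]

def lint_all(objects):
    """Map each offending object name to its findings."""
    report = {name: lint_object(name, comment) for name, comment in objects}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```

Every object this reports needs a hand edit before the conversion utility is run; an empty report covers only the two tables above, not the object types listed in Table 7-3.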

 

There are known limitations when converting from a machine running FireWall-1 configurations to a machine running SunScreen EFS 3.0. Certain object-types and rules will migrate with no difficulty, while others will not. Those rules which are known not to migrate contain an operation which is performed on the Source, Destination, or Service in the original FireWall-1 rule, as SunScreen EFS 3.0 does not support any of these operations. Table 7-3 lists what is known to migrate and what is known not to migrate when converting from FireWall-1 to SunScreen EFS 3.0.

Table 7-3 What Does and Does Not Convert From FireWall-1

| Does Migrate    | Does Not Migrate                                              |
|-----------------|---------------------------------------------------------------|
| Host Objects    | Resources                                                     |
| Group Objects   | NAT Mappings                                                  |
| Network Objects | Gateway Objects                                               |
| Most Rules      | Encryption and Authentication Information/Rules               |
|                 | Domain Objects                                                |
|                 | Router Objects                                                |
|                 | Switch Objects                                                |
|                 | Logical Objects                                               |
|                 | FW-1 Services or User Defined Services                        |
|                 | Install Objects                                               |
|                 | Rules which contain any Object or Service that cannot migrate |
|                 | Using an Object Type as an Object Name                        |


Note -

NETWORK is not a supported type in SunScreen EFS 3.0. You must modify objects of this type first, before trying to access the configuration (called a "Policy" in SunScreen EFS 3.0) using the Administration GUI.