Before you convert your FireWall-1 configuration to a SunScreen EFS 3.0 operating in routing mode, read this section carefully. Certain limitations must be addressed before you run the conversion utility. You will experience unrecoverable errors if you do not first review your existing FireWall-1 configurations and modify those that will not convert directly to SunScreen EFS 3.0 rules. The following tables list the known limitations.
Before converting your FireWall-1 configuration to SunScreen EFS 3.0, check your FireWall-1 configuration files and hand-edit any that contain reserved characters in comments and object names, or reserved words used as object names. Remove or replace any such characters or words before running the conversion. See Table 7-1 for a list of known reserved characters.
Table 7-1 Known FireWall-1 Reserved Characters
| Illegal Characters | Illegal Characters |
---|---|---|
String contains | ` ` (space) | `+` |
| `*` | `?` |
| `)` | `)` |
| `{` | `}` |
| `[` | `]` |
| `!` | `#` |
| `<` | `>` |
| `=` | `,` (comma) |
| `:` (colon) | `;` (semicolon) |
| `'` (quote) | `` ` `` (back quote) |
| `"` (double quote) | `/` (slash) |
| `\` (back slash) | `\t` (tab) |
Table 7-2 contains a list of known reserved words which must not appear in the FireWall-1 object names, and must be edited prior to conversion:
Table 7-2 Known FireWall-1 Reserved Words
| | | | | | |
---|---|---|---|---|---|
"accept" | "expcall" | "hosts" | "modify" | "pass" | "set" |
"and" | "expires" | "if" | "navy blue" | "r_arg" | "skippeer" |
"black" | "firebrick" | "ifaddr" | "netof" | "r_cdir" | "src" |
"blue" | "foreground" | "ifid" | "nets" | "r_cflags" | "static" |
"broadcasts" | "forest" | "in" | "nexpires" | "r_ckey" | "sync" |
"green" | "call" | "format" | "inbound" | "not" | "r_connarg" |
"targets" | "date" | "from" | "interface" | "or" | "r_ctype" |
"day" | "fwline" | "interfaces" | "orange" | "r_entry" | "tod" |
"define" | "fwrule" | "ipsecmethods" | "origsport" | "r_proxy_action" | "ufp" |
"delete" | "gateways" | "ipsecdata" | "origdst" | "r_xlate" | "wasskipped" |
"do" | "gold" | "keep" | "origsrc" | "record" | "xlatedport" |
"domains" | "gray 101" | "limit" | "other" | "red" | "xlatedst" |
"drop" | "green" | "log" | "outbound" | "refresh" | "xlatesport" |
"dst" | "hold" | "magenta" | "packet" | "reject" | "xlatesrc" |
"dynamic" | "host" | "medium slate" | "packetid" | "routers" | "xor" |
"r_tab_status" | "vanish" | "direction" | "get" | "kbuf" | "gateways" |
"netobj" | "resourceobj" | "servobj" | "servers" | "tracks" | "cyan" |
"dark green" | "dark orchid" | "forest green" | "medium slate blue" | "red" | "sienna" |
"yellow" | "to" | | | | |
There are known limitations when converting from a machine running FireWall-1 to a machine running SunScreen EFS 3.0. Certain object types and rules migrate with no difficulty, while others do not. Rules that are known not to migrate contain an operation performed on the Source, Destination, or Service in the original FireWall-1 rule; SunScreen EFS 3.0 does not support any of these operations. Table 7-3 lists what is known to migrate and what is known not to migrate when converting from FireWall-1 to SunScreen EFS 3.0.
Table 7-3 What Does and Does Not Convert From FireWall-1
Does Migrate | Does Not Migrate |
---|---|
Host Objects | Resources |
Group Objects | NAT Mappings |
Network Objects | Gateway Objects |
Most Rules | Encryption and Authentication Information/Rules |
| Domain Objects |
| Router Objects |
| Switch Objects |
| Logical Objects |
| FW-1 Services or User Defined Services |
| Install Objects |
| Rules which contain any Object or Service that cannot migrate |
| Using an Object Type as an Object Name |
NETWORK is not a supported type in SunScreen EFS 3.0. You must modify objects of this type first, before trying to access the configuration (called a "Policy" in SunScreen EFS 3.0) using the Administration GUI.
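
A pre-conversion check built from Tables 7-1 through 7-3, as an added example that is not part of the original guide or of the SunScreen conversion utility. The input shape (a name-to-type inventory and per-rule object lists), the type labels, and the case-insensitive reserved-word match are assumptions.

```python
# Table 7-1 characters, as listed on this page.
RESERVED_CHARS = set(" +*?){}[]!#<>=,:;'`\"/\\\t")

# Table 7-2 words, as listed on this page (duplicates collapse in the set).
RESERVED_WORDS = {w.strip() for w in """
accept, expcall, hosts, modify, pass, set, and, expires, if, navy blue, r_arg,
skippeer, black, firebrick, ifaddr, netof, r_cdir, src, blue, foreground, ifid,
nets, r_cflags, static, broadcasts, forest, in, nexpires, r_ckey, sync, green,
call, format, inbound, not, r_connarg, targets, date, from, interface, or,
r_ctype, day, fwline, interfaces, orange, r_entry, tod, define, fwrule,
ipsecmethods, origsport, r_proxy_action, ufp, delete, gateways, ipsecdata,
origdst, r_xlate, wasskipped, do, gold, keep, origsrc, record, xlatedport,
domains, gray 101, limit, other, red, xlatedst, drop, log, outbound, refresh,
xlatesport, dst, hold, magenta, packet, reject, xlatesrc, dynamic, host,
medium slate, packetid, routers, xor, r_tab_status, vanish, direction, get,
kbuf, netobj, resourceobj, servobj, servers, tracks, cyan, dark green,
dark orchid, forest green, medium slate blue, sienna, yellow, to
""".split(",")}

# Table 7-3 "Does Not Migrate" kinds. These type labels are hypothetical;
# map them to whatever your own object inventory uses.
NON_MIGRATING = {"resource", "gateway", "domain", "router", "switch",
                 "logical", "service", "install"}

def check_name(name):
    """Return the Table 7-1 / 7-2 problems found in one object name."""
    problems = []
    bad = sorted({c for c in name if c in RESERVED_CHARS})
    if bad:
        problems.append("reserved characters: " + " ".join(map(repr, bad)))
    if name.lower() in RESERVED_WORDS:  # case-insensitive match is an assumption
        problems.append("reserved word")
    return problems

def preflight(objects, rules):
    """objects: {name: type}; rules: {rule number: [object names used]}."""
    names = {n: p for n in objects if (p := check_name(n))}
    blocked = sorted(n for n, t in objects.items() if t in NON_MIGRATING)
    stuck = {r: hit for r, refs in rules.items()
             if (hit := [o for o in refs if o in blocked])}
    return {"names": names, "objects": blocked, "rules": stuck}

if __name__ == "__main__":
    # Constructed inventory, not taken from a real FireWall-1 configuration.
    objs = {"web-srv": "host", "dmz net": "network", "log": "host",
            "edge-gw": "gateway", "branch": "group"}
    print(preflight(objs, {1: ["web-srv", "branch"], 2: ["edge-gw", "web-srv"]}))
```

The `rules` entry in the result lists each rule that references an object of a non-migrating type, which is the "Rules which contain any Object or Service that cannot migrate" row of Table 7-3.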