From ea025af833a8819b68742aebb25a38f83954210f Mon Sep 17 00:00:00 2001 From: ASemenchuk <59782501+Botinoc@users.noreply.github.com> Date: Mon, 4 Jul 2022 11:22:08 +0300 Subject: [PATCH] Fortinet: changing the logic for creating zones (VDOM mod) --- FortinetMigration/FortiGateConverter.cs | 75 ++++++++++++++----------- 1 file changed, 42 insertions(+), 33 deletions(-) diff --git a/FortinetMigration/FortiGateConverter.cs b/FortinetMigration/FortiGateConverter.cs index 06616c5..7a079b8 100644 --- a/FortinetMigration/FortiGateConverter.cs +++ b/FortinetMigration/FortiGateConverter.cs @@ -3557,8 +3557,6 @@ public void Add_ParentLayer(CheckPoint_Package package, List fgComman cpRuleLayer.Rules.Add(cpSubRuleZone); } - bool isIntfContainsAny = false; - NewFortigateAnalizStatistic._fullrullPackcount = fgCommandsList.Count; foreach (FgCommand fgCommandE in fgCommandsList) { @@ -3616,20 +3614,20 @@ public void Add_ParentLayer(CheckPoint_Package package, List fgComman { fgSrcIntfs = fgCommand_Set.Value.Trim('"').Split(new string[] { "\" \"" }, StringSplitOptions.None).ToArray(); - if (Array.IndexOf(fgSrcIntfs.Select(s => s.ToLowerInvariant()).ToArray(), "any") > -1) - { - isIntfContainsAny = true; - } + //if (Array.IndexOf(fgSrcIntfs.Select(s => s.ToLowerInvariant()).ToArray(), "any") > -1) + //{ + // isIntfContainsAny = true; + //} } if (fgCommand_Set.Field.Equals("dstintf")) { fgDstIntfs = fgCommand_Set.Value.Trim('"').Split(new string[] { "\" \"" }, StringSplitOptions.None).ToArray(); - if (Array.IndexOf(fgDstIntfs.Select(s => s.ToLowerInvariant()).ToArray(), "any") > -1) - { - isIntfContainsAny = true; - } + //if (Array.IndexOf(fgDstIntfs.Select(s => s.ToLowerInvariant()).ToArray(), "any") > -1) + //{ + // isIntfContainsAny = true; + //} } 
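Review bot: The two `if (Array.IndexOf(... "any") > -1)` blocks in the srcintf and dstintf branches are commented out rather than deleted, and they still assign `isIntfContainsAny`, a local the first hunk removes, so the commented code is already stale and will only confuse the next reader. Delete the four commented-out blocks outright (history is in version control) and, if the "any" handling is intentionally moved, leave a single why-comment in their place: `// "any" interfaces are no longer detected here; root rules/zones named "any" are filtered when the parent layer is assembled.` The enclosing method `Add_ParentLayer` begins before this hunk and continues after it.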
@@ -4108,41 +4106,52 @@ public void Add_ParentLayer(CheckPoint_Package package, List fgComman //if Src or Dst Intf DO NOT contain ANY then we create sub-layers //otherwise policy is plain - if (!isIntfContainsAny) + List newRootRulesList = new List(); + foreach (CheckPoint_Rule rootRule in rootRulesList) { - package.ParentLayer.Rules.AddRange(rootRulesList); + if (!rootRule.Name.Contains("any")) + { + newRootRulesList.Add(rootRule); + } + } + package.ParentLayer.Rules.AddRange(newRootRulesList); - foreach (string key in extraZonesMap.Keys) + + foreach (string key in extraZonesMap.Keys) + { + if (key.Contains("any")) { - AddCpObjectToLocalMapper(key, extraZonesMap[key]); - AddCheckPointObject(extraZonesMap[key]); + continue; } + AddCpObjectToLocalMapper(key, extraZonesMap[key]); + AddCheckPointObject(extraZonesMap[key]); + } - _warningsList.AddRange(extraZonesWarnMsgsList); + _warningsList.AddRange(extraZonesWarnMsgsList); - foreach (string key in rootLayersMap.Keys) + foreach (string key in rootLayersMap.Keys) + { + if (key.Contains("any")) { - CheckPoint_Layer cpLayer = rootLayersMap[key]; + continue; + } + CheckPoint_Layer cpLayer = rootLayersMap[key]; - CheckPoint_Rule cpRuleCU = new CheckPoint_Rule(); - if(!OptimizeConf) NewFortigateAnalizStatistic._cleanupServicesRuleCount++; - NewFortigateAnalizStatistic._totalServicesRulesCount++; - cpRuleCU.Name = "Sub-Policy Cleanup"; - cpRuleCU.Layer = cpLayer.Name; + CheckPoint_Rule cpRuleCU = new CheckPoint_Rule(); + if (!OptimizeConf) NewFortigateAnalizStatistic._cleanupServicesRuleCount++; + NewFortigateAnalizStatistic._totalServicesRulesCount++; + cpRuleCU.Name = "Sub-Policy Cleanup"; + cpRuleCU.Layer = cpLayer.Name; - cpLayer.Rules.Add(cpRuleCU); + cpLayer.Rules.Add(cpRuleCU); - package.SubPolicies.Add(cpLayer); - validatePackage(package); - } + package.SubPolicies.Add(cpLayer); + validatePackage(package); } - else + foreach (CheckPoint_Rule ruleAdd in realRulesList) { - foreach (CheckPoint_Rule ruleAdd in 
realRulesList) - { - ruleAdd.Layer = package.ParentLayer.Name; - package.ParentLayer.Rules.Add(ruleAdd); - } + ruleAdd.Layer = package.ParentLayer.Name; + package.ParentLayer.Rules.Add(ruleAdd); } var cpRuleFake = new CheckPoint_Rule();
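Review bot: The new filters `rootRule.Name.Contains("any")` and `key.Contains("any")` are case-sensitive substring tests, whereas the check they replace lower-cased the interface name and compared it to exactly "any"; a zone or interface called e.g. "company" or "Germany" would now have its root rule and sub-layer silently dropped from the package, while "Any"/"ANY" would slip through, and in a policy converter a silently dropped rule changes what the migrated gateway enforces. Match the token exactly and case-insensitively, preferably against the parsed interface list as the old code did, or at minimum `rootRule.Name.IndexOf("any", StringComparison.OrdinalIgnoreCase) >= 0`, and cover "company"-style names in a unit test. A second point worth checking: the flat `realRulesList` rules are now appended after the zone root rules, and every sub-layer receives a "Sub-Policy Cleanup" rule; if that cleanup rule is a drop (its action is not visible here), traffic that matches a zone pair never reaches the flat rules below, so a FortiGate policy with srcintf/dstintf "any" could be shadowed by the sub-policies. `Add_ParentLayer` continues past the end of this hunk.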