From 12832993fa6f352584994defd2fc458762b136ad Mon Sep 17 00:00:00 2001 From: ASemenchuk <59782501+Botinoc@users.noreply.github.com> Date: Wed, 17 Aug 2022 13:11:47 +0300 Subject: [PATCH] JuniperSRX: parsing groups tag --- JuniperMigration/JuniperConverter.cs | 37 +++++++++++++++++++------- JuniperMigration/JuniperParser.cs | 39 ++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 10 deletions(-) diff --git a/JuniperMigration/JuniperConverter.cs b/JuniperMigration/JuniperConverter.cs index d251c53..0d5f40d 100644 --- a/JuniperMigration/JuniperConverter.cs +++ b/JuniperMigration/JuniperConverter.cs @@ -4033,19 +4033,29 @@ private void MatchNATRulesIntoFirewallPolicy() { continue; } - - var parentLayerRuleZone = (CheckPoint_Zone)cpParentRule.Source[0]; - if (parentLayerRuleZone == null) + try { - continue; - } + var parentLayerRuleZone = (CheckPoint_Zone)cpParentRule.Source[0]; - // NAT rule source zone(s)/interface(s) should match on firewall rule source zone - if (!IsFirewallRuleSourceZoneMatchedByNATRule(parentLayerRuleZone.Name, juniperNatCustomData)) + if (parentLayerRuleZone == null) + { + continue; + } + + // NAT rule source zone(s)/interface(s) should match on firewall rule source zone + if (!IsFirewallRuleSourceZoneMatchedByNATRule(parentLayerRuleZone.Name, juniperNatCustomData)) + { + continue; + } + } catch (Exception ex) { - continue; + if (ex.Message == "Unable to cast object of type 'CheckPointObjects.CheckPoint_NetworkGroup' to type 'CheckPointObjects.CheckPoint_Zone'.") + continue; + else throw ex; } + + // Get into the relevant sub-policy foreach (CheckPoint_Layer subPolicy in cpPackage.SubPolicies) { 
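Review bot: The try/catch wrapped around the `(CheckPoint_Zone)cpParentRule.Source[0]` cast turns a type test into exception-driven control flow keyed on the exact runtime message text, which stops matching on a localized runtime or when `Source[0]` is some third type, and the fallback `throw ex;` discards the original stack trace. Replace the whole try/catch with a type-safe cast that keeps the existing null-skip semantics: `var parentLayerRuleZone = cpParentRule.Source[0] as CheckPoint_Zone;` followed by the unchanged `if (parentLayerRuleZone == null) { continue; }`, and if any catch is kept, rethrow with `throw;`. Skipping silently also means NAT rules whose parent firewall rule has a network group as source are never matched into the policy, so a comment such as `// Source is a network group, not a zone: NAT zone matching is skipped for this rule — TODO confirm this is intended` would make that visible to whoever reviews the migration output. `Source[0]` on an empty Source list is still unguarded here, and I cannot tell from the hunk whether callers guarantee at least one entry. MatchNATRulesIntoFirewallPolicy begins above and continues below this hunk.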
@@ -4709,8 +4719,15 @@ private CheckPointObject GetCheckPointObjectOrCreateDummy(string cpObjectName, s juniperObject.ConversionIncidentType = ConversionIncidentType.ManualActionRequired; - errorDescription = string.Format("{0} Using dummy object: {1}.", errorDescription, cpDummyObject.Name); - _conversionIncidents.Add(new ConversionIncident(juniperObject.LineNumber, errorTitle, errorDescription, juniperObject.ConversionIncidentType)); + if (cpObjectName.Contains("<") && cpObjectName.Contains(">") && cpObjectName.Contains("*")) + { + errorDescription = string.Format("wildcard expression is not supported"); + _conversionIncidents.Add(new ConversionIncident(juniperObject.LineNumber, "Error creating a parent layer rule", errorDescription, juniperObject.ConversionIncidentType)); + } else + { + errorDescription = string.Format("{0} Using dummy object: {1}.", errorDescription, cpDummyObject.Name); + _conversionIncidents.Add(new ConversionIncident(juniperObject.LineNumber, errorTitle, errorDescription, juniperObject.ConversionIncidentType)); + } } return cpDummyObject; diff --git a/JuniperMigration/JuniperParser.cs b/JuniperMigration/JuniperParser.cs index 31a781e..46b71d8 100644 --- a/JuniperMigration/JuniperParser.cs +++ b/JuniperMigration/JuniperParser.cs @@ -59,6 +59,7 @@ public override void Parse(string filename) ParseApplicationsAndGroups(configNode); parseSchedulers(configNode); ParsePolicy(configNode); + ParsePolicyFromGroups(configNode); ParseNat(configNode); AttachRoutesToInterfacesTopology(); } 
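Review bot: The new wildcard branch replaces the caller's `errorTitle` with the fixed title "Error creating a parent layer rule" and drops the "Using dummy object" detail even though the method still returns `cpDummyObject`, so the incident no longer tells the operator that a placeholder object was substituted into a security rule; the `string.Format` call there also has no placeholders. Keep the caller's title and the substitution note: `errorDescription = string.Format("Wildcard expression '{0}' is not supported. Using dummy object: {1}.", cpObjectName, cpDummyObject.Name);` and pass `errorTitle` unchanged to the ConversionIncident. The three `Contains` checks will also match any name that merely happens to contain `<`, `>` and `*`; if Junos wildcard names are always bracketed, `cpObjectName.StartsWith("<") && cpObjectName.EndsWith(">") && cpObjectName.Contains("*")` is tighter, but confirm the syntax before narrowing it. GetCheckPointObjectOrCreateDummy starts above this hunk and its closing brace is below it.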
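Review bot: Calling ParsePolicyFromGroups unconditionally after ParsePolicy treats everything under `groups` as live policy, but in Junos a group's contents only take effect where the configuration references it with `apply-groups` (and explicit config overrides it); if the parser's input is not inheritance-expanded, rules that were never in force get migrated, and if it is, the same rules are parsed a second time — I cannot tell from the hunk which form Parse receives. At minimum, guard the call on the configuration referencing groups at all, `if (configNode.XPathSelectElement("./apply-groups") != null) { ParsePolicyFromGroups(configNode); }`, with a comment `// groups are templates; only effective when applied via apply-groups`. Per-group matching would need the group names, which this XPath does not capture. Parse's signature is above this hunk.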
@@ -448,6 +449,44 @@ private void ParsePolicy(XElement configNode) _juniperGlobalPolicyRules.Add(juniperDefaultActionRule); } + private void ParsePolicyFromGroups(XElement configNode) + { + var zonePolicies = configNode.XPathSelectElements("./groups/security/policies/policy"); + foreach (var zonePolicy in zonePolicies) + { + JuniperObject juniperZonePolicy = new Juniper_ZonePolicy(); + juniperZonePolicy.Parse(zonePolicy, null); + _juniperObjects.Add(juniperZonePolicy); + + var policies = zonePolicy.Elements("policy"); + foreach (var policy in policies) + { + var juniperRule = new Juniper_PolicyRule(); + juniperRule.Parse(policy, null); + ((Juniper_ZonePolicy)juniperZonePolicy).Rules.Add(juniperRule); + } + } + + var globalPolicies = configNode.XPathSelectElements("./groups/security/policies/global/policy"); + foreach (var globalPolicy in globalPolicies) + { + var juniperGlobalRule = new Juniper_GlobalPolicyRule(); + juniperGlobalRule.Parse(globalPolicy, null); + _juniperGlobalPolicyRules.Add(juniperGlobalRule); + } + + var defaultAction = Juniper_PolicyRule.ActionType.Deny; + var policyDefaultAction = configNode.XPathSelectElement("./groups/security/policies/default-policy"); + if (policyDefaultAction != null && policyDefaultAction.Element("permit-all") != null) + { + defaultAction = Juniper_PolicyRule.ActionType.Permit; + } + + var juniperDefaultActionRule = new Juniper_GlobalPolicyRule(); + juniperDefaultActionRule.GenerateDefaultActionRule(defaultAction); + _juniperGlobalPolicyRules.Add(juniperDefaultActionRule); + } + private void ParseNat(XElement configNode) { var nat = configNode.XPathSelectElement("./security/nat");
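Review bot: The three lines at the end of the new method append a second terminal default-action rule to `_juniperGlobalPolicyRules`, which the context at the top of the hunk shows ParsePolicy has already terminated with its own default rule; every global rule this method adds therefore sits behind an any/any default and is unreachable, and when the group's `default-policy` is `permit-all` while the main one is deny, the converted policy carries a permit-all rule that never applied on the SRX and silently widens it if rules are ever reordered. Drop the duplicate default rule and, if group rules are meant to be effective, insert them ahead of the existing default rule (this assumes `_juniperGlobalPolicyRules` is a `List<>` and that ParsePolicy always leaves at least its default rule, both consistent with the visible lines). The zone-policy loop also creates a fresh Juniper_ZonePolicy per group entry instead of merging into an existing zone pair, which may duplicate rule containers — cannot confirm from here. The rewritten tail of the method:
```csharp
    // … unchanged: zone-policy loop …

    var globalPolicies = configNode.XPathSelectElements("./groups/security/policies/global/policy");
    // ParsePolicy() has already appended the terminal default-action rule; place
    // group rules before it so they remain reachable instead of being dead rules.
    var defaultRuleIndex = _juniperGlobalPolicyRules.Count - 1;
    foreach (var globalPolicy in globalPolicies)
    {
        var juniperGlobalRule = new Juniper_GlobalPolicyRule();
        juniperGlobalRule.Parse(globalPolicy, null);
        _juniperGlobalPolicyRules.Insert(defaultRuleIndex++, juniperGlobalRule);
    }
    // Deliberately no second default-action rule: a trailing permit-all from a
    // group would widen the converted policy beyond what the SRX enforced.
}
```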