CheckPointSW · chkp-ofirs · Sep 1, 2022 · Aug 17, 2022
diff --git a/JuniperMigration/JuniperConverter.cs b/JuniperMigration/JuniperConverter.cs
@@ -4033,19 +4033,29 @@ private void MatchNATRulesIntoFirewallPolicy()
                     {
                         continue;
                     }
-
-                    var parentLayerRuleZone = (CheckPoint_Zone)cpParentRule.Source[0];
-                    if (parentLayerRuleZone == null)
+					try
                     {
-                        continue;
-                    }
+                        var parentLayerRuleZone = (CheckPoint_Zone)cpParentRule.Source[0];
 
-                    // NAT rule source zone(s)/interface(s) should match on firewall rule source zone
-                    if (!IsFirewallRuleSourceZoneMatchedByNATRule(parentLayerRuleZone.Name, juniperNatCustomData))
+                        if (parentLayerRuleZone == null)
+                        {
+                            continue;
+                        }
+
+                        // NAT rule source zone(s)/interface(s) should match on firewall rule source zone
+                        if (!IsFirewallRuleSourceZoneMatchedByNATRule(parentLayerRuleZone.Name, juniperNatCustomData))
+                        {
+                            continue;
+                        }
+                    } catch (Exception ex)
                     {
-                        continue;
+                        if (ex.Message == "Unable to cast object of type 'CheckPointObjects.CheckPoint_NetworkGroup' to type 'CheckPointObjects.CheckPoint_Zone'.")
+                            continue;
+                        else throw ex;
                     }
 
+
+
                     // Get into the relevant sub-policy
                     foreach (CheckPoint_Layer subPolicy in cpPackage.SubPolicies)
                     {
@@ -4709,8 +4719,15 @@ private CheckPointObject GetCheckPointObjectOrCreateDummy(string cpObjectName, s
 
                 juniperObject.ConversionIncidentType = ConversionIncidentType.ManualActionRequired;
 
-                errorDescription = string.Format("{0} Using dummy object: {1}.", errorDescription, cpDummyObject.Name);
-                _conversionIncidents.Add(new ConversionIncident(juniperObject.LineNumber, errorTitle, errorDescription, juniperObject.ConversionIncidentType));
+                if (cpObjectName.Contains("<") && cpObjectName.Contains(">") && cpObjectName.Contains("*"))
+                {
+                    errorDescription = string.Format("wildcard expression is not supported");
+                    _conversionIncidents.Add(new ConversionIncident(juniperObject.LineNumber, "Error creating a parent layer rule", errorDescription, juniperObject.ConversionIncidentType));
+                } else
+                {
+                    errorDescription = string.Format("{0} Using dummy object: {1}.", errorDescription, cpDummyObject.Name);
+                    _conversionIncidents.Add(new ConversionIncident(juniperObject.LineNumber, errorTitle, errorDescription, juniperObject.ConversionIncidentType));
+                }
             }
 
             return cpDummyObject;

diff --git a/JuniperMigration/JuniperParser.cs b/JuniperMigration/JuniperParser.cs
@@ -59,6 +59,7 @@ public override void Parse(string filename)
             ParseApplicationsAndGroups(configNode);
             parseSchedulers(configNode);			
             ParsePolicy(configNode);
+            ParsePolicyFromGroups(configNode);
             ParseNat(configNode);
             AttachRoutesToInterfacesTopology();
         }
@@ -448,6 +449,44 @@ private void ParsePolicy(XElement configNode)
             _juniperGlobalPolicyRules.Add(juniperDefaultActionRule);
         }
 
+        private void ParsePolicyFromGroups(XElement configNode)
+        {
+            var zonePolicies = configNode.XPathSelectElements("./groups/security/policies/policy");
+            foreach (var zonePolicy in zonePolicies)
+            {
+                JuniperObject juniperZonePolicy = new Juniper_ZonePolicy();
+                juniperZonePolicy.Parse(zonePolicy, null);
+                _juniperObjects.Add(juniperZonePolicy);
+
+                var policies = zonePolicy.Elements("policy");
+                foreach (var policy in policies)
+                {
+                    var juniperRule = new Juniper_PolicyRule();
+                    juniperRule.Parse(policy, null);
+                    ((Juniper_ZonePolicy)juniperZonePolicy).Rules.Add(juniperRule);
+                }
+            }
+
+            var globalPolicies = configNode.XPathSelectElements("./groups/security/policies/global/policy");
+            foreach (var globalPolicy in globalPolicies)
+            {
+                var juniperGlobalRule = new Juniper_GlobalPolicyRule();
+                juniperGlobalRule.Parse(globalPolicy, null);
+                _juniperGlobalPolicyRules.Add(juniperGlobalRule);
+            }
+
+            var defaultAction = Juniper_PolicyRule.ActionType.Deny;
+            var policyDefaultAction = configNode.XPathSelectElement("./groups/security/policies/default-policy");
+            if (policyDefaultAction != null && policyDefaultAction.Element("permit-all") != null)
+            {
+                defaultAction = Juniper_PolicyRule.ActionType.Permit;
+            }
+
+            var juniperDefaultActionRule = new Juniper_GlobalPolicyRule();
+            juniperDefaultActionRule.GenerateDefaultActionRule(defaultAction);
+            _juniperGlobalPolicyRules.Add(juniperDefaultActionRule);
+        }
+
         private void ParseNat(XElement configNode)
         {
             var nat = configNode.XPathSelectElement("./security/nat");