I'm getting ready to migrate a number of Cisco ASA firewalls to Fortigate.
Fortinet sells a ~$4000 license for their FortiConverter, which I didn't want to spend.
My goal was to automate the conversion of objects, which saves time and virtually eliminates the possibility of typos.
The Perl script below is what I came up with.
-Syntax: "perl converter.pl <ASA config file name>" (e.g. "perl converter.pl running-config.cg")
-Script converts hosts, networks and ip ranges
-Script does NOT convert or create group objects (someone want to add that for me?)
Once run, all that's left to do is remove the miscellaneous Cisco commands that remain, import the config (via GUI or CLI), and within a couple of minutes you have all the objects ready for use in creating policies.
Happy New Year :)
#!/usr/bin/perl
# Requires the Net::Netmask module (cpan Net::Netmask, or "ppm install Net-Netmask" on ActivePerl)
use strict;
use warnings;
use Net::Netmask;

$^I = '.bak';        # edit the input file in place; the untouched original is saved as <file>.bak
BEGIN { undef $/; }  # slurp the whole file so one pattern can span an object and its indented sub-lines

# Each substitution turns one ASA object into a complete FortiGate CLI stanza, one command per line.
# Host objects become h-<ip>, subnets n-<ip>/<prefix>, ranges r-<start>-<end>.
while (<>) {
    # match host objects in groups
    s/network-object host ((?:\d{1,3}\.){3}\d{1,3})/config firewall address\nedit h-$1\nset subnet $1 255.255.255.255\nnext\nend/g;
    # match network objects in groups; Net::Netmask turns the dotted mask into the prefix length used in the name
    s/network-object ((?:\d{1,3}\.){3}\d{1,3})\s(.*)/"config firewall address\nedit n-$1\/" . Net::Netmask->new("0.0.0.0", $2)->bits . "\nset subnet $1 $2\nnext\nend"/ge;
    # match host objects with descriptions (the description line follows the host line)
    s/object network.*\s*host ((?:\d{1,3}\.){3}\d{1,3})\s*description\s(.*)/config firewall address\nedit h-$1\nset comment $2\nset subnet $1 255.255.255.255\nnext\nend/g;
    # match host objects without descriptions
    s/object network.*\s*host ((?:\d{1,3}\.){3}\d{1,3})/config firewall address\nedit h-$1\nset subnet $1 255.255.255.255\nnext\nend/g;
    # match subnet objects with descriptions
    s/object network.*\s*subnet ((?:\d{1,3}\.){3}\d{1,3})\W(.*)\s*description\s(.*)/"config firewall address\nedit n-$1\/" . Net::Netmask->new("0.0.0.0", $2)->bits . "\nset comment $3\nset subnet $1 $2\nnext\nend"/ge;
    # match subnet objects without descriptions
    s/object network.*\s*subnet ((?:\d{1,3}\.){3}\d{1,3})\W(.*)/"config firewall address\nedit n-$1\/" . Net::Netmask->new("0.0.0.0", $2)->bits . "\nset subnet $1 $2\nnext\nend"/ge;
    # match range objects with descriptions
    s/object network.*\s*range ((?:\d{1,3}\.){3}\d{1,3})\W(.*)\s*description\s(.*)/config firewall address\nedit r-$1-$2\nset comment $3\nset type iprange\nset start-ip $1\nset end-ip $2\nnext\nend/g;
    # match range objects without descriptions
    s/object network.*\s*range ((?:\d{1,3}\.){3}\d{1,3})\s(.*)/config firewall address\nedit r-$1-$2\nset type iprange\nset start-ip $1\nset end-ip $2\nnext\nend/g;
    # remove leftover network group names with descriptions (group objects themselves are not converted)
    s/object-group.*\s*description.*//g;
    # remove leftover network group names without descriptions
    s/object-group.*//g;
    # remove references to existing network objects
    s/network-object object.*//g;
    print;  # with $^I set, this writes the converted text back to the input file
}
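The script above leaves group objects unconverted and simply strips the object-group lines at the end, so a service group or a group member it does not recognise disappears without a trace. As an added example (not the post's Perl script, and not code from Fortinet or Cisco), here is a Python version that reads the ASA config statement by statement instead of with global regex passes: it converts "object network" host/subnet/range definitions with the same h-/n-/r- naming, also emits "config firewall addrgrp" for "object-group network" blocks, resolves "network-object object NAME" members to the converted name, warns about members it cannot resolve, and lists every line it did not convert so the leftovers can be reviewed rather than lost. The sample config embedded in it is constructed; the handling of nested "group-object" members assumes the target FortiOS release accepts address groups as members of an address group.

```python
# Added example (not the post's Perl script): block parser that also converts object-groups and lists what it skipped.
import ipaddress
import sys

# Constructed sample in ASA running-config syntax, not taken from a real device.
SAMPLE_ASA = """\
object network WEB-01
 host 10.1.1.10
 description Public web server
object-group network DMZ-SERVERS
 description Servers in the DMZ
 network-object object WEB-01
 network-object host 10.1.1.11
 network-object 10.1.2.0 255.255.255.128
 group-object GUEST-GROUP
object-group service WEB-PORTS tcp
"""

def quote(s):  # double-quote a FortiGate CLI string, escaping embedded quotes
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def addr_def(kind, a, b=None):  # (FortiGate name, 'set' lines) using the post's h-/n-/r- naming
    if kind == "host":
        return f"h-{a}", [f"set subnet {a} 255.255.255.255"]
    if kind == "subnet":  # 255.255.255.128 -> /25 in the name, as the Perl script does with Net::Netmask
        return f"n-{a}/{ipaddress.IPv4Network(('0.0.0.0', b)).prefixlen}", [f"set subnet {a} {b}"]
    return f"r-{a}-{b}", ["set type iprange", f"set start-ip {a}", f"set end-ip {b}"]

def asa_blocks(text):  # [(header words, [body line words])], one per top-level ASA statement
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t" and out:
            out[-1][1].append(raw.split())
        else:
            out.append((raw.split(), []))
    return out

def parse_asa(text):  # -> (addresses, asa_to_fgt, groups, skipped); nothing is dropped silently
    addresses, asa_to_fgt, groups, skipped = {}, {}, {}, []
    def add(name, set_lines, comment=None):  # the same host/subnet in several groups -> one object
        addresses.setdefault(name, {"set": set_lines, "comment": comment})
        return name
    for head, body in asa_blocks(text):
        comment = next((" ".join(w[1:]) for w in body if w[0] == "description" and len(w) > 1), None)
        rest = [w for w in body if w[0] != "description"]
        if head[:2] == ["object", "network"] and len(head) == 3:
            defs = [w for w in rest if w[0] in ("host", "subnet", "range") and len(w) == (2 if w[0] == "host" else 3)]
            skipped += [" ".join(head) + ": " + " ".join(w) for w in rest if w not in defs]  # e.g. object NAT
            if len(defs) == 1:
                asa_to_fgt[head[2]] = add(*addr_def(*defs[0]), comment=comment)
            else:  # e.g. an fqdn object: report it rather than drop it
                skipped.append(" ".join(head))
        elif head[:2] == ["object-group", "network"] and len(head) == 3:
            members = []
            for w in rest:
                if w[:2] == ["network-object", "object"] and len(w) == 3:
                    members.append(("object", w[2]))  # resolved to its h-/n-/r- name when rendering
                elif w[:2] == ["network-object", "host"] and len(w) == 3:
                    members.append(("addr", add(*addr_def("host", w[2]))))
                elif w[0] == "network-object" and len(w) == 3:
                    members.append(("addr", add(*addr_def("subnet", w[1], w[2]))))
                elif w[0] == "group-object" and len(w) == 2:
                    members.append(("group", w[1]))  # nested addrgrp: assumes the FortiOS release allows it
                else:
                    skipped.append(" ".join(head) + ": " + " ".join(w))
            groups[head[2]] = {"comment": comment, "members": members}
        else:  # ACLs, NAT, service groups, ...: listed for manual review
            skipped.append(" ".join(head))
    return addresses, asa_to_fgt, groups, skipped

def edit_block(name, comment, set_lines):  # one 'edit ... next' stanza
    body = ([f"set comment {quote(comment)}"] if comment else []) + set_lines
    return [f"    edit {quote(name)}"] + [f"        {s}" for s in body] + ["    next"]

def render_fortigate(addresses, asa_to_fgt, groups):  # -> (CLI text, warnings for unresolved members)
    out, warnings = ["config firewall address"], []
    for name, a in addresses.items():
        out += edit_block(name, a["comment"], a["set"])
    out.append("end")
    if groups:
        out.append("config firewall addrgrp")
        for gname, g in groups.items():
            members = []
            for kind, value in g["members"]:
                target = asa_to_fgt.get(value) if kind == "object" else value
                if target is None or (kind == "group" and value not in groups):
                    warnings.append(f"group {gname}: unresolved {kind} {value}")  # fix by hand before import
                else:
                    members.append(target)
            out += edit_block(gname, g["comment"], ["set member " + " ".join(map(quote, members))] if members else [])
        out.append("end")
    return "\n".join(out) + "\n", warnings

if __name__ == "__main__":  # usage: python asa2fgt.py running-config.txt > fgt-objects.txt
    addresses, asa_to_fgt, groups, skipped = parse_asa(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ASA)
    cli, warnings = render_fortigate(addresses, asa_to_fgt, groups)
    sys.stdout.write(cli)  # paste into the FortiGate CLI or import it as a script
    print("\n".join(f"WARNING: {m}" for m in warnings + [f"not converted: {s}" for s in skipped]), file=sys.stderr)
```

Unlike the in-place Perl edit, this writes the FortiGate CLI to stdout and leaves the ASA file untouched; warnings and unconverted lines go to stderr. Treat that stderr list as the checklist for what still has to be migrated by hand (service groups, ACLs, NAT), and resolve every "unresolved" warning before importing, since a group that references a missing address object will not load as intended.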
16 comments:
Dear Firewall Guru,
Since you know so much about fortinet maybe you can help me out.
I'm looking for a way to use the cisco anyconnect linux client to connect to a fortinet if that is even possible.
thanks.
I haven't found any information on how to do this. Unless an absolute requirement I'd advise against it.
Firewall Guru,
I am not familiar with running Perl. How would I run this script? I have a copy of my Cisco running-config (as a .txt file) on my desktop. How would I incorporate that into this script? Thank you for your assistance.
-Install ActivePerl Community edition (if you're running Windows)
https://www.activestate.com/activeperl/downloads
-Install the Net::Netmask module
"C:\perl64\bin\ppm install net-netmask"
-Run the conversion script
(perl conversion script: convert.pl, Cisco config: running-config.txt)
"C:\perl64\bin\perl c:\convert.pl c:\running-config.txt"
what is the password?
Hi Gurus,
I'm pretty much a noob at Perl and need guidance from A-Z. Can someone point me to a site where I can learn Perl and do the scripting work? Thanks!
Regards,
Hi Sebastian,
I'm trying to launch the script on an ASA config, but I get nothing as a result. Can you please assist me?
At the end of the script, where can I find the new config?
Thank You !
Hi, I try to execute this Perl script, but when it runs it gives this error:
perl convert.pl asa_running.txt
Can't locate Net/Netmask.pm in @INC (you may need to install the Net::Netmask module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.1 /usr/local/share/perl/5.22.1 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base .) at convert.pl line 7.
BEGIN failed--compilation aborted at convert.pl line 7.
Do you know how can I fix it?
Thanks for the script. Very helpful.
For those posting about the error, read the error. What does it say?
"you may need to install the Net::Netmask module"
Google: "how do I install perl modules"
That gives you: cpan Net::Netmask
It took some work to get it to run, but I'm impressed.
For anyone who comes across this and has issues, here's the steps I took on windows 10.
Download Perl from ActiveState.
Run the CLI installer and enter the "state activate" command it shows you on the activestate download page. This is a directory you will need to check later.
Then run:
powershell -Command "& $([scriptblock]::Create((New-Object Net.WebClient).DownloadString('https://platform.activestate.com/dl/cli/install.ps1')))"
Then:
state auth
This will prompt with an authentication hash that pops up in a browser; click there to confirm that it matches.
Then save the Perl script from this post (I renamed it to perlconverter.pl and dropped the space; my ASA config is runningconfig.txt, which will be needed later) to the directory containing your project's activestate.yaml (this will be the directory from the state activate command earlier from the download page).
Move the running config from the ASA to the same directory.
Run the command:
cpan
And accept all default values here. May not be necessary, but I did this anyway. Then make sure you're back in the directory from before.
Install the Net::Netmask module with the following command:
ppm install Net-Netmask
Wait for that to finish. If everything is successful and you're still in that same directory with activestate.yaml, your script, and the ASA config, there's just one more step. Run this command:
state exec perl perlconverter.pl runningconfig.txt
This will save the new converted output as a file in that same directory, with the name runningconfig.txt.bak
Open that in Notepad++ or something and strip out your converted address objects, ready to put into a fortigate as a CLI script.
I did all as mentioned above, but the .bak file has the same old ASA configuration.