Thursday, December 29, 2016

Cisco ASA to Fortigate conversion

I'm getting ready to migrate a number of Cisco ASA firewalls to Fortigate.
Fortinet sells a ~$4000 license for their FortiConverter, which I didn't want to pay for.

My goal was to automate the conversion of objects, which will save time and virtually eliminate the possibility of typos.

The Perl script below is what I came up with.

-Syntax: "perl converter.pl <ASA config file name>" (e.g. "perl converter.pl running-config.cg")
-Script converts hosts, networks and ip ranges
-Script does NOT convert or create group objects (someone want to add that for me?)

Once it has run, all that's left to do is remove the miscellaneous Cisco commands that remain and import the config (via GUI or CLI); within a couple of minutes you have all the objects ready for use in creating policies.

Happy New Year :)


#!/usr/bin/perl

# Requires Net::Netmask module (used to turn a dotted mask into a prefix length)

use strict;
use warnings;
use Net::Netmask;

$^I = '.bak'; # edit the config file in place and keep a backup copy

BEGIN {undef $/;} # slurp the whole file so a pattern can span the object header and its sub-commands

while (<>) {
    # match host objects in groups
    s/network\-object host ((?:\d{1,3}\.){3}\d{1,3})/config firewall address\redit h-$1\rset subnet $1 255.255.255.255\rnext\rend/g; # do the replacement

    # match network objects in groups (object name carries the prefix length, e.g. n-10.0.0.0/24)
    s/network\-object ((?:\d{1,3}\.){3}\d{1,3})\s(.*)/"config firewall address\redit n-$1\/".Net::Netmask->new("0.0.0.0", $2)->bits."\rset subnet $1 $2\rnext\rend"/ge;

    # match host objects with descriptions (ASA lists the description after the host line)
    s/object network.*\s*host ((?:\d{1,3}\.){3}\d{1,3})\s*description\s(.*)/config firewall address\redit h-$1\rset comment $2\rset subnet $1 255.255.255.255\rnext\rend/g;

    # match host objects without descriptions
    s/object network.*\s*host ((?:\d{1,3}\.){3}\d{1,3})/config firewall address\redit h-$1\rset subnet $1 255.255.255.255\rnext\rend/g;

    # match subnet objects with descriptions
    s/object network.*\s*subnet ((?:\d{1,3}\.){3}\d{1,3})\W(.*)\s*description\s(.*)/"config firewall address\redit n-$1\/".Net::Netmask->new("0.0.0.0", $2)->bits."\rset comment $3\rset subnet $1 $2\rnext\rend"/ge;

    # match subnet objects without descriptions
    s/object network.*\s*subnet ((?:\d{1,3}\.){3}\d{1,3})\W(.*)/"config firewall address\redit n-$1\/".Net::Netmask->new("0.0.0.0", $2)->bits."\rset subnet $1 $2\rnext\rend"/ge;

    # match range objects with descriptions
    s/object network\s.*\s*range ((?:\d{1,3}\.){3}\d{1,3})\W(.*)\s*description\s(.*)/config firewall address\redit r-$1-$2\rset comment $3\rset type iprange\rset start-ip $1\rset end-ip $2\rnext\rend/g;

    # match range objects without descriptions
    s/object network.*\s*range ((?:\d{1,3}\.){3}\d{1,3})\s(.*)/config firewall address\redit r-$1-$2\rset type iprange\rset start-ip $1\rset end-ip $2\rnext\rend/g;

    # remove leftover network group names with descriptions
    s/object\-group.*\s*description.*//g;

    # remove leftover network group names without descriptions
    s/object\-group.*//g;

    # remove references to existing network objects (the objects themselves were converted above)
    s/network-object object.*//g;

    print; # write the converted text to the modified file
}
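As an added example (not the post's script, and written in Python rather than Perl), the same conversion done as a small line-by-line parser instead of multi-line regexes. It keeps the post's h-/n-/r- naming, deduplicates addresses that appear in several groups, and also emits the "config firewall addrgrp" block for object-groups that the script leaves out. The ASA snippet is constructed for the demo.

```python
import ipaddress
# Constructed ASA snippet for the demo (not taken from the original post).
ASA_SAMPLE = """\
object network web01
 host 10.1.1.10
 description Web server
object network dmz
 subnet 10.1.2.0 255.255.255.0
object network pool
 range 10.1.3.1 10.1.3.50
object-group network web-farm
 network-object host 10.1.1.11
 network-object 10.1.4.0 255.255.255.0
 network-object object web01
"""

def register(addrs, kind, a, b=None):  # one address, post's h-/n-/r- naming, deduplicated by name
    if kind == "host":
        name, body = f"h-{a}", [f"set subnet {a} 255.255.255.255"]
    elif kind == "subnet":
        bits = ipaddress.IPv4Network(f"0.0.0.0/{b}").prefixlen  # dotted mask -> prefix length
        name, body = f"n-{a}/{bits}", [f"set subnet {a} {b}"]
    else:
        name, body = f"r-{a}-{b}", ["set type iprange", f"set start-ip {a}", f"set end-ip {b}"]
    addrs.setdefault(name, body)
    return name

def to_fortigate(text):  # ASA objects/groups -> FortiGate address + addrgrp config text
    addrs, alias, groups, cur = {}, {}, {}, None  # FG name -> body; ASA name -> FG name; group -> members
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["object", "network"]:
            cur = ("obj", t[2])
        elif t[:2] == ["object-group", "network"]:
            cur, groups[t[2]] = ("grp", t[2]), []
        elif not line.startswith(" "):  # any other top-level line (object service, nat, ...) ends the block
            cur = None
        elif cur and cur[0] == "obj" and t[0] in ("host", "subnet", "range"):
            alias[cur[1]] = register(addrs, t[0], *t[1:])
        elif cur and cur[0] == "obj" and t[0] == "description":  # ASA lists it after the address line
            addrs[alias[cur[1]]].insert(0, f"set comment {' '.join(t[1:])}")
        elif cur and cur[0] == "grp" and t[0] == "network-object":
            kind, args = (t[1], t[2:]) if t[1] in ("host", "object") else ("subnet", t[1:])
            groups[cur[1]].append(alias[args[0]] if kind == "object" else register(addrs, kind, *args))
    out = ["config firewall address", *(l for n, b in addrs.items() for l in (f"edit {n}", *b, "next")),
           "end", "config firewall addrgrp"]
    for g, members in groups.items():
        out += [f"edit {g}", "set member " + " ".join(f'"{m}"' for m in members), "next"]
    return "\n".join(out + ["end"])
```

Run it as `print(to_fortigate(open("running-config.txt").read()))`; ASA lines that are not network objects or groups are simply skipped, so no cleanup pass is needed afterwards.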

5 comments:

Dementor said...

Dear Firewall Guru,
Since you know so much about fortinet maybe you can help me out.
I'm looking for a way to use the cisco anyconnect linux client to connect to a fortinet if that is even possible.

thanks.

Sebastian said...

I haven't found any information on how to do this. Unless an absolute requirement I'd advise against it.

murali krishna said...

Just been to eat live blog fantastic site thanks for sharing!

cruellas_boyz said...

Firewall Guru,
I am not familiar with running Perl. How would I run this script? I have a copy of my Cisco running-config (as a .txt file) on my desktop. How would I incorporate that into this script? Thank you for your assistance.

Sebastian said...

-Install ActivePerl Community edition (if you're running Windows)
https://www.activestate.com/activeperl/downloads

-Install the Net::Netmask module
"C:\perl64\bin\ppm install net-netmask"

-Run the conversion script
(perl conversion script: convert.pl, Cisco config: running-config.txt)

"C:\perl64\bin\perl c:\convert.pl c:\running-config.txt"