GoSecure / Cisco2Checkpoint

Tool that assists in migrating firewall rules from Cisco to Checkpoint. Will optimize rules for you (rationalization, reuse merging, etc.).
http://gosecure.net/2017/01/30/cisco2checkpoint-cisco-checkpoint-conversion-tool/
GNU General Public License v3.0

Cisco ASA: object-group network with child group-object not recognized #4

Closed mjardeli closed 7 years ago

mjardeli commented 7 years ago

Hi, I am using your app, which is very handy. Thank you very much!

I am trying to import a Cisco ASA config to Checkpoint R77. I noticed a few config lines not being recognized (I can list them if you are interested); for most of them I can adjust my original config and get around it with a small amount of manual work. But one config line will cause a lot of extra manual work. It seems it is not recognizing object-group network or object-group service. As per: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/objectgroups.html

I am using Ubuntu 16.01, with python2.7 and ciscoconfparse 1.2.40 (also 1.2.47, the latest version).

Am I using the incorrect syntax? Is there a way to use object-group with group-object inside?

Here is the output from the command line:

config lines:

!
object-group network exampleobject
 network-object host 1.1.1.254
!
object-group network groupexample
 group-object exampleobject
!

root@splunk:~/c2c# python2.7 c2c.py --verify --format text --ciscoFile 'test' --syntax asa --policy My_Policy --installOn My_Firewall --output 'network_script_verify.txt'

[+] Importing all objects except groups.

[+] Importing Checkpoint network objects

[+] Importing all hosts.

[+] Importing all networks.

[+] Importing all ranges.

[+] Fixing duplicate names

[+] Fixing duplicate IP addresses

[+] Fixing duplicate subnets

[+] Fixing duplicate ranges

[+] Importing Checkpoint ports objects

[+] Adding ICMP Aliases

[+] Importing all single ports objects.

[+] Importing all port ranges objects.

[+] Importing all net/host/range groups.

[+] A null member was identifed in object "object-group network groupexample"

[+] Importing all port groups.

[+] Importing all protocol groups.

[+] Importing all NAT rules.

[+] Importing all firewall rules. (access-list)

[+] Importing all firewall rules. (ip access-list)

[+] Merging redundant ACL rules

[+] Exporting to verify format

Summary of the findings in "test"

#

Number of names (before merge/cleanup): 0

Number of names (after merge/cleanup): 0

Number of hosts (imported from cisco file): 1

Number of hosts (imported from checkpoint xml): 0

Number of hosts (dynamically created): 1

Number of hosts (after merge/cleanup): 0

Number of subnet (imported from cisco file): 1

Number of subnet (imported from checkpoint xml): 0

Number of subnet (dynamically created): 0

Number of subnet (after merge/cleanup): 0

Number of range (imported from cisco file): 0

Number of range (imported from checkpoint xml): 0

Number of range (dynamically created): 0

Number of range (after merge/cleanup): 0

Number of subnet groups: 2

Number of service groups: 0

Number of nat rules: 0

Number of acl rules (not imported: established): 0

Number of acl rules (not imported: source port): 0

Number of acl rules (before merge/cleanup): 0

Number of acl rules (after merge/cleanup): 0

Number of single ports (imported from cisco file): 261

Number of single ports (imported from checkpoint xml): 0

Number of single ports (dynamically created): 0

Number of port range (imported from cisco file): 0

Number of port range (imported from checkpoint xml): 0

Number of port range (dynamically created): 0

root@splunk:~/c2c# !cat
cat network_script_verify.txt
CiscoIcmp(name=echo-reply,desc=ICMP, echo reply,alias=)
CiscoIcmp(name=dest-unreach,desc=ICMP, destination unreach,alias=unreachable)
CiscoIcmp(name=source-quench,desc=ICMP, source quench,alias=)
CiscoIcmp(name=redirect,desc=ICMP, route redirect,alias=mobile-redirect)
CiscoIcmp(name=echo-request,desc=ICMP, echo request,alias=echo)
CiscoIcmp(name=time-exceeded,desc=ICMP, time to live exceeded,alias=)
CiscoIcmp(name=param-prblm,desc=ICMP, parameters problem,alias=parameter-problem)
CiscoIcmp(name=timestamp,desc=ICMP, timestamp request,alias=)
CiscoIcmp(name=timestamp-reply,desc=ICMP, timestamp reply,alias=)
CiscoIcmp(name=info-req,desc=ICMP, info request,alias=information-request)
CiscoIcmp(name=info-reply,desc=ICMP, info reply,alias=information-reply)
CiscoIcmp(name=mask-request,desc=ICMP, mask request,alias=)
CiscoIcmp(name=mask-reply,desc=ICMP, mask reply,alias=)
CiscoHost(name=H_1.1.1.254,ipAddr=1.1.1.254,desc=,alias=)
CiscoNetGroup(name=exampleobject,desc=,nbMembers=1,alias=)
 CiscoHost(name=H_1.1.1.254,ipAddr=1.1.1.254,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 1 'object-group network exampleobject'>
CiscoNetGroup(name=groupexample,desc=,nbMembers=0,alias=)
 Verify: <ASAObjGroupNetwork # 4 'object-group network groupexample'>
root@splunk:~/c2c#

Let me know if you need more info, and thanks in advance,

mjardeli commented 7 years ago

Hi, I also asked on the ciscoconfparse project whether object-group network and/or object-group service with child group-object config lines are allowed/recognized.

thanks,

martindube commented 7 years ago

I found that the CiscoNetGroup receives an empty member.

#[-] Adding Alias "information-request" on object "info-req"
#[-] Adding Alias "information-reply" on object "info-reply"
#[+] Importing all single ports objects.
#[+] Importing all port ranges objects.
#[+] Importing all net/host/range groups.
#[-]   Importing: <ASAObjGroupNetwork # 1 'object-group network group1 '>
#[-] Adding Alias "group1 " on object "group1"
[{'mask': '255.255.255.255', 'ipaddr': '1.1.1.254', 'member_method': 'host'}]
#[-] Warning: Could not find object "1.1.1.254" (host). The script will create it.
#[-] Adding member H_1.1.1.254 to group group1
#[-]   Importing: <ASAObjGroupNetwork # 4 'object-group network groupexample'>
[{}]
#[+] A null member was identifed in object "object-group network groupexample"
#[+] Importing all port groups.

It could be caused by ciscoconfparse or other part of my code. I will do more tests.

mjardeli commented 7 years ago

Hi Mart,

Cheers for looking into/investigating this. I found why it wasn't working for the "object-group service" line. It seems that for a config with "object-group service", another identifier (tcp, udp or tcp-udp) is expected at the end. When this identifier is missing, the code does not recognize the config and disregards it.

My guess is that something similar is happening for "object-group network", and it is also waiting for this identifier at the end. I tested here adding a space or tcp (just to fake it), but no luck.

If you need more details or tests I am available!

kind regards,

martindube commented 7 years ago

It was an annoying typo. Let me know if that fixes the issues.

mjardeli commented 7 years ago

Posted in the wrong place:

Hi Mart,

The config line is now being recognized and loaded, but it seems there is something wrong with the logic.

When I try to add it to Checkpoint, it's giving me the following error:

dbedit -local -f network_script.txt -ignore_script_failure -continue_updating
H_1.1.1.254 updated successfully.
Object H_1.1.1.254 already exists
Object Already Exists
Error in line: 12
exampleobject updated successfully.
groupexample updated successfully.
network_objects::H_1.1.1.254
Object H_1.1.1.254 already exists
Object Already Exists for network_objects::H_1.1.1.254
Error in line: 25
network_objects::H_1.1.1.254 was not updated. update now ?[y/n] y

I am using R77.30. It seems it is trying to add the host twice; a harmless error, by the way.

Using your verify command, I receive the following output:

CiscoNetGroup(name=exampleobject,desc=,nbMembers=1,alias=)
 CiscoHost(name=H_1.1.1.254,ipAddr=1.1.1.254,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 1 'object-group network exampleobject'>
CiscoNetGroup(name=groupexample,desc=,nbMembers=1,alias=)
 CiscoNetGroup(name=exampleobject,desc=,nbMembers=1,alias=)
  CiscoHost(name=H_1.1.1.254,ipAddr=1.1.1.254,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 4 'object-group network groupexample'>

I did this on a big config file; normally I look for the "Verify:" tag, as it indicates an issue.

Am I correct in thinking this way? If yes, why is it flagged with "Verify:"?

thank you very much,
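A worked example of the three parsing points this thread turns on, added here and not code from cisco2checkpoint or ciscoconfparse: an object-group network resolved recursively through group-object (so a nested group never yields a null member), the trailing tcp/udp/tcp-udp keyword on object-group service that the tool expected, and creating each Checkpoint host only once so dbedit does not hit "Object already exists". The ASA snippet is constructed for the example, a tiny hand-written parser stands in for ciscoconfparse so it runs offline, and the H_/N_ object names and the dbedit command forms in dbedit_script are assumptions of this example rather than the tool's own output:

```python
"""Added example (not cisco2checkpoint/ciscoconfparse code): resolve nested ASA object-groups, emit each object once."""
import re

# Constructed ASA snippet: a host inside a group, that group nested in another group
# that also lists the host directly, an empty group, and service groups with/without proto.
ASA_CONFIG = """\
object-group network exampleobject
 network-object host 1.1.1.254
 network-object 10.10.0.0 255.255.255.0
object-group network groupexample
 group-object exampleobject
 network-object host 1.1.1.254
object-group network emptygroup
!
object-group service web_services tcp
 port-object eq 80
object-group service groupservice
 service-object tcp destination eq 25
"""
HEADER = re.compile(r"^object-group (network|service) (\S+)(?: (tcp|udp|tcp-udp))?$")

def parse_object_groups(text):
    """Map name -> {"type", "proto", "members"}; a member is ("host", ip), ("subnet", "net mask"),
    ("group", name), ("port", ...) or ("service", ...). Child lines start with a space, as in ASA output."""
    groups, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        m = HEADER.match(line)
        if m:
            kind, name, proto = m.groups()
            current = groups.setdefault(name, {"type": kind, "proto": proto, "members": []})
            continue
        if current is None or not line.startswith(" "):
            current = None  # any other top-level line ends the group
            continue
        parts = line.split()
        if parts[0] == "group-object":
            current["members"].append(("group", parts[1]))
        elif parts[0] == "network-object" and parts[1] == "host":
            current["members"].append(("host", parts[2]))
        elif parts[0] == "network-object":
            current["members"].append(("subnet", " ".join(parts[1:3])))
        elif parts[0] in ("port-object", "service-object"):
            current["members"].append((parts[0].split("-")[0], " ".join(parts[1:])))
        else:
            current["members"].append(("unknown", line.strip()))  # kept, not silently dropped
    return groups

def resolve(groups, name, _stack=()):
    """Flatten a group into unique leaf members, following group-object recursively;
    a cycle or an undefined group raises instead of yielding a null member."""
    if name in _stack:
        raise ValueError("object-group cycle through %s" % name)
    if name not in groups:
        raise KeyError("group-object %s is not defined" % name)
    leaves = []
    for kind, value in groups[name]["members"]:
        for m in (resolve(groups, value, _stack + (name,)) if kind == "group" else [(kind, value)]):
            if m not in leaves:
                leaves.append(m)
    return leaves

def empty_groups(groups):
    """Network groups resolving to nothing: the tool's 'null member' case."""
    return sorted(n for n, g in groups.items() if g["type"] == "network" and not resolve(groups, n))

def service_groups_without_proto(groups):
    """Service groups lacking the tcp/udp/tcp-udp keyword the tool expected."""
    return sorted(n for n, g in groups.items() if g["type"] == "service" and g["proto"] is None)

def dbedit_script(groups):
    """Create every leaf once and every group after the groups it nests, so dbedit never hits
    'Object already exists'. Assumption: H_/N_ names and dbedit command forms are this example's own."""
    lines, done = [], set()
    def emit_leaf(kind, value):
        if kind not in ("host", "subnet"):
            raise ValueError("cannot convert member %s %s" % (kind, value))
        obj = "H_" + value if kind == "host" else "N_" + value.replace(" ", "_")
        if obj not in done:  # a second reference to the same host adds nothing
            done.add(obj)
            fields = [("ipaddr", value)] if kind == "host" else zip(("ipaddr", "netmask"), value.split())
            lines.append("create %s %s" % ("host_plain" if kind == "host" else "network", obj))
            lines.extend("modify network_objects %s %s %s" % (obj, f, v) for f, v in fields)
            lines.append("update network_objects %s" % obj)
        return obj
    def emit_group(name):
        if name not in done:
            done.add(name)
            members = [emit_group(v) if k == "group" else emit_leaf(k, v) for k, v in groups[name]["members"]]
            lines.append("create network_object_group %s" % name)
            lines.extend("addelement network_objects %s '' network_objects:%s" % (name, m) for m in members)
            lines.append("update network_objects %s" % name)
        return name
    for name in sorted(groups):
        if groups[name]["type"] == "network":
            emit_group(name)
    return lines
```

Run against ASA_CONFIG, resolve(groups, "groupexample") returns the host and the subnet exactly once, empty_groups reports only emptygroup, service_groups_without_proto reports groupservice, and dbedit_script creates H_1.1.1.254 a single time before the group that references it, which is the ordering the dbedit run above needed.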

martindube commented 7 years ago

Hi mjardeli,

The verify command was written to help identify from which cisco lines a checkpoint object was defined. The keyword comes from the need to verify the whole configuration before importing. I agree that it's not the best keyword.

It is mostly useful when importing a ton of ACLs. It does not raise issues per se, but it could surface inconsistencies or bugs (as you found). However, you should find more logical issues in Warning messages or with the --debug parameter.

Thank you,

mjardeli commented 7 years ago

Hi Mart,

I am the one here who must say thanks. Thanks for your good work!

You are so kind; if you prefer not to reply to me, I'll understand.

On my previous post, I did not express myself correctly.

When I use your command with --verify, as you suggest on the GitHub page, like the following command line:

python2.7 c2c.py --verify --format text --ciscoFile 'test.conf' --syntax asa --policy My_Policy --installOn My_Firewall --output 'network_script_verify.txt'

The output file "network_script_verify.txt" contains a lot of lines. On this one I added a few hosts and services. All lines are normal, but for the group config lines I can see the "Verify:" at the end of the group loading:

CiscoHost(name=aaa,ipAddr=172.16.11.1,desc=,alias=)
CiscoHost(name=aab,ipAddr=172.16.11.2,desc=,alias=)
CiscoIcmp(name=echo-reply,desc=ICMP, echo reply,alias=)
CiscoIcmp(name=dest-unreach,desc=ICMP, destination unreach,alias=unreachable)
CiscoIcmp(name=source-quench,desc=ICMP, source quench,alias=)
CiscoIcmp(name=redirect,desc=ICMP, route redirect,alias=mobile-redirect)
CiscoIcmp(name=echo-request,desc=ICMP, echo request,alias=echo)
CiscoIcmp(name=time-exceeded,desc=ICMP, time to live exceeded,alias=)
CiscoIcmp(name=param-prblm,desc=ICMP, parameters problem,alias=parameter-problem)
CiscoIcmp(name=timestamp,desc=ICMP, timestamp request,alias=)
CiscoIcmp(name=timestamp-reply,desc=ICMP, timestamp reply,alias=)
CiscoIcmp(name=info-req,desc=ICMP, info request,alias=information-request)
CiscoIcmp(name=info-reply,desc=ICMP, info reply,alias=information-reply)
CiscoIcmp(name=mask-request,desc=ICMP, mask request,alias=)
CiscoIcmp(name=mask-reply,desc=ICMP, mask reply,alias=)
CiscoHost(name=H_1.1.1.254,ipAddr=1.1.1.254,desc=,alias=)
CiscoNetGroup(name=exampleobject,desc=,nbMembers=1,alias=)
 CiscoHost(name=H_1.1.1.254,ipAddr=1.1.1.254,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 16 'object-group network exampleobject'>
CiscoNetGroup(name=groupexample,desc=,nbMembers=1,alias=)
 CiscoNetGroup(name=exampleobject,desc=,nbMembers=1,alias=)
   CiscoHost(name=H_1.1.1.254,ipAddr=1.1.1.254,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 18 'object-group network groupexample'>
CiscoServiceGroup(name=web_services,desc=,nbMembers=6)
 CiscoServicePort(name=ftp,port=21,desc=File Transfer Protocol,alias=)
 CiscoServicePort(name=http,port=80,desc=Hypertext Transfer Protocol,alias=)
 CiscoServicePort(name=https,port=443,desc=HTTP protocol over TLS/SSL,alias=)
 CiscoServicePort(name=domain-tcp,port=53,desc=Domain Name System Download,alias=)
 CiscoServicePort(name=pop-3,port=110,desc=Post Office Protocol - Version 3,alias=)
 CiscoServicePort(name=smtp,port=25,desc=Simple Mail Transfer Protocol,alias=)
 Verify: <ASAObjGroupService # 6 'web_services'>
CiscoServiceGroup(name=groupservice,desc=,nbMembers=2)
 CiscoServicePort(name=smtp,port=25,desc=Simple Mail Transfer Protocol,alias=)
 CiscoServicePort(name=SMTPS,port=465,desc=SSL protocol over SMTPS,alias=)
 Verify: <ASAObjGroupService # 13 'groupservice'>

When I was adjusting my config, I was searching for this tag, and every time there was an issue with the config that I had to modify for it to be loaded correctly. That does not seem to be the case now, or it's an issue/error I don't see. Anyway, never mind.

Thank you again for your help,