glennake / DirectFire_Converter

DirectFire Firewall Converter - Network Security, Next-Generation Firewall Configuration Conversion, Firewall Syntax Translation and Firewall Migration Tool - supports Cisco ASA, Fortinet FortiGate (FortiOS), Juniper SRX (JunOS), SSG / Netscreen (ScreenOS) and WatchGuard (support for further devices in development). Similar to FortiConverter, SmartMove, Expedition etc.
GNU General Public License v3.0

Errors when going from FortiGate to Cisco #10

Open mattynealo opened 2 years ago

mattynealo commented 2 years ago

Traceback (most recent call last):
  File "converter.py", line 254, in <module>
    main(src_format=args.source, dst_format=args.destination, routing_info=args.routing)
  File "/home/user/.local/lib/python3.8/site-packages/traceback_with_variables/print.py", line 98, in wrapper
    return func(*args, **kwargs)
  File "converter.py", line 230, in main
    parsed_data = parse(
  File "converter.py", line 127, in parse
    parsed_data = parse(src_config, routing_info)
  File "/home/user/DirectFire_Converter/DirectFire/Converter/parsers/fortigate.py", line 118, in parse
    route["network"] = re_match.group(1)
AttributeError: 'NoneType' object has no attribute 'group'

mattynealo commented 2 years ago

Log file:

2021-08-01 07:53:43 INFO DirectFire.Converter.main: converter starting
2021-08-01 07:53:43 INFO DirectFire.Converter.main: source format is fortigate
2021-08-01 07:53:43 INFO DirectFire.Converter.main: loading source configuration from fg.conf
2021-08-01 07:53:43 INFO DirectFire.Converter.main: running configuration parser
2021-08-01 07:53:43 INFO DirectFire.Converter.parse: loading parser module for fortigate
2021-08-01 07:53:43 INFO DirectFire.Converter.parse: loaded parser module for fortigate
2021-08-01 07:53:43 INFO DirectFire.Converter.parse: starting parse of source configuration
2021-08-01 07:53:43 INFO DirectFire.Converter.parsers.fortigate: parser module started
2021-08-01 07:53:43 INFO DirectFire.Converter.parsers.fortigate: parse system
2021-08-01 07:53:43 INFO DirectFire.Converter.parsers.fortigate: parse interfaces - not yet supported
2021-08-01 07:53:43 INFO DirectFire.Converter.parsers.fortigate: parse zones - not yet supported
2021-08-01 07:53:43 INFO DirectFire.Converter.parsers.fortigate: parse static routes
2021-08-01 07:53:43 ERROR Traceback with variables (most recent call last):
  File "converter.py", line 230, in main
    .
    .     # Run configuration parser
    .
    .     logger.info("DirectFire.Converter.main: running configuration parser")
    .
    .     parsed_data = parse(
    .         src_format=src_format, src_config=src_config, routing_info=routing_info
    .     )
    .
    .     logger.info("DirectFire.Converter.main: configuration parser finished")
    .
      src_format = 'fortigate'
      dst_format = 'ciscoasa'
      routing_info = None
      config_file = <_io.TextIOWrapper name='fg.conf' mode='r' encoding='UTF-8'>
      src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=user\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4>
  File "converter.py", line 127, in parse
    .
    .     logger.info("DirectFire.Converter.parse: loaded parser module for " + src_format)
    .
    .     logger.info("DirectFire.Converter.parse: starting parse of source configuration")
    .     parsed_data = parse(src_config, routing_info)
    .
    .     logger.info("DirectFire.Converter.parse: completed parse of source configuration")
    .
    .     return parsed_data
    .
      src_format = 'fortigate'
      src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=user\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4>
      routing_info = None
      parse = <function parse at 0x7f03f72cc940>
  File "/home/user/DirectFire_Converter/DirectFire/Converter/parsers/fortigate.py", line 118, in parse
    .             + common.common_regex.ipv4_mask
    .             + ")\n",
    .             route_config,
    .         )
    .         route["network"] = re_match.group(1)
    .         route["mask"] = re_match.group(2)
    .
    .         re_match = re.search(
    .             "set gateway ([0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3})\n",
    .             route_config,
      src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=user\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4
      routing_info = None
      data = {'system': {'hostname': 'FG-HOSTNAME'}, 'interfaces': {}, 'zones': {}, 'routes': [], 'routes6': [], 'network_objects': {}, 'network6_objects': {}, 'network_groups': {}, 'network6_groups': {}, 'service_objects': {}, 's>
      re_match = None
      routes_block = 'config router static\n edit 1\n set gateway X.X.X.XX\n set distance 100\n set device "port15"\n next\n edit 3\n set device "VPNtoLenoir"\n set comment "VPN: VPNto>
      route_match = <re.Match object; span=(21, 126), match=' edit 1\n set gateway X.X.X.X\n >
      route_config = ' edit 1\n set gateway X.X.X.X\n set distance 100\n set device "port15"\n next'
      route = {}
builtins.AttributeError: 'NoneType' object has no attribute 'group'

glennake commented 2 years ago

Hi @mattynealo,

Looking through the log, have you changed the IP in your routing to X.X.X.X before running your config through the converter? Or have you just replaced this in the log?

Can you share the full 'config router static' section of the config please? Or output of command 'show router static' on the fortigate.

Thanks, Glenn

mattynealo commented 2 years ago

Glenn,

Thanks for the quick response. The x.x.x.x is a scrubbed IP, as I didn't want it posted publicly.

mattynealo commented 2 years ago

See below. PUBLIC_IP is a real public address, each X1, X2, ... is a VPN site, and PUBLIC_IP_SECOND_WAN is the real IP for the redundant provider.

config router static
    edit 1
        set gateway PUBLIC_IP
        set distance 100
        set device "port15"
    next
    edit 3
        set device "VPNtoX1"
        set comment "VPN: VPNtoX1 (Created by VPN wizard)"
        set dstaddr "VPNtoX1_remote"
    next
    edit 5
        set device "VPNX2"
        set comment "VPN: VPNX2 (Created by VPN wizard)"
        set dstaddr "VPNX2_remote"
    next
    edit 7
        set device "VPNtoX3"
        set comment "VPN: VPNtoX3 (Created by VPN wizard)"
        set dstaddr "VPNtoX3_remote"
    next
    edit 11
        set gateway PUBLIC_IP_SECOND_WAN
        set distance 200
        set device "port16"
    next
    edit 6
        set device "X4"
        set comment "VPN: X4 (Created by VPN wizard)"
        set dstaddr "X4_remote"
    next
    edit 9
        set distance 254
        set comment "VPN: X5 (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "X5_remote"
    next
    edit 10
        set device "VPNtoX6"
        set comment "VPN: VPN_ToX6 (Created by VPN wizard)"
        set dstaddr "VPN_ToX6_remote"
    next
    edit 12
        set distance 254
        set comment "VPN: VPN_ToX6 (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "VPN_ToX6_remote"
    next
    edit 13
        set device "VPNToX7"
        set comment "VPN: VPNX7 (Created by VPN wizard)"
        set dstaddr "VPNX7_remote"
    next
    edit 14
        set distance 254
        set comment "VPN: VPNX7 (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "VPNX7_remote"
    next
    edit 15
        set dst 10.56.0.0 255.255.0.0
        set gateway 192.168.255.1
        set distance 2
        set device "port14"
    next
    edit 18
        set dst 10.2.5.0 255.255.255.0
        set gateway 10.1.100.1
        set distance 1
        set device "Internal"
    next
    edit 21
        set status disable
        set dst 10.10.200.0 255.255.255.0
        set gateway 1.1.1.1
        set device "port6"
    next
    edit 22
        set status disable
        set dst 10.1.101.0 255.255.255.0
        set gateway 1.1.1.1
        set device "port6"
        set comment "testing with 101 subnet"
    next
    edit 19
        set dst 10.212.134.0 255.255.255.0
        set distance 2
        set device "ssl.root"
    next
end

glennake commented 2 years ago

Hi @mattynealo,

Thanks for sharing your config.

I have made some updates to the FortiGate parser module which hopefully resolves. Can you pull the latest from git and try again?

Glenn

mattynealo commented 2 years ago

Thanks Glenn,

Looks like it still has errors on the GeoBlocks I removed Moldova which was in the first log and then it errored at the next which was Russia. see log below: 2021-08-04 09:06:53 INFO DirectFire.Converter.main: converter starting 2021-08-04 09:06:53 INFO DirectFire.Converter.main: source format is fortigate 2021-08-04 09:06:53 INFO DirectFire.Converter.main: loading source configuration from fg.conf 2021-08-04 09:06:53 INFO DirectFire.Converter.main: running configuration parser 2021-08-04 09:06:53 INFO DirectFire.Converter.parse: loading parser module for fortigate 2021-08-04 09:06:53 INFO DirectFire.Converter.parse: loaded parser module for fortigate 2021-08-04 09:06:53 INFO DirectFire.Converter.parse: starting parse of source configuration 2021-08-04 09:06:53 INFO DirectFire.Converter.parsers.fortigate: parser module started 2021-08-04 09:06:53 INFO DirectFire.Converter.parsers.fortigate: parse system 2021-08-04 09:06:53 INFO DirectFire.Converter.parsers.fortigate: parse interfaces - not yet supported 2021-08-04 09:06:53 INFO DirectFire.Converter.parsers.fortigate: parse zones - not yet supported 2021-08-04 09:06:53 INFO DirectFire.Converter.parsers.fortigate: parse IPv4 network objects 2021-08-04 09:06:53 ERROR Traceback with variables (most recent call last): File "converter.py", line 230, in main . . # Run configuration parser . . logger.info("DirectFire.Converter.main: running configuration parser") .

parsed_data = parse(

. src_format=src_format, src_config=src_config, routing_info=routing_info . ) . . logger.info("DirectFire.Converter.main: configuration parser finished") . src_format = 'fortigate' dst_format = 'ciscoasa' routing_info = None config_file = <_io.TextIOWrapper name='fg.conf' mode='r' encoding='UTF-8'> src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=ntmneal\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4> File "converter.py", line 127, in parse . . logger.info("DirectFire.Converter.parse: loaded parser module for " + src_format) . . logger.info("DirectFire.Converter.parse: starting parse of source configuration") . parsed_data = parse(src_config, routing_info) . . logger.info("DirectFire.Converter.parse: completed parse of source configuration") . . return parsed_data . src_format = 'fortigate' src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=ntmneal\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4> routing_info = None parse = <function parse at 0x7f375cd4c940> File "/home/ntmneal/DirectFire_Converter/DirectFire/Converter/parsers/fortigate.py", line 136, in parse . network_object, . ) . . data["network_objects"][network_object_name][ . "country_code" ] = re_match.group(1) . . elif network_object_type == "ipmask": . . re_match = re.search( . 
"set subnet (" src_config = '#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=ntmneal\n#conf_file_ver=361464447715519\n#buildno=1232\n#global_vdom=1\nconfig system global\n set admin-sport 8443\n set admintimeout 4 routing_info = None data = {'system': {'hostname': 'ACY-FGT400D_1'}, 'interfaces': {}, 'zones': {}, 'routes': [], 'routes6': [], 'network_objects': {'FABRIC_DEVICE': {'type': 'network', 'network': '0.0.0.0', 'mask': '0.0.0.0'}, 'FIREWALL_AUTH_PORT re_match = None network_objects_block = 'config firewall address\n edit "FABRIC_DEVICE"\n set uuid 6f9b82ae-bc94-51e9-108c-26a1844c4012\n set comment "IPv4 addresses of Fabric Devices."\n next\n edit "FIREWALL_AUTH_PORT> network_object_match = <re.Match object; span=(3720, 3852), match=' edit "Russia"\n set uuid 7c9f9252-4553> network_object = ' edit "Russia"\n set uuid 7c9f9252-4553-51e7-6971-0430e0d72e7d\n set type geography\n set country "RU"\n next' network_object_name = 'Russia' network_object_type = 'geography' network_object_network = '185.129.148.19' network_object_mask = '255.255.255.255' builtins.AttributeError: 'NoneType' object has no attribute 'group'

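Both tracebacks in this thread have the same shape: re.search() returns None because the entry lacks the line the regex is looking for (a default or VPN-wizard route with no "set dst", an address object whose lookup does not match), and the parser calls .group() on the None. The block below is an added example, not DirectFire's parser, showing a tolerant way to parse "config router static" and "config firewall address": every "set" lookup returns None when the line is absent, a missing "set dst" is read as 0.0.0.0/0, and blackhole, disabled and geography entries come through with their own fields. The sample config is constructed to mirror the shapes posted above, and the default distance of 10 is an assumed FortiOS default, not something the thread states.

```python
"""Tolerant parsing of the two FortiOS blocks that raised in this thread.
Added example, not DirectFire's parser: a missing 'set ...' line yields None
instead of re.search(...).group() raising AttributeError. Sample config is
constructed; the default distance of 10 is an assumed FortiOS default."""
import re

# Constructed sample: default route without 'set dst', VPN-wizard route with only
# 'set dstaddr', blackhole route, disabled route, geography object without 'set subnet'.
SAMPLE = """\
config router static
    edit 1
        set gateway 203.0.113.1
        set distance 100
        set device "port15"
    next
    edit 3
        set device "VPNtoX1"
        set dstaddr "VPNtoX1_remote"
    next
    edit 9
        set distance 254
        set blackhole enable
        set dstaddr "X5_remote"
    next
    edit 21
        set status disable
        set dst 10.10.200.0 255.255.255.0
        set gateway 1.1.1.1
        set device "port6"
    next
end
config firewall address
    edit "Russia"
        set type geography
        set country "RU"
    next
    edit "web-srv"
        set subnet 10.1.100.10 255.255.255.255
    next
end
"""


def section(config, name):
    """Body of a top-level 'config <name> ... end' block ('' if absent)."""
    m = re.search(r"^config " + re.escape(name) + r"\n(.*?)^end$", config, re.S | re.M)
    return m.group(1) if m else ""


def entries(block):
    """Yield (id, body) for each 'edit <id> ... next' entry; the id may be quoted."""
    for m in re.finditer(r'^\s*edit ("?)([^"\n]+)\1\n(.*?)^\s*next$', block, re.S | re.M):
        yield m.group(2), m.group(3)


def setting(body, key):
    """Value of 'set <key> ...' without surrounding quotes, or None if absent."""
    m = re.search(r"^\s*set " + re.escape(key) + r" (.+?)\s*$", body, re.M)
    return m.group(1).strip('"') if m else None


def parse_static_routes(config):
    routes = []
    for rid, body in entries(section(config, "router static")):
        dst = setting(body, "dst")
        # FortiOS omits 'set dst' for 0.0.0.0/0: treat absence as the default route
        network, mask = dst.split() if dst else ("0.0.0.0", "0.0.0.0")
        routes.append({
            "id": int(rid),
            "network": network,
            "mask": mask,
            "dstaddr": setting(body, "dstaddr"),  # named destination object, or None
            "gateway": setting(body, "gateway"),  # None on interface and blackhole routes
            "device": setting(body, "device"),
            "distance": int(setting(body, "distance") or 10),  # assumed default
            "blackhole": setting(body, "blackhole") == "enable",
            "enabled": setting(body, "status") != "disable",
        })
    return routes


def parse_address_objects(config):
    objects = {}
    for name, body in entries(section(config, "firewall address")):
        otype = setting(body, "type") or "ipmask"  # 'set type' is omitted for ipmask
        if otype == "geography":
            objects[name] = {"type": "geography", "country_code": setting(body, "country")}
        elif otype == "ipmask":
            subnet = setting(body, "subnet")
            network, mask = subnet.split() if subnet else ("0.0.0.0", "0.0.0.0")
            objects[name] = {"type": "network", "network": network, "mask": mask}
        else:
            objects[name] = {"type": otype, "unsupported": True}
    return objects


if __name__ == "__main__":
    print(*parse_static_routes(SAMPLE), parse_address_objects(SAMPLE), sep="\n")
```

The point for a converter is that a route without "set dst" is still a real route (the default route), and a geography object carries no subnet at all, so the destination syntax has to be chosen per entry type rather than assumed; an entry the parser does not understand should be recorded as unsupported and reported, not silently dropped, because a missing route or object in the converted policy is a reachability or exposure change on the new firewall.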
mattynealo commented 2 years ago

I have permission to upload the whole config

glennake commented 2 years ago

Thanks @mattynealo, will have a look into this.

I've downloaded your config and removed it from your comment as it's potentially sensitive.

Glenn
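Two things in this thread point at how a config should be scrubbed before it is posted: Glenn's question whether "X.X.X.X" had gone into the converter (it would not have matched the IPv4 regex if it had), and the full config having to be pulled from a public comment because it was sensitive. The block below is an added example, not part of DirectFire, of scrubbing a FortiGate config in a way that keeps it parseable: public IPv4 addresses are replaced one-to-one with RFC 5737 documentation addresses so routes and address objects stay consistent and still look like addresses, subnet masks and RFC 1918 space are left alone, lines of the form "set psksecret ENC ...", "set password ENC ..." and "set passwd ..." (real FortiOS settings) are blanked, and the "user=" field of the config header is cleared. The sample config is constructed.

```python
"""Scrub a FortiGate config before posting it, without breaking the parser.
Added example, not part of DirectFire. Public IPv4 addresses are mapped
one-to-one onto RFC 5737 documentation addresses, masks and private space are
kept, secrets and the header's user= field are blanked. Sample is constructed."""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")
DOC_RANGES = ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
SECRET_KEYS = ("psksecret", "password", "passwd")  # FortiOS 'set <key> ENC <blob>' lines

SAMPLE = """\
#config-version=FGT4HD-6.2.8-FW-build1232-210426:opmode=0:vdom=0:user=mattn
config router static
    edit 1
        set gateway 8.8.8.8
        set distance 100
        set device "port15"
    next
    edit 18
        set dst 10.2.5.0 255.255.255.0
        set gateway 10.1.100.1
        set device "Internal"
    next
end
config vpn ipsec phase1-interface
    edit "VPNtoX1"
        set remote-gw 1.1.1.1
        set psksecret ENC AbCdEf0123456789==
    next
end
config firewall address
    edit "X1_remote_gw"
        set subnet 1.1.1.1 255.255.255.255
    next
end
"""


def is_mask(addr):
    """True for a contiguous-ones netmask such as 255.255.0.0 or 0.0.0.0."""
    inverted = ~int(addr) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def scrub(config, secret_keys=SECRET_KEYS):
    """Return (scrubbed_config, {real_ip: placeholder}); keep the mapping private."""
    placeholders = (str(h) for net in DOC_RANGES for h in ipaddress.ip_network(net).hosts())
    mapping = {}

    def replace_ip(match):
        raw = match.group(0)
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:          # e.g. 999.1.1.1 is not an address, leave it
            return raw
        if is_mask(ip) or not ip.is_global:
            return raw              # masks must stay valid; RFC 1918 space is left in
        if raw not in mapping:      # same real address -> same placeholder everywhere
            try:
                mapping[raw] = next(placeholders)
            except StopIteration:
                raise RuntimeError("more public addresses than documentation placeholders")
        return mapping[raw]

    out = IPV4_RE.sub(replace_ip, config)
    keys = "|".join(re.escape(k) for k in secret_keys)
    out = re.sub(r"^(\s*set (?:%s) )(?:ENC )?\S+" % keys, r"\1ENC REDACTED", out, flags=re.M)
    out = re.sub(r"^(#config-version=.*:user=)\S+", r"\1redacted", out, flags=re.M)
    return out, mapping


if __name__ == "__main__":
    scrubbed, table = scrub(SAMPLE)
    print(scrubbed)
    print("mapping (do not share):", table)
```

Private addresses are left in because the posted config above kept them and they are needed to judge whether routes and objects convert correctly; if an internal addressing plan is itself sensitive, extend the same mapping to the RFC 1918 ranges. The mapping table is what lets a fix found on the scrubbed config be applied to the real one, so keep it with the original, not with the upload.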

mattynealo commented 2 years ago

@glennake Thank you so much, Is there a way I can contribute to this project?

glennake commented 2 years ago

Hi @mattynealo,

I've made a few fixes and additions which mean the tool will process your config without erroring now if you can pull the latest. I have not checked for accuracy so please make sure you do before using any configs from it, and let me know of any issues you find.

Always happy for additional contributors, if you can work in Python feel free to fork and improve any existing modules, or add your own for new vendors. Then raise a pull request for your changes to be reviewed for merge.

Thanks, Glenn

mattynealo commented 2 years ago

@glennake I am not a programmer... I was asking if I could buy you a beer or financially contribute for your time.

mattynealo commented 2 years ago

This is great so far. Looks like it stops right after the groups and network objects, but doesn't convert any of the rules.

mattynealo commented 2 years ago

Also, is it supposed to output to a file? If so, I can't seem to find it.

glennake commented 2 years ago

@mattynealo really appreciate the offer, thank you. It's fine though, you don't have to.

FortiGate parsing support is detailed here, I've just added service objects and service groups. Will add policies as soon as I can.

Glenn