I'm having difficulty importing a Sidewinder configuration into Migration Tool 3.0.
After import, I see zones and objects, but no security rules, and "Monitor Logs and Reports" is blank. The only message in /debug is a single-line warning about a certificate.
Here are two examples of the rules as exported from Sidewinder (McAfee 7.1):
policy add table=rule name='allow all tcp 23' rulegroup=Administration pos=3 \
action=allow appdefense=defaultgroup audit=standard authenticator= \
authgroups='*' dest='*' dest_burbs='*' disable=no inspection_level=none \
ipsresponse= nat_addr=host:localhost nat_mode=normal redir= redir_port= \
service=service:Allow_TCP_23 sign_category_grp= source='*' \
source_burbs='*' timeperiod='*' ts_enable=no \
ts_reputation=suspicious_unverified_threshold description='' \
last_changed_by='mortk on Mon Nov 14 11:44:34 2011'
policy add table=rule name=Block_Network_Printers rulegroup='' pos=13 \
action=drop appdefense=group:Protect_computers audit=standard \
authenticator= authgroups='*' dest='*' dest_burbs=burb:external \
disable=no inspection_level=comprehensive ipsresponse= \
nat_addr=host:localhost nat_mode=normal redir= redir_port= \
service='servicegroup:Internet Services' sign_category_grp= \
source=netgroup:Network_Printers source_burbs=burb:internal \
timeperiod='*' ts_enable=no ts_reputation=suspicious_unverified_threshold \
description='Block network printers' \
last_changed_by='johnd on Fri Mar 21 15:14:10 2014'
Yes, we are aware; our team is working to finalise this part. Please be patient, this is a priority for us and we want to have it ready as soon as we can.
Hi k.kadow,
Please upgrade to the release dated 13th May 2015 00 and try it again. Please let us know how it works; all your feedback and help is much appreciated!
Making good progress with the new release.
I did notice the commands Palo Alto suggests do not include netgroups? (The tool doesn't ask for the output of "cf netgroup query".)
For my source device, all interfaces are populated with names, but not interface IPs or descriptions. Also, disabled interfaces (enabled=no) are treated as if they were enabled. This isn't a big deal, easy to adjust manually.
Lastly, the suggested commands generate an error on Sidewinder firewalls with only static routes and no routing protocol: "cf route q" fails. I added the output of "cf static q" and the static routes did come in, again without descriptions/names.
I am having a similar issue, but with the netmaps and interface secondary IPs.
When I try to migrate the interface, only the first IP gets migrated. Usually the first IP gets migrated and the others do not show up.
The netmap issue is that I don't see any NAT rule created after migration. Not sure if I am missing something, but when I only try to upload the netmaps from the Sidewinder, nothing happens in the tool.
Other than that, policy, routes, interfaces, zones, addresses and address groups all worked really well.
NAT in Sidewinder is not supported. Can you share an example of the piece of config that shows the secondary IP address? You can replace the IP addresses with X.X.X.X :) Thx
Sorry for the late reply.
This is an example of secondary IP addresses:
interface add entrytype=interface name=em1 hwdevice=em1 enabled=yes \
qos_profile='' mtu=1500 description='description'
They are all separated by commas, with no space between the comma and the next IP.
For the NAT, I thought it was supported because the tool actually tells you how to get the config for the NAT:
cf netmap q >> config_sidewinder.txt
This is an example of a netmap or NAT:
netmap add \
name='your name here' \
members=ipaddr:your ip members:second IP member \ (those are your IPADDR
description='your description here' \
last_changed_by='admin on Mon Apr 22 10:54:27 2013'
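For anyone trying to work out which objects the tool drops on import, every export line quoted in this thread shares one grammar: `object verb key=value ...`, values optionally single-quoted, records continued with a trailing backslash, and multi-valued fields comma-separated with no spaces. The parser below is an added example written for this page; it is not part of Migration Tool 3.0 and not code any poster supplied. It joins the continuation lines, splits the key=value pairs with shell-style quoting, and then applies the three checks raised above: disabled rules and interfaces (disable=yes / enabled=no) must not be treated as live, secondary addresses come back as a full list rather than only the first, and netmap members are listed per netmap. The sample export inside the block is constructed from the lines quoted here; the `ipaddrs=` field name on the interface line and the `ipaddr:` prefix on netmap members are assumptions, because the thread never shows the real field names.

```python
import shlex
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample modelled on the export lines quoted in this thread.
# ASSUMPTION: the field name 'ipaddrs=' for interface addresses and the
# 'ipaddr:' member prefix in netmaps are not shown in the thread.
SAMPLE_EXPORT = r"""
policy add table=rule name='allow all tcp 23' rulegroup=Administration pos=3 \
action=allow appdefense=defaultgroup audit=standard authenticator= \
authgroups='*' dest='*' dest_burbs='*' disable=no inspection_level=none \
service=service:Allow_TCP_23 source='*' source_burbs='*' \
description='' last_changed_by='mortk on Mon Nov 14 11:44:34 2011'
policy add table=rule name=Block_Network_Printers rulegroup='' pos=13 \
action=drop dest='*' dest_burbs=burb:external disable=yes \
service='servicegroup:Internet Services' source=netgroup:Network_Printers \
source_burbs=burb:internal description='Block network printers'
interface add entrytype=interface name=em1 hwdevice=em1 enabled=yes \
qos_profile='' mtu=1500 ipaddrs=192.0.2.1/24,192.0.2.2/24 description='outside'
interface add entrytype=interface name=em2 hwdevice=em2 enabled=no mtu=1500
netmap add name='printers_out' members=ipaddr:192.0.2.10,ipaddr:192.0.2.11 \
description='constructed netmap'
"""


def join_continuations(text: str) -> List[str]:
    """Merge lines ending in a backslash into single logical records."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line and not buf:
            continue  # blank line between records
        if line.endswith("\\"):
            buf += line[:-1] + " "  # drop the backslash, keep the record open
            continue
        buf += line
        entries.append(buf.strip())
        buf = ""
    if buf:  # file ended with a dangling continuation
        entries.append(buf.strip())
    return entries


def parse_entry(entry: str) -> Record:
    """Turn "policy add table=rule name='a b' ..." into a dict.

    shlex handles the single-quoted values, so name='allow all tcp 23'
    becomes one key with the spaces preserved, and authenticator= or
    description='' become keys with an empty string value.
    """
    tokens = shlex.split(entry, posix=True)
    if len(tokens) < 2:
        raise ValueError(f"unexpected entry: {entry!r}")
    rec: Record = {"_object": tokens[0], "_verb": tokens[1]}
    for tok in tokens[2:]:
        if "=" not in tok:
            raise ValueError(f"bare token {tok!r} in {entry!r}")
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def parse_export(text: str) -> List[Record]:
    return [parse_entry(e) for e in join_continuations(text)]


def split_list(value: str) -> List[str]:
    """Multi-valued fields are comma-separated with no spaces."""
    return [v for v in value.split(",") if v]


def active_rules(records: List[Record]) -> List[Record]:
    """Policy rules in pos order, with disable=yes rules left out."""
    rules = [r for r in records
             if r["_object"] == "policy" and r.get("table") == "rule"]
    rules.sort(key=lambda r: int(r["pos"]))
    return [r for r in rules if r.get("disable", "no") != "yes"]


def interface_addresses(records: List[Record]) -> Dict[str, List[str]]:
    """name -> every address on the interface, enabled interfaces only."""
    out: Dict[str, List[str]] = {}
    for r in records:
        if r["_object"] != "interface" or r.get("enabled", "yes") != "yes":
            continue  # enabled=no must not be migrated as a live interface
        out[r["name"]] = split_list(r.get("ipaddrs", ""))
    return out


def netmap_members(records: List[Record]) -> Dict[str, List[Tuple[str, str]]]:
    """netmap name -> [(member type, member value), ...]."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for r in records:
        if r["_object"] != "netmap":
            continue
        pairs = []
        for m in split_list(r.get("members", "")):
            kind, _, val = m.partition(":")
            pairs.append((kind, val))
        out[r["name"]] = pairs
    return out


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("active rules:", [r["name"] for r in active_rules(recs)])
    print("interfaces:", interface_addresses(recs))
    print("netmaps:", netmap_members(recs))
```

Run it against a real `cf policy q` / `cf interface q` / `cf netmap q` dump by replacing the constructed sample; any record that raises in `parse_entry` is one the exporter wrote in a form this grammar does not cover and is worth looking at by hand before blaming the import.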