Python Script to convert firewall rules

Kashif Rana kashifrana84 at gmail.com
Wed Dec 10 13:51:59 EST 2014


Hello Experts

I am a network engineer and not an expert in programming. I would like to write a Python script to convert a Juniper NetScreen firewall configuration into a Juniper SRX firewall configuration. A sample is below. I would appreciate it if anybody could give me the high-level steps to start with.

Juniper Netscreen
--------------------
set interface ethernet0/0 ip 194.1.1.1/24
set interface ethernet0/0 route
set interface "ethernet0/0" zone "Untrust"


set interface ethernet2/5 ip 10.17.10.1/24
set interface ethernet2/5 route
set interface "ethernet2/5" zone "Mail DMZ"

 

set interface "ethernet0/0" mip 194.1.1.10 host 10.17.10.10 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 194.1.1.20 host 10.17.10.20 netmask 255.255.255.255 vr "trust-vr"

set address "Mail DMZ" "mx1.union.com" 10.17.10.10 255.255.255.255
set address "Mail DMZ" "mx2.union.com" 10.17.10.20 255.255.255.255

set policy id 100 name "CR4444567" from "Untrust" to "DMZ"  "Any" "MIP(194.1.1.10)" "SMTP" permit log
set policy id 100
set dst-address "MIP(194.1.1.20)"
set log session-init
exit

Juniper SRX
----------
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 194.1.1.1/24;
            }
        }
    }
    ge-2/0/5 {
        unit 0 {
            family inet {
                address 10.17.10.1/24;
            }
        }
    }
}
security {
    nat {
        static {
            rule-set static-nat-"Untrust" {
                from zone "Untrust";
                rule rule-1 {
                    match {
                        destination-address 194.1.1.10/32;
                    }
                    then {
                        static-nat prefix 10.17.10.10/32;
                    }
                }
		rule rule-2 {
                    match {
                        destination-address 194.1.1.20/32;
                    }
                    then {
                        static-nat prefix 10.17.10.20/32;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    194.1.1.10/32;
		    194.1.1.20/32;
                }
            }
        }
    }
    zones {
        security-zone Untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone DMZ {
            address-book {
                address mx1.union.com  10.17.10.10/32;
                address mx2.union.com  10.17.10.20/32;
            }
            interfaces {
                ge-2/0/5.0;
            }
        }
    }
    policies {
        from-zone Untrust to-zone DMZ {
            /* "CR4444567" */
            policy 100 {
                match {
                    source-address any;
                    destination-address [ mx1.union.com mx2.union.com ];
                    application junos-smtp;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}



