Hi Martin,

How are you? Hope you are well.

I am trying to parse a range object:

object network network_object
 range 192.168.1.150 192.168.1.160

root@splunk:~/c2c# python2.7 c2c.py --verify --format text --ciscoFile 'test' --syntax asa --policy My_Policy --installOn My_Firewall --output 'network_script_verify.txt'
Importing all objects except groups.
Importing Checkpoint network objects
Importing all names.
Importing all hosts.
Importing all networks.
Importing all ranges.
Traceback (most recent call last):
File "c2c.py", line 168, in
c2c.importConfig(args.cpPortsFile,args.cpNetObjFile,args.ciscoFile)
File "lib/cisco2checkpoint.py", line 1740, in importConfig
self._importRanges(self.parser.getRangeObjs())
File "lib/cisco2checkpoint.py", line 1800, in _importRanges
print_debug(' Importing: %r' % h)
NameError: global name 'h' is not defined

Is it normal ?

thanks,

Hi Martin,
Sorry to bother you again, I think this one is important.

I have one case of same object name but different case on config I am parsing. This is allowed on Cisco configs but not allowed on CheckPoint.
I did few tests, and this can lead to a complete different rule on checkpoint.

There are two objects on checkpoint database ( importing using attached customer_network_objects.xml
customer_network_objects.xml.txt
).

Please pay close attention to object names and case ( this is causing all this mess).

CheckPoint Database:
host dns_1 - 1.1.1.1
group dns_servers containing only dns_1.

Cisco config to parse

object network dns_1
 host 192.168.71.41
object-group network dns_servers
 network-object host 1.1.1.1
 network-object object dns_1
 network-object host 172.16.11.64
object-group network DNS_SERVERS
 network-object host 172.16.11.110
 network-object host 172.16.11.111
 network-object host 172.16.11.24
 network-object host 172.16.11.112
object-group network DM_INLINE_NETWORK_17
 group-object DNS_SERVERS
 group-object dns_servers

Parsing output:

CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
CiscoNetGroup(name=dns_servers,desc=,nbMembers=3,alias=)
 CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
 CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
 CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 2 'object-group network dns_servers'>
CiscoHost(name=H_172.16.11.110,ipAddr=172.16.11.110,desc=,alias=)
CiscoHost(name=H_172.16.11.111,ipAddr=172.16.11.111,desc=,alias=)
CiscoHost(name=H_172.16.11.24,ipAddr=172.16.11.24,desc=,alias=)
CiscoHost(name=H_172.16.11.112,ipAddr=172.16.11.112,desc=,alias=)
CiscoNetGroup(name=DNS_SERVERS,desc=,nbMembers=4,alias=)
 CiscoHost(name=H_172.16.11.110,ipAddr=172.16.11.110,desc=,alias=)
 CiscoHost(name=H_172.16.11.111,ipAddr=172.16.11.111,desc=,alias=)
 CiscoHost(name=H_172.16.11.24,ipAddr=172.16.11.24,desc=,alias=)
 CiscoHost(name=H_172.16.11.112,ipAddr=172.16.11.112,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 6 'object-group network DNS_SERVERS'>
CiscoNetGroup(name=DM_INLINE_NETWORK_17,desc=,nbMembers=2,alias=)
 CiscoNetGroup(name=dns_servers,desc=,nbMembers=3,alias=)
   CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
   CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
   CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
 CiscoNetGroup(name=dns_servers,desc=,nbMembers=3,alias=)
   CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
   CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
   CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 11 'object-group network DM_INLINE_NETWORK_17'>

Also as the checkpoint group with small case "dns_servers" was not recognized/loaded, it will fail to import using dbedit as a duplicated object will be found.

kind regards,

Hi Martin,

Sorry to send so much things over to you.
When a network is new loading an ACL, seems netmask is being incorrectly interpreted.
Try to process the following config line:
access-list FromInside extended deny ip 1.5.0.8 255.255.255.248 any4

result:
CiscoNet(name=N_1.5.0.8-3,ipAddr=1.5.0.8/0.0.0.7,desc=,alias=)
ACLRule(name=FromInside,src=N_1.5.0.8-3,dst=any,port=any,action=deny,pol=My_Policy,inst=My_Firewall,disabled=False,desc=)
Desc:
Src: CiscoNet(name=N_1.5.0.8-3,ipAddr=1.5.0.8/0.0.0.7,desc=,alias=)
Dst: CiscoAnyHost(name=any,ipAddr=None,desc=,alias=)
Port: CiscoAnyPort(name=any,port=0,desc=,alias=)
Verify: <ASAAclLine # 0 'access-list FromInside extended deny ip 1.5.0.8 255.255.255.248 any4'>

kind regards,

Hello,

I got wildcard mask in access list while use ASA syntax.
It should not be wildcard for ASA!
Please, correct it!

I discover one more problem. It do not undestand the follow:
name 172.16.1.0 kino
access-list oleg_list extended permit ip 192.168.1.0 255.255.255.0 kino 255.255.255.0

The result is:
modify network_objects N_kino-24 ipaddr kino

Best regards,
Oleg

Hello,

Hoping you can help me figure out why the script isn't working properly. I have the following object in the running config:

name 192.168.139.83 ssmongrep01

The object also appears in the config here:
object-group network scom-srvs
network-object host 192.168.203.80
network-object host 192.168.203.81
network-object host 192.168.203.82
network-object host ssmonmgt01
network-object host ssmongw02
network-object host ssmongrep01

The script is creating the following output:

# Creating new host: H_ssmongrep01
create host_plain H_ssmongrep01
modify network_objects H_ssmongrep01 ipaddr ssmongrep01
modify network_objects H_ssmongrep01 comments ""
modify network_objects H_ssmongrep01 color "black"
update network_objects H_ssmongrep01

AND

# Creating new host: H_ssmongrep01
create host_plain H_ssmongrep01
modify network_objects H_ssmongrep01 ipaddr ssmongrep01
modify network_objects H_ssmongrep01 comments ""
modify network_objects H_ssmongrep01 color "black"
update network_objects H_ssmongrep01

The two outputs seem to be dynamically created, based on the H_ prefix. The two outputs also occur at different places in the output, starting on lines 51 and 987 respectively.

Help please!

Thanks!

Hi Martin,

Long time since my last message. I solved this issue changing the original object name, sending this to you just to let you know.

the following config lines are not parsing:

object-group network HPT_HOSTS
 network-object host 10.6.20.31

access-list Inbound extended permit ip object-group HPT_HOSTS any

as per follow:

root@splunk:~/c2c# python2.7 c2c.py --verify --format text --ciscoFile 'test' --syntax asa --policy My_Policy --installOn My_Firewall --output 'network_script_verify.txt'
#[+] Importing all objects except groups.
#[+] Importing Checkpoint network objects
#[+] Importing all names.
#[+] Importing all hosts.
#[+] Importing all networks.
#[+] Importing all ranges.
#[+] Fixing duplicate names
#[+] Fixing duplicate IP addresses
#[+] Fixing duplicate subnets
#[+] Fixing duplicate ranges
#[+] Importing Checkpoint ports objects
#[+] Adding ICMP Aliases
#[+] Importing all single ports objects.
#[+] Importing all port ranges objects.
#[+] Importing all net/host/range groups.
#[+] Importing all protocol groups.
#[+] Importing all port groups.
#[+] Importing all NAT rules.
#[+] Importing all firewall rules. (access-list)
Traceback (most recent call last):
  File "c2c.py", line 171, in <module>
    c2c.importConfig(args.cpPortsFile,args.cpNetObjFile,args.ciscoFile)
  File "lib/cisco2checkpoint.py", line 1765, in importConfig
    self._importASAACLRules(self.parser.getACLRules())
  File "lib/cisco2checkpoint.py", line 1882, in _importASAACLRules
    forceLog = self.forceLog))
  File "lib/cisco2checkpoint.py", line 1255, in __init__
    self._buildFromParsedObj(parsedObj)
  File "lib/cisco2checkpoint.py", line 1299, in _buildFromParsedObj
    self.src = self._getSrc(parsedObj)
  File "lib/cisco2checkpoint.py", line 1317, in _getSrc
    return [self._getOrFailMemberObj('object-group',parsedObj.src_addr)]
  File "lib/cisco2checkpoint.py", line 526, in _getOrFailMemberObj
    'named "%s" for group %s' % (type,v1,self.name))
cisco2checkpoint.C2CException: Could not find mandatory "object-group" object named "HPT_HOSTS" for group Inbound

Seems it is changing the ilegal word but not using later.

kind regards,

Hi Martin,

The last issues I spotted I was actually "cheating", I was using an internal checkpoint tool to compare with your results. Then trying to improve your script.

The good news this tool is now open to all public, bad news is it will produce code to R80.10 ( with security zones concept). Yes R80.10 is now GA as well.

Link to the open tool:
https://github.com/CheckPoint-APIs-Team/SmartMove

CheckPoint sk to download tool:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115416&partition=Advanced&product=Security

R80.10 CheckPoint SK:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk111841

kind regards,

Hi Martin,

If I import an existing checkpoint config ( with --cpPortsFile and/or --cpNetObjFile), if exist an exact same object name it does not check if also the port, IP address, or network is exact the same. It uses the one already existent on checkpoint database. I have the same object name with different IP address from a previous import.

Probably to add this extra check will demand much time from you.

Is there a way to add a prefix to all object names created by your script?

thank you in advance,

Hi Martin,

Seems app is importing my previous attempts to produce config.

I tried to use an empty file for 'customer_service_objects.xml' and 'customer_network_objects.xml', even without any object to import, it is loading my previous objects

Number of hosts (imported from checkpoint xml): 62

Number of subnet (imported from checkpoint xml): 24

Is there any temp file created? I am searching here on my system, but didnt find till now.

Do you have an idea which folder/objects I need to clean?

thanks,

Hi Martin,
This one I correcting manually as it is stopping parse when it find a case like this. I ll leave as suggestion for future if possible.

Trying to parse the following service group:

object-group service DM_INLINE_SERVICE_8
 service-object tcp 
object-group service DM_INLINE_SERVICE_9
 service-object udp 

parse output:

Traceback (most recent call last):
  File "c2c.py", line 171, in <module>
    c2c.importConfig(args.cpPortsFile,args.cpNetObjFile,args.ciscoFile)
  File "lib/cisco2checkpoint.py", line 1758, in importConfig
    self._importPortGroups(self.parser.getPortGroups())
  File "lib/cisco2checkpoint.py", line 1842, in _importPortGroups
    self.addObj(CiscoServiceGroup(self, newGrp))
  File "lib/cisco2checkpoint.py", line 1062, in __init__
    for mm_r in parsedObj.result_dict:
  File "lib/ciscoconfparse_patch.py", line 500, in result_dict
    .format(obj.text))
ValueError: [FATAL] models_asa cannot parse ' service-object tcp '

My suggestion for tcp/udp is to replace with following:

object-group service tcp_all tcp
 port-object range 1 65535
object-group service udp_all udp
 port-object range 1 65535

I saw there is an ANY_ on config.py, but not sure how can I add tcp or udp.

thanks,

Hi,
I using your app which is very handy thank you very much!

I am trying to import a Cisco Asa to checkpoint R77. I noticed few config lines not being recognized ( I can list them if you are interested), most of them I can adjust my original config and overcome with small manual work.
But one config line will cause a lot of extra manual work. Seems it is not recognizing object-group network nor object-group service. As per:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/objectgroups.html

I am using Ubuntu 16.01, with python2.7 and ciscoconfparse 1.2.40 ( also 1.2.47 latest version).

Am I using the incorrect syntax? Is there a way to use object-group with group-object inside?

Here an output from command line:

config lines:

!
object-group network exampleobject
 network-object host 1.1.1.254
!
object-group network groupexample
 group-object exampleobject
!

root@splunk:~/c2c# python2.7 c2c.py --verify --format text --ciscoFile 'test' --syntax asa --policy My_Policy --installOn My_Firewall --output 'network_script_verify.txt'
#[+] Importing all objects except groups.
#[+] Importing Checkpoint network objects
#[+] Importing all hosts.
#[+] Importing all networks.
#[+] Importing all ranges.
#[+] Fixing duplicate names
#[+] Fixing duplicate IP addresses
#[+] Fixing duplicate subnets
#[+] Fixing duplicate ranges
#[+] Importing Checkpoint ports objects
#[+] Adding ICMP Aliases
#[+] Importing all single ports objects.
#[+] Importing all port ranges objects.
#[+] Importing all net/host/range groups.
#[+] A null member was identifed in object "object-group network groupexample"
#[+] Importing all port groups.
#[+] Importing all protocol groups.
#[+] Importing all NAT rules.
#[+] Importing all firewall rules. (access-list)
#[+] Importing all firewall rules. (ip access-list)
#[+] Merging redundant ACL rules
#[+] Exporting to verify format

Summary of the findings in "test"

Number of names (before merge/cleanup): 0

Number of names (after merge/cleanup): 0

Number of hosts (imported from cisco file): 1

Number of hosts (imported from checkpoint xml): 0

Number of hosts (dynamically created): 1

Number of hosts (after merge/cleanup): 0

Number of subnet (imported from cisco file): 1

Number of subnet (imported from checkpoint xml): 0

Number of subnet (dynamically created): 0

Number of subnet (after merge/cleanup): 0

Number of range (imported from cisco file): 0

Number of range (imported from checkpoint xml): 0

Number of range (dynamically created): 0

Number of range (after merge/cleanup): 0

Number of subnet groups: 2

Number of service groups: 0

Number of nat rules: 0

Number of acl rules (not imported: established): 0

Number of acl rules (not imported: source port): 0

Number of acl rules (before merge/cleanup): 0

Number of acl rules (after merge/cleanup): 0

Number of single ports (imported from cisco file): 261

Number of single ports (imported from checkpoint xml): 0

Number of single ports (dynamically created): 0

Number of port range (imported from cisco file): 0

Number of port range (imported from checkpoint xml): 0

Number of port range (dynamically created): 0

root@splunk:/c2c# !cat
cat network_script_verify.txt
CiscoIcmp(name=echo-reply,desc=ICMP, echo reply,alias=)
CiscoIcmp(name=dest-unreach,desc=ICMP, destination unreach,alias=unreachable)
CiscoIcmp(name=source-quench,desc=ICMP, source quench,alias=)
CiscoIcmp(name=redirect,desc=ICMP, route redirect,alias=mobile-redirect)
CiscoIcmp(name=echo-request,desc=ICMP, echo request,alias=echo)
CiscoIcmp(name=time-exceeded,desc=ICMP, time to live exceeded,alias=)
CiscoIcmp(name=param-prblm,desc=ICMP, parameters problem,alias=parameter-problem)
CiscoIcmp(name=timestamp,desc=ICMP, timestamp request,alias=)
CiscoIcmp(name=timestamp-reply,desc=ICMP, timestamp reply,alias=)
CiscoIcmp(name=info-req,desc=ICMP, info request,alias=information-request)
CiscoIcmp(name=info-reply,desc=ICMP, info reply,alias=information-reply)
CiscoIcmp(name=mask-request,desc=ICMP, mask request,alias=)
CiscoIcmp(name=mask-reply,desc=ICMP, mask reply,alias=)
CiscoHost(name=H_1.1.1.254,ipAddr=1.1.1.254,desc=,alias=)
CiscoNetGroup(name=exampleobject,desc=,nbMembers=1,alias=)
CiscoHost(name=H_1.1.1.254,ipAddr=1.1.1.254,desc=,alias=)
Verify: <ASAObjGroupNetwork # 1 'object-group network exampleobject'>
CiscoNetGroup(name=groupexample,desc=,nbMembers=0,alias=)
Verify: <ASAObjGroupNetwork # 4 'object-group network groupexample'>
root@splunk:/c2c#

Let me know if you need more infor, and thanks in advance,

Hi,

Am I missing anything here? config line with https is being recognized as http.

thanks in advance,

service_https.txt

File "C:\Users\xx\Desktop\Py\Cisco2Checkpoint-master\c2c.py", line 34, in
from cisco2checkpoint import Cisco2Checkpoint,Cisco2CheckpointManager
File "lib\cisco2checkpoint.py", line 26, in
from ciscoconfparse import ciscoconfparse
ImportError: No module named ciscoconfparse

Hi Martin,

Seems another case issue.

Receiving error for the following parse

object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service same_name2
 service-object object TCPUDP

Error:

#[-]   Importing: <ASAObjGroupService # 3 'same_name2'>
Traceback (most recent call last):
  File "c2c.py", line 171, in <module>
    c2c.importConfig(args.cpPortsFile,args.cpNetObjFile,args.ciscoFile)
  File "lib/cisco2checkpoint.py", line 1758, in importConfig
    self._importPortGroups(self.parser.getPortGroups())
  File "lib/cisco2checkpoint.py", line 1842, in _importPortGroups
    self.addObj(CiscoServiceGroup(self, newGrp))
  File "lib/cisco2checkpoint.py", line 1062, in __init__
    for mm_r in parsedObj.result_dict:
  File "lib/ciscoconfparse_patch.py", line 519, in result_dict
    .format(name))
ValueError: FATAL: Cannot find service object named TCPUDP

kind regards,

Hello guys,
Great work !!

I am trying to use the tool but i get the below error

$ python c2c.py --export \

--ciscoFile 'showrun.txt' \
--syntax asa \
--policy My_Policy \
--installOn My_Firewall \
--output 'network_script.txt'

Traceback (most recent call last):
File "c2c.py", line 34, in
from cisco2checkpoint import Cisco2Checkpoint,Cisco2CheckpointManager
File "lib\cisco2checkpoint.py", line 26, in
from ciscoconfparse_patch import CiscoConfParse
File "lib\ciscoconfparse_patch.py", line 29, in
from ciscoconfparse import models_cisco
ImportError: No module named ciscoconfparse

Used "git clone --recursive https://github.com/gosecure/cisco2checkpoint c2c" to install the tool
I have installed python 2.7.0
I have my ASA exported config (showrun.txt) in c2c folder

Am i missing something ??

Hi Martin,

I tried to play with ICMP_DIC, but seems it is not being loaded.
I am receiving error when trying to import object group that contains icmp

object-group service icmp_Prot
 service-object icmp echo
 service-object icmp echo-reply

Output error:

Traceback (most recent call last):
  File "c2c.py", line 168, in <module>
    c2c.importConfig(args.cpPortsFile,args.cpNetObjFile,args.ciscoFile)
  File "lib/cisco2checkpoint.py", line 1749, in importConfig
    self._importPortGroups(self.parser.getPortGroups())
  File "lib/cisco2checkpoint.py", line 1833, in _importPortGroups
    self.addObj(CiscoServiceGroup(self, newGrp))
  File "lib/cisco2checkpoint.py", line 1054, in __init__
    for mm_r in parsedObj.result_dict:
  File "lib/ciscoconfparse_patch.py", line 497, in result_dict
    .format(obj.text))
ValueError: [FATAL] models_asa cannot parse ' service-object icmp echo'

thanks,

Hi Martin,

Sorry to bother you again :)

I am having issues parsing the following config lines:
Can you please help?

object-group service log_sys udp
 port-object eq syslog
object-group service UDPgroup udp
 group-object log_sys
 port-object eq snmp
 port-object eq echo
 port-object eq domain
 port-object eq ntp
access-list FromInside extended permit udp any4 object-group UDPgroup any4

Error I am getting:

root@splunk:~/c2c# python2.7 c2c.py --verify --format text --ciscoFile 'test' --syntax asa --policy My_Policy --installOn My_Firewall --output 'network_script_verify.txt'
Traceback (most recent call last):
  File "c2c.py", line 168, in <module>
    c2c.importConfig(args.cpPortsFile,args.cpNetObjFile,args.ciscoFile)
  File "lib/cisco2checkpoint.py", line 1734, in importConfig
    self.parser.parse(configFile, self.syntax)
  File "lib/cisco2checkpoint.py", line 1621, in parse
    self.parse = CiscoConfParse(configFile,factory=True,syntax=syntax)
  File "lib/ciscoconfparse_patch.py", line 1857, in __init__
    CiscoConfParse=self)
  File "lib/ciscoconfparse_patch.py", line 963, in __init__
    ignore_blank_lines, syntax, CiscoConfParse)
  File "/usr/local/lib/python2.7/dist-packages/ciscoconfparse-1.2.40-py2.7.egg/ciscoconfparse/ciscoconfparse.py", line 2598, in __init__
    self._bootstrap_obj_init(data)
  File "/usr/local/lib/python2.7/dist-packages/ciscoconfparse-1.2.40-py2.7.egg/ciscoconfparse/ciscoconfparse.py", line 2755, in _bootstrap_obj_init
    syntax='asa')
  File "lib/ciscoconfparse_patch.py", line 1756, in ConfigLineFactory
    comment_delimiter=comment_delimiter) # instance of the proper subclass
  File "lib/ciscoconfparse_patch.py", line 745, in __init__
    raise ValueError("[FATAL] models_asa cannot parse '{0}'".format(self.text))
ValueError: [FATAL] models_asa cannot parse 'access-list FromInside extended permit udp any4 object-group UDPgroup any4'
root@splunk:~/c2c#

thank you,

Hi Mart,

Nat config line is not being loaded, is it normal?

config example:
object network obj-10.1.1.16
host 10.1.1.16
object network obj-10.1.1.16-nat
host 1.1.1.16
object network obj-dest-192.168.1.16
host 192.168.1.16
nat (outside,inside) source static obj-10.1.1.16 obj-10.1.1.16-nat destination static obj-dest-192.168.1.16 obj-dest-192.168.1.16

thanks,