Firewall Rule Converter

Feature Description


The ReSTNSX Firewall Rule Converter is a tool used to import third party firewall configurations into NSX. The tool analyzes the existing rule set and its referenced objects and creates a comparable NSX rule set. After review, these rules can be published to the dFW, ESG or Tier0/1 nodes.

Minimum Release: 3.1 (Cisco ASA Support)
Recommended Release: 3.5 or higher (Adds Palo Alto and Fortinet support)
Application: NSX-v, NSX-T, VMC on AWS
License: Enterprise
Privilege level: Security Engineer or higher

Setup


To publish an imported rule set, an active NSX Data Source must be defined in ReSTNSX.

Adding data sources requires Enterprise Administrator privileges.

Rule Import


To begin a rule conversion, navigate to the Rule Converter dashboard via Tools > Security Planning > Rule Converter. To create a new import, select the green plus button (Import New Configuration). Previously imported configurations are also displayed on this dashboard.

After selecting the Import New Configuration button, a new window will display for importing the 3rd party firewall configuration.

The current import method is via text file; API-collected configurations will be available in a future release. v3.6 supports Cisco ASA, Palo Alto and Fortinet import.
Refer to your version's release notes for the currently supported 3rd party platforms.

Drag the file to be analyzed. In this example, a Cisco ASA configuration is being provided by using the output of the “show run” command on the ASA Firewall.

Once processed, the results are displayed on the dashboard. In this example, we see the rule counts and associated objects discovered. Click the magnifying glass to review the converted rules.

For this particular configuration, the rules are displayed and grouped by the rule name. When published to dFW, each rule will represent a new section.

For an ASA, a rule is equivalent to a section that contains one or more entries. Every entry is imported along with its associated objects, which are pending creation in NSX. Below is an example of a rule named myACL_name with 9 entries. Also note the network and service objects detected and converted to NSX compatible objects (Services, Service Groups and IP Sets).

Contained within entry #9 are destination criteria of mixed types: a raw IP address, an IP Set with a single IP, a range of IPs, and entire networks. All of these IP Set types will be created upon publish.

Also supported are nested Service and Service Groups.

ASA Firewall Snippet showing network objects and nested groups

The Comparable NSX Firewall Rule and Object Anatomy

All Sections, Rules and Objects displayed are pending. No items have been created on NSX Manager yet.
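The ASA-to-NSX mapping described above (one ACL per section, one entry per rule, network objects to IP Sets, service object-groups to Services, every rule published disabled), as an added Python example that is not part of ReSTNSX. It parses a constructed ASA excerpt and handles the "any" and named-object address forms used there; nested network objects are flattened into the referencing IP Set, which is an assumption, since the page only states that nested groups are supported.

```python
# Constructed ASA "show run" excerpt (sample input, not from the page): a nested
# network object-group with mixed member types, a service object-group, an ACL.
ASA_CONFIG = """\
object network web01
 host 10.1.1.10
object-group network myNetwork
 network-object 5.5.5.0 255.255.255.0
 network-object range 10.2.0.1 10.2.0.9
 network-object object web01
object-group service webports tcp
 port-object eq 443
 port-object range 8080 8081
access-list myACL_name extended permit tcp any object-group myNetwork object-group webports
access-list myACL_name extended deny ip any any
"""

def prefix_len(mask):
    # Dotted netmask -> CIDR prefix length, e.g. 255.255.255.0 -> 24.
    return sum(bin(int(o)).count("1") for o in mask.split("."))

def endpoint(tok, i):
    # ACL address spec at tok[i]: "any", or "host|object|object-group <name>".
    return ("any", i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)

def convert(config):
    ip_sets, services, sections, target, proto = {}, {}, {}, None, None
    for raw in config.splitlines():
        tok = raw.split() or ["!"]                     # blank lines act like ASA "!" separators
        if raw.startswith(" "):                        # member line of the current object block
            if tok[0] == "port-object":                # eq <port> | range <lo> <hi>
                target.append((proto, tok[2] if tok[1] == "eq" else f"{tok[2]}-{tok[3]}"))
            elif "host" in tok[:2]:                    # "host x" or "network-object host x"
                target.append(tok[-1])
            elif tok[1] == "range":
                target.append(f"{tok[2]}-{tok[3]}")
            elif tok[1] == "object":                   # nested object: IP Sets do not nest,
                target.extend(ip_sets[tok[2]])         # so its members are flattened (assumption)
            else:                                      # "network-object <ip> <mask>"
                target.append(f"{tok[1]}/{prefix_len(tok[2])}")
        elif tok[0] == "access-list":                  # one ACL = one section, one entry = one rule
            src, i = endpoint(tok, 5)
            dst, i = endpoint(tok, i)
            sections.setdefault(tok[1], []).append(dict(
                action=tok[3], protocol=tok[4], source=src, destination=dst,
                service=tok[i + 1] if i < len(tok) else "any", enabled=False))  # published disabled
        elif tok[1:2] == ["network"]:                  # object / object-group network -> IP Set
            target = ip_sets.setdefault(tok[2], [])
        elif tok[1:2] == ["service"]:                  # object-group service <name> <proto>
            target, proto = services.setdefault(tok[2], []), tok[3]
    return ip_sets, services, sections
```

convert() returns the pending IP Sets, Services and dFW sections; nothing is created on an NSX Manager, which matches the review stage the page describes.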

Publish


After reviewing the proposed rule set, select one or more sections and rules for publishing. Publishing to the dFW and to Edges (ESG, Tier0/1) is supported. In this example, dFW is selected and the Publish Selected Rules to NSX button is pressed. All referenced objects (e.g. NS Groups) are created, along with any Service that does not already exist on the NSX Manager, matched by destination port and protocol.

Upon clicking the publish button, a new window will open with verbose progress indicators.

When the new section is published on the destination NSX Manager, ALL of its rules are disabled.

Rule Validation


Once the rules are published to NSX, the rules can be further edited or re-ordered before activating. Within the ReSTNSX dFW Operations page, select one or more rules to activate (enable), click Enable Selected from the Section Menu and Publish Changes. The rules are now live on NSX – enforcing the policy derived from the Cisco ASA Firewall.

Additionally, the validation on the object members can be performed using the Query pull-out tab on the right of the screen. Here we see the myNetwork IP Set was created with member 5.5.5.0/24.
