The ReSTNSX Firewall Rule Converter is a tool used to import third party firewall configurations into NSX. The tool will analyze existing rule sets, referenced objects and create a comparable NSX rule set. After reviewing, these rules can be published to dFW, ESG or Tier0/1 nodes.
Minimum Release: 3.1 (Cisco ASA Support) Recommended Release: 3.5 or higher (Adds Palo Alto and Fortinet support) Application: NSX-v, NSX T, VMCoAWS License: Enterprise Privilege level: Security Engineer or higher
To publish an imported rule set, an active NSX Data Source must be defined in ReSTNSX.
To begin a rule conversion, navigate to the Rule Converter dashboard via Tools > Security Planning > Rule Converter. To create a new import, select the green plus button (Import New Configuration). Previously imported configurations are also displayed on this dashboard.
After selecting the Import New Configuration button, a new window will display for importing the 3rd party firewall configuration.
Drag the file to be analyzed. In this example, a Cisco ASA configuration is being provided by using the output of the “show run” command on the ASA Firewall.
Once processed, the results are displayed on the dashboard. In this example, we see the rule counts and associated objects discovered. Click the magnifying glass to review the converted rules.
For this particular configuration, the rules are displayed and grouped by the rule name. When published to dFW, each rule will represent a new section.
For an ASA, a rule is equivalent to a section where is contains one or more entries. Every entry is imported along with the associated objects pending creation in NSX. Below is an example of a rule named myACL_name with 9 entries. Also note the network and service objects detected and converted to NSX compatible objects (Service, Service Groups and IP Sets).
Contained within entry #9 is destination criteria of mixed types – raw IP address; an IP Set with a single IP, range of IPs and entire networks. All of these IP Set types will be created upon publish.
Also supported are nested Service and Service Groups.
ASA Firewall Snippet showing network objects and nested groups
The Comparable NSX Firewall Rule and Object Anatomy
After review and the proposed rule set, select one or more sections and rules for publishing. Publishing to dFW and Edges (ESG, Tier0/1) are supported. In this example, dFW is selected and the Publish Selected Rules to NSX button is pressed. All referenced objects are created (ex: NS Groups) along with any service if it does not exist on the NSX Manager by destination port and protocol.
Upon clicking the publish button, a new window will open with verbose progress indicators.
Once the rules are published to NSX, the rules can be further edited or re-ordered before activating. Within the ReSTNSX dFW Operations page, select one or more rules to activate (enable), click Enable Selected from the Section Menu and Publish Changes. The rules are now live on NSX – enforcing the policy derived from the Cisco ASA Firewall.
Additionally, the validation on the object members can be performed using the Query pull-out tab on the right of the screen. Here we see the myNetwork IP Set was created with member 188.8.131.52/24.