
Chapter 4. Security Policy > Converters and Scripts

4.14. Converters and Scripts

Several tools have been developed to help bridge the gap between the NetScreen system and the SRX system. One such tool is the S2JES (ScreenOS to Junos-ES) converter. This free tool (it requires a valid login to http://www.juniper.net) converts a ScreenOS configuration file or syntax to Junos-ES, and it can help with migration from a ScreenOS policy base to Junos policy. You can find the tool at https://i2j.juniper.net/s2jes/index.jsp.

Op scripts will also assist in migration efforts. Op scripts are SLAX or XSLT-based scripts that run directly on the SRX. These scripts are often developed by Juniper and by external users. You can use op scripts to view information in a summarized format or, for example, to run a series of health checks.

One of my favorite op scripts for the SRX is the policy test script. The policy test script will take input such as a source IP, destination IP, source port, or destination port and find any matching policies. All of these fields are optional, so the match can be as broad or as narrow as you want it to be.

Here is example output of the policy test script:

user@cli# op policy-test source-address 10.1.1.1 destination-address 10.2.2.2
From-Zone    To-Zone      Name            Src-Addr        Dst-Addr        Application  Action
trust        untrust      ftp-permit      any             any             junos-ftp    permit
trust        untrust      http-https-rej  any             any             junos-https  reject
                                                                          junos-http

The policy test script found two policies that match the source/destination address. From the preceding output it appears that only FTP is allowed and HTTP/HTTPS is explicitly denied.
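The lookup described above can be sketched offline as follows. This is an added example, not the Juniper op script (which is SLAX or XSLT and runs on the SRX): a Python emulation over a constructed policy set in which the mgmt-ssh policy, the address-book entries, and the one-port-per-application table are assumptions, and only the destination port is modelled.

```python
import ipaddress

# Constructed data: the first two policies mirror the sample output above;
# "mgmt-ssh", the address book and the port table are assumptions for illustration.
ADDRESS_BOOK = {"any": "0.0.0.0/0", "mgmt-net": "192.168.50.0/24"}
APPLICATIONS = {"junos-ftp": 21, "junos-http": 80, "junos-https": 443, "junos-ssh": 22}
POLICIES = [
    {"from": "trust", "to": "untrust", "name": "ftp-permit", "src": ["any"],
     "dst": ["any"], "apps": ["junos-ftp"], "action": "permit"},
    {"from": "trust", "to": "untrust", "name": "http-https-rej", "src": ["any"],
     "dst": ["any"], "apps": ["junos-https", "junos-http"], "action": "reject"},
    {"from": "trust", "to": "untrust", "name": "mgmt-ssh", "src": ["mgmt-net"],
     "dst": ["any"], "apps": ["junos-ssh"], "action": "permit"},
]

def addr_match(entry_names, ip):
    """True if ip falls inside any named address-book entry; an omitted field matches all."""
    if ip is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(ADDRESS_BOOK[n]) for n in entry_names)

def port_match(app_names, port):
    """True if any of the policy's applications uses the port; omitted matches all."""
    if port is None:
        return True
    return any(APPLICATIONS[a] == port for a in app_names)

def policy_test(source_address=None, destination_address=None, destination_port=None):
    """Return every policy, in configured order, that the supplied fields could hit."""
    return [p for p in POLICIES
            if addr_match(p["src"], source_address)
            and addr_match(p["dst"], destination_address)
            and port_match(p["apps"], destination_port)]

def matching_names(results):
    """Policy names only, for compact comparison."""
    return [p["name"] for p in results]

if __name__ == "__main__":
    # Address-only query: broad match, several candidate policies.
    for p in policy_test("10.1.1.1", "10.2.2.2"):
        print(p["from"], p["to"], p["name"], ",".join(p["apps"]), p["action"])
    # Adding the destination port narrows the result to the policy that decides the flow.
    print(matching_names(policy_test("10.1.1.1", "10.2.2.2", 443)))
```

Leaving a field out widens the result set, which makes this kind of query useful when auditing a rule base for every policy that could apply to a host.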

Other scripts mimic the output of ScreenOS-type commands, such as “get interface,” “get service,” and “get policy.” You can find these scripts in a number of places, but two of the major sites are:

http://www.juniper.net/us/en/community/junos/script-automation/library/
http://code.google.com/p/junoscriptorium/

You can find the policy test script shown earlier at the following URL:

http://www.juniper.net/us/en/community/junos/script-automation/library/configuration/policy-test/