FWdoc - Firewall Documentation
FWdoc is a vendor-independent standard of storing firewall ruleset configurations. We provide tools to extract the ruleset from proprietary formats into FWdoc format (in JSON), filter rules and objects, and export them into a number of other formats.
From the FWdoc file you can produce a well readable, cross-referenced HTML summary of the firewall configuration. A dump of network and service objects, users, rules and settings into separate files (TXT and Tab-separated tables) or templates (TXT, CSV, SQL, etc.) is possible.
FWdoc is the successor to ASLrules (Astaro), FW1Rules (CheckPoint) and ReadConfig (Raptor, Symantec)
| Requirements |
- Perl installed (version 5.something will do) for some of the converters
- Python 2.4 (or newer) for the main scripts (i.e. all non-derived stuff)
- The configuration files of your firewalls. Please look up which those are in the documentation of the respective conversion script.
| Documentation of FWdoc format and main tools. |
-
FWdoc data structure
in JSON microformat. (still quite rough) -
README.txt
| Working (with) Parts |
The FWdoc system is designed in modules connected with shell pipes. Thus to create a HTML documentation of a CheckPoint configuration you could run e.g. the following command line:
fw1r70_to_fwdoc.pl | fwdoc_used_objects.py | fwdoc_to_html.py > DOC.html
Input converters (*_to_FWdoc)
- CheckPoint Firewalls
- HTML output
- TXT output
- table output (CSV, SQL, etc.)
- filtering (un)used objects
- ungrouping of objects and services
- unrolling of rulesets
| Support / Bugs |
Important Note when encountering errors!
As soon as a JSON (.fwdoc) file is broken, all Python programs will
throw errors that look as program mistakes to the unaccustomed eye.
If you pipe output from one command to the next please serialize the
calls first, e.g. by writing to / reading from files, executing one
FWDOC command a time.
Please check the validity of the FWdoc/JSON file with FWDOC_VERIFY.PY if in doubt. That little program either prints an okay message - or throws a lengthy and a bit cryptic error message describing the JSON misformatting.
There is a user/developer mailing list available. To subscribe send a mail with "subscribe fwtools" as subject to minimalist@wyae.de
For bug reports and suggestions or if you just want to talk to me please contact me at volker.tanger@wyae.de or write to the list at fwtools@wyae.de (subscribers only).
FWdoc is represented at FreshMeat.NET where you can review release cycles, activity, etc.
| Roadmap / Contributing |
Please check the website for updates prior to submitting patches!
Currently I intend to develop - as spare time and
- RegEx filtering on rules
- converter for Juniper (JunOS)
- converter for Netscreen (ScreenOS)
- converter for PFsense
- converter for Cisco Pix
- converter into IPtables, OpenBSD pf, ...
(any suggestions?)
| Downloads |
- FW1r70_to_FWdoc (Version 10.6.6)
FWdoc-Converter for CheckPoint FW1 and NG (Version 3.0 up to R70) - FWdoc_to_HTML (Version 10.4.29)
FWdoc-Converter to create a nice HTML page - FWdoc_to_Tables (Version 10.6.6)
FWdoc-Converter to export various tables - FWdoc_to_TXT (Version 10.4.29)
FWdoc-Converter to create a human-readable text/TXT output - FWdoc_Ungroup (Version 0.1)
FWdoc-Converter to replace groups with their respective members - FWdoc_Unroll_Rules (Version 0.1)
Unroll multi-object rules into single-object ones. - FWdoc_used_Objects (Version 10.6.6)
FWdoc-Converter to filter out unused objects and services - FWdoc_verify (Version 0.1)
FWdoc reader to check wether the JSON is okay
| License(s) |
For details on licensing and support please see there.
 |
Software packages are published under "Gnu Public License" | |
| To ensure the data format stays unmodified (and thus the data interchangeable), it is placed under the Creative Commons BY-ND License. |  |
|
All licenses are open source licenses.
The data acquisition is based on analysis of well known configurations. The script is not (officially) supported by Checkpoint, Astaro, etc. or representatives.
