Release Notes: This is the first release of 360-FAAR Enhanced. This version of 360-FAAR supports all original functionality and enhances it by adding "complex" processing modes that retain the firewall rulebase structure and are capable of handling complex enterprise firewall policies with very high fidelity. Drop, Reject, and Encrypt rule structures are maintained as well as Accept rules. This is a separate code branch from 360-FAAR 0.4.x.
Release Notes: This release adds the 'hc' option to build rules in 'rr' mode and arrange the most-hit new rules at the top. Beware: hit-count ordering is not 100% reliable at present; hit counts can be multiplied for multi-IP objects. 'cl' mode rules now use the original global rule number instead of incrementing it by 1. The defaults have been changed slightly, and a 'log' defaults option has been added. This release fixes a bug in 'load' mode when loading files from '.', and Checkpoint rules that are logged without a rule number are now handled.
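The hit-count caveat above is easy to reproduce. The following is an added Python illustration, not 360-FAAR's own (Perl) code, and the cause it shows is an assumption: when a rule's destination is a group whose members overlap (a host object also covered by a subnet object), counting one hit per matching member inflates the count for a single log entry. Object names, rules and log lines are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed objects (hypothetical names): "web-servers" overlaps "dmz-net".
OBJECTS = {
    "any": ["0.0.0.0/0"],
    "admin-pc": ["192.168.5.5/32"],
    "web-servers": ["10.0.1.10/32", "10.0.1.11/32"],
    "dmz-net": ["10.0.1.0/24"],
}
# Constructed rules: src/dst are lists of object names (a group), svc is proto/port.
RULES = [
    {"num": 1, "src": ["any"], "dst": ["web-servers", "dmz-net"], "svc": "tcp/443"},
    {"num": 2, "src": ["admin-pc"], "dst": ["dmz-net"], "svc": "tcp/22"},
]
# Constructed log entries: (src ip, dst ip, service)
LOGS = [
    ("203.0.113.7", "10.0.1.10", "tcp/443"),   # dst matches BOTH web-servers and dmz-net
    ("203.0.113.8", "10.0.1.50", "tcp/443"),   # dst matches dmz-net only
    ("192.168.5.5", "10.0.1.10", "tcp/22"),
]


def _matching_members(ip, names):
    """All member networks (across the named objects) that contain ip; >1 when objects overlap."""
    addr = ipaddress.ip_address(ip)
    return [m for n in names for m in OBJECTS[n] if addr in ipaddress.ip_network(m)]


def naive_hit_counts(rules=RULES, logs=LOGS):
    """One hit per (src member, dst member) pair on the first matching rule: overlap multiplies hits."""
    hits = Counter()
    for src, dst, svc in logs:
        for r in rules:
            s, d = _matching_members(src, r["src"]), _matching_members(dst, r["dst"])
            if r["svc"] == svc and s and d:
                hits[r["num"]] += len(s) * len(d)
                break                      # first-match semantics: one rule per log entry
    return dict(hits)


def entry_hit_counts(rules=RULES, logs=LOGS):
    """One hit per log entry on the first matching rule, however many members it matches."""
    hits = Counter()
    for src, dst, svc in logs:
        for r in rules:
            if r["svc"] == svc and _matching_members(src, r["src"]) and _matching_members(dst, r["dst"]):
                hits[r["num"]] += 1
                break
    return dict(hits)


def order_by_hits(counts, rules=RULES):
    """Rule numbers with the most-hit rules first; ties keep the original order (stable sort)."""
    return [r["num"] for r in sorted(rules, key=lambda r: -counts.get(r["num"], 0))]


if __name__ == "__main__":
    print("naive:", naive_hit_counts())
    print("per entry:", entry_hit_counts())
    print("order:", order_by_hits(entry_hit_counts()))
```

Rule 1 gets three naive hits from two log entries because the first entry's destination sits in two overlapping members; counting per log entry gives the expected two. Whichever way the counts are produced, the ordering step only needs the per-rule totals.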
Release Notes: This release adds the 'cl' option to clean/filter original rules in 'rr' mode, and allows output of service-priority rules as well as the original dst/src-priority rule build. The 'rr' mode menu has been simplified further. Starting the script without any options now starts load mode to add at least one config. This release fixes a bug in 'any' object matching; 'any' should now be matched from logs. The rashfilter hash tree format has been changed to match the order of the other rule-processing hashes (mergebase, filterbase, and rulegroups); this should reduce memory use slightly.
Release Notes: This release adds the 'mergelog' mode to merge binary log entries from one config with another and significantly updates the user interface. All configs can be loaded from the 'load' menu instead of being specified on the command line. This release adds 'verbose' switches to 'print' and 'rr' modes so that screen output can be switched off, and all 'end.' keywords have been changed to simply '.' to reduce the number of keystrokes needed. Entering '0' now adds all options, and '.' chooses the default if one is available. The netscreen output stage now uses a default zone if none is specified.
Release Notes: This release adds Cisco ASA 8.3+ object NAT to the cisco reader for static and dynamic NAT. Network objects, ranges, and IPs are translated. Running the script with "--help", "-h", or "h" prints the simple help screen. Two new options have been added to the "rr" mode filters, allowing encryption rules from the "merge from" and "merge to" rulebases to be used to mask later rules in the "merge from" rulebase. Connectivity matches output during "rr" mode filtering are now listed using the source configuration bundle object names instead of the binary CIDR IPs. This release resolves the menu infinite-loop issue.
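For readers unfamiliar with the ASA 8.3+ object NAT form the reader now handles, here is an added Python example (not 360-FAAR's own Perl code) that reads `object network` blocks with `host`, `subnet`, and `range` members plus the nested `nat (real,mapped) static|dynamic ...` line, builds a NAT table, and reports mapped names that resolve to nothing, in the spirit of the read-time warnings for unknown objects. The config snippet, object names, and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ASA 8.3+ snippet (hypothetical object names and addresses).
ASA_CONFIG = """\
object network inside-host
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network inside-net
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic pat-pool
object network dmz-range
 range 10.2.2.1 10.2.2.20
 nat (dmz,outside) dynamic interface
object network pat-pool
 range 203.0.113.100 203.0.113.110
object network orphan-host
 host 10.3.3.3
 nat (inside,outside) static missing-obj
"""


@dataclass
class NetObject:
    name: str
    kind: str = ""        # host | subnet | range
    addrs: tuple = ()     # one address, one network, or (first, last) of a range


@dataclass
class NatRule:
    obj: str              # the real-side object whose block the nat line sits in
    real_if: str
    mapped_if: str
    mode: str             # static | dynamic
    mapped: str           # literal IP, object name, or "interface"


def parse_asa_object_nat(text):
    """Read 'object network' blocks and the object NAT lines nested inside them."""
    objects, nats, current = {}, [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        parts = line.split()
        if not line.startswith(" "):
            # Top-level statement: only 'object network NAME' opens a block we track.
            current = NetObject(parts[2]) if parts[:2] == ["object", "network"] and len(parts) == 3 else None
            if current:
                objects[current.name] = current
            continue
        if current is None:
            continue
        kw = parts[0]
        if kw == "host" and len(parts) == 2:
            current.kind, current.addrs = "host", (ipaddress.ip_address(parts[1]),)
        elif kw == "subnet" and len(parts) == 3:
            current.kind = "subnet"
            current.addrs = (ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False),)
        elif kw == "range" and len(parts) == 3:
            current.kind = "range"
            current.addrs = (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]))
        elif kw == "nat" and len(parts) >= 4 and parts[1].startswith("(") and parts[2] in ("static", "dynamic"):
            real_if, mapped_if = parts[1].strip("()").split(",")
            nats.append(NatRule(current.name, real_if, mapped_if, parts[2], parts[3]))
    return objects, nats


def mapped_side(rule, objects):
    """What the nat line translates to: ('interface', name), ('object', NetObject), ('ip', addr) or ('unknown', token)."""
    if rule.mapped == "interface":
        return ("interface", rule.mapped_if)
    if rule.mapped in objects:
        return ("object", objects[rule.mapped])
    try:
        return ("ip", ipaddress.ip_address(rule.mapped))
    except ValueError:
        return ("unknown", rule.mapped)


def check_nat_table(objects, nats):
    """Consistency check: list NAT lines whose mapped side is neither an interface, a known object, nor an IP."""
    return [f"nat on {r.obj}: mapped object '{r.mapped}' is not defined"
            for r in nats if mapped_side(r, objects)[0] == "unknown"]


if __name__ == "__main__":
    objs, table = parse_asa_object_nat(ASA_CONFIG)
    for r in table:
        print(r.obj, objs[r.obj].addrs, "->", r.mode, mapped_side(r, objs))
    print(check_nat_table(objs, table))
```

The mapped side of an object NAT line is resolved after the whole config has been read, since the mapped object (here `pat-pool`) may be defined later in the file than the rule that references it.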
Release Notes: This release fixes many of the bugs in the Cisco reader and writer sections. Cisco configurations can now be processed, written, re-read, processed, and written again cyclically. Access lists using proto groups, specifying only protocol details or using "ip/any" services, are now handled. Protocol group objects are written and used in rules for service groups with many different protocol types specified within them. "port-objects" are read in service objects, service groups, and protocol groups alike. The Cisco "echo" default service has been updated to remove TCP and UDP from its listed ports.
Release Notes: This release resolves many of the problems with the filter sections; as many of the undefined warnings as the author could find are now fixed. Both the specific and the subnet 'rr' mode filter sections have been upgraded to fix many of the issues related to combining various filter mode types, and as a result the filters' behavior should be much more predictable. The Cisco and od output section definitions now print service defs for all defined protocol types.
Release Notes: This release includes much stronger consistency checks against the internal network object, service object, group, and rule definitions after each round of processing. The netscreen reader now reads "interface dip" and rule "dip-id" statements and adds appropriate objects and NAT translation rules. Warnings are printed for unknown Cisco object-group objects found in policies during the configuration read. NAT SRC/DST translations in "rr" mode now support range objects using the range start address only, and network objects are now translated to their network bits only.
Release Notes: This release resolves Cisco ICMP default services without printing stringified hash references in the cs output sections. Cisco network and range objects are listed as such in object-groups instead of as hosts. The Cisco output writer uses 'object' in access-lists instead of IP/netmask pairs, and lists range objects using 'range' in access lists as well as in groups. The NAT translation now supports SRC NAT translation for known network objects in rr mode filters.
Release Notes: This release adds NAT capabilities to the Cisco ASA reader. "static" NAT IP IP NM and access-list statements are now added to the NAT table, and policy NAT rules are identified. The < and > range identifiers used in ports are now stripped before printing Netscreen policies in rr mode. Some of the "undefined" warnings have been resolved.