Topic: ScreenOS to JunOS ES scripts?

signal15

ScreenOS to JunOS ES scripts?
« on: January 18, 2009, 01:38:16 pm »
Does anyone know of anything out there, or does anyone have any that they have written?

I know that not all of the features are supported, but I'd like to find something that can convert objects, zone configurations, IP configuration, policies and VPNs automatically.

As a side note, the preshared keys for VPNs are encrypted.  Are they encrypted the same way on both platforms, or would you actually need to know the key when converting VPNs?

I can write something if I need to, but I don't want to duplicate someone else's work.

screenie.

Re: ScreenOS to JunOS ES scripts?
« Reply #1 on: January 18, 2009, 02:04:09 pm »
Just a thought: what if you use NSM for this? Push a policy from a ScreenOS to Junos and all policies and objects should be in the config. VPNs only when you use VPN Manager. But on Junos you have the profiles above the gateway / VPNs. So automating with full use of this feature seems very hard anyway.
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI

Tim Eberhard

Re: ScreenOS to JunOS ES scripts?
« Reply #2 on: January 21, 2009, 04:49:32 pm »
> Does anyone know of anything out there, or does anyone have any that they have written?
>
> I know that not all of the features are supported, but I'd like to find something that can convert objects, zone configurations, IP configuration, policies and VPNs automatically.
>
> As a side note, the preshared keys for VPNs are encrypted.  Are they encrypted the same way on both platforms, or would you actually need to know the key when converting VPNs?
>
> I can write something if I need to, but I don't want to duplicate someone else's work.

Juniper has a (soon to be public, if not already public) configuration converter. Hit up your local RE/SE about it to see what your ScreenOS configuration would look like in JunOS.

A few things are obviously not supported as of yet, such as Track-ip and other "to be developed" items, but all in all it works well for 99% of ScreenOS configuration.

Good luck!
-Tim Eberhard
JNCIS-FWV, JNCIS-M, C|EH, CCSP
Author of Netscreen Session Analyzer:
http://performanceclassifieds.net/NSSA.zip
TPCAT

screenie.

Re: ScreenOS to JunOS ES scripts?
« Reply #3 on: January 22, 2009, 05:10:41 am »
I've heard about that tool, looked for it on the support site, not there yet I believe.
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI

Tim Eberhard

Re: ScreenOS to JunOS ES scripts?
« Reply #4 on: January 22, 2009, 07:51:55 am »
> I've heard about that tool, looked for it on the support site, not there yet I believe.

I asked a few engineers at Juniper and it is in fact released. A juniper.net login is obviously required, but here is the link.

https://i2j.juniper.net/s2jes

Good luck guys. Hope this helps.

-Tim Eberhard
JNCIS-FWV, JNCIS-M, C|EH, CCSP
Author of Netscreen Session Analyzer:
http://performanceclassifieds.net/NSSA.zip
TPCAT

screenie.

Re: ScreenOS to JunOS ES scripts?
« Reply #5 on: January 22, 2009, 12:39:37 pm »
Ok, you're the best! Thanks for a great post!
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI

screenie.

Re: ScreenOS to JunOS ES scripts?
« Reply #6 on: January 25, 2009, 03:07:11 pm »
I played around with s2jes a bit. It's cool!
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI

MaxPipeline

Re: ScreenOS to JunOS ES scripts?
« Reply #7 on: January 31, 2009, 11:26:54 pm »
Basically you can get to the tool by going to migration-tools.juniper.net. You will find that in addition to ScreenOS to JUNOS-ES conversion, there is also IOS to JUNOS-ES and JUNOS to JUNOS-ES conversion.
Help us help you.

Have you looked at the documentation?
http://www.juniper.net/techpubs/

Have you checked the Juniper Knowledgebase?
http://kb.juniper.net

xiaocisco

Re: ScreenOS to JunOS ES scripts?
« Reply #8 on: February 19, 2009, 01:19:08 am »
Differences - JUNOS ES vs ScreenOS

CLI
  - JUNOS CLI
  - No “get” command, use “show”
  - No “unset” command, use “delete”
  - CLI commands must be “COMMIT” for configuration changes

Interfaces
  - None of the interfaces are bound to zones by default.
  - Interfaces can have IP addresses without zone assignment
  - Loopback interfaces cannot be used for NAT and VPN configuration
  - No Manage-IP configuration

Self-originated traffic
  - Does not require a policy match

Zones
  - Only global zone exists by default

IPSec
  - No “compatible” proposal for P1 and P2
  - Tunnel interface “tunnel.x” is secure tunnel interface “st0.x”
  - Huge differences in debugging

System limits
  - No artificial limit on configured VPNs, address book entries, policies etc.
    - Good for dynamic configurations
    - Bad for determining overall system capacities
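
Added example, not part of the thread and not Juniper's s2jes tool: a small Python sketch of the kind of conversion script asked about in the first post, limited to address objects and the tunnel.x to st0.x mapping from the list above. The sample config is constructed, the zone-attached address-book form is assumed as the JUNOS target, and every line the script does not recognise (physical ports, IKE gateways with preshared keys) is returned for manual review instead of being guessed at.

```python
import ipaddress
import re
import shlex

# Constructed ScreenOS sample (not from the thread); names, addresses and key are made up.
SAMPLE = '''\
set address "Trust" "web1" 10.1.1.5 255.255.255.255
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip 172.16.0.1/30
set interface "ethernet0/0" zone "Trust"
set ike gateway "gw1" address 192.0.2.10 Main outgoing-interface "ethernet0/0" preshare "CONSTRUCTED==" proposal "pre-g2-3des-sha"
'''

def junos_ifname(name):
    """tunnel.N becomes st0.N; other port names are platform-specific (None)."""
    m = re.fullmatch(r"tunnel\.(\d+)", name)
    return f"st0.{m.group(1)}" if m else None

def convert_line(line):
    """Return one JUNOS 'set' command, or None when the line needs manual review."""
    tok = shlex.split(line)  # strips the quotes ScreenOS puts around names
    if tok[:2] == ["set", "address"] and len(tok) >= 6:
        zone, name, ip, mask = tok[2:6]
        if " " in name:
            return None  # name with spaces has to be renamed by hand first
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        except ValueError:
            return None  # e.g. a DNS-name address entry
        return f"set security zones security-zone {zone} address-book address {name} {net}"
    if tok[:2] == ["set", "interface"] and len(tok) == 5:
        ifname = junos_ifname(tok[2])
        if ifname and tok[3] == "zone":
            return f"set security zones security-zone {tok[4]} interfaces {ifname}"
        if ifname and tok[3] == "ip":
            base, unit = ifname.split(".")
            return f"set interfaces {base} unit {unit} family inet address {tok[4]}"
    return None

def convert_config(text):
    """Split a ScreenOS config into (converted JUNOS commands, lines left for review)."""
    converted, manual = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        out = convert_line(line)
        (converted if out else manual).append(out or line)
    return converted, manual

if __name__ == "__main__":
    print("\n".join(convert_config(SAMPLE)[0]))
```

The second list returned by `convert_config` is the part to read before committing anything on the new device: it holds every line that was not translated, including the IKE gateway line that carries the preshared key.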